Network enumeration is one of the essential phases of an attack, but it can take a lot of time and effort depending on the size of the network. We've all been spoiled by Nmap and similar tools, and while there is a learning curve involved, they are extremely useful. But there's also GoScan, a tool that builds upon Nmap and offers an automated way to enumerate networks and services quickly.
GoScan vs. Other Network Scanners
GoScan is an interactive network scanner written in Go that automates the Nmap and service-enumeration steps of a penetration test. It features tab auto-completion and keeps its state in an SQLite database on the back end, so scan results survive a crash or a dropped connection and can be queried again in a later session. GoScan also integrates external tools such as sqlmap, DNSenum, Hydra, Nikto, EyeWitness, and NBTScan.
GoScan differs from other network scanners in that it's more of a framework, built upon other tools for abstraction and automation purposes. It primarily uses Nmap's functionality to perform port scanning and service enumeration but also takes advantage of other scanners like Nikto.
While GoScan is useful for quickly enumerating networks and services, there are a few things that could be improved. First, once in the framework, there is no way to issue underlying OS commands from the prompt, so you need a second terminal window or tab. There's also no easy way to cancel a running scan, which is unfortunate because some of these can take a long time. There could be more service enumeration modules, too, but overall, GoScan is a great tool that makes things easy.
Get GoScan Installed & Ready
We will be using Metasploitable 2 as the target and Kali Linux as our local machine, but you can use a different setup to test the tool out.
To download GoScan, we can use wget to grab the release archive directly from GitHub. Keep in mind that this is a prebuilt, unsigned binary that we are about to run as root: fetch it only from the project's own releases page over HTTPS, and compare it against the checksum published with the release if the project provides one:
~# wget https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip
--2020-03-01 12:03:35-- https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip
Resolving github.com (github.com)... 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/133977183/d62b7180-45d6-11e9-95a0-a27738c7d5cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200301%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200301T170336Z&X-Amz-Expires=300&X-Amz-Signature=30bf07eb967416e5c5f5bdd2f11e144d4b41f55675e75558f435b2fb36b5982d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgoscan_2.4_linux_amd64.zip&response-content-type=application%2Foctet-stream [following]
--2020-03-01 12:03:36-- https://github-production-release-asset-2e65be.s3.amazonaws.com/133977183/d62b7180-45d6-11e9-95a0-a27738c7d5cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200301%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200301T170336Z&X-Amz-Expires=300&X-Amz-Signature=30bf07eb967416e5c5f5bdd2f11e144d4b41f55675e75558f435b2fb36b5982d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgoscan_2.4_linux_amd64.zip&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.177.3
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.177.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5031753 (4.8M) [application/octet-stream]
Saving to: ‘goscan_2.4_linux_amd64.zip’
goscan_2.4_linux_amd64.zip 100%[===========================>] 4.80M 6.60MB/s in 0.7s
2020-03-01 12:03:37 (6.60 MB/s) - ‘goscan_2.4_linux_amd64.zip’ saved [5031753/5031753]
Next, unzip the archive:
~# unzip goscan_2.4_linux_amd64.zip
Archive: goscan_2.4_linux_amd64.zip
inflating: goscan
We can check what type of file it is using the file command:
~# file goscan
goscan: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, Go BuildID=pGoWXkwAVk8V427XeEiD/_gHLR9pQcRgIcaS6-h1Y/3NHjKMCsn272cDOntZE2/lQhv-s-msoGBONoodm2c, BuildID[sha1]=b0465bb281d341d50215219d6a7611a5b8876c60, with debug_info, not stripped
The file command confirms it is a 64-bit Linux ELF binary, and unzip preserved its execute bit, so it can be run as-is without a chmod +x. Nice.
Next, move the binary to a directory on your PATH so it can be run from anywhere. The example below uses /bin/, which works on Kali, though /usr/local/bin is the conventional home for locally installed tools. Use the mv command:
~# mv ./goscan /bin/goscan
Now, when we run GoScan, we are automatically dropped into the framework:
~# goscan
_________ ___________________________ __
__ ____/_______ ___/_ ____/__ |__ | / /
_ / __ _ __ \____ \_ / __ /| |_ |/ /
/ /_/ / / /_/ /___/ // /___ _ ___ | /| /
\____/ \____//____/ \____/ /_/ |_/_/ |_/
goscan (v.2.4)
Marco Lancini [@LanciniMarco]
[-] Created directory: /root/.goscan
[-] Connected to DB
[goscan] >
Ping Sweep
GoScan contains automatic-command-suggestion and tab-completion features, which makes it easy to use. Simply start typing a command, and a suggestion and its description will show up:
[goscan] > he
help Show help
The help menu is the quickest reference for GoScan. Here we can find all the available commands, their descriptions, and syntax:
[goscan] > help
[*] GoScan automates the scanning and enumeration steps of a penetration test
[*] Available commands:
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+
| AREA | COMMAND | SYNTAX |
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+
| Load target | Add a single target via the CLI (must be a /32) | load target SINGLE <IP> |
| Load target | Upload multiple targets from a text file or folder | load target MULTI <path-to-file> |
| Host Discovery | Perform a Ping Sweep | sweep <TYPE> <TARGET> |
| Load Host Discovery | Add a single alive host via the CLI (must be a /32) | load alive SINGLE <IP> |
| Load Host Discovery | Upload multiple alive hosts from a text file or folder | load alive MULTI <path-to-file> |
| Port Scan | Perform a port scan | portscan <TYPE> <TARGET> |
| Load Port Scan | Upload nmap port scan results from XML files or folder | load portscan <path-to-file> |
| Service Enumeration | Dry Run (only show commands, without performing them | enumerate <TYPE> DRY <TARGET> |
| Service Enumeration | Perform enumeration of detected services | enumerate <TYPE> <POLITE/AGGRESSIVE> <TARGET> |
| Special Scan - EyeWitness | Take screenshots of websites, RDP services, and open VNC servers (KALI ONLY) | special eyewitness |
| Special Scan - Domain Info | Extract Windows domain information from enumeration data | special domain <users/hosts/servers> |
| Special Scan - DNS | Enumerate DNS (nmap, dnsrecon, dnsenum) | special dns DISCOVERY <domain> |
| Special Scan - DNS | Bruteforce DNS | special dns BRUTEFORCE <domain> |
| Special Scan - DNS | Reverse Bruteforce DNS | special dns BRUTEFORCE_REVERSE <domain> <base_IP> |
| Show | Show targets | show targets |
| Show | Show live hosts | show hosts |
| Show | Show detailed ports information | show ports |
| Utils | Set configs from file | set config_file <PATH> |
| Utils | Set output folder | set output_folder <PATH> |
| Utils | Modify the default nmap switches | set nmap_switches <SWEEP/TCP_FULL/TCP_STANDARD/TCP_VULN/UDP_STANDARD> <SWITCHES> |
| Utils | Modify the default wordlists | set wordlists <FINGER_USER/FTP_USER/...> <PATH> |
| Utils | Exit this program | exit |
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+
To begin, we need to load a target. We can load multiple IP addresses or, in our case, the single IP of our target machine:
[goscan] > load target SINGLE 10.10.0.50
[*] Imported target: 10.10.0.50
Next, let's perform a ping sweep:
[goscan] > sweep PING 10.10.0.50
[*] Starting Ping Sweep
[goscan] > [-] Created directory: /root/.goscan/10.10.0.50/sweep
[-] Executing command: nmap -n -sn -PE -PP 10.10.0.50 -oA /root/.goscan/10.10.0.50/sweep/ping_10.10.0.50
[*] [ping] Nmap work in progress on host: 10.10.0.50
[+] [ping] Nmap finished on host: 10.10.0.50
[+] [ping] Output has been saved at: /root/.goscan
First, GoScan creates a per-target directory to house the results (the location can be changed with set output_folder, but the default works just fine). Next, it prints the exact Nmap command it executes: -n skips DNS resolution, -sn disables port scanning, and -PE -PP send ICMP echo and timestamp requests. That means a host that drops ICMP will not be marked alive even though we loaded it as a target; in that case, confirm the host another way and add it with load alive SINGLE <IP> so it is in the host list for the later phases. Finally, GoScan tells us when the scan is finished and where the output went.
If we browse to the newly created directory where the results are stored, we can see the output comes in a few different formats:
~# ls .goscan/10.10.0.50/sweep/
ping_10.10.0.50.gnmap ping_10.10.0.50.nmap ping_10.10.0.50.xml
Port Scan
GoScan's port scanning capability is perhaps its most robust feature. When we start typing portscan, we can see the variety of scan types it can perform:
[goscan] > portscan
TCP-FULL Perform FULL TCP scan
TCP-STANDARD Perform TCP scan (top 200)
TCP-PROD Perform PROD TCP scan (T3, no scripts)
TCP-VULN-SCAN Perform TCP VULN scan (vulscan.nse)
UDP-STANDARD Perform UDP scan (common ports)
UDP-PROD Perform PROD UDP scan (T3, no scripts)
For instance, we can run a full TCP scan. Note the switches GoScan uses: -Pn skips host discovery, -sT is a full connect scan, -p- covers all 65,535 ports, and -sC -A -T4 add the default NSE scripts, OS and version detection, and traceroute at aggressive timing, which is noisy and slow over a full port range. The TCP-PROD profile (T3, no scripts) is the safer choice against fragile production hosts. GoScan repeats the progress line until Nmap exits:
[goscan] > portscan TCP-FULL 10.10.0.50
[*] Starting full TCP port scan
[goscan] > [-] Created directory: /root/.goscan/10.10.0.50/portscan
[-] Executing command: nmap -Pn -sT -sC -A -T4 -p- 10.10.0.50 -oA /root/.goscan/10.10.0.50/portscan/tcp_full_10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
...
Or a UDP scan on common ports, here given the ALL keyword, which expands to every target loaded in the database (just 10.10.0.50 in our case):
[goscan] > portscan UDP-STANDARD ALL
[*] Starting UDP port scan (common ports)
[goscan] > [-] Executing command: nmap -Pn -sU -sC -A -T4 -p19,53,69,79,111,123,135,137,138,161,177,445,500,514,520,1434,1900,5353 10.10.0.50 -oA /root/.goscan/10.10.0.50/portscan/udp_standard_10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
...
We can also use load to import port scan results produced outside GoScan, as long as they are Nmap XML output (-oX or -oA), since that is the format GoScan parses:
[goscan] > load portscan nmap_results.xml
The show command can be used to display any information currently stored by GoScan. We can view targets:
[goscan] > show targets
+------------+---------+
| ADDRESS | STEP |
+------------+---------+
| 10.10.0.50 | SWEEPED |
+------------+---------+
And show the status of our hosts, including operating system information and ports. Note that most of the UDP ports come back open|filtered: Nmap got no reply to those probes, so it cannot tell an open service from a port behind a firewall that silently drops packets. Treat them as unconfirmed and follow up with version detection (-sV) or a service-specific probe before building on them:
[goscan] > show hosts
+------------+--------+-----------------+------+-------------------------------------+
| ADDRESS | STATUS | OS | INFO | PORTS |
+------------+--------+-----------------+------+-------------------------------------+
| 10.10.0.50 | up | Linux 3.2 - 4.9 | | * 5355/tcp open : llmnr |
| | | | | * 19/udp closed : chargen |
| | | | | * 53/udp closed : domain |
| | | | | * 69/udp closed : tftp |
| | | | | * 79/udp closed : finger |
| | | | | * 111/udp open|filtered: rpcbind |
| | | | | * 123/udp closed : ntp |
| | | | | * 135/udp open|filtered: msrpc |
| | | | | * 137/udp closed : netbios-ns |
| | | | | * 138/udp closed : netbios-dgm |
| | | | | * 161/udp open|filtered: snmp |
| | | | | * 177/udp closed : xdmcp |
| | | | | * 445/udp closed : microsoft-ds |
| | | | | * 500/udp open|filtered: isakmp |
| | | | | * 514/udp open|filtered: syslog |
| | | | | * 520/udp closed : route |
| | | | | * 1434/udp closed : ms-sql-m |
| | | | | * 1900/udp closed : upnp |
| | | | | * 5353/udp open|filtered: zeroconf |
| | | | | |
+------------+--------+-----------------+------+-------------------------------------+
And a bit more organized view of ports and services:
[goscan] > show ports
+------------+----------+---------------+--------------+
| HOST | PORT | STATUS | SERVICE |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 5355/tcp | open | llmnr |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 19/udp | closed | chargen |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 53/udp | closed | domain |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 69/udp | closed | tftp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 79/udp | closed | finger |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 111/udp | open|filtered | rpcbind |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 123/udp | closed | ntp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 135/udp | open|filtered | msrpc |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 137/udp | closed | netbios-ns |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 138/udp | closed | netbios-dgm |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 161/udp | open|filtered | snmp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 177/udp | closed | xdmcp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 445/udp | closed | microsoft-ds |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 500/udp | open|filtered | isakmp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 514/udp | open|filtered | syslog |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 520/udp | closed | route |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 1434/udp | closed | ms-sql-m |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 1900/udp | closed | upnp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 5353/udp | open|filtered | zeroconf |
+------------+----------+---------------+--------------+
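The three files in the sweep directory and the tables above are the same data seen from two sides: Nmap's XML output is what GoScan stores and what load portscan reads back in. As an added example (not GoScan's own code), the Python below parses Nmap XML into the host and port records behind show hosts and show ports, pulls the live hosts out of a sweep file in the shape load alive MULTI can take, flags the open|filtered UDP ports that still need confirmation, and maps confirmed-open services onto GoScan's enumerate modules the way enumerate ALL has to. The two sample XML documents are constructed, the service-to-module mapping is our own guess rather than GoScan's, and the one-address-per-line file format assumed for load alive MULTI is an assumption.

```python
"""Parse Nmap XML into the records GoScan keeps behind `show hosts` and
`show ports`, then derive the follow-up steps a tester needs.
Added example, not GoScan's code; samples and the module mapping are assumptions."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# GoScan's enumerate modules, with the Nmap service names we assume feed them.
MODULE_SERVICES = {
    "FINGER": {"finger"},
    "FTP": {"ftp"},
    "HTTP": {"http", "https", "http-proxy", "http-alt"},
    "RDP": {"ms-wbt-server"},
    "SMB": {"microsoft-ds", "netbios-ssn"},
}

# Constructed ping-sweep result (nmap -n -sn -PE -PP). Nmap only records down
# hosts when run verbosely; one is included here to exercise the filter.
SWEEP_XML = """<nmaprun scanner="nmap" args="nmap -n -sn -PE -PP 10.10.0.48/29" version="7.80">
<host><status state="up" reason="echo-reply"/><address addr="10.10.0.50" addrtype="ipv4"/></host>
<host><status state="down" reason="no-response"/><address addr="10.10.0.51" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed port-scan result. 21/tcp and 80/tcp are assumed open so module
# selection has something to do; the other ports mirror states from the article.
PORTSCAN_XML = """<nmaprun scanner="nmap" args="nmap -Pn -sT -sU -pT:21,80,5355,U:19,111,161 10.10.0.50" version="7.80">
<host><status state="up" reason="user-set"/><address addr="10.10.0.50" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="5355"><state state="open" reason="syn-ack"/><service name="llmnr" method="table" conf="3"/></port>
<port protocol="udp" portid="19"><state state="closed" reason="port-unreach"/><service name="chargen" method="table" conf="3"/></port>
<port protocol="udp" portid="111"><state state="open|filtered" reason="no-response"/><service name="rpcbind" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return (hosts, ports): hosts maps IPv4 -> up/down; ports is a list of
    dicts with host, proto, port, state and service (Nmap's table guess)."""
    root = ET.fromstring(xml_text)
    hosts, ports = {}, []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        if addr is None or status is None:
            continue
        ip = addr.get("addr")
        hosts[ip] = status.get("state")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None:
                continue
            service = port.find("service")
            ports.append({
                "host": ip,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "service": service.get("name", "") if service is not None else "",
            })
    return hosts, ports


def hosts_up(hosts):
    """Addresses Nmap marked up, sorted. One per line is the file format we
    assume `load alive MULTI` takes, for when GoScan's ICMP sweep is blocked
    and discovery was done with a different probe."""
    return sorted(ip for ip, state in hosts.items() if state == "up")


def unconfirmed_udp(ports):
    """UDP ports that never answered: open|filtered means Nmap cannot tell an
    open service from a dropped probe, so they need -sV or a protocol-specific
    probe before they count as open."""
    return [p for p in ports if p["proto"] == "udp" and p["state"] == "open|filtered"]


def modules_for(ports):
    """Map confirmed-open ports onto GoScan enumerate modules, the decision
    `enumerate ALL` has to make. Services with no module (5355/llmnr here)
    are left out rather than guessed."""
    out = defaultdict(list)
    for p in ports:
        if p["state"] != "open":
            continue
        for module, names in MODULE_SERVICES.items():
            if p["service"] in names:
                out[module].append(f"{p['host']}:{p['port']}/{p['proto']}")
    return dict(out)


def render_ports(ports):
    """Rows in the shape of GoScan's `show ports` table."""
    rows = ["HOST | PORT | STATUS | SERVICE"]
    for p in ports:
        rows.append(f"{p['host']} | {p['port']}/{p['proto']} | {p['state']} | {p['service']}")
    return "\n".join(rows)


if __name__ == "__main__":
    print("alive hosts for `load alive MULTI`:", hosts_up(parse_nmap_xml(SWEEP_XML)[0]))
    hosts, ports = parse_nmap_xml(PORTSCAN_XML)
    print(render_ports(ports))
    print("UDP ports still unconfirmed:", [f"{p['port']}/udp" for p in unconfirmed_udp(ports)])
    print("enumerate modules with work to do:", modules_for(ports))
```

Run it with python3 to print the alive list, the ports table, the unconfirmed UDP ports, and the modules that would have work to do. Against real data, read the .xml file from ~/.goscan/<target>/sweep/ or ~/.goscan/<target>/portscan/ and pass its contents to parse_nmap_xml.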
Enumerate Services
In addition to its port scanning capability, GoScan also allows us to enumerate running services on the target. Typing enumerate shows us the available modules, which includes FINGER, FTP, HTTP, RDP, and SMB:
[goscan] > enumerate
ALL Automatically identify open services and enumerate them
FINGER Enumerate FINGER
FTP Enumerate FTP
HTTP Enumerate HTTP
RDP Enumerate RDP
SMB Enumerate SMB
Each service also takes a mode: DRY only shows the commands that would run; POLITE runs them but skips brute-forcing; and BRUTEFORCE includes the brute-force scripts (the help table calls this mode AGGRESSIVE).
[goscan] > enumerate HTTP
DRY Only show the commands that would be performed, without performing them
POLITE Avoid bruteforcing
BRUTEFORCE Include bruteforce scripts
For example, we can perform a dry run of the HTTP enumeration. DRY is the mode to use first, because it prints every command a real run would execute, which lets you see exactly what will hit the target before committing to POLITE or BRUTEFORCE. Nothing is listed here because the port-scan results stored for 10.10.0.50 contain no open HTTP port; once a web server has been recorded, DRY shows the Nikto and other commands that a live run would launch:
[goscan] > enumerate HTTP DRY 10.10.0.50
[*] Starting service enumeration
[goscan] > [+] [HTTP] Enumeration finished on host: 10.10.0.50
[+] [HTTP] Output has been saved at: /root/.goscan
Special Scans
GoScan also contains a few special scans that can be useful for reconnaissance. Type special at the prompt to view the available options:
[goscan] > special
eyewitness Take screenshots of websites, RDP services, and open VNC servers (KALI ONLY)
domain Extract (windows) domain information from enumeration data
dns Perform DNS enumeration
The eyewitness scan incorporates the EyeWitness tool, which takes screenshots of websites, RDP services, and VNC servers. The only caveat is that EyeWitness must be installed and on the system PATH for it to work (the help menu marks it KALI ONLY).
We can also use the domain scan to enumerate certain domain information, including users, hosts, and servers:
[goscan] > special domain
users Extract users from enumeration data
hosts Extract hosts from enumeration data
servers Extract servers from enumeration data
The dns scan will perform a few DNS enumeration techniques, such as discovery and brute-forcing:
[goscan] > special dns
DISCOVERY Enumerate DNS (nmap, dnsrecon, dnsenum)
BRUTEFORCE Bruteforce DNS
BRUTEFORCE_REVERSE Reverse Bruteforce DNS
GoScan has a few more utilities under set: set output_folder <PATH> changes where results are written, set nmap_switches <SWEEP/TCP_FULL/TCP_STANDARD/TCP_VULN/UDP_STANDARD> <SWITCHES> replaces the default Nmap switches for a scan profile (useful for toning down -T4 -A on sensitive networks), and set wordlists changes the default wordlists used by the enumeration modules.
Wrapping Up
Today, we explored GoScan and how it can be used to quickly enumerate networks and services. First, we covered downloading and installing the tool. Then, we went through some of the options, including ping sweeping, port scanning, service enumeration, and special scans. All in all, GoScan is a useful framework that makes network enumeration easier.
Cover image by Brett Sayles/Pexels; Screenshots by drd_/Null Byte