How To: Use GoScan to Quickly Enumerate Networks & Services

Use GoScan to Quickly Enumerate Networks & Services

Network enumeration is one of the essential phases of an attack, but it can take a lot of time and effort depending on the size. We've all been spoiled by Nmap and similar tools, and while there is a learning curve involved, they are extremely useful. But there's also GoScan, a tool that builds upon Nmap, offering an automated way to enumerate networks and services quickly.

GoScan vs Other Network Scanners

GoScan is an interactive network scanner written in Go that automates certain aspects of Nmap and service enumeration. It features intelligent tab auto-completion and an SQLite database on the back end to maintain connections and data, even in unstable environments. GoScan also features other external integrations, such as sqlmap, DNSenum, Hydra, Nikto, EyeWitness, and NBTScan.

GoScan differs from other network scanners in that it's more of a framework, built upon other tools for abstraction and automation purposes. It primarily uses Nmap's functionality to perform port scanning and service enumeration but also takes advantage of other scanners like Nikto.

While GoScan is useful for quickly enumerating networks and services, there are a few things that could be improved. First, once in the framework, there is no way to issue underlying OS commands, meaning you need a new terminal window or tab. There's also not an easy way to cancel a scan, which is unfortunate because some of these can take a long time. There could be more service enumeration modules, too, but overall, GoScan is a great tool that makes things easy.

Get GoScan Installed & Ready

We will be using Metasploitable 2 as the target and Kali Linux as our local machine, but you can use a different setup to test the tool out.

To download GoScan, we can use wget to grab it directly from GitHub:

~# wget https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip

--2020-03-01 12:03:35--  https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip
Resolving github.com (github.com)... 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/133977183/d62b7180-45d6-11e9-95a0-a27738c7d5cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200301%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200301T170336Z&X-Amz-Expires=300&X-Amz-Signature=30bf07eb967416e5c5f5bdd2f11e144d4b41f55675e75558f435b2fb36b5982d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgoscan_2.4_linux_amd64.zip&response-content-type=application%2Foctet-stream [following]
--2020-03-01 12:03:36--  https://github-production-release-asset-2e65be.s3.amazonaws.com/133977183/d62b7180-45d6-11e9-95a0-a27738c7d5cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200301%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200301T170336Z&X-Amz-Expires=300&X-Amz-Signature=30bf07eb967416e5c5f5bdd2f11e144d4b41f55675e75558f435b2fb36b5982d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgoscan_2.4_linux_amd64.zip&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.177.3
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.177.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5031753 (4.8M) [application/octet-stream]
Saving to: ‘goscan_2.4_linux_amd64.zip’

goscan_2.4_linux_amd64.zip 100%[===========================>]   4.80M  6.60MB/s    in 0.7s

2020-03-01 12:03:37 (6.60 MB/s) - ‘goscan_2.4_linux_amd64.zip’ saved [5031753/5031753]

Next, unzip the archive:

~# unzip goscan_2.4_linux_amd64.zip

Archive:  goscan_2.4_linux_amd64.zip
  inflating: goscan

We can check what type of file it is using the file command:

~# file goscan

goscan: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, Go BuildID=pGoWXkwAVk8V427XeEiD/_gHLR9pQcRgIcaS6-h1Y/3NHjKMCsn272cDOntZE2/lQhv-s-msoGBONoodm2c, BuildID[sha1]=b0465bb281d341d50215219d6a7611a5b8876c60, with debug_info, not stripped

It looks like it is already executable. Nice.

Next, we can move the binary to the /bin/ directory, which will enable us to run it from anywhere. Use the mv command:

~# mv ./goscan /bin/goscan

Now, when we run GoScan, we are automatically dropped into the framework:

~# goscan

_________     ___________________________   __
__  ____/_______  ___/_  ____/__    |__  | / /
_  / __ _  __ \____ \_  /    __  /| |_   |/ /
/ /_/ / / /_/ /___/ // /___  _  ___ |  /|  /
\____/  \____//____/ \____/  /_/  |_/_/ |_/

                goscan (v.2.4)
        Marco Lancini [@LanciniMarco]

[-] Created directory: /root/.goscan
[-] Connected to DB
[goscan] >

Option 1: Ping Sweep

GoScan contains automatic-command-suggestion and tab-completion features, which makes it easy to use. Simply start typing a command, and a suggestion and its description will show up:

[goscan] > he
              help  Show help

The help menu is probably the most critical part of GoScan. Here we can find all the available commands, their descriptions, and syntax:

[goscan] > help

[*] GoScan automates the scanning and enumeration steps of a penetration test
[*] Available commands:
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+
|            AREA            |                                   COMMAND                                    |                                      SYNTAX                                      |
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+
| Load target                | Add a single target via the CLI (must be a /32)                              | load target SINGLE <IP>                                                          |
| Load target                | Upload multiple targets from a text file or folder                           | load target MULTI <path-to-file>                                                 |
| Host Discovery             | Perform a Ping Sweep                                                         | sweep <TYPE> <TARGET>                                                            |
| Load Host Discovery        | Add a single alive host via the CLI (must be a /32)                          | load alive SINGLE <IP>                                                           |
| Load Host Discovery        | Upload multiple alive hosts from a text file or folder                       | load alive MULTI <path-to-file>                                                  |
| Port Scan                  | Perform a port scan                                                          | portscan <TYPE> <TARGET>                                                         |
| Load Port Scan             | Upload nmap port scan results from XML files or folder                       | load portscan <path-to-file>                                                     |
| Service Enumeration        | Dry Run (only show commands, without performing them                         | enumerate <TYPE> DRY <TARGET>                                                    |
| Service Enumeration        | Perform enumeration of detected services                                     | enumerate <TYPE> <POLITE/AGGRESSIVE> <TARGET>                                    |
| Special Scan - EyeWitness  | Take screenshots of websites, RDP services, and open VNC servers (KALI ONLY) | special eyewitness                                                               |
| Special Scan - Domain Info | Extract Windows domain information from enumeration data                     | special domain <users/hosts/servers>                                             |
| Special Scan - DNS         | Enumerate DNS (nmap, dnsrecon, dnsenum)                                      | special dns DISCOVERY <domain>                                                   |
| Special Scan - DNS         | Bruteforce DNS                                                               | special dns BRUTEFORCE <domain>                                                  |
| Special Scan - DNS         | Reverse Bruteforce DNS                                                       | special dns BRUTEFORCE_REVERSE <domain> <base_IP>                                |
| Show                       | Show targets                                                                 | show targets                                                                     |
| Show                       | Show live hosts                                                              | show hosts                                                                       |
| Show                       | Show detailed ports information                                              | show ports                                                                       |
| Utils                      | Set configs from file                                                        | set config_file <PATH>                                                           |
| Utils                      | Set output folder                                                            | set output_folder <PATH>                                                         |
| Utils                      | Modify the default nmap switches                                             | set nmap_switches <SWEEP/TCP_FULL/TCP_STANDARD/TCP_VULN/UDP_STANDARD> <SWITCHES> |
| Utils                      | Modify the default wordlists                                                 | set wordlists <FINGER_USER/FTP_USER/...> <PATH>                                  |
| Utils                      | Exit this program                                                            | exit                                                                             |
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+

To begin, we need to load a target. We can load multiple IP addresses or, in our case, the single IP of our target machine:

[goscan] > load target SINGLE 10.10.0.50

[*] Imported target: 10.10.0.50

Next, let's perform a ping sweep:

[goscan] > sweep PING 10.10.0.50

[*] Starting Ping Sweep
[goscan] > [-] Created directory: /root/.goscan/10.10.0.50/sweep
[-] Executing command: nmap -n -sn -PE -PP 10.10.0.50 -oA /root/.goscan/10.10.0.50/sweep/ping_10.10.0.50
[*] [ping] Nmap work in progress on host:   10.10.0.50
[+] [ping] Nmap finished on host:   10.10.0.50
[+] [ping] Output has been saved at:    /root/.goscan

First, GoScan creates a directory to house the results. The directory can be configured to a custom location, but the default works just fine. Next, we can see the Nmap command it calls and executes, and it tells us when it is finished.

If we browse to the newly created directory where the results are stored, we can see the output comes in a few different formats:

~# ls .goscan/10.10.0.50/sweep/

ping_10.10.0.50.gnmap  ping_10.10.0.50.nmap  ping_10.10.0.50.xml

Option 2: Port Scan

GoScan's port scanning capability is perhaps its most robust feature. When we start typing portscan, we can see the variety of scan types it can perform:

[goscan] > portscan
                     TCP-FULL       Perform FULL TCP scan
                     TCP-STANDARD   Perform TCP scan (top 200)
                     TCP-PROD       Perform PROD TCP scan (T3, no scripts)
                     TCP-VULN-SCAN  Perform TCP VULN scan (vulscan.nse)
                     UDP-STANDARD   Perform UDP scan (common ports)
                     UDP-PROD       Perform PROD UDP scan (T3, no scripts)

For instance, we can run a full TCP scan:

[goscan] > portscan TCP-FULL 10.10.0.50

[*] Starting full TCP port scan
[goscan] > [-] Created directory: /root/.goscan/10.10.0.50/portscan
[-] Executing command: nmap -Pn -sT -sC -A -T4 -p- 10.10.0.50 -oA /root/.goscan/10.10.0.50/portscan/tcp_full_10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50

...

Or a UDP scan on common ports:

[goscan] > portscan UDP-STANDARD ALL

[*] Starting UDP port scan (common ports)
[goscan] > [-] Executing command: nmap -Pn -sU -sC -A -T4 -p19,53,69,79,111,123,135,137,138,161,177,445,500,514,520,1434,1900,5353 10.10.0.50 -oA /root/.goscan/10.10.0.50/portscan/udp_standard_10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50

...

We can also use the load command to load any external scan results, like those of Nmap:

[goscan] > load portscan nmap_results.xml

The show command can be used to display any information currently stored by GoScan. We can view targets:

[goscan] > show targets

+------------+---------+
|  ADDRESS   |  STEP   |
+------------+---------+
| 10.10.0.50 | SWEEPED |
+------------+---------+

And show the status of our hosts, including operating system information and ports:

[goscan] > show hosts

+------------+--------+-----------------+------+-------------------------------------+
|  ADDRESS   | STATUS |       OS        | INFO |                PORTS                |
+------------+--------+-----------------+------+-------------------------------------+
| 10.10.0.50 | up     | Linux 3.2 - 4.9 |      | *  5355/tcp open    : llmnr         |
|            |        |                 |      | *    19/udp closed  : chargen       |
|            |        |                 |      | *    53/udp closed  : domain        |
|            |        |                 |      | *    69/udp closed  : tftp          |
|            |        |                 |      | *    79/udp closed  : finger        |
|            |        |                 |      | *   111/udp open|filtered: rpcbind  |
|            |        |                 |      | *   123/udp closed  : ntp           |
|            |        |                 |      | *   135/udp open|filtered: msrpc    |
|            |        |                 |      | *   137/udp closed  : netbios-ns    |
|            |        |                 |      | *   138/udp closed  : netbios-dgm   |
|            |        |                 |      | *   161/udp open|filtered: snmp     |
|            |        |                 |      | *   177/udp closed  : xdmcp         |
|            |        |                 |      | *   445/udp closed  : microsoft-ds  |
|            |        |                 |      | *   500/udp open|filtered: isakmp   |
|            |        |                 |      | *   514/udp open|filtered: syslog   |
|            |        |                 |      | *   520/udp closed  : route         |
|            |        |                 |      | *  1434/udp closed  : ms-sql-m      |
|            |        |                 |      | *  1900/udp closed  : upnp          |
|            |        |                 |      | *  5353/udp open|filtered: zeroconf |
|            |        |                 |      |                                     |
+------------+--------+-----------------+------+-------------------------------------+

And a bit more organized view of ports and services:

[goscan] > show ports

+------------+----------+---------------+--------------+
|    HOST    |   PORT   |    STATUS     |   SERVICE    |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 5355/tcp | open          | llmnr        |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 19/udp   | closed        | chargen      |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 53/udp   | closed        | domain       |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 69/udp   | closed        | tftp         |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 79/udp   | closed        | finger       |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 111/udp  | open|filtered | rpcbind      |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 123/udp  | closed        | ntp          |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 135/udp  | open|filtered | msrpc        |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 137/udp  | closed        | netbios-ns   |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 138/udp  | closed        | netbios-dgm  |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 161/udp  | open|filtered | snmp         |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 177/udp  | closed        | xdmcp        |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 445/udp  | closed        | microsoft-ds |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 500/udp  | open|filtered | isakmp       |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 514/udp  | open|filtered | syslog       |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 520/udp  | closed        | route        |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 1434/udp | closed        | ms-sql-m     |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 1900/udp | closed        | upnp         |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 5353/udp | open|filtered | zeroconf     |
+------------+----------+---------------+--------------+

Option 3: Enumerate Services

In addition to its port scanning capability, GoScan also allows us to enumerate running services on the target. Typing enumerate shows us the available modules, which includes FINGER, FTP, HTTP, RDP, and SMB:

[goscan] > enumerate
                      ALL     Automatically identify open services and enumerate them
                      FINGER  Enumerate FINGER
                      FTP     Enumerate FTP
                      HTTP    Enumerate HTTP
                      RDP     Enumerate RDP
                      SMB     Enumerate SMB

Each service has a few options as well, including DRY, which only performs a dry run; POLITE, which runs but avoids brute-forcing; and BRUTEFORCE.

[goscan] > enumerate HTTP
                           DRY         Only show the commands that would be performed, without performing them
                           POLITE      Avoid bruteforcing
                           BRUTEFORCE  Include bruteforce scripts

For example, we can perform a dry run of the HTTP scan:

[goscan] > enumerate HTTP DRY 10.10.0.50

[*] Starting service enumeration
[goscan] > [+] [HTTP] Enumeration finished on host: 10.10.0.50
[+] [HTTP] Output has been saved at:    /root/.goscan

Option 4: Special Scans

GoScan also contains a few special scans that can be useful for reconnaissance. Type special at the prompt to view the available options:

[goscan] > special
                    eyewitness  Take screenshots of websites, RDP services, and open VNC servers (KALI ONLY)
                    domain      Extract (windows) domain information from enumeration data
                    dns         Perform DNS enumeration

The eyewitness scan incorporates the EyeWitness tool, which will take screenshots of websites, RDP services, and VNC servers. The only caveat here is that EyeWitness needs to be installed in the system PATH in order for it to work.

We can also use the domain scan to enumerate certain domain information, including users, hosts, and servers:

[goscan] > special domain
                           users    Extract users from enumeration data
                           hosts    Extract hosts from enumeration data
                           servers  Extract servers from enumeration data

The dns scan will perform a few DNS enumeration techniques, such as discovery and brute-forcing:

[goscan] > special dns
                        DISCOVERY           Enumerate DNS (nmap, dnsrecon, dnsenum)
                        BRUTEFORCE          Bruteforce DNS
                        BRUTEFORCE_REVERSE  Reverse Bruteforce DNS

GoScan has a few more utilities that can set the output folder, the Nmap switches that are used, and the default wordlists.

Wrapping Up

Today, we explored GoScan and how it can be used to quickly enumerate networks and services. First, we covered downloading and installing the tool. Then, we went through some of the options, including ping sweeping, port scanning, service enumeration, and special scans. All in all, GoScan is a useful framework that makes network enumeration easier.

Want to start making money as a white hat hacker? Jump-start your white-hat hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from ethical hacking professionals.

Buy Now (96% off) >

Cover image by Brett Sayles/Pexels; Screenshots by drd_/Null Byte

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.

Be the First to Comment

Share Your Thoughts

  • Hot
  • Latest