I heard there's a tool to replace nmap ~RustScan
Now that I've heard about it, there's nothing for it but to give it a try...!
✔︎ A port scanner written in Rust that speeds up Nmap scanning
✔︎ Achieves a speed-up that brings a process taking Nmap 17 minutes down to under 1 minute
https://t.co/faBR6edSBR
GitHub - brandonskerritt/RustScan: Faster Nmap Scanning with Rust
— _spxn🔑 (@_spxn) July 23, 2020
Not that I've ever looked at Rust itself, though...
Anyway, let's install it and take a look at the help.
kali@kali:~/SyachinekoLab/workspace/Tools$ rustscan -h
RustScan 1.2.0
Bee https://github.com/brandonskerritt
Fast Port Scanner built in Rust

USAGE:
    rustscan [OPTIONS] <ip> [command]...

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -T, --timeout <T>    The timeout before a port is assumed to be close. In MS. [default: 1500]
    -b, --batch <b>      Increases speed of scanning. The batch size for port scanning. Depends on your open file limit of OS. If you do 65535 it will do every port at the same time. Although, your OS may not support this. [default: 4500]

ARGS:
    <ip>            The IP address to scan
    <command>...    The Nmap arguments to run. To use the argument -A, end RustScan's args with '-- -A'. To run EXAMPLE: 'rustscan -T 1500 127.0.0.1 -- -A -sC'. This argument auto runs nmap {your commands} -vvv -p $PORTS
I see, I see. Let's just run it and find out!
kali@kali:~/SyachinekoLab/workspace/Tools$ rustscan 10.10.10.197
 _____           _    _____
|  __ \         | |  / ____|
| |__) |   _ ___| |_| (___   ___ __ _ _ __
|  _  / | | / __| __|\___ \ / __/ _` | '_ \
| | \ \ |_| \__ \ |_ ____) | (_| (_| | | | |
|_|  \_\__,_|___/\__|_____/ \___\__,_|_| |_|
Faster nmap scanning with rust.
Automated Decryption Tool - https://github.com/ciphey/ciphey
Creator https://github.com/brandonskerritt
Os { code: 24, kind: Other, message: "Too many open files" }
thread 'main' panicked at 'Too many open files. Please reduce batch size. The default is 5000. Try -b 2500.', src/main.rs:179:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

kali@kali:~/SyachinekoLab/workspace/Tools$ rustscan -b 2500 10.10.10.197
 _____           _    _____
|  __ \         | |  / ____|
| |__) |   _ ___| |_| (___   ___ __ _ _ __
|  _  / | | / __| __|\___ \ / __/ _` | '_ \
| | \ \ |_| \__ \ |_ ____) | (_| (_| | | | |
|_|  \_\__,_|___/\__|_____/ \___\__,_|_| |_|
Faster nmap scanning with rust.
Automated Decryption Tool - https://github.com/ciphey/ciphey
Creator https://github.com/brandonskerritt
Os { code: 24, kind: Other, message: "Too many open files" }
thread 'main' panicked at 'Too many open files. Please reduce batch size. The default is 5000. Try -b 2500.', src/main.rs:179:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Huh, looks like T is too high and it won't work...
Lowering the cap and running it again... it works!
kali@kali:~/SyachinekoLab/workspace/Tools$ rustscan -b 1000 10.10.10.197
 _____           _    _____
|  __ \         | |  / ____|
| |__) |   _ ___| |_| (___   ___ __ _ _ __
|  _  / | | / __| __|\___ \ / __/ _` | '_ \
| | \ \ |_| \__ \ |_ ____) | (_| (_| | | | |
|_|  \_\__,_|___/\__|_____/ \___\__,_|_| |_|
Faster nmap scanning with rust.
Automated Decryption Tool - https://github.com/ciphey/ciphey
Creator https://github.com/brandonskerritt
Open 21
Open 22
Open 25
Open 80
Open 143
Open 8080
Starting nmap.
kali@kali:~/SyachinekoLab/workspace/Tools$ Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-24 10:20 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
Initiating Ping Scan at 10:20
Scanning 10.10.10.197 [2 ports]
Completed Ping Scan at 10:20, 0.33s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:20
Completed Parallel DNS resolution of 1 host. at 10:20, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 10:20
Scanning 10.10.10.197 [6 ports]
Discovered open port 25/tcp on 10.10.10.197
Discovered open port 21/tcp on 10.10.10.197
Discovered open port 143/tcp on 10.10.10.197
Discovered open port 22/tcp on 10.10.10.197
Discovered open port 80/tcp on 10.10.10.197
Discovered open port 8080/tcp on 10.10.10.197
Completed Connect Scan at 10:20, 0.31s elapsed (6 total ports)
Initiating Service scan at 10:20
Scanning 6 services on 10.10.10.197
Completed Service scan at 10:20, 10.92s elapsed (6 services on 1 host)
NSE: Script scanning 10.10.10.197.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:20
Completed NSE at 10:21, 11.64s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 25.59s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 0.00s elapsed
Nmap scan report for 10.10.10.197
Host is up, received syn-ack (0.32s latency).
Scanned at 2020-07-24 10:20:38 EDT for 49s

PORT     STATE SERVICE REASON  VERSION
21/tcp   open  ftp     syn-ack vsftpd 3.0.3
22/tcp   open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy6l2NxLZItm85sZuNKU/OzDEhlvYMmmrKpTD0+uxdQyySppZN3Lo6xOM2dC6pqG5DQjz+GPJl1/kbdla6qJXDZ1D5lnnCaImTqU++a1WceLck3/6/04B5RlTYUoLQFwRuy84CX8NDvs0mIyR7bpbd8W03+EAwTabOxXfukQG1MbgCY5V8QmLRdi/ZtsIqVxVZWOYI5rvuAQ+YM9D/Oa6mwAO5l2V3/h/A5nHDx2Vkl1++kfDqFNop2D2vssInvdwLKZ0M5RvXLQPlsqRLfqtcTBBLxYY6ZVcLHkvEA+gekHGcPRw0MV5U9vsx18+6O8wm9ZNI/a1Y4TyXIHMcbHi9
|   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL62JJEI1N8SHtcSypj9IjyD3dm6CA5iyog1Rmi4P5N6VtA/5RxBxegMYv7bTFymmFm02+w9zXdKMUcSs5TbE=
|   256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZ/TeP6ZPj9zbHyFVfwZg48EElGqKCENQgPw+QCoC7x
25/tcp   open  smtp    syn-ack Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
80/tcp   open  http    syn-ack nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp  open  imap    syn-ack Courier Imapd (released 2018)
|_imap-capabilities: completed THREAD=ORDEREDSUBJECT QUOTA IDLE ACL2=UNION NAMESPACE SORT ACL IMAP4rev1 STARTTLS OK CAPABILITY CHILDREN UTF8=ACCEPTA0001 ENABLE THREAD=REFERENCES UIDPLUS
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US/localityName=New York/organizationalUnitName=Automatically-generated IMAP SSL key
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US/localityName=New York/organizationalUnitName=Automatically-generated IMAP SSL key
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-14T17:14:21
| Not valid after:  2021-05-14T17:14:21
| MD5:   3faf 4166 f274 83c5 8161 03ed f9c2 0308
| SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
| -----BEGIN CERTIFICATE-----
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http    syn-ack nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host:  debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.10 seconds
kali@kali:~/SyachinekoLab/workspace/Tools$
I see. Just a guess, but it looks like it first does nothing but a super-fast port scan,
and then runs nmap directly against just those ports...?
If so, nmap really does get run with no wasted effort, so it may well be more efficient.
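As an added example (not RustScan's own code), this POSIX shell script redoes by hand the two steps guessed at above, turning a constructed copy of the "Open N" lines from the run into the port list for nmap's -p option, and sizes the batch below the shell's open-file limit (ulimit -n), which is what the "Too many open files" panic earlier ran into. The function names and the 100-descriptor headroom are assumptions of this example.

```shell
#!/bin/sh
# Added example, not RustScan's own code: discovery output -> nmap -p list, plus a
# batch size that stays under the per-process open-file limit (EMFILE otherwise).
# Function names and the 100-descriptor headroom are assumptions.

# Constructed sample of RustScan's discovery output (the "Open N" lines seen in the run above).
SAMPLE_RUSTSCAN_OUTPUT='Faster nmap scanning with rust.
Open 21
Open 22
Open 25
Open 80
Open 143
Open 8080
Starting nmap.'

# Turn the "Open N" lines into the comma-separated list that nmap's -p option takes.
ports_from_rustscan() {
    printf '%s\n' "$1" | awk '$1 == "Open" && $2 ~ /^[0-9]+$/ { print $2 }' \
        | sort -n | uniq | paste -sd, -
}

# Pick a batch size with headroom under the open-file limit: every in-flight connect
# holds one descriptor, so a batch at or above ulimit -n fails with "Too many open files".
# Arguments: headroom (default 100) and limit (default: this shell's ulimit -n).
safe_batch() {
    headroom=${1:-100}
    limit=${2:-$(ulimit -n)}
    batch=$((limit - headroom))
    if [ "$batch" -lt 1 ]; then batch=1; fi
    echo "$batch"
}

# Build the nmap command line RustScan's help describes: nmap {your commands} -vvv -p $PORTS.
nmap_cmd_for() {
    target=$1
    ports=$2
    shift 2
    echo "nmap $* -vvv -p $ports $target"
}

main() {
    echo "batch size with headroom on this host: $(safe_batch)"
    ports=$(ports_from_rustscan "$SAMPLE_RUSTSCAN_OUTPUT")
    echo "open ports from discovery: $ports"
    # Printed rather than executed: the target is the sample address from the post.
    nmap_cmd_for 10.10.10.197 "$ports" -A -sC
}

main
```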
I see...
Maybe I'll try it out in practice too!
I've found a good tool.
That's all.