FTP,SMTP,VNC Fingerprints

2016-06-05 11:54:01 -07:00 · 2016-06-05 11:54:01 -07:00 · 56c267c66e
parent 49095c586a
commit 56c267c66e
9 changed files with 110 additions and 39 deletions
--- a/config/onionscan_config.go
+++ b/config/onionscan_config.go
@ -1,15 +1,15 @@
 package config

-import ()
-
 type OnionscanConfig struct {
 	TorProxyAddress string
 	DirectoryDepth  int
+	Fingerprint     bool
 }

-func Configure(torProxyAddress string, directoryDepth int) *OnionscanConfig {
+func Configure(torProxyAddress string, directoryDepth int, fingerprint bool) *OnionscanConfig {
 	onionScan := new(OnionscanConfig)
 	onionScan.TorProxyAddress = torProxyAddress
 	onionScan.DirectoryDepth = directoryDepth
+	onionScan.Fingerprint = fingerprint
 	return onionScan
 }
--- a/main.go
+++ b/main.go
@ -24,6 +24,7 @@ func main() {
 	jsonReport := flag.Bool("jsonReport", false, "print out a json report providing a detailed report of the scan.")
 	verbose := flag.Bool("verbose", false, "print out a verbose log output of the scan")
 	directoryDepth := flag.Int("depth", 100, "depth of directory scan recursion (default: 100)")
+	fingerprint := flag.Bool("fingerprint", true, "whether to conduct a full scan, or just fingerprint possible ports")

 	flag.Parse()

@ -42,13 +43,9 @@ func main() {
 	}

 	onionScan := new(OnionScan)
-	onionScan.Config = config.Configure(*torProxyAddress, *directoryDepth)
+	onionScan.Config = config.Configure(*torProxyAddress, *directoryDepth, *fingerprint)
 	scanReport, err := onionScan.Scan(hiddenService)

-	if err != nil {
-		log.Fatalf("Error running scanner: %s", err)
-	}
-
 	if *jsonReport {
 		report.GenerateJsonReport(*reportFile, scanReport)
 	}
@ -56,4 +53,9 @@ func main() {
 	if *simpleReport {
 		report.GenerateSimpleReport(*reportFile, scanReport)
 	}
+
+	if !*jsonReport && err != nil {
+		log.Fatalf("Error running scanner: %s", err)
+	}
+
 }
--- a/onionscan.go
+++ b/onionscan.go
@ -2,11 +2,11 @@ package main

 import (
 	"errors"
-	"fmt"
 	"github.com/s-rah/onionscan/config"
 	"github.com/s-rah/onionscan/protocol"
 	"github.com/s-rah/onionscan/report"
 	"github.com/s-rah/onionscan/utils"
+	"log"
 	"strings"
 )

@ -57,8 +57,12 @@ func (os *OnionScan) Scan(hiddenService string) (*report.OnionScanReport, error)
 	mdbps := new(protocol.MongoDBProtocolScanner)
 	mdbps.ScanProtocol(hiddenService, os.Config, report)

+	//VNC
+	vncps := new(protocol.VNCProtocolScanner)
+	vncps.ScanProtocol(hiddenService, os.Config, report)
+
 	if !report.WebDetected && !report.SSHDetected && !report.RicochetDetected && !report.BitcoinDetected && !report.IRCDetected && !report.FTPDetected && !report.SMTPDetected && !report.MongoDBDetected {
-		fmt.Printf("Unable to connect to this Tor Hidden Service on any known protocol.\n")
+		log.Printf("Unable to connect to this Tor Hidden Service on any known protocol.\n")
 		return nil, errors.New("Unable to connect to this Tor Hidden Service on any known protocol.")
 	}

--- a/protocol/ftp_scanner.go
+++ b/protocol/ftp_scanner.go
@ -1,6 +1,9 @@
 package protocol

 import (
+	"bufio"
+	"crypto/sha1"
+	"encoding/hex"
 	"github.com/s-rah/onionscan/config"
 	"github.com/s-rah/onionscan/report"
 	"h12.me/socks"
@ -12,14 +15,22 @@ type FTPProtocolScanner struct {

 func (sps *FTPProtocolScanner) ScanProtocol(hiddenService string, onionscanConfig *config.OnionscanConfig, report *report.OnionScanReport) {
 	// FTP
-	log.Printf("Checking %s FTP(22)\n", hiddenService)
-	_, err := socks.DialSocksProxy(socks.SOCKS5, onionscanConfig.TorProxyAddress)("", hiddenService+":21")
+	log.Printf("Checking %s FTP(21)\n", hiddenService)
+	conn, err := socks.DialSocksProxy(socks.SOCKS5, onionscanConfig.TorProxyAddress)("", hiddenService+":21")
 	if err != nil {
 		log.Printf("Failed to connect to service on port 21\n")
 		report.FTPDetected = false
 	} else {
 		// TODO FTP Checking
 		report.FTPDetected = true
+		reader := bufio.NewReader(conn)
+		banner, err := reader.ReadString('\n')
+		if err == nil {
+			report.FTPBanner = banner
+			hash := sha1.Sum([]byte(banner))
+			report.FTPFingerprint = hex.EncodeToString(hash[:])
+			log.Printf("Found FTP Banner: %s (%s)", banner, report.FTPFingerprint)
+		}
 	}

 }
--- a/protocol/http_scanner.go
+++ b/protocol/http_scanner.go
@ -65,13 +65,16 @@ func (hps *HTTPProtocolScanner) ScanProtocol(hiddenService string, onionscanConf
 		hps.ScanPage(hiddenService, "/server-status", report, scans.ApacheModStatus)
 		hps.ScanPage(hiddenService, "/", report, scans.StandardPageScan)

+		if onionscanConfig.Fingerprint == false {
 			log.Printf("\tScanning Common and Referenced Directories\n")
 			directories := append(CommonDirectories, report.PageReferencedDirectories...)
 			utils.RemoveDuplicates(&directories)
+
 			for _, directory := range directories {
 				hps.ScanPage(hiddenService, directory, report, scans.CheckDirectoryListing(onionscanConfig.DirectoryDepth))
 			}
 		}
+	}
 	log.Printf("\n")
 }

--- a/protocol/smtp_scanner.go
+++ b/protocol/smtp_scanner.go
@ -1,6 +1,9 @@
 package protocol

 import (
+	"bufio"
+	"crypto/sha1"
+	"encoding/hex"
 	"github.com/s-rah/onionscan/config"
 	"github.com/s-rah/onionscan/report"
 	"h12.me/socks"
@ -13,13 +16,21 @@ type SMTPProtocolScanner struct {
 func (sps *SMTPProtocolScanner) ScanProtocol(hiddenService string, onionscanConfig *config.OnionscanConfig, report *report.OnionScanReport) {
 	// SMTP
 	log.Printf("Checking %s SMTP(25)\n", hiddenService)
-	_, err := socks.DialSocksProxy(socks.SOCKS5, onionscanConfig.TorProxyAddress)("", hiddenService+":25")
+	conn, err := socks.DialSocksProxy(socks.SOCKS5, onionscanConfig.TorProxyAddress)("", hiddenService+":25")
 	if err != nil {
 		log.Printf("Failed to connect to service on port 25\n")
 		report.SMTPDetected = false
 	} else {
 		// TODO SMTP Checking
 		report.SMTPDetected = true
+		reader := bufio.NewReader(conn)
+		banner, err := reader.ReadString('\n')
+		if err == nil {
+			report.SMTPBanner = banner
+			hash := sha1.Sum([]byte(banner))
+			report.SMTPFingerprint = hex.EncodeToString(hash[:])
+			log.Printf("Found SMTP Banner: %s (%s)", banner, report.SMTPFingerprint)
+		}
 	}

 }
--- a/protocol/vnc_scanner.go
+++ b/protocol/vnc_scanner.go
@ -0,0 +1,26 @@
+package protocol
+
+import (
+	"github.com/s-rah/onionscan/config"
+	"github.com/s-rah/onionscan/report"
+	"h12.me/socks"
+	"log"
+)
+
+type VNCProtocolScanner struct {
+}
+
+func (vncps *VNCProtocolScanner) ScanProtocol(hiddenService string, onionscanConfig *config.OnionscanConfig, report *report.OnionScanReport) {
+	// MongoDB
+	log.Printf("Checking %s VNC(5900)\n", hiddenService)
+	_, err := socks.DialSocksProxy(socks.SOCKS5, onionscanConfig.TorProxyAddress)("", hiddenService+":5900")
+	if err != nil {
+		log.Printf("Failed to connect to service on port 5900\n")
+		report.VNCDetected = false
+	} else {
+		log.Printf("Detected possible VNC instance\n")
+		// TODO: Actual Analysis
+		report.VNCDetected = true
+	}
+
+}
--- a/report/onionscanreport.go
+++ b/report/onionscanreport.go
@ -17,36 +17,48 @@ type ExifImage struct {
 }

 type OnionScanReport struct {
+	HiddenService string `json:"hiddenService"`
+
+	// Summary
 	WebDetected      bool `json:"webDetected"`
 	SSHDetected      bool `json:"sshDetected"`
 	RicochetDetected bool `json:"ricochetDetected"`
 	IRCDetected      bool `json:"ircDetected"`
 	FTPDetected      bool `json:"ftpDetected"`
 	SMTPDetected     bool `json:"smtpDetected"`
-
 	BitcoinDetected  bool `json:"bitcoinDetected"`
 	MongoDBDetected  bool `json:"mongodbDetected"`
+	VNCDetected      bool `json:"vncDetected"`

-	HiddenService             string      `json:"hiddenService"`
+	// Web Specific
 	ServerPoweredBy           string            `json:"serverPoweredBy"`
 	ServerVersion             string            `json:"serverVersion"`
 	FoundApacheModStatus      bool              `json:"foundApacheModStatus"`
 	RelatedOnionServices      []string          `json:"relatedOnionServices"`
 	RelatedClearnetDomains    []string          `json:"relatedOnionDomains"`
 	LinkedSites               []string          `json:"linkedSites"`
-	InternalPages             []string    `json:"InternalPages"`
+	InternalPages             []string          `json:"internalPages"`
 	IP                        []string          `json:"ipAddresses"`
 	OpenDirectories           []string          `json:"openDirectories"`
 	ExifImages                []ExifImage       `json:"exifImages"`
 	InterestingFiles          []string          `json:"interestingFiles"`
 	PageReferencedDirectories []string          `json:"pageReferencedDirectories"`
 	PGPKeys                   []string          `json:"pgpKeys"`
-
 	Hashes                    []string          `json:"hashes"`
-	SSHKey          string            `json:"sshKey"`
 	Snapshot                  string            `json:"snapshot"`
 	PageTitle                 string            `json:"pageTitle"`
 	ResponseHeaders           map[string]string `json:"responseHeaders"`
+
+	// SSH
+	SSHKey string `json:"sshKey"`
+
+	// FTP
+	FTPFingerprint string `json:"ftpFingerprint"`
+	FTPBanner      string `json:"ftpBanner"`
+
+	// SMTP
+	SMTPFingerprint string `json:"smtpFingerprint"`
+	SMTPBanner      string `json:"smtpBanner"`
 }

 func LoadReportFromFile(filename string) (OnionScanReport, error) {
--- a/scans/standard-page-scan.go
+++ b/scans/standard-page-scan.go
@ -79,6 +79,7 @@ func StandardPageScan(scan Scanner, page string, status int, contents string, re
 		}

 		log.Printf("\tScanning for CSS Fonts and Background Images\n")
+		utils.RemoveDuplicates(&cssLinks)
 		for _, cssUrl := range cssLinks {
 			log.Printf("\tScanning CSS file: %s\n", cssUrl)
 			_, cssContents, _ := scan.ScrapePage(report.HiddenService, utils.WithoutProtocol(cssUrl))
@ -87,6 +88,7 @@ func StandardPageScan(scan Scanner, page string, status int, contents string, re

 		log.Printf("\tScanning for Links\n")
 		domains = append(domains, utils.ExtractDomains(contents)...)
+		utils.RemoveDuplicates(&domains)
 		for _, domain := range domains {
 			baseUrl, _ := url.Parse(domain)
 			if baseUrl.Host != "" && utils.WithoutSubdomains(baseUrl.Host) != utils.WithoutSubdomains(report.HiddenService) {