diff --git a/.idea/workspace.xml b/.idea/workspace.xml
index 0f46702..4f91387 100644
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@@ -4,7 +4,15 @@
-
+
+
+
+
+
+
+
+
+
@@ -43,6 +51,7 @@
{
"keyToString": {
+ "DefaultGoTemplateProperty": "Go File",
"RunOnceActivity.go.format.on.save.advertiser.fired": "true",
"RunOnceActivity.go.formatter.settings.were.checked": "true",
"RunOnceActivity.go.migrated.go.modules.settings": "true",
@@ -149,6 +158,10 @@
+
+
+
+
true
diff --git a/Yasso.exe b/Yasso.exe
index 56cee9d..3a025e3 100644
Binary files a/Yasso.exe and b/Yasso.exe differ
diff --git a/core/plugin/all.go b/core/plugin/all.go
index 3830a35..0699b8f 100644
--- a/core/plugin/all.go
+++ b/core/plugin/all.go
@@ -372,6 +372,10 @@ func (s *scannerAll) RunEnumeration() {
if ok {
logger.JSONSave(ip, logger.InformationSave, "oxid", information)
}
+ ok, information = DceRpcOSVersion(ip, 135, s.timeout)
+ if ok {
+ logger.JSONSave(ip, logger.InformationSave, "dcerpc", information)
+ }
}(ip)
mutex.Unlock()
}
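Review bot: The port is hard-coded as `135` at the added call even though DceRpcOSVersion takes a port parameter, and the osDigits helper it calls in dcerpc.go dials 135 itself with a fixed 5 s timeout, so neither the port nor `s.timeout` fully governs the probe. A shared named constant, `const dceRpcPort = 135`, used here and in osDigits, plus passing the timeout through, would keep the two halves of the probe consistent. RunEnumeration starts outside the hunk; judging by the closing `}(ip)` the call runs inside a per-host goroutine, which matters because dcerpc.go keeps a package-level mutable cursor (`length`) that is not synchronized.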
diff --git a/core/plugin/dcerpc.go b/core/plugin/dcerpc.go
new file mode 100644
index 0000000..7b225f7
--- /dev/null
+++ b/core/plugin/dcerpc.go
@@ -0,0 +1,71 @@
+package plugin
+
+import (
+ "Yasso/core/logger"
+ "bytes"
+ "encoding/binary"
+ "fmt"
+ "net"
+ "time"
+)
+
+const v1 = "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa\x03\x00\x00\x00\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36\x01\x00\x00\x00"
+
+const dce = "\x05\x00\x0b\x03\x10\x00\x00\x00\x78\x00\x28\x00\x03\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x01\x00\xa0\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46\x00\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00\x0a\x02\x00\x00\x00\x00\x00\x00\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x01\xb1\x1d\x00\x00\x00\x0f"
+
+var length = 0
+
+func DceRpcOSVersion(ip string, port int, timeout time.Duration) (bool, string) {
+ conn, err := net.DialTimeout("tcp", fmt.Sprintf("%v:%v", ip, port), timeout)
+ if err != nil {
+ return false, ""
+ }
+ _, err = conn.Write([]byte(dce))
+ if err != nil {
+ return false, ""
+ }
+ var buffer = make([]byte, 4096)
+ _, err = conn.Read(buffer)
+ if err != nil {
+ return false, ""
+ }
+ digit := osDigits(ip) // 获取位数
+ osVersionBytes := buffer[int(0xa0)-54+10 : int(0xa0)-54+18]
+ majorVersion := osVersionBytes[0:1] // 主要版本
+ MinorVersion := osVersionBytes[1:2] // 次要版本
+ BuildNumber := osVersionBytes[2:4] // 构建号
+ osVersion := fmt.Sprintf("Windows Verison %d.%d Build %v %v", majorVersion[0], MinorVersion[0], binary.LittleEndian.Uint16(BuildNumber), digit)
+
+ //infoLengthBytes := buffer[int(0xa0)-54+2 : int(0xa0)-54+4]
+ //infoLength := int(binary.LittleEndian.Uint16(infoLengthBytes))
+ //infoBytes := buffer[n-infoLength : n-4]
+ //netBoisDomainName := attribute(infoBytes)
+ //dnsDomainName := attribute(infoBytes)
+ //dnsComputerName := attribute(infoBytes)
+ //dnsTreeName := attribute(infoBytes)
+ logger.Success(fmt.Sprintf("%v:%v %v", ip, port, osVersion))
+ //logger.Info(fmt.Sprintf("NetBios (%v) DomainName (%v) ComputerName (%v)", netBoisDomainName, dnsDomainName, dnsComputerName))
+ return true, osVersion
+}
+
+func osDigits(ip string) string {
+ conn, err := net.DialTimeout("tcp", fmt.Sprintf("%v:%v", ip, 135), time.Second*5)
+ if err != nil {
+ return ""
+ }
+ conn.Write([]byte(v1))
+ var buffer = make([]byte, 1024)
+ conn.Read(buffer)
+ var digits = "x86"
+ if bytes.Contains(buffer, []byte("\x33\x05\x71\x71\xBA\xBE\x37\x49\x83\x19\xB5\xDB\xEF\x9C\xCC\x36")) {
+ digits = "x64"
+ }
+ return digits
+}
+
+func attribute(info []byte) string {
+ nameLength := int(binary.LittleEndian.Uint16(info[length+2 : length+4]))
+ name := bytes.Replace(info[length+4:length+4+nameLength], []byte("\x00"), []byte(""), -1)
+ length = length + 4 + nameLength
+ return string(name)
+}
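Review bot: Neither `conn` in DceRpcOSVersion nor the one in osDigits is ever closed, and no deadline is set after DialTimeout, so every probed host costs a leaked descriptor and a Read that can block indefinitely on a host that accepts the connection but never answers. The byte count from conn.Read is discarded, so a short or non-NTLM reply is still sliced at the fixed offsets 116..124 and reported as a success with a meaningless `Windows Verison 0.0 Build 0` (the runtime string also misspells "Version"). The rewrite below closes the connection, bounds I/O with the caller's timeout and rejects replies shorter than the offsets it reads; ideally it would also confirm the reply actually carries an NTLMSSP challenge before trusting those offsets. Separately, attribute() indexes `info` from the package-level `length` with no bounds checks and never resets it, so a malformed reply would panic the whole scanner and concurrent callers (all.go invokes this per host in a goroutine) would race on it; since it is only referenced from commented-out code, either drop it or make the cursor a local and check `len(info)` before each slice.

```go
func DceRpcOSVersion(ip string, port int, timeout time.Duration) (bool, string) {
	conn, err := net.DialTimeout("tcp", fmt.Sprintf("%v:%v", ip, port), timeout)
	if err != nil {
		return false, ""
	}
	defer conn.Close()
	// DialTimeout bounds only the handshake; without a deadline Read can block forever.
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return false, ""
	}
	if _, err = conn.Write([]byte(dce)); err != nil {
		return false, ""
	}
	buffer := make([]byte, 4096)
	n, err := conn.Read(buffer)
	// The version bytes are read at fixed offsets; a reply shorter than that is not a result.
	if err != nil || n < int(0xa0)-54+18 {
		return false, ""
	}
	osVersionBytes := buffer[int(0xa0)-54+10 : int(0xa0)-54+18]
	// … unchanged: version formatting, logging and return …
}
```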
diff --git a/core/plugin/eternalblue.go b/core/plugin/eternalblue.go
index f7c7cae..28576bf 100644
--- a/core/plugin/eternalblue.go
+++ b/core/plugin/eternalblue.go
@@ -112,12 +112,8 @@ func RequestMs17010(conn net.Conn, ip string) (bool, error) {
}
if reply[9] == 0x05 && reply[10] == 0x02 && reply[11] == 0x00 && reply[12] == 0xc0 {
- //fmt.Printf("%s\tMS17-010\t(%s)\n", ip, os)
- //if runtime.GOOS=="windows" {fmt.Printf("%s\tMS17-010\t(%s)\n", ip, os)
- //} else{fmt.Printf("\033[33m%s\tMS17-010\t(%s)\033[0m\n", ip, os)}
- //color.Magenta("%s\tMS17-010\t(%s)\n", ip, os)
+
logger.Info(fmt.Sprintf("%v Find MS17010 (%s)", ip, os))
- // detect present of DOUBLEPULSAR SMB implant
trans2SessionSetupRequest[28] = treeID[0]
trans2SessionSetupRequest[29] = treeID[1]
trans2SessionSetupRequest[32] = userID[0]
diff --git a/core/plugin/nbns_test.go b/core/plugin/nbns_test.go
new file mode 100644
index 0000000..6fb37d3
--- /dev/null
+++ b/core/plugin/nbns_test.go
@@ -0,0 +1,7 @@
+package plugin
+
+import "testing"
+
+func TestNbnsScanConn(t *testing.T) {
+
+}
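Review bot: TestNbnsScanConn has an empty body, so it passes vacuously and reads as coverage the package does not have. Until it asserts something, mark the gap explicitly with `t.Skip("TODO: exercise NbnsScanConn against a local listener")`, or leave the file out of the commit.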
diff --git a/result.txt b/result.txt
index 4d1c8c4..01269c8 100644
--- a/result.txt
+++ b/result.txt
@@ -1158,3 +1158,249 @@
[+] [LAPTOP-ESQC1EPT 192.168.23.1 192.168.248.1 2.0.0.1 192.168.0.184]
[+] 192.168.248.1 Find CVE-2020-0796
[*] Yasso scan complete
+[*] 192.168.248.1 is alive (ping)
+[*] 192.168.248.1:135 is open
+[*] 192.168.248.1:25 is open
+[*] 192.168.248.1:445 is open
+[*] 192.168.248.1:139 is open
+[*] 192.168.248.1:110 is open
+[*] 192.168.248.1:8443 is open
+[+] https://192.168.248.1:8443 200 [Apache2 Ubuntu Default Page: It works]
+[+] [192.168.248.1:445]
+[10.0.19041 (version) || LAPTOP-ESQC1EPT (FQDN Name) ||LAPTOP-ESQC1EPT (Domain Name) ||LAPTOP-ESQC1EPT (Netbios Name)]
+[+] [LAPTOP-ESQC1EPT 192.168.0.184 192.168.23.1 192.168.248.1 2.0.0.1]
+[+] 192.168.248.1 Find CVE-2020-0796
+[*] Yasso scan complete
+[*] 192.168.248.207 is alive (ping)
+[*] 192.168.248.206 is alive (ping)
+[*] 192.168.248.203 is alive (ping)
+[*] 192.168.248.1 is alive (ping)
+[*] 192.168.248.207:22 is open
+[*] 192.168.248.206:135 is open
+[*] 192.168.248.206:139 is open
+[*] 192.168.248.206:3389 is open
+[*] 192.168.248.206:445 is open
+[*] 192.168.248.203:22 is open
+[*] 192.168.248.1:135 is open
+[*] 192.168.248.1:139 is open
+[*] 192.168.248.1:445 is open
+[*] 192.168.248.206:3389 [Windows 10/Windows 11/Windows Server 2019]
+[*] 192.168.248.203:22 [SSH-2.0-OpenSSH_8.9p1\x20Debian-3]
+[+] brute 192.168.248.203:22 success [root:kali][ssh]
+[*] 192.168.248.207:22 [SSH-2.0-OpenSSH_7.4]
+[+] [192.168.248.206:137] WORKGROUP\DESKTOP-Q258H04
+[+] [192.168.248.206:445]
+[10.0.19041 (version) || DESKTOP-Q258H04 (FQDN Name) ||DESKTOP-Q258H04 (Domain Name) ||DESKTOP-Q258H04 (Netbios Name)]
+[+] [DESKTOP-Q258H04 192.168.248.206]
+[+] [192.168.248.1:445]
+[10.0.19041 (version) || LAPTOP-ESQC1EPT (FQDN Name) ||LAPTOP-ESQC1EPT (Domain Name) ||LAPTOP-ESQC1EPT (Netbios Name)]
+[+] [LAPTOP-ESQC1EPT 192.168.100.175 192.168.23.1 192.168.248.1 2.0.0.1]
+[+] 192.168.248.206 Find CVE-2020-0796
+[+] 192.168.248.1 Find CVE-2020-0796
+[*] Yasso scan complete
+[*] 192.168.248.1 is alive (ping)
+[*] 192.168.248.1:8443 is open
+[*] 192.168.248.1:135 is open
+[*] 192.168.248.1:139 is open
+[*] 192.168.248.1:445 is open
+[*] 192.168.248.1:8080 is open
+[+] http://192.168.248.1:8080 200 [Node.js] [None]
+[+] https://192.168.248.1:8443 200 [Apache2 Ubuntu Default Page: It works]
+[+] [192.168.248.1:445]
+[10.0.19041 (version) || LAPTOP-ESQC1EPT (FQDN Name) ||LAPTOP-ESQC1EPT (Domain Name) ||LAPTOP-ESQC1EPT (Netbios Name)]
+[+] [LAPTOP-ESQC1EPT 192.168.23.1 192.168.248.1 192.168.100.175 2.0.0.1]
+[+] 192.168.248.1 Find CVE-2020-0796
+[*] Yasso scan complete
+[*] 192.168.248.1 is alive (ping)
+[*] 192.168.248.1:135 is open
+[*] 192.168.248.1:139 is open
+[*] 192.168.248.1:445 is open
+[+] [192.168.248.1:445]
+[10.0.19041 (version) || LAPTOP-ESQC1EPT (FQDN Name) ||LAPTOP-ESQC1EPT (Domain Name) ||LAPTOP-ESQC1EPT (Netbios Name)]
+[+] [LAPTOP-ESQC1EPT 192.168.23.1 192.168.248.1 192.168.100.175 2.0.0.1]
+[+] 192.168.248.1 Find CVE-2020-0796
+[*] Yasso scan complete
+[*] 192.168.248.203 is alive (ping)
+[*] 192.168.248.217 is alive (ping)
+[*] 192.168.248.1 is alive (ping)
+[*] 192.168.248.203:22 is open
+[*] 192.168.248.203:445 is open
+[*] 192.168.248.203:139 is open
+[*] 192.168.248.217:3389 is open
+[*] 192.168.248.217:135 is open
+[*] 192.168.248.217:139 is open
+[*] 192.168.248.217:445 is open
+[*] 192.168.248.1:135 is open
+[*] 192.168.248.1:139 is open
+[*] 192.168.248.1:445 is open
+[*] 192.168.248.203:22 [SSH-2.0-OpenSSH_8.9p1\x20Debian-3]
+[+] brute 192.168.248.203:22 success [root:kali][ssh]
+[*] smb 192.168.248.203 unauthorized
+[*] 192.168.248.217:3389 [Windows 10/Windows 11/Windows Server 2019]
+[+] [192.168.248.203:445]
+[6.1.0 (version) || kali (FQDN Name) ||KALI (Domain Name) ||KALI (Netbios Name)]
+[+] [192.168.248.217:137] WORKGROUP\DESKTOP-Q258H04
+[+] [192.168.248.217:445]
+[10.0.19041 (version) || DESKTOP-Q258H04 (FQDN Name) ||DESKTOP-Q258H04 (Domain Name) ||DESKTOP-Q258H04 (Netbios Name)]
+[+] [DESKTOP-Q258H04 192.168.248.217]
+[+] [192.168.248.1:445]
+[10.0.19041 (version) || LAPTOP-ESQC1EPT (FQDN Name) ||LAPTOP-ESQC1EPT (Domain Name) ||LAPTOP-ESQC1EPT (Netbios Name)]
+[+] [LAPTOP-ESQC1EPT 192.168.23.1 192.168.248.1 192.168.100.175 2.0.0.1]
+[+] 192.168.248.217 Find CVE-2020-0796
+[+] 192.168.248.1 Find CVE-2020-0796
+[*] Yasso scan complete
+[*] 192.168.248.1 is alive (ping)
+[*] 192.168.248.212 is alive (ping)
+[*] 192.168.248.223 is alive (ping)
+[*] 192.168.248.203 is alive (ping)
+[*] 192.168.248.1:135 is open
+[*] 192.168.248.1:445 is open
+[*] 192.168.248.1:139 is open
+[*] 192.168.248.212:53 is open
+[*] 192.168.248.223:135 is open
+[*] 192.168.248.223:139 is open
+[*] 192.168.248.223:445 is open
+[*] 192.168.248.223:3389 is open
+[*] 192.168.248.203:445 is open
+[*] 192.168.248.203:22 is open
+[*] 192.168.248.203:139 is open
+[*] 192.168.248.223:3389 [Windows 10/Windows 11/Windows Server 2019]
+[*] 192.168.248.203:22 [SSH-2.0-OpenSSH_8.9p1\x20Debian-3]
+[+] brute 192.168.248.203:22 success [kali:kali][ssh]
+[*] smb 192.168.248.203 unauthorized
+[+] [192.168.248.1:445]
+[10.0.19041 (version) || LAPTOP-ESQC1EPT (FQDN Name) ||LAPTOP-ESQC1EPT (Domain Name) ||LAPTOP-ESQC1EPT (Netbios Name)]
+[+] [LAPTOP-ESQC1EPT 192.168.248.1 192.168.100.175 192.168.23.1 2.0.0.1]
+[+] [192.168.248.212:137] KLION\DC02 [[31;1mDomain Controllers[0m]
+[+] [192.168.248.212:445]
+[6.3.9600 (version) || Dc02.klion.local (FQDN Name) ||KLION (Domain Name) ||DC02 (Netbios Name)]
+[+] [Dc02 192.168.248.212]
+[+] [192.168.248.223:137] WORKGROUP\DESKTOP-Q258H04
+[+] [192.168.248.223:445]
+[10.0.19041 (version) || DESKTOP-Q258H04 (FQDN Name) ||DESKTOP-Q258H04 (Domain Name) ||DESKTOP-Q258H04 (Netbios Name)]
+[+] [DESKTOP-Q258H04 192.168.248.223]
+[+] [192.168.248.203:445]
+[6.1.0 (version) || kali (FQDN Name) ||KALI (Domain Name) ||KALI (Netbios Name)]
+[+] 192.168.248.1 Find CVE-2020-0796
+[*] 192.168.248.212 Find MS17010 (Windows Server 2012 R2 Standard 9600)
+[+] 192.168.248.223 Find CVE-2020-0796
+[*] Yasso scan complete
+[*] 192.168.248.1 is alive (ping)
+[*] 192.168.248.223 is alive (ping)
+[*] 192.168.248.203 is alive (ping)
+[*] 192.168.248.212 is alive (ping)
+[*] 192.168.248.223:135 is open
+[*] 192.168.248.223:139 is open
+[*] 192.168.248.223:445 is open
+[*] 192.168.248.223:3389 is open
+[*] 192.168.248.1:139 is open
+[*] 192.168.248.1:135 is open
+[*] 192.168.248.1:445 is open
+[*] 192.168.248.203:445 is open
+[*] 192.168.248.203:22 is open
+[*] 192.168.248.203:139 is open
+[*] 192.168.248.212:88 is open
+[*] 192.168.248.212:139 is open
+[*] 192.168.248.212:135 is open
+[*] 192.168.248.212:445 is open
+[*] 192.168.248.212:3389 is open
+[*] 192.168.248.212:80 is open
+[*] 192.168.248.212:53 is open
+[*] 192.168.248.212:389 is open
+[*] 192.168.248.212:49155 is open
+[*] 192.168.248.223:3389 [Windows 10/Windows 11/Windows Server 2019]
+[*] 192.168.248.203:22 [SSH-2.0-OpenSSH_8.9p1\x20Debian-3]
+[+] brute 192.168.248.203:22 success [root:kali][ssh]
+[*] smb 192.168.248.203 unauthorized
+[+] http://192.168.248.212 200 [IIS] [IIS Windows Server]
+[*] 192.168.248.212:3389 [Windows 10/Windows 11/Windows Server 2019]
+[+] [192.168.248.1:445]
+[10.0.19041 (version) || LAPTOP-ESQC1EPT (FQDN Name) ||LAPTOP-ESQC1EPT (Domain Name) ||LAPTOP-ESQC1EPT (Netbios Name)]
+[+] [LAPTOP-ESQC1EPT 192.168.248.1 192.168.100.175 192.168.23.1 2.0.0.1]
+[*] Windows Verison 10.0 Build 19041 x64
+[*] NetBios (LAPTOP-ESQC1EPT) DomainName (LAPTOP-ESQC1EPT) ComputerName (LAPTOP-ESQC1EPT)
+[+] [192.168.248.223:137] WORKGROUP\DESKTOP-Q258H04
+[+] [192.168.248.223:445]
+[10.0.19041 (version) || DESKTOP-Q258H04 (FQDN Name) ||DESKTOP-Q258H04 (Domain Name) ||DESKTOP-Q258H04 (Netbios Name)]
+[+] [DESKTOP-Q258H04 192.168.248.223]
+[*] Windows Verison 10.0 Build 19041 x64
+[*] NetBios (DESKTOP-Q258H04) DomainName () ComputerName ()
+[+] [192.168.248.203:445]
+[6.1.0 (version) || kali (FQDN Name) ||KALI (Domain Name) ||KALI (Netbios Name)]
+[+] [192.168.248.212:137] KLION\DC02 [[31;1mDomain Controllers[0m]
+[+] [192.168.248.212:445]
+[6.3.9600 (version) || Dc02.klion.local (FQDN Name) ||KLION (Domain Name) ||DC02 (Netbios Name)]
+[+] [Dc02 192.168.248.212]
+[*] Windows Verison 6.3 Build 9600 x64
+[*] NetBios () DomainName () ComputerName ()
+[+] 192.168.248.1 Find CVE-2020-0796
+[+] 192.168.248.223 Find CVE-2020-0796
+[*] 192.168.248.212 Find MS17010 (Windows Server 2012 R2 Standard 9600)
+[*] Yasso scan complete
+[*] 192.168.248.212 is alive (ping)
+[*] 192.168.248.212:53 is open
+[*] 192.168.248.212:139 is open
+[*] 192.168.248.212:445 is open
+[*] 192.168.248.212:135 is open
+[*] 192.168.248.212:88 is open
+[*] 192.168.248.212:80 is open
+[*] 192.168.248.212:49155 is open
+[*] 192.168.248.212:389 is open
+[*] 192.168.248.212:3389 is open
+[+] http://192.168.248.212 200 [IIS] [IIS Windows Server]
+[*] 192.168.248.212:3389 [Windows 10/Windows 11/Windows Server 2019]
+[+] [192.168.248.212:137] KLION\DC02 [[31;1mDomain Controllers[0m]
+[+] [192.168.248.212:445]
+[6.3.9600 (version) || Dc02.klion.local (FQDN Name) ||KLION (Domain Name) ||DC02 (Netbios Name)]
+[+] [Dc02 192.168.248.212]
+[+] Windows Verison 6.3 Build 9600 x64
+[*] 192.168.248.212 Find MS17010 (Windows Server 2012 R2 Standard 9600)
+[*] Yasso scan complete
+[*] 192.168.248.212 is alive (ping)
+[*] 192.168.248.212:3389 is open
+[*] 192.168.248.212:53 is open
+[*] 192.168.248.212:49155 is open
+[*] 192.168.248.212:139 is open
+[*] 192.168.248.212:445 is open
+[*] 192.168.248.212:389 is open
+[*] 192.168.248.212:80 is open
+[*] 192.168.248.212:135 is open
+[*] 192.168.248.212:88 is open
+[+] http://192.168.248.212 200 [IIS] [IIS Windows Server]
+[*] 192.168.248.212:3389 [Windows 10/Windows 11/Windows Server 2019]
+[+] [192.168.248.212:137] KLION\DC02 [[31;1mDomain Controllers[0m]
+[+] [192.168.248.212:445]
+[6.3.9600 (version) || Dc02.klion.local (FQDN Name) ||KLION (Domain Name) ||DC02 (Netbios Name)]
+[+] [Dc02 192.168.248.212]
+[+] %!v(MISSING):%!v(MISSING) %!v(MISSING) 192.168.248.212 135 Windows Verison 6.3 Build 9600 x64
+[*] 192.168.248.212 Find MS17010 (Windows Server 2012 R2 Standard 9600)
+[*] Yasso scan complete
+[*] 192.168.248.212 is alive (ping)
+[*] 192.168.248.212:53 is open
+[*] 192.168.248.212:445 is open
+[*] 192.168.248.212:49155 is open
+[*] 192.168.248.212:88 is open
+[*] 192.168.248.212:139 is open
+[*] 192.168.248.212:135 is open
+[*] 192.168.248.212:3389 is open
+[*] 192.168.248.212:389 is open
+[*] 192.168.248.212:80 is open
+[+] http://192.168.248.212 200 [IIS] [IIS Windows Server]
+[*] 192.168.248.212:3389 [Windows 10/Windows 11/Windows Server 2019]
+[+] [192.168.248.212:137] KLION\DC02 [[31;1mDomain Controllers[0m]
+[+] [192.168.248.212:445]
+[6.3.9600 (version) || Dc02.klion.local (FQDN Name) ||KLION (Domain Name) ||DC02 (Netbios Name)]
+[+] [Dc02 192.168.248.212]
+[+] 192.168.248.212:135 Windows Verison 6.3 Build 9600 x64
+[*] 192.168.248.212 Find MS17010 (Windows Server 2012 R2 Standard 9600)
+[*] Yasso scan complete
+[*] 192.168.248.1 is alive (ping)
+[*] 192.168.248.1:135 is open
+[*] 192.168.248.1:445 is open
+[*] 192.168.248.1:139 is open
+[+] [192.168.248.1:445]
+[10.0.19041 (version) || LAPTOP-ESQC1EPT (FQDN Name) ||LAPTOP-ESQC1EPT (Domain Name) ||LAPTOP-ESQC1EPT (Netbios Name)]
+[+] [LAPTOP-ESQC1EPT 192.168.248.1 192.168.100.175 192.168.23.1 2.0.0.1]
+[+] 192.168.248.1:135 Windows Verison 10.0 Build 19041 x64
+[+] 192.168.248.1 Find CVE-2020-0796
+[*] Yasso scan complete
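Review bot: This commit appends live scan output to result.txt, including brute-forced credentials (`[root:kali]`, `[kali:kali]`), internal host names and addresses, and the `%!v(MISSING)` line that records an earlier format-string bug in the Success call; none of that belongs in version control. Add `result.txt` (and the rebuilt `Yasso.exe` binary in this same commit) to `.gitignore` and remove them from the tree, keeping sample output, if wanted, with placeholder hosts and no credentials.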