go-netscan

Welcome back! Every year the CCDC Red Team gets together a little early to write new tooling we wish we had. 90% of those tools never see public release, but this is one of the rare ones that doesn't give away too many of our TTPs, so we are publicizing it. I also love tool release days! Introducing go-netscan!

It's actually an evolution of an old tool I developed, which Lucas has helped make substantially better; believe it or not, this is a direct evolution of GoRedShell. You may remember the inspiration behind GoRedShell was our own cross-platform version of Hydra and/or CrackMapExec. But GoRedShell had a lot of problems towards the end of last year. I developed it as one massive monolithic switch statement, which meant adding new modules could easily break the whole thing, and making that whole mess multi-threaded for speed wasn't very straightforward. After I showed Lucas the idea, he helped me take it to the next level, bypassing many of the limitations I was encountering and refactoring the whole project in the process.

To start, all of the previous scanner modules have been copied over, with the addition of SMB authentication checks! It also now supports modular scanners, meaning you can easily plug and play new scanners without having to insert them directly into main. Adding a new module is really simple; check out this example, where you only need to change two files. First, in main, make sure to import your package and include it in the scanners array. Next, drop your package's files into the scanners directory. There is also a template in the scanners directory for getting started. Mega simple, and no more messy in-lining of the commands.

It's also all multi-threaded now. go-netscan uses channels and wait groups to let the user specify how fast they want this bad boy to run, a major evolution of its previous single-threaded form.
In the end, this design looks much cleaner: the threading at runtime is clearer and the scanning modules are all in their own packages now. The entire project also includes great code comments and templating, so it's easy to follow along and learn from. Finally, let's look at some examples of how to use this in practice:
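To make the two design points above concrete (a scanner registry that main only has to be told about once, and a channel/WaitGroup worker pool whose width the user picks), here is an added, self-contained Go sketch. It is not go-netscan's code: the `Scanner` interface, the `Cred`/`Result` types, the `fakeScanner` stand-in that "authenticates" against a fixed password, and the `RunScan` function are all assumptions of this example, and the registry is a map keyed by protocol name rather than the array the post describes. The targets and credentials are constructed so it runs offline.

```go
package main

import (
	"fmt"
	"sync"
)

// Cred is one line of the "authtype,un,pw" file. "sshkey" is the authtype the
// post names; "password" is an assumed name used by this example.
type Cred struct {
	AuthType string
	User     string
	Secret   string // password, or path to the private key for sshkey
}

// Result is what a scanner reports for one host/credential pair.
type Result struct {
	Host    string
	User    string
	Success bool
}

// Scanner is the plug-in contract assumed here: a protocol module lives in its
// own package, satisfies this interface, and is registered in main by name.
type Scanner interface {
	Check(host string, c Cred) Result
}

// fakeScanner stands in for a real smb/ssh/winrm module so the pipeline runs
// offline: it "authenticates" when the password equals a fixed value.
type fakeScanner struct{ secret string }

func (f fakeScanner) Check(host string, c Cred) Result {
	ok := c.AuthType == "password" && c.Secret == f.secret
	return Result{Host: host, User: c.User, Success: ok}
}

// scanners is the registry a -p value is resolved against; adding a module is
// one import plus one entry here.
var scanners = map[string]Scanner{
	"smb": fakeScanner{secret: "Winter2019!"},
}

type job struct {
	host string
	cred Cred
}

// RunScan fans every target/credential pair out to `threads` workers over a
// channel and gathers their results. The WaitGroup closes the results channel
// only after all workers have drained the queue, so the collector loop ends
// without a sentinel. threads <= 0 falls back to a single worker.
func RunScan(s Scanner, targets []string, creds []Cred, threads int) []Result {
	if threads <= 0 {
		threads = 1
	}
	jobs := make(chan job)
	results := make(chan Result)
	var wg sync.WaitGroup

	for i := 0; i < threads; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for j := range jobs {
				results <- s.Check(j.host, j.cred)
			}
		}()
	}

	// Producer: enqueue the cartesian product, then close so workers exit.
	go func() {
		for _, t := range targets {
			for _, c := range creds {
				jobs <- job{host: t, cred: c}
			}
		}
		close(jobs)
	}()

	// Closer: once every worker is done, no more results can arrive.
	go func() {
		wg.Wait()
		close(results)
	}()

	var out []Result
	for r := range results {
		out = append(out, r)
	}
	return out
}

func main() {
	// Constructed inputs standing in for -tF targets and -aF creds.
	targets := []string{"10.0.0.5", "10.0.0.6", "10.0.0.7"}
	creds := []Cred{
		{AuthType: "password", User: "administrator", Secret: "Winter2019!"},
		{AuthType: "password", User: "guest", Secret: "guest"},
	}
	for _, r := range RunScan(scanners["smb"], targets, creds, 3) {
		fmt.Printf("%s %s success=%v\n", r.Host, r.User, r.Success)
	}
}
```

Because results come back in whatever order the workers finish, anything that writes an output file (the `-o` flag in the usage lines below) should either sort by host afterwards or tag each result with its host, as `Result` does here. The unbuffered `jobs` channel is what throttles the sweep: no more than `threads` checks are ever in flight, which is the knob you want when the target is fragile or lockout policies are in play.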

./go-netscan -p smb -aF creds -tF targets -o results 
./go-netscan -p ssh -c whoami -aF creds -tF targets -o results -tP wide
./go-netscan -p winrm -v 3 -threads 3 -aF creds -tF targets -o results -tP deep

The biggest difference, in my opinion, is that the cred files are no longer in "un:pw" format but in "authtype,un,pw" format. The nice part is that this means we can support things like SSH keys for some usernames and passwords for others in the same SSH sweep. In that format, you put the path to the SSH key in the pw location after specifying the "sshkey" authtype. I think the goal moving forward is to keep adding more scanner types now that the project has been refactored. Looking forward to seeing people's thoughts in the comments, and as always, pull requests are welcome!
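As an added example of handling that "authtype,un,pw" format (not go-netscan's own parser), the Go function below reads a cred file, keeps "sshkey" entries as key paths and password entries as passwords, and refuses to continue on a malformed line instead of silently skipping it. It assumes the password authtype is spelled "password" and that authtypes are compared case-insensitively; it also splits on the first two commas only so a password containing a comma survives, which is a choice of this example rather than a documented go-netscan behaviour. The sample file contents are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Cred is one parsed line of the "authtype,un,pw" file. For authtype "sshkey"
// (the name the post uses) Secret is the path to the private key; for
// "password" (an assumed name) it is the password itself.
type Cred struct {
	AuthType string
	User     string
	Secret   string
}

// knownAuthTypes lists the authtypes this example accepts.
var knownAuthTypes = map[string]bool{"password": true, "sshkey": true}

// ParseCreds parses the three-field format. Only the first two commas split
// the line, so a password containing commas is kept intact. Blank lines are
// skipped; a malformed or unknown line aborts with its line number, because a
// credential that quietly drops out of a sweep is hard to notice afterwards.
func ParseCreds(r io.Reader) ([]Cred, error) {
	var creds []Cred
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		raw := strings.TrimRight(sc.Text(), "\r")
		if strings.TrimSpace(raw) == "" {
			continue
		}
		parts := strings.SplitN(raw, ",", 3)
		if len(parts) != 3 {
			return nil, fmt.Errorf("line %d: expected authtype,user,secret, got %q", n, raw)
		}
		c := Cred{
			AuthType: strings.ToLower(strings.TrimSpace(parts[0])),
			User:     strings.TrimSpace(parts[1]),
			Secret:   parts[2], // not trimmed: passwords may legitimately end in spaces
		}
		if !knownAuthTypes[c.AuthType] {
			return nil, fmt.Errorf("line %d: unknown authtype %q", n, c.AuthType)
		}
		if c.User == "" || c.Secret == "" {
			return nil, fmt.Errorf("line %d: empty user or secret", n)
		}
		creds = append(creds, c)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return creds, nil
}

// sampleCreds is constructed input mixing a key and passwords in one sweep,
// as the post describes. The key path is made up.
const sampleCreds = `sshkey,root,/home/op/keys/id_ed25519
password,administrator,Winter2019!
password,svc_backup,p@ss,with,commas

`

func main() {
	creds, err := ParseCreds(strings.NewReader(sampleCreds))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, c := range creds {
		fmt.Printf("%-8s %-14s %s\n", c.AuthType, c.User, c.Secret)
	}
}
```

One practical consequence of failing hard on a bad line: an old "un:pw" file fed to the new format is rejected on line 1 rather than producing a sweep where every credential is silently wrong.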