If both an IP address and a domain are specified for a scan, have the
HTTP scanner use a fake resolver in the DialContext, so that we always
scan the intended IP and Domain name pair.
However, make sure redirects still function as normal, so only use our
fake resolver if the domain name matches the original targeted domain
name.
In addition, the custom resolver is only used if the network specified
is one that supports domain names.
This adds a custom resolver that will always resolve to the specified
IP address. The intended usage is for when doing name-based scans,
but have a specified IP address as well. This will provide a resolver
that can be added to a Dialer, that will cause all DNS lookups to match
the specified IP address.
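The two messages above describe pinning a domain to one IP only for the targeted name, so that redirects to other hosts still resolve normally. The following is an added example, not code from these commits or from zgrab2 itself; the `pinnedDialer` type, its field names and `rewriteAddr` are assumptions made for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
)

// pinnedDialer rewrites the host part of a dial address to a fixed IP when,
// and only when, the host is the domain we intend to scan. Any other host
// (for example the destination of an HTTP redirect) is dialed normally, so
// name resolution for redirects keeps working. (Hypothetical type.)
type pinnedDialer struct {
	domain string     // domain we were asked to scan
	ip     net.IP     // IP that must be paired with that domain
	dialer *net.Dialer // underlying dialer
}

// networkSupportsNames reports whether Go's net package accepts host names
// for this network; only the tcp/udp families do.
func networkSupportsNames(network string) bool {
	switch network {
	case "tcp", "tcp4", "tcp6", "udp", "udp4", "udp6":
		return true
	}
	return false
}

// rewriteAddr returns the address to actually dial. The pinned IP is only
// substituted when the host equals the targeted domain (case-insensitively,
// ignoring a trailing dot) and the network accepts host names.
func (p *pinnedDialer) rewriteAddr(network, addr string) (string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", err
	}
	if !networkSupportsNames(network) {
		return addr, nil
	}
	if strings.EqualFold(strings.TrimSuffix(host, "."), strings.TrimSuffix(p.domain, ".")) {
		return net.JoinHostPort(p.ip.String(), port), nil
	}
	return addr, nil
}

// DialContext is what an http.Transport calls for every connection,
// including the ones it opens while following redirects.
func (p *pinnedDialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	if p.ip == nil || p.domain == "" {
		return nil, errors.New("pinnedDialer requires both a domain and an IP")
	}
	target, err := p.rewriteAddr(network, addr)
	if err != nil {
		return nil, err
	}
	return p.dialer.DialContext(ctx, network, target)
}

func main() {
	p := &pinnedDialer{domain: "example.com", ip: net.ParseIP("192.0.2.10"), dialer: &net.Dialer{}}
	for _, a := range []string{"example.com:443", "EXAMPLE.COM.:80", "cdn.example.net:443"} {
		got, _ := p.rewriteAddr("tcp", a)
		fmt.Println(a, "->", got)
	}
	// Wiring: &http.Transport{DialContext: p.DialContext}
}
```

Because only the socket address is rewritten, an `http.Transport` using this dialer still derives the TLS ServerName and certificate verification from the URL's host, so the scan hits the intended IP while being validated against the intended domain.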
Commit a38194a added an optional port override as part of the
scan target. The HTTP and IPP modules, however, still compose
the URL (and select http vs https) by ignoring the override.
This checks for the override, and if present uses the scan target
port. Otherwise, it falls back to the config port.
https://github.com/zmap/zgrab2/pull/233
* Add support to HTTP for setting local interface
* Add net import
* use correct flag
* better CLI flag name
* Remove logged `\n`
* Remove extraneous if statement
Move ZGrab2's main function to a library, and call it in cmd/zgrab2
after importing all of our modules. Consumers of ZGrab2 as a library can
use the same approach to provide custom sets of modules, without having
to hack the build system or reimplement main.
https://github.com/zmap/zgrab2/pull/224
This pins dependencies via go mod init. Regular builds should still
work, so this won't affect CI. It overrides the default set of deps for
ZFlags, to point to v1.4.0-beta.1. This gets the ParseCommandLine
function.
The previous patch allows the port to be specified in the
`ScanTarget{}`.
Since the port option in the Config may not be the port currently being
scanned, delete the `GetPort()` function provided by each module.
The `GetPort()` function is also not used. While we could just change
the meaning of this function, to mean "Return the port in the Config",
it is probably better to go ahead and just remove all references to it
as there are no users.
The port field is tied to the configuration of each instance of
`Scanner` struct. However, applications using zgrab2 scan modules may
want to specify specific ports to scan, without needing to initialize a
whole new module.
This patch adds a pointer to a uint describing a port to `ScanTarget{}`.
If that is nil, the specified port will override the port in the Config.
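The port-override messages above (the one about HTTP and IPP composing the URL from the config port, and this one introducing the optional port on the scan target) are illustrated by the following added example. It is not code from these commits or from zgrab2; the `ScanTarget` and `HTTPConfig` field names, and the rule that the scheme follows a `UseHTTPS` flag, are assumptions for the example. The pre-fix builder is shown next to the corrected one so the divergence is visible.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// ScanTarget carries an optional per-target port. nil means "no override":
// fall back to the module's configured port. (Field names assumed.)
type ScanTarget struct {
	IP     net.IP
	Domain string
	Port   *uint
}

// HTTPConfig is the per-module configuration; Port applies to every target
// that does not override it. (Assumed shape.)
type HTTPConfig struct {
	Port     uint
	UseHTTPS bool
}

// effectivePort prefers the target's override and otherwise uses the config.
func effectivePort(t ScanTarget, cfg HTTPConfig) uint {
	if t.Port != nil {
		return *t.Port
	}
	return cfg.Port
}

// hostFor prefers the domain (needed for virtual hosting and SNI) and falls
// back to the IP literal.
func hostFor(t ScanTarget) string {
	if t.Domain != "" {
		return t.Domain
	}
	return t.IP.String()
}

// buildURLIgnoringOverride is the pre-fix shape: the URL is composed from the
// config port only, so a target carrying its own port is scanned on the wrong one.
func buildURLIgnoringOverride(t ScanTarget, cfg HTTPConfig, path string) string {
	return compose(hostFor(t), cfg.Port, cfg.UseHTTPS, path)
}

// buildURL consults the override first.
func buildURL(t ScanTarget, cfg HTTPConfig, path string) string {
	return compose(hostFor(t), effectivePort(t, cfg), cfg.UseHTTPS, path)
}

// compose assembles the URL; JoinHostPort brackets IPv6 literals correctly.
func compose(host string, port uint, https bool, path string) string {
	scheme := "http"
	if https {
		scheme = "https"
	}
	u := url.URL{Scheme: scheme, Host: net.JoinHostPort(host, strconv.FormatUint(uint64(port), 10)), Path: path}
	return u.String()
}

func main() {
	cfg := HTTPConfig{Port: 80}
	alt := uint(8080)
	targets := []ScanTarget{
		{IP: net.ParseIP("192.0.2.10"), Domain: "example.com"},
		{IP: net.ParseIP("192.0.2.10"), Domain: "example.com", Port: &alt},
	}
	for _, t := range targets {
		fmt.Println(buildURLIgnoringOverride(t, cfg, "/"), "vs", buildURL(t, cfg, "/"))
	}
}
```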
If the probe for SMB2 fails, close the connection and then try probing
for SMB1 as a backup.
Since there are more SMB2 servers in the wild, that is the first
attempt.
Send SMB1 header, and Negotiation Request message for SMB1.
This brings the zgrab2 smb1 scanner to parity with the zgrab smb1
scanner, with presence detection via smbv1_support.
We check the ProtocolID in the raw data response, for two reasons:
1. Even if the full unmarshal fails for the message, we will log
that it is an smbv1 server
2. We need to add more response types structs, because the format
is different for various SMB1 dialects.
The negotiation response v1 structure is for the SMB1 "NT LM 0.12"
dialect, and is essentially a placeholder for now for future parsing.
TODO: Unmarshal into the appropriate message struct based on
SMB1 dialect, and parse dialect and capabilities, and return those
results.
These two functions are largely duplicates, and only differ in the
boolean option passed to LoggedNegotiateProtocol(). Combine the
functions, and just take that option in as an argument to pass along.
The smb library bounds checks for a message size that is too large, but
does not check for a message size that is way too small. Error out if
the message size is not at least as large as the ProtocolID 4-byte
preamble.
This fixes slice out-of-bounds panics when checking the buffer for the
protID string for certain hosts.
Signed-off-by: Jeff Cody <jcody@censys.io>
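The SMB messages above cover three related points: probing SMB2 first and falling back to SMB1 on a fresh connection, sending an SMB1 header plus "NT LM 0.12" negotiate request and classifying the reply by its ProtocolID, and rejecting replies whose declared size is smaller than the 4-byte preamble before slicing. The following added example puts all three together; it is not code from these commits or from zgrab2's smb library. The `probeConn` interface, `negotiateWithFallback`, the `fakeSMB1Server` stand-in and the specific header flag values are assumptions for the example, and building the SMB2 negotiate request is left to the caller.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	smb1ProtocolID = "\xFFSMB" // SMB1 preamble
	smb2ProtocolID = "\xFESMB" // SMB2/3 preamble
)

// netbiosWrap prefixes msg with the NetBIOS session service header used on
// TCP/445: type byte 0x00 followed by a 3-byte big-endian length.
func netbiosWrap(msg []byte) []byte {
	out := []byte{0x00, byte(len(msg) >> 16), byte(len(msg) >> 8), byte(len(msg))}
	return append(out, msg...)
}

// smb1NegotiateRequest builds SMB_COM_NEGOTIATE (0x72) offering only the
// "NT LM 0.12" dialect: 32-byte SMB1 header, WordCount 0, ByteCount, dialect list.
func smb1NegotiateRequest() []byte {
	hdr := make([]byte, 32)
	copy(hdr[0:4], smb1ProtocolID)
	hdr[4] = 0x72 // Command: SMB_COM_NEGOTIATE; Status (bytes 5..8) stays 0
	hdr[9] = 0x18 // Flags: canonicalized paths, case-insensitive
	binary.LittleEndian.PutUint16(hdr[10:12], 0xC801) // Flags2: Unicode, NT status, ext. security, long names
	binary.LittleEndian.PutUint16(hdr[26:28], 0xFEFF) // PIDLow; TID/UID/MID stay 0
	dialect := append([]byte{0x02}, "NT LM 0.12\x00"...) // BufferFormat 0x02 + NUL-terminated name
	body := make([]byte, 3)                              // WordCount (0) + ByteCount
	binary.LittleEndian.PutUint16(body[1:3], uint16(len(dialect)))
	return netbiosWrap(append(hdr, append(body, dialect...)...))
}

// classifyResponse strips the NetBIOS header and inspects the ProtocolID, returning
// "smb1" or "smb2". A length larger than the buffer or smaller than the 4-byte
// preamble is rejected before slicing, so a truncated or hostile reply cannot panic.
func classifyResponse(raw []byte) (string, error) {
	if len(raw) < 4 {
		return "", errors.New("short read: no NetBIOS header")
	}
	n, payload := int(raw[1])<<16|int(raw[2])<<8|int(raw[3]), raw[4:]
	if n > len(payload) || n < len(smb1ProtocolID) {
		return "", fmt.Errorf("bad message length %d for %d-byte payload", n, len(payload))
	}
	switch string(payload[:4]) {
	case smb1ProtocolID:
		return "smb1", nil
	case smb2ProtocolID:
		return "smb2", nil
	}
	return "", fmt.Errorf("unrecognized ProtocolID % x", payload[:4])
}

// probeConn is the minimal connection surface the fallback needs (a net.Conn in practice).
type probeConn interface {
	Exchange(req []byte) ([]byte, error)
	Close() error
}

// negotiateWithFallback tries SMB2 first (more servers speak it) and, when
// that probe fails or the reply is not SMB2, closes the connection and
// retries SMB1 on a fresh one. Building the SMB2 request is left to the caller.
func negotiateWithFallback(open func() (probeConn, error), smb2Req []byte) (string, error) {
	if c, err := open(); err == nil {
		resp, xerr := c.Exchange(smb2Req)
		c.Close() // always drop the SMB2 attempt before retrying
		if fam, cerr := classifyResponse(resp); xerr == nil && cerr == nil && fam == "smb2" {
			return fam, nil
		}
	}
	c, err := open()
	if err != nil {
		return "", err
	}
	defer c.Close()
	resp, err := c.Exchange(smb1NegotiateRequest())
	if err != nil {
		return "", err
	}
	return classifyResponse(resp)
}

// fakeSMB1Server is a constructed stand-in that answers every request with a
// minimal SMB1-tagged frame, so the SMB2 probe fails and the fallback runs.
type fakeSMB1Server struct{ opens, closes int }

func (s *fakeSMB1Server) Exchange([]byte) ([]byte, error) {
	return netbiosWrap(append([]byte(smb1ProtocolID), 0x72)), nil
}
func (s *fakeSMB1Server) Close() error { s.closes++; return nil }

func main() {
	srv := &fakeSMB1Server{}
	open := func() (probeConn, error) { srv.opens++; return srv, nil }
	fam, err := negotiateWithFallback(open, nil)
	fmt.Println(fam, err, srv.opens, srv.closes) // smb1 <nil> 2 2
}
```

The length check is the part that matters for robustness: a server (or middlebox) that answers with a NetBIOS frame claiming fewer than four bytes would otherwise make `payload[:4]` panic, and a claimed length beyond what was read would make any later field parsing run off the end of the buffer.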