Update: 增加IP扫描的masscan+nmap方法，masscan快速进行端口开放扫描，nmap用-sV进行详细扫描

README.md

@@ -99,6 +99,7 @@ Tested on [ubuntu18.04 LTS](docs/install_linux.md)、[macOS](docs/install_mac.md
 
 ## 版本更新
 
+- 2.4.3：2021-10-13，增加IP扫描的masscan+nmap方法，masscan快速进行端口开放扫描，nmap用-sV进行详细扫描；
 - 2.4.2：2021-10-9，增加IP扫描的“探测+扫描”模式任务，增加内网资产收集的便利性；去除whatweb的安装和使用（HTTPX已基本可替代其功能）；
 - 2.4.1：2021-9-15，支持扫描任务按IP和端口进行多维度切分，使任务在多个worker之间均衡分布执行；
 - 2.4.0：2021-9-10，使用RPC架构，优化server与worker之间的同步、server与worker的配置文件分离；增加在线的IP信息、登录验证码、按发现时间筛选资产功能。

pkg/task/portscan/masscan.go

@@ -17,6 +17,7 @@ type Masscan struct {
 
 // NewMasscan 创建masscan对象
 func NewMasscan(config Config) *Masscan {
+	config.CmdBin = "masscan"
 	return &Masscan{Config: config}
 }
 

pkg/task/portscan/nmap.go

@@ -19,6 +19,7 @@ type Nmap struct {
 
 //NewNmap 创建nmap对象
 func NewNmap(config Config) *Nmap {
+	config.CmdBin = "nmap"
 	return &Nmap{Config: config}
 }
 

pkg/task/workerapi/portscan.go

@@ -2,13 +2,19 @@ package workerapi
 
 import (
 	"context"
+	"fmt"
 	"github.com/hanc00l/nemo_go/pkg/comm"
 	"github.com/hanc00l/nemo_go/pkg/logging"
 	"github.com/hanc00l/nemo_go/pkg/task/fingerprint"
 	"github.com/hanc00l/nemo_go/pkg/task/portscan"
+	"github.com/remeh/sizedwaitgroup"
 	"strings"
 )
 
+const (
+	fpNmapThreadNumber = 10
+)
+
 // PortScan 端口扫描任务
 func PortScan(taskId, configJSON string) (result string, err error) {
 	var ok bool
@@ -21,14 +27,16 @@ func PortScan(taskId, configJSON string) (result string, err error) {
 	}
 	var resultPortScan portscan.Result
 	// 端口扫描
-	if config.CmdBin == "nmap" {
+	if config.CmdBin == "masnmap" {
+		resultPortScan = doMasscanPlusNmap(config)
+	} else if config.CmdBin == "nmap" {
 		nmap := portscan.NewNmap(config)
 		nmap.Do()
 		resultPortScan = nmap.Result
 	} else {
-		mascan := portscan.NewMasscan(config)
-		mascan.Do()
-		resultPortScan = mascan.Result
+		masscan := portscan.NewMasscan(config)
+		masscan.Do()
+		resultPortScan = masscan.Result
 	}
 	// IP位置
 	if config.IsIpLocation {
@@ -52,12 +60,11 @@ func PortScan(taskId, configJSON string) (result string, err error) {
 		wappalyzer.Do()
 	}
 	// 保存结果
-	x := comm.NewXClient()
-
 	resultArgs := comm.ScanResultArgs{
 		IPConfig: &config,
 		IPResult: resultPortScan.IPResult,
 	}
+	x := comm.NewXClient()
 	err = x.Call(context.Background(), "SaveScanResult", &resultArgs, &result)
 	if err != nil {
 		logging.RuntimeLog.Error(err)
@@ -80,3 +87,49 @@ func PortScan(taskId, configJSON string) (result string, err error) {
 
 	return SucceedTask(result), nil
 }
+
+// doMasscanPlusNmap masscan进行端口扫描，nmap -sV进行详细扫描
+func doMasscanPlusNmap(config portscan.Config) (resultPortScan portscan.Result) {
+	resultPortScan.IPResult = make(map[string]*portscan.IPResult)
+	//masscan扫描
+	masscan := portscan.NewMasscan(config)
+	masscan.Do()
+	ipPortMap := getResultIPPortMap(masscan.Result.IPResult)
+	//nmap多线程扫描
+	swg := sizedwaitgroup.New(fpNmapThreadNumber)
+	for ip, port := range ipPortMap {
+		nmapConfig := config
+		nmapConfig.Target = ip
+		nmapConfig.Port = port
+		nmapConfig.Tech = "-sV"
+		swg.Add()
+		go func(c portscan.Config) {
+			nmap := portscan.NewNmap(c)
+			nmap.Do()
+			resultPortScan.Lock()
+			for nip, r := range nmap.Result.IPResult {
+				resultPortScan.IPResult[nip] = r
+			}
+			resultPortScan.Unlock()
+			swg.Done()
+		}(nmapConfig)
+	}
+	swg.Wait()
+
+	return
+}
+
+// getResultIPPortMap 提取扫描结果的ip和port
+func getResultIPPortMap(result map[string]*portscan.IPResult) (ipPortMap map[string]string) {
+	ipPortMap = make(map[string]string)
+	for ip, r := range result {
+		var ports []string
+		for p, _ := range r.Ports {
+			ports = append(ports, fmt.Sprintf("%d", p))
+		}
+		if len(ports) > 0 {
+			ipPortMap[ip] = strings.Join(ports, ",")
+		}
+	}
+	return
+}

pkg/task/workerapi/portscan_test.go

@@ -11,15 +11,15 @@ func TestPortScan(t *testing.T) {
 	config := portscan.Config{
 		Target:        "192.168.3.0/24",
 		ExcludeTarget: "",
-		Port:          "--top-ports 1000",
+		Port:          "--top-ports 100",
 		OrgId:         nil,
 		Rate:          1000,
 		IsPing:        true,
 		Tech:          "-sS",
 		IsIpLocation:  true,
 		IsHttpx:       true,
 		IsWhatWeb:     false,
-		CmdBin:        "nmap",
+		CmdBin:        "masnmap",
 	}
 
 	configJSON, err := json.Marshal(config)

pkg/web/controllers/task.go

@@ -434,10 +434,10 @@ func (c *TaskController) doPortscan(target string, port string, req portscanRequ
 		IsWhatWeb:     req.IsWhatweb,
 		IsScreenshot:  req.IsScreenshot,
 		IsWappalyzer:  req.IsWappalyzer,
-		CmdBin:        "masscan",
+		CmdBin:        req.CmdBin,
 	}
-	if req.CmdBin == "nmap" {
-		config.CmdBin = "nmap"
+	if req.CmdBin == "" {
+		config.CmdBin = conf.GlobalWorkerConfig().Portscan.Cmdbin
 	}
 	if config.Port == "" {
 		config.Port = conf.GlobalWorkerConfig().Portscan.Port

web/views/ip-list.html

@@ -225,6 +225,8 @@ <h4 class="modal-title" id="myModalLabel">
                                                                             <option value="masscan" selected="selected">
                                                                                 masscan（默认）
                                                                             </option>
+                                                                            <option value="masnmap">masscan+nmap
+                                                                            </option>
                                                                         </select>
                                                                     </div>
                                                                     <div class="form-group col-md-4">