l9tcpid

package module
v1.1.1
Published: Dec 9, 2021 License: MIT Imports: 29 Imported by: 0

README

l9tcpid


l9tcpid reads hosts (by IP address) from stdin in l9format (ip4scout is a convenient source of input) and identifies the protocol spoken on the socket and its capabilities:


Features

  • Identifies SSL/TLS connections and records the connection and certificate state
  • Grabs the JARM fingerprint (including on connections upgraded via STARTTLS/AUTH TLS)
  • Gets a banner
  • Tries to identify the protocol from that banner
  • Provides detailed HTTP application information
  • TODO: fall back to a default port-to-software mapping

Usage

▶ l9tcpid service -h

Displays help for the service command (the only command implemented at the moment).

Flag            Description
--deep-http     Runs additional HTTP checks to identify the software and populates the http event
--max-threads   Maximum number of threads used for identification
--debug         Prints developer information (for now)

Installation Instructions

From Binary

The installation is easy. You can download the pre-built binaries for your platform from the Releases page.

▶ chmod +x l9tcpid-linux-64
▶ mv l9tcpid-linux-64 /usr/local/bin/l9tcpid
From Source
▶ GO111MODULE=on go get -u -v github.com/LeakIX/l9tcpid/cmd/l9tcpid
▶ ${GOPATH}/bin/l9tcpid service -h

Running l9tcpid

l9format

l9tcpid speaks l9format. l9filter can be used to manage input/output from this module.

Running with ip4scout
▶ ip4scout random -r 10000 -p 3306|l9tcpid service --max-threads=100|l9filter transform -i l9 -o human
IP: 163.197.193.175, PORT:3306, PROTO:mysql, SSL:false
mysql_native_password

Raw connection:
00000000  4e 00 00 00 0a 35 2e 35  2e 36 32 2d 6c 6f 67 00  |N....5.5.62-log.|
....

IP: 103.57.220.151, PORT:3306, PROTO:mysql, SSL:false
mysql_native_password

Raw connection:
00000000  65 00 00 00 0a 35 2e 35  2e 35 2d 31 30 2e 33 2e  |e....5.5.5-10.3.|
...

IP: 45.150.6.240, PORT:3306, PROTO:http, SSL:false
HTTP/1.1 400 Bad Request
Server: squid/4.10
.....

Raw connection:
00000000  48 54 54 50 2f 31 2e 31  20 34 30 30 20 42 61 64  |HTTP/1.1 400 Bad|
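The "grab a banner, then guess the protocol from it" step in the feature list is the part of l9tcpid that can be reasoned about offline. What follows is an added example written for this page, not code from the l9tcpid project: two banner identifiers in the shape of the package's TcpIdentifier callback. The first parses the MySQL Handshake V10 greeting seen in the dumps above (the first 16 bytes of the constructed sample packet are the same bytes as the 163.197.193.175 dump; the remainder of the packet is constructed) and extracts the server version and the default authentication plugin, which is where the `mysql_native_password` line in the output comes from. The second recognises a bare HTTP response such as the squid reply. The Finding type, the Identify dispatcher, the sample banners and the truncation handling are assumptions made for this example; l9tcpid itself populates an l9format.L9Event instead.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Finding is what a banner identifier reports: the protocol it recognised and
// whatever details the banner alone gives away (assumed shape for this example).
type Finding struct {
	Protocol string
	Version  string
	Details  map[string]string
}

// CLIENT_PLUGIN_AUTH capability bit of the MySQL client/server protocol.
const clientPluginAuth = 0x00080000

// IdentifyMySQL parses a MySQL "Handshake V10" greeting: a 4-byte packet header
// (3-byte little-endian length + sequence id), protocol version 0x0a, the
// NUL-terminated server version and, when CLIENT_PLUGIN_AUTH is advertised, the
// default auth plugin name at the end of the packet. A truncated capture still
// yields the version; the plugin is only reported when it was fully captured.
func IdentifyMySQL(banner []byte) (Finding, bool) {
	if len(banner) < 6 || banner[4] != 0x0a {
		return Finding{}, false
	}
	pktLen := int(banner[0]) | int(banner[1])<<8 | int(banner[2])<<16
	if pktLen < 2 {
		return Finding{}, false
	}
	payload := banner[4:]
	if len(payload) > pktLen {
		payload = payload[:pktLen] // ignore anything after the greeting packet
	}
	p := payload[1:] // skip the protocol-version byte
	nul := bytes.IndexByte(p, 0)
	if nul <= 0 {
		return Finding{}, false
	}
	f := Finding{Protocol: "mysql", Version: string(p[:nul]), Details: map[string]string{}}
	p = p[nul+1:]
	// connection id (4) + auth data part 1 (8) + filler (1) + caps low (2) +
	// charset (1) + status (2) + caps high (2) + auth data length (1) + reserved (10)
	if len(p) < 31 {
		f.Details["truncated"] = "true"
		return f, true
	}
	caps := uint32(binary.LittleEndian.Uint16(p[13:15])) | uint32(binary.LittleEndian.Uint16(p[18:20]))<<16
	authDataLen := int(p[20])
	rest := p[31:]
	if caps&clientPluginAuth != 0 {
		part2 := authDataLen - 8 // second half of the auth challenge, at least 13 bytes
		if part2 < 13 {
			part2 = 13
		}
		if len(rest) > part2 {
			name := rest[part2:]
			if end := bytes.IndexByte(name, 0); end >= 0 {
				name = name[:end]
			}
			f.Details["auth_plugin"] = string(name)
		}
	}
	return f, true
}

// IdentifyHTTP recognises an HTTP response banner (what a proxy such as the squid
// above sends back to a non-HTTP probe) and keeps the status code and Server header.
func IdentifyHTTP(banner []byte) (Finding, bool) {
	lines := strings.Split(strings.ReplaceAll(string(banner), "\r\n", "\n"), "\n")
	status := strings.Fields(lines[0])
	if len(status) < 2 || !strings.HasPrefix(status[0], "HTTP/") {
		return Finding{}, false
	}
	f := Finding{Protocol: "http", Version: strings.TrimPrefix(status[0], "HTTP/"), Details: map[string]string{"status": status[1]}}
	for _, l := range lines[1:] {
		if l == "" {
			break // end of the header block
		}
		if kv := strings.SplitN(l, ":", 2); len(kv) == 2 && strings.EqualFold(strings.TrimSpace(kv[0]), "Server") {
			f.Details["server"] = strings.TrimSpace(kv[1])
		}
	}
	return f, true
}

// Identify tries the identifiers in order, binary protocols first, and reports
// "unknown" when none of them claims the banner.
func Identify(banner []byte) Finding {
	for _, id := range []func([]byte) (Finding, bool){IdentifyMySQL, IdentifyHTTP} {
		if f, ok := id(banner); ok {
			return f
		}
	}
	return Finding{Protocol: "unknown"}
}

// SampleMySQLGreeting builds a constructed Handshake V10 packet for server
// version 5.5.62-log whose first 16 bytes equal the 163.197.193.175 dump above.
func SampleMySQLGreeting() []byte {
	var pl []byte
	pl = append(pl, 0x0a)                            // protocol version
	pl = append(pl, "5.5.62-log\x00"...)             // server version
	pl = append(pl, 1, 0, 0, 0)                      // connection id
	pl = append(pl, "ABCDEFGH"...)                   // auth-plugin-data part 1
	pl = append(pl, 0, 0xff, 0xf7, 0x08, 0x02, 0x00) // filler, caps low, charset, status
	pl = append(pl, 0x08, 0x00, 21)                  // caps high (CLIENT_PLUGIN_AUTH), auth data length
	pl = append(pl, make([]byte, 10)...)             // reserved
	pl = append(pl, "IJKLMNOPQRST\x00"...)           // auth-plugin-data part 2 (13 bytes)
	pl = append(pl, "mysql_native_password\x00"...)  // default auth plugin
	return append([]byte{byte(len(pl)), byte(len(pl) >> 8), byte(len(pl) >> 16), 0}, pl...)
}

// SampleHTTPBanner is a constructed response modelled on the squid reply above.
const SampleHTTPBanner = "HTTP/1.1 400 Bad Request\r\nServer: squid/4.10\r\nContent-Type: text/html\r\n\r\n"

func main() {
	for _, b := range [][]byte{SampleMySQLGreeting(), []byte(SampleHTTPBanner), []byte("220 mail.example.org ESMTP\r\n")} {
		f := Identify(b)
		fmt.Printf("PROTO:%s VERSION:%s %v\n", f.Protocol, f.Version, f.Details)
		fmt.Print(hex.Dump(b[:16])) // first line of a "Raw connection:" style dump
	}
}
```

The order of the identifiers matters: the MySQL check keys on a binary structure (length header and protocol byte) and runs first, while the HTTP check only needs a text status line, so a text banner that happens to contain 0x0a at offset 4 falls through cleanly because no NUL terminator follows.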
Running with masscan
▶ masscan --rate 100000 -p1-65535 192.168.1.0/24|l9filter transform -i masscan -o l9|l9tcpid service --max-threads=10
Running with nmap
▶ nmap 192.168.1.0/24 -p80  -T insane -oG -|l9filter transform -i nmap -o l9|l9tcpid service --max-threads=100|l9filter transform -i l9 -o human
Complex example

jq can also be used to filter the results:

▶ ./ip4scout random -r 10000 -p 443,587,21|./l9tcpid service --max-threads=100 |tee services.json|jq -c 'select(.ssl.certificate.domain != null)'|jq -r '.ssl.certificate.domain[]'
  • Scan random hosts on ports 443, 587 and 21
  • Try to connect to the hosts that answered SYN/ACK and upgrade to SSL/TLS where possible
  • Tee the output to services.json for later use
  • jq to select services whose SSL certificate carries domain names
  • Display the domains

This single command provides a continuous stream of random domains and subdomains found in certificates over HTTP, FTP and SMTP connections.

Thanks

Documentation

Index

Constants

This section is empty.

Variables

var HttpTestRequest = "GET %s HTTP/1.1\r\n" +
	"Host: %s\r\n" +
	"User-Agent: l9tcpid/v1.1.0\r\n" +
	"Connection: close\r\n"

Functions

func ApplyDefaultProtocol

func ApplyDefaultProtocol(event *l9format.L9Event) (found bool)

func FillSSLDetails

func FillSSLDetails(state tls.ConnectionState, event *l9format.L9Event)

func FuzzConnection

func FuzzConnection(connection net.Conn, event *l9format.L9Event) (err error)

FuzzConnection takes a connection and populates the event with its findings.

func GetBanner

func GetBanner(event *l9format.L9Event) (err error)

func GetHttpBanner

func GetHttpBanner(event *l9format.L9Event, path string) (err error)

func GetHttpClient

func GetHttpClient(event *l9format.L9Event) *http.Client

func GetJARM

func GetJARM(event *l9format.L9Event) (err error)

func GetNetworkConnection

func GetNetworkConnection(event *l9format.L9Event) (conn net.Conn, err error)

func GetTLSVersionName

func GetTLSVersionName(version uint16) string

func SendHttpTestRequest

func SendHttpTestRequest(hostname string, path string, connection net.Conn) (err error)

func SendLine

func SendLine(line string, conn net.Conn) (err error)

func SendLineAndWait

func SendLineAndWait(line string, conn net.Conn) (err error)

func UpgradeConnection

func UpgradeConnection(protocol string, connection net.Conn) (err error)

Types

type HttpIdentifier

type HttpIdentifier func(event *l9format.L9Event, body string, document *goquery.Document) bool

type TcpIdCommand

type TcpIdCommand struct {
	MaxThreads    int                       `default:"10"`
	ThreadManager *goccm.ConcurrencyManager `kong:"-"`
	DeepHttp      bool
	HttpPath      string `default:"/"`
	Debug         bool
}

func (*TcpIdCommand) Run

func (cmd *TcpIdCommand) Run() error

type TcpIdentifier

type TcpIdentifier func(event *l9format.L9Event, banner []byte, lines []string) bool

Directories

Path Synopsis
cmd
identifiers
tcp
