source/fscan
1
0
Fork 0
mirror of https://github.com/shadow1ng/fscan.git synced 2026-02-09 02:09:17 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
dev-2.1.1
fscan/core/port_scan.go
ZacharyZcR 1bfd5ac92e fix(proxy): 修复透明代理环境下 SOCKS5 代理全端口误报问题 
问题:在透明代理(TUN模式)环境下使用 SOCKS5 代理扫描时,
会出现全端口开放的误报,因为代理可靠性检测被透明代理污染。

修复方案(参考 fscanx):
1. 将探针从 CRLF 改为 HTTP GET,更有效检测真实连接状态
2. 删除 "uncertain" 状态,无响应一律判定为端口关闭
3. 调整超时时间以适应代理链路延迟

Fixes #524
2026-01-23 15:11:26 +08:00

650 lines
18 KiB
Go
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
package core
import (
"fmt"
"net"
"strings"
"sync"
"sync/atomic"
"time"
"github.com/shadow1ng/fscan/common"
"github.com/shadow1ng/fscan/common/i18n"
"github.com/shadow1ng/fscan/common/output"
"github.com/shadow1ng/fscan/common/parsers"
)
// proxyFailurePatterns 代理连接失败的错误模式(小写)
var proxyFailurePatterns = []string{
"connection reset by peer",
"connection refused",
"no route to host",
"network is unreachable",
"host is unreachable",
"general socks server failure",
"connection not allowed",
"host unreachable",
"network unreachable",
"connection refused by destination host",
}
// resourceExhaustedPatterns 资源耗尽类错误模式
var resourceExhaustedPatterns = []string{
"too many open files",
"no buffer space available",
"cannot assign requested address",
"connection reset by peer",
"发包受限",
}
// resultCollector 结果收集器,用于并发安全地收集扫描结果
// 使用 map 实现O(1) 的添加和删除,无顺序依赖问题
type resultCollector struct {
mu sync.Mutex
addrs map[string]struct{}
}
// newResultCollector 创建结果收集器
func newResultCollector() *resultCollector {
return &resultCollector{
addrs: make(map[string]struct{}),
}
}
// Add 添加一个扫描结果
func (c *resultCollector) Add(addr string) {
c.mu.Lock()
c.addrs[addr] = struct{}{}
c.mu.Unlock()
}
// GetAll 获取所有结果
func (c *resultCollector) GetAll() []string {
c.mu.Lock()
result := make([]string, 0, len(c.addrs))
for addr := range c.addrs {
result = append(result, addr)
}
c.mu.Unlock()
return result
}
// portScanTask 端口扫描任务(轻量级,用于滑动窗口调度)
type portScanTask struct {
host string
port int
semaphore chan struct{} // 完成时释放窗口槽位
}
// failedPortInfo 失败端口信息
type failedPortInfo struct {
Host string
Port int
Addr string
}
// failedPortCollector 失败端口收集器,用于记录需要重扫的端口
type failedPortCollector struct {
mu sync.Mutex
ports []failedPortInfo
}
// Add 添加失败的端口
func (f *failedPortCollector) Add(host string, port int, addr string) {
f.mu.Lock()
f.ports = append(f.ports, failedPortInfo{
Host: host,
Port: port,
Addr: addr,
})
f.mu.Unlock()
}
// Count 获取失败端口数量
func (f *failedPortCollector) Count() int {
f.mu.Lock()
count := len(f.ports)
f.mu.Unlock()
return count
}
// EnhancedPortScan 高性能端口扫描函数
// 使用滑动窗口调度 + 自适应线程池 + 流式迭代器
func EnhancedPortScan(hosts []string, ports string, timeout int64, config *common.Config, state *common.State) []string {
common.LogDebug(fmt.Sprintf("[PortScan] 开始: %d个主机, 线程数=%d", len(hosts), config.ThreadNum))
// 解析端口和排除端口
portList := parsers.ParsePort(ports)
if len(portList) == 0 {
common.LogError(i18n.Tr("invalid_port", ports))
return nil
}
common.LogDebug(fmt.Sprintf("[PortScan] 端口解析完成: %d个端口", len(portList)))
// 使用config中的排除端口配置
excludePorts := parsers.ParsePort(config.Target.ExcludePorts)
exclude := make(map[int]struct{}, len(excludePorts))
for _, p := range excludePorts {
exclude[p] = struct{}{}
}
// 检查代理可靠性,如果存在全回显问题则警告
if common.IsProxyEnabled() && !common.IsProxyReliable() {
common.LogError("检测到代理存在全回显问题,端口扫描结果可能不准确")
}
// 创建流式迭代器O(1) 内存,端口喷洒策略)
iter := NewSocketIterator(hosts, portList, exclude)
totalTasks := iter.Total()
common.LogDebug(fmt.Sprintf("[PortScan] 总任务数: %d", totalTasks))
// 使用传入的配置
threadNum := config.ThreadNum
// 大规模扫描警告和线程数自动调整
if totalTasks > 100000 {
common.LogInfo(fmt.Sprintf("大规模扫描: %d 个目标 (%d主机 × %d端口)", totalTasks, len(hosts), len(portList)))
// 如果任务数超过100万且线程数大于300自动降低线程数
if totalTasks > 1000000 && threadNum > 300 {
oldThreadNum := threadNum
threadNum = 300
common.LogInfo(fmt.Sprintf("自动调整线程数: %d -> %d (大规模扫描优化)", oldThreadNum, threadNum))
}
}
// 初始化端口扫描进度条
if totalTasks > 0 && config.Output.ShowProgress {
description := fmt.Sprintf("端口扫描中(%d线程", threadNum)
common.InitProgressBar(int64(totalTasks), description)
}
common.LogDebug("[PortScan] 进度条初始化完成")
// 初始化并发控制
to := time.Duration(timeout) * time.Second
var count int64
collector := newResultCollector()
failedCollector := &failedPortCollector{}
var wg sync.WaitGroup
common.LogDebug(fmt.Sprintf("[PortScan] 开始创建线程池, size=%d", threadNum))
// 创建自适应线程池(支持动态调整)
pool, err := NewAdaptivePool(threadNum, func(task interface{}) {
taskInfo, ok := task.(portScanTask)
if !ok {
return
}
defer func() {
<-taskInfo.semaphore // 释放窗口槽位
wg.Done()
}()
addr := fmt.Sprintf("%s:%d", taskInfo.host, taskInfo.port)
scanSinglePort(taskInfo.host, taskInfo.port, addr, to, &count, collector, failedCollector, config, state)
common.UpdateProgressBar(1)
}, state)
if err != nil {
common.LogError(i18n.Tr("thread_pool_create_failed", err))
return nil
}
common.LogDebug("[PortScan] 线程池创建成功")
defer pool.Release()
common.LogDebug("[PortScan] 开始滑动窗口调度")
// 滑动窗口调度:维护固定数量的"飞行中"任务
slidingWindowSchedule(iter, pool, &wg, threadNum)
common.LogDebug("[PortScan] 滑动窗口调度完成")
// 收集结果
aliveAddrs := collector.GetAll()
// 完成端口扫描进度条
if common.IsProgressActive() {
common.FinishProgressBar()
}
common.LogInfo(i18n.Tr("port_scan_complete", count))
// 检查扫描失败率,如果过高则警告用户
resourceErrors := state.GetResourceExhaustedCount()
failedCount := failedCollector.Count()
if failedCount > 0 {
failureRate := float64(failedCount) / float64(totalTasks) * 100
if failureRate > 20 {
// 失败率超过20%,严重警告
common.LogError(i18n.Tr("scan_failure_rate_high", fmt.Sprintf("%.1f%%", failureRate), failedCount, totalTasks))
common.LogError(i18n.GetText("scan_failure_reason"))
common.LogError(i18n.Tr("scan_reduce_threads_suggestion", threadNum))
} else if failureRate > 5 {
// 失败率5-20%,一般警告
common.LogInfo(i18n.Tr("scan_partial_failure", fmt.Sprintf("%.1f%%", failureRate), failedCount, totalTasks))
common.LogInfo(i18n.Tr("scan_reduce_threads_accuracy", threadNum))
}
}
if resourceErrors > 0 {
common.LogError(i18n.Tr("resource_exhausted_warning", resourceErrors))
}
return aliveAddrs
}
// slidingWindowSchedule 滑动窗口调度器
// 核心思想:维护固定数量的"飞行中"任务,一个完成立即补充新的
// 优势:避免任务队列堆积,内存使用恒定
func slidingWindowSchedule(iter *SocketIterator, pool *AdaptivePool, wg *sync.WaitGroup, windowSize int) {
// 使用信号量控制窗口大小
semaphore := make(chan struct{}, windowSize)
for {
host, port, ok := iter.Next()
if !ok {
break
}
// 获取窗口槽位(阻塞直到有空位)
semaphore <- struct{}{}
wg.Add(1)
task := portScanTask{
host: host,
port: port,
semaphore: semaphore,
}
_ = pool.Invoke(task)
}
// 等待所有任务完成
wg.Wait()
}
// connectWithRetry 带重试的TCP连接 - 只对资源耗尽错误重试
func connectWithRetry(addr string, timeout time.Duration, maxRetries int, state *common.State) (net.Conn, error) {
var lastErr error
for attempt := 0; attempt < maxRetries; attempt++ {
conn, err := common.WrapperTcpWithTimeout("tcp", addr, timeout)
if err == nil {
return conn, nil
}
lastErr = err
// 只对资源耗尽类错误重试,端口关闭直接返回
if !isResourceExhaustedError(err) {
return nil, err
}
// 记录资源耗尽错误
state.IncrementResourceExhaustedCount()
// 指数退避第1次等50ms第2次等150ms
if attempt < maxRetries-1 {
waitTime := time.Duration(50*(attempt+1)) * time.Millisecond
time.Sleep(waitTime)
}
}
return nil, lastErr
}
// isResourceExhaustedError 判断是否为资源耗尽类错误
func isResourceExhaustedError(err error) bool {
if err == nil {
return false
}
errStr := err.Error()
for _, pattern := range resourceExhaustedPatterns {
if strings.Contains(errStr, pattern) {
return true
}
}
return false
}
// buildServiceLogMessage 构建服务识别的日志信息
// 格式: addr service [Product:xxx ||Version:xxx] Banner:(xxx)
func buildServiceLogMessage(addr string, serviceInfo *ServiceInfo, isWeb bool) string {
var msg strings.Builder
msg.WriteString(fmt.Sprintf("%-21s", addr))
if serviceInfo.Name != "unknown" {
msg.WriteString(fmt.Sprintf(" %-8s", serviceInfo.Name))
}
// 构建 [Product:xxx ||Version:xxx] 格式
var info []string
if product, ok := serviceInfo.Extras["vendor_product"]; ok && product != "" {
info = append(info, fmt.Sprintf("Product:%s", product))
}
if serviceInfo.Version != "" {
info = append(info, fmt.Sprintf("Version:%s", serviceInfo.Version))
}
if len(info) > 0 {
msg.WriteString(fmt.Sprintf(" [%s]", strings.Join(info, " ||")))
}
// Banner 信息
if len(serviceInfo.Banner) > 0 {
banner := strings.TrimSpace(serviceInfo.Banner)
if len(banner) > 80 {
banner = banner[:80] + "..."
}
msg.WriteString(fmt.Sprintf(" Banner:(%s)", banner))
}
return msg.String()
}
// scanSinglePort 扫描单个端口并进行服务识别(重构后的简洁版本)
func scanSinglePort(host string, port int, addr string, timeout time.Duration, count *int64, collector *resultCollector, failedCollector *failedPortCollector, config *common.Config, state *common.State) {
// 步骤1建立连接
conn, err := connectWithRetry(addr, timeout, 3, state)
if err != nil {
handleConnectionFailure(err, host, port, addr, failedCollector)
return
}
// 步骤1.5:代理连接深度验证(防止透明代理/全回显代理的假连接问题)
valid, verifyMethod := verifyProxyConnectionDeep(conn, addr)
if !valid {
common.LogDebug(fmt.Sprintf("代理验证失败 %s: %s", addr, verifyMethod))
_ = conn.Close()
return
}
// 步骤1.6:如果使用了代理且进行了数据交互,需要重建连接
// 因为验证阶段可能读取了Banner或发送了HTTP GET探测污染了连接状态
if common.IsProxyEnabled() && verifyMethod != "direct" {
_ = conn.Close()
// 重新建立干净的连接用于服务识别
conn, err = connectWithRetry(addr, timeout, 3, state)
if err != nil {
handleConnectionFailure(err, host, port, addr, failedCollector)
return
}
}
// 步骤2记录开放端口
atomic.AddInt64(count, 1)
collector.Add(addr)
saveOpenPort(host, port)
// 步骤3服务识别Scanner负责关闭连接包括探测中可能创建的新连接
scanner := NewSmartPortInfoScanner(host, port, conn, timeout, config)
defer scanner.Close()
serviceInfo, _ := scanner.SmartIdentify()
// 步骤4处理结果
processServiceResult(host, port, addr, serviceInfo, config)
}
// handleConnectionFailure 处理连接失败
func handleConnectionFailure(err error, host string, port int, addr string, failedCollector *failedPortCollector) {
if isResourceExhaustedError(err) || isTimeoutError(err) {
failedCollector.Add(host, port, addr)
}
}
// isTimeoutError 判断是否为超时错误
func isTimeoutError(err error) bool {
return err != nil && strings.Contains(err.Error(), "i/o timeout")
}
// verifyProxyConnectionDeep 深度验证代理连接是否真正可用
// 防止透明代理/全回显代理的假连接问题
// 返回: (是否有效, 验证方式)
//
// 优化策略:
// 1. 快速 Banner 检测 (100ms) - 大部分服务会主动发送数据
// 2. 轻量探测 (发送 \r\n) - 触发某些服务响应,同时不污染协议状态
// 3. 短超时等待 (500ms) - 平衡准确性和性能
func verifyProxyConnectionDeep(conn net.Conn, addr string) (bool, string) {
// 如果没有使用代理,跳过验证
if !common.IsProxyEnabled() {
return true, "direct"
}
buf := make([]byte, 256)
// 阶段1: 读取 Banner (500ms)
// 大部分服务SSH、FTP、SMTP、MySQL等会主动发送欢迎消息
// 不能等太久,否则代理可能因空闲而关闭连接
_ = conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
n, _ := conn.Read(buf)
_ = conn.SetReadDeadline(time.Time{})
if n > 0 {
if isProxyErrorResponse(buf[:n]) {
common.LogDebug(fmt.Sprintf("代理返回错误响应 %s", addr))
return false, "proxy_error"
}
return true, "banner"
}
// 阶段2: HTTP 探针探测(参考 fscanx
// 使用 HTTP GET 而非 CRLF因为
// - 大部分服务会对 HTTP 请求有明确响应(即使是错误响应)
// - 在透明代理环境下能更有效地检测真实连接状态
// - 即使是非 HTTP 服务也会返回某种响应或关闭连接
httpProbe := []byte("GET / HTTP/1.0\r\n\r\n")
_ = conn.SetWriteDeadline(time.Now().Add(100 * time.Millisecond))
_, writeErr := conn.Write(httpProbe)
_ = conn.SetWriteDeadline(time.Time{})
if writeErr != nil && isConnectionClosed(writeErr) {
common.LogDebug(fmt.Sprintf("探测写入失败 %s: %v", addr, writeErr))
return false, "write_failed"
}
// 阶段3: 等待探测响应 (2s)
// TUN 模式下代理链路延迟较大,需要更长超时
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
n, readErr := conn.Read(buf)
_ = conn.SetReadDeadline(time.Time{})
if n > 0 {
if isProxyErrorResponse(buf[:n]) {
common.LogDebug(fmt.Sprintf("代理探测返回错误 %s", addr))
return false, "proxy_error"
}
return true, "probe"
}
// 阶段4: 最终判断
if readErr != nil {
errLower := strings.ToLower(readErr.Error())
for _, pattern := range proxyFailurePatterns {
if strings.Contains(errLower, pattern) {
common.LogDebug(fmt.Sprintf("代理连接被拒绝 %s: %v", addr, readErr))
return false, "proxy_reject"
}
}
}
// 无响应 = 端口关闭(参考 fscanx 方案)
// 在透明代理环境下ProxyReliable 检测可能被污染,不可信
// 因此采用更保守的策略:无响应一律判定为关闭
// 这样可以避免透明代理导致的全端口误报问题
common.LogDebug(fmt.Sprintf("代理连接无响应,判定为端口关闭 %s", addr))
return false, "no_response"
}
// isProxyErrorResponse 检查是否为代理错误响应
// 支持 SOCKS5 错误码和常见代理错误模式
func isProxyErrorResponse(data []byte) bool {
if len(data) == 0 {
return false
}
// SOCKS5 错误响应检查
// SOCKS5 响应格式: [VER][REP][RSV][ATYP]...
// REP 字段: 0x00=成功, 0x01-0x08=各种失败
if len(data) >= 2 && data[0] == 0x05 {
rep := data[1]
if rep >= 0x01 && rep <= 0x08 {
return true
}
}
// 检查常见的代理错误文本
dataStr := strings.ToLower(string(data))
proxyErrorTexts := []string{
"connection refused",
"host unreachable",
"network unreachable",
"connection timed out",
"proxy error",
"gateway error",
"bad gateway",
"502",
"503",
}
for _, errText := range proxyErrorTexts {
if strings.Contains(dataStr, errText) {
return true
}
}
return false
}
// isConnectionClosed 检查错误是否表示连接已关闭
func isConnectionClosed(err error) bool {
if err == nil {
return false
}
errStr := strings.ToLower(err.Error())
closedPatterns := []string{
"broken pipe",
"connection reset",
"connection refused",
"use of closed network connection",
"connection was forcibly closed",
}
for _, pattern := range closedPatterns {
if strings.Contains(errStr, pattern) {
return true
}
}
return false
}
// saveOpenPort 保存开放端口结果
func saveOpenPort(host string, port int) {
_ = common.SaveResult(&output.ScanResult{
Time: time.Now(),
Type: output.TypePort,
Target: host,
Status: "open",
Details: map[string]interface{}{"port": port},
})
}
// processServiceResult 处理服务识别结果
func processServiceResult(host string, port int, addr string, serviceInfo *ServiceInfo, config *common.Config) {
if serviceInfo == nil {
// 服务识别失败,尝试 HTTP 回退探测
if !tryHTTPFallbackDetection(host, port, addr, config) {
common.LogInfo(i18n.Tr("port_open", addr))
}
return
}
// 保存并输出服务信息
details := buildServiceDetails(port, serviceInfo)
isWeb := IsWebServiceByFingerprint(serviceInfo)
if isWeb {
details["is_web"] = true
MarkAsWebService(host, port, serviceInfo)
}
_ = common.SaveResult(&output.ScanResult{
Time: time.Now(),
Type: output.TypeService,
Target: fmt.Sprintf("%s:%d", host, port),
Status: "identified",
Details: details,
})
common.LogInfo(buildServiceLogMessage(addr, serviceInfo, isWeb))
}
// buildServiceDetails 构建服务详情 map
func buildServiceDetails(port int, info *ServiceInfo) map[string]interface{} {
details := map[string]interface{}{
"port": port,
"service": info.Name,
}
if info.Version != "" {
details["version"] = info.Version
}
extraKeyMap := map[string]string{
"vendor_product": "product",
"os": "os",
"info": "info",
}
for k, v := range info.Extras {
if v == "" {
continue
}
if mappedKey, ok := extraKeyMap[k]; ok {
details[mappedKey] = v
}
}
if len(info.Banner) > 0 {
details["banner"] = strings.TrimSpace(info.Banner)
}
return details
}
// tryHTTPFallbackDetection 尝试HTTP回退探测返回是否成功识别为HTTP服务
func tryHTTPFallbackDetection(host string, port int, addr string, config *common.Config) bool {
// 使用WebDetection进行HTTP协议探测
webDetector := GetWebPortDetector()
if !webDetector.DetectHTTPServiceOnly(host, port, config) {
return false
}
// HTTP探测成功标记为Web服务
webServiceInfo := &ServiceInfo{
Name: "http",
Version: "",
Banner: "",
Extras: map[string]string{"detected_by": "http_probe"},
}
MarkAsWebService(host, port, webServiceInfo)
// 保存HTTP服务结果
details := map[string]interface{}{
"port": port,
"service": "http",
"is_web": true,
"detected_by": "http_probe",
}
_ = common.SaveResult(&output.ScanResult{
Time: time.Now(),
Type: output.TypeService,
Target: fmt.Sprintf("%s:%d", host, port),
Status: "identified",
Details: details,
})
common.LogInfo(i18n.Tr("port_open_http", addr))
return true
}
Reference in New Issue View Git Blame Copy Permalink