Enumeration is one of the most important phases in penetration testing (pentesting) a network. It involves gathering detailed information about the target network's assets, including hosts, open ports, services, and vulnerabilities. This data is crucial for identifying attack vectors and potential entry points into the system.
In this article, we'll explore how to leverage GoScan, an open-source network scanner, to automate and streamline the enumeration process. We'll cover GoScan's key capabilities, installation, basic usage, and how it can help speed up your network reconnaissance efforts.
What is GoScan?
GoScan is an interactive network scanner written in Go. It provides a CLI interface and automation for common enumeration tasks normally performed manually with tools like Nmap.
Some of GoScan's key features include:
- Host discovery – Ping sweeps, ARP scanning, etc. to detect live hosts.
- Port scanning – FAST, comprehensive TCP/UDP port scans using Nmap.
- Service enumeration – Identify versions of running services via banner grabbing.
- Web scanning – Crawl sites for directories/files, grab screenshots with EyeWitness.
- Database backend – SQLite3 database keeps scan data persistent.
- Smart tab completion – Intuitive CLI with automatic suggestions.
Unlike many traditional network scanners, GoScan is designed to be a framework built on top of other tools like Nmap rather than a standalone port scanner. It aims to abstract and automate common workflows for simplicity and efficiency.
Next, we'll go through installing and setting up GoScan.
Installing GoScan
There are a few different ways to install GoScan:
Build from Source
To compile GoScan from source, first clone the GitHub repository:
$ git clone https://github.com/marco-lancini/goscan.git
Navigate into the project directory and use make to build:
$ cd goscan/goscan
$ make setup
$ make build
You can also use make cross to compile a multi-platform binary.
Docker Image
A Docker image is available to quickly spin up GoScan:
$ git clone https://github.com/marco-lancini/goscan.git
$ cd goscan/
$ docker-compose up --build
Binary Install
For convenience, pre-built binaries are available for download:
# Linux (64-bit)
$ wget https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip
$ unzip goscan_2.4_linux_amd64.zip
# Linux (32-bit)
$ wget https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_386.zip
$ unzip goscan_2.4_linux_386.zip
# Make executable and move to PATH
$ chmod +x goscan
$ sudo mv ./goscan /usr/local/bin/goscan
Once installed via one of these methods, GoScan is ready to go! Let's look at how to use it.
Getting Started with GoScan
GoScan has an intuitive CLI interface with handy auto-completion. As you start typing a command, you'll see suggestions pop up to guide you.
Let's walk through a basic workflow for scanning a target network.
Load Targets
First, we need to load one or more IP addresses or ranges into GoScan's target list:
[goscan] > load target SINGLE 10.0.1.24
[*] Imported target: 10.0.1.24
You can specify a target type of SINGLE, RANGE, or FILE. For larger target lists, FILE reads IPs from a text file.
Ping Sweep
Once our target is loaded, a ping sweep can find live hosts by sending ICMP echo requests:
[goscan] > sweep ping
[+] Created output directory '/root/.goscan/output-01-06-2023_17-24-38'
[+] Running command 'nmap -n -sn -PE -oA /root/.goscan/output-01-06-2023_17-24-38/results.nmap 10.0.1.24'
Starting Nmap 7.93 ( https://nmap.org )
...
Nmap scan report for 10.0.1.24
Host is up (0.16s latency).
MAC Address: 02:42:AC:11:00:18 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
[*] Ping sweep completed in 0m6s
The results are saved to an output directory, and we can see the Nmap command used under the hood. Only our single target IP is found alive.
Port Scanning
One of GoScan's most useful capabilities is quickly running various types of Nmap port scans:
[goscan] > portscan
tcp connect TCP Connect scan
tcp stealth TCP Stealth scan
tcp ack TCP ACK scan
tcp window TCP Window scan
tcp maimon TCP Maimon scan
...
There are many scan types optimized for different goals. Let's use a fast TCP connect scan:
[goscan] > portscan tcp connect
[+] Running command 'nmap -n -oA /root/.goscan/output-01-06-2023_17-24-38/tcp_connect --open -p- -T4 10.0.1.24'
Starting Nmap 7.93 ( https://nmap.org )
...
Nmap scan report for 10.0.1.24
Host is up (0.16s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
[*] TCP connect scan completed in 6s
This scans all TCP ports in about 6 seconds and finds SSH, HTTP, and HTTPS open.
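Because GoScan runs Nmap with -oA, each scan also leaves a grepable .gnmap file in the output directory next to the .nmap and .xml results. The following Go program is an added example, not part of GoScan or the article: it parses that .gnmap format and flags any open port that is not on a per-host allow-list, which is how a defender turns a scan like the one above into a check for unexpectedly exposed services. The sample input and the baseline (only 443/tcp expected on 10.0.1.24) are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)
// OpenPort is one open port from nmap's grepable (.gnmap) file, which GoScan's -oA runs produce.
type OpenPort struct{ Host, Port, Proto, Service string }

// ParseGnmap reads .gnmap "Host:" lines; the tab-separated "Ports:" field holds
// comma-separated entries shaped port/state/proto/owner/service/rpc/version/.
func ParseGnmap(gnmap string) []OpenPort {
	var out []OpenPort
	for _, line := range strings.Split(gnmap, "\n") {
		i := strings.Index(line, "\tPorts: ")
		if !strings.HasPrefix(line, "Host: ") || i < 0 {
			continue
		}
		host := strings.Fields(line[len("Host: "):])[0]
		ports := strings.Split(line[i+len("\tPorts: "):], "\t")[0] // drop "Ignored State"
		for _, e := range strings.Split(ports, ", ") {
			p := strings.Split(e, "/")
			if len(p) >= 5 && p[1] == "open" {
				out = append(out, OpenPort{host, p[0], p[2], p[4]})
			}
		}
	}
	return out
}
// Unexpected returns open ports absent from a per-host allow-list keyed by "port/proto".
func Unexpected(found []OpenPort, allowed map[string]map[string]bool) []string {
	var alerts []string
	for _, op := range found {
		key := op.Port + "/" + op.Proto
		if !allowed[op.Host][key] { // an unknown host yields a nil map, so every port alerts
			alerts = append(alerts, op.Host+":"+key+" ("+op.Service+")")
		}
	}
	return alerts
}
// Constructed sample mirroring the tcp_connect result shown in the article.
const sampleGnmap = "Host: 10.0.1.24 ()\tStatus: Up\n" +
	"Host: 10.0.1.24 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, " +
	"443/open/tcp//https///\tIgnored State: closed (65532)\n"

func main() { // hypothetical baseline: only HTTPS is supposed to be reachable
	allowed := map[string]map[string]bool{"10.0.1.24": {"443/tcp": true}}
	for _, a := range Unexpected(ParseGnmap(sampleGnmap), allowed) {
		fmt.Println("unexpected exposure:", a)
	}
}
```

Pointing the parser at a real file is a matter of reading /root/.goscan/output-.../tcp_connect.gnmap into the string; diffing the alerts between two scan runs gives a simple change-detection signal for newly exposed services.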
Service Enumeration
In addition to port scanning, we can also use GoScan to enumerate details about discovered services with modules like FTP, HTTP, SMB, etc:
[goscan] > enumerate
finger Query finger service
ftp Query ftp service
http Query http service
rdp Query RDP service
smb Query SMB service
smtp Query SMTP service
snmp Query SNMP service
...
These will grab service banners, determine versions, and more. Let's use the HTTP enum module:
[goscan] > enumerate http polite 10.0.1.24
[+] Created output directory '/root/.goscan/output-01-06-2023_17-24-38'
[+] Running command 'nmap -n -oA /root/.goscan/output-01-06-2023_17-24-38/http --script=http-enum -p80,443 10.0.1.24'
Starting Nmap 7.93 ( https://nmap.org )
...
Nmap scan report for 10.0.1.24
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41
| http-enum:
|_ /login.php: Possible admin folder
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp open ssl/http Apache httpd 2.4.41
| ssl-cert: Subject: commonName=localhost/organizationName=Faux India Pvt Ltd/stateOrProvinceName=Karnataka/countryName=IN
| Subject Alternative Name: DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2022-10-23T09:16:38
|_Not valid after: 2023-10-23T09:16:38
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| http-enum:
|_ /login.php: Possible admin folder
| http-robots.txt: 1 disallowed entry
|_/
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
...
[*] HTTP enumeration completed in 0m13s
This identifies the Apache version and finds clues like /login.php that could be interesting. Many enum modules are available.
Additional Modules
GoScan has some other handy modules, like special scans:
[goscan] > special
eyewitness Takes screenshots of websites and open VNC servers
domain Extracts domain information from enumerated data
dns Performs DNS enumeration
The eyewitness module launches EyeWitness to capture screenshots of web services and open VNC servers detected during scanning. This helps quickly visualize any running web apps.
Final Thoughts
GoScan brings together many common network enumeration tasks into an easy-to-use automated framework. It reduces the manual effort of running tools like Nmap and remembering commands.
That said, GoScan is not a full-featured vulnerability scanner. It is intended as a reconnaissance tool to help quickly enumerate and gain insight into an unknown network. Results should be verified and validated before launching any intrusive probing or attacks.
For seasoned penetration testers, GoScan can help streamline tedious enumeration steps and allow focusing energy on other areas. The simple CLI and tab completion lower the barrier for newcomers to learn network scanning.
In summary, GoScan is a handy open-source tool to add to your reconnaissance toolkit. It simplifies the process of host discovery, port scanning, and service enumeration. If you conduct network pivoting, open source intelligence gathering, or penetration tests, give GoScan a try!