
Specify multiple http urls to probe

Open Frky opened this issue 1 year ago • 0 comments

This PR aims to bring the possibility of hitting multiple HTTP endpoints with --banners for open ports. The multiple endpoints can be specified on the command line with the option --http-url "/endpoint1,/endpoint2,/endpoint3".

It uses the linked-list of banners introduced to try multiple protocols on one port.

In addition, it adds an option (--output-probes) to output, in some formats, the probe used to get a banner. This allows keeping info about which banner corresponds to which probe.

For example:

# masscan --banners -p 80 --http-url "/index.html,/index.php" -oX output.xml --output-probes X.Y.Z.T

In the output XML, we will have two different lines:

<host endtime="1717406668"><address addr="X.Y.Z.T" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="response" reason_ttl="64" /><service name="http" probe="GET /index.html HTTP/1.0\x0d\x0aUser-Agent: ivre-masscan/1.3 https://github.com/robertdavidgraham/\x0d\x0aAccept: */*\x0d\x0a\x0d\x0a" banner="HTTP/1.0 200 OK\x0d\x0a[...]"></service></port></ports></host>
<host endtime="1717406668"><address addr="X.Y.Z.T" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="response" reason_ttl="255" /><service name="http" probe="GET /index.php HTTP/1.0\x0d\x0aUser-Agent: ivre-masscan/1.3 https://github.com/robertdavidgraham/\x0d\x0aAccept: */*\x0d\x0a\x0d\x0a" banner="HTTP/1.0 404 File not found\x0d\x0a[...]"></service></port></ports></host>

In this example, the HTTP GET request to /index.html gives an HTTP 200 OK while /index.php gives an HTTP 404 File not found.

Note that without --output-probes, masscan output is not modified, which ensures compatibility with current parsing tools.

Disclaimers:

  • some output formats have not been updated to output probes (for instance binary and redis outputs),
  • only TCP banners are being output for now; the same should be done for UDP probes.

Finally, note that @p-l- already drafted support for this new output format in Ivre (see https://github.com/ivre/ivre/pull/1574).

Frky, Jun 03 '24 07:06
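One way a consumer of this output can tie each banner back to the URL that produced it, as an added example that is not code from the PR, masscan or Ivre: a small Python parser (assumed names parse_masscan_xml, status_by_request and first_line; the sample records are constructed) that walks the per-host lines of -oX output, decodes the \xNN escapes, and treats a service element without a probe attribute as a line written without --output-probes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of masscan -oX output produced with
# --banners --http-url "/index.html,/index.php" --output-probes. Addresses and
# banners are made up; the last record has no probe attribute, as a line
# written without --output-probes would.
SAMPLE_XML_LINES = [
    '<host endtime="1717406668"><address addr="192.0.2.10" addrtype="ipv4"/>'
    '<ports><port protocol="tcp" portid="80"><state state="open" reason="response" reason_ttl="64" />'
    '<service name="http" probe="GET /index.html HTTP/1.0\\x0d\\x0aUser-Agent: ivre-masscan/1.3\\x0d\\x0a\\x0d\\x0a"'
    ' banner="HTTP/1.0 200 OK\\x0d\\x0aServer: nginx\\x0d\\x0a"></service></port></ports></host>',
    '<host endtime="1717406668"><address addr="192.0.2.10" addrtype="ipv4"/>'
    '<ports><port protocol="tcp" portid="80"><state state="open" reason="response" reason_ttl="64" />'
    '<service name="http" probe="GET /index.php HTTP/1.0\\x0d\\x0aUser-Agent: ivre-masscan/1.3\\x0d\\x0a\\x0d\\x0a"'
    ' banner="HTTP/1.0 404 File not found\\x0d\\x0a"></service></port></ports></host>',
    '<host endtime="1717406669"><address addr="192.0.2.11" addrtype="ipv4"/>'
    '<ports><port protocol="tcp" portid="8080"><state state="open" reason="response" reason_ttl="128" />'
    '<service name="http" banner="HTTP/1.1 301 Moved Permanently\\x0d\\x0a"></service></port></ports></host>',
]

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def first_line(value):
    """Decode masscan's \\xNN escapes (CRLF is \\x0d\\x0a) and keep the first line."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value).split("\r\n", 1)[0]

def parse_masscan_xml(lines):
    """One record per <service>: addr, port, probe request line (None without --output-probes), status line."""
    records = []
    for line in (l.strip() for l in lines):
        if not line.startswith("<host"):
            continue  # <?xml>, <nmaprun>, <runstats> and closing tags
        host = ET.fromstring(line)
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            service = port.find("service")
            if service is None:
                continue
            probe = service.get("probe")
            records.append({"addr": addr, "port": int(port.get("portid")),
                            "request": first_line(probe) if probe else None,
                            "status": first_line(service.get("banner", ""))})
    return records

def status_by_request(records):
    """(addr, port) -> {request line: status line}; probe-less records are keyed by None."""
    table = {}
    for rec in records:
        table.setdefault((rec["addr"], rec["port"]), {})[rec["request"]] = rec["status"]
    return table
```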