zmap/zgrab2 zmap/zgrab2

  • Stars
    star
    1,726
  • Rank 27,025 (Top 0.6 %)
  • Language
    Go
  • License
    Other
  • Created about 8 years ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
zmap/zgrab2
github

zmap

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Fast Go Application Scanner

ZGrab 2.0

ZGrab is a fast, modular application-layer network scanner designed for completing large Internet-wide surveys. ZGrab is built to work with ZMap (ZMap identifies L4 responsive hosts, ZGrab performs in-depth, follow-up L7 handshakes). Unlike many other network scanners, ZGrab outputs detailed transcripts of network handshakes (e.g., all messages exchanged in a TLS handshake) for offline analysis.

ZGrab 2.0 contains a new, modular ZGrab framework, which fully supersedes https://github.com/zmap/zgrab.

Building

You will need to have a valid $GOPATH set up, for more information about $GOPATH, see https://golang.org/doc/code.html.

Once you have a working $GOPATH, run:

$ go get github.com/zmap/zgrab2

This will install zgrab under $GOPATH/src/github.com/zmap/zgrab2

$ cd $GOPATH/src/github.com/zmap/zgrab2
$ make

Single Module Usage

ZGrab2 supports modules. For example, to run the ssh module use

./zgrab2 ssh

Module specific options must be included after the module. Application specific options can be specified at any time.

Input Format

Targets are specified with input files or from stdin, in CSV format. Each input line has three fields:

IP, DOMAIN, TAG

Each line must specify IP, DOMAIN, or both. If only DOMAIN is provided, scanners perform a DNS hostname lookup to determine the IP address. If both IP and DOMAIN are provided, scanners connect to IP but use DOMAIN in protocol-specific contexts, such as the HTTP HOST header and TLS SNI extension.

If the IP field contains a CIDR block, the framework will expand it to one target for each IP address in the block.

The TAG field is optional and used with the --trigger scanner argument.

Unused fields can be blank, and trailing unused fields can be omitted entirely. For backwards compatibility, the parser allows lines with only one field to contain DOMAIN.

These are examples of valid input lines:

10.0.0.1
domain.com
10.0.0.1, domain.com
10.0.0.1, domain.com, tag
10.0.0.1, , tag
, domain.com, tag
192.168.0.0/24, , tag

Multiple Module Usage

To run a scan with multiple modules, a .ini file must be used with the multiple module. Below is an example .ini file with the corresponding zgrab2 command.

multiple.ini

[Application Options]
output-file="output.txt"
input-file="input.txt"
[http]
name="http80"
port=80
endpoint="/"
[http]
name="http8080"
port=8080
endpoint="/"
[ssh]
port=22

./zgrab2 multiple -c multiple.ini

Application Options must be the initial section name. Other section names should correspond exactly to the relevant zgrab2 module name. The default name for each module is the command name. If the same module is to be used multiple times then name must be specified and unique.

Multiple module support is particularly powerful when combined with input tags and the --trigger scanner argument. For example, this input contains targets with two different tags:

141.212.113.199, , tagA
216.239.38.21, censys.io, tagB

Invoking zgrab2 with the following multiple configuration will perform an SSH grab on the first target above and an HTTP grab on the second target:

[ssh]
trigger="tagA"
name="ssh22"
port=22

[http]
trigger="tagB"
name="http80"
port=80

Adding New Protocols

Add module to modules/ that satisfies the following interfaces: Scanner, ScanModule, ScanFlags.

The flags struct must embed zgrab2.BaseFlags. In the modules init() function the following must be included.

func init() {
    var newModule NewModule
    _, err := zgrab2.AddCommand("module", "short description", "long description of module", portNumber, &newModule)
    if err != nil {
        log.Fatal(err)
    }
}

Output schema

To add a schema for the new module, add a module under schemas, and update schemas/__init__.py to ensure that it is loaded.

See zgrab2_schemas/README.md for details.

Integration tests

To add integration tests for the new module, run integration_tests/new.sh [your_new_protocol_name]. This will add stub shell scripts in integration_tests/your_new_protocol_name; update these as needed. See integration_tests/mysql/* for an example. The only hard requirement is that the test.sh script drops its output in $ZGRAB_OUTPUT/[your-module]/*.json, so that it can be validated against the schema.

How to Run Integration Tests

To run integration tests, you must have Docker installed. Then, you can follow the following steps to run integration tests:

$ go get github.com/jmespath/jp && go build github.com/jmespath/jp
$ pip install --user zschema
$ make integration-test

Running the integration tests will generate quite a bit of debug output. To ensure that tests completed successfully, you can check for a successful exit code after the tests complete:

$ echo $?
0

License

ZGrab2.0 is licensed under Apache 2.0 and ISC. For more information, see the LICENSE file.

More Repositories

1

zmap

ZMap is a fast single packet network scanner designed for Internet-wide network surveys.
C
5,453
star
2

zdns

Fast DNS Lookup Library and CLI Tool
Go
920
star
3

zgrab

**DEPRECATED** This project has been replaced by https://github.com/zmap/zgrab2
Go
748
star
4

zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
Go
356
star
5

zcrypto

Liberal Go TLS + X.509 Library for Research
Go
134
star
6

celerybeat-mongo

A Celery Beat Scheduler that uses MongoDB to store both schedule definitions and status information
Python
126
star
7

go-iptree

GoLang IP Radix Tree
Go
113
star
8

ztag

Tagging and annotation framework for scan data
Python
101
star
9

zannotate

Utility for annotating Internet datasets with contextual metadata (e.g., origin AS, MaxMind GeoIP2, reverse DNS, and WHOIS)
Go
94
star
10

zbrowse

Headless Chrome-based browser
JavaScript
60
star
11

zcertificate

Command line utility for parsing certificates
Go
59
star
12

zschema

A schema language for JSON documents that allows validation and compilation into various database engines
Python
40
star
13

pybulkwhois

Python framework for manipulating bulk WHOIS data from RIRs
Python
19
star
14

iptree

A space-optimized binary tree for storing IP addresses
C++
13
star
15

constants

Repository of constants used in TLS and X509 parsing
12
star
16

rootfetch

Python egg for fetching common certificate root stores
Python
9
star
17

cachehash

An efficient C hash-table like data structure with static size that evicts LRU object on insertion
C
9
star
18

zson

A python library that allows easily encoding and decoding objects into JSON
Python
7
star
19

zflags

go command line option parser http://godoc.org/github.com/jessevdk/…
Go
6
star
20

website

ZMap's Public Website
HTML
5
star
21

zdb

[deprecated] Backend database for Internet-wide scans
C++
4
star
22

zlint-test-corpus

Test certificates for ZLint CI tests
2
star
23

homebrew-formula

Dependencies not included in standard Homebrew taps
Ruby
1
star