bingoohuang/blog

How did nmap detect that an HTTP service is implemented in Golang?



A colleague sent over a screenshot: the monitoring service can scan out the implementation language and the database, do you want to block that? They also offered a clue: another port, also a Go service, was not detected.

First, a quick Baidu search.

Time to confirm it. Using netstat's -tulpn options, check whether the exposed port really belongs to my own program.

$ sudo netstat -tulpn | grep LISTEN
tcp        0      0 127.0.0.1:9001          0.0.0.0:*               LISTEN      1351/friday         
tcp        0      0 127.0.0.1:23306         0.0.0.0:*               LISTEN      1408/haproxy        
tcp        0      0 0.0.0.0:8022            0.0.0.0:*               LISTEN      1424/sshd: /usr/sbi 
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1804/master         
tcp        0      0 127.0.0.1:13306         0.0.0.0:*               LISTEN      1408/haproxy        
tcp        0      0 0.0.0.0:1947            0.0.0.0:*               LISTEN      808/hasplmd_x86_64  
tcp6       0      0 :::9633                 :::*                    LISTEN      1827/mysqld         
tcp6       0      0 :::31010                :::*                    LISTEN      19691/rigaga        
tcp6       0      0 :::7569                 :::*                    LISTEN      1321/kerb-proxy     
tcp6       0      0 :::8022                 :::*                    LISTEN      1424/sshd: /usr/sbi 
tcp6       0      0 :::8759                 :::*                    LISTEN      9761/java           
tcp6       0      0 :::10999                :::*                    LISTEN      8205/java           
tcp6       0      0 :::11000                :::*                    LISTEN      19691/rigaga        
tcp6       0      0 ::1:25                  :::*                    LISTEN      1804/master         

As shown above, it is indeed mine: port 11000 belongs to my process (rigaga).

Next, install nmap locally (brew install nmap) and reproduce the scan:

🕙[2020-09-11 11:28:10.063] ❯ nmap -p 11000 -T4 -A -v  127.0.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-11 11:28 CST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating Ping Scan at 11:28
Scanning 127.0.0.1 [2 ports]
Completed Ping Scan at 11:28, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 11:28
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 11000/tcp on 127.0.0.1
Completed Connect Scan at 11:28, 0.00s elapsed (1 total ports)
Initiating Service scan at 11:28
Scanning 1 service on localhost (127.0.0.1)
Completed Service scan at 11:28, 6.01s elapsed (1 service on 1 host)
NSE: Script scanning 127.0.0.1.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.02s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00029s latency).

PORT      STATE SERVICE VERSION
11000/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).

NSE: Script Post-scanning.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.61 seconds

Sure enough.

Now write the simplest possible standalone program and see whether the issue reproduces:

package main

import (
	"log"
	"net/http"
)

func main() {
	addr := ":8812"
	log.Println("start go server on", addr)
	log.Fatal(http.ListenAndServe(addr, nil))
}

Reproduced successfully.

Now try a different form, with an (empty) handler registered for the root path:

package main

import (
	"log"
	"net/http"
)

func main() {
	addr := ":8812"
	// An empty root handler: every path now gets a 200 with an empty body
	// instead of falling through to the default http.NotFound response.
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {})

	log.Println("start go server on", addr)
	log.Fatal(http.ListenAndServe(addr, nil))
}

This one is not identified as a Golang server; the result looks like this:

🕙[2020-09-11 12:55:34.556] ❯ nmap -p 8812 -T4 -A -v  127.0.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-11 12:55 CST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:55
Completed NSE at 12:55, 0.00s elapsed
Initiating NSE at 12:55
Completed NSE at 12:55, 0.00s elapsed
Initiating NSE at 12:55
Completed NSE at 12:55, 0.00s elapsed
Initiating Ping Scan at 12:55
Scanning 127.0.0.1 [2 ports]
Completed Ping Scan at 12:55, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 12:55
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 8812/tcp on 127.0.0.1
Completed Connect Scan at 12:55, 0.00s elapsed (1 total ports)
Initiating Service scan at 12:55
Scanning 1 service on localhost (127.0.0.1)
Completed Service scan at 12:57, 86.08s elapsed (1 service on 1 host)
NSE: Script scanning 127.0.0.1.
Initiating NSE at 12:57
Completed NSE at 12:57, 0.01s elapsed
Initiating NSE at 12:57
Completed NSE at 12:57, 1.01s elapsed
Initiating NSE at 12:57
Completed NSE at 12:57, 0.00s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).

PORT     STATE SERVICE VERSION
8812/tcp open  unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 200 OK
|     Date: Fri, 11 Sep 2020 04:56:07 GMT
|     Content-Length: 0
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions:
|     HTTP/1.0 200 OK
|     Date: Fri, 11 Sep 2020 04:55:42 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8812-TCP:V=7.80%I=7%D=9/11%Time=5F5B034E%P=x86_64-apple-darwin19.5.
SF:0%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(GetRequest,4B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20F
SF:ri,\x2011\x20Sep\x202020\x2004:55:42\x20GMT\r\nContent-Length:\x200\r\n
SF:\r\n")%r(HTTPOptions,4B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Fri,\x2011\
SF:x20Sep\x202020\x2004:55:42\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(R
SF:TSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
SF:close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\
SF:.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=
SF:utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessi
SF:onReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/p
SF:lain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Req
SF:uest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Typ
SF:e:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x
SF:20Bad\x20Request")%r(FourOhFourRequest,4B,"HTTP/1\.0\x20200\x20OK\r\nDa
SF:te:\x20Fri,\x2011\x20Sep\x202020\x2004:56:07\x20GMT\r\nContent-Length:\
SF:x200\r\n\r\n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCo
SF:ntent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n
SF:\r\n400\x20Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad
SF:\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnect
SF:ion:\x20close\r\n\r\n400\x20Bad\x20Request")%r(SIPOptions,67,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=ut
SF:f-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");

NSE: Script Post-scanning.
Initiating NSE at 12:57
Completed NSE at 12:57, 0.00s elapsed
Initiating NSE at 12:57
Completed NSE at 12:57, 0.00s elapsed
Initiating NSE at 12:57
Completed NSE at 12:57, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.71 seconds

Looking for the likely cause of the fingerprinting, I found the NotFound implementation in the Go source, net/http/server.go, shown below, and suspected that this response is what gets matched:

// Error replies to the request with the specified error message and HTTP code.
// It does not otherwise end the request; the caller should ensure no further
// writes are done to w.
// The error message should be plain text.
func Error(w ResponseWriter, error string, code int) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(code)
	fmt.Fprintln(w, error)
}

// NotFound replies to the request with an HTTP 404 not found error.
func NotFound(w ResponseWriter, r *Request) { Error(w, "404 page not found", StatusNotFound) }

Verified with the following code, which calls http.NotFound explicitly and reproduces the detection:

package main

import (
	"log"
	"net/http"
)

func main() {
	addr := ":8812"
	// Explicitly send the canned Go 404 for every path; nmap identifies
	// this server as "Golang net/http server" again.
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		http.NotFound(w, r)
	})

	log.Println("start go server on", addr)
	log.Fatal(http.ListenAndServe(addr, nil))
}

Browsing the nmap source (nmap-service-probes) and searching for Golang brings the whole story to light:


match http m|^HTTP/1\.0 404 Not Found\r\nContent-Type: text/plain; charset=utf-8\r\nX-Content-Type-Options: nosniff\r\nDate: .*\r\nContent-Length: 19\r\n\r\n404 page not found\n| p|Golang net/http server| i/Go-IPFS json-rpc or InfluxDB API/ cpe:/a:golang:go/ cpe:/a:influxdata:influxdb/ cpe:/a:protocol_labs:go-ipfs/

Registering http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {}), so that the default http.NotFound response is never sent for unmatched paths, avoids this nmap fingerprint.
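To check a service against this signature without running nmap, the following program (an added example, not code from this issue or from the Go or nmap projects) serves three handlers with a real net/http server, sends the same bytes as nmap's GetRequest probe ("GET / HTTP/1.0\r\n\r\n", which is why the signature's status line says HTTP/1.0), and applies the match line above, rewritten as a Go regexp. The function names (probeRaw, fingerprinted, defaultMux, emptyRootMux, customNotFoundMux) are my own; the custom-404 variant goes beyond the issue's empty-handler fix by showing that 404 semantics can be kept while the fingerprint still changes.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"regexp"
	"time"
)

// nmapGolangSignature is the nmap match line quoted above, rewritten as a Go
// regexp (the p|...| label and the CPE fields are dropped).
var nmapGolangSignature = regexp.MustCompile(
	`^HTTP/1\.0 404 Not Found\r\n` +
		`Content-Type: text/plain; charset=utf-8\r\n` +
		`X-Content-Type-Options: nosniff\r\n` +
		`Date: .*\r\n` +
		`Content-Length: 19\r\n\r\n` +
		`404 page not found\n`)

// nmapGetRequestProbe is the payload of nmap's "GetRequest" probe.
const nmapGetRequestProbe = "GET / HTTP/1.0\r\n\r\n"

// probeRaw sends the probe over a plain TCP connection and returns the raw
// reply, exactly as a scanner sees it. HTTP/1.0 makes the server close the
// connection after the response, so ReadAll terminates.
func probeRaw(addr string) (string, error) {
	conn, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if err := conn.SetDeadline(time.Now().Add(2 * time.Second)); err != nil {
		return "", err
	}
	if _, err := io.WriteString(conn, nmapGetRequestProbe); err != nil {
		return "", err
	}
	raw, err := io.ReadAll(conn)
	if err != nil {
		return "", err
	}
	return string(raw), nil
}

// fingerprinted serves h with a real net/http server (so header order and the
// Date header are genuine), probes it, and reports whether the reply matches.
func fingerprinted(h http.Handler) (matched bool, raw string, err error) {
	ts := httptest.NewServer(h)
	defer ts.Close()
	raw, err = probeRaw(ts.Listener.Addr().String())
	if err != nil {
		return false, "", err
	}
	return nmapGolangSignature.MatchString(raw), raw, nil
}

// defaultMux has no handlers: "/" falls through to http.NotFound, producing
// the canned "404 page not found" reply that the signature matches.
func defaultMux() http.Handler { return http.NewServeMux() }

// emptyRootMux is this issue's workaround: a root handler that writes nothing,
// so unmatched paths get "200 OK" with an empty body instead.
func emptyRootMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {})
	return mux
}

// customNotFoundMux keeps 404 semantics but writes its own body and headers,
// so clients still learn the path is missing while the signature no longer matches.
func customNotFoundMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.WriteHeader(http.StatusNotFound)
		io.WriteString(w, "not found\n")
	})
	return mux
}

func main() {
	cases := []struct {
		name string
		h    http.Handler
	}{
		{"no root handler (Go default 404)", defaultMux()},
		{"empty root handler (this issue's fix)", emptyRootMux()},
		{"custom 404 body", customNotFoundMux()},
	}
	for _, c := range cases {
		matched, raw, err := fingerprinted(c.h)
		if err != nil {
			fmt.Printf("%s: probe failed: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%s\n  matches nmap Golang signature: %v\n  raw reply: %q\n", c.name, matched, raw)
	}
}
```

Only the first case matches. Note that the signature keys on the exact header order and the 19-byte body written by http.Error, so any root handler that does not delegate to http.NotFound changes the reply; whether to answer 200 (as in this issue) or a custom 404 is a matter of what behaviour clients should see on unknown paths.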