How did nmap detect that my HTTP service is implemented in Golang?
Opened this issue · 0 comments
bingoohuang commented
Origin
A colleague sent me a screenshot saying that the monitoring service could scan out the language and the database, and asked whether we wanted to block that. He also offered a clue: another port, also a Go service, was not detected by the scan.
Search
First, a quick Baidu search.
Verify
I quickly confirmed with netstat's -tulpn option (which I pronounce "tulupin") whether the exposed port belonged to my own program:
```
$ sudo netstat -tulpn | grep LISTEN
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN 1351/friday
tcp 0 0 127.0.0.1:23306 0.0.0.0:* LISTEN 1408/haproxy
tcp 0 0 0.0.0.0:8022 0.0.0.0:* LISTEN 1424/sshd: /usr/sbi
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1804/master
tcp 0 0 127.0.0.1:13306 0.0.0.0:* LISTEN 1408/haproxy
tcp 0 0 0.0.0.0:1947 0.0.0.0:* LISTEN 808/hasplmd_x86_64
tcp6 0 0 :::9633 :::* LISTEN 1827/mysqld
tcp6 0 0 :::31010 :::* LISTEN 19691/rigaga
tcp6 0 0 :::7569 :::* LISTEN 1321/kerb-proxy
tcp6 0 0 :::8022 :::* LISTEN 1424/sshd: /usr/sbi
tcp6 0 0 :::8759 :::* LISTEN 9761/java
tcp6 0 0 :::10999 :::* LISTEN 8205/java
tcp6 0 0 :::11000 :::* LISTEN 19691/rigaga
tcp6 0 0 ::1:25 :::* LISTEN 1804/master
```
As shown above, it was indeed mine.
Reproduce
I quickly installed it myself with `brew install nmap`, then reproduced it:
```
🕙[2020-09-11 11:28:10.063] ❯ nmap -p 11000 -T4 -A -v 127.0.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-11 11:28 CST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating Ping Scan at 11:28
Scanning 127.0.0.1 [2 ports]
Completed Ping Scan at 11:28, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 11:28
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 11000/tcp on 127.0.0.1
Completed Connect Scan at 11:28, 0.00s elapsed (1 total ports)
Initiating Service scan at 11:28
Scanning 1 service on localhost (127.0.0.1)
Completed Service scan at 11:28, 6.01s elapsed (1 service on 1 host)
NSE: Script scanning 127.0.0.1.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.02s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
11000/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
NSE: Script Post-scanning.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.61 seconds
```
Sure enough.
Isolate
I immediately wrote the simplest standalone program to see whether the problem could be reproduced:
```go
package main

import (
	"log"
	"net/http"
)

func main() {
	addr := ":8812"
	log.Println("start go server on", addr)
	// nil handler: DefaultServeMux with no routes, so every request gets the stock 404
	log.Fatal(http.ListenAndServe(addr, nil))
}
```
Reproduced successfully.
Then I switched to another form:
```go
package main

import (
	"log"
	"net/http"
)

func main() {
	addr := ":8812"
	// catch-all handler that writes nothing: an empty 200 instead of the stock 404
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {})
	log.Println("start go server on", addr)
	log.Fatal(http.ListenAndServe(addr, nil))
}
```
This one was not identified as a Golang server; the result looked like this:
```
🕙[2020-09-11 12:55:34.556] ❯ nmap -p 8812 -T4 -A -v 127.0.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-11 12:55 CST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:55
Completed NSE at 12:55, 0.00s elapsed
Initiating NSE at 12:55
Completed NSE at 12:55, 0.00s elapsed
Initiating NSE at 12:55
Completed NSE at 12:55, 0.00s elapsed
Initiating Ping Scan at 12:55
Scanning 127.0.0.1 [2 ports]
Completed Ping Scan at 12:55, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 12:55
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 8812/tcp on 127.0.0.1
Completed Connect Scan at 12:55, 0.00s elapsed (1 total ports)
Initiating Service scan at 12:55
Scanning 1 service on localhost (127.0.0.1)
Completed Service scan at 12:57, 86.08s elapsed (1 service on 1 host)
NSE: Script scanning 127.0.0.1.
Initiating NSE at 12:57
Completed NSE at 12:57, 0.01s elapsed
Initiating NSE at 12:57
Completed NSE at 12:57, 1.01s elapsed
Initiating NSE at 12:57
Completed NSE at 12:57, 0.00s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).
PORT STATE SERVICE VERSION
8812/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 200 OK
| Date: Fri, 11 Sep 2020 04:56:07 GMT
| Content-Length: 0
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Date: Fri, 11 Sep 2020 04:55:42 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8812-TCP:V=7.80%I=7%D=9/11%Time=5F5B034E%P=x86_64-apple-darwin19.5.
SF:0%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(GetRequest,4B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20F
SF:ri,\x2011\x20Sep\x202020\x2004:55:42\x20GMT\r\nContent-Length:\x200\r\n
SF:\r\n")%r(HTTPOptions,4B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Fri,\x2011\
SF:x20Sep\x202020\x2004:55:42\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(R
SF:TSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
SF:close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\
SF:.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=
SF:utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessi
SF:onReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/p
SF:lain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Req
SF:uest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Typ
SF:e:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x
SF:20Bad\x20Request")%r(FourOhFourRequest,4B,"HTTP/1\.0\x20200\x20OK\r\nDa
SF:te:\x20Fri,\x2011\x20Sep\x202020\x2004:56:07\x20GMT\r\nContent-Length:\
SF:x200\r\n\r\n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCo
SF:ntent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n
SF:\r\n400\x20Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad
SF:\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnect
SF:ion:\x20close\r\n\r\n400\x20Bad\x20Request")%r(SIPOptions,67,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=ut
SF:f-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
NSE: Script Post-scanning.
Initiating NSE at 12:57
Completed NSE at 12:57, 0.00s elapsed
Initiating NSE at 12:57
Completed NSE at 12:57, 0.00s elapsed
Initiating NSE at 12:57
Completed NSE at 12:57, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.71 seconds
```
Locate
Looking for the likely cause of being fingerprinted, I found the following NotFound implementation in the Go source, net/http/server.go, and guessed that this reply was what gave it away:
```go
// Error replies to the request with the specified error message and HTTP code.
// It does not otherwise end the request; the caller should ensure no further
// writes are done to w.
// The error message should be plain text.
func Error(w ResponseWriter, error string, code int) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(code)
	fmt.Fprintln(w, error)
}

// NotFound replies to the request with an HTTP 404 not found error.
func NotFound(w ResponseWriter, r *Request) { Error(w, "404 page not found", StatusNotFound) }
```
I verified this with the following code, which reproduces it:
```go
package main

import (
	"log"
	"net/http"
)

func main() {
	addr := ":8812"
	// catch-all handler that explicitly sends the stock 404 reply
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		http.NotFound(w, r)
	})
	log.Println("start go server on", addr)
	log.Fatal(http.ListenAndServe(addr, nil))
}
```
Cause
Browsing the nmap source and searching for Golang, the truth came out:
```
match http m|^HTTP/1\.0 404 Not Found\r\nContent-Type: text/plain; charset=utf-8\r\nX-Content-Type-Options: nosniff\r\nDate: .*\r\nContent-Length: 19\r\n\r\n404 page not found\n| p|Golang net/http server| i/Go-IPFS json-rpc or InfluxDB API/ cpe:/a:golang:go/ cpe:/a:influxdata:influxdb/ cpe:/a:protocol_labs:go-ipfs/
```
Conclusion
Adding `http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {})` sidesteps the nmap fingerprint.
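As an added example (my own code, not from this issue), the program below sends the same HTTP/1.0 GET that nmap's GetRequest probe sends to a handler on a loopback port and checks the raw reply against the match line quoted above, converted to a Go regexp. `Fingerprinted`, `Quiet404` and the JSON body are my own names and choices: the empty mux (the issue's first program) matches, while a handler that still answers 404 but with its own Content-Type and body does not, which keeps 404 semantics instead of answering 200 for every path.

```go
package main

import (
	"io"
	"net"
	"net/http"
	"regexp"
)

// The nmap match line quoted above, rewritten as a Go regexp.
var goFingerprint = regexp.MustCompile(`^HTTP/1\.0 404 Not Found\r\nContent-Type: text/plain; charset=utf-8\r\n` +
	`X-Content-Type-Options: nosniff\r\nDate: .*\r\nContent-Length: 19\r\n\r\n404 page not found\n`)

// Fingerprinted serves h on an ephemeral loopback port, sends the HTTP/1.0 GET
// nmap's GetRequest probe sends, and reports whether the raw reply hits the match line.
func Fingerprinted(h http.Handler) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	srv := &http.Server{Handler: h}
	go srv.Serve(ln)
	defer srv.Close() // also closes ln
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	if _, err := io.WriteString(conn, "GET / HTTP/1.0\r\n\r\n"); err != nil {
		return false, err
	}
	raw, err := io.ReadAll(conn) // HTTP/1.0 without keep-alive: server closes after the reply
	if err != nil {
		return false, err
	}
	return goFingerprint.Match(raw), nil
}

// Quiet404 keeps 404 semantics but replaces the stock net/http reply (text/plain,
// nosniff, 19-byte body: the combination nmap keys on) with a JSON body of its own.
func Quiet404() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusNotFound)
		io.WriteString(w, `{"error":"not found"}`) // constructed body; any non-stock reply works
	})
	return mux
}
```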