
Wildcard ports handling #57

Closed
ehsandeep opened this issue Jul 21, 2020 · 8 comments
Labels
Type: Discussion Some ideas need to be planned and discussed to come to a strategy.

Comments

@ehsandeep
Member

Problem:-

  • Port responds with "Open" status for any port you request.

Possible solution:-

  • Detect hosts with wildcard ports and eliminate them from the scan.

This is an issue for discussion; more things need to be explored to understand this problem better.

@ehsandeep ehsandeep added the Type: Discussion Some ideas need to be planned and discussed to come to a strategy. label Jul 21, 2020
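One way to implement the detection proposed above, as an added example in Go (not code from naabu): probe a few random ports in the dynamic range and treat a host that reports every one of them as open as a wildcard host, whose per-port results are then discarded rather than reported. The Prober type, the connect()-scan prober, the three-probe threshold and the sample hosts are assumptions made for this example; the fakes in main() stand in for real targets so it runs offline.

```go
package main

import (
	"fmt"
	"math/rand"
	"net"
	"time"
)

// Prober answers whether host:port looked open. In a real scanner this is a
// SYN or connect() probe; the example injects fakes so it runs offline.
type Prober func(host string, port int) bool

// ConnectProber returns a TCP connect()-scan Prober with the given timeout
// (assumption: connect scan; naabu's own probing is not reproduced here).
func ConnectProber(timeout time.Duration) Prober {
	return func(host string, port int) bool {
		c, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(port)), timeout)
		if err != nil {
			return false
		}
		c.Close()
		return true
	}
}

// randomHighPorts picks n distinct ports from the IANA dynamic range
// (49152-65535). A host with real listeners on several of these at once is
// unlikely, so "all of them open" is a strong wildcard signal.
func randomHighPorts(n int, seed int64) []int {
	r := rand.New(rand.NewSource(seed))
	seen := make(map[int]bool, n)
	ports := make([]int, 0, n)
	for len(ports) < n {
		p := 49152 + r.Intn(65535-49152+1)
		if !seen[p] {
			seen[p] = true
			ports = append(ports, p)
		}
	}
	return ports
}

// IsWildcardHost probes n random high ports. If every one of them reports
// open, the host (or a middlebox in front of it) answers "open" for anything,
// and per-port results from it carry no information.
func IsWildcardHost(host string, probe Prober, n int) bool {
	if n <= 0 {
		n = 3
	}
	for _, p := range randomHighPorts(n, time.Now().UnixNano()) {
		if !probe(host, p) {
			return false // at least one closed/filtered port: normal host
		}
	}
	return true
}

// ScanHost runs the wildcard check first and, when it trips, returns no open
// ports and wildcard=true instead of a list of false positives.
func ScanHost(host string, ports []int, probe Prober) (open []int, wildcard bool) {
	if IsWildcardHost(host, probe, 3) {
		return nil, true
	}
	for _, p := range ports {
		if probe(host, p) {
			open = append(open, p)
		}
	}
	return open, false
}

func main() {
	// Constructed fakes standing in for two hosts; no packets are sent.
	allOpen := Prober(func(string, int) bool { return true })
	normal := Prober(func(_ string, port int) bool { return port == 22 || port == 80 })
	ports := []int{22, 80, 443, 8080}

	open, wc := ScanHost("wildcard.example", ports, allOpen)
	fmt.Printf("wildcard.example: wildcard=%v open=%v\n", wc, open)
	open, wc = ScanHost("normal.example", ports, normal)
	fmt.Printf("normal.example:   wildcard=%v open=%v\n", wc, open)
}
```

To use it against live targets, replace the fakes with ConnectProber(2*time.Second). The check is deliberately strict (every random probe must answer open) so that a host which legitimately runs one or two high-port services is not misclassified; a WAF or load balancer that completes the handshake for any port trips it on the first few probes.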
@osamahamad

I scanned 1 host that has the Cloudflare WAF; the tool output 11 open ports. None of them actually worked.

I came here because I thought I could open an issue to talk about the fact that hosts which have a WAF like Cloudflare will mostly appear to have a list of open ports when scanned with this tool, and I think it is because of the response status code.
I guess this may be related to your description.

I believe that we don't need to scan ports for hosts that use popular firewall protections like Cloudflare, Akamai, etc., because it will generate a lot of false positives. These false positives are nothing new, as other famous, great port scanning tools, e.g. masscan, will fail to handle this too if you don't handle it with some code before the standard execution.

For example, an option that excludes these WAF IPs from the provided CIDRs to avoid scanning these annoying technologies, and hopefully other ranges will be added.

cloudflare="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12 172.64.0.0/13 131.0.72.0/22"
incapsula="199.83.128.0/21 198.143.32.0/19 149.126.72.0/21 103.28.248.0/22 45.64.64.0/22 185.11.124.0/22 192.230.64.0/18 107.154.0.0/16 45.60.0.0/16 45.223.0.0/16"
sucuri="185.93.228.0/24 185.93.229.0/24 185.93.230.0/24 185.93.231.0/24 192.124.249.0/24 192.161.0.0/24 192.88.134.0/24 192.88.135.0/24 193.19.224.0/24 193.19.225.0/24 66.248.200.0/24 66.248.201.0/24 66.248.202.0/24 66.248.203.0/24"
akamai="104.101.221.0/24 184.51.125.0/24 184.51.154.0/24 184.51.157.0/24 184.51.33.0/24 2.16.36.0/24 2.16.37.0/24 2.22.226.0/24 2.22.227.0/24 2.22.60.0/24 23.15.12.0/24 23.15.13.0/24 23.209.105.0/24 23.62.225.0/24 23.74.29.0/24 23.79.224.0/24 23.79.225.0/24 23.79.226.0/24 23.79.227.0/24 23.79.229.0/24 23.79.230.0/24 23.79.231.0/24 23.79.232.0/24 23.79.233.0/24 23.79.235.0/24 23.79.237.0/24 23.79.238.0/24 23.79.239.0/24 63.208.195.0/24 72.246.0.0/24 72.246.1.0/24 72.246.116.0/24 72.246.199.0/24 72.246.2.0/24 72.247.150.0/24 72.247.151.0/24 72.247.216.0/24 72.247.44.0/24 72.247.45.0/24 80.67.64.0/24 80.67.65.0/24 80.67.70.0/24 80.67.73.0/24 88.221.208.0/24 88.221.209.0/24 96.6.114.0/24"

I simply used bash to handle this a little bit. Two solutions came to my mind and got tested:
1- Using another tool to detect the WAF and, with some regex, generating a list of clean hosts (not protected by a 360 firewall). Better than the other mentioned possible solution.
2- Using these WAF CIDRs, which I found in a tool called Automated Scanner, to avoid scanning IPs in these ranges (of course not enough).

@ehsandeep
Member Author

Hi @osamahamad,

Thanks for sharing your insight on this. We solved the 2nd part internally by having another program which returns true or false based on the IP; if it's true, we move on to the next IP for the port scan. Currently we are doing this for 4 providers.

Cloudflare
Incapsula
Akamai
Sucuri

All thanks to @dwisiswant0 for the initial idea https://github.com/dwisiswant0/cf-check; that's how we came to know about this. We can surely embed this in naabu with an optional flag in the coming updates. This issue is more specific to hosts which return true/open for all ports; that is another problem to solve here.

Appreciate your detailed response and discussion around the topic.

@osamahamad

Thank you for your detailed response @bauthard, and @dwisiswant0 for bringing this to the team.
This is going to be a very helpful and awesome enhancement to this tool. Hopefully other providers will be added in the future too, to avoid this kind of problem as much as possible.

Appreciate your given efforts guys.

@gy741

gy741 commented Aug 2, 2020

Hi. @bauthard @osamahamad

That's a good story.

I was looking into the same problem.

Once this function is added, it can speed things up a lot.

@gy741

gy741 commented Aug 2, 2020

It would be better if we could find the actual host and scan it.

Ref : https://github.com/tbiehn/CURRYFINGER

@ehsandeep
Member Author

Hey @gy741,

That's too far from the scope of a "port" scanner, so it is most probably something to handle outside of this project. Thank you for sharing the resources.

@osamahamad

osamahamad commented Aug 2, 2020

@gy741 Regarding actual host,

Imo, this does not succeed every time in finding the origin server, and if it is found, then that is a vulnerability in itself. It is a rare case to find the origin server behind a WAF; there are a ton of techniques and sometimes it requires a manual approach. I recommend filtering all the ignored hosts/domains (not scanned because they are behind a WAF) into a separate file for further analysis (output), for example to try to bypass those WAFs or to perform your tests to find the origin server. I know you can do this by making another tool to process this situation, but if something like this existed in naabu as an option, then it would be much better regarding time and effort. Then, after that, if you succeed in finding the origin server for some of these hosts, you can scan it using naabu again with the -u option.

Update: I meant the -host option.

@ehsandeep
Member Author

@osamahamad this feature is added in naabu: the -exclude-cdn flag will exclude IPs from port scanning and only look for ports 80 and 443.
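The CIDR-based exclusion that @osamahamad sketched in bash, that @ehsandeep describes as a separate true/false-per-IP program, and that the -exclude-cdn flag above implements, as an added example in Go (not naabu's own code): parse the provider ranges quoted earlier in the thread once, classify each target IP against them, and hand a CDN-fronted IP only ports 80 and 443. The CDNMatcher type, the PortsFor policy and the two sample targets (104.16.1.1 inside Cloudflare's 104.16.0.0/12 and 192.0.2.10 in TEST-NET-1) are assumptions for the example; the Akamai list is abbreviated and the rest can be pasted in from the comment above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// CDNRanges holds the provider ranges quoted earlier in this thread. The
// Akamai list is abbreviated here; paste the rest from the comment above.
var CDNRanges = map[string]string{
	"cloudflare": `173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
		141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
		197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12
		172.64.0.0/13 131.0.72.0/22`,
	"incapsula": `199.83.128.0/21 198.143.32.0/19 149.126.72.0/21 103.28.248.0/22
		45.64.64.0/22 185.11.124.0/22 192.230.64.0/18 107.154.0.0/16
		45.60.0.0/16 45.223.0.0/16`,
	"sucuri": `185.93.228.0/24 185.93.229.0/24 185.93.230.0/24 185.93.231.0/24
		192.124.249.0/24 192.161.0.0/24 192.88.134.0/24 192.88.135.0/24
		193.19.224.0/24 193.19.225.0/24 66.248.200.0/24 66.248.201.0/24
		66.248.202.0/24 66.248.203.0/24`,
	"akamai": `104.101.221.0/24 184.51.125.0/24 184.51.154.0/24 184.51.157.0/24
		184.51.33.0/24 2.16.36.0/24 2.16.37.0/24 2.22.226.0/24`,
}

// CDNMatcher answers "is this IP fronted by a known CDN/WAF provider?".
type CDNMatcher struct {
	nets map[string][]*net.IPNet
}

// NewCDNMatcher parses the whitespace-separated CIDR lists once up front, so
// a bad entry fails loudly before any scan starts.
func NewCDNMatcher(ranges map[string]string) (*CDNMatcher, error) {
	m := &CDNMatcher{nets: make(map[string][]*net.IPNet)}
	for provider, list := range ranges {
		for _, cidr := range strings.Fields(list) {
			_, n, err := net.ParseCIDR(cidr)
			if err != nil {
				return nil, fmt.Errorf("%s: bad CIDR %q: %w", provider, cidr, err)
			}
			m.nets[provider] = append(m.nets[provider], n)
		}
	}
	return m, nil
}

// Lookup returns the provider name and true when ip lies in a known range.
func (m *CDNMatcher) Lookup(ip string) (string, bool) {
	addr := net.ParseIP(ip)
	if addr == nil {
		return "", false
	}
	for provider, nets := range m.nets {
		for _, n := range nets {
			if n.Contains(addr) {
				return provider, true
			}
		}
	}
	return "", false
}

// PortsFor applies the -exclude-cdn policy described in the thread: a
// CDN-fronted IP is probed only on 80 and 443, everything else gets the
// full requested list.
func (m *CDNMatcher) PortsFor(ip string, requested []int) []int {
	if _, cdn := m.Lookup(ip); cdn {
		return []int{80, 443}
	}
	return requested
}

func main() {
	m, err := NewCDNMatcher(CDNRanges)
	if err != nil {
		panic(err)
	}
	requested := []int{22, 80, 443, 8080}
	// Constructed sample targets: one inside Cloudflare's 104.16.0.0/12,
	// one in TEST-NET-1 (192.0.2.0/24), which no listed range covers.
	for _, ip := range []string{"104.16.1.1", "192.0.2.10"} {
		provider, cdn := m.Lookup(ip)
		fmt.Printf("%-12s cdn=%-5v provider=%-12q ports=%v\n", ip, cdn, provider, m.PortsFor(ip, requested))
	}
}
```

Two caveats a practitioner should keep in mind with this approach: the range lists go stale, so they need to be refreshed from each provider rather than frozen in a source file, and an address that is not in any list is not proof that the host is the origin, only that it is not on a provider this table knows about.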
