Wildcard ports handling #57
I scanned 1 host that has a Cloudflare WAF; the tool output 11 ports opened. None of them worked actually. I've been here because I thought I could open an issue to talk about the fact of hosts which have a WAF like Cloudflare. They will mostly appear to have a list of ports open when scanned with this tool, and I think it is because of the response status code. I believe that we don't need to scan ports for hosts that use popular firewall protections like Cloudflare and Akamai, etc., because it will generate a lot of false positives. These false positives are not something new, as other famous great port scanning tools, i.e. masscan, will fail at handling it too if you don't handle it with some code before standard execution. For example, an option will exclude these WAF IPs on the provided CIDRs to avoid scanning these annoying technologies, and I hope other ranges will be added. cloudflare="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12 172.64.0.0/13 131.0.72.0/22" I simply used bash to handle this a little bit; two solutions came into my mind and got tested:
Hi @osamahamad, thanks for sharing your insight on this. We solved the 2nd part internally by having another program which returns true or false based on the IP; if it's true, we move to the next IP for the port scan. Currently, we are doing this for 4 providers.
All thanks to @dwisiswant0 for the initial idea https://github.com/dwisiswant0/cf-check, that's how we came to know about this, but we can surely embed this into naabu with an optional flag to use in the coming updates. This issue is more specific to the hosts which return true/open for all the ports; that is another problem to solve here. Appreciate your detailed response and discussion around the topic.
Thank you for your detailed response @bauthard, and @dwisiswant0 for bringing this to the team. Appreciate your efforts, guys.
Hi @bauthard @osamahamad. That's a good story. I was looking into the same problem. Once this function is updated, it can speed up quickly.
It would be better if we could find the actual host and scan it.
Hey @gy741, that's too far from the scope of a "port" scanner, so most probably something to handle outside of this project. Thank you for sharing the resources.
@gy741 Regarding the actual host, IMO this does not succeed every time in finding the origin server, and if it is found then it is a vulnerability itself. It is a rare case to find the origin server behind a WAF; there are a ton of techniques and sometimes it requires a manual approach. I recommend filtering all the ignored hosts/domains (not scanned because they are behind a WAF) into a separate file for further analysis (output), for example to try to bypass those WAFs or perform your tests to find the origin server. I know you can do this by making another tool to process this situation, but if something like this existed in naabu as an option then it will be much better regarding time and effort. Then, after that, if you succeed in finding the origin server for some of these hosts, you can scan it using naabu again with the -u option. Update: meant the -host option.
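The exclusion list from the first comment and the separate "skipped, behind WAF" output suggested just above, as an added Go example that is not part of naabu, cf-check, or any commenter's code; it treats the quoted Cloudflare ranges as a snapshot and uses constructed sample targets.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Cloudflare ranges as quoted in the issue comment above (a snapshot, not a current list).
var cloudflareCIDRs = []string{
	"173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
	"141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
	"197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
	"172.64.0.0/13", "131.0.72.0/22",
}

// parsePrefixes converts CIDR strings to netip.Prefix values, dropping malformed entries.
func parsePrefixes(cidrs []string) []netip.Prefix {
	var out []netip.Prefix
	for _, c := range cidrs {
		if p, err := netip.ParsePrefix(c); err == nil {
			out = append(out, p.Masked())
		}
	}
	return out
}
// behindWAF reports whether ip falls inside any excluded prefix (Unmap so ::ffff:a.b.c.d matches IPv4 ranges).
func behindWAF(ip netip.Addr, prefixes []netip.Prefix) bool {
	ip = ip.Unmap()
	for _, p := range prefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}
// splitTargets returns the targets to scan and the ones to record in a separate
// "skipped, behind WAF" list; non-IP entries pass through for the scanner to resolve.
func splitTargets(targets []string, prefixes []netip.Prefix) (scan, skipped []string) {
	for _, t := range targets {
		if ip, err := netip.ParseAddr(t); err == nil && behindWAF(ip, prefixes) {
			skipped = append(skipped, t)
			continue
		}
		scan = append(scan, t)
	}
	return scan, skipped
}
func main() {
	// Constructed sample targets: 203.0.113.7 (TEST-NET-3) and 172.72.0.1 sit just outside the ranges.
	scan, skipped := splitTargets([]string{"104.16.1.1", "203.0.113.7", "172.72.0.1"}, parsePrefixes(cloudflareCIDRs))
	fmt.Println("scan:", scan, "skipped:", skipped)
}
```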
@osamahamad this feature is added in naabu.
Problem:-
Possible solution:-
It's an issue for the discussion, more things need to be explored to understand this issue better.