Enumeration is one of the essential phases in penetration testing (pentesting) of a network. Let’s see how to perform this using GoScan.
Network scanners like Nmap and ZMap take effort and, depending on the size of the network, a long time to scan; while there is a learning curve, they are convenient.
However, GoScan, an interactive network scanner, automates the tasks and swiftly enumerates the networks and services.
What is GoScan?
GoScan is a network scanner with an interactive interface that automates some Nmap enumeration functions. It has clever tab auto-completion and an SQLite database on the back end to keep connections and data stable even in unreliable circumstances.
It isn’t the same as other network scanners. It’s more of a framework built on top of other tools for the abstraction and automation of several tasks. GoScan relies primarily on Nmap for port scanning and service enumeration, supplementing it with other tools such as Nikto.
GoScan can perform all the main steps of network scanning:
- Host Discovery (ARP + ping sweep)
- DNS enumeration
- Service Enumeration
- Port scanning
- Domain enumeration
Build from Source
Clone the repo:
$ git clone https://github.com/marco-lancini/goscan.git
Navigate to the GoScan directory and build:
$ cd goscan/goscan
$ make setup
$ make build
Run the following command to create a multi-platform binary:
$ make cross
Install Via Docker
$ git clone https://github.com/marco-lancini/goscan.git
$ cd goscan/
$ docker-compose up --build
Install from a Binary Release
This is the recommended installation method. Obtain the binary:
# Linux (64bit)
$ wget https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip
$ unzip goscan_2.4_linux_amd64.zip
# Linux (32bit)
$ wget https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_386.zip
$ unzip goscan_2.4_linux_386.zip
# Next step is to place the executable in the PATH
$ chmod +x goscan
$ sudo mv ./goscan /usr/local/bin/goscan
Working with GoScan
GoScan is simple to use because it has automatic command suggestions and tab completion. Start entering a command, and a suggestion with a description will appear.
We’ll start by loading a target. We can load several IP addresses or, in our case, our target machine’s single IP address:
[goscan] > load target SINGLE 10.0.1.24
[*] Imported target: 10.0.1.24
Next, let’s perform a ping sweep:
GoScan first creates a directory in which the results will be stored. The directory can be changed, although the default is fine. Following that, GoScan shows the Nmap command it runs and the time it takes to complete. If we browse to the newly created directory where the results are stored, we can see the output in a few different formats.
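As an added example that is not part of the original post or of GoScan itself: a short Python parser for Nmap’s XML output, one of the formats that ends up in GoScan’s results directory, which lists live hosts with their port states and service banners so a scan can be reviewed offline. The XML below is constructed sample data, and no assumption is made about how GoScan names files in its results directory.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML (-oX) output format, the kind of file GoScan
# writes to its results directory after a port scan. All values are made up.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.1.24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.1.24" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.41"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.1.25" addrtype="ipv4"/>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Map each live host's IPv4 address to a list of (port, proto, state, service, banner)."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue  # hosts Nmap reports as down carry no port data
        ports = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            ports.append((int(port.get("portid")), port.get("protocol"),
                          port.find("state").get("state"), name, banner))
        results[addr_el.get("addr")] = ports
    return results


def open_ports(results, address):
    """Port numbers in the 'open' state for one host, ascending."""
    return sorted(p[0] for p in results.get(address, []) if p[2] == "open")
```

Filtered ports are kept in the parsed list but excluded by open_ports, so a reviewer can tell an unreachable service from an exposed one.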
The port scanning capabilities of GoScan are likely its most powerful feature. When we type portscan, we can see the different types of scans it can perform:
Any information currently stored by GoScan can be displayed using the show command. We can view targets:
[goscan] > show targets
+------------+---------+
| ADDRESS    | STEP    |
+------------+---------+
| 10.0.1.24  | SWEEPED |
+------------+---------+
GoScan also allows us to enumerate running services on the target in addition to port scanning. We can see the available modules by typing enumerate, including FINGER, FTP, HTTP, RDP, and SMB.
Each service also offers a few modes, such as DRY, which performs a dry run; POLITE, which runs but avoids brute-forcing; and BRUTEFORCE, which runs with brute-forcing enabled.
There are a few specific scans in GoScan that can be useful for reconnaissance. To see the available options, type special at the prompt:
[goscan] > special
eyewitness   Takes screenshots of websites and open VNC servers
domain       Extracts domain information from enumerated data
dns          Performs DNS enumeration
The eyewitness scan wraps the EyeWitness tool, which takes screenshots of web pages and VNC servers. The only constraint is that EyeWitness must be on the system PATH for it to work. The domain scan can be used to enumerate domain information such as users, hosts, and servers.
Final Note ✍
While the GoScan tool is quite useful for quickly discovering networks and services, it could be improved in a few areas. First, the framework could offer more service enumeration modules, such as SNMP and SMTP. But overall, GoScan is a fantastic tool that simplifies some Nmap enumeration tasks.