Enumeration is one of the essential phases in penetration testing (pentesting) of a network. Let’s see how to perform this using GoScan.

Network scanners like Nmap and zmap take effort and, depending on the size of the network, a long time to scan; although there is a learning curve, they are convenient.

However, GoScan, an interactive network scanner, automates these tasks and swiftly enumerates networks and services.

What is GoScan?

GoScan is a network scanner with an interactive interface that automates some Nmap enumeration functions. It has clever tab auto-completion and an SQLite database on the back end to keep connections and data stable even in unreliable circumstances.

It isn’t just another port scanner. It is more of a framework built on top of other tools to abstract and automate several enumeration tasks. GoScan relies primarily on Nmap for port scanning and service enumeration, and can also drive other scanners, such as Nikto.

GoScan can perform all the main steps of network scanning:

  • Host Discovery (ARP + ping sweep)
  • DNS enumeration
  • Service Enumeration
  • Port scanning
  • Domain enumeration

Tool Installation

Build from Source

Clone the repo:

$ git clone https://github.com/marco-lancini/goscan.git

Navigate to the GoScan directory and build:

$ cd goscan/goscan 
$ make setup 
$ make build

Run the following command to create a multi-platform binary:

$ make cross

Install Via Docker

$ git clone https://github.com/marco-lancini/goscan.git 
$ cd goscan/ 
$ docker-compose up --build

Binary Install

This is the recommended installation method. Download the binary:

# Linux (64bit)
$ wget https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip
$ unzip goscan_2.4_linux_amd64.zip

# Linux (32bit)
$ wget https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_386.zip
$ unzip goscan_2.4_linux_386.zip

# Next step is to place the executable in the PATH
$ chmod +x goscan
$ sudo mv ./goscan /usr/local/bin/goscan

Working with GoScan

Ping Sweep

GoScan is simple to use because it has automatic command suggestions and tab completion. Start entering a command, and a suggestion with a description will appear.

We’ll start by loading a target. We can load several IP addresses or, in our case, our target machine’s single IP address:

[goscan] > load target SINGLE 10.0.1.24

[*] Imported target: 10.0.1.24

Next, let’s perform a ping sweep.

GoScan first creates a directory in which the results will be stored. The directory can be changed, although the default is fine. After that, we can see the Nmap command it runs and the time the scan takes to complete. If we browse to the newly created results directory, the output is available in a few different formats.

Port Scan

The port scanning capabilities of GoScan are likely its most powerful feature. When we type portscan, we can see the several types of scans it can perform.

Any information currently stored by GoScan can be displayed using the show command. We can view targets:

[goscan] > show targets

+------------+---------+
|  ADDRESS   |  STEP   |
+------------+---------+
| 10.0.1.24  | SWEEPED |
+------------+---------+
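As an added example (not part of the original post or the GoScan project), the following Python script turns the Nmap XML that GoScan leaves in its results directory into a per-host inventory of open ports and flags anything outside an expected baseline, which is the check a defender wants after a port scan. The XML sample is constructed inline to stand in for a results file; the file name and the baseline are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap XML format, standing in for the .xml file that
# GoScan's Nmap runs leave in the results directory (hypothetical content).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA portscan 10.0.1.24">
  <host><status state="up"/><address addr="10.0.1.24" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.1.25" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_open_ports(xml_text):
    """Return {ip: [(proto, port, service), ...]} for every host that is up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data worth inventorying
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise for the inventory
            svc = port.find("service")
            name = svc.get("name", "?") if svc is not None else "?"
            open_ports.append((port.get("protocol"), int(port.get("portid")), name))
        inventory[ip] = sorted(open_ports)
    return inventory

def unexpected_ports(inventory, baseline):
    """baseline: {ip: {port, ...}} of services expected on each host.
    Return {ip: [port, ...]} of open ports not in the baseline."""
    findings = {}
    for ip, ports in inventory.items():
        extra = [p for _, p, _ in ports if p not in baseline.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings

if __name__ == "__main__":
    inv = parse_open_ports(SAMPLE_XML)
    for ip, ports in inv.items():
        print(ip, ", ".join(f"{p}/{proto} {svc}" for proto, p, svc in ports))
    print("unexpected:", unexpected_ports(inv, {"10.0.1.24": {22, 80}}))
```

Point the script at a real results file with `ET.parse(path).getroot()` in place of `ET.fromstring` and keep the baseline in version control so unexpected services show up as a diff over time.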

Enumerate Services

GoScan also allows us to enumerate running services on the target in addition to port scanning. We can see the available modules by typing enumerate, including FINGER, FTP, HTTP, RDP, and SMB.

Each service module also offers a few modes: DRY, which performs a dry run; POLITE, which runs but avoids brute-forcing; and BRUTEFORCE, which runs with brute-forcing enabled.

Special Scans

There are a few specific scans in GoScan that can be useful for reconnaissance. To see the available options, type special at the prompt:

[goscan] > special
    eyewitness  Takes screenshots of websites and open VNC servers
    domain      Extracts domain information from enumerated data
    dns         Performs DNS enumeration

The eyewitness scan wraps the EyeWitness tool, which takes screenshots of web pages and VNC servers. The only constraint is that EyeWitness must be installed in the system PATH for it to work. The domain scan can be used to enumerate domain information such as users, hosts, and servers.

Final Note ✍

While GoScan is quite useful for quickly discovering networks and services, it could be improved in a few areas. First, the framework could offer more service enumeration modules, such as SNMP and SMTP. Overall, though, GoScan is a fantastic tool that simplifies several Nmap enumeration tasks.