{"id":13841861,"url":"https://github.com/u21h2/nacs","last_synced_at":"2025-07-11T13:33:11.994Z","repository":{"id":41523364,"uuid":"495917708","full_name":"u21h2/nacs","owner":"u21h2","description":"事件驱动的渗透测试扫描器 Event-driven pentest scanner","archived":false,"fork":false,"pushed_at":"2024-07-07T07:36:21.000Z","size":18558,"stargazers_count":623,"open_issues_count":5,"forks_count":72,"subscribers_count":13,"default_branch":"main","last_synced_at":"2024-08-05T17:29:33.286Z","etag":null,"topics":["cve","exploit","fofa","fscan","golang","log4j","nuclei","pentest","redteam","scanner","security","shiro","xray"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/u21h2.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-24T17:09:51.000Z","updated_at":"2024-08-03T14:22:01.000Z","dependencies_parsed_at":"2024-07-07T08:53:14.361Z","dependency_job_id":null,"html_url":"https://github.com/u21h2/nacs","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/u21h2%2Fnacs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/u21h2%2Fnacs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/u21h2%2Fnacs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/u21h2%2Fnacs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/u21h2","download_url":"https://codeload.github.com/u21h2/nacs/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225729742,"owners_count":17515158,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","exploit","fofa","fscan","golang","log4j","nuclei","pentest","redteam","scanner","security","shiro","xray"],"created_at":"2024-08-04T17:01:23.065Z","updated_at":"2024-11-21T12:30:39.054Z","avatar_url":"https://github.com/u21h2.png","language":"Go","readme":"# nacs 事件驱动的扫描器\n\n[[中文 Readme]](https://github.com/u21h2/nacs/blob/main/README.md)\n|\n[[English Readme]](https://github.com/u21h2/nacs/blob/main/README_EN.md)\n\n\n\u003ca href=\"https://github.com/u21h2/nacs\"\u003e\u003cimg alt=\"Release\" src=\"https://img.shields.io/github/go-mod/go-version/u21h2/nacs?filename=go.mod\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/u21h2/nacs\"\u003e\u003cimg alt=\"Release\" src=\"https://img.shields.io/badge/nacs-0.0.4-ff69b4\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/u21h2/nacs/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/downloads/u21h2/nacs/total\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/u21h2/nacs\"\u003e\u003cimg src=\"https://img.shields.io/github/forks/u21h2/nacs\"\u003e\u003c/a\u003e\n\n## ✨ 功能\n- 探活\n- 服务扫描(常规\u0026非常规端口)\n- poc探测(xray\u0026nuclei格式)\n- 数据库等弱口令爆破\n- 内网常见漏洞利用\n\n\n## ⭐️ 亮点\n- 常见组件及常见HTTP请求头的log4j漏洞检测\n  ![image](utils/3.png)\n- 非常规端口的服务扫描和利用(比如2222端口的ssh等等)\n- 识别为公网IP时, 从fofa检索可用的资产作为扫描的补充(正在写)\n- 自动识别简单web页面的输入框，用于弱口令爆破及log4j的检测(正在写)\n\n\n# 利用过程\n    环境配置\n        弱口令配置、要写入的公钥、反弹的地址、ceye的API等等\n    探活\n        icmp ping\n    资产初筛\n        确定哪个端口对应哪种服务，尤其是非常规端口\n    漏洞打点(根据指纹信息发送到相应的模块)\n        可以RCE的非web服务 进行探测或者利用(redis、永恒之蓝等)\n        web服务 扫poc 如log4j\n        非web服务 未授权及爆破\n        web服务 自动爆破登录 (未实现)\n        重点服务 OA、VPN、Weblogic、蜜罐等\n\n\n\n## 使用方法\n\n### 快速使用\n```\nsudo ./nacs -h IP或IP段 -o result.txt\nsudo ./nacs -hf IP或IP段的文件 -o result.txt\nsudo ./nacs -u url(支持http、ssh、ftp、smb等, 可以指定或者不指定) -o result.txt\nsudo ./nacs -uf url文件 -o result.txt\n```\n\n### 示例\n- (1) 添加目标IP: 对10.15.196.135机器进行扫描, 手动添加密码, 并关闭反连平台的测试(即不测试log4j等)\n    ```\n    sudo ./nacs -h 10.15.196.135 -passwordadd \"xxx,xxx\" -noreverse\n    ```\n    ![image](utils/1.png)\n    可见发现了nacos的权限绕过漏洞，以及各服务爆破成功\n\n- (2) 直接添加目标url: 对10.211.55.7的ssh端口进行爆破,添加用户名密码均为test,爆破成功后执行ifconfig;并对某靶场url尝试log4j漏洞\n  ```\n  sudo ./nacs -u \"ssh://10.211.55.7:22,http://123.58.224.8:13099\" -usernameadd test -passwordadd test -command ifconfig\n  ```\n  ![image](utils/2.png)\n  可见两个log4j的poc都检测成功了,注入点在请求头的X-Api-Version字段；ssh爆破也成功了\n    \n### 常用参数\n```\n-o 指定输出的日志文件\n-np 不探活, 直接扫端口\n-po 只使用这些端口\n-pa 添加这些端口\n-fscanpocpath fscan的poc路径 格式为\"web/pocs/\"\n-nucleipocpath nuclei的poc路径 格式为\"xxx/pocs/**\"\n-nopoc 不进行poc探测, 包括xray与nuclei\n-nuclei 使用nuclei进行探测(不强烈建议加上此参数,因为nuclei的poc太多了)\n-nobrute 不进行爆破\n-pocdebug poc探测时打印全部信息\n-brutedebug 爆破时打印全部信息\n-usernameadd 爆破时添加用户名\n-passwordadd 爆破时添加密码\n-noreverse 不使用反连平台\n-ceyekey 你自己的ceye token\n-ceyedomain 你自己的ceye domain\n```\n\n## 借鉴\n借鉴参考了下列优秀作品\n- [x] fscan https://github.com/shadow1ng/fscan 专注于内网 web和服务的poc 服务的爆破\n- [x] kscan https://github.com/lcvvvv/kscan 专注于信息收集 能探测到非常规端口开的服务 比如2222的ssh\n- [x] dismap https://github.com/zhzyker/dismap 资产收集\n- [ ] Ladon https://github.com/k8gege/LadonGo\n- [x] xray https://github.com/chaitin/xray 主动/被动扫常见web漏洞 扫poc\n- [ ] goby https://cn.gobies.org/\n- [x] vulmap https://github.com/zhzyker/vulmap\n- [ ] nali https://github.com/zu1k/nali 查询IP地理信息和CDN提供商\n- [ ] ehole https://github.com/EdgeSecurityTeam/EHole 重点攻击系统指纹探测 暂时不能用了\n- [x] Nuclei https://github.com/projectdiscovery/nuclei 基于poc的快速扫描\n- [x] pocV https://github.com/WAY29/pocV 能扫描xray和nuclei的poc\n- [x] afrog https://github.com/zan8in/afrog CVE、CNVD、默认口令、信息泄露、指纹识别、未授权访问、任意文件读取、命令执行\n- [ ] woodpecker https://github.com/Ciyfly/woodpecker\n- [x] xray-poc-scan-engine https://github.com/h1iba1/xray-poc-scan-engine\n- [x] pocassist https://github.com/jweny/pocassist 可视化编辑导入和运行\n- [ ] Aopo https://github.com/ExpLangcn/Aopo\n- [x] SpringExploit https://github.com/SummerSec/SpringExploit\n- [ ] fscanpoc补充 https://github.com/chaosec2021/fscan-POC\n\n\n# TODO 动态更新\n- [ ] 从fofa中自动扫描搜集资产补充到扫描结果\n- [ ] 支持自定义header来进行host碰撞等\n- [ ] 完善代理功能\n- [ ] 加进度条\n- [ ] 支持xrayV2, 本来想参考pocV, 不过不太稳定, 暂时先用fscan的v1版本\n- [ ] 弱口令自动生成, 根据前缀、后缀、已获得信息等来动态补充爆破的字典\n- [ ] 常见Spring漏洞的自动利用\n- [ ] 简单的web登录服务自动探测接口及参数实现爆破\n- [ ] ...\n\n# 免责声明\n本工具仅面向合法授权的企业安全建设行为，如您需要测试本工具的可用性，请自行搭建靶机环境。\n为避免被恶意使用，本项目所有收录的poc均为漏洞的理论判断，不存在漏洞利用过程，不会对目标发起真实攻击和漏洞利用。\n在使用本工具进行检测时，您应确保该行为符合当地的法律法规，并且已经取得了足够的授权。请勿对非授权目标进行扫描。\n如您在使用本工具的过程中存在任何非法行为，您需自行承担相应后果，我们将不承担任何法律及连带责任。\n\n\n\n# Stargazers over time\n## 访问\n![Visitor Count](https://profile-counter.glitch.me/u21h2-nacs/count.svg)\n## Star\n[![Stargazers over time](https://starchart.cc/u21h2/nacs.svg)](https://starchart.cc/u21h2/nacs)\n","funding_links":[],"categories":["LLM分析过程","Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fu21h2%2Fnacs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fu21h2%2Fnacs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fu21h2%2Fnacs/lists"}