github.com/shadow1ng/fscan @v2.1.3 sqlite

2,635 symbols 9,082 edges 261 files 1,653 documented · 63%
README

Fscan

Comprehensive intranet scanning tool for automated vulnerability assessment.

Version: 2.1.2

Features

Scanning

  • Host Discovery - ICMP/Ping alive detection, B/C segment statistics for large networks
  • Port Scanning - TCP connect scan, 133 built-in ports, port groups (web/db/service/all)
  • Service Detection - Smart protocol identification, 20+ service fingerprint matching
  • Web Detection - Website title, CMS fingerprint, web middleware, WAF/CDN detection (40+ signatures)

Brute Force

  • Password Cracking - 28 services (SSH/RDP/SMB/FTP/MySQL/MSSQL/Oracle/Redis, etc.)
  • Hash Authentication - NTLM Hash support (SMB/WMI)
  • SSH Key Login - Private key authentication
  • Smart Dictionary - 100+ common passwords, {user} variable substitution

Vulnerability Detection

  • Critical Vulns - MS17-010 (EternalBlue), SMBGhost (CVE-2020-0796)
  • Unauthorized Access - Redis/MongoDB/Memcached/Elasticsearch unauthorized detection
  • POC Scanning - Integrated web POC, Xray POC format support
  • DNSLog - DNSLog out-of-band detection

Exploitation

  • Redis Exploit - Write pubkey, crontab, webshell, master-slave RCE
  • MS17-010 Exploit - ShellCode injection, add user, execute commands
  • SSH Command Exec - Auto command execution after authentication

Local Modules

  • Info Gathering - System info, environment variables, DC info, NIC config
  • Credential Access - Memory dump (MiniDump), keylogger, registry export
  • Persistence - Systemd service, Windows service, scheduled tasks, startup, LD_PRELOAD
  • Reverse Shell - Forward shell, reverse shell, SOCKS5 proxy service
  • AV Detection - Identify installed security software
  • Trace Cleanup - Log cleaning tool

Input/Output

  • Target Input - IP/CIDR/domain/URL, batch file import
  • Exclusion Rules - Exclude specific hosts, ports
  • Output Formats - TXT/JSON/CSV multi-format output
  • Silent Mode - No banner, no progress bar, no color output

Network Control

  • Proxy Support - HTTP/SOCKS5 proxy, network interface binding
  • Rate Control - Rate limiting, max packet count control
  • Timeout Control - Port/Web/Global timeout independent config
  • Concurrency - Port scan threads, service scan threads independent config

Extensions

  • Web Management UI - Visual scan task management (build with -tags web)
  • Lab Environment - Built-in Docker lab for testing and learning
  • Plugin Architecture - Service/Web/Local plugins separated, easy to extend
  • Multi-language - Chinese/English interface (-lang zh/en)
  • Performance Stats - JSON format performance report (-perf)

v2.1.0 Changelog

This update includes 262 commits: 30 new features, 120 fixes, 54 refactors, 14 performance optimizations, 20 test enhancements.

Architecture Refactoring

  • Global Variable Elimination - Migrated to Config/State objects for better concurrency safety and testability
  • SMB Plugin Consolidation - Merged smb/smb2/smbghost/smbinfo into unified plugin with new smb_protocol.go
  • Service Probe Refactoring - Implemented Nmap-style fallback mechanism, optimized port fingerprint strategy
  • Output System Refactoring - TXT real-time flush + dual-write mechanism, resolved result loss and ordering issues
  • i18n Framework Upgrade - Migrated to go-i18n, full coverage of core/plugins/webscan modules
  • HostInfo Refactoring - Ports field changed from string to int for type safety
  • Function Complexity Optimization - clusterpoc (125→30), EnhancedPortScan (111→20)
  • Code Audit - Fixed P0-P2 level issues, cleaned up dead code
  • Logging System Optimization - LogDebug call cleanup (71→18), streamlined startup log output

Performance Optimization

  • Regex Precompilation - Global regex precompilation to avoid repeated compilation overhead
  • Memory Optimization - Changed map[string]bool to map[string]struct{} for memory savings
  • Concurrent Fingerprint Matching - Multi-goroutine parallel matching for faster identification
  • Connection Reuse - SOCKS5 global dialer reuse to avoid repeated handshakes
  • Sliding Window Scheduling - Adaptive thread pool + streaming iterator for port scan optimization
  • CEL Cache Optimization - POC scan CEL environment caching to reduce repeated initialization
  • Package-level Variable Extraction - proxyFailurePatterns/resourceExhaustedPatterns/sslSecondProbes etc.
  • Capacity Pre-allocation - Simplified conversion chains, single-pass string replacement
  • Concurrency Safety Optimization - Optimized lock granularity and memory allocation

New Features

  • Web Management UI - Visual scan task management with responsive layout and progress display
  • Multi-format POC Adapter - Support for xray and afrog format POCs
  • Smart Scan Mode - Bloom filter deduplication + proxy optimization
  • Enhanced Fingerprint Library - Integrated FingerprintHub (3139 fingerprints)
  • Favicon Fingerprinting - Support for mmh3 and MD5 dual-format hash matching
  • Universal Version Extractor - Auto-extract service version information
  • Fingerprint Priority Sorting - Smart sorting of match results
  • Smart Protocol Detection - Auto-detect HTTP/HTTPS protocol type
  • Network Interface Binding - Support for VPN scenarios (-iface parameter)
  • Exclude Hosts File - Read excluded hosts from file (-ehf parameter)
  • ICMP Token Bucket Rate Limiting - Prevent router crashes from high-speed scanning
  • Port Scan Retry - Automatic retry mechanism for failed scans
  • RDP Real Authentication - Integrated grdp library for system fingerprinting
  • SMB/FTP File Listing - Auto-list files on anonymous access
  • 302 Redirect Dual Detection - Identify fingerprints from both original and redirected responses
  • TXT Output URL Summary - Append web service URL list for batch testing
  • gonmap Core Integration - Three improvements: probe strategy/matching engine/version parsing
  • Selective Plugin Compilation - Build Tags system for independent service/local/web plugin compilation
  • Default Port Expansion - Extended from 62 to 133 common ports
  • Full Port Scan Support - Expanded port range limits
  • HTTP Redirect Control - Configurable redirect count limit
  • Performance Profiling Support - Added pprof profiling and benchmark tests
  • TCP Packet Statistics - Service plugins support TCP packet send statistics
  • fscan-lab Environment - Intranet penetration training platform covering all vulnerability scenarios
  • Redis Exploitation Enhancement - Ported complete Redis exploitation (write pubkey/crontab/webshell/master-slave RCE)
  • rsync Plugin Refactoring - Restructured authentication logic using go-rsync library

Bug Fixes (120 items, key fixes listed)

  • RDP Null Pointer Panic - Fixed certificate parsing crash (#551)
  • Batch Scan Missing Results - Fixed large-scale scan omissions (#304)
  • JSON Output Format - Fixed output format errors (#446)
  • Redis Weak Password Detection - Fixed detection omissions (#447)
  • Real-time Result Saving - Fixed scan results not being saved promptly (#469)
  • Nmap Parse Overflow - Fixed octal escape parsing bug (#478)
  • Fingerprint Race Condition - Fixed webtitle/webpoc race issues (#474)
  • MySQL Connection Validation - Changed to information_schema for validation
  • Proxy Port Misjudgment - Fixed port status judgment in proxy mode
  • Context Timeout - Fixed 22 plugin timeout unresponsive issues
  • ICMP Race Condition - Fixed concurrent scan race issues
  • IPv6 Address Format - Fixed 4 address formatting issues
  • POC High Concurrency Hang - Fixed Context propagation issues
  • Ctrl+C Result Loss - Added signal handling for proper result saving
  • SOCKS5 Echo Issue - Added proxy connection validation
  • Service Probe Leak - Fixed connection not properly closed
  • webtitle Response Discard - Fixed partial response data being discarded causing identification failure
  • TXT Vulnerability Info Missing - Fixed output missing vulnerability details
  • JSON Fingerprint Missing - Unified SERVICE result Target format
  • Scan Duration Display - Fixed completion time showing as 0
  • False Vulnerability Records - Refactored TXT output system to eliminate false positives
  • Redis Cross-platform Path - Fixed exploitation path and timeout issues
  • Windows Compilation Warnings - Fixed fscan-lite platform compatibility
  • Go 1.20 Compatibility - Downgraded dependencies for compatibility

Test Enhancements (20 items)

  • Unit Tests - Core module coverage at 74-100%
  • Concurrency Safety Tests - Dedicated tests for State object and fingerprint matching engine
  • Integration Tests - Web scan/port scan/service probe/SSH auth/ICMP probe
  • CLI Parameter Tests - Command-line argument parsing verification
  • Performance Benchmarks - AdaptivePool and service probe strategy benchmarks
  • ResultBuffer Tests - Deduplication and completeness scoring verification

Engineering Improvements

  • CI Pipeline Optimization - Upgraded to golangci-lint v2, simplified build steps
  • Issue Automation - GitHub Issue template optimization, Project automation workflow
  • Full Lint Fixes - revive/errcheck/shadow/staticcheck/gosimple all passing
  • README Rewrite - Comprehensive Chinese and English documentation update
  • Code Format Unification - gofmt/goimports standardization

Quick Start

# Scan a C-class network
./fscan -h 192.168.1.1/24

# Specify ports
./fscan -h 192.168.1.1 -p 22,80,443,3389

# Alive detection only
./fscan -h 192.168.1.1/24 -ao

# Disable brute force
./fscan -h 192.168.1.1/24 -nobr

# Web scanning
./fscan -u http://192.168.1.1

# Local plugin
./fscan -local systeminfo

# Hash authentication
./fscan -h 192.168.1.1 -m smb2 -user admin -hash xxxxx

# Redis write pubkey
./fscan -h 192.168.1.1 -m redis -rf id_rsa.pub

Build

# Standard build
go build -ldflags="-s -w" -trimpath -o fscan main.go

# With Web UI
go build -tags web -ldflags="-s -w" -trimpath -o fscan main.go

Install

# Arch Linux
yay -S fscan-git

Screenshots

fscan.exe -h 192.168.x.x

fscan.exe -h 192.168.x.x -rf id_rsa.pub (Redis write pubkey)

fscan.exe -h 192.168.x.x -m ssh -user root -pwd password

fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080

fscan.exe -h 192.168.x.x -p 139 -m netbios

fscan.exe -h 192.0.0.0/8 -m icmp

Roadmap

Release Schedule

  • Release Cycle - Monthly release
  • First 2 Weeks - New features and enhancements
  • Last 2 Weeks - Bug fixes and code integration
  • PRs Welcome - Contributions are appreciated!

Plugin Ecosystem

  • Continuously expand service plugin coverage
  • Develop more vulnerability detection and exploitation capabilities for each service plugin
  • Maintain backward compatibility of plugin APIs to ensure legacy POCs remain functional

Fscan-lite

  • Lightweight version rewritten in C
  • Smaller binary size, fewer dependencies
  • Support for embedded/restricted environments
  • Directory: fscan-lite

Fscan-lab

  • Intranet penetration testing lab environment
  • Covers all vulnerability scenarios supported by fscan
  • Development testing and feature verification platform
  • Learning and practice environment for beginners
  • Directory: fscan-lab

Disclaimer

This tool is intended for legally authorized enterprise security testing only. Obtain proper authorization, comply with local laws, and do not scan unauthorized targets. The author assumes no liability for any illegal use.

404StarLink

fscan is a member of 404Team StarLink 2.0.

References

  • https://github.com/Adminisme/ServerScan
  • https://github.com/netxfly/x-crack
  • https://github.com/hack2fun/Gscan
  • https://github.com/k8gege/LadonGo
  • https://github.com/jjf012/gopoc
  • https://github.com/chainreactors/gogo
  • https://github.com/0x727/FingerprintHub
  • https://github.com/killmonday/fscanx

Extension points exported contracts — how you extend this code

  • Message (Interface) - no doc [15 implementers] - mylib/grdp/protocol/nla/ntlm.go
  • UniversalPoc (Interface) - UniversalPoc is the universal POC interface; every format must implement it [4 implementers] - webscan/lib/poc_adapter.go
  • Dialer (Interface) - Dialer is the dialer interface [4 implementers] - common/proxy/types.go
  • Writer (Interface) - Writer is the output writer interface [3 implementers] - common/output/types.go
  • SMBAuthenticator (Interface) - SMBAuthenticator is the unified authentication interface [2 implementers] - plugins/services/smb_protocol.go
  • ScanStrategy (Interface) - ScanStrategy defines the scan strategy interface [1 implementer] - core/scanner.go
  • Exploiter (Interface) - Exploiter is the exploitation interface [1 implementer] - plugins/init.go
  • ResultCallback (FuncType) - ResultCallback is the callback function type for scan results - common/callback.go

Core symbols most depended-on inside this repo

  • Write - called by 305 - common/output/types.go
  • Run - called by 285 - web/ws/hub.go
  • Error - called by 222 - common/logging/logger.go
  • Tr - called by 204 - common/i18n/i18n.go
  • Close - called by 187 - common/output/types.go
  • t - called by 156 - fscan-lab/frontend/src/contexts/I18nContext.tsx
  • GetText - called by 121 - common/i18n/i18n.go
  • Write - called by 103 - mylib/grdp/core/types.go

Shape

Function 1,174
Method 999
Struct 349
Interface 56
TypeAlias 51
FuncType 6

Languages

Go 96%
TypeScript 4%
Python 1%

Modules by API surface

mylib/grdp/protocol/pdu/data.go · 97 symbols
mylib/grdp/protocol/pdu/caps.go · 76 symbols
mylib/grdp/protocol/t125/gcc/gcc.go · 61 symbols
mylib/grdp/protocol/sec/sec.go · 55 symbols
webscan/lib/http.pb.go · 50 symbols
common/state.go · 43 symbols
common/output/writers.go · 42 symbols
common/parsers/parse_test.go · 40 symbols
mylib/grdp/protocol/t125/mcs.go · 35 symbols
common/progress_manager.go · 35 symbols
plugins/services/telnet.go · 34 symbols
plugins/services/smb_protocol.go · 34 symbols

Dependencies from manifests, versioned

filippo.io/edwards25519 v1.1.0 · 1×
github.com/Azure/go-ntlmssp v0.0.0-2022112819355 · 1×
github.com/IBM/sarama v1.43.3 · 1×
github.com/alexbrainman/sspi v0.0.0-2023101608002 · 1×
github.com/bytedance/sonic v1.11.2 · 1×
github.com/chenzhuoyu/base64x v0.0.0-2023071712174 · 1×
github.com/chenzhuoyu/iasm v0.9.1 · 1×
github.com/eapache/go-xerial-snappy v0.0.0-2023073122305 · 1×

Datastores touched

(mysql) Database · 1 repos
(mongodb) Database · 1 repos
postgres Database · 1 repos

For agents

$ claude mcp add fscan \
  -- python -m otcore.mcp_server <graph>
