l9tcpid takes hosts (by IP) from stdin in l9format (try ip4scout as input?) and identifies the socket protocol and capabilities.
This software is an open-source security scanning tool provided "as is," without any warranty of any kind, express or implied. The developers and contributors of this project disclaim all liability and responsibility for any damage, direct or indirect, resulting from the use or misuse of this software.
This tool is intended for security professionals, researchers, and system administrators to identify vulnerabilities and assess the security posture of systems that they own or have explicit, written permission to test.
By downloading, installing, or using this software, you agree to the following terms:
- Authorization is Required: You will only use this tool to scan networks, applications, and systems for which you have obtained prior, explicit, and verifiable authorization from the system owner.
- Legal Compliance: You will use this software in strict compliance with all applicable local, state, national, and international laws and regulations.
- No Malicious Intent: You will not use this software for any malicious or illegal purposes, including but not limited to, unauthorized access, data exfiltration, disruption of services, or any other activity that could be considered a cybercrime.
Unauthorized scanning of computer systems is illegal and can lead to severe civil and criminal penalties. The developers and contributors of this project do not condone any illegal use of this software and will not be held responsible for your actions.
Your use of this software is your own responsibility and at your own risk. If you do not agree to these terms, you are not permitted to use this software.
- Identifies SSL/TLS connection and details connection + certificate state
- Grabs the JARM fingerprint (including on connections upgraded via STARTTLS/AUTH TLS)
- Gets a banner
- Tries to identify protocol from that banner
- Provides detailed HTTP application information
- TODO: defaults to default port/software mapping
▶ l9tcpid service -h
Displays help for the service command (only implementation atm)
| Flag | Description |
|---|---|
| --deep-http | Runs additional http checks to identify the software and populates the http event |
| --max-threads | Maximum number of threads used for identification |
| --debug | Prints developer information for now |
The installation is easy. You can download the pre-built binaries for your platform from the Releases page.
▶ chmod +x l9tcpid-linux-64
▶ mv l9tcpid-linux-64 /usr/local/bin/l9tcpid

▶ GO111MODULE=on go get -u -v github.com/LeakIX/l9tcpid/cmd/l9tcpid
▶ ${GOPATH}/bin/l9tcpid service -h

l9tcpid speaks l9format. l9filter can be used to manage input/output from this module.
▶ ip4scout random -r 10000 -p 3306|l9tcpid service --max-threads=100|l9filter transform -i l9 -o human
IP: 163.197.193.175, PORT:3306, PROTO:mysql, SSL:false
mysql_native_password
Raw connection:
00000000 4e 00 00 00 0a 35 2e 35 2e 36 32 2d 6c 6f 67 00 |N....5.5.62-log.|
....
IP: 103.57.220.151, PORT:3306, PROTO:mysql, SSL:false
mysql_native_password
Raw connection:
00000000 65 00 00 00 0a 35 2e 35 2e 35 2d 31 30 2e 33 2e |e....5.5.5-10.3.|
...
IP: 45.150.6.240, PORT:3306, PROTO:http, SSL:false
HTTP/1.1 400 Bad Request
Server: squid/4.10
.....
Raw connection:
00000000 48 54 54 50 2f 31 2e 31 20 34 30 30 20 42 61 64 |HTTP/1.1 400 Bad|

▶ masscan --rate 100000 -p1-65535 192.168.1.0/24|l9filter transform -i masscan -o l9|l9tcpid service --max-threads=10

▶ nmap 192.168.1.0/24 -p80 -T insane -oG -|l9filter transform -i nmap -o l9|l9tcpid service --max-threads=100|l9filter transform -i l9 -o human

One can also use JQ to filter results:
▶ ./ip4scout random -r 10000 -p 443,587,21|./l9tcpid service --max-threads=100 |tee services.json|jq -c 'select(.ssl.certificate.domain != null)'|jq -r '.ssl.certificate.domain[]'
- Scan random hosts on ports 443, 587 and 21
- Try to connect to the ones that answered with SYN-ACK and upgrade to SSL if possible
- Tee the output to services.json for later usage
- JQ to select services with domains in their SSL certificate
- Display domains
This single command provides a continuous stream of random domains and subdomains found in certs over HTTP, FTP and SMTP connections.
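
The jq filter above keeps only events whose certificate lists domains. As an added example (not part of the l9tcpid project), the same selection run over the saved services.json in Python, grouping unique names per service and tolerating truncated lines. Only the `.ssl.certificate.domain` path comes from this page; the `ip` and `port` key names and every sample event are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample of services.json (one JSON event per line). Only the
# .ssl.certificate.domain path comes from the README; "ip" and "port" are
# assumed key names, and all addresses are documentation ranges.
SAMPLE = """\
{"ip": "192.0.2.10", "port": "443", "ssl": {"certificate": {"domain": ["www.example.com", "example.com"]}}}
{"ip": "192.0.2.10", "port": "443", "ssl": {"certificate": {"domain": ["WWW.example.com."]}}}
{"ip": "192.0.2.25", "port": "587", "ssl": {"certificate": {"domain": null}}}
{"ip": "198.51.100.7", "port": "21", "ssl": {"certificate": {"domain": ["*.ftp.example.org"]}}}
{"ip": "198.51.100.9", "port": "443"}
{"ip": "198.51.100.9", "port": "44
"""


def domains_by_service(lines):
    """Return ({"ip:port": sorted unique cert domains}, skipped_line_count)."""
    found = defaultdict(set)
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("event is not a JSON object")
        except ValueError:  # JSONDecodeError is a ValueError subclass
            skipped += 1    # e.g. a line cut short while tee was writing
            continue
        # Same selection as jq 'select(.ssl.certificate.domain != null)',
        # but a missing "ssl" or "certificate" object is tolerated too.
        cert = (event.get("ssl") or {}).get("certificate") or {}
        key = f'{event.get("ip")}:{event.get("port")}'
        for name in cert.get("domain") or []:
            # DNS names are case-insensitive; drop a trailing root dot.
            found[key].add(name.lower().rstrip("."))
    return {k: sorted(v) for k, v in found.items()}, skipped


if __name__ == "__main__":
    services, skipped = domains_by_service(SAMPLE.splitlines())
    for service, names in services.items():
        print(service, ", ".join(names))
    print(f"skipped {skipped} malformed line(s)")
```

To process a real capture, pass an open file handle for services.json in place of `SAMPLE.splitlines()`.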
- hdmoore & RumbleDiscovery (Golang JARM library)