l9tcpid takes hosts ( by IP ) from stdin in l9format ( try ip4scout as input ? ) and identifies the socket protocol and capabilities :
- Identifies SSL/TLS connection and details connection + certificate state
- Grab JARM fingerprint ( including upgraded connection from STARTTLS/AUTH TLS )
- Gets a banner
- Tries to identify protocol from that banner
- Provides detailed HTTP application information
- TODO: defaults to default port/software mapping
▶ l9tcpid service -h
Displays help for the service command (only implementation atm)
Flag | Description |
---|---|
--deep-http | Runs additional http checks to identify the software and populates the http event |
--max-threads | Maximum number of threads used for identification |
--debug | Prints developer information for now |
The installation is easy. You can download the pre-built binaries for your platform from the Releases page.
▶ chmod +x l9tcpid-linux-64
▶ mv l9tcpid-linux-64 /usr/local/bin/l9tcpid
▶ GO111MODULE=on go get -u -v github.com/LeakIX/l9tcpid/cmd/l9tcpid
▶ ${GOPATH}/bin/l9tcpid service -h
l9tcpid speaks l9format. l9filter can be used to manage input/output from this module.
▶ ip4scout random -r 10000 -p 3306|l9tcpid service --max-threads=100|l9filter transform -i l9 -o human
IP: 163.197.193.175, PORT:3306, PROTO:mysql, SSL:false
mysql_native_password
Raw connection:
00000000 4e 00 00 00 0a 35 2e 35 2e 36 32 2d 6c 6f 67 00 |N....5.5.62-log.|
....
IP: 103.57.220.151, PORT:3306, PROTO:mysql, SSL:false
mysql_native_password
Raw connection:
00000000 65 00 00 00 0a 35 2e 35 2e 35 2d 31 30 2e 33 2e |e....5.5.5-10.3.|
...
IP: 45.150.6.240, PORT:3306, PROTO:http, SSL:false
HTTP/1.1 400 Bad Request
Server: squid/4.10
.....
Raw connection:
00000000 48 54 54 50 2f 31 2e 31 20 34 30 30 20 42 61 64 |HTTP/1.1 400 Bad|
▶ masscan --rate 100000 -p1-65535 192.168.1.0/24|l9filter transform -i masscan -o l9|l9tcpid service --max-threads=10
▶ nmap 192.168.1.0/24 -p80 -T insane -oG -|l9filter transform -i nmap -o l9|l9tcpid service --max-threads=100|l9filter transform -i l9 -o human
One can also use JQ to filter results :
▶ ./ip4scout random -r 10000 -p 443,587,21|./l9tcpid service --max-threads=100 |tee services.json|jq -c 'select(.ssl.certificate.domain != null)'|jq -r '.ssl.certificate.domain[]'
- Scan random host on port 443,587 and 21
- Try to connect to synack ones and upgrade to SSL if possible
- Tee the output to services.json for later usage
- JQ to select services with domains in their SSL certificate
- Display domains
This single command provides a continuous flux of random domains and subdomains found in certs over HTTP, FTP and SMTP connections.
- hdmoore & RumbleDiscovery (Golang JARM library)