Portscan CDN Detection #1970
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## dev #1970 +/- ##
======================================
+ Coverage 93% 93% +1%
======================================
Files 365 370 +5
Lines 27916 28326 +410
======================================
+ Hits 25723 26120 +397
- Misses 2193 2206 +13

@Sh4d0wHunt3rX @Luoooio, should this take into consideration all cloud providers (i.e. Google, Amazon) or only clear-cut CDNs like Cloudflare? There is a tradeoff, as including these will speed up scans but also increase the chance of missing stuff.

@TheTechromancer My approach was using my friend's tool: Then exclude any IP that belongs to these CDNs for port scanning.

@TheTechromancer In the current code, I noticed that you use cloudcheck to determine if it’s a cloud provider or CDN. I reviewed the code logic, and it adopts a fairly rigorous method for detection, making it quite accurate for known providers. I used a similar approach in my own tools but added CNAME checks and maintained a mapping of CDNs and CNAMEs (though it has since become outdated). Here's a small tip to share: I typically add two additional checks on top of this:
1. Checking if the CNAME contains a CDN-related string
2. If an IP has more than 10 open ports, I consider it not worth scanning further.
This helps me cut down a lot of noise. As for your question, my suggestion would be to add an option allowing users to decide for themselves, as different users have different needs.

Thanks guys; yeah right now we take both CNAMEs and IPs into consideration, and those lists are auto-updated daily. But for bigger cloud providers like Amazon, we don't distinguish between their CDN and the rest of their servers. This shouldn't be too hard to do, though. I think

This PR adds the option to ignore certain open ports if their host belongs to a CDN.
To use it, you set the option `modules.portscan.allowed_cdn_ports`:

Addresses #1967.

Congratulations @Sh4d0wHunt3rX, you win.
Exclude CDNs from Port Scan
If you want to exclude CDNs (e.g. Cloudflare) from port scanning, you can set the `allowed_cdn_ports` config option in the `portscan` module. For example, to allow only port 80 (HTTP) and 443 (HTTPS), you can do the following:

By default, if you set `allowed_cdn_ports`, it will skip only providers marked as CDNs. If you want to skip cloud providers as well, you can set `cdn_tags`:

...or via a preset:
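
The filtering rule this section describes, and the tradeoff raised earlier in the thread, as an added Python example that is not BBOT's own code. It assumes host tags of the form `cdn-<provider>` / `cloud-<provider>` and treats `cdn_tags` as a list of tag prefixes; the hostnames, tags and port lists are constructed sample data.

```python
# Added illustration, not BBOT's implementation.
# Assumption: hosts carry provider tags such as "cdn-cloudflare" or "cloud-amazon",
# and cdn_tags is a list of tag prefixes that mark a host as "filterable".

def is_cdn_host(tags, cdn_tags=("cdn-",)):
    """True if any host tag starts with one of the configured prefixes."""
    return any(tag.startswith(prefix) for tag in tags for prefix in cdn_tags)

def filter_open_ports(hosts, allowed_cdn_ports=None, cdn_tags=("cdn-",)):
    """
    hosts: {hostname: {"tags": set of str, "open_ports": set of int}}
    Returns (kept, dropped), each {hostname: sorted list of ports}.
    allowed_cdn_ports=None disables filtering, so every open port is kept.
    """
    allowed = None if allowed_cdn_ports is None else set(allowed_cdn_ports)
    kept, dropped = {}, {}
    for host, info in hosts.items():
        ports = set(info["open_ports"])
        if allowed is not None and is_cdn_host(info["tags"], cdn_tags):
            keep = ports & allowed      # CDN edge: only the allowed ports survive
        else:
            keep = ports                # not matched: report everything found
        kept[host] = sorted(keep)
        dropped[host] = sorted(ports - keep)
    return kept, dropped

# Constructed sample scan results (hypothetical hosts and tags).
SAMPLE = {
    "www.example.test": {"tags": {"cdn-cloudflare"},
                         "open_ports": {80, 443, 2052, 2053, 8080, 8443}},
    "api.example.test": {"tags": {"cloud-amazon"}, "open_ports": {22, 443}},
    "vpn.example.test": {"tags": set(), "open_ports": {443, 8443}},
}

if __name__ == "__main__":
    for prefixes in (("cdn-",), ("cdn-", "cloud-")):
        kept, dropped = filter_open_ports(SAMPLE, [80, 443], prefixes)
        print("cdn_tags =", prefixes)
        for host in SAMPLE:
            print(f"  {host}: kept={kept[host]} dropped={dropped[host]}")
```

Reviewing the `dropped` output before widening `cdn_tags` shows what is given up: with the `cloud-` prefix added, the SSH port on the cloud-hosted sample host is no longer reported.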