Historical Tracking in GoScan

Recently I’ve been reading the great “The Hacker Playbook 3” from Peter Kim.

In Chapter 2 (“Red Team Recon”) a Lab exercise challenges readers to build a better network diff scanner, able to continuously monitor the target’s network over time. In particular, Peter suggested to implement the following features:

  1. Build a better port list than the default nmap
  2. Keep historical tracking of ports
  3. Implement nmap banners
  4. Build email slerting/notification system

Reading this made me think that I already developed a framework able to deal with a similar situation: GoScan.

Point 1 was already implemented, point 3 was already in my todo-list, but point 2 caught my eye as a potential nice addition to GoScan. I left point 4 for the future as alerting is not something I need right now.

In the end, it was pretty straightfoward to extend GoScan to provide support for an historical tracking of ports, which I’ve now released in V1.3.

Example

Let’s perform a quick portscan on a sample host:

As you can see different ports have been found as open. Now, let’s stop the webserver running on port 80 and run another scan. You’ll be notified a port is not open anymore:

You will still have the entire history tracked in the supporting databse, but the CLI will only report the more recent information collected for every host.

GoScan can be found on Github: https://github.com/marco-lancini/goscan.