A portscanner BOF (COFF) that replicates Cobalt Strikes Port Scanning functionality including the wide variety of input parameters and provides the same amount of information as it's output.
A pingscanner BOF that perform an ICMP ping scan on target input.
For more information about design considerations and OPSEC notes, see the following blog.
To run the BOFs use the following commands:
portscan [targets] [ports]
pingscan [targets]
The following options are supported:
[targets]: a comma separated list of hosts to scan (hostnames and IPs supported). Additionally, you can specify any IPv4 ranges and CIDR (eg.192.168.1.128-192.168.2.240,192.168.1.0/24)[ports]: a comma separated list of ports to scan (eg. "53,80,443,8000-8050")
CS already has a builtin portscan command so the BOF's command have been set to the following:
portscan_alt [targets] [ports]
pingscan [targets]
10/01/2025 03:05:49 [danielward] Demon » portscan "10.10.121.100-10.10.121.120,10.10.123.100-10.10.123.120,10.10.120.0-10.10.120.20" "22,139,445"
[*] [7DBE165A] Running port scan
[+] Send Task to Agent [31 bytes]
[+] Received Output [118 bytes]:
[.] portscanner: Scanning 10.10.121.100-10.10.121.120,10.10.123.100-10.10.123.120,10.10.120.0-10.10.120.20 22,139,445
[+] Received Output [948 bytes]:
10.10.121.107:139
10.10.121.107:445 (platform: 500 version: 10.0 name: WS02 domain: RLAB)
10.10.121.108:139
10.10.121.108:445 (platform: 500 version: 10.0 name: WS06 domain: RLAB)
10.10.121.112:139
10.10.121.112:445 (platform: 500 version: 10.0 name: WS01 domain: RLAB)
10.10.123.100:139
10.10.123.100:445 (platform: 500 version: 10.0 name: WS03 domain: RLAB)
10.10.123.101:139
10.10.123.101:445 (platform: 500 version: 10.0 name: WS04 domain: RLAB)
10.10.123.110:139
10.10.123.110:445 (platform: 500 version: 10.0 name: WS05 domain: RLAB)
10.10.120.1:139
10.10.120.1:445 (platform: 500 version: 10.0 name: DC01 domain: RLAB)
10.10.120.5:139
10.10.120.5:445 (platform: 500 version: 10.0 name: FS01 domain: RLAB)
10.10.120.10:139
10.10.120.10:445 (platform: 500 version: 10.0 name: MX01 domain: RLAB)
10.10.120.15:139
10.10.120.15:445 (platform: 500 version: 10.0 name: SRV01 domain: RLAB)
10.10.120.20:22 (SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11)
[*] BOF execution completed
10/01/2025 03:02:42 [danielward] Demon » pingscan 10.10.121.100-10.10.121.120
[*] [51273B8E] Running ping scan
[+] Send Task to Agent [31 bytes]
[+] Received Output [60 bytes]:
[.] Attempting to ping targets: 10.10.121.100-10.10.121.120
[+] Received Output [157 bytes]:
Reply from 10.10.121.107: bytes=32 time=16ms TTL=128
Reply from 10.10.121.108: bytes=32 time=0ms TTL=128
Reply from 10.10.121.112: bytes=32 time=2ms TTL=128
[*] BOF execution completed
- Havoc:
havoc-portscan.py - Cobalt strike:
portscan.cna - Any C2 that can run a BOF (COFF)
make
The timeouts have been #defined in the portscanner bof. Additionally, the number of concurrent sockets is also defined in portscanner.c
Some OPSEC considerations have been incorporated into the tool. Nevertheless, needs further improvements, test in a Lab environment before using in PROD.
-
SMB enumeration is loud: Calling
NetWkstaGetInfoon port 445 generates Windows event logs (Security/System). Future improvement will make this optional via a flag. -
DNS resolution via
getaddrinfo: Hostname lookups use system DNS, which may be logged/monitored. Future improvements will make it an option to skip DNS. -
Hardcoded timeouts: The
CONN_TIMEOUT(100ms) andREAD_TIMEOUT(500ms) are quite aggressive and may cause detection. Future improvement...
-
Randomize port order: Sequential port scanning is easily fingerprinted by IDS. Shuffling the port order would reduce detection.
-
Add jitter/delays: Option to add random delays between connection batches to avoid triggering rate-based detection.
-
TCP SYN scanning: Current
connect()scan completes the full handshake. Raw sockets (if available) could do SYN scanning for stealth. -
IPv6 support:
AF_INETis hardcoded everywhere. IPv6 targets won't work.