Add support for network interface selection

[edermi]

Hi,

it would be great to have a command switch to specify which interface gobuster uses for scanning.

[OJ]

Not a bad idea. I shall look into it.

[0xdevalias]

https://stackoverflow.com/questions/44571331/specify-network-interface-for-http-request-in-golang

Go's http.Client makes requests using a http.RoundTripper. This, in turn, uses a net.Dialer to establish the outbound network connections. net.Dialer has a field LocalAddr which specifies the local address from which the connections will be made. You can use your own Client, with your own RoundTripper, with your own net.Dialer, specifying the LocalAddr you want to use. You can see how each of these is instantiated in the stdlib code linked from the documentation, and copy the mechanisms used to create the default instances to maintain default behavior while overriding the LocalAddr as needed.

[firefart]

Is there any benefit on doing this in code? I think this should be rather done on the OS level using routes to keep things simple

[hlein]

Is there any benefit on doing this in code? I think this should be rather done on the OS level using routes to keep things simple

Sure. Suppose you have a scanning box w/multiple IPs. You are scanning some target that might have active defenses (https://github.com/fail2ban/fail2ban, etc.) and don't want to get yourself blocked during an enumeration run. gobuster -S or gobuster --interface while doing other things from other source IPs concurrently.

Another similar case would be if you have multiple IPs you can rotate requests through. Say a host will block after 10 404s in 3 minutes. Combine a pool of source IPs (obvs this requires a more complicated implementation than just "set my source") with --delay in order to maximize throughput without getting blocked.

You could achieve much the same with iptables rules, but that'd be quite cumbersome, require root to update, etc.

[firefart]

@hlein @edermi @0xdevalias I added a first try on the dev branch to specify either the interface name or the ip directly. Would be great if you can try it out (go install github.com/OJ/gobuster/v3@dev)

[hlein]

@hlein @edermi @0xdevalias I added a first try on the dev branch to specify either the interface name or the ip directly. Would be great if you can try it out (go install github.com/OJ/gobuster/v3@dev)

Thank you! Hm, I see --local-ip, --interface, --iface options now. But... when I add another IP to eth0 and use --local-ip otherip, the requests still originate from my default IP on that interface.

[firefart]

@hlein ok I thanks I will try to reproduce it. Seems like it's not that easy like described in the stack overflow article :D

[firefart]

@hlein sorry for the delay, could you please try again with the latest dev version? I currently have no VPS available that supports multiple public ipv4s per machine to test this properly. The options are --iface and --local-ip