Scan an internal /24 from inside a Conquest agent without spawning a new process
Sweep nmap top 1000 ports against a list of hostnames during a red team engagement
Tune socket pool size and WSAPoll timeout for stealthier internet-facing scans
Add an asyncscan command to a Conquest operator console via the bundled Python module
Only useful inside the Conquest C2 framework, which must be installed and have an active agent on a target host.
AsyncScan is a small piece of offensive security tooling, written in C, that adds a port scanner to a red team operator's toolbox. It is shipped as what the security community calls a BOF, which stands for Beacon Object File. A BOF is a small program that loads into the memory of an existing agent running on a target machine and runs there, rather than being a separate executable. The agent in this case is the one provided by an open source command and control framework called Conquest, written by the same author. Conquest is required because the scanner depends on its ability to load object files asynchronously, which lets the scan run in the background without freezing the agent.

The scanner accepts one or more targets and one or more ports. Targets can be plain IP addresses, hostnames, hyphen-separated IP ranges, or CIDR network blocks like 192.168.1.0/24. Ports can be individual numbers or ranges, and if no port list is given the scanner uses nmap's well-known list of the top one thousand ports.

Under the hood the scan keeps a pool of non-blocking TCP sockets. For each target and port pair it calls the operating system's address resolution function, then fires a connect attempt without waiting for the result. A polling call called WSAPoll waits up to a configurable timeout for any of those sockets to respond, and the result tells the scanner whether the port is open or closed. The pool size and timeout are tunable so the operator can scan faster on a local network or more carefully across the internet.

In verbose mode each open port is reported as soon as it is found, and a built-in function called BeaconWakeup nudges the agent so the result reaches the operator without waiting for the next scheduled check-in. After all ports have been tried the scanner prints a final summary grouped by host.

The repository also ships a Python module that registers an asyncscan command inside Conquest, and the project is built with a simple make command after cloning.
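Because the scan runs inside an existing process, detection has to key on connection fan-out per process rather than on a new scanner binary. The sketch below is an added example, not code from the AsyncScan repository or Conquest; it assumes a host sensor that emits one record per outbound TCP connection attempt, and the record layout, process names, addresses and thresholds are all constructed.

```python
from collections import defaultdict, deque

def make_sample():
    """Constructed records: (epoch_seconds, pid, image, dst_ip, dst_port)."""
    events, t = [], 1000.0
    # pid 4120: one long-lived process touching 60 ports on each of 2 hosts
    for host in ("10.0.5.10", "10.0.5.11"):
        for port in range(1, 61):
            events.append((t, 4120, "updater.exe", host, port))
            t += 0.2
    # pid 880: many connections, but always to the same destination
    for i in range(120):
        events.append((1000.0 + i * 0.2, 880, "browser.exe", "203.0.113.7", 443))
    return sorted(events)

def detect_fanout(events, window=60.0, min_pairs=100):
    """Flag pids that reach min_pairs distinct (ip, port) pairs within window.

    Returns {pid: (image, peak distinct pairs seen in any window)}.
    """
    recent = defaultdict(deque)                      # pid -> (ts, pair) in window
    counts = defaultdict(lambda: defaultdict(int))   # pid -> pair -> occurrences
    flagged = {}
    for ts, pid, image, ip, port in events:
        q, c = recent[pid], counts[pid]
        q.append((ts, (ip, port)))
        c[(ip, port)] += 1
        # Expire records that fell out of the sliding window
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= min_pairs:
            peak = flagged.get(pid, (image, 0))[1]
            flagged[pid] = (image, max(peak, len(c)))
    return flagged

if __name__ == "__main__":
    for pid, (image, peak) in detect_fanout(make_sample()).items():
        print(f"pid {pid} ({image}): {peak} distinct destinations in window")
```

Counting distinct destination pairs over a long window, rather than connections per second, keeps the rule meaningful when the pool size and timeout are tuned to slow the scan down.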
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.