This page contains some examples to get your nray experience started quickly.
All examples assume that the binary is called nray, of course you have to adapt this to the name of your binary.
Unfortunately, due to a bug in the upstream project of the configuration parser, currently some options mustn’t be omitted. See this issue for more information. The following configuration has therefore all options listed, albeit most of them are disabled. The relevant settings are marked with a comment.
config.yaml) to contain the following:debug: false
listen: [8601] # Port to listen
host: "127.0.0.1" # host to listen (only localhost)
pools: 1 # Only use a single pool
TLS:
enabled: false
CA: "/path/to/ca.pem"
cert: "/path/to/servercert.pem"
key: "/path/to/servercert-key.pem"
forceClientAuth: false
considerClientPoolPreference: true
allowMultipleNodesPerHost: false
internal:
nodeExpiryTime: 30
nodeExpiryCheckInterval: 10
targetgenerator:
bufferSize: 5
standard:
enabled: true
targets: ["192.168.178.1/28"] # target network to scan
tcpports: ["top25"] # which TCP ports to scan
udpports: [] # don't scan UDP
blacklist: [] # no blacklist
maxHostsPerBatch: 20
maxTcpPortsPerBatch: 25
maxUdpPortsPerBatch: 25
certificatetransparency:
enabled: false
domainRegex: '^(www[.]).*([.]com)$'
tcpports: [top25]
udpports: [top25]
blacklist: []
maxHostsPerBatch: 150
maxTcpPortsPerBatch: 25
maxUdpPortsPerBatch: 25
ldap:
enabled: false
ldapSearchString: "(objectCategory=computer)"
baseDN: "dc=contoso,dc=com"
ldapAttribute: "dNSHostName"
ldapServer: ""
ldapPort: 636
insecure: false
ldapUser: ""
ldapPass: ""
tcpports: [top25]
udpports: [top25]
blacklist: []
maxHostsPerBatch: 5
maxTcpPortsPerBatch: 25
maxUdpPortsPerBatch: 25
scannerconfig:
workers: 250 # Run with 250 workers
ratelimit: "none" # No rate limit
tcp:
timeout: 2500ms # 2.5s TCP timeout
udp:
fast: false
defaultHexPayload: "\x6e\x72\x61\x79"
timeout: 2500ms
zgrab2:
enabledModules: []
ssh:
subscribePorts: ["tcp/22"]
timeout: 2500ms
ClientID: "SSH-2.0-Go-nray"
CollectUserAuth: true
http:
subscribeHTTPPorts: ["tcp/80", "tcp/8080", "tcp/8000"]
subscribeHTTPSPorts: ["tcp/443", "tcp/8443"]
timeout: 2500ms
method: "GET"
endpoint: "/"
userAgent: "nray"
retryHTTPS: true
maxRedirects: 2
events:
terminal:
enabled: true # print events to terminal
internal:
channelsize: 1000
json-file:
enabled: true # write events to file
filename: "nray-output.json" # filename
overwriteExisting: false
internal:
channelsize: 10000
synctimer: 10s
elasticsearch:
enabled: false
server: "elasticsearch.local"
useTLS: true
port: 443
internal:
indexname: "nray"
channelsize: 10000
committimer: 3
./nray server -c /path/to/config.yaml../nray node. If no server and port is specified, nodes always try to connect to localhost:8601 whereas other values can be injected at compile time or can be passed via -s <server> and -p <port> parameter.nray-output.jsonjq is an excellent command line JSON processor. It allows to view and query JSON documents and you may give it a shot for accessing the event file.
For live viewing, jq -C '<expr>' <outputfile> | less -R gives you scrollable, colorized output. During a scan, you can also tail -f <outputfile> | jq '<expr>'.
Here are some example queries to get you started:
jq '. | select(.result.port == 22)' <outputfile>
This includes TCP, UDP and ZGrab2 events.
jq '. | select(.result.portscan.port == 80 and .result.portscan.open == true and .result.portscan.scantype == "tcpconnect")' <outputfile>
Actually, the result.portscan.open can be omitted since closed ports do not generate events.
jq '. | select(.result.portscan.port == 80 and .result.portscan.open == true and .result.portscan.scantype == "tcpconnect") | .result.target' <outputfile>