redhoundinfosec/portdiff

GitHub: redhoundinfosec/portdiff

A command-line tool for comparing nmap or masscan scan results and detecting changes in the network attack surface.

Stars: 0 | Forks: 0

# portdiff

**Compare network scan results and detect attack surface changes.**

`portdiff` is a single-binary, cross-platform CLI tool that compares two [nmap](https://nmap.org) or [masscan](https://github.com/robertdavidgraham/masscan) scan results and produces a clear, actionable diff report showing added hosts, removed hosts, added/removed ports and changed services.

Built for defenders, security teams, penetration testers and compliance teams that track infrastructure drift.

## Why portdiff?

- **nmap's `ndiff`** dates from the Python 2 era, is unmaintained, and produces poor output
- **No single-binary**, cross-platform tool does scan diffing well
- **None of the existing tools** emit a structured JSON diff or integrate cleanly into automation pipelines
- `portdiff` has **zero dependencies**, runs on any platform Go supports, and returns meaningful exit codes for scripting

## Installation

### Pre-built binaries

Download from the [Releases](https://github.com/redhoundinfosec/portdiff/releases) page.

### Build from source

```
git clone https://github.com/redhoundinfosec/portdiff
cd portdiff
make build
# binary: ./portdiff
```

### Go install

```
go install github.com/redhoundinfosec/portdiff/cmd/portdiff@latest
```

## Quick start

```
# Compare two nmap scans
portdiff diff scan-before.xml scan-after.xml

# JSON output for automation
portdiff diff scan-before.xml scan-after.xml -f json

# Show only new hosts and ports (less noise)
portdiff diff scan-before.xml scan-after.xml --only-new

# Ignore ephemeral/noisy ports
portdiff diff scan-before.xml scan-after.xml --ignore-ports 8080,8443

# Summarize a single scan
portdiff summary scan-before.xml

# Write the report to a file
portdiff diff baseline.xml current.xml -f json -o report.json
```

## Commands

### `portdiff diff`

Compare two scan files and show what changed.

```
Flags:
  -f, --format string        Output format: text, json, csv (default: text)
  -o, --output string        Write output to file (default: stdout)
      --only-new             Show only new hosts and ports
      --ignore-ports string  Comma-separated ports to ignore (e.g. 80,443)
      --no-color             Disable colored output
  -q, --quiet                Suppress output; use exit code only
  -v, --verbose              Show all details including unchanged hosts/ports
```

### `portdiff summary`

Summarize a single scan file: hosts, ports, services.

```
Flags:
  -f, --format string   Output format: text, json, csv (default: text)
  -o, --output string   Write output to file
      --no-color        Disable colors
  -q, --quiet           Suppress output
```

### `portdiff version`

Print version and license information.

## Supported input formats

`portdiff` auto-detects the format of each input file.

| Format | Scanner Flag | Notes |
|--------|-------------|-------|
| nmap XML | `nmap -oX` | Recommended: richest data |
| nmap grepable | `nmap -oG` | Supported |
| masscan JSON | `masscan -oJ` | Supported |

## Example output

```
portdiff v0.1.0 — Scan Comparison

Baseline: scan-before.xml (3 hosts, 6 ports)
Current:  scan-after.xml (3 hosts, 7 ports)

NEW HOSTS
  ● 192.168.1.30 (newserver.internal)
    ├─ 139/tcp open netbios-ssn [CRITICAL]
    └─ 445/tcp open microsoft-ds [CRITICAL]

REMOVED HOSTS
  ○ 192.168.1.20 (dbserver.internal)
    ├─ 22/tcp was open ssh
    └─ 3306/tcp was open mysql

CHANGED HOSTS
  △ 192.168.1.1 (gateway.internal)
    + 3389/tcp open ms-wbt-server [CRITICAL] new port
    ~ 80/tcp open http [WARNING] Apache httpd 2.4.41 → Apache httpd 2.4.52

UNCHANGED HOSTS
  192.168.1.10 (2 port(s), no changes)

Summary: 1 new host(s), 1 removed host(s), 1 changed host(s), 1 unchanged
Critical: 3 | Warning: 1 | Info: 0
```

## JSON output

```
portdiff diff scan-before.xml scan-after.xml -f json
```

```
{
  "portdiff_version": "0.1.0",
  "baseline": {
    "source": "scan-before.xml",
    "format": "nmap-xml",
    "hosts": 3,
    "open_ports": 6
  },
  "current": {
    "source": "scan-after.xml",
    "format": "nmap-xml",
    "hosts": 3,
    "open_ports": 7
  },
  "hosts": [
    {
      "ip": "192.168.1.1",
      "hostname": "gateway.internal",
      "change": "changed_host",
      "severity": "CRITICAL",
      "port_changes": [
        {
          "port": "3389",
          "protocol": "tcp",
          "state": "open",
          "service": "ms-wbt-server",
          "change": "new_port",
          "severity": "CRITICAL"
        },
        {
          "port": "80",
          "protocol": "tcp",
          "state": "open",
          "service": "http",
          "change": "changed_port",
          "severity": "WARNING",
          "old_version": "Apache httpd 2.4.41",
          "product": "Apache httpd",
          "version": "2.4.52"
        }
      ]
    }
  ],
  "summary": {
    "new_hosts": 1,
    "removed_hosts": 1,
    "changed_hosts": 1,
    "unchanged_hosts": 1,
    "new_ports": 3,
    "removed_ports": 2,
    "changed_ports": 1,
    "critical": 3,
    "warning": 1,
    "info": 0,
    "has_changes": true
  }
}
```

## Severity classification

| Level | Triggers |
|-------|----------|
| **CRITICAL** | New port from the high-risk set: 21, 22, 23, 25, 53, 139, 445, 1433, 1521, 3306, 3389, 5432, 5900, 6379, 8080, 9200, 11211, 27017 |
| **WARNING** | Service version changed; new port (not high-risk); host removed |
| **INFO** | Port removed; no changes |

## Exit codes

| Code | Meaning |
|------|---------|
| `0` | No changes detected |
| `1` | Changes detected |
| `2` | Error (parse failure, bad arguments, etc.) |

This makes `portdiff` easy to use in CI pipelines:

```
portdiff diff baseline.xml current.xml -q
if [ $? -eq 1 ]; then
  echo "Attack surface changed!"
  portdiff diff baseline.xml current.xml -f json -o report.json
fi
```

## Workflow examples

### Continuous monitoring

```
# Daily scan
nmap -sV -oX /scans/$(date +%F).xml 10.0.0.0/24

# Diff against yesterday
portdiff diff /scans/$(date -d yesterday +%F).xml /scans/$(date +%F).xml
```

### Before/after comparison in a penetration test

```
# Before exploitation
nmap -sV -oX before-exploit.xml 192.168.1.0/24

# After lateral movement
nmap -sV -oX after-exploit.xml 192.168.1.0/24

# What changed?
portdiff diff before-exploit.xml after-exploit.xml --only-new
```

### CI/CD pipeline gate

```
- name: Scan production
  run: nmap -sV -oX current.xml $PROD_RANGE

- name: Check for attack surface drift
  run: |
    portdiff diff baseline.xml current.xml -q
    if [ $? -ne 0 ]; then
      portdiff diff baseline.xml current.xml -f json -o drift-report.json
      exit 1
    fi
```

### masscan integration

```
# Fast scan with masscan
masscan -p1-65535 10.0.0.0/24 --rate 1000 -oJ masscan-current.json

# Diff against the previous masscan result
portdiff diff masscan-previous.json masscan-current.json
```

## Architecture

```
portdiff/
├── cmd/portdiff/main.go       Entry point
├── internal/
│   ├── parser/                Scan file parsers + data model
│   │   ├── parser.go          Common types (Host, Port, ScanResult)
│   │   ├── nmap_xml.go        nmap -oX parser
│   │   ├── nmap_grep.go       nmap -oG parser
│   │   ├── masscan.go         masscan -oJ parser
│   │   └── detect.go          Auto-format detection
│   ├── diff/                  Diff engine
│   │   ├── diff.go            Core comparison logic
│   │   └── severity.go        Severity classification rules
│   └── output/                Output formatters
│       └── output.go          Text, JSON, CSV renderers
└── examples/                  Sample scan files
```

## Building

```
make build     # Build for current platform
make test      # Run all tests
make release   # Cross-compile for Linux, macOS, Windows
make clean     # Remove build artifacts
make lint      # Run go vet
```

## Contributing

See [CONTRIBUTING.md](CONTRIBUTING.md).

## License

MIT. See [LICENSE](LICENSE) for details.

Copyright 2026 Red Hound Information Security LLC.
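The diff engine and severity table described above, as an added example that is not portdiff's own code: it assumes the two scans have already been reduced by the parser layer to a map of ip -> "port/proto" -> service version (the `Scan` type and the `Before`/`After` sample data are constructed here), applies the README's CRITICAL/WARNING/INFO rules to every change, and sorts the report so the output is stable across runs.

```go
// Added example, not portdiff's own code: the README's diff and severity rules applied to two
// scans already reduced to ip -> "port/proto" -> version (the parser layer's job in portdiff).
package main

import (
	"fmt"
	"sort"
	"strings"
)
// Scan maps ip -> "port/proto" -> service version ("" when unknown).
type Scan map[string]map[string]string
// highRisk is the README's CRITICAL port list, space-delimited so " "+port+" " can be searched.
const highRisk = " 21 22 23 25 53 139 445 1433 1521 3306 3389 5432 5900 6379 8080 9200 11211 27017 "
// Before and After are constructed sample scans mirroring the README's example output.
var Before = Scan{"192.168.1.1": {"80/tcp": "2.4.41"}, "192.168.1.20": {"22/tcp": "", "3306/tcp": ""}}
var After = Scan{"192.168.1.1": {"80/tcp": "2.4.52", "3389/tcp": ""}, "192.168.1.30": {"445/tcp": ""}}

// Diff returns sorted "ip port change SEVERITY" lines per the README: new high-risk port ->
// CRITICAL; other new port, version change or removed host -> WARNING; removed port -> INFO.
func Diff(baseline, current Scan) []string {
	var out []string
	note := func(ip, pp, what string) { out = append(out, ip+" "+pp+" "+what) }
	for ip, cur := range current {
		for pp, ver := range cur {
			old, had := baseline[ip][pp] // nil-map lookup is safe when the host is new
			switch {
			case !had && strings.Contains(highRisk, " "+strings.SplitN(pp, "/", 2)[0]+" "):
				note(ip, pp, "new_port CRITICAL")
			case !had:
				note(ip, pp, "new_port WARNING")
			case old != ver:
				note(ip, pp, "changed_port WARNING")
			}
		}
		for pp := range baseline[ip] {
			if _, still := cur[pp]; !still {
				note(ip, pp, "removed_port INFO")
			}
		}
	}
	for ip := range baseline {
		if _, still := current[ip]; !still {
			note(ip, "-", "removed_host WARNING")
		}
	}
	sort.Strings(out) // map iteration order is random; sort for a stable report
	return out
}

func main() { fmt.Println(strings.Join(Diff(Before, After), "\n")) }
```

A non-empty result corresponds to exit code 1 in the README's contract; an empty one to exit code 0.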