Information gathering: tool usage
- Layer
- Sublist3r
- subDomainsBrute
- whatweb
- dirbuster
- dirsearch
- Yujian (御剑)
- ffuf
- wafw00f
- Google hacking
- GitHub information leakage
Layer subdomain miner: subdomain enumeration
- Start the program.
- Enter the domain and the ports to scan on the left.
- To use a custom dictionary, name it dic.txt and put it in the same directory as the program; it is loaded automatically.
- Press the start button and wait.
- For each subdomain collected you can see the resolved IP, open ports, web server and status. Click a column header to sort the results.
- Right-click to open the site, copy the domain or IP, and so on; results can also be exported.
Sublist3r: subdomain enumeration
Download link: click here
- A subdomain discovery tool written in Python. It uses OSINT (open-source intelligence): its sources include Baidu, Yahoo, Google, Bing, Ask, Netcraft and others, and in addition it finds subdomains through SSL certificate lookups, DNS and brute-force enumeration.
- How the tool's code works: click here
- Show the help text
┌──(root㉿kali)-[/home/roott/桌面/st]
└─# python Sublist3r/sublist3r.py -h
usage: sublist3r.py [-h] -d DOMAIN [-b [BRUTEFORCE]] [-p PORTS] [-v [VERBOSE]] [-t THREADS] [-e ENGINES] [-o OUTPUT] [-n]

OPTIONS:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Domain name to enumerate it's subdomains
  -b [BRUTEFORCE], --bruteforce [BRUTEFORCE]
                        Enable the subbrute bruteforce module
  -p PORTS, --ports PORTS
                        Scan the found subdomains against specified tcp ports
  -v [VERBOSE], --verbose [VERBOSE]
                        Enable Verbosity and display results in realtime
  -t THREADS, --threads THREADS
                        Number of threads to use for subbrute bruteforce
  -e ENGINES, --engines ENGINES
                        Specify a comma-separated list of search engines
  -o OUTPUT, --output OUTPUT
                        Save the results to text file
  -n, --no-color        Output without color

Example: python Sublist3r/sublist3r.py -d google.com

Option notes:
- -d, --domain: the domain whose subdomains to enumerate
- -b, --bruteforce: enable the subbrute brute-force module
- -p, --ports: scan the subdomains found against the given TCP ports
- -v, --verbose: verbose mode, show results in real time
- -t, --threads: number of threads for subbrute brute forcing
- -e, --engines: comma-separated list of search engines to use
- -o, --output: save the results to a text file
- -n, --no-color: output without colour
- Run
python Sublist3r/sublist3r.py -d qq.com -b -v -t 100
- VirusTotal error
The problem is not in sending the request; VirusTotal appears to have changed the URL completely:
https://www.virustotal.com/ui/domains/{domain}/subdomains
which is what causes this error. In the source file, change the address above to the following one:
https://www.virustotal.com/gui/domain/{domain}/details
subDomainsBrute: subdomain enumeration
Download link: click here
- Uses a small dictionary to discover third-, fourth-, fifth-level (and deeper) subdomains recursively. The small dictionary has about 15,000 entries, the large one up to 63,000. By default it uses public DNS resolvers such as 114DNS, Baidu DNS and Alibaba DNS.
- Help text
┌──(root㉿kali)-[/home/roott/桌面/st]
└─# python subDomainsBrute/subDomainsBrute.py --h
Usage: subDomainsBrute.py [options] target.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -f FILE               File contains new line delimited subs, default is subnames.txt.
  --full                Full scan, NAMES FILE subnames_full.txt will be used to brute
  -i, --ignore-intranet Ignore domains pointed to private IPs
  -w, --wildcard        Force scan after wildcard test fail
  -t THREADS, --threads=THREADS
                        Num of scan threads, 200 by default
  -p PROCESS, --process=PROCESS
                        Num of scan Process, 6 by default
  -o OUTPUT, --output=OUTPUT
                        Output file name. default is {target}.txt

Option notes:
- --version: show the version number and exit
- -h, --help: help
- -f FILE: brute-force dictionary to use; subnames.txt by default
- --full: full scan using subnames_full.txt
- -i, --ignore-intranet: ignore names that resolve to private IP addresses
- -t THREADS, --threads=THREADS: number of scan threads, default 200
- -p PROCESS, --process=PROCESS: number of scan processes, default 6
- -o OUTPUT, --output=OUTPUT: output file name, default {target}.txt
- Run
python subDomainsBrute.py -t 20 baidu.com -o baidu.txt
When the scan finishes, a txt file is written in the same directory as the .py file.
whatweb: CMS identification
- WhatWeb identifies web technologies, including content management systems (CMS), blogging platforms, statistics/analytics packages, JavaScript libraries, web servers and embedded devices.
- Basic usage
┌──(root㉿kali)-[/home/roott/桌面/st/subDomainsBrute]
└─# whatweb baidu.com
http://baidu.com [200 OK] Apache, Country[CHINA][CN], HTTPServer[Apache], IP[220.181.38.251], Meta-Refresh-Redirect[http://www.baidu.com/]
http://www.baidu.com/ [200 OK] Cookies[BAIDUID,BDSVRTM,BD_HOME,BIDUPSID,H_PS_PSSID,PSTM], Country[CHINA][CN], Email[index@2.png,pop_tri@1x-f4a02fac82.png,qrcode-hover@2x-f9b106a848.png,qrcode@2x-daf987ad02.png,result@2.png], HTML5, HTTPServer[BWS/1.1], IP[39.156.66.18], JQuery, Meta-Refresh-Redirect[http://www.baidu.com/baidu.html?from=noscript], OpenSearch[/content-search.xml], Script[application/json,text/javascript], Title[百度一下,你就知道], UncommonHeaders[bdpagetype,bdqid,traceid], X-Frame-Options[sameorigin], X-UA-Compatible[IE=Edge,chrome=1,IE=edge]
http://www.baidu.com/baidu.html?from=noscript [200 OK] Apache, Cookies[BAIDUID], Country[CHINA][CN], HTML5, HTTPServer[Apache], IP[39.156.66.18], Script, Title[百度一下,你就知道], X-UA-Compatible[IE=Edge]
- Batch scanning
Write the domains into a file and pass it with the -i option.
┌──(root㉿kali)-[/home/roott/桌面]
└─# whatweb -i 666
http://www.csdn.net [301 Moved Permanently] Country[HONG KONG][HK], HTTPServer[openresty], IP[39.106.226.142], OpenResty, RedirectLocation[https://www.csdn.net/], Title[301 Moved Permanently]
http://www.baidu.com [200 OK] Cookies[BAIDUID,BDSVRTM,BD_HOME,BIDUPSID,H_PS_PSSID,PSTM], Country[CHINA][CN], Email[index@2.png,pop_tri@1x-f4a02fac82.png,qrcode-hover@2x-f9b106a848.png,qrcode@2x-daf987ad02.png,result@2.png], HTML5, HTTPServer[BWS/1.1], IP[39.156.66.18], JQuery, Meta-Refresh-Redirect[http://www.baidu.com/baidu.html?from=noscript], OpenSearch[/content-search.xml], Script[application/json,text/javascript], Title[百度一下,你就知道], UncommonHeaders[bdpagetype,bdqid,traceid], X-Frame-Options[sameorigin], X-UA-Compatible[IE=Edge,chrome=1,IE=edge]
http://www.baidu.com/baidu.html?from=noscript [200 OK] Apache, Cookies[BAIDUID], Country[CHINA][CN], HTML5, HTTPServer[Apache], IP[39.156.66.18], Script, Title[百度一下,你就知道], X-UA-Compatible[IE=Edge]
https://www.csdn.net/ [200 OK] Cookies[csrfToken,dc_session_id,uuid_tt_dd], Country[HONG KONG][HK], Django, Email[u002F2941f33f1bd6418ca4b13d3bbce5dd29@sentry.csdn.net], HTML5, HTTPServer[openresty], IP[39.106.226.142], JQuery[1.12.4], Script[text/javascript], Shopify, Strict-Transport-Security[max-age=31536000], Title[CSDN - 专业开发者社区], UncommonHeaders[x-response-time,x-content-type-options,x-download-options,x-readtime], X-XSS-Protection[1; mode=block]
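WhatWeb's one-line-per-target output is easy to read but awkward to feed into an asset inventory, because plugin values can themselves contain commas (Cookies[...], Email[...]) and some plugins carry several bracketed values (Country[CHINA][CN]). The following Python is an added example, not part of the original post and not WhatWeb's own code: it parses the brief format into structured records and then flags servers whose Server header discloses a version string, which is the kind of thing a defender would want to fix. The sample lines are copied from the scans shown on this page; the parsing rules are inferred from that output and are an assumption about the format.

```python
import re

# Sample lines in WhatWeb's brief format, taken from the scans shown on this page.
SAMPLE_OUTPUT = """\
http://baidu.com [200 OK] Apache, Country[CHINA][CN], HTTPServer[Apache], IP[220.181.38.251], Meta-Refresh-Redirect[http://www.baidu.com/]
http://www.csdn.net [301 Moved Permanently] Country[HONG KONG][HK], HTTPServer[openresty], IP[39.106.226.142], OpenResty, RedirectLocation[https://www.csdn.net/], Title[301 Moved Permanently]
http://192.168.1.1 [302 Found] Boa-WebServer[0.94.13], Country[RESERVED][ZZ], HTTPServer[Boa/0.94.13], IP[192.168.1.1], RedirectLocation[/cgi-bin/index2.asp], Title[302 Moved Temporarily], X-Frame-Options[SAMEORIGIN]
"""

# "<url> [<status line>] <plugin list>"; the plugin list is optional.
LINE_RE = re.compile(r"^(?P<url>\S+) \[(?P<status>[^\]]*)\] ?(?P<rest>.*)$")


def split_plugins(rest):
    """Split the plugin list on commas that are outside square brackets."""
    items, depth, cur = [], 0, []
    for ch in rest:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        items.append("".join(cur).strip())
    return [i for i in items if i]


def parse_plugin(item):
    """'Country[CHINA][CN]' -> ('Country', ['CHINA', 'CN']); 'Apache' -> ('Apache', [])."""
    name = item.split("[", 1)[0]
    values = re.findall(r"\[([^\]]*)\]", item)
    return name, values


def parse_whatweb(text):
    """Turn brief-format output into a list of {url, status, plugins} records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a result line
        plugins = dict(parse_plugin(item) for item in split_plugins(m.group("rest")))
        records.append({"url": m.group("url"), "status": m.group("status"), "plugins": plugins})
    return records


def server_inventory(records):
    """Map each URL to (status code, Server header value, IP) for an inventory sheet."""
    out = {}
    for r in records:
        code = r["status"].split(" ", 1)[0]
        server = r["plugins"].get("HTTPServer") or [""]
        ip = r["plugins"].get("IP") or [""]
        out[r["url"]] = (code, server[0], ip[0])
    return out


def version_disclosures(records):
    """Return (url, server string) pairs whose Server header reveals a version number."""
    found = []
    for r in records:
        for server in r["plugins"].get("HTTPServer", []):
            if re.search(r"/\d", server):
                found.append((r["url"], server))
    return found


if __name__ == "__main__":
    recs = parse_whatweb(SAMPLE_OUTPUT)
    for url, row in server_inventory(recs).items():
        print(url, row)
    print("version disclosure:", version_disclosures(recs))
```

The same parser works on `--log-brief` files, since they use this line format; for anything more involved, `--log-json` is the better input.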
- Verbose scan
Use the -v option.
┌──(root㉿kali)-[/home/roott/桌面]
└─# whatweb -v baidu.com
WhatWeb report for http://baidu.com
Status    : 200 OK
Title     : <None>
IP        : 220.181.38.251
Country   : CHINA, CN

Summary   : HTTPServer[Apache], Apache, Meta-Refresh-Redirect[http://www.baidu.com/]

Detected Plugins:
[ Apache ]
  The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
  Google Dorks: (3)
  Website     : http://httpd.apache.org/

[ HTTPServer ]
  HTTP server header string. This plugin also attempts to identify the operating system from the server header.
  String       : Apache (from server string)

[ Meta-Refresh-Redirect ]
  Meta refresh tag is a deprecated URL element that can be used to optionally wait x seconds before reloading the current page or loading a new page. More info: https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh
  String       : http://www.baidu.com/

HTTP Headers:
  HTTP/1.1 200 OK
  Date: Fri, 18 Mar 2022 12:35:27 GMT
  Server: Apache
  Last-Modified: Tue, 12 Jan 2010 13:48:00 GMT
  ETag: "51-47cf7e6ee8400"
  Accept-Ranges: bytes
  Content-Length: 81
  Cache-Control: max-age=86400
  Expires: Sat, 19 Mar 2022 12:35:27 GMT
  Connection: Close
  Content-Type: text/html

WhatWeb report for http://www.baidu.com/
Status    : 200 OK
Title     : 百度一下,你就知道
IP        : 39.156.66.18
Country   : CHINA, CN

Summary   : UncommonHeaders[bdpagetype,bdqid,traceid], HTML5, X-Frame-Options[sameorigin], HTTPServer[BWS/1.1], OpenSearch[/content-search.xml], X-UA-Compatible[IE=Edge,chrome=1,IE=edge], Cookies[BAIDUID,BDSVRTM,BD_HOME,BIDUPSID,H_PS_PSSID,PSTM], Script[application/json,text/javascript], Meta-Refresh-Redirect[http://www.baidu.com/baidu.html?from=noscript], JQuery, Email[index@2.png,pop_tri@1x-f4a02fac82.png,qrcode-hover@2x-f9b106a848.png,qrcode@2x-daf987ad02.png,result@2.png]

Detected Plugins:
[ Cookies ]
  Display the names of cookies in the HTTP headers. The values are not returned to save on space.
  String       : BAIDUID
  String       : BIDUPSID
  String       : PSTM
  String       : BAIDUID
  String       : BDSVRTM
  String       : BD_HOME
  String       : H_PS_PSSID

[ Email ]
  Extract email addresses. Find valid email address and syntactically invalid email addresses from mailto: link tags. We match syntactically invalid links containing mailto: to catch anti-spam email addresses, eg. bob at gmail.com. This uses the simplified email regular expression from http://www.regular-expressions.info/email.html for valid email address matching.
  String       : index@2.png,pop_tri@1x-f4a02fac82.png,qrcode-hover@2x-f9b106a848.png,qrcode@2x-daf987ad02.png,result@2.png

[ HTML5 ]
  HTML version 5, detected by the doctype declaration

[ HTTPServer ]
  HTTP server header string. This plugin also attempts to identify the operating system from the server header.
  String       : BWS/1.1 (from server string)

[ JQuery ]
  A fast, concise, JavaScript that simplifies how to traverse HTML documents, handle events, perform animations, and add AJAX.
  Website     : http://jquery.com/

[ Meta-Refresh-Redirect ]
  Meta refresh tag is a deprecated URL element that can be used to optionally wait x seconds before reloading the current page or loading a new page. More info: https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh
  String       : http://www.baidu.com/baidu.html?from=noscript

[ OpenSearch ]
  This plugin identifies open search and extracts the URL. OpenSearch is a collection of simple formats for the sharing of search results.
  String       : /content-search.xml

[ Script ]
  This plugin detects instances of script HTML elements and returns the script language/type.
  String       : application/json,text/javascript

[ UncommonHeaders ]
  Uncommon HTTP server headers. The blacklist includes all the standard headers and many non standard but common ones. Interesting but fairly common headers should have their own plugins, eg. x-powered-by, server and x-aspnet-version. Info about headers can be found at www.http-stats.com
  String       : bdpagetype,bdqid,traceid (from headers)

[ X-Frame-Options ]
  This plugin retrieves the X-Frame-Options value from the HTTP header. - More Info: http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.aspx
  String       : sameorigin

[ X-UA-Compatible ]
  This plugin retrieves the X-UA-Compatible value from the HTTP header and meta http-equiv tag. - More Info: http://msdn.microsoft.com/en-us/library/cc817574.aspx
  String       : IE=edge
  String       : IE=Edge,chrome=1

HTTP Headers:
  HTTP/1.1 200 OK
  Bdpagetype: 1
  Bdqid: 0xeab2f9da0007f83d
  Cache-Control: private
  Content-Encoding: gzip
  Content-Type: text/html;charset=utf-8
  Date: Fri, 18 Mar 2022 12:35:29 GMT
  Expires: Fri, 18 Mar 2022 12:35:29 GMT
  P3p: CP=" OTI DSP COR IVA OUR IND COM "
  P3p: CP=" OTI DSP COR IVA OUR IND COM "
  Server: BWS/1.1
  Set-Cookie: BAIDUID=843ACE191CAF5BDF641FA4856CEF748E:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
  Set-Cookie: BIDUPSID=843ACE191CAF5BDF641FA4856CEF748E; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
  Set-Cookie: PSTM=1647606929; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
  Set-Cookie: BAIDUID=843ACE191CAF5BDF760373BF08C47CC4:FG=1; max-age=31536000; expires=Sat, 18-Mar-23 12:35:29 GMT; domain=.baidu.com; path=/; version=1; comment=bd
  Set-Cookie: BDSVRTM=10; path=/
  Set-Cookie: BD_HOME=1; path=/
  Set-Cookie: H_PS_PSSID=36067_35106_31253_36021_34812_35911_34584_36120_36074_36109_35984_35320_26350_36101_36062; path=/; domain=.baidu.com
  Traceid: 1647606929262280909816911854265428342845
  X-Frame-Options: sameorigin
  X-Ua-Compatible: IE=Edge,chrome=1
  Connection: close
  Transfer-Encoding: chunked

WhatWeb report for http://www.baidu.com/baidu.html?from=noscript
Status    : 200 OK
Title     : 百度一下,你就知道
IP        : 39.156.66.18
Country   : CHINA, CN

Summary   : HTML5, HTTPServer[Apache], Apache, X-UA-Compatible[IE=Edge], Cookies[BAIDUID], Script

Detected Plugins:
[ Apache ]
  The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
  Google Dorks: (3)
  Website     : http://httpd.apache.org/

[ Cookies ]
  Display the names of cookies in the HTTP headers. The values are not returned to save on space.
  String       : BAIDUID

[ HTML5 ]
  HTML version 5, detected by the doctype declaration

[ HTTPServer ]
  HTTP server header string. This plugin also attempts to identify the operating system from the server header.
  String       : Apache (from server string)

[ Script ]
  This plugin detects instances of script HTML elements and returns the script language/type.

[ X-UA-Compatible ]
  This plugin retrieves the X-UA-Compatible value from the HTTP header and meta http-equiv tag. - More Info: http://msdn.microsoft.com/en-us/library/cc817574.aspx
  String       : IE=Edge

HTTP Headers:
  HTTP/1.1 200 OK
  Accept-Ranges: bytes
  Cache-Control: max-age=86400
  Content-Encoding: gzip
  Content-Length: 1131
  Content-Type: text/html
  Date: Fri, 18 Mar 2022 12:35:35 GMT
  Etag: "b83-59bafefa98680"
  Expires: Sat, 19 Mar 2022 12:35:35 GMT
  Last-Modified: Thu, 09 Jan 2020 07:27:06 GMT
  P3p: CP=" OTI DSP COR IVA OUR IND COM "
  Server: Apache
  Set-Cookie: BAIDUID=931BB16E756618D76A155B2EB8A4263B:FG=1; expires=Sat, 18-Mar-23 12:35:35 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
  Vary: Accept-Encoding,User-Agent
  Connection: close
- Aggression level
--aggression, -a controls the scan level; 1, 3 and 4 select different levels, and the default is 1.
┌──(root㉿kali)-[/home/roott/桌面]
└─# whatweb -a 3 www.baidu.com
http://www.baidu.com [200 OK] Cookies[BAIDUID,BDSVRTM,BD_HOME,BIDUPSID,H_PS_PSSID,PSTM], Country[CHINA][CN], Email[index@2.png,pop_tri@1x-f4a02fac82.png,qrcode-hover@2x-f9b106a848.png,qrcode@2x-daf987ad02.png,result@2.png], HTML5, HTTPServer[BWS/1.1], IP[39.156.66.18], JQuery, Meta-Refresh-Redirect[http://www.baidu.com/baidu.html?from=noscript], OpenSearch[/content-search.xml], Script[application/json,text/javascript], Title[百度一下,你就知道], UncommonHeaders[bdpagetype,bdqid,traceid], X-Frame-Options[sameorigin], X-UA-Compatible[IE=Edge,chrome=1,IE=edge]
http://www.baidu.com/baidu.html?from=noscript [200 OK] Apache, Cookies[BAIDUID], Country[CHINA][CN], HTML5, HTTPServer[Apache], IP[39.156.66.18], Script, Title[百度一下,你就知道], X-UA-Compatible[IE=Edge]
- Quick scan of hosts on the local network
└─# whatweb --no-errors -t 255 192.168.1.0/24
http://192.168.1.1 [302 Found] Boa-WebServer[0.94.13], Country[RESERVED][ZZ], HTTPServer[Boa/0.94.13], IP[192.168.1.1], RedirectLocation[/cgi-bin/index2.asp], Title[302 Moved Temporarily], X-Frame-Options[SAMEORIGIN]
http://192.168.1.1/cgi-bin/index2.asp [200 OK] Country[RESERVED][ZZ], IP[192.168.1.1], JQuery[1.8.3], MetaGenerator[Microsoft FrontPage 5.0], PasswordField[Password], Script[javascript,text/JavaScript], Title[Login], X-Frame-Options[SAMEORIGIN]
- Exporting scan results
A baidu.xml file appears in the current directory; other formats can be exported as well.
┌──(root㉿kali)-[/home/roott/桌面]
└─# whatweb www.baidu.com --log-xml=baidu.xml
Log options:
- --log-brief=FILE: brief log, one line per site
- --log-verbose=FILE: verbose output
- --log-xml=FILE: log in XML format
- --log-json=FILE: log in JSON format
- --log-json-verbose=FILE: verbose JSON log
- --log-magictree=FILE: MagicTree XML tree format
- --log-object=FILE: Ruby object format
- --log-mongo-database: MongoDB database
dirbuster: subdirectories
- Configuration files: /usr/share/dirbuster
- Annotation
- View the files that the scan found
- View them as a tree
- After the scan finishes, a report can be exported
dirsearch: subdirectories
- Configuration file
/etc/dirsearch/default.conf
- Common options
- -u target URL
- -e extensions for the site's scripting language
- -w wordlist
- -t number of threads
- -r recurse into directories (after a directory is found, keep scanning the directories under it)
- --random-agent use a random User-Agent for every request
- -i include only these status codes, comma-separated, e.g. 200,300
- -x exclude these status codes, comma-separated, e.g. 301,500-599
- -h help
- In practice
With --random-agent the User-Agent changes randomly from request to request:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.58
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Without --random-agent every request carries the same User-Agent:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
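Seen from the server side, a directory scan like the one above leaves a distinctive trace: one client producing a burst of 404s for paths that were never linked anywhere, and, with --random-agent, a different User-Agent on nearly every request. The following Python is an added example (not from the original post, not dirsearch code): it parses Apache combined-format access-log lines, counts the 404s each client produces inside a sliding window, and reports the number of distinct User-Agents so that a rotating agent is visible rather than hidden. The log lines are constructed for this example; the three rotating User-Agent strings are the ones captured above, and the IPs, paths and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The three User-Agent strings seen in the --random-agent run above.
UA_A = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.58"
UA_B = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
UA_C = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"


def _line(ip, sec, path, status, ua):
    """Build one constructed log line (timestamp within a single minute)."""
    return f'{ip} - - [18/Mar/2022:12:35:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 196 "-" "{ua}"'


# Constructed sample log: 10.0.0.5 behaves like a wordlist scan, 10.0.0.9 like a browser.
SAMPLE_LOG = [
    _line("10.0.0.5", 1, "/admin/", 404, UA_A),
    _line("10.0.0.5", 2, "/backup/", 404, UA_B),
    _line("10.0.0.5", 2, "/old/", 404, UA_C),
    _line("10.0.0.5", 3, "/config.php", 404, UA_A),
    _line("10.0.0.5", 3, "/test/", 404, UA_B),
    _line("10.0.0.5", 4, "/index.php", 200, UA_C),
    _line("10.0.0.5", 4, "/tmp/", 404, UA_A),
    _line("10.0.0.9", 10, "/", 200, UA_C),
    _line("10.0.0.9", 11, "/favicon.ico", 404, UA_C),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "status": int(m["status"]), "ua": m["ua"], "path": m["path"]}


def detect_dir_bruteforce(lines, window=timedelta(seconds=60), min_misses=5):
    """Flag clients with at least min_misses 404s inside any window-sized interval."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in per_ip.items():
        misses = sorted(e["ts"] for e in events if e["status"] == 404)
        peak, start = 0, 0
        for end in range(len(misses)):          # sliding window over the 404 timestamps
            while misses[end] - misses[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_misses:
            findings[ip] = {
                "misses_in_window": peak,
                # many distinct agents from one IP is itself a tell for --random-agent
                "distinct_agents": len({e["ua"] for e in events}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Grouping by source IP rather than by User-Agent is the point: a rate limit keyed on the User-Agent string is exactly what --random-agent is designed to slip past, whereas a per-IP 404 burst is unaffected by it.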
Yujian (御剑)
Lets you choose the number of threads, the timeout, the dictionary to use, the status codes to display, and so on.
The dictionaries live in the configuration files in the same directory.
ffuf (very powerful; not yet fully mastered)
- A fuzzer written in Go
- -u target URL; append FUZZ where the payload should go
- -w wordlist; separate multiple wordlists with commas
- -c colour the response status codes (has no effect on Windows)
- -t number of threads, default 40
- -p delay between requests, e.g. 0.1 or 0.2 s
- -ac auto-calibrate the fuzz results
- -H header, in the form "Name: Value"
- -X HTTP method to use
- -d POST data
- -r follow redirects
- -recursion num recursive scan
- -x proxy, http or socks5://127.0.0.1:8080
- -s silent mode, print no extra information
- -e extensions for the scripting language, e.g. -e .asp,.php,.html,.txt
- -o output file
- -of output format: html, json, md, csv, or all
- Simple directory scan
ffuf -u http://site.com/FUZZ -w ./wordlist.txt
FUZZ marks the position to fuzz.
- Recursive directory scan
ffuf -u http://site.com/FUZZ -w ./wordlist.txt -recursion -recursion-depth 1
-recursion enables recursive scanning (off by default); -recursion-depth sets the recursion depth (default 1).
- Scanning for sensitive files
ffuf -u http://site.com/FUZZ -w ./wordlist.txt -e .bak
-e scans for files with the given extension.
- Scanning with several wordlists
ffuf -u http://FUZZDOMAIN/FUZZDIR -w ./domain.txt:FUZZDOMAIN,./wordlist.txt:FUZZDIR
With several wordlists the keywords are processed in sequence.
- Reading the request from a file
ffuf -request /request.txt -w ./wordlist.txt
-request names the file whose raw request should be read.
- Fuzzing subdomains (virtual hosts)
ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
wafw00f
- Help text
Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/
Options:
-h, --help show this help message and exit
-v, --verbose Enable verbosity, multiple -v options increase verbosity
# enable verbose output; each extra -v increases the verbosity
-a, --findall Find all WAFs which match the signatures, do not stop testing on the first one
# find every WAF matching the signatures instead of stopping at the first match
-r, --noredirect Do not follow redirections given by 3xx responses
# do not follow redirects given by 3xx responses
-t TEST, --test=TEST Test for one specific WAF
# test for one specific WAF
-o OUTPUT, --output=OUTPUT
Write output to csv, json or text file depending on file extension. For stdout, specify - as filename.
# write the output to a csv, json or text file depending on the extension; use - as the file name for stdout
-i INPUT, --input-file=INPUT
Read targets from a file. Input format can be csv,json or text. For csv and json, a `url` column name or element is required.
# read targets from a file; the input may be csv, json or text, and csv/json need a `url` column or element
-l, --list List all WAFs that WAFW00F is able to detect
# list all WAFs that WAFW00F can detect
-p PROXY, --proxy=PROXY
Use an HTTP proxy to perform requests, examples:
http://hostname:8080, socks5://hostname:1080,
http://user:pass@hostname:8080
# HTTP proxy
-V, --version Print out the current version of WafW00f and exit.
# print the current WafW00f version and exit
-H HEADERS, --headers=HEADERS
Pass custom headers via a text file to overwrite the
default header set.
# pass custom headers in a text file to replace the default header set
- How it works
- It sends a normal HTTP request and analyses the response; this alone may identify the WAF.
- If that fails, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
- If that still fails, it analyses the responses returned earlier and uses another simple algorithm to guess whether a WAF or security solution is actively responding to our probes.
- Scanning a single target
┌──(root㉿kali)-[/home/roott/桌面/st]
└─# wafw00f http://www.qq.com
- Scanning several targets
┌──(root㉿kali)-[/home/roott/桌面/st]
└─# wafw00f http://www.qq.com http://www.baidu.com
Google hacking
- Usage
- Site: search within a specific domain.
- Domain: query the external links to your own site.
- Inurl: search for pages whose URL contains the query term.
- Intitle: search for titles containing the keyword.
- Info: basic information about the specified site.
- Filetype: search only for specific file formats.
- Link: returns all URLs that link to xxxxxxx.
- Index: returned pages contain the keyword in the body text.
- Define: search for the definition of a term.
- And: and expresses a logical AND between the two keywords.
- cache: content from the cache.
GitHub information leakage
in:name test #repositories whose name contains the keyword test
in:description test #repositories whose description contains the keyword
in:readme test #repositories whose README contains the keyword
stars:>3000 test #keyword search among repositories with more than 3000 stars
stars:1000..3000 test #keyword search among repositories with 1000 to 3000 stars
forks:>1000 test #keyword search among repositories with more than 1000 forks
forks:1000..3000 test #keyword search among repositories with 1000 to 3000 forks
size:>=5000 test #keyword search among repositories larger than 5000 KB (5 MB)
pushed:>2019-02-12 test #keyword search among repositories pushed after 2019-02-12
created:>2019-02-12 test #keyword search among repositories created after 2019-02-12
user:test #search by user name
license:apache-2.0 test #keyword search restricted to repositories with the given LICENSE
language:java test #keyword search in Java code
user:test in:name test #combined search: repositories of user test whose name contains test
- Collecting mail configuration from GitHub
site:Github.com smtp
site:Github.com smtp @qq.com
site:Github.com smtp @126.com
site:Github.com smtp @163.com
site:Github.com smtp @sina.com.cn
site:Github.com smtp password
site:Github.com String password smtp
The search can also be narrowed to a vendor's own domain; for Baidu, for example:
site:Github.com smtp @baidu.com
- Collecting database credentials from GitHub
site:Github.com sa password
site:Github.com root password
site:Github.com User ID='sa';Password
site:Github.com inurl:sql
- Collecting SVN information
site:Github.com svn
site:Github.com svn username
site:Github.com svn password
site:Github.com svn username password
- General information gathering
site:Github.com password
site:Github.com ftp ftppassword
site:Github.com 密码
site:Github.com 内部
masscan: port scanning
- Scans TCP ports using SYN scanning. Instead of completing a full TCP connection it first sends a SYN packet to the target port and waits for the reply. If a SYN-ACK comes back, the port is open, and a RST is then sent to abandon the half-open connection; if the target answers with RST, the port is closed.
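The half-open handshake described above is also what makes a SYN scan recognisable on the wire: the scanner sends SYN, and on a SYN-ACK it answers with RST rather than ACK, so no probed port ever reaches an established connection. The following Python is an added example (not from the original post and not masscan code) that reconstructs that logic from packet summaries as a flow log or IDS might record them: it tracks each (client, server, port) three-way handshake, labels it completed, open-but-half-open, closed or unanswered, and reports clients that probed several ports without ever completing a handshake. The packet records are constructed for the example; the tuple shape (time, src, dst, service port, TCP flags) is an assumption, not a particular tool's format.

```python
from collections import defaultdict

# Constructed packet summaries: (time, src, dst, service_port, flags).
# 10.0.0.5 SYN-scans 10.0.0.20; 10.0.0.7 is an ordinary client that completes a handshake.
PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.20", 22, "S"),
    (0.01, "10.0.0.20", "10.0.0.5", 22, "SA"),   # port open
    (0.02, "10.0.0.5", "10.0.0.20", 22, "R"),    # scanner tears down, never sends ACK
    (0.03, "10.0.0.5", "10.0.0.20", 80, "S"),
    (0.04, "10.0.0.20", "10.0.0.5", 80, "SA"),
    (0.05, "10.0.0.5", "10.0.0.20", 80, "R"),
    (0.06, "10.0.0.5", "10.0.0.20", 443, "S"),
    (0.07, "10.0.0.20", "10.0.0.5", 443, "RA"),  # port closed
    (0.08, "10.0.0.5", "10.0.0.20", 3306, "S"),
    (0.09, "10.0.0.20", "10.0.0.5", 3306, "RA"),
    (0.10, "10.0.0.5", "10.0.0.20", 8080, "S"),  # filtered: no reply at all
    (1.00, "10.0.0.7", "10.0.0.20", 443, "S"),
    (1.01, "10.0.0.20", "10.0.0.7", 443, "SA"),
    (1.02, "10.0.0.7", "10.0.0.20", 443, "A"),   # normal client completes the handshake
]


def classify_flows(packets):
    """Track handshake state per (client, server, port); the client is whoever sent the SYN."""
    flows = {}
    for _t, src, dst, port, flags in sorted(packets):
        if flags == "S":
            flows[(src, dst, port)] = {"synack": False, "ack": False,
                                       "client_rst": False, "server_rst": False}
        elif (dst, src, port) in flows:            # reply from server to client
            f = flows[(dst, src, port)]
            if flags == "SA":
                f["synack"] = True
            elif "R" in flags:
                f["server_rst"] = True
        elif (src, dst, port) in flows:            # follow-up packet from the client
            f = flows[(src, dst, port)]
            if flags == "A":
                f["ack"] = True
            elif "R" in flags:
                f["client_rst"] = True
    return flows


def handshake_verdicts(flows):
    """Label each flow: completed, open-half-open, closed or no-reply."""
    verdicts = {}
    for key, f in flows.items():
        if f["synack"] and f["ack"]:
            verdicts[key] = "completed"
        elif f["synack"] and f["client_rst"]:
            verdicts[key] = "open-half-open"     # the SYN-scan signature
        elif f["server_rst"]:
            verdicts[key] = "closed"
        else:
            verdicts[key] = "no-reply"
    return verdicts


def detect_syn_scanners(packets, min_ports=3):
    """Clients that probed at least min_ports ports on one server without completing any handshake."""
    verdicts = handshake_verdicts(classify_flows(packets))
    probed = defaultdict(set)
    for (client, server, port), v in verdicts.items():
        if v != "completed":
            probed[(client, server)].add(port)
    return {pair: sorted(ports) for pair, ports in probed.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for (client, server), ports in detect_syn_scanners(PACKETS).items():
        print(f"{client} -> {server}: probed {ports} with no completed handshake")
```

A real detector would age flows out and tolerate retransmissions, but the core test is the same one the scan description gives in reverse: SYN followed by SYN-ACK and then RST from the client, repeated across ports, is a scanner; SYN, SYN-ACK, ACK is a client.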
- Help
Targets: 1. a single IPv4 address; 2. a range such as "10.0.0.1-10.0.0.233"; 3. a CIDR block such as "0.0.0.0/0"; separate multiple targets with commas.
- -p <ports>, --ports <ports>: ports to scan
- --banners: grab banner information (only a few protocols are supported)
- --rate <packets-per-second>: packet send rate
- -c <filename>, --conf <filename>: read scan settings from a configuration file
- --echo: write the current configuration to a configuration file
- -e <ifname>, --adapter <ifname>: network interface to send packets from
- --adapter-ip <ip-address>: source IP address for outgoing packets
- --adapter-port <port>: source port for outgoing packets
- --adapter-mac <mac-address>: source MAC address for outgoing packets
- --router-mac <mac address>: MAC address of the gateway
- --exclude <ip/range>: IP range blacklist that masscan must not scan
- --excludefile <filename>: file containing the IP range blacklist
- --includefile, -iL <filename>: read a list of ranges to scan
- --ping: include ICMP echo requests in the scan
- --append-output: append to the output file instead of overwriting it
- --iflist: list the available network interfaces and exit
- --retries: number of retransmissions, sent at one-second intervals
- --nmap: print nmap-compatible information
- --http-user-agent <user-agent>: value of the User-Agent field
- --show [open,close]: which port states to display; open ports by default
- --noshow [open,close]: port states not to display
- --pcap <filename>: save received packets in libpcap format
- --regress: run regression tests to check that the scanner works
- --ttl <num>: TTL of outgoing packets, default 255
- --wait <seconds>: time to wait after sending finishes, default 10 seconds
- --offline: send no packets at all; used to measure overhead
- -sL: do not scan; just generate a random list of addresses
- --readscan <binary-files>: read binary files produced with -oB and convert them to XML or JSON
- --connection-timeout <secs>: maximum seconds to keep a TCP connection open when grabbing banners, default 30
- Basic usage
- Scan a single port
masscan 192.168.1.0/24 -p443
- Scan several ports
masscan 10.11.0.0/16 -p80,443
- Scan a port range
masscan 10.11.0.0/16 -p22-25
- Fast scan
The default rate is 100 packets per second; change it with --rate.
masscan 10.11.0.0/16 --top-ports 100 -rate 100000
- Exclude targets
masscan 10.11.0.0/16 --top-ports 100 --excludefile exclude.txt
- Save the scan results
masscan 10.11.0.0/16 --top-ports 100 > result.txt
- Supported output formats
- -oX filename: save the results in XML format
- -oG filename: save the results in grepable format
- -oJ filename: save the results in JSON format
- Scan the top ten ports
masscan 10.11.0.0/16 -top-ten -rate 100000
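A defender runs the same scan against their own ranges for a different reason: to compare what is actually listening with what the asset inventory says should be listening. The following Python is an added example (not from the original post and not masscan code) that loads the `-oJ` output described above and diffs it against an allowlist of expected host:port pairs, reporting unexpected open ports and hosts that are missing from the inventory altogether. The sample JSON is constructed; its field names (`ip`, `ports`, `port`, `proto`, `status`) are an assumption about the shape of masscan's JSON output, as is the trailing comma before the closing bracket that the loader tolerates.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the assumed shape of masscan -oJ output (field names are an
# assumption; the trailing comma before "]" is tolerated deliberately).
SAMPLE_MASSCAN_JSON = """[
{   "ip": "10.11.0.5",   "timestamp": "1647606929", "ports": [ {"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 54} ] },
{   "ip": "10.11.0.5",   "timestamp": "1647606930", "ports": [ {"port": 3306, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 54} ] },
{   "ip": "10.11.0.9",   "timestamp": "1647606931", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
]"""

# Constructed inventory: which TCP ports each host is supposed to expose.
ALLOWLIST = {
    "10.11.0.5": {443},
    "10.11.0.6": {22, 80},
}


def load_masscan_json(text):
    """Return {ip: set(open tcp ports)} from masscan JSON output."""
    text = re.sub(r",\s*\]\s*$", "]", text.strip())   # drop a trailing comma before "]"
    open_ports = defaultdict(set)
    for rec in json.loads(text):
        for p in rec.get("ports", []):
            if p.get("status") == "open" and p.get("proto") == "tcp":
                open_ports[rec["ip"]].add(int(p["port"]))
    return dict(open_ports)


def compare_to_allowlist(open_ports, allowlist):
    """Diff observed open ports against the inventory."""
    unexpected, unknown_hosts = {}, []
    for ip, ports in open_ports.items():
        if ip not in allowlist:
            unknown_hosts.append(ip)            # listening host nobody inventoried
            continue
        extra = ports - allowlist[ip]
        if extra:
            unexpected[ip] = sorted(extra)      # services that should not be exposed
    return {"unexpected_ports": unexpected, "unknown_hosts": sorted(unknown_hosts)}


if __name__ == "__main__":
    observed = load_masscan_json(SAMPLE_MASSCAN_JSON)
    report = compare_to_allowlist(observed, ALLOWLIST)
    print(json.dumps(report, indent=2))
```

Hosts in the allowlist that the scan did not see at all are not reported here, because a SYN scan at high rate misses packets; a second pass with `--retries` or a lower `--rate` is the usual way to settle those before treating them as decommissioned.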