前言
本篇整理信息收集阶段,大概会占渗透测试总时间的60%,视能力和情况而定,做到不影响企业业务正常运行的情况下,收集更多的资产信息,细心和耐心很关键。
主站
快速定位,快速产出
先浏览下主站,可以很直观的了解目标站点的大致业务/性质/模式,会对整个渗透过程起到很大的帮助。
对于boss要求的部分站点需要快速产出漏洞(销售好谈客户),主站很多都是可以拿下的,比如四位数字无限制爆破验证码,sqli,备份文件,组件框架历史漏洞,后台弱口令,邮箱收集/爆破/社工theHarvester等等。
对于无范围全网测的厂商,可通过以下途径获取相关资产,比如收集开发运维专用的域名和解析到内网的域名,主机ip所属等。
搜索引擎hacking语法,搜target.com|公司名字,有时也能查到,但是数据需要清洗。
whois查询/注册人反查/邮箱反查/相关资产
站长之家
爱站
微步在线(企业版)
ip反查
天眼查
虎妈查
历史漏洞查询
Github泄露
本阶段收集的信息,为下一步收集/爆破子域名做好准备。
子域名
子域名的收集途径很多,Layer子域名挖掘机4.2纪念版,subDomainsBrute李劼杰,wydomain猪猪侠,Sublist3r,site:target.com,Github代码仓库,抓包分析请求返回值(跳转/文件上传/app/api接口等),站长帮手links等在线查询网站,部分会受到泛解析的影响,记录下学习到的,
域传送漏洞
linux:
[dig @ns.example.com example=.com AXFR]
windows:
[nslookup -> set type=ns ->target.com -> server ns.target.com -> ls target.com]
GetDomainsBySSL
censys.io证书
crt.sh证书查询
shodan/fofa.so/zoomeye
dnsdb.io
api.hackertarget
community.riskiq.com
n级子域名爆破
subdomain3
FuzzDomain
端口服务
假设从layer导出来的子域名列表为target.com.txt,使用nmap扫默认端口
nmap -v -A -F -iL target.com.txt -oX target_f.xml
扫描全端口
nmap -v -A -p1-65535 -iL target.com.txt -oX target_all.xml
端口扫描脚本
端口渗透总结
web探测
探测每个站点的web信息,假设所有子域名都在:target.com_domains.txt(Layer直接导出域名)
BSDR_Banners密码:rzv0
web指纹识别
邮箱命名规则收集/爆破/社工
详细可参考:渗透标准
qq群,微信公众号和百度文库等社交途径有时也能收集到一页特定规则的密码表,直接附上一个小脚本
main.py
实现批量扫描target.com_domains.txt站点
#-*-coding:UTF-8-*-
importrequests
importre
importos
frombs4importBeautifulSoup
frommultiprocessing.poolimportPool
importthreading
importtime
#from whatcms import *
fromdirscanimport*
frombaidu_siteimport*
#from baidu_inurl import *
#from getalllink import *
importwarnings
warnings.filterwarnings("ignore")
importsys
reload(sys)
sys.setdefaultencoding('utf-8')
globalcookie
cookie='1'
output_file=sys.argv[1].split('.')[0]+time.strftime('%Y-%m-%d',time.localtime(time.time()))+'.html'#-%H-%I-%S
defcheck(url):
try:
printurl
header={
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate, sdch',
'Upgrade-Insecure-Requests':'1',
'Accept-Language':'zh-CN,zh;q=0.8',
'Cookie':cookie,
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36'}
req=requests.get(url,headers=header,timeout=5,allow_redirects=False)
status=req.status_code
html=req.content
soup=BeautifulSoup(html,from_encoding="utf-8")
server=' '
try:
server=req.headers['Server']
except:pass
title=' '
try:
title=soup.title.string
except:pass
X_Powered_By=' '
try:
X_Powered_By=req.headers['X-Powered-By']
except:pass
output=open(output_file,"a")
str1='''
【%s】 %s %s %s %s %s %s
'''%(str(status),server,X_Powered_By,url,url,title,baidu_site(url),dirscan(url))#,dirlink(url))#,baidu_inurl(url)whatcms(url),dirscan(url),yunxi_cmsapi(url)%s
output.write(str1)
output.close()
return1
except:
return0
finally:
return0
defget_domain(adr):
files=open(adr,'r')
regex=re.compile(r"(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+",re.IGNORECASE)
whileTrue:
line=files.readline()
ifline:
urls=regex.findall(line)
foriinurls:
forportinweb_port:
domain_http='http://'+i+':'+port
ifdomain_httpnotindomains:
domains.append(domain_http)
str=line.split('\n')
domain_https='https://'+str[0]
ifdomain_httpsnotindomains:
domains.append(domain_https)
else:break
if__name__=='__main__':
domains=[]
web_port=['80',]#,'8080',] #
in_domain=sys.argv[1]
get_domain(in_domain)
output=open(output_file,"w")
str1=""
output.write(str1)
output.close()
pool=Pool(2)
pool.map(check,domains)
pool.close()
pool.join()
os._exit(0)
dirscan.py
实现简单的目录fuzz,
import requests
import sys
import urlparse
import random
import re
def list(url):
keys = []
f = open('list.txt','r')
bak = urlparse.urlparse(url).hostname#.netloc.replace(':8080','').replace(':80','')
for i in f.readlines():
key = i.strip().replace('%flag%',bak)
if key not in keys:
keys.append(key)
return keys
def dirscan(url):
flag = []
keys = list(url)
headers = {
'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate, sdch',
'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4'}
user_agent = ['Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0',
'Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.6 Safari/532.0',
'Mozilla/5.0 (Windows; U; Windows NT 5.1 ; x64; en-US; rv:1.9.1b2pre) Gecko/20081026 Firefox/3.1b2pre',
'Opera/10.60 (Windows NT 5.1; U; zh-cn) Presto/2.6.30 Version/10.60','Opera/8.01 (J2ME/MIDP; Opera Mini/2.0.4062; en; U; ssr)',
'Mozilla/5.0 (Windows; U; Windows NT 5.1; ; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14',
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36',
'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.2.4) Gecko/20100523 Firefox/3.6.4 ( .NET CLR 3.5.30729)',
'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr-FR) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16',
'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr-FR) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5']
check = requests.get(url=url,timeout=3,headers=headers)
if check.url[-1:] != '/':
check.url = check.url + '/'
#print check.url
#print url
try:
if check.headers['X-Frame-Options']:
return 'Nginx 404/401'
except:pass
if check.url[:-1] != url:
return check.url[:-1]
#url.replace(':8080','').replace(':80','')
#url = urlparse.urlsplit(check.url).scheme+'://'+urlparse.urlsplit(check.url).netloc
for i in keys:
urli = url + i
UA = random.choice(user_agent)
headers['User-Agent'] = UA
try:
r = requests.get(url=urli,timeout=3,headers=headers)
#print r.status_code
#print r.url
#print len(r.content),len(check.content)
if r.status_code == 200 and len(check.content) != len(r.content) and r.url == urli:
flag.append(i)
except:pass
if len(flag) > 25:
return
else:
return flag
'''
if re.findall(r"\['/robots\.txt', (.*?) '/tmp', '/file'\]",str(flag)):
return
else:
return flag'''
if __name__ == '__main__':
print dirscan(sys.argv[1])
# svn :text/plain
# Ds_stroe:'application/octet-stream' == r.headers['Content-Type']
#if 'application' in r.headers['Content-Type']:
# flag.append(i)
baidu_site.py
加入site:子域名,
importrequests
importre
importsys
importurlparse
importrandom
defbaidu_site(url):
url=urlparse.urlparse(url).hostname
baidu_url='https://www.baidu.com/s?ie=UTF-8&wd=site:{}'.format(url)
headers={
'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate, sdch',
'Accept-Language':'zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4'}
user_agent=['Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0',
'Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.6 Safari/532.0',
'Mozilla/5.0 (Windows; U; Windows NT 5.1 ; x64; en-US; rv:1.9.1b2pre) Gecko/20081026 Firefox/3.1b2pre',
'Opera/10.60 (Windows NT 5.1; U; zh-cn) Presto/2.6.30 Version/10.60','Opera/8.01 (J2ME/MIDP; Opera Mini/2.0.4062; en; U; ssr)',
'Mozilla/5.0 (Windows; U; Windows NT 5.1; ; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14',
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36',
'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.2.4) Gecko/20100523 Firefox/3.6.4 ( .NET CLR 3.5.30729)',
'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr-FR) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16',
'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr-FR) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5']
UA=random.choice(user_agent)
headers['User-Agent']=UA
try:
r=requests.get(url=baidu_url,headers=headers,timeout=5).content
if'class="nors"'notinr:
return'Baidu_site'%baidu_url
else:
return''
except:
pass
return''
if__name__=='__main__':
printbaidu_site(sys.argv[1])
list.txt
目录字典,
/robots.txt
/.git/config
/.svn/entries
/.svn/wc.db
/README.md
/.viminfo
/.bash_history
/.bashrc
/crossdomain.xml
/nginx.conf
/httpd.conf
/user.txt
/sitemap.xml
/username.txt
/pass.txt
/passwd.txt
/password.txt
/.DS_Store
/.htaccess
/log
/log.txt
/phpinfo.php
/info.php
/www.7z
/www.rar
/www.zip
/www.tar.gz
/wwwroot.zip
/wwwroot.rar
/wwwroot.7z
/wwwroot.tar.gz
/%flag%.7z
/%flag%.rar
/%flag%.zip
/%flag%.tar.gz
/backup
/backup.7z
/backup.rar
/backup.sql
/backup.tar
/backup.tar.gz
/backup.zip
/database.sql
/index.7z
/index.rar
/index.sql
/index.tar
/index.tar.gz
/index.zip
/index.html
/index.php
/index.asp
/index.aspx
/index.jsp
/index.action
/users.sql
/login
/phpmyadmin
/pma
/SiteServer
/admin
/install
/backup
/test
/tmp
/file
效果:
所需辅助小插件,可自行添加
推荐个完善的datasploit
转载:http://www.cnnetarmy.com/%e4%b9%99%e6%96%b9%e6%b8%97%e9%80%8f%e6%b5%8b%e8%af%95%e4%b9%8b%e4%bf%a1%e6%81%af%e6%94%b6%e9%9b%86/