Bug.Bounty.Bootcamp (2): a book worth reading

Chapter 5: Web Hacking Reconnaissance

The Google Dorking section has a detailed introduction to Google search techniques. (Worth studying when I get the chance.)

Scope Discovery

$ whois facebook.com
$ nslookup facebook.com

Certificate Parsing

Recommended: crt.sh, which can be queried online

https://crt.sh/?q=facebook.com&output=json
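Added example (not from the book or the blog): parsing the JSON that the URL above returns into a de-duplicated list of in-scope hostnames. The sample response is constructed; field names (`name_value`, `common_name`, `not_after`) match the real crt.sh output, and `fetch_crtsh` is a hypothetical helper for the live query.

```python
import json
import urllib.request

# Constructed sample of the JSON that crt.sh returns for ?q=<domain>&output=json.
# Field names match the real API; the entries themselves are made up.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com", "not_after": "2030-01-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc", "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com", "not_after": "2030-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "dev-api.example.com",
     "name_value": "DEV-API.example.com\nstaging.example.com\ncdn.other-example.net",
     "not_after": "2019-01-01T00:00:00"},
])


def fetch_crtsh(domain: str) -> str:
    """Live query using the same URL form as the page; not used by the offline demo below."""
    url = f"https://crt.sh/?q={domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()


def subdomains_from_crtsh(raw_json: str, domain: str) -> list:
    """Return the sorted, de-duplicated hostnames under `domain` named in crt.sh results.

    name_value lists every SAN on the certificate, newline separated, so one entry can
    yield several hosts. Names are lower-cased, wildcard labels are reduced to their
    base (*.example.com -> example.com), and SANs outside the target domain are dropped,
    since multi-SAN certificates routinely name hosts that are out of scope.
    """
    hosts = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                hosts.add(name)
    return sorted(hosts)


if __name__ == "__main__":
    for host in subdomains_from_crtsh(CRTSH_SAMPLE, "example.com"):
        print(host)
```

Expired certificates (compare `not_after` with the current date) still name hosts that may no longer resolve, so the list is a set of candidates to verify, not live assets.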

Subdomain Enumeration

Tools like Sublist3r, SubBrute, Amass, and Gobuster can enumerate subdomains automatically with a variety of wordlists and strategies.

Recommended wordlists for enumeration:

  • https://github.com/danielmiessler/SecLists/
  • You can also use a wordlist generation tool like Commonspeak2 (https://github.com/assetnote/commonspeak2/) to generate wordlists based on the most current internet data.

You can merge several wordlists, found online or generated yourself, to get the most comprehensive results. Here is a simple command that removes duplicates from a pair of wordlists:

sort -u wordlist1.txt wordlist2.txt

The -u option tells sort to return only the unique items of the sorted list.

Gobuster is a tool for brute-force discovery of subdomains, directories and files on a target web server. Its DNS mode is used for subdomain brute-forcing. In this mode, the -d flag specifies the domain to brute-force and the -w flag specifies the wordlist to use:

gobuster dns -d target_domain -w wordlist

A good tool for automating this process is Altdns (https://github.com/infosec-au/altdns/), which discovers subdomains with names that are permutations of other subdomain names.

Service Enumeration

Nmap or Masscan for active scanning

$ nmap scanme.nmap.org

In passive scanning, on the other hand, you use third-party resources to learn about a machine's ports without interacting with the server.

To find services on a machine without actively scanning it, you can use Shodan, a search engine that lets users find machines connected to the internet.

Directory Brute-Forcing

You can use Dirsearch or Gobuster for directory brute-forcing.

Here is an example of running a Dirsearch command. The -u flag specifies the hostname and the -e flag specifies the file extensions to use when building URLs:

$ ./dirsearch.py -u scanme.nmap.org -e php

Gobuster's dir mode is used to find additional content on a specific domain or subdomain, including hidden directories and files. In this mode, the -u flag specifies the domain or subdomain to brute-force and -w specifies the wordlist to use:

gobuster dir -u target_url -w wordlist

Use a screenshot tool like EyeWitness (https://github.com/FortyNorthSecurity/EyeWitness/) or Snapper (https://github.com/dxa4481/Snapper/) to automatically verify that a page actually exists at each location.

Spidering the Site

OWASP Zed Attack Proxy (ZAP)

Burp Suite has an equivalent tool called the crawler.

Third-Party Hosting (cloud platforms; use Google-style dorks)

GrayhatWarfare (https://buckets.grayhatwarfare.com/) is an online search engine you can use to find publicly exposed S3 buckets.

GitHub Recon (finding sensitive data in code repositories)

After discovering leaked credentials, you can use KeyHacks (https://github.com/streaak/keyhacks/) to check whether the credentials are still valid and learn how they could be used to access the target's services.

Tools such as Gitrob and TruffleHog can automate the GitHub recon process.

Gitrob (https://github.com/michenriksen/gitrob/) finds potentially sensitive files that have been pushed to public repositories on GitHub.

TruffleHog (https://github.com/trufflesecurity/truffleHog/) specializes in finding secrets in repositories by running regular-expression searches and scanning for high-entropy strings.

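Added example (not TruffleHog's code or the book's): a minimal secret scanner that combines the two approaches just described, regex patterns and Shannon-entropy scoring of base64- and hex-charset runs, over constructed sample file contents. The pattern table, the 20-character minimum run length and the 4.5/3.0 entropy thresholds are illustrative assumptions; the AKIA value is AWS's own documentation example, not a real key.

```python
import math
import re
from collections import Counter

# Character sets for the entropy scan (the classic TruffleHog approach); the thresholds below are illustrative assumptions.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
# Hypothetical pattern table; AKIA followed by 16 uppercase alphanumerics is the documented AWS access key ID shape.
PATTERNS = {"aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}")}

SAMPLE = """\
# constructed sample config, not real credentials
db_host = db.internal.example
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_token = a9F3kQ7zX2mP8vL4nB6wE1rT5yU0iO
build_sha = 3f9c1e7a2b8d4c6f0e5a9b1d7c3e8f2a4b6d0c9e
greeting = hello_world_this_is_a_long_plain_identifier
"""


def shannon_entropy(data: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty input."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def charset_runs(word: str, charset: str, min_len: int):
    """Yield maximal substrings of word drawn from charset that are at least min_len long."""
    run = ""
    for ch in word + " ":  # trailing space (never inside a split() word) flushes the last run
        if ch in charset:
            run += ch
            continue
        if len(run) >= min_len:
            yield run
        run = ""


def scan_text(text: str, b64_threshold: float = 4.5, hex_threshold: float = 3.0) -> list:
    """Return (line_number, reason, candidate) tuples for regex hits and high-entropy tokens."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            findings += [(lineno, f"regex:{name}", m.group(0)) for m in pat.finditer(line)]
        for word in line.split():
            for run in charset_runs(word, BASE64_CHARS, 20):
                if shannon_entropy(run) > b64_threshold:
                    findings.append((lineno, "entropy:base64", run))
            for run in charset_runs(word, HEX_CHARS, 20):  # 16-symbol alphabet caps entropy at 4 bits, hence the lower bar
                if shannon_entropy(run) > hex_threshold:
                    findings.append((lineno, "entropy:hex", run))
    return findings
```

The AKIA key scores only about 3.7 bits and would slip past the entropy check, which is why the regex pass exists; conversely the 40-character hex hit is indistinguishable from a git commit hash, so entropy findings always need triage before anyone treats them as leaked secrets.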
Other Sneaky OSINT Techniques

open source intelligence (OSINT)

Tools Mentioned in This Chapter

Scope Discovery

  • WHOIS looks for the owner of a domain or IP.
  • ViewDNS.info reverse WHOIS (https://viewdns.info/reversewhois/) is a tool that searches for reverse WHOIS data by using a keyword.
  • nslookup queries internet name servers for IP information about a host.
  • ViewDNS reverse IP (https://viewdns.info/reverseip/) looks for domains hosted on the same server, given an IP or domain.
  • crt.sh (https://crt.sh/), Censys (https://censys.io/), and Cert Spotter (https://sslmate.com/certspotter/) are platforms you can use to find certificate information about a domain.
  • Sublist3r (https://github.com/aboul3la/Sublist3r/), SubBrute (https://github.com/TheRook/subbrute/), Amass (https://github.com/OWASP/Amass/), and Gobuster (https://github.com/OJ/gobuster/) enumerate subdomains.
  • Daniel Miessler's SecLists (https://github.com/danielmiessler/SecLists/) is a list of keywords that can be used during various phases of recon and hacking. For example, it contains lists that can be used to brute-force subdomains and filepaths.
  • Commonspeak2 (https://github.com/assetnote/commonspeak2/) generates lists that can be used to brute-force subdomains and filepaths using publicly available data.
  • Altdns (https://github.com/infosec-au/altdns) brute-forces subdomains by using permutations of common subdomain names.
  • Nmap (https://nmap.org/) and Masscan (https://github.com/robertdavidgraham/masscan/) scan the target for open ports.
  • Shodan (https://www.shodan.io/), Censys (https://censys.io/), and Project Sonar (https://www.rapid7.com/research/project-sonar/) can be used to find services on targets without actively scanning them.
  • Dirsearch (https://github.com/maurosoria/dirsearch/) and Gobuster (https://github.com/OJ/gobuster) are directory brute-forcers used to find hidden filepaths.
  • EyeWitness (https://github.com/FortyNorthSecurity/EyeWitness/) and Snapper (https://github.com/dxa4481/Snapper/) grab screenshots of a list of URLs. They can be used to quickly scan for interesting pages among a list of enumerated paths.
  • OWASP ZAP (https://owasp.org/www-project-zap/) is a security tool that includes a scanner, proxy, and much more. Its web spider can be used to discover content on a web server.
  • GrayhatWarfare (https://buckets.grayhatwarfare.com/) is an online search engine you can use to find public Amazon S3 buckets.
  • Lazys3 (https://github.com/nahamsec/lazys3/) and Bucket Stream (https://github.com/eth0izzle/bucket-stream/) brute-force buckets by using keywords.

OSINT

  • The Google Hacking Database (https://www.exploit-db.com/google-hacking-database/) contains useful Google search terms that frequently reveal vulnerabilities or sensitive files.
  • KeyHacks (https://github.com/streaak/keyhacks/) helps you determine whether a set of credentials is valid and learn how to use them to access the target's services.
  • Gitrob (https://github.com/michenriksen/gitrob/) finds potentially sensitive files that are pushed to public repositories on GitHub.
  • TruffleHog (https://github.com/trufflesecurity/truffleHog/) specializes in finding secrets in public GitHub repositories by searching for string patterns and high-entropy strings.
  • PasteHunter (https://github.com/kevthehermit/PasteHunter/) scans online paste sites for sensitive information.
  • Wayback Machine (https://archive.org/web/) is a digital archive of internet content. You can use it to find old versions of sites and their files.
  • Waybackurls (https://github.com/tomnomnom/waybackurls/) fetches URLs from the Wayback Machine.

Tech Stack Fingerprinting

  • The CVE database (https://cve.mitre.org/cve/search_cve_list.html) contains publicly disclosed vulnerabilities. You can use its website to search for vulnerabilities that might affect your target.
  • Wappalyzer (https://www.wappalyzer.com/) identifies content management systems, frameworks, and programming languages used on a site.
  • BuiltWith (https://builtwith.com/) is a website that shows you which web technologies a website is built with.
  • StackShare (https://stackshare.io/) is an online platform that allows developers to share the tech they use. You can use it to collect information about your target.
  • Retire.js (https://retirejs.github.io/retire.js/) detects outdated JavaScript libraries and Node.js packages.


 
