iT邦幫忙

2025 iThome 鐵人賽 (Ironman Contest)

DAY 14

🧂 Preface

Today I'm sharing the OSINT side of collecting information about a website or domain. When hunting web vulnerabilities or doing a penetration test, you normally need to reconnoitre the site first to find an entry point that can be broken through, so today I'll cover a few tools I regularly use.


Wayback Machine

Website link: http://web.archive.org/

This site is an online service maintained by the Internet Archive. It periodically takes snapshots of web pages and archives them, so anyone can see what a given site looked like at different points in the past.

For example, if I want to see what https://yunshiuan.com/ used to look like, I just enter the URL and have a look.

It turns out a snapshot was taken on 8/15; clicking into it shows what the page looked like on 8/15.
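As an added example (not code from the original post), the same lookup can be scripted against the Wayback Machine's CDX API: build the query for a domain, parse the JSON response, filter to the 8/15 captures, and turn each into the replay URL you would otherwise click into. The sample response below is constructed, and the function names are my own; checking your own domain this way shows what was publicly archived and may need cleaning up.

```python
import json
import urllib.parse

# Real CDX endpoint; the parameters used below (url, output, fl, filter, from, to) are documented ones.
CDX_API = "https://web.archive.org/cdx/search/cdx"

def cdx_query_url(domain, year=None):
    """Query listing every HTTP-200 capture under `domain`, optionally for one year."""
    params = {
        "url": f"{domain}/*",
        "output": "json",
        "fl": "timestamp,original,statuscode",
        "filter": "statuscode:200",
    }
    if year is not None:
        params["from"] = str(year)
        params["to"] = str(year)
    return f"{CDX_API}?{urllib.parse.urlencode(params)}"

def parse_cdx(body):
    """CDX JSON output is a list of rows, header row first; turn it into dicts."""
    rows = json.loads(body)
    if not rows:
        return []  # no captures for this URL
    header, *data = rows
    return [dict(zip(header, row)) for row in data]

def replay_url(snapshot):
    """URL that replays one capture, i.e. the page you click into on the site."""
    return f"https://web.archive.org/web/{snapshot['timestamp']}/{snapshot['original']}"

def snapshots_on(snapshots, yyyymmdd):
    """Captures taken on one day; CDX timestamps are YYYYMMDDhhmmss."""
    return [s for s in snapshots if s["timestamp"].startswith(yyyymmdd)]

# Constructed sample body in the shape of a real CDX JSON response (not live data).
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20250301120000", "https://yunshiuan.com/", "200"],
    ["20250815093012", "https://yunshiuan.com/", "200"],
    ["20250815093040", "https://yunshiuan.com/about", "200"],
])

if __name__ == "__main__":
    for snap in snapshots_on(parse_cdx(SAMPLE_CDX), "20250815"):
        print(replay_url(snap))
```

To run it against the live archive, fetch cdx_query_url("yunshiuan.com", 2025) and pass the response body to parse_cdx.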


Recon-ng

Installation

apt-get update && apt-get install recon-ng

Recon-ng is an OSINT collection framework written in Python and built around a modular, interactive command-line interface. It packages the various collection functions (DNS, WHOIS, search engines, API queries and so on) as "modules" that the user runs step by step inside a workspace, where the findings are stored and can be exported.

Recon-ng tutorial link: https://hackertarget.com/recon-ng-tutorial/

Overall operation resembles Metasploit: you load a module, set its parameters, then run it.

After starting recon-ng, use marketplace search to see which modules are available

$ [recon-ng][default] > marketplace search

  +--------------------------------------------------------------------------------------------------+
  |                        Path                       | Version |     Status    |  Updated   | D | K |
  +--------------------------------------------------------------------------------------------------+
  | discovery/info_disclosure/cache_snoop             | 1.1     | not installed | 2020-10-13 |   |   |
  | discovery/info_disclosure/interesting_files       | 1.2     | not installed | 2021-10-04 |   |   |
  | exploitation/injection/command_injector           | 1.0     | not installed | 2019-06-24 |   |   |
  | exploitation/injection/xpath_bruter               | 1.2     | not installed | 2019-10-08 |   |   |
  | import/csv_file                                   | 1.1     | not installed | 2019-08-09 |   |   |
  | import/list                                       | 1.1     | not installed | 2019-06-24 |   |   |
  | import/masscan                                    | 1.0     | not installed | 2020-04-07 |   |   |
  | import/nmap                                       | 1.1     | not installed | 2020-10-06 |   |   |
  | recon/companies-contacts/bing_linkedin_cache      | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/companies-contacts/censys_email_address     | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/companies-contacts/pen                      | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/companies-domains/censys_subdomains         | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/companies-domains/pen                       | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/companies-domains/viewdns_reverse_whois     | 1.1     | not installed | 2021-08-24 |   |   |
  | recon/companies-domains/whoxy_dns                 | 1.1     | not installed | 2020-06-17 |   | * |
  | recon/companies-multi/censys_org                  | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/companies-multi/censys_tls_subjects         | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/companies-multi/github_miner                | 1.1     | not installed | 2020-05-15 |   | * |
  | recon/companies-multi/shodan_org                  | 1.1     | not installed | 2020-07-01 | * | * |
  | recon/companies-multi/whois_miner                 | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/contacts-contacts/abc                       | 1.0     | not installed | 2019-10-11 | * |   |
  | recon/contacts-contacts/mailtester                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-contacts/mangle                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-contacts/unmangle                  | 1.1     | not installed | 2019-10-27 |   |   |
  | recon/contacts-credentials/hibp_breach            | 1.2     | not installed | 2019-09-10 |   | * |
  | recon/contacts-credentials/hibp_paste             | 1.1     | not installed | 2019-09-10 |   | * |
  | recon/contacts-domains/censys_email_to_domains    | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/contacts-domains/migrate_contacts           | 1.1     | not installed | 2020-05-17 |   |   |
  | recon/contacts-profiles/fullcontact               | 1.1     | not installed | 2019-07-24 |   | * |
  | recon/credentials-credentials/adobe               | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/credentials-credentials/bozocrack           | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/credentials-credentials/hashes_org          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-companies/censys_companies          | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/domains-companies/pen                       | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/domains-companies/whoxy_whois               | 1.1     | not installed | 2020-06-24 |   | * |
  | recon/domains-contacts/hunter_io                  | 1.3     | not installed | 2020-04-14 |   | * |
  | recon/domains-contacts/metacrawler                | 1.1     | not installed | 2019-06-24 | * |   |
  | recon/domains-contacts/pen                        | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/domains-contacts/pgp_search                 | 1.4     | not installed | 2019-10-16 |   |   |
  | recon/domains-contacts/whois_pocs                 | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-contacts/wikileaker                 | 1.0     | not installed | 2020-04-08 |   |   |
  | recon/domains-domains/brute_suffix                | 1.1     | not installed | 2020-05-17 |   |   |
  | recon/domains-hosts/binaryedge                    | 1.2     | not installed | 2020-06-18 |   | * |
  | recon/domains-hosts/bing_domain_api               | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/bing_domain_web               | 1.1     | not installed | 2019-07-04 |   |   |
  | recon/domains-hosts/brute_hosts                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/builtwith                     | 1.1     | not installed | 2021-08-24 |   | * |
  | recon/domains-hosts/censys_domain                 | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/domains-hosts/certificate_transparency      | 1.3     | not installed | 2019-09-16 |   |   |
  | recon/domains-hosts/google_site_web               | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/hackertarget                  | 1.1     | installed     | 2020-05-17 |   |   |
  | recon/domains-hosts/mx_spf_ip                     | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/netcraft                      | 1.1     | not installed | 2020-02-05 |   |   |
  | recon/domains-hosts/shodan_hostname               | 1.1     | not installed | 2020-07-01 | * | * |
  | recon/domains-hosts/spyse_subdomains              | 1.1     | not installed | 2021-08-24 |   | * |
  | recon/domains-hosts/ssl_san                       | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/threatcrowd                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/threatminer                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-vulnerabilities/ghdb                | 1.1     | not installed | 2019-06-26 |   |   |
  | recon/domains-vulnerabilities/xssed               | 1.1     | not installed | 2020-10-18 |   |   |
  | recon/hosts-domains/migrate_hosts                 | 1.1     | not installed | 2020-05-17 |   |   |
  | recon/hosts-hosts/bing_ip                         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/censys_hostname                 | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/hosts-hosts/censys_ip                       | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/hosts-hosts/censys_query                    | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/hosts-hosts/ipinfodb                        | 1.2     | not installed | 2021-08-24 |   | * |
  | recon/hosts-hosts/ipstack                         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/resolve                         | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/reverse_resolve                 | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/ssltools                        | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/virustotal                      | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-locations/migrate_hosts               | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-ports/binaryedge                      | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-ports/shodan_ip                       | 1.2     | not installed | 2020-07-01 | * | * |
  | recon/locations-locations/geocode                 | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-locations/reverse_geocode         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/flickr                   | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/shodan                   | 1.1     | not installed | 2020-07-07 | * | * |
  | recon/locations-pushpins/twitter                  | 1.1     | not installed | 2019-10-17 |   | * |
  | recon/locations-pushpins/youtube                  | 1.2     | not installed | 2020-09-02 |   | * |
  | recon/netblocks-companies/censys_netblock_company | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/netblocks-companies/whois_orgs              | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-hosts/censys_netblock             | 2.1     | not installed | 2022-01-31 | * | * |
  | recon/netblocks-hosts/reverse_resolve             | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-hosts/shodan_net                  | 1.2     | not installed | 2020-07-21 | * | * |
  | recon/netblocks-hosts/virustotal                  | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/netblocks-ports/census_2012                 | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-ports/censysio                    | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/ports-hosts/migrate_ports                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/ports-hosts/ssl_scan                        | 1.1     | not installed | 2021-08-24 |   |   |
  | recon/profiles-contacts/bing_linkedin_contacts    | 1.2     | not installed | 2021-08-24 |   | * |
  | recon/profiles-contacts/dev_diver                 | 1.1     | not installed | 2020-05-15 |   |   |
  | recon/profiles-contacts/github_users              | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/namechk                   | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/profiler                  | 1.2     | not installed | 2023-12-30 |   |   |
  | recon/profiles-profiles/twitter_mentioned         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/twitter_mentions          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-repositories/github_repos          | 1.1     | not installed | 2020-05-15 |   | * |
  | recon/repositories-profiles/github_commits        | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/repositories-vulnerabilities/gists_search   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/repositories-vulnerabilities/github_dorks   | 1.0     | not installed | 2019-06-24 |   | * |
  | reporting/csv                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/html                                    | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/json                                    | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/list                                    | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/proxifier                               | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/pushpin                                 | 1.0     | not installed | 2019-06-24 |   | * |
  | reporting/xlsx                                    | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/xml                                     | 1.1     | not installed | 2019-06-24 |   |   |
  +--------------------------------------------------------------------------------------------------+

Next I'll demonstrate using hackertarget to find hostnames

First, install hackertarget

marketplace install hackertarget

Then load it

modules load hackertarget

Next, use info to see which parameters it needs

$ [recon-ng][default][hackertarget] > info

      Name: HackerTarget Lookup
    Author: Michael Henriksen (@michenriksen)
   Version: 1.1

Description:
  Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE                 yes       source of input (see 'info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

You can see that SOURCE needs a value: this field takes the domain to reconnoitre, using google.com as the example.

Set SOURCE with the command below

options set SOURCE google.com

Run info again and you can see it has been set to google.com

$ [recon-ng][default][hackertarget] > info

      Name: HackerTarget Lookup
    Author: Michael Henriksen (@michenriksen)
   Version: 1.1

Description:
  Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  google.com     yes       source of input (see 'info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

Next, type run and it starts executing

Results appear while it runs; finally, the show hosts command prints the results as a table
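As an added example rather than Recon-ng's own code, this Python script reproduces what the whole install / load / set SOURCE / run / show hosts sequence above does under the hood: query the HackerTarget hostsearch API, parse its host,ip lines, and keep the results in a SQLite hosts table that can be listed like show hosts. The sample response is constructed, and the table columns are an assumption (Recon-ng's real hosts table has more of them); it also rejects the API's plain-text error replies instead of storing them as hosts.

```python
import sqlite3
import urllib.request

# Real HackerTarget endpoint the Recon-ng hackertarget module queries.
HOSTSEARCH = "https://api.hackertarget.com/hostsearch/?q="

def fetch_hostsearch(domain):
    """Download the raw 'host,ip' listing for a domain (live network call)."""
    with urllib.request.urlopen(HOSTSEARCH + domain, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def parse_hostsearch(body):
    """Parse the text response into (host, ip) pairs. The API reports problems
    (quota exceeded, bad input) as a line with no comma: raise, don't store it."""
    pairs = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        if "," not in line:
            raise ValueError(f"hackertarget error response: {line}")
        host, ip = line.split(",", 1)
        pairs.append((host.strip().lower(), ip.strip()))
    return pairs

def open_db(path=":memory:"):
    """Workspace database; Recon-ng keeps one SQLite file per workspace."""
    return sqlite3.connect(path)

def store_hosts(conn, pairs, module="hackertarget"):
    """Insert into a hosts table modelled on Recon-ng's (columns assumed), skipping duplicates."""
    conn.execute("CREATE TABLE IF NOT EXISTS hosts (host TEXT, ip_address TEXT,"
                 " module TEXT, UNIQUE(host, ip_address))")
    before = conn.total_changes
    conn.executemany("INSERT OR IGNORE INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
                     [(h, ip, module) for h, ip in pairs])
    conn.commit()
    return conn.total_changes - before  # number of new rows

def show_hosts(conn):
    """Equivalent of `show hosts`: every stored host, sorted."""
    return conn.execute("SELECT host, ip_address FROM hosts ORDER BY host").fetchall()

# Constructed sample body in the API's line format (TEST-NET addresses, not real results).
SAMPLE_BODY = "www.example.com,192.0.2.10\nmail.example.com,192.0.2.20\nwww.example.com,192.0.2.10\n"

if __name__ == "__main__":
    db = open_db()
    store_hosts(db, parse_hostsearch(SAMPLE_BODY))
    print(show_hosts(db))
```

Running this against your own domains gives a quick inventory of what third-party passive DNS already exposes, which is the same data an outside party would start from.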


Whois.domaintools

Website link: https://whois.domaintools.com/

This site shows information about a domain, including the registrar, when it was registered, when it expires, when it was last updated, and so on


Summary

Today I introduced a few tools for learning things about a website's domain; they help whether we later need to pentest the site or just want to use the information as leads.


Series: Blue 了 Blue 了!只會看封包與log的我錯了嗎! (Blue'd, blue'd! Am I wrong for only looking at packets and logs?)