Today I want to share OSINT data collection against a website or domain. When hunting web vulnerabilities or doing a penetration test, you normally need to reconnoitre the site first to find an entry point that can be broken through, so today I'll share some of the tools I commonly use.
Website: http://web.archive.org/
This site is an online service maintained by the Internet Archive. It periodically takes snapshots of web pages and archives them, so people can see what a given site looked like at different points in the past.
For example, if I want to see what https://yunshiuan.com/ used to look like, I can enter the URL and have a look.
I found that a snapshot had been taken on 8/15; clicking into it shows what the page looked like on 8/15.
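The same lookup can be done without the browser. The block below is an added example, not code from the original post or from the Internet Archive: it queries the public CDX API at web.archive.org/cdx/search/cdx (the endpoint, its `from`/`to`/`filter`/`collapse` parameters and the JSON header row are the API's own) and turns each capture into a snapshot URL of the form `http://web.archive.org/web/<timestamp>/<original>`. `SAMPLE_ROWS` is a constructed response so the parser can be exercised offline.

```python
"""Wayback Machine snapshot lookup via the CDX API (added example)."""
import json
import urllib.parse
import urllib.request

CDX_ENDPOINT = "http://web.archive.org/cdx/search/cdx"


def build_cdx_url(site, year_from=None, year_to=None, status="200"):
    """Build a CDX query that returns one capture per day with the given HTTP status."""
    params = {
        "url": site,
        "output": "json",
        "filter": f"statuscode:{status}",
        "collapse": "timestamp:8",  # collapse captures to one per YYYYMMDD
    }
    if year_from:
        params["from"] = str(year_from)
    if year_to:
        params["to"] = str(year_to)
    return f"{CDX_ENDPOINT}?{urllib.parse.urlencode(params)}"


def format_timestamp(ts):
    """CDX timestamps are YYYYMMDDhhmmss; render them as a readable date/time."""
    return f"{ts[0:4]}-{ts[4:6]}-{ts[6:8]} {ts[8:10]}:{ts[10:12]}:{ts[12:14]}"


def parse_cdx(rows):
    """rows is the JSON array the API returns: a header row, then one row per capture.

    Returns one dict per capture with a ready-to-open snapshot URL added.
    """
    if not rows:
        return []
    header, *data = rows
    captures = []
    for row in data:
        rec = dict(zip(header, row))
        rec["when"] = format_timestamp(rec["timestamp"])
        rec["snapshot_url"] = f"http://web.archive.org/web/{rec['timestamp']}/{rec['original']}"
        captures.append(rec)
    return captures


def fetch_snapshots(site, **kwargs):
    """Live lookup (needs network): query the CDX API and parse the result."""
    with urllib.request.urlopen(build_cdx_url(site, **kwargs), timeout=30) as resp:
        return parse_cdx(json.load(resp))


# Constructed sample in the exact shape the API returns with output=json.
SAMPLE_ROWS = [
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,example)/", "20230815032107", "https://example.com/", "text/html", "200", "AAAA", "1234"],
    ["com,example)/", "20231102111542", "https://example.com/", "text/html", "200", "BBBB", "1300"],
]

if __name__ == "__main__":
    for cap in parse_cdx(SAMPLE_ROWS):
        print(cap["when"], cap["snapshot_url"])
```

Replace `parse_cdx(SAMPLE_ROWS)` with `fetch_snapshots("yunshiuan.com", year_from=2023)` to list the real captures; the `collapse` parameter keeps the list to one entry per day, which is usually what you want when you are scanning for when a page changed.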
Installation
apt-get update && apt-get install recon-ng
Recon-ng is an OSINT collection framework written in Python, designed around modules and an interactive command-line interface. It packages the various information-gathering functions (DNS, WHOIS, search engines, API queries, etc.) as "modules", and the user runs them step by step inside a workspace, saving and exporting the investigation results.
Recon-ng tutorial link: https://hackertarget.com/recon-ng-tutorial/
The overall workflow is similar to Metasploit: you first load a module, set its parameters, and then run it.
Run recon-ng directly, then use marketplace search to see which modules are available:
$ [recon-ng][default] > marketplace search
+--------------------------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+--------------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop | 1.1 | not installed | 2020-10-13 | | |
| discovery/info_disclosure/interesting_files | 1.2 | not installed | 2021-10-04 | | |
| exploitation/injection/command_injector | 1.0 | not installed | 2019-06-24 | | |
| exploitation/injection/xpath_bruter | 1.2 | not installed | 2019-10-08 | | |
| import/csv_file | 1.1 | not installed | 2019-08-09 | | |
| import/list | 1.1 | not installed | 2019-06-24 | | |
| import/masscan | 1.0 | not installed | 2020-04-07 | | |
| import/nmap | 1.1 | not installed | 2020-10-06 | | |
| recon/companies-contacts/bing_linkedin_cache | 1.0 | not installed | 2019-06-24 | | * |
| recon/companies-contacts/censys_email_address | 2.1 | not installed | 2022-01-31 | * | * |
| recon/companies-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/censys_subdomains | 2.1 | not installed | 2022-01-31 | * | * |
| recon/companies-domains/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/viewdns_reverse_whois | 1.1 | not installed | 2021-08-24 | | |
| recon/companies-domains/whoxy_dns | 1.1 | not installed | 2020-06-17 | | * |
| recon/companies-multi/censys_org | 2.1 | not installed | 2022-01-31 | * | * |
| recon/companies-multi/censys_tls_subjects | 2.1 | not installed | 2022-01-31 | * | * |
| recon/companies-multi/github_miner | 1.1 | not installed | 2020-05-15 | | * |
| recon/companies-multi/shodan_org | 1.1 | not installed | 2020-07-01 | * | * |
| recon/companies-multi/whois_miner | 1.1 | not installed | 2019-10-15 | | |
| recon/contacts-contacts/abc | 1.0 | not installed | 2019-10-11 | * | |
| recon/contacts-contacts/mailtester | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-contacts/mangle | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-contacts/unmangle | 1.1 | not installed | 2019-10-27 | | |
| recon/contacts-credentials/hibp_breach | 1.2 | not installed | 2019-09-10 | | * |
| recon/contacts-credentials/hibp_paste | 1.1 | not installed | 2019-09-10 | | * |
| recon/contacts-domains/censys_email_to_domains | 2.1 | not installed | 2022-01-31 | * | * |
| recon/contacts-domains/migrate_contacts | 1.1 | not installed | 2020-05-17 | | |
| recon/contacts-profiles/fullcontact | 1.1 | not installed | 2019-07-24 | | * |
| recon/credentials-credentials/adobe | 1.0 | not installed | 2019-06-24 | | |
| recon/credentials-credentials/bozocrack | 1.0 | not installed | 2019-06-24 | | |
| recon/credentials-credentials/hashes_org | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-companies/censys_companies | 2.1 | not installed | 2022-01-31 | * | * |
| recon/domains-companies/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-companies/whoxy_whois | 1.1 | not installed | 2020-06-24 | | * |
| recon/domains-contacts/hunter_io | 1.3 | not installed | 2020-04-14 | | * |
| recon/domains-contacts/metacrawler | 1.1 | not installed | 2019-06-24 | * | |
| recon/domains-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-contacts/pgp_search | 1.4 | not installed | 2019-10-16 | | |
| recon/domains-contacts/whois_pocs | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-contacts/wikileaker | 1.0 | not installed | 2020-04-08 | | |
| recon/domains-domains/brute_suffix | 1.1 | not installed | 2020-05-17 | | |
| recon/domains-hosts/binaryedge | 1.2 | not installed | 2020-06-18 | | * |
| recon/domains-hosts/bing_domain_api | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/bing_domain_web | 1.1 | not installed | 2019-07-04 | | |
| recon/domains-hosts/brute_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/builtwith | 1.1 | not installed | 2021-08-24 | | * |
| recon/domains-hosts/censys_domain | 2.1 | not installed | 2022-01-31 | * | * |
| recon/domains-hosts/certificate_transparency | 1.3 | not installed | 2019-09-16 | | |
| recon/domains-hosts/google_site_web | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/hackertarget | 1.1 | installed | 2020-05-17 | | |
| recon/domains-hosts/mx_spf_ip | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/netcraft | 1.1 | not installed | 2020-02-05 | | |
| recon/domains-hosts/shodan_hostname | 1.1 | not installed | 2020-07-01 | * | * |
| recon/domains-hosts/spyse_subdomains | 1.1 | not installed | 2021-08-24 | | * |
| recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatcrowd | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatminer | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-vulnerabilities/ghdb | 1.1 | not installed | 2019-06-26 | | |
| recon/domains-vulnerabilities/xssed | 1.1 | not installed | 2020-10-18 | | |
| recon/hosts-domains/migrate_hosts | 1.1 | not installed | 2020-05-17 | | |
| recon/hosts-hosts/bing_ip | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/censys_hostname | 2.1 | not installed | 2022-01-31 | * | * |
| recon/hosts-hosts/censys_ip | 2.1 | not installed | 2022-01-31 | * | * |
| recon/hosts-hosts/censys_query | 2.1 | not installed | 2022-01-31 | * | * |
| recon/hosts-hosts/ipinfodb | 1.2 | not installed | 2021-08-24 | | * |
| recon/hosts-hosts/ipstack | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-locations/migrate_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-ports/binaryedge | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-ports/shodan_ip | 1.2 | not installed | 2020-07-01 | * | * |
| recon/locations-locations/geocode | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-locations/reverse_geocode | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/flickr | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/shodan | 1.1 | not installed | 2020-07-07 | * | * |
| recon/locations-pushpins/twitter | 1.1 | not installed | 2019-10-17 | | * |
| recon/locations-pushpins/youtube | 1.2 | not installed | 2020-09-02 | | * |
| recon/netblocks-companies/censys_netblock_company | 2.1 | not installed | 2022-01-31 | * | * |
| recon/netblocks-companies/whois_orgs | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-hosts/censys_netblock | 2.1 | not installed | 2022-01-31 | * | * |
| recon/netblocks-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-hosts/shodan_net | 1.2 | not installed | 2020-07-21 | * | * |
| recon/netblocks-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/netblocks-ports/census_2012 | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-ports/censysio | 1.0 | not installed | 2019-06-24 | | * |
| recon/ports-hosts/migrate_ports | 1.0 | not installed | 2019-06-24 | | |
| recon/ports-hosts/ssl_scan | 1.1 | not installed | 2021-08-24 | | |
| recon/profiles-contacts/bing_linkedin_contacts | 1.2 | not installed | 2021-08-24 | | * |
| recon/profiles-contacts/dev_diver | 1.1 | not installed | 2020-05-15 | | |
| recon/profiles-contacts/github_users | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/namechk | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/profiler | 1.2 | not installed | 2023-12-30 | | |
| recon/profiles-profiles/twitter_mentioned | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/twitter_mentions | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-repositories/github_repos | 1.1 | not installed | 2020-05-15 | | * |
| recon/repositories-profiles/github_commits | 1.0 | not installed | 2019-06-24 | | * |
| recon/repositories-vulnerabilities/gists_search | 1.0 | not installed | 2019-06-24 | | |
| recon/repositories-vulnerabilities/github_dorks | 1.0 | not installed | 2019-06-24 | | * |
| reporting/csv | 1.0 | not installed | 2019-06-24 | | |
| reporting/html | 1.0 | not installed | 2019-06-24 | | |
| reporting/json | 1.0 | not installed | 2019-06-24 | | |
| reporting/list | 1.0 | not installed | 2019-06-24 | | |
| reporting/proxifier | 1.0 | not installed | 2019-06-24 | | |
| reporting/pushpin | 1.0 | not installed | 2019-06-24 | | * |
| reporting/xlsx | 1.0 | not installed | 2019-06-24 | | |
| reporting/xml | 1.1 | not installed | 2019-06-24 | | |
+--------------------------------------------------------------------------------------------------+
Next I'll demonstrate using hackertarget to look up hostnames. First, install hackertarget:
marketplace install hackertarget
Then load it:
modules load hackertarget
Next, use info to see which parameters it needs:
$ [recon-ng][default][hackertarget] > info
Name: HackerTarget Lookup
Author: Michael Henriksen (@michenriksen)
Version: 1.1
Description:
Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.
Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE yes source of input (see 'info' for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
From this we can see that SOURCE needs a value; that field is the domain to investigate. Using google.com as the example, set SOURCE with the following command:
options set SOURCE google.com
Run info again and you can see it has been set to google.com:
$ [recon-ng][default][hackertarget] > info
Name: HackerTarget Lookup
Author: Michael Henriksen (@michenriksen)
Version: 1.1
Description:
Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.
Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE google.com yes source of input (see 'info' for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
Next, type run and the module starts executing. Results appear during execution as well; finally, running the show hosts command displays the results as a table.
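To make clear what the install / load / options set SOURCE / run / show hosts sequence actually does, here is an added example that is not code from the recon-ng project or from the original post. It queries HackerTarget's public hostsearch endpoint (the same API the module's description names), stores the results in a sqlite `hosts` table, skips pairs that are already present, and runs the module's default SOURCE query (`SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL`) when no explicit source is given. The table layout and the `user_defined`/`hackertarget` module labels are assumptions modelled on recon-ng's workspace database; `SAMPLE_RESPONSE` is constructed (RFC 5737 documentation addresses) so the script runs offline.

```python
"""Stand-alone reproduction of the hackertarget module's workflow (added example)."""
import sqlite3
import urllib.parse
import urllib.request

HOSTSEARCH = "https://api.hackertarget.com/hostsearch/?q="


def parse_hostsearch(text):
    """HackerTarget answers with one 'hostname,ip' per line.

    Lines without a comma (error or quota messages) are skipped rather than stored as hosts.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if "," not in line:
            continue
        host, _, ip = line.partition(",")
        host, ip = host.strip().lower(), ip.strip()
        if host and ip:
            records.append((host, ip))
    return records


def fetch_hostsearch(domain):
    """Live query (needs network)."""
    with urllib.request.urlopen(HOSTSEARCH + urllib.parse.quote(domain), timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


def open_db(path=":memory:"):
    """Workspace database; columns follow recon-ng's hosts/domains tables (assumption)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS domains (domain TEXT, notes TEXT, module TEXT)")
    db.execute(
        "CREATE TABLE IF NOT EXISTS hosts (host TEXT, ip_address TEXT, region TEXT, "
        "country TEXT, latitude TEXT, longitude TEXT, notes TEXT, module TEXT)"
    )
    return db


def add_domain(db, domain, module="user_defined"):
    db.execute("INSERT INTO domains (domain, module) VALUES (?, ?)", (domain, module))
    db.commit()


def default_sources(db):
    """The module's default SOURCE: every distinct domain already in the workspace."""
    rows = db.execute("SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL")
    return [r[0] for r in rows]


def add_hosts(db, records, module="hackertarget"):
    """Insert only (host, ip) pairs not already present; return how many were added."""
    added = 0
    for host, ip in records:
        if db.execute("SELECT 1 FROM hosts WHERE host = ? AND ip_address = ?", (host, ip)).fetchone():
            continue
        db.execute("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", (host, ip, module))
        added += 1
    db.commit()
    return added


def show_hosts(db):
    """Equivalent of 'show hosts': (host, ip_address, module) rows."""
    return db.execute("SELECT host, ip_address, module FROM hosts ORDER BY host, ip_address").fetchall()


def run_module(db, source=None, fetch=fetch_hostsearch):
    """Mirror 'options set SOURCE <x>' followed by 'run'.

    A string source is used as-is; with no source the default SOURCE query supplies the domains.
    """
    domains = [source] if source else default_sources(db)
    return sum(add_hosts(db, parse_hostsearch(fetch(domain))) for domain in domains)


# Constructed sample response: a duplicate line and a non-host message line are included.
SAMPLE_RESPONSE = """www.example.com,192.0.2.10
mail.example.com,192.0.2.25
www.example.com,192.0.2.10
api quota message (constructed)
"""

if __name__ == "__main__":
    db = open_db()
    print(run_module(db, source="example.com", fetch=lambda d: SAMPLE_RESPONSE), "new hosts")
    for row in show_hosts(db):
        print(row)
```

Passing `fetch=fetch_hostsearch` (the default) and a real domain performs the live lookup; the dedupe in `add_hosts` is what lets you re-run the module after adding more domains without the hosts table filling up with repeats, which is the same reason recon-ng reports "x total (y new) hosts found".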
Website: https://whois.domaintools.com/
This site shows information about a domain, including the registrar, when it was registered, when it expires, and when it was last updated.
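The fields that page displays come from the domain's WHOIS record, which can also be pulled directly. The block below is an added example, not code from the original post or from DomainTools: it speaks the plain WHOIS protocol (TCP port 43), starting at whois.iana.org and following the `refer:` / `Registrar WHOIS Server:` lines to the registry and registrar servers, then extracts registrar, creation, expiry and last-updated values from the `key: value` lines. The label list in `FIELD_ALIASES` covers the common gTLD labels and is an assumption for other registries; `SAMPLE_WHOIS` is a constructed record used to exercise the parser offline.

```python
"""Registrar and date fields from a WHOIS record (added example)."""
import socket

# Field labels seen in gTLD registry/registrar records and in IANA's referral answers.
FIELD_ALIASES = {
    "registrar": ("registrar",),
    "created": ("creation date", "created", "registered on"),
    "expires": ("registry expiry date", "registrar registration expiration date",
                "expiry date", "expiration date"),
    "updated": ("updated date", "last updated", "last modified"),
    "refer": ("refer", "whois", "registrar whois server"),  # next server to ask
}


def whois_query(domain, server="whois.iana.org", port=43):
    """Raw WHOIS lookup (needs network): send the name, read until the server closes."""
    with socket.create_connection((server, port), timeout=15) as sock:
        sock.sendall(f"{domain}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text):
    """Return the first value seen for each field in FIELD_ALIASES."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        # comment lines and the legal footer carry no fields
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")  # split on the first colon only; dates contain colons
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        for field, names in FIELD_ALIASES.items():
            if key in names and field not in found:
                found[field] = value
    return found


def follow_referrals(domain, max_hops=3):
    """Chase referrals IANA -> registry -> registrar and return the last record (needs network)."""
    server, record = "whois.iana.org", {}
    for _ in range(max_hops):
        record = parse_whois(whois_query(domain, server))
        nxt = record.get("refer")
        if not nxt or nxt.lower() == server.lower():
            break
        server = nxt
    return record


# Constructed sample record in the usual gTLD layout.
SAMPLE_WHOIS = """% constructed sample, not a real lookup
Domain Name: EXAMPLE.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Updated Date: 2023-08-14T07:01:31Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z
Registrar: Example Registrar, Inc.
Registrar IANA ID: 0
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
>>> Last update of whois database: 2023-09-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    for field, value in parse_whois(SAMPLE_WHOIS).items():
        print(f"{field:10} {value}")
```

`follow_referrals("example.com")` performs the live chain. Thin registries (such as .com) only hold the dates and the registrar's server name, so the registrar hop is where contact details appear when they are not redacted; the expiry date is worth recording because a lapsed registration is a classic way for a domain referenced by your own systems to change hands.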
Today I introduced a few tools for learning things about a website's domain; they help when we later need to penetration-test the site, or simply serve as leads.