Information Gathering in Penetration Testing

1. Information Gathering in Penetration Testing

1.1 Collecting domain information

1.1.1 whois lookup
```text
$ whois starbucks.com
Domain Name: STARBUCKS.COM
Registry Domain ID: 993367_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2018-10-20T05:46:56Z
Creation Date: 1993-10-25T04:00:00Z
Registry Expiry Date: 2019-10-24T04:00:00Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: A4.NSTLD.COM
Name Server: F4.NSTLD.COM
Name Server: G4.NSTLD.COM
Name Server: H4.NSTLD.COM
Name Server: J4.NSTLD.COM
Name Server: L4.NSTLD.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-03-12T12:43:59Z <<<
>>> Last update of WHOIS database: 2018-10-20T05:46:56Z <<<
```
Domain information can also be looked up on the following sites:
https://whois.aizhan.com/
http://whois.chinaz.com/
https://www.virustotal.com/#/home/url
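The script below is an added example, not part of the original post. It parses a trimmed, constructed copy of the whois record shown above and pulls out what a domain owner should verify on their own record: the delegated name servers, whether registrar transfer locks are set, whether DNSSEC is enabled, and how many days remain before expiry.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the whois record quoted above.
SAMPLE_WHOIS = """\
Domain Name: STARBUCKS.COM
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2018-10-20T05:46:56Z
Creation Date: 1993-10-25T04:00:00Z
Registry Expiry Date: 2019-10-24T04:00:00Z
Registrar: CSC Corporate Domains, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Name Server: A4.NSTLD.COM
Name Server: F4.NSTLD.COM
DNSSEC: unsigned
>>> Last update of whois database: 2019-03-12T12:43:59Z <<<
"""

# 'Key: value' lines; the lazy key match stops at the first colon, so URLs survive intact
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_whois(text):
    """Dict of lower-cased keys; repeated keys (Name Server, Domain Status) become lists."""
    record = {}
    for line in text.splitlines():
        m = _KV.match(line)  # the '>>> Last update' trailer does not match and is skipped
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record


def summarize(record, now_iso):
    """Facts a defender checks on their own domain: delegation, EPP locks, DNSSEC, expiry."""
    statuses = {s.split()[0] for s in record.get("domain status", [])}
    expiry = _utc(record["registry expiry date"][0])
    return {
        "name_servers": sorted(ns.lower() for ns in record.get("name server", [])),
        # either lock blocks an unauthorised registrar transfer
        "transfer_locked": bool(statuses & {"clientTransferProhibited", "serverTransferProhibited"}),
        "dnssec_signed": record.get("dnssec", ["unsigned"])[0].lower() != "unsigned",
        "days_to_expiry": (expiry - _utc(now_iso)).days,
    }


if __name__ == "__main__":
    print(summarize(parse_whois(SAMPLE_WHOIS), "2019-03-12T12:43:59Z"))
```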
1.1.2 ICP filing (备案) information: http://www.beianbeian.com

| No. | Organization | Type | ICP filing / licence no. | Site name | Home page | Review date |
|---|---|---|---|---|---|---|
| 1 | 星巴克企业管理(中国)有限公司 (Starbucks Enterprise Management (China) Co., Ltd.) | Enterprise | 沪ICP备17003747号-1 | Starbucks China official site | www.starbucks.com.cn | 2018-07-09 |
https://www.tianyancha.com/company/803257297
1.2 Collecting sensitive information with search-engine operators

| Operator | Meaning |
|---|---|
| site | restrict results to the given domain |
| inurl | pages whose URL contains the keyword |
| intext | keyword appears in the page body |
| filetype | restrict results to the given file type |
| intitle | keyword appears in the page title |
| link | link:baidu.com returns all URLs that link to baidu.com |
| info | basic information about the given site |
| cache | Google's cached copy of the given content |
1.3 Collecting subdomain information

Sublist3r collects subdomains by querying search engines:
https://github.com/aboul3la/Sublist3r
```shell
python sublist3r.py -d starbucks.com.cn
```
subDomainsBrute brute-forces subdomains through DNS and can enumerate names that search engines do not return:
https://github.com/lijiejie/subDomainsBrute
```shell
python subDomainsBrute.py starbucks.com.cn
```
https://dnsdumpster.com/
Certificate Transparency public log enumeration: look up the logs of issued HTTPS certificates
https://crt.sh/?q=starbucks.com.cn
https://censys.io/ipv4?q=starbucks.com.cn
1.4 Collecting common port information
```text
$ nmap -A 180.153.48.188
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-13 21:35 CST
Nmap scan report for 180.153.48.188
Host is up (0.030s latency).
Not shown: 980 closed ports
PORT     STATE    SERVICE      VERSION
42/tcp   filtered nameserver
80/tcp   open     http-proxy   HAProxy http proxy 1.3.1 or later
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Did not follow redirect to https://180.153.48.188/
88/tcp   open     http-proxy   HAProxy http proxy 1.3.1 or later
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Did not follow redirect to https://180.153.48.188:88/
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     ssl/http     nginx
|_http-server-header: nginx
|_http-title: \xE6\x98\x9F\xE5\xB7\xB4\xE5\x85\x8B | \xE7\x94\xA8\xE6\xAF\x8F\xE4\xB8\x80\xE6\x9D\xAF\xE5\x92\x96\xE5\x95\xA1\xE4\xBC\xA0\xE9\x80\x92\xE6\x98\x9F\xE5\xB7\xB4\xE5\x85\x8B\xE7\x8B\xAC\xE7\x89\xB9\xE7\x9A\x84\xE5\x92\x96\xE5\x95\xA1\xE4\xBD...
| ssl-cert: Subject: commonName=www.starbucks.com.cn/organizationName=Starbucks Coffee Company/stateOrProvinceName=Washington/countryName=US
| Subject Alternative Name: DNS:www.starbucks.com.cn, DNS:achievement.starbucks.com.cn, DNS:api.starbucks.com.cn, DNS:auth.starbucks.com.cn, DNS:callcenter.starbucks.com.cn, DNS:cards.starbucks.com.cn, DNS:coupons.starbucks.com.cn, DNS:emsr.starbucks.com.cn, DNS:giftcard.starbucks.com.cn, DNS:old.giftcard.starbucks.com.cn, DNS:old.rewards.starbucks.com.cn, DNS:profile.starbucks.com.cn, DNS:rewards.starbucks.com.cn
| Not valid before: 2018-06-26T00:00:00
|_Not valid after:  2019-06-26T23:59:59
|_ssl-date: TLS randomness does not represent time
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
901/tcp  filtered samba-swat
1025/tcp filtered NFS-or-IIS
1068/tcp filtered instl_bootc
1434/tcp filtered ms-sql-m
3128/tcp filtered squid-http
3333/tcp filtered dec-notes
4444/tcp filtered krb524
5800/tcp filtered vnc-http
5900/tcp filtered vnc
6129/tcp filtered unknown
6667/tcp filtered irc
9999/tcp open     ssl/abyss?
| ssl-cert: Subject: commonName=www.starbucks.com.cn/organizationName=Starbucks Coffee Company/stateOrProvinceName=Washington/countryName=US
| Subject Alternative Name: DNS:www.starbucks.com.cn, DNS:achievement.starbucks.com.cn, DNS:api.starbucks.com.cn, DNS:auth.starbucks.com.cn, DNS:callcenter.starbucks.com.cn, DNS:cards.starbucks.com.cn, DNS:coupons.starbucks.com.cn, DNS:emsr.starbucks.com.cn, DNS:giftcard.starbucks.com.cn, DNS:old.giftcard.starbucks.com.cn, DNS:old.rewards.starbucks.com.cn, DNS:profile.starbucks.com.cn, DNS:rewards.starbucks.com.cn
| Not valid before: 2018-06-26T00:00:00
|_Not valid after:  2019-06-26T23:59:59
|_ssl-date: 2019-03-13T13:37:13+00:00; 0s from scanner time.
Device type: load balancer|PBX|specialized|firewall
Running (JUST GUESSING): F5 Networks TMOS 11.6.X|11.4.X (87%), Vodavi embedded (85%), AVtech embedded (85%), OSRAM embedded (85%)
OS CPE: cpe:/o:f5:tmos:11.6 cpe:/h:vodavi:xts-ip cpe:/h:osram:lightify cpe:/o:f5:tmos:11.4
Aggressive OS guesses: F5 BIG-IP Local Traffic Manager load balancer (TMOS 11.6) (87%), Vodavi XTS-IP PBX (85%), AVtech Room Alert 26W environmental monitor (85%), OSRAM Lightify ZigBee gateway (85%), F5 BIG-IP AFM firewall (85%), F5 BIG-IP load balancer (TMOS 11.4) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
Service Info: Device: load balancer

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   0.35 ms  XiaoQiang (192.168.31.1)
2   ... 3
4   3.12 ms  124.65.61.21
5   8.41 ms  123.126.0.125
6   31.16 ms 219.158.6.166
7   71.74 ms 219.158.8.230
8   76.11 ms 202.97.17.181
9   28.22 ms 202.97.46.25
10  ...
11  34.20 ms 101.95.207.6
12  32.55 ms 124.74.232.66
13  28.14 ms 124.74.184.77
14  28.57 ms 180.153.48.188

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.98 seconds
```
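Added example, not from the original post: a Python parser for nmap's normal output that lists the open services and collects every DNS name in the certificates' Subject Alternative Name entries. It ties this port scan back to subdomain collection, since a certificate served on an open port publishes hostnames just as crt.sh does, and lets a defender check which names a server reveals. The sample report is a constructed, trimmed copy of the scan above; names_under() is a hypothetical helper for comparing the revealed names against the ones you intended to publish.

```python
import re

# Constructed sample: a trimmed copy of the nmap -A report shown above.
SAMPLE_NMAP = """\
PORT     STATE    SERVICE    VERSION
42/tcp   filtered nameserver
80/tcp   open     http-proxy HAProxy http proxy 1.3.1 or later
|_http-title: Did not follow redirect to https://180.153.48.188/
443/tcp  open     ssl/http   nginx
|_http-server-header: nginx
| ssl-cert: Subject: commonName=www.starbucks.com.cn/organizationName=Starbucks Coffee Company
| Subject Alternative Name: DNS:www.starbucks.com.cn, DNS:api.starbucks.com.cn, DNS:auth.starbucks.com.cn
| Not valid before: 2018-06-26T00:00:00
|_Not valid after:  2019-06-26T23:59:59
5900/tcp filtered vnc
9999/tcp open     ssl/abyss?
| ssl-cert: Subject: commonName=www.starbucks.com.cn/organizationName=Starbucks Coffee Company
| Subject Alternative Name: DNS:www.starbucks.com.cn, DNS:api.starbucks.com.cn, DNS:rewards.starbucks.com.cn
"""

_PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")   # port table rows
_SAN = re.compile(r"^\|\s*Subject Alternative Name:\s*(.+)$")     # ssl-cert script line


def parse_nmap(text):
    """Return (ports, hostnames): one dict per port row, plus every DNS SAN seen."""
    ports, hostnames = [], set()
    current = None
    for line in text.splitlines():
        m = _PORT.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5).strip()}
            ports.append(current)
            continue
        m = _SAN.match(line)
        if m and current:
            # each SAN entry looks like 'DNS:host'; non-DNS entries (IP:, email:) are ignored
            for entry in m.group(1).split(","):
                kind, _, name = entry.strip().partition(":")
                if kind == "DNS":
                    hostnames.add(name.lower())
    return ports, sorted(hostnames)


def open_ports(ports):
    return [p["port"] for p in ports if p["state"] == "open"]


def names_under(hostnames, apex):
    """Hypothetical helper: names under the apex the certificate reveals."""
    return [h for h in hostnames if h == apex or h.endswith("." + apex)]
```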
1.5 Fingerprinting
http://whatweb.bugscaner.com
http://www.yunsee.cn/
https://www.whatweb.net/
1.6 Finding the real IP

If the target server sits behind a CDN, ping it from several locations; if every location gets the same IP, there is most likely no CDN.
https://ping.chinaz.com offers multi-location ping from within China and also from overseas
https://www.17ce.com/
Bypassing a CDN to find the real IP:
- Internal email sources
- Scanning for test files on the site
- Domain names of sub-sites
- Accessing from abroad, e.g. https://asm.ca.com/en/ping.php, may return the real IP
- Looking up the domain's DNS resolution history at https://www.netcraft.com/
- If there is a mobile app, try capturing its traffic
- For CloudFlare specifically, search for "cloudflare watch"
How to verify the real IP: for a web service, access the IP directly and check whether the result is the same as when accessing via the domain name.
1.7 Collecting sensitive directories and files

DirBuster (bundled with Kali; a Java tool developed by OWASP)
御剑后台扫描珍藏版 (Yujian admin-panel scanner, collector's edition)
wwwscan
Spinder.py
Sensitivefilescan
Weakfilescan
1.8 Social engineering

During information gathering, you can send an email to an address you collected, wait for the reply, and analyse the reply's mail headers to learn the real IP and details about the internal mail server.