Collecting second-level domains or IPs
<h2>I. Subdomain discovery methods</h2><h3><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">1. DNS zone transfer vulnerability</span></h3>
<p><span style="font-family: 楷体; font-size: 14pt">On Kali, simply run dnsenum oldboyedu.com </span></p>
<p><span style="font-family: 楷体; font-size: 14pt"><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215160108123-1958609970.png" alt="" loading="lazy"></span></p>
<p><span style="font-family: 楷体; font-size: 18px; color: rgba(255, 0, 0, 1)"><strong>Tool description and usage, for reference:</strong></span></p>
<p><span style="font-family: 楷体; font-size: 18px"> The purpose of dnsenum is to gather as much information about a domain as possible. It can guess candidate domain names via Google or a wordlist and run reverse lookups over a network range. It queries the site's host addresses, name servers and MX records (mail exchange records), issues AXFR requests against the name servers, obtains additional domain names via Google scripting (Google hacking), extracts subdomains and resolves them, computes the class C ranges and runs whois queries on them, performs reverse lookups, and writes the address ranges to a file.</span></p>
<p><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)"><strong>Parameters:</strong></span></p>
<p><span style="font-family: 楷体; font-size: 14pt"> -h Show the tool's usage help</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">--dnsserver &lt;server&gt; Specify the DNS server to query</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">--enum Shortcut option, equivalent to "--threads 5 -s 15 -w"</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">--noreverse Skip the reverse lookups</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">--nocolor Disable colored output</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">--private Show private IPs and append them to the end of the "domain_ips.txt" file</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">--subfile &lt;file&gt; Write all valid subdomains to the specified file</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">-t, --timeout &lt;value&gt; TCP or UDP connection timeout, default 10s (unit: seconds)</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">--threads &lt;value&gt; Number of query threads</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">-v, --verbose Show all progress and error messages</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">-o, --output &lt;file&gt; Output option: save the output to the specified file</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">-e, --exclude &lt;regexp&gt; Reverse lookup option: exclude PTR records matching the regular expression from the reverse lookup results; very useful for weeding out invalid hosts</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">-w, --whois Run whois queries on the class C network ranges</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">-f dns.txt Specify the wordlist file; dns-big.txt or a custom wordlist can be used instead</span></p>
<p><span style="font-family: 楷体; color: rgba(255, 0, 0, 1); font-size: 14pt"><strong>For an explanation of the relevant DNS record types, see:</strong> https://wenku.baidu.com/view/d2d597b669dc5022aaea0030.html</span></p>
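<p>The AXFR step that dnsenum performs, written out by hand in Python against raw DNS wire format so that an operator can audit their own authoritative name servers; this is an added example, not code from the original post or from dnsenum. The wire-format helpers run offline on constructed replies; <code>check_zone_transfer()</code> (an assumed helper name) needs network access to the name server. A correctly restricted server answers REFUSED; one that answers NOERROR with records in the answer section is handing out the whole zone and needs its transfer ACL limited to its secondaries.</p>

```python
"""Self-audit for zone transfer exposure: the AXFR check that dnsenum runs, done by hand.
Wire-format helpers run offline; check_zone_transfer() needs network access to the name server."""
import socket
import struct

QTYPE_AXFR = 252  # RFC 1035 QTYPE for a full zone transfer
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Encode a one-question DNS message asking for the whole zone."""
    # Header: id, flags=0 (no RD; only an authoritative server answers AXFR), QDCOUNT=1, rest 0.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def parse_axfr_response(msg: bytes) -> dict:
    """Classify the first reply: a permissive server answers NOERROR with the SOA and
    further records in the answer section; a restricted one answers REFUSED/NOTAUTH."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"txid": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": ancount, "transfer_allowed": rcode == 0 and ancount > 0}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """TCP delivers a stream, so loop until exactly n bytes have arrived."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_zone_transfer(ns_host: str, zone: str, timeout: float = 5.0) -> dict:
    """Send the AXFR query over TCP (2-byte length prefix, RFC 1035 4.2.2) and parse the reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((ns_host, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return parse_axfr_response(_recv_exact(sock, length))
```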
<h3><span style="font-family: 楷体; color: rgba(255, 0, 0, 1); font-size: 14pt">2. ICP filing number lookup</span></h3>
<p><span style="font-family: 楷体; color: rgba(255, 0, 0, 1); font-size: 14pt">Look up the ICP filing (备案) number of the target system's domain, then reverse-search that filing number for the other domains registered under it.</span></p>
<p><strong>ICP filing lookup sites:</strong> <strong>http://www.beianbeian.com</strong>, http://icp.bugscaner.com/</p>
<p><span style="font-family: 楷体; color: rgba(255, 0, 0, 1); font-size: 14pt"><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215165952171-1869396766.png" alt="" loading="lazy"></span></p>
<p><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215170059090-585809328.png" alt="" loading="lazy"></p>
<h3><span style="font-family: 楷体; color: rgba(255, 0, 0, 1); font-size: 14pt">3. SSL certificates</span></h3>
<p><span style="font-family: 楷体; color: rgba(255, 0, 0, 1); font-size: 14pt">Domains obtained by querying SSL certificates have a very high rate of still being live.</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Lookup sites: https://myssl.com/ssl.html and https://www.chinassl.net/ssltools/ssl-checker.html</span></p>
<p><span style="font-family: 楷体; color: rgba(255, 0, 0, 1); font-size: 14pt"><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215171128656-263133587.png" alt="" loading="lazy"></span></p>
<p><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)"><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215171328552-1699103535.png" alt="" loading="lazy"></span></p>
<h3> <span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)"><strong>4. Google search for the C-class range</strong></span></h3>
<p>Method 1: see the GoogleHack usage in section 10.</p>
<p>Method 2: use the K8 tool; as a prerequisite, remember to register for the Bing API.</p>
<p> <img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215173008426-635812598.png" alt="" loading="lazy"></p>
<p><span style="font-family: 楷体; font-size: 14pt"><strong>What is a C-class range:</strong> for example, suppose there is a website on the IP 127.127.127.4 (call it 127.4). Imagine this server hosts a very large site with almost no vulnerabilities. But in the same C-class range, 127.127.127.1~127.127.127.255, the other servers at 1~255 also host websites, and those do have vulnerabilities; so one of the 1~255 sites can be compromised, privileges escalated, and the traffic sniffed to obtain the password of the 127.4 server, even the 3389 connection password and the backend login password. With luck, many passwords fall out…</span></p>
<h3><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">5. Extraction from apps</span></h3>
<p><span style="font-family: 楷体; font-size: 14pt">Decompile the app to extract the IP addresses it references. Beyond that, while hunting for bugs in an app you can discover domains that the previous techniques could not find: apps contain a large number of API IPs and intranet IPs, and quite a few security vulnerabilities turn up along the way.</span></p>
<p><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">Apps found on the site that are not encrypted (packed) can be decompiled directly.</span></p>
<p><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)"><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215175704618-497786659.png" alt="" loading="lazy"></span></p>
<p> <img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215175717672-196637823.png" alt="" loading="lazy"></p>
<h3><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">6. WeChat official accounts (detailed later)</span></h3>
<p><span style="font-family: 楷体; font-size: 14pt">Another channel into the enterprise: testing its official accounts will definitely yield unexpected gains, quite a few vulnerabilities plus domains. For how to capture WeChat official account traffic with Burp, see Burp APP traffic capture.</span></p>
<h3><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">7. <strong>Wordlist enumeration</strong></span></h3>
<p><span style="font-family: 楷体; font-size: 14pt"> Wordlist enumeration is the traditional technique for finding subdomains; tools of this kind include DNSReconcile, Layer子域名挖掘机 (Layer Subdomain Miner), DirBuster and others.</span></p>
<h3><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">8. <strong>Public DNS sources</strong></span></h3>
<p><span style="font-family: 楷体; font-size: 14pt">Released by Rapid7's Project Sonar: https://scans.io/study/sonar.fdns_v2</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Historical DNS resolution: https://dnsdb.io/zh-cn/</span></p>
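<p>Turning a public forward-DNS dump such as the Sonar FDNS data into an in-scope asset inventory, as an added example that is not part of the original post or of Project Sonar; it assumes the FDNS record shape of one JSON object per line with <code>name</code>, <code>type</code> and <code>value</code> fields, and the sample lines are constructed. The point it shows is label-boundary matching (so <code>notoldboyedu.com</code> is never counted as in scope) and that a CNAME pointing into the zone reveals a hostname even when the owner name belongs to someone else.</p>

```python
"""Build an in-scope subdomain inventory from Project Sonar FDNS-style records.
Assumed record shape (one JSON object per line): {"timestamp", "name", "type", "value"}."""
import json
from collections import defaultdict

# Constructed sample in FDNS style; not real Sonar data.
SAMPLE_FDNS = """\
{"timestamp":"1607990000","name":"www.oldboyedu.com","type":"a","value":"203.0.113.10"}
{"timestamp":"1607990001","name":"mail.oldboyedu.com","type":"a","value":"203.0.113.25"}
{"timestamp":"1607990002","name":"old.oldboyedu.com","type":"cname","value":"www.oldboyedu.com"}
{"timestamp":"1607990003","name":"notoldboyedu.com","type":"a","value":"198.51.100.7"}
{"timestamp":"1607990004","name":"cdn.example.net","type":"cname","value":"static.oldboyedu.com"}
{"timestamp":"1607990005","name":"WWW.OldBoyEdu.com.","type":"a","value":"203.0.113.10"}
this line is not json
"""

IN_SCOPE_TYPES = {"a", "aaaa", "cname"}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def in_scope(name: str, base: str) -> bool:
    """True for base itself or any name ending in '.' + base (label-boundary match)."""
    name, base = normalize(name), normalize(base)
    return name == base or name.endswith("." + base)


def build_inventory(fdns_lines, base_domain: str) -> dict:
    """Map each in-scope hostname to the sorted list of values seen for it.
    A CNAME whose target is in scope also reveals a hostname (the target)."""
    inventory = defaultdict(set)
    for line in fdns_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting a multi-GB dump
        rtype = rec.get("type", "").lower()
        if rtype not in IN_SCOPE_TYPES:
            continue
        name, value = normalize(rec.get("name", "")), normalize(rec.get("value", ""))
        if in_scope(name, base_domain):
            inventory[name].add(value)
        if rtype == "cname" and in_scope(value, base_domain):
            inventory.setdefault(value, set())  # target is ours even if the owner is not
    return {host: sorted(vals) for host, vals in sorted(inventory.items())}
```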
<h3><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">9. <strong>Threat intelligence lookup</strong></span></h3>
<p><span style="font-family: 楷体; font-size: 14pt">Huawei Security Intelligence https://isecurity.huawei.com</span></p>
<h3><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">10.GoogleHack</span></h3>
<h4><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">①: Overview</span></h4>
<p><span style="font-family: 楷体; font-size: 14pt; color: rgba(0, 0, 0, 1)">Use Google or another search engine to search for specific vulnerabilities in network hosts (usually script vulnerabilities on servers), so as to quickly find vulnerable hosts or the vulnerabilities of a particular host. Google is without doubt the most powerful search engine in the world today. In a hacker's hands, however, it is also a secret weapon that can turn up information you would never expect.</span></p>
<h4><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">②: Setup guide</span></h4>
<p><span style="color: rgba(0, 0, 0, 1); font-family: 楷体; font-size: 14pt">a) A device with normal Internet access (usually a PC)</span></p>
<p><span style="color: rgba(0, 0, 0, 1); font-family: 楷体; font-size: 14pt">b) A common browser (IE, Chrome, etc.)</span></p>
<p><span style="color: rgba(0, 0, 0, 1); font-family: 楷体; font-size: 14pt">c) Command of powerful search operators</span></p>
<h4><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)">③: In practice</span></h4>
<p><span style="font-family: 楷体; font-size: 14pt">What makes the Google search engine so powerful is its detailed search operators; the following are a few commonly used ones (for more detailed tutorials, see http://user.qzone.qq.com/568311803/main):</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt">inurl: searches for pages whose URL contains the term. This operator is very useful for finding things like search and help pages on a site. </span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt">intext: searches only the body text of pages (that is, ignoring the title, URL and similar text).</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt">site: restricts your search to a given domain. </span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt">filetype: searches by file suffix or extension</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt">intitle: restricts the search to page titles.</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt">allintitle: searches for pages whose title contains all of the keywords, but it is recommended not to use it.</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt">link: returns a list of all pages that contain a specified URL. For example, link:www.google.com returns all pages that link to Google.</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>Common usages include:</strong></span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site</strong>:ooxx.com <strong>filetype</strong>:xls</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx admin</strong></span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx login</strong></span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx system</strong></span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx 管理</strong> (管理: admin)</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx 登录</strong> (登录: login)</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx 内部</strong> (内部: internal)</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx 系统</strong> (系统: system)</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx 邮件</strong> (邮件: mail)</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx email</strong></span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx qq</strong></span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx 群</strong> (群: group, as in QQ group)</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx 企鹅</strong> (企鹅: "penguin", slang for QQ)</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:xxx.xxx 腾讯</strong> (腾讯: Tencent)</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>site:ooxx.com</strong></span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt"><strong>inurl:jmx-console</strong></span></p>
<h4 align="left"><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)"><strong>⑤ Examples:</strong></span></h4>
<p align="left"><span style="font-size: 14pt; font-family: 楷体; color: rgba(255, 0, 0, 1)"><strong>1. site: baidu.com filetype:txt</strong> finds TXT files; the other file types work the same way</span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)"><strong><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215194701686-2132814666.png" alt="" loading="lazy"></strong></span></p>
<p><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)"> 2. <strong>site:baidu.com intext:管理</strong> (管理: admin)</span></p>
<p><span style="color: rgba(255, 0, 0, 1); font-family: 楷体; font-size: 14pt"> 3.<strong>site:baidu.com inurl:login</strong></span></p>
<p align="left"><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)"><strong><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215195352502-593532551.png" alt="" loading="lazy"></strong></span></p>
<p><span style="color: rgba(255, 0, 0, 1); font-family: 楷体; font-size: 14pt"> 4. <strong>site:baidu.com intitle:后台</strong> (后台: back end / admin panel)</span></p>
<p><span style="color: rgba(255, 0, 0, 1); font-family: 楷体; font-size: 14pt"><strong><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215195506447-1732776746.png" alt="" loading="lazy"></strong></span></p>
<p><span style="color: rgba(255, 0, 0, 1); font-family: 楷体; font-size: 14pt"> 5.<strong> </strong><strong>site:baidu.com inurl:file</strong></span></p>
<p><span style="color: rgba(255, 0, 0, 1); font-family: 楷体; font-size: 14pt"><strong><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215200040789-1850920188.png" alt="" loading="lazy"></strong></span></p>
<p><span style="color: rgba(255, 0, 0, 1); font-family: 楷体; font-size: 14pt"> 6.<strong>site: baidu.com inurl:load</strong></span></p>
<p><span style="color: rgba(255, 0, 0, 1); font-family: 楷体; font-size: 14pt"><strong><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215200606086-1921168587.png" alt="" loading="lazy"></strong></span></p>
<p><span style="color: rgba(255, 0, 0, 1); font-family: 楷体; font-size: 14pt"><strong>7. site:tw inurl:asp?id= (this one finds Taiwanese sites)</strong></span></p>
<p><span style="color: rgba(255, 0, 0, 1); font-family: 楷体; font-size: 14pt"><strong><strong><span lang="EN-US"><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215201509235-2142339345.png" alt="" loading="lazy"></span></strong></strong></span></p>
<p><span style="font-family: 楷体; font-size: 14pt; color: rgba(255, 0, 0, 1)"> 8. site:*.jp inurl:asp?id= (finds Japanese sites)</span></p>
<p><img src="https://img2020.cnblogs.com/blog/1197910/202012/1197910-20201215201705484-1349267861.png" alt="" loading="lazy"></p>
<h2><span style="color: rgba(255, 0, 0, 1); font-family: 楷体"> 11. ZoomEye hack</span></h2>
<p><span style="font-family: 楷体; font-size: 14pt"><code>ZoomEye</code> is a site that supports fingerprint search of Internet-facing devices and web fingerprint search. Web fingerprints cover application name, version, front-end framework, back-end framework, server-side language, server operating system, web container, content management system, database and so on.</span><br><span style="font-family: 楷体; font-size: 14pt">
Device fingerprints include application name, version, open ports, operating system, service name, geographic location and so on.</span></p>
<p><span style="font-family: 楷体; font-size: 14pt"><strong>1. Searching in practice</strong></span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Today we mainly cover how to use its syntax rules for advanced searches that surface useful information.</span></p>
<ul>
<li><span style="font-family: 楷体; font-size: 14pt"><strong>Host device search by component name</strong></span><br><span style="font-family: 楷体; font-size: 14pt">
app: component name</span><br><span style="font-family: 楷体; font-size: 14pt">
ver: component version</span><br><span style="font-family: 楷体; font-size: 14pt">
Example 1: search for hosts running IIS 6.0: app:"Microsoft-IIS" ver:"6.0"; you can see that in 0.6 seconds it finds around 41,781,210 hosts running IIS 6.0.</span></li>
</ul>
<p><span style="font-family: 楷体; font-size: 14pt">Example 2: search for WebLogic hosts: <code>app:"weblogic httpd" port:7001</code>; you can see that in 0.078 seconds it finds around 420,000 hosts running WebLogic.</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Example 3: find hosts with port 3389 open: <code>port:3389</code></span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Example 4: find servers whose operating system is Linux: <code>os:linux</code></span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Example 5: find Internet-facing cameras: <code>service:"routersetup"</code></span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Example 6: search for Apache servers in the US: <code>app:Apache country:US</code>; you can also append <code>city:</code> followed by a city name</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Example 7: look up information on a specific IP: <code>ip:121.42.173.26</code></span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Example 8: look up information about the taobao.com domain: <code>site:taobao.com</code></span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Example 9: search for sites whose title contains the string: <code>title:weblogic</code></span></p>
<p><span style="font-family: 楷体; font-size: 14pt">Example 10: <code>keywords:Nginx</code></span></p>
<h2><span style="font-family: 楷体; color: rgba(255, 0, 0, 1)"><span style="font-size: 14pt">12.</span>fofa hack</span></h2>
<p><span style="font-family: 楷体; font-size: 14pt"><code>domain=""||ip=""||host=""||title=""||header=""</code></span><br><span style="font-family: 楷体; font-size: 14pt">
<code>protocol="https"</code>, search by protocol type</span></p>
<p><span style="font-family: 楷体; font-size: 14pt"><code>app="phpinfo"</code> search for systems related to a given component</span></p>
<p><span style="font-family: 楷体; font-size: 14pt"><code>host="oldboyedu.com/"</code> search for URLs containing a specific string</span></p>
<p><span style="font-family: 楷体; font-size: 14pt"><code>title="powered by" && os==windows</code> search for pages whose title contains a specific string and whose operating system is Windows</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">For details, see the official documentation: https://fofa.so/help</span></p>
<p><span style="font-family: 楷体; font-size: 14pt">https://github.com/Threezh1/JSFinder</span></p>
Source: https://www.cnblogs.com/1996-11-01-614lb/p/14140710.html