┌──(root💀B)-[~]
└─# dmitry -iwns dansemal.cn
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:183.240.60.175
HostName:dansemal.cn

Gathered Inet-whois information for 183.240.60.175
---------------------------------

inetnum:        182.161.64.0 - 184.255.255.255
netname:        NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr:          IPv4 address block not managed by the RIPE NCC
remarks:        ------------------------------------------------------
remarks:        ration information,
remarks:        you can consult the following sources:
remarks:
remarks:        IANA
remarks:        http://www.iana.org/assignments/ipv4-address-space
remarks:        http://www.iana.org/assignments/iana-ipv4-special-registry
remarks:        http://www.iana.org/assignments/ipv4-recovered-address-space
remarks:
remarks:        AFRINIC (Africa)
remarks:        http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks:        APNIC (Asia Pacific) ic.net/ whois.apnic.net
remarks:
remarks:        ARIN (Northern America)
remarks:        http://www.arin.net/ whois.arin.net
remarks:
remarks:        LACNIC (Latin America and the Carribean)
remarks:        http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks:        ------------------------------------------------------
country:        EU # Country is really world wide
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
status:         ALLOCATED UNSPECIFIED
created:        2021-12-21T16:03:56Z
last-modified:  2021-12-21T16:03:56Z
source:         RIPE

role:           Internet Assigned Numbers Authority
address:        see http://www.iana.org.
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
nic-hdl:        IANA1-RIPE
remarks:        For more information on IANA services
remarks:        go to IANA web site at http://www.iana.org.
mnt-by:         RIPE-NCC-MNT
created:        1970-01-01T00:00:00Z
last-modified:  2001-09-22T09:31:27Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.102.2 (HEREFORD)

Gathered Inic-whois information for dansemal.cn
---------------------------------
Domain Name: dansemal.cn
ROID: 20210322s10001s35063278-cn
Domain Status: clientTransferProhibited
Registrant: 该域名已采取WHOIS隐私保护服务
Sponsoring Registrar: 广州云讯信息科技有限公司
Name Server: brook.dnspod.net
Name Server: record.dnspod.net
Registration Time: 2021-03-22 15:32:05
Expiration Time: 2023-03-22 15:32:05
DNSSEC: signedDelegation

Gathered Netcraft information for dansemal.cn
---------------------------------
Retrieving Netcraft.com information for dansemal.cn
Netcraft.com Information gathered

Gathered Subdomain information for dansemal.cn
---------------------------------
Searching Google.com:80...
HostName:www.dansemal.cn
HostIP:183.240.60.174
HostName:cloud.dansemal.cn
HostIP:112.3.31.146
Searching Altavista.com:80...
Found 2 possible subdomain(s) for host dansemal.cn, Searched 0 pages containing 0 results
[-] Enumerating subdomains now for qq.com
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[-] Searching now in Virustotal..
[-] Searching now in ThreatCrowd..
[-] Searching now in SSL Certificates..
[-] Searching now in PassiveDNS..
[-] Total Unique Subdomains Found: 2690
login.imqq.com
localhost.ptlogin2.imqq.com
ssl.ptlogin2.imqq.com
ssl.ui.ptlogin2.imqq.com
ssl.xui.ptlogin2.imqq.com
www.qq.com
0.qq.com
007.qq.c
021.qq.com
1.qq.com
10.qq.com
100.qq.com
file.100.qq.com
res.100.qq.com
1000.qq.com
101.qq.com
pick.101.qq.com
game.108.qq.com
110.qq.com
1108.qq.com
111.qq.com
1111.qq.com
124bjg0.qq.com
12530.qq.com
176.qq.com
17roco.qq.com
m.17roco.qq.com
m1.17roco.qq.com
mres.17roco.qq.com

[-] Enumerating subdomains now for dansemal.cn
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[-] Searching now in Virustotal..
[-] Searching now in ThreatCrowd..
[-] Searching now in SSL Certificates..
[-] Searching now in PassiveDNS..
[!] Error: Virustotal probably now is blocking our requests
[-] Total Unique Subdomains Found: 12
www.dansemal.cn
blog.dansemal.cn
cdn.dansemal.cn
cloud.dansemal.cn
joe.dansemal.cn
mail.dansemal.cn
pl.dansemal.cn
qh.dansemal.cn
ur.dansemal.cn
vercel.dansemal.cn
vul.dansemal.cn
waline.dansemal.cn
Options:
   -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
   -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
   -config+            Use this config file
   -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
   -dbcheck            Check database and other key files for syntax errors
   -evasion+           Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
   -Format+            Save file (-o) format:
                               csv   Comma-separated-value
                               json  JSON Format
                               htm   HTML Format
                               nbe   Nessus NBE format
                               sql   Generic SQL (see docs for schema)
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
   -Help               Extended help information
   -host+              Target host/URL
   -404code            Ignore these HTTP codes as negative responses (always). Format is "302,301".
   -404string          Ignore this string in response body content as negative response (always). Can be a regular expression.
   -id+                Host authentication to use, format is id:pass or id:pass:realm
   -key+               Client certificate key file
   -list-plugins       List all available plugins, perform no testing
   -maxtime+           Maximum testing time per host (e.g., 1h, 60m, 3600s)
   -mutate+            Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
   -mutate-options     Provide information for mutates
   -nointeractive      Disables interactive features
   -nolookup           Disables DNS lookups
   -nossl              Disables the use of SSL
   -no404              Disables nikto attempting to guess a 404 page
   -Option             Over-ride an option in nikto.conf, can be issued multiple times
   -output+            Write output to this file ('.' for auto-name)
   -Pause+             Pause between tests (seconds, integer or float)
   -Plugins+           List of plugins to run (default: ALL)
   -port+              Port to use (default 80)
   -RSAcert+           Client certificate file
   -root+              Prepend root value to all requests, format is /directory
   -Save               Save positive responses to this directory ('.' for auto-name)
   -ssl                Force ssl mode on port
   -Tuning+            Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               d     WebService
                               e     Administrative Console
                               x     Reverse Tuning Options (i.e., include all except specified)
   -timeout+           Timeout for requests (default 10 seconds)
   -Userdbs            Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
   -useragent          Over-rides the default useragent
   -until              Run until the specified time or duration
   -update             Update databases and plugins from CIRT.net
   -url+               Target host/URL (alias of -host)
   -useproxy           Use the proxy defined in nikto.conf, or argument http://server:port
   -Version            Print plugin and database versions
   -vhost+             Virtual host (for Host header)
                + requires a value
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Mandatory:
    -u URL, --url=URL   Target URL
    -l FILE, --url-list=FILE
                        Target URL list file
    --stdin             Target URL list from STDIN
    --cidr=CIDR         Target CIDR
    --raw=FILE          Load raw HTTP request from file (use `--scheme` flag to set the scheme)
    -e EXTENSIONS, --extensions=EXTENSIONS
                        Extension list separated by commas (Example: php,asp)
    -X EXTENSIONS, --exclude-extensions=EXTENSIONS
                        Exclude extension list separated by commas (Example: asp,jsp)
    -f, --force-extensions
                        Add extensions to every wordlist entry. By default dirsearch only replaces the %EXT% keyword with extensions

  Dictionary Settings:
    -w WORDLIST, --wordlists=WORDLIST
                        Customize wordlists (separated by commas)
    --prefixes=PREFIXES
                        Add custom prefixes to all wordlist entries (separated by commas)
    --suffixes=SUFFIXES
                        Add custom suffixes to all wordlist entries, ignore directories (separated by commas)
    --only-selected     Remove paths have different extensions from selected ones via `-e` (keep entries don't have extensions)
    --remove-extensions
                        Remove extensions in all paths (Example: admin.php -> admin)
    -U, --uppercase     Uppercase wordlist
    -L, --lowercase     Lowercase wordlist
    -C, --capital       Capital wordlist

  General Settings:
    -t THREADS, --threads=THREADS
                        Number of threads
    -r, --recursive     Brute-force recursively
    --deep-recursive    Perform recursive scan on every directory depth (Example: api/users -> api/)
    --force-recursive   Do recursive brute-force for every found path, not only paths end with slash
    -R DEPTH, --recursion-depth=DEPTH
                        Maximum recursion depth
    --recursion-status=CODES
                        Valid status codes to perform recursive scan, support ranges (separated by commas)
    --subdirs=SUBDIRS   Scan sub-directories of the given URL[s] (separated by commas)
    --exclude-subdirs=SUBDIRS
                        Exclude the following subdirectories during recursive scan (separated by commas)
    -i CODES, --include-status=CODES
                        Include status codes, separated by commas, support ranges (Example: 200,300-399)
    -x CODES, --exclude-status=CODES
                        Exclude status codes, separated by commas, support ranges (Example: 301,500-599)
    --exclude-sizes=SIZES
                        Exclude responses by sizes, separated by commas (Example: 123B,4KB)
    --exclude-texts=TEXTS
                        Exclude responses by texts, separated by commas (Example: 'Not found', 'Error')
    --exclude-regexps=REGEXPS
                        Exclude responses by regexps, separated by commas (Example: 'Not foun[a-z]{1}', '^Error$')
    --exclude-redirects=REGEXPS
                        Exclude responses by redirect regexps or texts, separated by commas (Example: 'https://okta.com/*')
    --exclude-response=PATH
                        Exclude responses by response of this page (path as input)
    --skip-on-status=CODES
                        Skip target whenever hit one of these status codes, separated by commas, support ranges
    --minimal=LENGTH    Minimal response length
    --maximal=LENGTH    Maximal response length
    --max-time=SECONDS  Maximal runtime for the scan
    -q, --quiet-mode    Quiet mode
    --full-url          Full URLs in the output (enabled automatically in quiet mode)
    --no-color          No colored output

  Request Settings:
    -m METHOD, --http-method=METHOD
                        HTTP method (default: GET)
    -d DATA, --data=DATA
                        HTTP request data
    -H HEADERS, --header=HEADERS
                        HTTP request header, support multiple flags (Example: -H 'Referer: example.com')
    --header-list=FILE  File contains HTTP request headers
    -F, --follow-redirects
                        Follow HTTP redirects
    --random-agent      Choose a random User-Agent for each request
    --auth-type=TYPE    Authentication type (basic, digest, bearer, ntlm)
    --auth=CREDENTIAL   Authentication credential (user:password or bearer token)
    --user-agent=USERAGENT
    --cookie=COOKIE

  Connection Settings:
    --timeout=TIMEOUT   Connection timeout
    -s DELAY, --delay=DELAY
                        Delay between requests
    --proxy=PROXY       Proxy URL, support HTTP and SOCKS proxies (Example: localhost:8080, socks5://localhost:8088)
    --proxy-list=FILE   File contains proxy servers
    --replay-proxy=PROXY
                        Proxy to replay with found paths
    --scheme=SCHEME     Default scheme (for raw request or if there is no scheme in the URL)
    --max-rate=RATE     Max requests per second
    --retries=RETRIES   Number of retries for failed requests
    -b, --request-by-hostname
                        By default dirsearch requests by IP for speed. This will force dirsearch to request by hostname
    --ip=IP             Server IP address
    --exit-on-error     Exit whenever an error occurs

You can change the dirsearch default configurations (default extensions, timeout, wordlist location, ...) by editing the "/etc/dirsearch/default.conf" file.
More information at https://github.com/maurosoria/dirsearch.
┌──(root💀kali)-[~]
└─# nmap -v -A -p1-65535 127.0.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-10 13:58 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating SYN Stealth Scan at 13:58
Scanning localhost (127.0.0.1) [65535 ports]
Discovered open port 22/tcp on 127.0.0.1
Completed SYN Stealth Scan at 13:58, 0.37s elapsed (65535 total ports)
Initiating Service scan at 13:58
Scanning 1 service on localhost (127.0.0.1)
Completed Service scan at 13:58, 0.01s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against localhost (127.0.0.1)
Retrying OS detection (try #2) against localhost (127.0.0.1)
Retrying OS detection (try #3) against localhost (127.0.0.1)
Retrying OS detection (try #4) against localhost (127.0.0.1)
Retrying OS detection (try #5) against localhost (127.0.0.1)
NSE: Script scanning 127.0.0.1.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.08s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 95:24:8a:70:02:c1:7c:b9:63:1d:57:bd:c4:ba:59:84 (RSA)
|   256 ac:24:26:ce:c9:34:47:e7:62:38:13:d1:03:6d:c7:54 (ECDSA)
|_  256 79:e3:be:ae:1e:ee:87:ed:bd:3d:b3:23:e6:de:92:08 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=4/10%OT=22%CT=1%CU=43844%PV=N%DS=0%DC=L%G=Y%TM=60713E8
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=MFFD7ST11NWA%O2=MFFD7ST11NWA%O3=MFFD7NNT11NWA%O4=MFFD7ST11NWA%O5=MFF
OS:D7ST11NWA%O6=MFFD7ST11)WIN(W1=FFCB%W2=FFCB%W3=FFCB%W4=FFCB%W5=FFCB%W6=FF
OS:CB)ECN(R=Y%DF=Y%T=40%W=FFD7%O=MFFD7NNSNWA%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Uptime guess: 22.103 days (since Fri Mar 19 11:30:10 2021)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds
           Raw packets sent: 65645 (2.892MB) | Rcvd: 131283 (5.520MB)