🧂 Preface Today's topic is OSINT as applied to a website or domain. Before hunting for web vulnerabilities or starting a penetration test you normally reconnoitre the target first to find a way in, so here are a few tools I use regularly for that.
Wayback Machine Link: http://web.archive.org/
This is an online service run by the Internet Archive. It periodically takes snapshots of web pages and archives them, so you can see what a site looked like at different points in the past. For recon that history is the point: pages, parameters and files that have since been removed from the live site often survive in old snapshots, and some of them are still reachable on the live server.
For example, I wanted to see what https://yunshiuan.com/ used to look like, so I entered the URL and had a look.
It turns out a snapshot was taken on 8/15; clicking into it shows what the page looked like on 8/15.
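Browsing snapshots one at a time does not scale, so here is an added example (my own shell script, not part of the original post) that pulls the Wayback Machine's CDX index for a whole domain and reduces it to the paths that once existed. The CDX endpoint and its url, fl, filter and collapse parameters are the Internet Archive's public API; the function names, the example.com target and the sample CDX rows are this example's own, and the sample rows are constructed rather than real captures.

```shell
#!/bin/sh
# Added example, not from the original post: instead of browsing snapshots one
# by one, pull the Wayback Machine's CDX index for a whole domain and reduce it
# to a list of paths that once existed. Old admin panels, API routes and backup
# files that were later unlinked are exactly what this surfaces.
# Assumptions: the target domain is in scope; curl and awk are installed;
# function names and the sample rows are this example's own.

# Build the CDX query: every captured URL under the domain, successful
# responses only, one row per unique URL key. Rows come back as
# "timestamp original statuscode", space separated.
cdx_url() {
  printf 'http://web.archive.org/cdx/search/cdx?url=%s/*&fl=timestamp,original,statuscode&filter=statuscode:200&collapse=urlkey' "$1"
}

# Reduce CDX rows to unique paths (first-seen timestamp kept), dropping
# query strings and static assets so the list is short enough to review.
cdx_paths() {
  awk '$3 == 200 {
    url = $2
    sub(/^https?:\/\/[^\/]+/, "", url)    # strip scheme and host
    sub(/[?#].*$/, "", url)                # strip query string / fragment
    if (url == "") url = "/"
    if (url ~ /\.(png|jpe?g|gif|svg|css|js|ico|woff2?)$/) next
    if (!(url in seen)) { seen[url] = $1; print $1, url }
  }'
}

# Live lookup: query the CDX API for a domain and list its historical paths.
list_wayback_paths() {
  curl -s "$(cdx_url "$1")" | cdx_paths
}

# Constructed CDX rows (not real captures) in the same three-field format,
# so the parsing can be exercised offline.
sample_cdx() {
  cat <<'EOF'
20190301120000 https://example.com/ 200
20190301120500 https://example.com/admin/login.php 200
20190301120700 https://example.com/assets/app.js 200
20200815093000 https://example.com/admin/login.php?next=/dashboard 200
20200815093100 https://example.com/api/v1/users?id=1 200
20210101000000 https://example.com/old-backup.zip 200
EOF
}

# Usage: sh wayback_paths.sh example.com   (offline demo when no domain given)
if [ -n "${1:-}" ]; then
  list_wayback_paths "$1"
else
  sample_cdx | cdx_paths
fi
```

Run it with a domain to query the live index, or with no argument to see the parser work on the sample rows (four paths survive: the root, the login page, the API route and the backup archive). Every path it prints is worth requesting against the live host: a login page or backup archive that was unlinked years ago is not necessarily gone.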
Recon-ng Installation

```
apt-get update && apt-get install recon-ng
```

The apt package is in Kali's repositories; on other distributions install it from the GitHub repository instead (https://github.com/lanmaster53/recon-ng).
Recon-ng is an OSINT collection framework written in Python, built around modules and an interactive command-line interface. Each kind of collection (DNS, WHOIS, search engines, third-party API queries and so on) is packaged as a module; you run modules step by step inside a workspace, where the results are kept in a database and can be exported.
Recon-ng tutorial: https://hackertarget.com/recon-ng-tutorial/
The workflow is much like Metasploit's: load a module, set its options, then run it.
After starting recon-ng, marketplace search lists every module available for installation. In the listing, a * in the D column means the module has extra dependencies and one in the K column means it needs an API key; marketplace info on a module says which.
```
[recon-ng][default] > marketplace search

+--------------------------------------------------------------------------------------------------+
| Path                                              | Version |    Status     |  Updated   | D | K |
+--------------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop             | 1.1     | not installed | 2020-10-13 |   |   |
| discovery/info_disclosure/interesting_files       | 1.2     | not installed | 2021-10-04 |   |   |
| exploitation/injection/command_injector           | 1.0     | not installed | 2019-06-24 |   |   |
| exploitation/injection/xpath_bruter               | 1.2     | not installed | 2019-10-08 |   |   |
| import/csv_file                                   | 1.1     | not installed | 2019-08-09 |   |   |
| import/list                                       | 1.1     | not installed | 2019-06-24 |   |   |
| import/masscan                                    | 1.0     | not installed | 2020-04-07 |   |   |
| import/nmap                                       | 1.1     | not installed | 2020-10-06 |   |   |
| recon/companies-contacts/bing_linkedin_cache      | 1.0     | not installed | 2019-06-24 |   | * |
| recon/companies-contacts/censys_email_address     | 2.1     | not installed | 2022-01-31 | * | * |
| recon/companies-contacts/pen                      | 1.1     | not installed | 2019-10-15 |   |   |
| recon/companies-domains/censys_subdomains         | 2.1     | not installed | 2022-01-31 | * | * |
| recon/companies-domains/pen                       | 1.1     | not installed | 2019-10-15 |   |   |
| recon/companies-domains/viewdns_reverse_whois     | 1.1     | not installed | 2021-08-24 |   |   |
| recon/companies-domains/whoxy_dns                 | 1.1     | not installed | 2020-06-17 |   | * |
| recon/companies-multi/censys_org                  | 2.1     | not installed | 2022-01-31 | * | * |
| recon/companies-multi/censys_tls_subjects         | 2.1     | not installed | 2022-01-31 | * | * |
| recon/companies-multi/github_miner                | 1.1     | not installed | 2020-05-15 |   | * |
| recon/companies-multi/shodan_org                  | 1.1     | not installed | 2020-07-01 | * | * |
| recon/companies-multi/whois_miner                 | 1.1     | not installed | 2019-10-15 |   |   |
| recon/contacts-contacts/abc                       | 1.0     | not installed | 2019-10-11 | * |   |
| recon/contacts-contacts/mailtester                | 1.0     | not installed | 2019-06-24 |   |   |
| recon/contacts-contacts/mangle                    | 1.0     | not installed | 2019-06-24 |   |   |
| recon/contacts-contacts/unmangle                  | 1.1     | not installed | 2019-10-27 |   |   |
| recon/contacts-credentials/hibp_breach            | 1.2     | not installed | 2019-09-10 |   | * |
| recon/contacts-credentials/hibp_paste             | 1.1     | not installed | 2019-09-10 |   | * |
| recon/contacts-domains/censys_email_to_domains    | 2.1     | not installed | 2022-01-31 | * | * |
| recon/contacts-domains/migrate_contacts           | 1.1     | not installed | 2020-05-17 |   |   |
| recon/contacts-profiles/fullcontact               | 1.1     | not installed | 2019-07-24 |   | * |
| recon/credentials-credentials/adobe               | 1.0     | not installed | 2019-06-24 |   |   |
| recon/credentials-credentials/bozocrack           | 1.0     | not installed | 2019-06-24 |   |   |
| recon/credentials-credentials/hashes_org          | 1.0     | not installed | 2019-06-24 |   | * |
| recon/domains-companies/censys_companies          | 2.1     | not installed | 2022-01-31 | * | * |
| recon/domains-companies/pen                       | 1.1     | not installed | 2019-10-15 |   |   |
| recon/domains-companies/whoxy_whois               | 1.1     | not installed | 2020-06-24 |   | * |
| recon/domains-contacts/hunter_io                  | 1.3     | not installed | 2020-04-14 |   | * |
| recon/domains-contacts/metacrawler                | 1.1     | not installed | 2019-06-24 | * |   |
| recon/domains-contacts/pen                        | 1.1     | not installed | 2019-10-15 |   |   |
| recon/domains-contacts/pgp_search                 | 1.4     | not installed | 2019-10-16 |   |   |
| recon/domains-contacts/whois_pocs                 | 1.0     | not installed | 2019-06-24 |   |   |
| recon/domains-contacts/wikileaker                 | 1.0     | not installed | 2020-04-08 |   |   |
| recon/domains-domains/brute_suffix                | 1.1     | not installed | 2020-05-17 |   |   |
| recon/domains-hosts/binaryedge                    | 1.2     | not installed | 2020-06-18 |   | * |
| recon/domains-hosts/bing_domain_api               | 1.0     | not installed | 2019-06-24 |   | * |
| recon/domains-hosts/bing_domain_web               | 1.1     | not installed | 2019-07-04 |   |   |
| recon/domains-hosts/brute_hosts                   | 1.0     | not installed | 2019-06-24 |   |   |
| recon/domains-hosts/builtwith                     | 1.1     | not installed | 2021-08-24 |   | * |
| recon/domains-hosts/censys_domain                 | 2.1     | not installed | 2022-01-31 | * | * |
| recon/domains-hosts/certificate_transparency      | 1.3     | not installed | 2019-09-16 |   |   |
| recon/domains-hosts/google_site_web               | 1.0     | not installed | 2019-06-24 |   |   |
| recon/domains-hosts/hackertarget                  | 1.1     | installed     | 2020-05-17 |   |   |
| recon/domains-hosts/mx_spf_ip                     | 1.0     | not installed | 2019-06-24 |   |   |
| recon/domains-hosts/netcraft                      | 1.1     | not installed | 2020-02-05 |   |   |
| recon/domains-hosts/shodan_hostname               | 1.1     | not installed | 2020-07-01 | * | * |
| recon/domains-hosts/spyse_subdomains              | 1.1     | not installed | 2021-08-24 |   | * |
| recon/domains-hosts/ssl_san                       | 1.0     | not installed | 2019-06-24 |   |   |
| recon/domains-hosts/threatcrowd                   | 1.0     | not installed | 2019-06-24 |   |   |
| recon/domains-hosts/threatminer                   | 1.0     | not installed | 2019-06-24 |   |   |
| recon/domains-vulnerabilities/ghdb                | 1.1     | not installed | 2019-06-26 |   |   |
| recon/domains-vulnerabilities/xssed               | 1.1     | not installed | 2020-10-18 |   |   |
| recon/hosts-domains/migrate_hosts                 | 1.1     | not installed | 2020-05-17 |   |   |
| recon/hosts-hosts/bing_ip                         | 1.0     | not installed | 2019-06-24 |   | * |
| recon/hosts-hosts/censys_hostname                 | 2.1     | not installed | 2022-01-31 | * | * |
| recon/hosts-hosts/censys_ip                       | 2.1     | not installed | 2022-01-31 | * | * |
| recon/hosts-hosts/censys_query                    | 2.1     | not installed | 2022-01-31 | * | * |
| recon/hosts-hosts/ipinfodb                        | 1.2     | not installed | 2021-08-24 |   | * |
| recon/hosts-hosts/ipstack                         | 1.0     | not installed | 2019-06-24 |   | * |
| recon/hosts-hosts/resolve                         | 1.0     | not installed | 2019-06-24 |   |   |
| recon/hosts-hosts/reverse_resolve                 | 1.0     | not installed | 2019-06-24 |   |   |
| recon/hosts-hosts/ssltools                        | 1.0     | not installed | 2019-06-24 |   |   |
| recon/hosts-hosts/virustotal                      | 1.0     | not installed | 2019-06-24 |   | * |
| recon/hosts-locations/migrate_hosts               | 1.0     | not installed | 2019-06-24 |   |   |
| recon/hosts-ports/binaryedge                      | 1.0     | not installed | 2019-06-24 |   | * |
| recon/hosts-ports/shodan_ip                       | 1.2     | not installed | 2020-07-01 | * | * |
| recon/locations-locations/geocode                 | 1.0     | not installed | 2019-06-24 |   | * |
| recon/locations-locations/reverse_geocode         | 1.0     | not installed | 2019-06-24 |   | * |
| recon/locations-pushpins/flickr                   | 1.0     | not installed | 2019-06-24 |   | * |
| recon/locations-pushpins/shodan                   | 1.1     | not installed | 2020-07-07 | * | * |
| recon/locations-pushpins/twitter                  | 1.1     | not installed | 2019-10-17 |   | * |
| recon/locations-pushpins/youtube                  | 1.2     | not installed | 2020-09-02 |   | * |
| recon/netblocks-companies/censys_netblock_company | 2.1     | not installed | 2022-01-31 | * | * |
| recon/netblocks-companies/whois_orgs              | 1.0     | not installed | 2019-06-24 |   |   |
| recon/netblocks-hosts/censys_netblock             | 2.1     | not installed | 2022-01-31 | * | * |
| recon/netblocks-hosts/reverse_resolve             | 1.0     | not installed | 2019-06-24 |   |   |
| recon/netblocks-hosts/shodan_net                  | 1.2     | not installed | 2020-07-21 | * | * |
| recon/netblocks-hosts/virustotal                  | 1.0     | not installed | 2019-06-24 |   | * |
| recon/netblocks-ports/census_2012                 | 1.0     | not installed | 2019-06-24 |   |   |
| recon/netblocks-ports/censysio                    | 1.0     | not installed | 2019-06-24 |   | * |
| recon/ports-hosts/migrate_ports                   | 1.0     | not installed | 2019-06-24 |   |   |
| recon/ports-hosts/ssl_scan                        | 1.1     | not installed | 2021-08-24 |   |   |
| recon/profiles-contacts/bing_linkedin_contacts    | 1.2     | not installed | 2021-08-24 |   | * |
| recon/profiles-contacts/dev_diver                 | 1.1     | not installed | 2020-05-15 |   |   |
| recon/profiles-contacts/github_users              | 1.0     | not installed | 2019-06-24 |   | * |
| recon/profiles-profiles/namechk                   | 1.0     | not installed | 2019-06-24 |   | * |
| recon/profiles-profiles/profiler                  | 1.2     | not installed | 2023-12-30 |   |   |
| recon/profiles-profiles/twitter_mentioned         | 1.0     | not installed | 2019-06-24 |   | * |
| recon/profiles-profiles/twitter_mentions          | 1.0     | not installed | 2019-06-24 |   | * |
| recon/profiles-repositories/github_repos          | 1.1     | not installed | 2020-05-15 |   | * |
| recon/repositories-profiles/github_commits        | 1.0     | not installed | 2019-06-24 |   | * |
| recon/repositories-vulnerabilities/gists_search   | 1.0     | not installed | 2019-06-24 |   |   |
| recon/repositories-vulnerabilities/github_dorks   | 1.0     | not installed | 2019-06-24 |   | * |
| reporting/csv                                     | 1.0     | not installed | 2019-06-24 |   |   |
| reporting/html                                    | 1.0     | not installed | 2019-06-24 |   |   |
| reporting/json                                    | 1.0     | not installed | 2019-06-24 |   |   |
| reporting/list                                    | 1.0     | not installed | 2019-06-24 |   |   |
| reporting/proxifier                               | 1.0     | not installed | 2019-06-24 |   |   |
| reporting/pushpin                                 | 1.0     | not installed | 2019-06-24 |   | * |
| reporting/xlsx                                    | 1.0     | not installed | 2019-06-24 |   |   |
| reporting/xml                                     | 1.1     | not installed | 2019-06-24 |   |   |
+--------------------------------------------------------------------------------------------------+
```
Next, a demonstration of using hackertarget to find hostnames.
First install the hackertarget module:

```
marketplace install hackertarget
```

Then load it (recon-ng matches partial names; the full path from the listing is recon/domains-hosts/hackertarget):

```
modules load hackertarget
```
Run info to see which options it needs:
```
[recon-ng][default][hackertarget] > info

      Name: HackerTarget Lookup
    Author: Michael Henriksen (@michenriksen)
   Version: 1.1

Description:
  Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE                 yes       source of input (see 'info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs
```
SOURCE is the one required option: it is the domain to reconnoitre, and google.com is used as the example here.
Set SOURCE to that domain, then run info again: the Current Value column now shows google.com.
```
[recon-ng][default][hackertarget] > info

      Name: HackerTarget Lookup
    Author: Michael Henriksen (@michenriksen)
   Version: 1.1

Description:
  Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  google.com     yes       source of input (see 'info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs
```
Typing run executes the module.
Results are printed as it runs, and afterwards show hosts prints the collected hosts as a table. Two things worth knowing: the module only talks to the HackerTarget API, never to the target, so this is passive reconnaissance; and the hosts table persists in the workspace, so later modules can take their input from it instead of from a hand-typed SOURCE.
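The steps above are what you type at the prompt. As an added example (not code from the original post or from the recon-ng project), here is the same lookup driven from a resource file so it can be repeated against every domain in scope. recon-ng 5.x reads such a file with its -r option, options set SOURCE is the command that sets the option shown in the info output, and reporting/csv (in the marketplace listing above) writes the hosts table to disk in place of show hosts. The workspace name osint-demo, the output path and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post or from the recon-ng project:
# the interactive steps (install, load, set SOURCE, run, show hosts) written
# as a resource file so the lookup is repeatable and scriptable.
# recon-ng 5.x accepts such a file with "-r"; the workspace name "osint-demo",
# the output path and the function names are this example's own choices.
# Assumptions: recon-ng 5.x is on PATH and the target domain is in scope.

# Emit the command list recon-ng would otherwise read at the prompt.
# Full module paths are used so partial-name matching cannot pick the wrong
# module; reporting/csv dumps the hosts table instead of "show hosts".
# $1 = target domain, $2 = CSV output path
build_rc() {
  cat <<EOF
marketplace install recon/domains-hosts/hackertarget
modules load recon/domains-hosts/hackertarget
options set SOURCE $1
run
marketplace install reporting/csv
modules load reporting/csv
options set TABLE hosts
options set FILENAME $2
run
exit
EOF
}

# The domain is spliced into a command file that recon-ng executes line by
# line, so accept only hostname syntax: labels of letters, digits and
# hyphens joined by dots, at least two labels, no spaces or metacharacters.
valid_domain() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Run the lookup in its own workspace and leave a CSV of discovered hosts.
run_recon() {
  domain="$1"
  out="${2:-hosts.csv}"
  valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
  rc="$(mktemp)"
  build_rc "$domain" "$out" > "$rc"
  recon-ng -w osint-demo -r "$rc"
  rm -f "$rc"
  echo "hosts written to $out"
}

# Usage: sh recon_hosts.sh google.com hosts.csv
if [ -n "${1:-}" ]; then
  run_recon "$1" "${2:-hosts.csv}"
fi
```

The domain is validated before it is written into the command file, because whatever lands in that file is executed by recon-ng's command loop; a domain list copied from a scope document is still untrusted input. The trailing exit matters too: without it recon-ng drops into the interactive prompt after the last command instead of returning to the shell.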
Whois.domaintools Link: https://whois.domaintools.com/
This site shows registration details for a domain: the registrar, when it was registered, when it expires, when it was last updated, and so on. Registrant names and contacts are often redacted for privacy these days, but the registrar, the dates and the name servers are still shown, and those are enough to tie related domains together or to spot one that is about to lapse.
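The same fields can be pulled with the command-line whois client. The following is an added example (not from the original post) that keeps only the registrar, the lifecycle dates and the name servers from a WHOIS record; the sample record is constructed, not a real registry response, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the registrar / creation /
# expiry / update fields the domaintools page shows, pulled with the
# command-line whois client and filtered down to the lines that matter.
# Function names are this example's own; the sample WHOIS text below is
# constructed, not a real registry record.

# Keep only the registrar, the three lifecycle dates and the name servers.
# Labels are anchored to the colon so "Registrar WHOIS Server:" and
# "Registrar IANA ID:" do not slip through; the whois client often prints the
# registry's answer followed by the registrar's, so duplicates are collapsed.
whois_summary() {
  grep -Ei '^[[:space:]]*(Registrar|Creation Date|Registry Expiry Date|Updated Date|Name Server):' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' \
    | sort -u
}

# Live lookup (requires the whois client and network access).
domain_summary() {
  whois "$1" | whois_summary
}

# Constructed sample in the layout most gTLD registries use, including the
# repeated registrar section the real client output tends to contain.
sample_whois() {
  cat <<'EOF'
   Domain Name: EXAMPLE.COM
   Registry Domain ID: 2336799_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.example-registrar.test
   Updated Date: 2023-08-14T07:01:38Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2024-08-13T04:00:00Z
   Registrar: Example Registrar, LLC
   Registrar IANA ID: 376
   Name Server: A.IANA-SERVERS.NET
   Name Server: B.IANA-SERVERS.NET
   DNSSEC: signedDelegation
>>> Last update of whois database: 2023-09-01T10:00:00Z <<<

Registrar: Example Registrar, LLC
Updated Date: 2023-08-14T07:01:38Z
EOF
}

# Usage: sh whois_summary.sh example.com   (offline demo when no domain given)
if [ -n "${1:-}" ]; then
  domain_summary "$1"
else
  sample_whois | whois_summary
fi
```

On the sample record six lines survive: the creation, expiry and update dates, the registrar, and the two name servers. The name servers are the part worth keeping for recon, since shared name servers are one of the quickest ways to find sibling domains of the same organisation.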
Summary Today I covered a few tools for learning about a site's domain. They help both as direct input to a later penetration test and as leads to follow up on.