Domain Information Gathering
- Domain registration (WHOIS) lookup:
  - https://whois.aliyun.com/
  - https://www.whois365.com/cn/
  - http://whois.chinaz.com/
  - https://icplishi.com/
  - the whois command, or the python whois.py script
- ICP filing (备案) lookup:
  - https://beian.miit.gov.cn/
  - http://www.beian.gov.cn/portal/registerSystemInfo
  - http://icp.chinaz.com/
  - https://icplishi.com/
Subdomain Enumeration
- Search engines (Google, Bing, Baidu): site:hetianlab.com
- Third-party tools:
  - https://dnsdumpster.com/
  - https://www.dnsgrep.cn/
  - https://developers.virustotal.com/reference/domains-relationships
  - http://tool.chinaz.com/subdomain
  - https://phpinfo.me/domain/
  - https://www.nmmapper.com/sys/tools/subdomainfinder/
- Cyberspace search engines:
  - https://fofa.info/
  - https://www.zoomeye.org/
  - https://hunter.qianxin.com/
  - https://www.shodan.io/
- SSL certificate lookup:
  - https://crt.sh/
  - https://developers.facebook.com/tools/ct/search/
- Subdomain discovery from JS files:
  - https://github.com/Threezh1/JSFinder
- Subdomain enumeration tools:
  - 子域名挖掘机 (Subdomain Miner)
  - OneForAll (https://github.com/shmilylty/OneForAll)
  - Subdomainsbrute (https://github.com/lijiejie/subDomainsBrute)
  - Sublist3r (https://github.com/aboul3la/Sublist3r)
  - ESD (https://github.com/FeeiCN/ESD)
  - dnsbrute (https://github.com/Q2h1Cg/dnsbrute)
  - Anubis (https://github.com/jonluca/Anubis)
  - subdomain3 (https://github.com/yanxiu0614/subdomain3)
  - teemo (https://github.com/bit4woo/teemo)
  - Sudomy (https://github.com/screetsec/Sudomy)
  - ARL (https://github.com/TophantTechnology/ARL)
  - SubFinder + KSubdomain + HttpX
- Sites sharing the same IP (旁站) and the surrounding C-class (/24) range:
  - http://stool.chinaz.com/same
  - https://tools.ipip.net/ipdomain.php
  - https://www.dnsgrep.cn/
  - https://site.ip138.com/
Port Information Gathering
- Nmap:
  - https://nmap.org/man/zh/
  - Common commands:
    - nmap -A -T4 192.168.1.1 (comprehensive scan)
    - nmap -sS -v -T4 -Pn -p 0-65535 -oN FullTCP -iL liveHosts.txt (scan all ports)
    - nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt (OS detection)
    - nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt (version detection)
    - nmap.exe -p445 -v --script smb-ghost 192.168.1.0/24 (vulnerability scan)
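Added example (not from this page or from the nmap project): a parser for the grepable (-oG) output that the OSDetect/ServiceDetect commands above write, turning a scan into a per-host list of open ports that can be diffed against an approved-services baseline. The scan output below is constructed for illustration.

```python
"""Parse nmap grepable (-oG) output into structured host/port records."""
from dataclasses import dataclass, field

# Constructed sample (not real scan data): what the -sV/-O runs above could
# write. Tabs separate fields; "/" separates the sub-fields of a port entry.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sV -O -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt\n"
    "Host: 192.168.1.10 (fileserver.lan)\tStatus: Up\n"
    "Host: 192.168.1.10 (fileserver.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "445/open/tcp//microsoft-ds//Samba smbd 4.x/, 3389/filtered/tcp//ms-wbt-server///"
    "\tIgnored State: closed (997)\n"
    "Host: 192.168.1.20 ()\tStatus: Up\n"
    "Host: 192.168.1.20 ()\tPorts: 80/open/tcp//http//nginx 1.18.0/"
    "\tOS: Linux 5.4 - 5.10\tIgnored State: closed (999)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

@dataclass
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str

@dataclass
class HostRecord:
    ip: str
    hostname: str
    os: str = ""
    ports: list = field(default_factory=list)

def parse_grepable(text: str) -> dict:
    """Return {ip: HostRecord}; Status, Ports and OS lines of one host are merged."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '#' comment header and trailer
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, _, rest = fields["Host"].partition(" (")
        rec = hosts.setdefault(ip, HostRecord(ip, rest.rstrip(")")))
        rec.os = fields.get("OS", rec.os)
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            # port/state/protocol/owner/service/rpc-info/version
            num, state, proto, _owner, svc, _rpc, ver = entry.split("/", 6)
            rec.ports.append(Port(int(num), state, proto, svc, ver.rstrip("/")))
    return hosts

def open_ports(hosts: dict) -> dict:
    """Exposure summary per host: sorted list of ports nmap reports as open."""
    return {ip: sorted(p.number for p in h.ports if p.state == "open") for ip, h in hosts.items()}
```

Filtered and closed ports are kept in the records but left out of the summary, so a repeated scan compared with the previous one highlights newly exposed services.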
Website Information Gathering
- Operating system:
- Web server / container type:
  - Check the Server field of the response headers
  - WhatWeb (https://www.whatweb.net/)
  - Wappalyzer browser extension
- Scripting language:
- Database type:
- CMS identification:
  - WhatWeb (https://www.whatweb.bugscaner.com/look/)
  - Onlinetools (https://github.com/iceyhexman/onlinetools)
  - https://pentest.gdpcisa.org/
- Sensitive files / directories:
  - 御剑 (Yujian)
  - BBScan
  - dirsearch (https://github.com/maurosoria/dirsearch)
  - dirmap (https://github.com/H4ckForJob/dirmap)
- Version control leaks:
  - .git leak (GitHack: https://github.com/lijiejie/GitHack)
  - .svn leak (svnExploit: https://github.com/admintony/svnExploit)
- Website backup files:
  - 7kbscan-WebPathBrute (https://github.com/7kbstorm/7kbscan-WebPathBrute)
- WAF identification:
  - wafw00f (https://github.com/EnableSecurity/wafw00f)
  - nmap -p80,443 --script http-waf-detect ip
  - nmap -p80,443 --script http-waf-fingerprint ip
Other
- Live host discovery in the C-class (/24) range:
  - nmap -sP www.XXX.com/24
- CDN detection: ping from multiple locations; access from overseas
- CDN bypass: query subdomain IPs, the MX records (mail servers), and historical DNS records