Subdomain collection in one command

admin, 14 July 2022 21:51:22

It is often said that penetration testing is, at bottom, information gathering.

When white-hat testers do routine penetration tests and bug hunting they are usually handed domain assets or IP assets. How do you find the weak points quickly and accurately? By widening the asset surface. For an IP range that is brute and simple: sweep the range and its ports. For a domain it means collecting subdomains, usually with tools such as Layer子域名挖掘机, online subdomain collectors or OneForAll. This article shows how to combine several tools so that subdomain collection, validation and simple fingerprinting happen in one pass.

1 Tools

  • ksubdomain (https://github.com/boy-hack/ksubdomain)
  • subfinder (https://github.com/projectdiscovery/subfinder)
  • httpx (https://github.com/projectdiscovery/httpx)

2 Tool overview

  • ksubdomain

ksubdomain is a stateless subdomain brute-forcing tool, in the same spirit as a stateless port scanner: it sends DNS queries without waiting on each answer, runs fast on Windows/Linux/Mac, and has a retransmission mechanism so dropped packets are not lost.

USAGE:

   ./ksubdomain enum -h

NAME:
ksubdomain enum - enumerate (brute-force) subdomains

USAGE:
ksubdomain enum [command options] [arguments...]

OPTIONS:
--band value, -b value bandwidth to use (downlink speed), e.g. 5M, 5K, 5G (default: "2m")
--resolvers value, -r value path to a file of DNS servers, one address per line
--output value, -o value output file name
--silent print only domain names to the screen (default: false)
--retry value number of retries; -1 retries forever (default: 3)
--timeout value timeout (default: 6)
--stdin read input from stdin (default: false)
--only-domain, --od print only the domain, without the IP (default: false)
--not-print, --np do not print domain results (default: false)
--dns-type value DNS record type: 1 = A, 2 = NS, 5 = CNAME, 16 = TXT (default: 1)
--domain value, -d value domain to brute-force
--domainList value, --dl value read the domains to brute-force from a file
--filename value, -f value wordlist path
--skip-wild skip domains with wildcard resolution (default: false)
--level value, -l value how many label levels to enumerate; default 2, i.e. names one label below the target (default: 2)
--level-dict value, --ld value wordlist for the deeper levels, used when level is greater than 2; a built-in list is used if omitted
--help, -h show help (default: false)


  • subfinder

Subfinder is a subdomain discovery tool that finds valid subdomains of a site using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built to do one thing, passive subdomain enumeration, and it does it well.

USAGE:

  subfinder -h

Flags:
INPUT:
-d, -domain string[] domains to find subdomains for
-dL, -list string file containing list of domains for subdomain discovery

SOURCE:
-s, -sources string[] sources to use for discovery (-s crtsh,github)
-recursive use only recursive sources
-all Use all sources (slow) for enumeration
-es, -exclude-sources string[] sources to exclude from enumeration (-es archiveis,zoomeye)

RATE-LIMIT:
-rl, -rate-limit int maximum number of http requests to send per second
-t int number of concurrent goroutines for resolving (-active only) (default 10)

OUTPUT:
-o, -output string file to write output to
-oJ, -json write output in JSONL(ines) format
-oD, -output-dir string directory to write output (-dL only)
-cs, -collect-sources include all sources in the output (-json only)
-oI, -ip include host IP in output (-active only)

CONFIGURATION:
-config string flag config file (default "$HOME/.config/subfinder/config.yaml")
-pc, -provider-config string provider config file (default "$HOME/.config/subfinder/provider-config.yaml")
-r string[] comma separated list of resolvers to use
-rL, -rlist string file containing list of resolvers to use
-nW, -active display active subdomains only
-proxy string http proxy to use with subfinder

DEBUG:
-ls list all available sources
-silent show only subdomains in output
-version show version of subfinder
-v show verbose output
-nc, -no-color disable color in output

OPTIMIZATION:
-timeout int seconds to wait before timing out (default 30)
-max-time int minutes to wait for enumeration results (default 10)


  • httpx

httpx is a fast and multi-purpose HTTP toolkit that runs multiple probes using the retryablehttp library; it is designed to keep results reliable as the thread count grows.

USAGE:

  ./httpx [flags]

Flags:
INPUT:
-l, -list string input file containing list of hosts to process
-rr, -request string file containing raw request

PROBES:
-sc, -status-code display response status-code
-cl, -content-length display response content-length
-ct, -content-type display response content-type
-location display response redirect location
-favicon display mmh3 hash for '/favicon.ico' file
-hash string display response body hash (supported: md5,mmh3,simhash,sha1,sha256,sha512)
-jarm display jarm fingerprint hash
-rt, -response-time display response time
-lc, -line-count display response body line count
-wc, -word-count display response body word count
-title display page title
-server, -web-server display server name
-td, -tech-detect display technology in use based on wappalyzer dataset
-method display http request method
-websocket display server using websocket
-ip display host ip
-cname display host cname
-asn display host asn information
-cdn display cdn in use
-probe display probe status

MATCHERS:
-mc, -match-code string match response with specified status code (-mc 200,302)
-ml, -match-length string match response with specified content length (-ml 100,102)
-mlc, -match-line-count string match response body with specified line count (-mlc 423,532)
-mwc, -match-word-count string match response body with specified word count (-mwc 43,55)
-mfc, -match-favicon string[] match response with specified favicon hash (-mfc 1494302000)
-ms, -match-string string match response with specified string (-ms admin)
-mr, -match-regex string match response with specified regex (-mr admin)
-mcdn, -match-cdn string[] match host with specified cdn provider (azure, cloudflare, cloudfront, fastly, incapsula, oracle, google, akamai, sucuri, leaseweb)
-mrt, -match-response-time string match response with specified response time in seconds (-mrt '< 1')

EXTRACTOR:
-er, -extract-regex string[] Display response content with matched regex
-ep, -extract-preset string[] Display response content with matched preset regex

FILTERS:
-fc, -filter-code string filter response with specified status code (-fc 403,401)
-fl, -filter-length string filter response with specified content length (-fl 23,33)
-flc, -filter-line-count string filter response body with specified line count (-flc 423,532)
-fwc, -filter-word-count string filter response body with specified word count (-fwc 423,532)
-ffc, -filter-favicon string[] filter response with specified favicon hash (-ffc 1494302000)
-fs, -filter-string string filter response with specified string (-fs admin)
-fe, -filter-regex string filter response with specified regex (-fe admin)
-fcdn, -filter-cdn string[] filter host with specified cdn provider (azure, cloudflare, cloudfront, fastly, incapsula, oracle, google, akamai, sucuri, leaseweb)
-frt, -filter-response-time string filter response with specified response time in seconds (-frt '> 1')

RATE-LIMIT:
-t, -threads int number of threads to use (default 50)
-rl, -rate-limit int maximum requests to send per second (default 150)
-rlm, -rate-limit-minute int maximum number of requests to send per minute

MISCELLANEOUS:
-pa, -probe-all-ips probe all the ips associated with same host
-p, -ports string[] ports to probe (nmap syntax: eg 1,2-10,11)
-path string path or list of paths to probe (comma-separated, file)
-tls-probe send http probes on the extracted TLS domains (dns_name)
-csp-probe send http probes on the extracted CSP domains
-tls-grab perform TLS(SSL) data grabbing
-pipeline probe and display server supporting HTTP1.1 pipeline
-http2 probe and display server supporting HTTP2
-vhost probe and display server supporting VHOST

OUTPUT:
-o, -output string file to write output results
-sr, -store-response store http response to output directory
-srd, -store-response-dir string store http response to custom directory
-csv store output in csv format
-json store output in JSONL(ines) format
-irr, -include-response include http request/response in JSON output (-json only)
-include-chain include redirect http chain in JSON output (-json only)
-store-chain include http redirect chain in responses (-sr only)

CONFIGURATIONS:
-r, -resolvers string[] list of custom resolver (file or comma separated)
-allow string[] allowed list of IP/CIDR's to process (file or comma separated)
-deny string[] denied list of IP/CIDR's to process (file or comma separated)
-sni, -sni-name string Custom TLS SNI name
-random-agent Enable Random User-Agent to use (default true)
-H, -header string[] custom http headers to send with request
-http-proxy, -proxy string http proxy to use (eg http://127.0.0.1:8080)
-unsafe send raw requests skipping golang normalization
-resume resume scan using resume.cfg
-fr, -follow-redirects follow http redirects
-maxr, -max-redirects int max number of redirects to follow per host (default 10)
-fhr, -follow-host-redirects follow redirects on the same host
-vhost-input get a list of vhosts as input
-x string request methods to probe, use 'all' to probe all HTTP methods
-body string post body to include in http request
-s, -stream stream mode - start elaborating input targets without sorting
-sd, -skip-dedupe disable dedupe input items (only used with stream mode)
-ldp, -leave-default-ports leave default http/https ports in host header (eg. http://host:80 - https://host:443)

DEBUG:
-health-check, -hc run diagnostic check up
-debug display request/response content in cli
-debug-req display request content in cli
-debug-resp display response content in cli
-version display httpx version
-stats display scan statistic
-silent silent mode
-v, -verbose verbose mode
-si, -stats-interval int number of seconds to wait between showing a statistics update (default: 5)
-nc, -no-color disable colors in cli output

OPTIMIZATIONS:
-nf, -no-fallback display both probed protocol (HTTPS and HTTP)
-nfs, -no-fallback-scheme probe with protocol scheme specified in input
-maxhr, -max-host-error int max error count per host before skipping remaining path/s (default 30)
-ec, -exclude-cdn skip full port scans for CDNs (only checks for 80,443)
-retries int number of retries
-timeout int timeout in seconds (default 5)
-rsts, -response-size-to-save int max response size to save in bytes (default 2147483647)
-rstr, -response-size-to-read int max response size to read in bytes (default 2147483647)

3 Using the tools

To use them, first put your API keys for subfinder's various search-engine sources into its provider config file, then run subfinder to collect subdomains from those sources; next hand the names to ksubdomain to verify them (its enum mode can brute-force more with a wordlist); finally use httpx to probe which of them serve HTTP and print the results.

That sounds like several steps, but the three commands can be chained with a pipe so the whole thing runs as one command.

The pipe symbol is |. It links two or more commands, passing the output of the command on the left as the input of the command on the right.

For example, to collect the subdomains of baidu.com from a PowerShell prompt in the directory holding the three binaries (v is ksubdomain's verify mode, which resolves the names it is given instead of brute-forcing a wordlist, and --only-domain keeps the IP column out of what httpx receives):

.\subfinder.exe -d baidu.com -silent | .\ksubdomain.exe v --silent --only-domain --stdin | .\httpx.exe -status-code -title -td -follow-redirects -ip

The output then looks like this. Quite convenient, isn't it?

[Screenshot of the pipeline's output, not reproduced here]
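The three steps of this section, as an added POSIX shell example for Linux/macOS (the command above is the Windows form); this is not code from the original post or from the subfinder, ksubdomain or httpx projects. It assumes the three binaries are on PATH, that ksubdomain is allowed to open raw sockets (it captures replies with libpcap, so root on Linux and Npcap on Windows), and the provider-config keys it writes are placeholders. It also adds a scope filter that the original pipeline lacks: passive sources return mixed case, full URLs, "*." certificate names and the occasional unrelated host, and nothing that is not the target or one of its subdomains should reach the resolver or the prober. One caveat survives the filter: --skip-wild is an enum option, so on a wildcard-DNS domain verify mode confirms every candidate, and the httpx filters (-fl, -fs, -fcdn) are what separate real hosts from the catch-all.

```shell
#!/bin/sh
# Added example (not from the original post or the three projects): the
# subfinder -> ksubdomain -> httpx chain in POSIX shell for Linux/macOS.
# Assumes: the three binaries are on PATH; ksubdomain can open raw sockets
# (root on Linux); the provider-config keys below are placeholders.
set -eu

# Normalize the names a passive source hands back and keep only the target
# domain and its subdomains. Reads names on stdin, prints a sorted unique list.
in_scope() {
  root=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  # sed: drop scheme, :port and /path, a trailing dot (FQDN form), and the "*."
  # of wildcard certificate names so "*.example.com" keeps its base name
  tr -d '\r' | tr 'A-Z' 'a-z' \
    | sed -e 's#^[a-z][a-z0-9+.-]*://##' -e 's#[/:].*$##' \
          -e 's/\.$//' -e 's/^\*\.//' -e 's/^\.//' \
    | awk -v root="$root" \
        'NF && ($0 == root || substr($0, length($0) - length(root)) == "." root)' \
    | LC_ALL=C sort -u
}

# subfinder reads API keys for its keyed sources from provider-config.yaml,
# one list of keys per source name. Placeholder values, not real keys.
write_provider_config() {
  path="${1:-$HOME/.config/subfinder/provider-config.yaml}"
  mkdir -p "$(dirname "$path")"
  cat > "$path" <<'EOF'
shodan:
  - SHODAN_API_KEY_PLACEHOLDER
github:
  - GITHUB_TOKEN_PLACEHOLDER
virustotal:
  - VIRUSTOTAL_API_KEY_PLACEHOLDER
EOF
}

# The chain, with each intermediate kept on disk so httpx can be re-run with
# other probes or filters without re-querying the passive sources.
run_pipeline() {
  target="$1"; out="${2:-recon_$1}"
  for t in subfinder ksubdomain httpx; do
    command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
  done
  mkdir -p "$out"
  # 1. passive collection; -silent keeps the banner out of the pipe
  subfinder -d "$target" -all -silent | in_scope "$target" > "$out/candidates.txt"
  # 2. resolve; verify mode (v) reads names from stdin instead of brute-forcing
  #    a wordlist as enum does, and --only-domain drops the IP column
  ksubdomain v --stdin --silent --only-domain < "$out/candidates.txt" \
    | in_scope "$target" > "$out/resolved.txt"
  # 3. probe; JSONL keeps every field (status, title, tech, ip, cdn) for triage
  httpx -l "$out/resolved.txt" -silent -json -status-code -title -td \
        -follow-redirects -ip -cdn -o "$out/httpx.jsonl"
}

# Usage: run_pipeline baidu.com ./recon_baidu.com
```

Run write_provider_config once, then run_pipeline per target; candidates.txt, resolved.txt and httpx.jsonl stay in the output directory so a later httpx pass with different matchers or filters only costs the HTTP probes.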


- This article is written to share network security knowledge; do not use the techniques for any act that harms network security. Any direct or indirect consequence or loss caused by spreading or using the information in this article is the sole responsibility of the user and has nothing to do with the author.

Originally published on the WeChat public account XK Team as "一键搞定子域名收集" (Subdomain collection in one command)

Reposted by CN-SEC 中文网 (please keep this link when reposting): https://cn-sec.com/archives/1178685.html
