I have recently been learning to write scripts. In this post I walk through several information-gathering scripts so that readers can understand the principles behind some common reconnaissance tools.
After identifying a target during a penetration test, the first step is to collect its assets. Subdomain collection is essential here: the more domain names you find, the larger the attack surface.
Subdomain collection

    import time
    import requests
    import tldextract

    head = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0'}  # request headers

    for yuming in open("yuming.txt"):  # load the target domains
        yuming = yuming.replace('\n', '')  # strip the newline
        extracted = tldextract.extract(yuming)  # split the domain into its parts
        root = extracted.registered_domain  # keep the registered (root) domain
        print(root)
        for name in open("ziyuming.txt"):  # load the subdomain wordlist
            name = name.replace('\n', '')  # strip the newline
            url = name + '.' + root  # build the candidate host name
            try:
                # allow_redirects=False so a 302 is reported as 302 instead of being followed
                response = requests.get(url='http://' + url, headers=head, timeout=3, allow_redirects=False)  # try the request
                if response.status_code in [200, 302, 403]:  # any of these codes means the name exists
                    print(url + '--exists')
                    time.sleep(0.1)  # small delay between hits
            except Exception as e:
                continue
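Seen from the DNS server's side, a wordlist run like the one above is a single client asking for many distinct names under one registered domain, most of which do not exist. The following is an added example (not from the original post) that flags that pattern in resolver query logs; it assumes a log line format of "<timestamp> <client_ip> <qname> <rcode>", uses a simplified last-two-labels root extraction instead of tldextract, and runs over constructed sample lines.

```python
"""Spot subdomain enumeration in resolver query logs (added example)."""
from collections import defaultdict

# Constructed sample log lines (not real traffic). 10.0.0.5 walks a wordlist
# against example.com; 10.0.0.9 is a normal client repeating a few lookups.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 www.example.com NOERROR
2024-05-01T10:00:01Z 10.0.0.5 mail.example.com NOERROR
2024-05-01T10:00:01Z 10.0.0.5 dev.example.com NXDOMAIN
2024-05-01T10:00:01Z 10.0.0.5 test.example.com NXDOMAIN
2024-05-01T10:00:02Z 10.0.0.5 staging.example.com NXDOMAIN
2024-05-01T10:00:02Z 10.0.0.5 vpn.example.com NXDOMAIN
2024-05-01T10:00:02Z 10.0.0.5 old.example.com NXDOMAIN
2024-05-01T10:00:03Z 10.0.0.5 beta.example.com NXDOMAIN
2024-05-01T10:00:05Z 10.0.0.9 www.example.com NOERROR
2024-05-01T10:00:06Z 10.0.0.9 www.example.com NOERROR
2024-05-01T10:00:07Z 10.0.0.9 mail.example.com NOERROR
"""


def registered_domain(qname):
    """Return the last two labels of a name.

    Simplification (assumption): a real deployment would use tldextract, as the
    script above does, so that names under multi-part suffixes such as co.uk
    group correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Split one log line into the four assumed fields."""
    ts, client, qname, rcode = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(), "rcode": rcode}


def find_enumeration(log_text, min_names=5, min_nx_ratio=0.5):
    """Return one alert per (client, registered domain) that looks like a wordlist run.

    A client is flagged when it queried at least min_names distinct names under
    the same registered domain and at least min_nx_ratio of those queries
    returned NXDOMAIN.
    """
    stats = defaultdict(lambda: {"names": set(), "nx": 0, "total": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["client"], registered_domain(rec["qname"]))
        entry = stats[key]
        entry["names"].add(rec["qname"])
        entry["total"] += 1
        if rec["rcode"] == "NXDOMAIN":
            entry["nx"] += 1

    alerts = []
    for (client, domain), entry in stats.items():
        nx_ratio = entry["nx"] / entry["total"]
        if len(entry["names"]) >= min_names and nx_ratio >= min_nx_ratio:
            alerts.append({
                "client": client,
                "domain": domain,
                "distinct_names": len(entry["names"]),
                "nxdomain_ratio": round(nx_ratio, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips them; in production they should be tuned per zone, and the grouping would normally be bounded by a time window rather than by the whole file.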
After collecting the domain names, you need to resolve them to their real IP addresses so that the C segment (/24) can be scanned later.
Domain name reverse lookup to IP

    import socket  # import the module

    for yuming in open("yuming.txt"):  # load the domain list
        yuming = yuming.replace('\n', '')  # strip the newline
        try:
            ip = socket.gethostbyname(yuming)  # resolve the name with gethostbyname()
            print(ip)  # print the IP
        except socket.gaierror as e:  # a name that does not resolve must not abort the loop
            print(yuming + ' -- ' + str(e))
(They are all CDN addresses.)
After the reverse lookup, the IP you obtain may not be the real one, and most likely is not: large enterprises usually put their sites behind a CDN, so the next step is to judge whether a CDN is in use.
CDN detection

    import subprocess  # run nslookup without passing the domain through a shell

    for yuming in open("yuming.txt"):  # load the domain list
        yuming = yuming.replace('\n', '')  # strip the newline
        cdn_data = subprocess.run(['nslookup', yuming], capture_output=True, text=True).stdout  # run the command and capture its output
        x = cdn_data.count(".")  # count the "." characters
        # print(cdn_data)
        if x >= 10:  # 10 or more dots means a CDN is present
            print("has CDN")
        else:
            print("no CDN")
Principle: if the domain is behind a CDN, nslookup returns several addresses, so cdn_data contains more than 9 "." characters; without a CDN there are only 9. This is a crude way to tell whether a CDN is present.
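The dot count depends on the exact nslookup layout and on the addresses being IPv4, so it is easy to get wrong: the resolver's own address and the queried name contribute dots too, and an IPv6 answer contributes none. The following added example (not part of the original post) parses the answer section of nslookup-style output and counts distinct returned addresses instead; the three outputs are constructed in the Linux/BIND "Non-authoritative answer" layout, not real lookups.

```python
"""Count answer addresses in nslookup output instead of counting dots (added example)."""
import re

# Constructed nslookup outputs (Linux layout; not real lookups).
SINGLE_A = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\tshop.example.com
Address: 198.51.100.7
"""

MULTI_A = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\tcdn.example.com
Address: 203.0.113.10
Name:\tcdn.example.com
Address: 203.0.113.11
Name:\tcdn.example.com
Address: 203.0.113.12
"""

MULTI_AAAA = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\tv6.example.com
Address: 2001:db8:1::10
Name:\tv6.example.com
Address: 2001:db8:1::11
Name:\tv6.example.com
Address: 2001:db8:1::12
"""

# "Address:" or "Addresses:" followed by the value on the same line.
ADDR_RE = re.compile(r"^Address(?:es)?:\s*(\S+)", re.MULTILINE)


def dot_count_says_cdn(output, threshold=10):
    """The heuristic from the script above: 10 or more '.' characters means a CDN."""
    return output.count(".") >= threshold


def answer_addresses(output):
    """Return the distinct addresses in the answer section, in order of appearance.

    The resolver's own "Address:" line is excluded by taking only the text after
    the "answer:" marker when present; as a fallback, addresses carrying the
    "#port" suffix that nslookup prints for the server are dropped.
    """
    answer = output.split("answer:", 1)[1] if "answer:" in output else output
    seen = []
    for match in ADDR_RE.finditer(answer):
        value = match.group(1)
        if "#" in value:  # resolver address such as 192.0.2.53#53
            continue
        if value not in seen:
            seen.append(value)
    return seen


def likely_cdn(output, min_answers=2):
    """Several distinct answers is the signal the original heuristic is approximating.

    It is still only a hint: round-robin DNS also returns several records, and a
    CDN can sit behind a single anycast address.
    """
    return len(answer_addresses(output)) >= min_answers


if __name__ == "__main__":
    for label, out in [("single A", SINGLE_A), ("multi A", MULTI_A), ("multi AAAA", MULTI_AAAA)]:
        print(label, "dots:", out.count("."), "dot heuristic:", dot_count_says_cdn(out),
              "answers:", answer_addresses(out), "likely_cdn:", likely_cdn(out))
```

On the single-answer sample the dot heuristic already reports a CDN (the server line, the name and one IPv4 answer add up to 11 dots), while the parser correctly sees one address; on the IPv6 sample only the names contribute dots, so the heuristic's verdict there is a coincidence.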
Once you have the real IP, you can scan its C segment (/24).

    import nmap

    for IP in open("IP.txt"):  # load the IP list
        IP = IP.replace('\n', '')  # strip the newline
        nm = nmap.PortScanner()  # create the scanner object
        host = IP + '/24'  # append /24 to the IP, e.g. 127.0.0.1/24
        data = nm.scan(hosts=host, arguments='-T4 -F')  # run the scan; the results are returned in data
        print(nm.all_hosts())  # print the other hosts that were found
        print(nm.csv())  # print each host's TCP service ports
In fact, this simply calls nmap to do the scan.
After the C-segment scan turns up a large number of other IPs, port-scan them in batches.

    import socket

    for IP in open("IP.txt"):  # load the IP list
        IP = IP.replace('\n', '')  # strip the newline
        for port in range(8060, 8081):  # walk ports 8060 to 8080
            server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # connection-oriented TCP socket
            server.settimeout(1)  # cap the connect wait at one second
            result = server.connect_ex((IP, port))  # attempt a full connect and keep the result (like an nmap connect scan)
            if result == 0:  # 0 means the port is open
                print(str(port) + " port---open")
            server.close()  # close the socket either way so descriptors are not leaked
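Both the /24 sweep and the batch connect scan above leave a characteristic trace in firewall or flow logs: one source touching many ports on one host, or one source touching one port on many hosts in the same /24. The following added example (not from the original post) implements both detections over constructed firewall-style log lines; it assumes a line format of "<timestamp> src=<ip> dst=<ip> dport=<n> action=<ACCEPT|REJECT>" and, for brevity, treats the whole input as one time window.

```python
"""Detect vertical port scans and /24 sweeps in connection logs (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample traffic (not real logs):
#  - 203.0.113.5 walks ports 8060-8080 on a single host (vertical scan)
#  - 198.51.100.77 touches port 445 on thirty hosts of one /24 (horizontal sweep)
#  - 10.0.0.8 is a normal client reaching two web servers on 443
_scan = [f"2024-05-01T12:00:00Z src=203.0.113.5 dst=192.0.2.10 dport={p} action=REJECT"
         for p in range(8060, 8081)]
_sweep = [f"2024-05-01T12:01:00Z src=198.51.100.77 dst=192.0.2.{h} dport=445 action=REJECT"
          for h in range(1, 31)]
_benign = ["2024-05-01T12:02:00Z src=10.0.0.8 dst=192.0.2.10 dport=443 action=ACCEPT",
           "2024-05-01T12:02:01Z src=10.0.0.8 dst=192.0.2.11 dport=443 action=ACCEPT"]
SAMPLE_LOG = "\n".join(_scan + _sweep + _benign) + "\n"


def parse_line(line):
    """Split "<ts> key=value ..." into a dict with dport as an int."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scans(log_text, min_ports=10, min_hosts=16):
    """Return alerts for sources that hit many ports on one host or many hosts on one port.

    min_ports: distinct destination ports on a single (src, dst) pair before it
               counts as a port scan.
    min_hosts: distinct destinations inside one /24 on a single (src, dport)
               before it counts as a subnet sweep.
    """
    ports_by_pair = defaultdict(set)  # (src, dst) -> distinct dports
    hosts_by_port = defaultdict(set)  # (src, /24, dport) -> distinct dsts
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ports_by_pair[(rec["src"], rec["dst"])].add(rec["dport"])
        net = ipaddress.ip_network(rec["dst"] + "/24", strict=False)
        hosts_by_port[(rec["src"], str(net), rec["dport"])].add(rec["dst"])

    alerts = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= min_ports:
            alerts.append({"type": "port_scan", "src": src, "target": dst,
                           "count": len(ports)})
    for (src, net, dport), hosts in hosts_by_port.items():
        if len(hosts) >= min_hosts:
            alerts.append({"type": "subnet_sweep", "src": src, "target": net,
                           "port": dport, "count": len(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Rejected connections are counted the same as accepted ones on purpose: a connect scan against closed ports produces only REJECT lines, and those are exactly the ones that reveal the scan. The thresholds should be raised for busy networks and the keys should be bucketed by time in a real pipeline.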