Xiaomifan (小米范) series of penetration testing tools

Tool 1: Xiaomifan web finder: quickly scans for and identifies web application ports

Working principle:

Fast port scanning.

Each open port is quickly checked for whether it speaks HTTP or HTTPS.

If a port is identified as HTTP/HTTPS, the home page title, the Server header and the other response headers are fetched.

If the port is not HTTP/HTTPS, its banner is grabbed over a raw socket.
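The identification steps above, as an added example written for this page (it is not the Xiaomifan tool's own code): one open port is probed with a plain HTTP request first, then over TLS, and, if neither answers in HTTP, its banner is read passively. To run offline it starts two constructed services on loopback ports; the `DemoServer/1.0` header, the `Demo Admin Console` title and the `SSH-2.0-demo_banner` greeting are constructed values, and the 2-second timeout is an assumed setting (the tool lets the user choose it).

```python
import re
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
PROBE_TIMEOUT = 2.0   # assumed per-connection timeout; the tool lets the user set this

def _read_until_close(sock):
    chunks = []
    try:
        while True:               # read until the peer closes or the socket timeout expires
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass
    return b"".join(chunks)

def _http_probe(host, port, use_tls):
    """Send a minimal GET and return the raw response, or None if the port does not answer in HTTP."""
    try:
        sock = socket.create_connection((host, port), timeout=PROBE_TIMEOUT)
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False        # inventory probe; the certificate is not a trust decision here
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        data = _read_until_close(sock)
        sock.close()
    except OSError:                           # refused, reset, timeout or a failed TLS handshake
        return None
    return data if data.startswith(b"HTTP/") else None

def _banner_grab(host, port):
    """Connect without sending anything and record what the service volunteers (SSH, FTP, SMTP...)."""
    try:
        with socket.create_connection((host, port), timeout=PROBE_TIMEOUT) as sock:
            return _read_until_close(sock).decode("latin-1").strip()
    except OSError:
        return ""

def parse_http(raw):
    """Extract the Server header and the <title> from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    server = re.search(rb"^Server:[ \t]*(.*?)\r?$", head, re.I | re.M)
    title = re.search(rb"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return {"server": server.group(1).decode("latin-1").strip() if server else "",
            "title": title.group(1).decode("utf-8", "replace").strip() if title else ""}

def identify(host, port):
    """Classify one open port as http, https or banner, as in the tool's second to fourth steps."""
    for kind, tls in (("http", False), ("https", True)):
        raw = _http_probe(host, port, tls)
        if raw is not None:
            return {"kind": kind, **parse_http(raw)}
    return {"kind": "banner", "banner": _banner_grab(host, port)}

class _DemoWeb(BaseHTTPRequestHandler):
    """Constructed web service standing in for a real host; it advertises a made-up Server header."""
    def version_string(self):
        return "DemoServer/1.0"
    def do_GET(self):
        body = b"<html><head><title>Demo Admin Console</title></head><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass

def _serve_banner(listener, stop, banner):
    """Constructed non-HTTP service: greet each client with a banner and hang up."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        with conn:
            conn.sendall(banner)

def demo():
    """Run both constructed services on loopback ports, identify them and return both results."""
    web = HTTPServer(("127.0.0.1", 0), _DemoWeb)
    threading.Thread(target=web.serve_forever, daemon=True).start()
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    stop = threading.Event()
    threading.Thread(target=_serve_banner, args=(listener, stop, b"SSH-2.0-demo_banner\r\n"), daemon=True).start()
    try:
        return {"web": identify("127.0.0.1", web.server_address[1]),
                "ssh": identify("127.0.0.1", listener.getsockname()[1])}
    finally:
        web.shutdown()
        stop.set()
        listener.close()
```

Trying plain HTTP before TLS matters: a TLS port answers a cleartext GET with an alert rather than `HTTP/`, so it falls through to the TLS attempt, while a plain port is never subjected to a handshake that would only produce noise in its logs. The banner grab deliberately sends nothing, because services such as SSH and SMTP speak first and a stray request would corrupt the greeting you want to record for your inventory.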

Functions and features:

1. Built-in browser: open ports can be viewed in it, and the right-click menu can open them in the system default browser instead.

2. Supports exporting and importing data.

3. Supports several IP formats:

192.168.0.0/24

192.168.1.1-123

192.168.1.123

www.baidu.com

4. Supports a flexible port format:

1-1024,8080,8000,8000-9000

5. Automatically identifies HTTP/HTTPS; for ports that are not HTTP/HTTPS the banner is grabbed automatically.

6. The timeout and the number of threads can be customized.

7. Tasks can be created in real time; new tasks are placed into the task queue automatically.

8. One-click extraction of the URLs of all HTTP or HTTPS ports.

Tool 2: Xiaomifan web directory scanner: detects directories and files that may exist on a web site

Working principle:

Enumerates directories on the target site using the built-in basic dictionary.

Functions and features:

1. Supports HTTP/HTTPS.

2. Supports status code matching, keyword filtering and Content-Length filtering (for error pages of a fixed size).

3. Supports 3xx responses: keyword filtering is applied to the page reached after the redirect.

4. One-click skip during batch scanning: if a URL gets stuck for network reasons (for example the target hung under the scan), the current URL can be skipped with a click.

5. Supports setting the Referer header to the current URL (rarely needed).

6. The User-Agent header and the number of threads can be set by the user.

7. Found URLs can be viewed in the built-in browser, or opened in the system default browser from the right-click menu.

8. Tasks can be created in real time; newly created tasks are placed into the task queue automatically.

9. Supports import and export.

Tool 3: Xiaomifan subdomain collection tool: collects subdomains (second-, third- and fourth-level domain names)

Working principle:

1. Queries the commonly used record types: MX, NS, SOA.

2. Sends test queries to each DNS server to obtain the wildcard-resolution ("pan-domain") IP blacklist (blacklist IPs can also be entered manually).

3. Queries search engines and other interfaces (Baidu, Bing, netcraft) for second-level domains; the number of crawling threads can be set.

4. Brute-forces second-level domains with a dictionary (dictionary and thread count customizable).

5. Resolves the IP addresses of the domain name list collected in the steps above.

6. Reverse-looks up domain names on the IP list from step 5 through the aizhan (爱站) interface; because aizhan limits requests, this step is single-threaded.

7. Derives the class-C segments of the IP list from step 5.

8. Reverse-looks up domain names on the IP addresses in those class-C segments; because the aizhan interface is rate-limited, only Bing is implemented for this at present (this step is time-consuming and optional).

9. Recursive brute-forcing of third- and fourth-level domains (depth customizable; the default is level 2, i.e. no recursion; dictionary and thread count customizable).
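Steps 2, 4, 7 and 9 above, and the counting described under the features, as an added example written for this page (not the tool's own code): the wildcard IP is discovered by resolving random labels, dictionary hits that resolve only to blacklisted IPs are discarded, and recursion descends one dictionary level at a time. The resolver is injected so the example runs offline against a constructed zone (`example.test`, the `198.51.100.x` and `203.0.113.x` addresses and the word lists are all constructed); a real run would replace `demo_resolve` with queries to the configured DNS servers.

```python
import random
import string
from collections import Counter

def detect_wildcard_ips(domain, resolve, probes=3):
    """Resolve a few random, surely nonexistent labels; any IP they return is a wildcard (pan-domain) IP."""
    wildcard = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=20))
        wildcard.update(resolve(f"{label}.{domain}"))
    return wildcard

def brute_force_level(parent, wordlist, resolve, blacklist):
    """Try every dictionary word under parent; keep names that resolve to at least one non-blacklisted IP."""
    found = {}
    for word in wordlist:
        name = f"{word}.{parent}"
        ips = sorted(ip for ip in resolve(name) if ip not in blacklist)
        if ips:
            found[name] = ips
    return found

def enumerate_subdomains(domain, dictionaries, resolve, max_level=2, manual_blacklist=()):
    """dictionaries maps level -> wordlist (level 2 = direct children of the apex), like level2.txt, level3.txt...
    max_level=2 means no recursion, matching the tool's default. Returns (name -> ips, effective blacklist)."""
    blacklist = set(manual_blacklist) | detect_wildcard_ips(domain, resolve)
    found, parents = {}, [domain]
    for level in range(2, max_level + 1):
        next_parents = []
        for parent in parents:
            if parent != domain:   # a discovered child may have its own wildcard; probe it before recursing
                blacklist |= detect_wildcard_ips(parent, resolve)
            level_found = brute_force_level(parent, dictionaries.get(level, []), resolve, blacklist)
            found.update(level_found)
            next_parents.extend(level_found)
        parents = next_parents
    return found, blacklist

def summarize(domain, found):
    """The counts the tool reports when a task finishes: distinct IPs, class-C segments, names per level."""
    ips = {ip for ip_list in found.values() for ip in ip_list}
    segments = sorted({".".join(ip.split(".")[:3]) + ".0/24" for ip in ips})
    apex_dots = domain.count(".")
    per_level = Counter(name.count(".") - apex_dots + 1 for name in found)   # www.example.test -> level 2
    return {"ips": len(ips), "c_segments": segments, "per_level": dict(per_level)}

# Constructed zone for the demo; a real run would query the configured DNS servers instead.
_DEMO_ZONE = {
    "www.example.test": ["198.51.100.10"],
    "mail.example.test": ["198.51.100.20"],
    "dev.example.test": ["203.0.113.5"],
    "api.dev.example.test": ["203.0.113.6"],
}
_WILDCARD_IP = "198.51.100.250"   # the constructed apex has a wildcard A record

def demo_resolve(name):
    """Stand-in resolver: explicit records first, otherwise the wildcard answer for anything under the apex."""
    if name in _DEMO_ZONE:
        return list(_DEMO_ZONE[name])
    return [_WILDCARD_IP] if name.endswith(".example.test") else []

def demo():
    """Constructed word lists: 'ghost' and 'admin' only ever hit the wildcard and must not be reported."""
    dictionaries = {2: ["www", "mail", "dev", "ghost"], 3: ["api", "admin"]}
    found, blacklist = enumerate_subdomains("example.test", dictionaries, demo_resolve, max_level=3)
    return found, blacklist, summarize("example.test", found)
```

Without the wildcard step every dictionary word would "exist", which is exactly the flood of useless records the tool's manual blacklist and right-click delete are there to clean up; probing each discovered parent again before recursing catches the case where a child zone is delegated elsewhere and has a wildcard of its own.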

Functions and features:

Supports multiple DNS servers, used in round-robin for load balancing.

Automatically identifies the wildcard-resolution IP; it can also be specified manually.

If a wildcard IP, or useless records such as QQ Zone, Taobao shops and personal blogs, is found during detection, right-click to delete all records for that IP; the IP is then added to the blacklist.

Supports recursive brute-forcing of third- and fourth-level domains.

The number of brute-force threads, crawler threads and pages crawled, and the DNS timeout can all be set.

If the aizhan reverse lookup has been closed for the current IP, it is skipped automatically without affecting the rest of the task.

Supports multiple domain names and real-time task creation; all domain names are placed into the task queue and then probed.

The dictionaries can be replaced; the second-, third- and fourth-level dictionaries are level2.txt, level3.txt and level4.txt.

Found domain names can be viewed in the built-in browser, or opened in the system default browser from the right-click menu.

After a task finishes, the number of IP addresses, class-C segments and domain names at each level is counted automatically.

Tool 4: Xiaomifan HTTP batch request sender: sends a series of constructed requests to a large number of IP addresses for batch exploitation

Working principle:

Add the constructed request, i.e. paste the captured raw request directly.

The destination address in the request that must be replaced for each target is set to $$, for example in the Host header.

Targets can be entered in ip:port format for hosts already confirmed, or as a list of IPs or IP ranges with a specified port for bulk sending; targets that fail to send are skipped automatically.

Functions and features:

A configured exploit request, or one exported earlier, can be imported directly and reused.

If a later request in the sequence needs the cookie received by an earlier one (for example the first step is a login request), tick "receive cookie".

The original post shows a screenshot of the settings used to send a JBoss getshell request to port 80 of a whole class-C segment (image not reproduced).

Tool 5: Xiaomifan authorization-bypass (越权) detection tool: detects authorization-bypass vulnerabilities

Working principle:

The tool contains three fully independent browsers, each of which can be given a different cookie or logged in to the same site as a different user with different privileges. The three browsers are then driven to visit the same URL or send the same request under their own privileges, and the returned pages are compared to judge whether an authorization bypass exists.
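The comparison the three browsers perform, as an added example written for this page (not the tool's own code): the same request is replayed under an admin session, an ordinary user session and no session, and any lower-privilege session that receives the privileged session's exact 200 response is flagged. It runs offline against a constructed demo application on loopback whose `/account?id=1` endpoint is deliberately missing an ownership check while `/admin` enforces its role properly; the cookie values, paths and response texts are all constructed.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sessions: the cookie each "browser" carries; None plays the not-logged-in browser.
SESSIONS = {"admin": "session=admin-token", "user": "session=user-token", "anonymous": None}
_TOKENS = {"admin-token": "admin", "user-token": "user"}   # constructed session store

class _DemoApp(BaseHTTPRequestHandler):
    """Constructed application: /admin checks the role; /account?id=... trusts any logged-in session."""
    def do_GET(self):
        role = _TOKENS.get(self.headers.get("Cookie", "").partition("=")[2])
        if role is None:
            return self._reply(401, "login required")
        if self.path.startswith("/admin"):
            if role != "admin":
                return self._reply(403, "forbidden")
            return self._reply(200, "admin panel: user management")
        if self.path.startswith("/account"):
            return self._reply(200, "account 1: alice, balance 4200")   # no ownership check: the flaw
        return self._reply(404, "not found")
    def _reply(self, status, text):
        body = text.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass

def fetch(url, cookie):
    """Send the same GET from one 'browser'; return (status, body) even for 4xx answers."""
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def compare_access(url, sessions, privileged="admin"):
    """Replay the request under every session; flag lower-privilege sessions that get the privileged answer."""
    results = {name: fetch(url, cookie) for name, cookie in sessions.items()}
    reference = results[privileged]
    flagged = [name for name, outcome in results.items()
               if name != privileged and outcome[0] == 200 and outcome == reference]
    return results, flagged

def demo():
    """Start the constructed app on a loopback port and test both paths; returns path -> flagged sessions."""
    server = HTTPServer(("127.0.0.1", 0), _DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {path: compare_access(base + path, SESSIONS)[1] for path in ("/admin", "/account?id=1")}
    finally:
        server.shutdown()
```

Comparing full bodies rather than only status codes is what makes the check useful: an application that answers 200 with a generic "no permission" page would otherwise look vulnerable, and one that returns 200 with the victim's data under the wrong session is exactly the case that must be flagged. The anonymous browser is kept in the set because a 401 there confirms the endpoint requires login at all, which separates broken object-level authorization from a completely unauthenticated endpoint.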

Functions and features:

1. The tool supports two working modes.

Mode 1:

Browsers 2 and 3 synchronized with browser 1.

With this option ticked, you operate browser 1 and browsers 2 and 3 automatically visit the same address. Mode 1 cannot be used for POST requests or for testing mobile apps.

Mode 2:

All browsers synchronized with the table.

This mode requires capturing traffic through the built-in proxy first, which works the same way as Burp: start the proxy (it listens on 0.0.0.0:8088 by default), then configure the proxy in a browser such as Firefox or in a mobile app.

With "all browsers synchronized with the table" ticked, clicking a captured request in the table makes all three browsers send that request.

2. If too many requests are captured in mode 2, the search function can be used to find the ones needed.

Tool 6: Xiaomifan penetration-testing browser: a browser with common penetration-testing functions built in

Working principle:

The tool is built on the Chrome engine and uses its rich API to add a number of common penetration-testing functions.

Functions and features:

1. Automatic modification of HTTP headers (Host, Referer, Cookie, User-Agent).

2. Custom POST submission.

3. Request interception and modification (not done through a proxy, so there is no HTTPS certificate installation problem, though in some respects it is less convenient than proxy interception).

4. Quick switching between multiple proxies.

5. URL extraction from web pages.

6. Port scanning; the ports to scan are specified in the settings panel.

7. Directory scanning; the dictionaries can be replaced, at asp.txt, php.txt, aspx.txt and jsp.txt in the dict directory.

8. Basic authentication cracking; the dictionaries can be replaced, at dict/basic-username.txt and dict/basic-password.txt.

9. Form authentication cracking (simulates browser operation: enters the account and password into the form fields, then clicks login or presses Enter; this can bypass front-end JS encryption but is slower, so it suits small-scale cracking); the dictionaries can be replaced, at dict/form-username.txt and dict/form-password.txt.

10. Reverse domain lookup (calls aizhan).

11. Second-level domain lookup (calls netcraft).

12. Send to SqlMap from the right-click menu (automatically identifies https/http); SqlMap must be installed. Supports the sqlmap -r / -u parameters and POST (right-click to select in the capture/replay table).

13. Capture, modify and replay.

14. Page source formatting and editing, saved back to the current page through the DOM.

15. FUZZ with customizable rules: the payload can be inserted after a parameter, after the URL, at the URL root, after the question mark in the URL, or in a custom HTTP header; POST is supported (right-click to select in the capture/replay table).

Other instructions and tool downloads: Download


Origin www.cnblogs.com/guojia000/p/11628179.html