0x1 Fofa

ip="192.168.1.1/16" && title="keyword"
ip="192.168.1.1/16" && body="keyword"
ip="192.168.1.1/16" && cert="baidu.com"
cert="baidu.com"

0x2 Google

site:targets.com.cn AND (filetype:doc OR filetype:ppt OR filetype:pps OR filetype:xls OR filetype:docx OR filetype:pptx OR filetype:ppsx OR filetype:xlsx OR filetype:odt OR filetype:ods OR filetype:odg OR filetype:odp OR filetype:wpd OR filetype:svg OR filetype:svgz OR filetype:indd OR filetype:rdp OR filetype:sql OR filetype:xml OR filetype:db OR filetype:mdb OR filetype:sqlite OR filetype:zip OR filetype:tar OR filetype:tar.gz OR filetype:rar)
site:www.targets.com 收件人
site:www.targets.com 手机号
site:www.targets.com 收货地址
site:www.targets.com 基本信息
site:www.targets.com 订单号
site:www.targets.com 姓名 手机号
site:www.targets.com intitle:列表
site:www.targets.com intitle:基本信息

0x3 httpx

Take the merged and deduplicated oneforall + gosint results and output a single list of live domains with their titles:

cat targets.txt | httpx -silent -timeout 3 -threads 500 -title -content-length -follow-redirects -status-code -no-color -ip -o domain_all_title.txt

Extract the URLs (the character class includes `:` so that non-default ports are kept):

cat domain_all_title.txt | grep -Eo "(http|https)://[a-zA-Z0-9.:/?=_-]*"

Extract the IP addresses:

cat domain_all_title.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'

Project: https://github.com/projectdiscovery/httpx


0x4 naabu

Use version v2.0.2 or earlier; later versions changed the options and removed the -unprivileged parameter.

Running v2.0.3 on CentOS 7.0 fails with the following error (v2.0.2 is recommended):

./naabu-linux-amd64: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory

Common web port scan:

naabu -silent -verify -p 80-89,443,8080-8089,7000-7010 -rate 1000 -timeout 1000 -unprivileged -iL targets.txt -o naabu_log.txt

Project: https://github.com/projectdiscovery/naabu


0x5 KsubDomain

ksubdomain is a stateless subdomain brute-force tool for DNS enumeration. Its theoretical maximum send rate is 300,000 packets/s on Mac and Windows and 1,600,000 packets/s on Linux.

Common ksubdomain commands:

ksubdomain_linux -d seebug.org -b 4 -l 2 -skip-wild
ksubdomain_linux -d baidu.com -f dns-wordlist/subnames-oneforall.txt -b 4M -l 2 -skip-wild
ksubdomain_linux -dl dianli.txt -f dns-wordlist/subnames-oneforall.txt -b 4M -l 2 -skip-wild
ksubdomain_linux -dl domain.txt -f dns-wordlist/subname-so-big.txt -b 4M -l 2 -skip-wild

Project: https://github.com/knownsec/ksubdomain


0x6 dirsearch

python3 dirsearch.py -L domains.txt -e "php,jsp,html,json" --timeout=10 --exclude-status=502

0x7 MasScan

masscan -p 1433,445,135,5985,3389,22,1521,3306,6379,5432,389,25,110,143,443,5900,21,873,27017,23,3690,1099,5984,5632,80-100,7000-10000,13389,13306,11433,18080 --max-rate 100000 -iL ipscaned.log

0x8 Nmap

nmap -sS -Pn -p 1433,445,135,5985,3389,22,1521,3306,6379,5432,389,25,110,143,443,5900,21,873,27017,23,3690,1099,5984,5632,80-100,7000-10000,13389,13306,11433,18080 -n --open --min-hostgroup 1024 --min-parallelism 1024 --host-timeout 30 -T4 -iL ips.txt -v -oN save.txt

0x9 Gosint

87147f97ac540ccc742d07a0c161e93c
142768db4a699065b2efc96645aef6fa

0x10 Asset organization

Online deduplication (small data sets): http://www.secbook.info/qc
link114: http://www.link114.cn
JSON formatting: https://www.huatools.com/comma-split
Online regex tester: https://www.bejson.com/othertools/regex
EmEditor:https://www.emeditor.com
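An added example (not part of the original post) that covers both the httpx filtering steps in 0x3 and the asset organization in 0x10: it parses httpx result lines into a deduplicated per-host inventory, validating IP octets instead of accepting any dotted quad as the grep above does. The sample output lines are constructed, and the bracketed field order they show is an assumption; the parser keys on each field's shape rather than its position.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of httpx output as produced by the flags used in 0x3
# (-status-code -content-length -title -ip); the field order is assumed.
SAMPLE_HTTPX_OUTPUT = """\
https://www.example.com [200] [1256] [Example Domain] [93.184.216.34]
http://www.example.com [301] [0] [] [93.184.216.34]
https://admin.example.com:8443 [403] [162] [403 Forbidden] [10.0.0.5]
https://api.example.com [200] [88] [API v2] [999.1.1.1]
no url on this line
"""

URL_RE = re.compile(r"https?://[a-zA-Z0-9.:/?=_-]+")
STATUS_RE = re.compile(r"\[(\d{3})\]")  # first bracketed 3-digit field after the URL
# Dotted quads; octets are range-checked separately so 999.1.1.1 is rejected.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def valid_ipv4(s):
    return all(int(o) <= 255 for o in s.split("."))


def parse_httpx_line(line):
    """Return {url, host, status, ip} for one httpx line, or None if it has no URL."""
    m = URL_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    status = STATUS_RE.search(rest)
    ip = next((c for c in IP_RE.findall(rest) if valid_ipv4(c)), None)
    return {"url": m.group(0), "host": urlsplit(m.group(0)).hostname,
            "status": int(status.group(1)) if status else None, "ip": ip}


def consolidate(text):
    """Dedupe by hostname; collect every URL, IP and status seen for that host."""
    assets = {}
    for line in text.splitlines():
        rec = parse_httpx_line(line)
        if rec is None:
            continue
        a = assets.setdefault(rec["host"], {"urls": set(), "ips": set(), "statuses": set()})
        a["urls"].add(rec["url"])
        if rec["ip"]:
            a["ips"].add(rec["ip"])
        if rec["status"] is not None:
            a["statuses"].add(rec["status"])
    # Sorted lists keep the result stable and diffable between scans.
    return {h: {k: sorted(v) for k, v in a.items()} for h, a in sorted(assets.items())}
```

Feed it the contents of domain_all_title.txt and dump the returned dict with json.dumps to get the formatted JSON the online tools above are used for.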

Tags: Web pen test
