Beginner's diary 5: Kali penetration testing, passive information gathering (4): theHarvester, metagoofil, Maltego, and a personal password dictionary with CUPP


    1. theHarvester

    theHarvester is a social-engineering reconnaissance tool: it queries search engines, PGP key servers and the SHODAN database to collect a target's e-mail addresses, subdomains, hosts, employee names, open ports and banners.

    Note: usually needs a proxy to get past the Great Firewall (FQ)

    # a proxy can be set with proxychains

    root@kali:~# theharvester -h
    
    *******************************************************************
    *                                                                 *
    * | |_| |__   ___     /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
    * | __| '_ \ / _ \   / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
    * | |_| | | |  __/  / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
    *  \__|_| |_|\___|  \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
    *                                                                 *
    * TheHarvester Ver. 2.6                                           *
    * Coded by Christian Martorella                                   *
    * Edge-Security Research                                          *
    * cmartorella@edge-security.com                                   *
    *******************************************************************
    
    
    Usage: theharvester options 
    
           -d: Domain to search or company name
           -b: data source: google, googleCSE, bing, bingapi, pgp        # choose the search engine or social network
                            linkedin, google-profiles, people123, jigsaw, 
                            twitter, googleplus, all
    
           -s: Start in result number X (default: 0)
           -v: Verify host name via dns resolution and search for virtual hosts
           -f: Save the results into an HTML and XML file                # save the results to a file
           -n: Perform a DNS reverse query on all ranges discovered
           -c: Perform a DNS brute force for the domain name
           -t: Perform a DNS TLD expansion discovery
           -e: Use this DNS server
           -l: Limit the number of results to work with(bing goes from 50 to 50 results,   # cap the number of results; bing returns 50 per request by default
                google 100 to 100, and pgp doesn't use this option)
           -h: use SHODAN database to query discovered hosts
    
    Examples:
            theharvester -d microsoft.com -l 500 -b google
            theharvester -d microsoft.com -b pgp
            theharvester -d microsoft -l 200 -b linkedin
            theharvester -d apple.com -b googleCSE -l 500 -s 300
    
    Example: theharvester -d sina.com -l 300 -b bing

    2. metagoofil (not bundled with Kali 2.0)

    metagoofil collects document metadata: it pulls information out of the documents that are publicly available for the target domain, using Google as its search engine. Supported formats: .doc .odt .xls .ods .ppt .odp .PDF

    metagoofil -d <target domain> -t all -l 10 -o a -f a.html    # -t file types, -l result limit, -o download directory, -f HTML report

    3. Maltego

    Note: an account has to be registered before first use, and a proxy (FQ) is needed

    An all-round information-gathering application with a friendly graphical interface. Its wizard offers several kinds of searches, and custom ones can be defined.

    (1) Choose a type (custom)

    Switch type

    New

    ……

    4. host

    Query the DNS records of a domain (the hosts it resolves to)

    # host 163.com 
    # host -t MX 163.com 

    5. Other channels

    Social networks, company registration records, newsgroups/forums, job boards (the positions a company hires for reveal where it is weak: advertising for a web penetration tester, for instance), and sites that keep historical archives such as archive.org (to learn about the company's past, including the technology it has used).

    6. A personal password dictionary: CUPP (relatively high hit rate) [not installed on Kali by default]

    Written in Python and suited to social engineering: once you have gathered concrete information about the target, this script generates a dictionary tailored to that person. [Keep in mind that Chinese and Western users have different password habits.]

    Note: if the package source is broken, switch to the USTC mirror

    deb http://mirrors.ustc.edu.cn/kali sana main non-free contrib
    deb http://mirrors.ustc.edu.cn/kali-security/ sana/updates main contrib non-free
    deb-src http://mirrors.ustc.edu.cn/kali-security/ sana/updates main contrib non-free

    Installation:

    git clone https://github.com/Mebus/cupp.git                    # clone; this is where the files will live

    Usage:

    root@kali:~# cd cupp/
    root@kali:~/cupp# ls
    CHANGELOG.md  cupp3.py  cupp.cfg  cupp.py  LICENSE  README.md  test_cupp.py
    root@kali:~/cupp# cat README.md                      # user manual
    # cupp.py - Common User Passwords Profiler
    
     
    ## About
    
      The most common form of authentication is the combination of a username
      and a password or passphrase. If both match values stored within a locally
      stored table, the user is authenticated for a connection. Password strength is
      a measure of the difficulty involved in guessing or breaking the password
      through cryptographic techniques or library-based automated testing of
      alternate values.
    
      A weak password might be very short or only use alphanumberic characters,
      making decryption simple. A weak password can also be one that is easily
      guessed by someone profiling the user, such as a birthday, nickname, address,
      name of a pet or relative, or a common word such as God, love, money or password.
    
      That is why CUPP has born, and it can be used in situations like legal
      penetration tests or forensic crime investigations.
    
    
    
    ## Options
    
      Usage: cupp.py [OPTIONS]
    
            -h      this menu
            -i      Interactive questions for user password profiling     # interactive profiling questions [most used]: a wizard that generates the personal dictionary
            -w      Use this option to profile existing dictionary,
                    or WyD.pl output to make some pwnsauce :)
            -l      Download huge wordlists from repository
            -a      Parse default usernames and passwords directly from Alecto DB.
                    Project Alecto uses purified databases of Phenoelit and CIRT which where merged and enhanced.
            -v      Version of the program
    
    ## Configuration
    
       CUPP has configuration file cupp.cfg with instructions.
    
    ## License
    
      This program is free software; you can redistribute it and/or modify
      it under the terms of the GNU General Public License as published by
      the Free Software Foundation; either version 3 of the License, or
      any later version.
    
      This program is distributed in the hope that it will be useful,
      but WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      GNU General Public License for more details.
    
      You should have received a copy of the GNU General Public License
      along with this program; if not, write to the Free Software
      Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
    
      See './LICENSE' for more information.
    
    ## Github import
    
    This project was imported into https://github.com/Mebus/cupp by Mebus from:  
    http://www.remote-exploit.org/content/cupp-3.0.tar.gz  
    http://www.remote-exploit.org/articles/misc_research__amp_code/index.html  
    to encourage further developement of the tool.
    
    ## Original author
    
      Muris Kurgas aka j0rgan  
      j0rgan@remote-exploit.org  
      http://www.remote-exploit.org  
      http://www.azuzi.me  
    
    ## Contributors
    
      * Bosko Petrovic aka bolexxx  
      bole_loser@hotmail.com  
      http://www.offensive-security.com  
      http://www.bolexxx.net  
    
      * Mebus  
        https://github.com/Mebus/  
    
      * Abhro  
        https://github.com/Abhro/  
    
      * Andrea Giacomo  
        https://github.com/codepr

    It has to be run with python:
    root@kali:~/cupp# python cupp.py -i

    7. Image metadata

    METADATA

    Metadata is data that describes other data, or structured data that provides information about a resource. It describes information resources or data objects and serves to identify, evaluate and track a resource through changes during its use, to manage large volumes of networked data simply and efficiently, and to support the discovery, retrieval, integrated organization and management of information resources. It can describe a resource's elements or attributes (name, size, data type, etc.), its structure (length, fields, columns) or related data (where it is located, how to reach it, who owns it).

    Exif image data: by default it records the physical location where the photo was taken. (See http://baike.baidu.com/link?url=lsZXsROoT4fsYGDT9ilOrJFD_l82wK25U3dKVjIu_wrbX7ifCtGc5z8NmjkvjKlT00QrYG4L_qDebQT227uefq)

    FOCA information gatherer

    FOCA is an information-gathering tool written by Spanish researchers that mainly scans and analyzes DNS and document metadata. It can analyze many kinds of files, most commonly Microsoft Office, OpenOffice and PDF documents, and even Adobe InDesign or SVG files.

    Analyzing an image:

    exiftool <image file>   # or exif, as run here: root@kali:~# exif QQ图片20160907233944.jpg

    root@kali:~# exif QQ图片20160907233944.jpg 
    ‘QQ图片20160907233944.jpg’中的EXIF 信息标识(‘英特尔’字节顺序):
    --------------------+----------------------------------------------------------
    信息标识                |值
    --------------------+----------------------------------------------------------
    Date and Time       |2016:08:05 14:20:30
    Model               |MX4 Pro
    Image Width         |2592
    YCbCr Positioning   |Centered
    Image Length        |1944
    Orientation         |Top-left
    Software            |Flyme5.0              # operating system
    Manufacturer        |MEIZU 
    X-Resolution        |72
    Y-Resolution        |72
    Resolution Unit     |英寸
    Image Width         |160
    Resolution Unit     |英寸
    Image Length        |120
    Y-Resolution        |72
    Orientation         |Top-left
    Compression         |JPEG 压缩
    X-Resolution        |72
    色彩空间                |sRGB
    Date and Time (Digit|2016:08:05 14:20:30
    F-Number            |f/2.2
    Exposure Program    |普通模式
    焦距                  |4.8 mm
    光圈                  |2.27 EV (f/2.2)
    白平衡                 |自动白平衡
    Pixel X Dimension   |2592
    图像唯一 ID             |
    Shutter Speed       |8.77 EV (1/436 sec.)
    测距模式                |Center-weighted average
    曝光模式                |自动曝光
    Date and Time (Origi|2016:08:05 14:20:30
    用户备注                |
    Pixel Y Dimension   |1944
    闪光灯                 |未闪光
    Exif Version        |Exif版本2.2
    Focal Length in 35mm|31
    曝光偏差                |0.50 EV
    Maximum Aperture Val|2.27 EV (f/2.2)
    亮度                  |3.08 EV (28.97 cd/m^2)
    场景捕获类型              |标准
    ISO Speed Ratings   |40
    Exposure Time       |1/438 sec.
    FlashPixVersion     |FlashPix版本 1.0
    GPS Image Direction |46                    # GPS fields: location-related data is present
    GPS Image Direction |M
    --------------------+----------------------------------------------------------
    EXIF 数据中含有缩略图(2944 个字节)。

    On Windows you can use FOCA or simply view the image's file properties.
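An added example, not from the original post: a minimal Python parser for the Exif APP1 segment that reports the IFD0 tags shown above (Model, Software, Manufacturer) and whether a GPS sub-IFD is present, plus a function that strips APP1 before an image is published. The sample JPEG is constructed inside the block (a real photo would be read with open(path, "rb")); only ASCII and LONG entries of IFD0 are decoded, which is an assumption that suffices for these tags.

```python
import struct
# IFD0 tags to flag before publishing an image; 0x8825 points to the GPS sub-IFD.
TAGS = {0x010F: "Manufacturer", 0x0110: "Model", 0x0131: "Software", 0x8825: "GPSInfo"}

def segments(jpeg):
    """Yield (marker, start, end) per segment after SOI; the last item is the scan data."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] != 0xDA:
        size = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes itself
        yield jpeg[pos + 1], pos, pos + 2 + size
        pos += 2 + size
    yield 0xDA, pos, len(jpeg)

def _ifd0(tiff):
    en = "<" if tiff[:2] == b"II" else ">"  # "II" = Intel byte order, as in the output above
    ifd = struct.unpack(en + "I", tiff[4:8])[0]
    found = {}
    for i in range(struct.unpack(en + "H", tiff[ifd:ifd + 2])[0]):
        e = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n, val = struct.unpack(en + "HHII", e)
        if tag in TAGS and typ == 2:    # ASCII: inline when <= 4 bytes, else at offset val
            raw = tiff[val:val + n] if n > 4 else e[8:8 + n]
            found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif tag in TAGS and typ == 4:  # LONG: for GPSInfo, the offset of the GPS IFD
            found[TAGS[tag]] = val
    return found

def exif_tags(jpeg):
    """Return the flagged IFD0 tags of a JPEG, or {} when it carries no Exif."""
    for marker, s, e in segments(jpeg):
        if marker == 0xE1 and jpeg[s + 4:s + 10] == b"Exif\x00\x00":
            return _ifd0(jpeg[s + 10:e])
    return {}

def strip_exif(jpeg):
    """Drop every APP1 segment so a published copy carries no Exif (and no GPS)."""
    return jpeg[:2] + b"".join(jpeg[s:e] for m, s, e in segments(jpeg) if m != 0xE1)

def sample_jpeg():
    """Constructed image: SOI, APP1 Exif (LE TIFF; IFD0 = Model, Software, GPSInfo), SOS, EOI."""
    strings = [(0x0110, b"MX4 Pro\x00"), (0x0131, b"Flyme5.0\x00")]
    n, entries, blob = len(strings) + 1, b"", b""
    data = 8 + 2 + 12 * n + 4  # first byte after IFD0 and its 4-byte next-IFD link
    for tag, val in strings:
        entries += struct.pack("<HHII", tag, 2, len(val), data + len(blob))
        blob += val
    entries += struct.pack("<HHII", 0x8825, 4, 1, data + len(blob))  # empty GPS IFD after strings
    tiff = b"II*\x00" + struct.pack("<IH", 8, n) + entries + bytes(4) + blob + bytes(2)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

"GPSInfo" in exif_tags(data) is the check to run before a photo leaves the organisation; strip_exif() also removes non-GPS tags such as the camera model and software version shown above.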
    Original post: https://www.cnblogs.com/zixuanfy/p/5988662.html