Batch site assessment workflow, revision 2

  1. Collect root domains from ICP registration (record filing) information

ENScanPublic_amd64_windows (needs the name of the asset-owning company as input)
Link: Extraction code: i2be
Optional configuration:

```yaml
cookies:
  aiqicha: ''    # Aiqicha cookie
  tianyancha: '' # Tianyancha cookie
  qcc: ''        # Qichacha cookie
  aldzs: ''      # Ala Shendeng token
  xlb: ''        # Xiaolanben token
```

Usage: `ENScanPublic_amd64_windows -invest-num 100 -f gongsi.txt`
This queries the ICP records of wholly owned subsidiaries; with -invest-num 100 they are certainly the target's own assets.

```
-branch          Query branch offices (branch companies)
-delay int       Delay per request in seconds; -1 means a random delay of 1-5 s (default 1)
-f string        File containing company keywords, one per line
-field string    Field to fetch, e.g. website
-i string        Company ID (the ID differs depending on the query type)
-invest-num int  Investment percentage, e.g. 100
-invest-rd       Investment percentage unclear (may not be a fully controlled subsidiary)
-is-branch       Query branch office details (ICP records, apps, etc.)
-is-debug        Show detailed debug output
-is-group        Query group information
-is-merge        Merge results on export
-is-pid          Treat the batch input file as a list of PIDs
-n string        Company name keyword, e.g. Xiaomi
-o string        Output folder for results (optional)
-type string     Data source (default Aiqicha), e.g. qcc (default "aqc"); all collects from every source
-v               Version information
```

  2. Collect subdomains of the root domains: domain v3 (use man.py when there are few targets; kuai.py is recommended when there are many assets)
    This script can drive several subdomain enumeration tools and merge their results
    Baidu pan link (extraction code required)
    Recommended tool for processing txt files: http://www.txttool.com/
    Best to buy the desktop version.

  3. Batch-resolve the subdomains to IPs: domaintoippasscdn.py

```python
# BY KinFang
import csv
import os
import subprocess
import sys

file = './domain.txt'
# dst_file = 'url.txt'
dst_file = './domaintotp.csv'


# Deduplicate the [domain, ip] rows and write them sorted to the CSV
def DeDuplication(old_list):
    new_list = [list(t) for t in set(tuple(_) for _ in old_list)]  # convert the list to a set to drop duplicate rows
    # print(new_list)
    sorted_list = sorted(new_list)
    with open(dst_file, 'w', encoding='utf-8', newline='') as f:
        csvwrite = csv.writer(f)
        csvwrite.writerows(sorted_list)


# Run nslookup for one domain and append every answer address as [domain, ip]
def find_domain(domain, dns, result_list):
    if dns == '':
        ret = subprocess.getoutput(f'nslookup {domain}')
    else:
        ret = subprocess.getoutput(f'nslookup {domain} {dns}')
    lst = ret.split('\n')  # str -> list of lines
    # print(lst)

    # Skip the resolver's own "Server/Address" header block: nslookup ends it
    # with a blank line, so start scanning from the line after the first blank
    # line (fall back to the whole output if there is none)
    start = lst.index('') + 1 if '' in lst else 0

    for item in lst[start:]:
        if item.startswith('Aliases'):  # stop once the Aliases section starts
            break
        if item.startswith('Address') or item.startswith('\t'):  # address lines start with "Address" or a tab
            if 'Address' in item:
                newline = item.split(': ')[1].strip()
            else:
                newline = item.split(': ')[0].strip()
            result_list.append([domain] + [newline])


# Read domain.txt and resolve every non-comment, non-blank line
def readconfig(dns, result_list):
    with open(file, 'r', encoding='utf-8') as f:
        for line in f:
            if line.startswith('#'):
                continue
            new_line = line.strip()
            if new_line == '':
                continue
            find_domain(new_line, dns, result_list)


def main(dns, num):
    result_list = []
    # read the domain file num times
    print('-' * 30)
    print(f'每个域名将执行{num}遍')
    print('-' * 30)
    for i in range(1, num + 1):
        print(f'第{i}遍开始执行...')
        readconfig(dns, result_list)
    # print(result_list)
    print('-' * 30)
    print('结果处理中...')
    print('-' * 30)
    # deduplicate the collected rows
    DeDuplication(result_list)


if __name__ == '__main__':
    if not os.path.exists(file):
        print('domain.txt文件不存在,请先创建文件')
        os.system('pause')  # Windows: wait for a keypress so the console window stays open
        sys.exit()
    for i in range(3):
        try:
            dns = input('请输入DNS地址(不输入将采用本机默认DNS):').strip()
            num = input('输入需要循环几次(默认3次):').strip()
            if num == '':
                num = 3
            else:
                num = int(num)
            main(dns, num)
            print('执行完成!!!')
            print()
            break
        except ValueError:  # int() failed on the pass count
            print('输入有误,请重输!')
    os.system('pause')
    sys.exit()
```

Run 3 to 5 passes first to get the results in CSV (Excel) format, deduplicate, then import them into Excel.
Excel: delete duplicate values, keeping none of them
Assume your data is in column A
In B1 enter the formula
=if(countif(a:a,a1)>1,"删除","")
(the cell reads 删除, "delete", for every domain that occupies more than one row)
Double-click the small black fill handle at the bottom-right corner of B1 to fill the whole column
Select columns A and B, sort by column B so the rows marked for deletion are grouped together, then delete them in one go
A domain that returned different IPs across the passes still occupies several rows after deduplication, so this step removes it; what remains are the subdomains and IPs that are not behind a reverse proxy or CDN.
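The spreadsheet step above as code, added here as an example that is not part of the original notes: it reads the `[domain, ip]` rows that domaintoippasscdn.py writes (a constructed sample is embedded, so it runs offline) and keeps only the domains that returned a single address in every pass, reporting the rest as likely CDN or round-robin fronted. The same check is handy from the owner's side, to see which of your own hosts are exposed directly rather than through the CDN.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of domaintotp.csv after three resolution passes
SAMPLE_CSV = """\
app.example.com,203.0.113.10
app.example.com,203.0.113.10
app.example.com,203.0.113.10
cdn.example.com,198.51.100.7
cdn.example.com,198.51.100.9
cdn.example.com,198.51.100.21
mail.example.com,192.0.2.25
"""


def load_rows(csv_text):
    """Parse CSV text into (domain, ip) tuples, skipping blank or short rows."""
    rows = []
    for rec in csv.reader(io.StringIO(csv_text)):
        if len(rec) >= 2 and rec[0].strip() and rec[1].strip():
            rows.append((rec[0].strip(), rec[1].strip()))
    return rows


def split_by_stability(rows):
    """Group the answers per domain.

    Returns (stable, unstable): stable maps each domain that only ever
    returned one address to that address; unstable maps every domain that
    returned more than one distinct address to the sorted list of them.
    This is the COUNTIF(A:A,A1)>1 rule: a domain that still occupies several
    rows after deduplication is dropped entirely, not just reduced to one row.
    """
    seen = defaultdict(set)
    for domain, ip in rows:
        seen[domain].add(ip)
    stable = {d: next(iter(ips)) for d, ips in seen.items() if len(ips) == 1}
    unstable = {d: sorted(ips) for d, ips in seen.items() if len(ips) > 1}
    return stable, unstable


if __name__ == '__main__':
    stable, unstable = split_by_stability(load_rows(SAMPLE_CSV))
    for d, ip in sorted(stable.items()):
        print(f'{d},{ip}')  # one stable address: likely a directly exposed host
    for d, ips in sorted(unstable.items()):
        print(f'# dropped {d}: {len(ips)} different addresses (CDN or round-robin?)')
```

As in the Excel version, a host that answers with both an A and an AAAA record is also dropped, and a single stable address does not by itself prove the host is not behind a CDN.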

  4. Use webfinder 2.3 to scan for web services (if there are few target IPs scan 1-65535; if there are many, scan the common web ports; for all subdomains 80, 443 and 8080 are enough)
    Link: Extraction code: 8any
    Common web ports:
443,7000-7021,7050-7080,7171,7272,7322,7396,7443,7474,7480,7530,7630,7777,8000-8010,801,8014,8016,8019,8020,8021,8033,8037,8041,8043,8060,8065,8069,8070,8075,808,8080-8090,80-90,8091,8099,8100,8105,8110,8118,8123,8143,8172,8180,8181,8182,8201,8207,8222,8243,8280,8281,8282,832,8333,8383,843,8443,8444,8445,8500,8512,8521,8585,8600,8680,8681,8719,8720,873,8777,8800,8818,8834,886,888,8880-8890,8898,8906,8983,8989,8992,8996,8998,9000-9010,9043,9060,9066,9080,9081,9090,9091,9092,9093,9094,9100,9115,9127,9191,9200,9203,9300,9443,9445,9500,9643,97,9700,9722,9797,9800,981,9981,9988,9994,9997,9998

Full list of common service ports:

10050,10051,10061,10080,1010,10443,1080,10801,10802,1090,1099,10999,110,111,11211,1158,11931,12056,12292,123,12443,1246,12945,13,1311,13256,13306,135,1352,13529,1354,137,139,14005,14161,143,1433,15040,1521,16010,16080,161,1648,17,17000,17020,17024,17061,1720,17201,1721,1722,1726,17443,17536,17961,17999,18006,18007,1801,18023,18024,18025,18041,18051,18052,18053,18054,18055,18056,18057,18058,18071,18080,18092,18225,18264,1883,1905,1908,1922,1935,1936,1937,19694,1999,2001,20048,2012,20124,2013,2014,2015,20160,20164,20180,20181,2019,2020,2049,20720,2082,2087,2095,2096,21,2103,2105,2107,2122,21378,21422,21808,2181,2182,21878,21999,22,22022,2222,22222,23,2323,2324,2325,2326,2327,2328,2329,2331,2334,2375,2379,23792,2380,2383,23943,2480,25,25774,264,2669,27001,27017,28017,28080,2888,28883,28884,300,3000,30001,3128,31695,32306,3306,3333,33344,3389,33899,34037,350,3888,389,39788,39950,39951,39952,39953,3999,4000,4009,4100,42,4201,4243,43832,441,44122,442,443,444,4443,449,4567,465,47001,4711,4712,48080,48443,4848,49152,49153,49154,49155,49156,49157,49158,49159,49160,49161,49162,49163,49164,49165,49166,49167,49168,49169,49170,49172,49173,49174,49175,49177,49179,49388,49555,4993,5000,50010,50022,50223,51001,5104,5108,51111,512,513,514,51593,5222,52273,5239,52667,53,53316,53503,5432,5520,555,5555,55580,5601,5632,5656,57533,5800,58080,58226,58422,5900,59000,5901,591,593,59551,5985,5986,6000,60001,60002,60010,60088,60089,60443,60446,61111,61591,6200,62131,62133,62170,62171,62173,62200,62251,63426,63513,6379,64059,6443,6543,67,68,6802,6886,69,6999,70,7000-7021,7050-7080,7171,7272,7322,7396,7443,7474,7480,7530,7630,7777,8000-8010,801,8014,8016,8019,8020,8021,8033,8037,8041,8043,8060,8065,8069,8070,8075,808,8080-8090,80-90,8091,8099,8100,8105,8110,8118,8123,8143,8172,8180,8181,8182,8201,8207,8222,8243,8280,8281,8282,832,8333,8383,843,8443,8444,8445,8500,8512,8521,8585,8600,8680,8681,8719,8720,873,8777,8800,8818,8834,886,888,8880-8890,8906,8983,8989,8992,8996,8998,90,9000-9010,9043,9060,9066,9080,9081,9090,9091,9092,9093,9094,9100,9115,9127,9191,9200,9203,9300,9443,9445,9500,9643,97,9700,9722,9797,9800,981,993,995,9981,9988,9994,9997,9998
  5. Then run the batch scanning tools

Many targets: prefer lightweight scanners and small wordlists
Few targets: an automated comprehensive scanner can be used

One crawling pass
One manual pass
Shortlist the sites and admin backends worth working on.
One weak-password pass
One batch PoC tool pass
Scan with a comprehensive automated scanner.

When this runs fast it hits a wildcard DNS (catch-all resolution) problem that is hard to deal with; switch to ESD with the top-2000 wordlist instead
Link: Baidu pan, extraction code: xyyx