Kali: Subdomain Brute-Forcing
Introduction
It has been a long time since I last wrote anything about web penetration testing. I have been studying it on my own in my spare time and hope to have a chance to move in this direction some day; with luck, reality will not be too harsh. Someone who can both develop and do operations looks like a truly formidable dual-class master.
whois lookup
Web domain lookup sites
ICP filing (備案) information lookup
Lookup with the scripts bundled with Kali
Subdomain brute-forcing
There are many ways to enumerate subdomains, for example third-party websites and third-party tools.
The common methods are demonstrated below.
1. Subdomain lookup websites
2. Third-party tools
wydomain download
The repository page describes how to use it below the file listing.
Demo:
Configure the files as described in the official documentation.
Output when the configuration succeeds:
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.21.0)
Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (1.16.0)
After installation, the scripts must be given execute permission from the shell (chmod +x, explained at the end of this article); scripts that appear in green in a directory listing are the executable ones.
pip install -r requirements.txt
If pip is not set up on the machine, this command cannot run.
Solution:
Run the following three commands in the terminal; once they have finished, the wydomain install command above should normally work without problems.
wget https://bootstrap.pypa.io/get-pip.py
python3 get-pip.py
pip3 -V
Brute-force command:
./dnsburte.py -d aliyun.com -f dnspod.csv -o message.txt
View the results:
cat message.txt
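As an added example (not part of the original post or of the wydomain project), here is the core of what a wordlist brute force like dnsburte.py does, in plain Python with the standard library only (wydomain itself uses dnspython): resolve each wordlist label under the domain and keep the ones that answer. It adds one check the raw command does not show: it probes random labels first to detect a wildcard DNS record, which would otherwise make every guess look like a hit. The zone, addresses and short wordlist are constructed for offline use, and the function names (`brute_force`, `detect_wildcard`, `fake_resolve`, `demo`) are my own.

```python
import random
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]

def system_resolve(name: str) -> Optional[str]:
    """Live resolver using only the standard library (wydomain itself uses dnspython)."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, UnicodeError):
        return None

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> set:
    """Resolve random labels that should not exist; any answer means a wildcard record."""
    found = set()
    for _ in range(probes):
        label = "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=16))
        ip = resolve(f"{label}.{domain}")
        if ip:
            found.add(ip)
    return found

def brute_force(domain: str, words: Iterable[str],
                resolve: Resolver = system_resolve) -> Dict[str, str]:
    """Try each wordlist entry as a label; keep only answers that differ from the wildcard."""
    wildcard = detect_wildcard(domain, resolve)
    hits: Dict[str, str] = {}
    for word in words:
        word = word.strip().lower()
        if not word:
            continue
        fqdn = f"{word}.{domain}"
        ip = resolve(fqdn)
        if ip and ip not in wildcard:
            hits[fqdn] = ip
    return hits

# Constructed offline sample: a fake zone for example.com that also has a wildcard record,
# standing in for live DNS; the short list in demo() stands in for the dnspod.csv wordlist.
SAMPLE_ZONE = {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.20"}
WILDCARD_IP = "192.0.2.99"

def fake_resolve(name: str) -> Optional[str]:
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    return WILDCARD_IP if name.endswith(".example.com") else None

def demo() -> Dict[str, str]:
    """Run the brute force against the fake zone; only the two real records survive."""
    return brute_force("example.com", ["www", "mail", "admin", "dev"], fake_resolve)
```

Against a real zone, pass a wordlist read from a file and leave `resolve` at its default; when auditing your own domains, the wildcard set tells you whether a catch-all record is masking what is actually published.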
Query the target's subdomains through third-party APIs:
./wydomain.py -d ahdy.top -o andy.log
Sample output:
root@kali:~/Desktop/wydomain# ./wydomain.py -d baidu.com -o andy.log
2019-12-17 00:44:49,894 [INFO] starting alexa fetcher...
2019-12-17 00:44:50,322 [INFO] sign_fetch_is_failed
2019-12-17 00:44:50,323 [INFO] alexa fetcher subdomains(22) successfully...
2019-12-17 00:44:50,323 [INFO] starting threatminer fetcher...
2019-12-17 00:44:53,139 [INFO] threatminer fetcher subdomains(0) successfully...
2019-12-17 00:44:53,139 [INFO] starting threatcrowd fetcher...
2019-12-17 00:44:55,187 [INFO] No JSON object could be decoded
2019-12-17 00:44:55,187 [INFO] threatcrowd fetcher subdomains(0) successfully...
2019-12-17 00:44:55,188 [INFO] starting sitedossier fetcher...
2019-12-17 00:44:55,188 [INFO] request: http://www.sitedossier.com/parentdomain/baidu.com
2019-12-17 00:44:57,185 [INFO] request: http://www.sitedossier.com/parentdomain/baidu.com/101
2019-12-17 00:44:57,795 [INFO] request: http://www.sitedossier.com/parentdomain/baidu.com/201
2019-12-17 00:45:00,199 [INFO] request: http://www.sitedossier.com/parentdomain/baidu.com/301
2019-12-17 00:45:05,813 [INFO] sitedossier fetcher subdomains(300) successfully...
2019-12-17 00:45:05,813 [INFO] starting netcraft fetcher...
2019-12-17 00:45:17,687 [INFO] netcraft fetcher subdomains(0) successfully...
2019-12-17 00:45:17,687 [INFO] starting ilinks fetcher...
2019-12-17 00:45:22,707 [INFO] ilinks fetcher subdomains(0) successfully...
2019-12-17 00:45:22,707 [INFO] starting chaxunla fetcher...
2019-12-17 00:45:37,737 [INFO] HTTPConnectionPool(host='api.chaxun.la', port=80): Max retries exceeded with url: /toolsAPI/getDomain/?0.1576561522.71&callback=&k=baidu.com&page=1&order=default&sort=desc&action=moreson&_=1576561522.71&verify= (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f044169d9d0>: Failed to establish a new connection: [Errno -2] Name or service not known',))
2019-12-17 00:45:37,738 [INFO] chaxunla fetcher subdomains(0) successfully...
2019-12-17 00:45:37,738 [INFO] starting google TransparencyReport fetcher...
2019-12-17 00:45:42,760 [INFO] 'NoneType' object has no attribute '__getitem__'
2019-12-17 00:45:42,761 [INFO] google TransparencyReport fetcher subdomains(0) successfully...
2019-12-17 00:45:42,765 [INFO] baidu.com 485 subdomains save to /root/Desktop/wydomain/andy.log
root@kali:~/Desktop/wydomain# cat message.txt
Notes on the shell commands used in this article
Making a script executable from the shell
chmod +x followed by the script name (or the script's absolute path)
Once it is executable, the script is shown in green in the directory listing.
cd directory: change into that directory
ls: list the files in the current directory
Note: always write ./test.sh, not test.sh, and the same applies to running any other binary. If you write just test.sh, Linux searches PATH for something called test.sh, and only directories such as /bin, /sbin, /usr/bin and /usr/sbin are in PATH; your current directory usually is not, so test.sh gives "command not found". Writing ./test.sh tells the system to look in the current directory.
2. As an interpreter argument
In this way of running a script, you invoke the interpreter directly and pass the shell script's filename as its argument, e.g.:
/bin/sh test.sh
/bin/php test.php