[Tutorial] Using Ladon to find the internal IP of a domain (sites that can only be reached by domain name)
阿新 • Published: 2020-07-18
Preface
During internal network penetration you will sometimes find that a web site cannot be reached by IP address. The main reason is that the target has bound the site to a domain name, especially where several domain sites share one server. Accessing the IP may then return a 401, 403 or 404 error, or return no error at all but the default IIS or Apache page; if you conclude from that that no site is deployed there, you may miss web applications that have vulnerabilities. Or you have already compromised one machine in the internal network and want to reach the main site through it, but neither Ladon's WebScan nor WhatCms finds the main site's IP; most likely the reason is again that the site is bound to a domain name (shown as a host header in the IIS settings). This article addresses that problem.
Solution
1. Edit the hosts file to bind the domain name to the IP, access the IP, and compare the page returned with the target's main site.
2. Access the site with the HTTP Host header set to the domain, and compare the page returned for the IP with the target's main site.
Practical uses
1. Find the internal IP that corresponds to a domain name
2. Find whether the main site is bound to several IPs
C# code
using System;
using System.IO;
using System.Net;
using System.Text.RegularExpressions;

namespace hostscan
{
    class Program
    {
        //hostscan for ladon
        //http://k8gege.org
        static void Main(string[] args)
        {
            string ip = "";
            //string host = "qq.com"; // when scanning a C class range or in batch, hard-code the target's domain here
            string host = ""; // no Host header set: by default fetch the title of the site bound to the IP
            if (args.Length == 1)
            {
                ip = args[0];
            }
            else if (args.Length == 2)
            {
                ip = args[0];
                host = args[1];
            }
            else
            {
                Console.WriteLine("hostscan ip");
                Console.WriteLine("hostscan ip domain");
                return;
            }
            string url = "http://" + ip;
            if (ip.Contains("http://") || ip.Contains("https://")) url = ip;
            HttpWebRequest req = (HttpWebRequest)HttpWebRequest.Create(url);
            req.Method = "GET";
            //req.ContentLength = data.Length;
            //req.ContentType = "application/x-www-form-urlencoded";
            req.ContentType = "application/octet-stream";
            if (host != "") req.Host = host; // the Host header is what selects the domain-bound site on the server
            req.Accept = "image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, application/vnd.ms-xpsdocument, application/x-ms-application, application/x-ms-xbap, application/xaml+xml, */*";
            try
            {
                HttpWebResponse response = (HttpWebResponse)req.GetResponse();
                Stream myResponseStream = response.GetResponseStream();
                // Encoding.Default is the local ANSI code page, so UTF-8 pages come out garbled (as some titles in the scan output below do)
                StreamReader myStreamReader = new StreamReader(myResponseStream, System.Text.Encoding.Default);
                string retString = myStreamReader.ReadToEnd();
                myStreamReader.Close();
                myResponseStream.Close();
                Console.WriteLine(ip + " " + GetTitle(retString));
            }
            catch (Exception)
            {
                // unreachable host or a non-2xx response: print nothing for this IP
            }
        }

        private static string GetTitle(string html)
        {
            String regex = @"<title>.+</title>";
            String title = Regex.Match(html, regex).ToString();
            title = Regex.Replace(title, @"[\""]+", "");
            return title;
        }
    }
}
Access an IP with the Host header specified and get the title (without the Host header we get no title):
C:\Users\k8gege>hostscan 58.250.137.36 qq.com
58.250.137.36 <title>騰訊首頁</title>
Batch probing
Obviously, when it is not clear which internal IP hosts the main site, trying IPs one at a time is far too slow, so the probing has to be automated in code. We can fetch the site titles across the whole C class range and compare each IP's title with the title seen when visiting from the outside, which tells us which IP is the main site machine; with load balancing or a machine with several network cards, more than one IP may return the same title.
Because it is a .NET program, Ladon can load the EXE directly as a module and scan with it. The scan results show that qq.com is bound to several IPs. In practice, specify the target's internal IP range; the domain name in hostscan.exe must be hard-coded or read from a TXT file.
C:\Users\k8gege>hostscan 58.250.137.36 qq.com
58.250.137.36 <title>騰訊首頁</title>
C:\Users\k8gege>Ladon40 58.250.137.36/24 hostscan.exe
Ladon 6.6
Start: 2020-07-15 21:42:40
Runtime: .net 4.0 OS Arch: x86
OS Name: Microsoft Windows 7 旗艦版
Call DiyMoudle (c# exe)
58.250.137.36/24
load hostscan.exe
58.250.137.36/24 is Valid CIDR
IPCound: 256
Scan Start: 2020-07-15 21:42:40
58.250.137.100 <title>鑵捐浜戞櫤鏈?涓€閿惌寤轟紒涓氳嚜宸辯殑瀹㈡湇騫衝彴</title>
58.250.137.36 <title>騰訊首頁</title>
58.250.137.38 <title>騰訊首頁</title>
58.250.137.116
58.250.137.124
58.250.137.115
58.250.137.107 <title>鎶㈡敞QQ絀洪棿涓撳睘鍩熷悕</title>
58.250.137.112 <title>鐧誨綍</title>
58.250.137.101 <title>騰訊首頁</title>
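Seen from the other side, the scan above lands on every web server in the range as a burst of requests whose Host header is either a raw IP or a hostname that server is not configured to serve; on IIS, a default (catch-all) site records that Host value in the cs-host field of its W3C log. The following Python script is an added example for defenders, not part of the original post or of Ladon: it parses a constructed IIS log excerpt (the addresses, hostnames, and the allowed-host list are made up) and flags clients that send several mismatched Host values, which is what host-header enumeration looks like in the log.

```python
import ipaddress
from collections import defaultdict

# Constructed IIS W3C extended log excerpt, as a default/catch-all site would
# record it. 10.0.0.5 is a hypothetical internal client; 192.0.2.36 is the
# server. All values are made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip cs(User-Agent) cs-host sc-status
2020-07-15 13:42:40 192.0.2.36 GET / 80 10.0.0.5 - 192.0.2.36 200
2020-07-15 13:42:40 192.0.2.36 GET / 80 10.0.0.5 - www.example.com 200
2020-07-15 13:42:41 192.0.2.36 GET / 80 10.0.0.5 - portal.example.com 200
2020-07-15 13:42:41 192.0.2.36 GET / 80 10.0.0.5 - mail.example.com 404
2020-07-15 13:43:02 192.0.2.36 GET /index.html 80 198.51.100.7 Mozilla/5.0 www.example.com 200
2020-07-15 13:43:05 192.0.2.36 GET /favicon.ico 80 198.51.100.7 Mozilla/5.0 www.example.com 200
"""

# Hostnames this server is actually configured to serve (assumed for the example).
ALLOWED_HOSTS = {"www.example.com"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def host_name(value):
    """Strip an optional :port from a Host header value; '-' means no header was sent."""
    if value == "-":
        return ""
    if value.startswith("["):  # IPv6 literal such as [2001:db8::1]:8080
        return value.split("]")[0][1:]
    return value.split(":")[0]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_host_probes(records, allowed_hosts, threshold=2):
    """Return clients that sent at least `threshold` requests with a Host header
    the server does not serve, split into raw-IP Hosts and unknown hostnames."""
    allowed = {h.lower() for h in allowed_hosts}
    stats = defaultdict(lambda: {"raw_ip": 0, "unknown_host": 0, "hosts": set()})
    for rec in records:
        client = rec.get("c-ip", "-")
        host = host_name(rec.get("cs-host", "-")).lower()
        if host in allowed:
            continue  # a normal request for a site this server really hosts
        entry = stats[client]
        entry["hosts"].add(host or "<none>")
        if is_ip_literal(host):
            entry["raw_ip"] += 1        # client connected by bare IP (no virtual host selected)
        else:
            entry["unknown_host"] += 1  # a hostname this server is not bound to
    flagged = {}
    for client, entry in stats.items():
        if entry["raw_ip"] + entry["unknown_host"] >= threshold:
            flagged[client] = {
                "raw_ip": entry["raw_ip"],
                "unknown_host": entry["unknown_host"],
                "hosts": sorted(entry["hosts"]),
            }
    return flagged


if __name__ == "__main__":
    for client, info in find_host_probes(parse_w3c(SAMPLE_LOG), ALLOWED_HOSTS).items():
        print(client, info)
```

The allowed-host set and the threshold are the tunables. A scanner that sends one fixed domain to every IP in a range, as hostscan does with its hard-coded domain, shows up on each non-matching server under unknown_host; a plain title sweep with no Host header shows up under raw_ip. Running the report over the log of the default site only, rather than every site, keeps ordinary traffic out of it.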
Tool download
Latest version: https://k8gege.org/Download
Earlier versions: https://github.com/k8gege/Ladon/releases