Information gathering framework: recon-ng
Background: during the early attack-surface discovery (information gathering) phase of a penetration test you usually end up running many separate tools and then merging everything they collected into one place.
recon-ng is a ready-made framework for exactly this: it bundles many information-gathering modules, a database that stores the results, and report-generation modules, which makes engineering-style, repeatable information gathering possible.
recon-ng is written in Python and its usage closely resembles that of metasploit.
Usage:
1. Create a workspace (one workspace per penetration-test target is recommended, so that everything you collect belongs to a single target)
Command: recon-ng -w <workspace name>
Example:
recon-ng -w cctv
# After creating the 'cctv' workspace with the command above, you can inspect the workspaces with:
[recon-ng][cctv] > show workspaces

  +------------+
  | Workspaces |
  +------------+
  | cctv       |
  | default    |
  +------------+
2. Configure search-engine API keys
keys list ===> view the API keys currently configured
keys add shodan_api fdkasjkfljklasjkldffjalks ===> set the Shodan API key (the key name must match the one listed by keys list)
[recon-ng][cctv] > keys list

  +--------------------------+
  |       Name       | Value |
  +--------------------------+
  | bing_api         |       |
  | builtwith_api    |       |
  | censysio_id      |       |
  | censysio_secret  |       |
  | flickr_api       |       |
  | fullcontact_api  |       |
  | github_api       |       |
  | google_api       |       |
  | hashes_api       |       |
  | ipinfodb_api     |       |
  | ipstack_api      |       |
  | jigsaw_api       |       |
  | jigsaw_password  |       |
  | jigsaw_username  |       |
  | pwnedlist_api    |       |
  | pwnedlist_iv     |       |
  | pwnedlist_secret |       |
  | shodan_api       |       |
  | twitter_api      |       |
  | twitter_secret   |       |
  | virustotal_api   |       |
  +--------------------------+

[recon-ng][cctv] > keys add shodan_api fdkasjkfljklasjkldffjalks
3. show options (view the global settings)
[recon-ng][cctv] > show options

  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  NAMESERVER  8.8.8.8        yes       nameserver for DNS interrogation
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v4    yes       user-agent string
  VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)
It is worth setting a proxy so that Google can be reached (Google's search capability is hard to beat):
set PROXY 127.0.0.1:1087
4. Find out which modules are available
Type use followed by the Tab key to list the available modules:
[recon-ng][cctv] > use
discovery/info_disclosure/cache_snoop  recon/domains-companies/pen  recon/domains-hosts/threatcrowd  recon/netblocks-hosts/shodan_net
discovery/info_disclosure/interesting_files  recon/domains-contacts/metacrawler  recon/domains-hosts/threatminer  recon/netblocks-hosts/virustotal
exploitation/injection/command_injector  recon/domains-contacts/pen  recon/domains-vulnerabilities/ghdb  recon/netblocks-ports/census_2012
exploitation/injection/xpath_bruter  recon/domains-contacts/pgp_search  recon/domains-vulnerabilities/punkspider  recon/netblocks-ports/censysio
import/csv_file  recon/domains-contacts/whois_pocs  recon/domains-vulnerabilities/xssed  recon/ports-hosts/migrate_ports
import/list  recon/domains-credentials/pwnedlist/account_creds  recon/domains-vulnerabilities/xssposed  recon/profiles-contacts/dev_diver
recon/companies-contacts/bing_linkedin_cache  recon/domains-credentials/pwnedlist/api_usage  recon/hosts-domains/migrate_hosts  recon/profiles-contacts/github_users
recon/companies-contacts/jigsaw/point_usage  recon/domains-credentials/pwnedlist/domain_creds  recon/hosts-hosts/bing_ip  recon/profiles-profiles/namechk
recon/companies-contacts/jigsaw/purchase_contact  recon/domains-credentials/pwnedlist/domain_ispwned  recon/hosts-hosts/ipinfodb  recon/profiles-profiles/profiler
recon/companies-contacts/jigsaw/search_contacts  recon/domains-credentials/pwnedlist/leak_lookup  recon/hosts-hosts/ipstack  recon/profiles-profiles/twitter_mentioned
recon/companies-contacts/pen  recon/domains-credentials/pwnedlist/leaks_dump  recon/hosts-hosts/resolve  recon/profiles-profiles/twitter_mentions
recon/companies-domains/pen  recon/domains-domains/brute_suffix  recon/hosts-hosts/reverse_resolve  recon/profiles-repositories/github_repos
recon/companies-multi/github_miner  recon/domains-hosts/bing_domain_api  recon/hosts-hosts/ssltools  recon/repositories-profiles/github_commits
recon/companies-multi/whois_miner  recon/domains-hosts/bing_domain_web  recon/hosts-hosts/virustotal  recon/repositories-vulnerabilities/gists_search
recon/contacts-contacts/mailtester  recon/domains-hosts/brute_hosts  recon/hosts-locations/migrate_hosts  recon/repositories-vulnerabilities/github_dorks
recon/contacts-contacts/mangle  recon/domains-hosts/builtwith  recon/hosts-ports/shodan_ip  reporting/csv
recon/contacts-contacts/unmangle  recon/domains-hosts/certificate_transparency  recon/locations-locations/geocode  reporting/html
recon/contacts-credentials/hibp_breach  recon/domains-hosts/findsubdomains  recon/locations-locations/reverse_geocode  reporting/json
recon/contacts-credentials/hibp_paste  recon/domains-hosts/google_site_web  recon/locations-pushpins/flickr  reporting/list
recon/contacts-domains/migrate_contacts  recon/domains-hosts/hackertarget  recon/locations-pushpins/shodan  reporting/proxifier
recon/contacts-profiles/fullcontact  recon/domains-hosts/mx_spf_ip  recon/locations-pushpins/twitter  reporting/pushpin
recon/credentials-credentials/adobe  recon/domains-hosts/netcraft  recon/locations-pushpins/youtube  reporting/xlsx
recon/credentials-credentials/bozocrack  recon/domains-hosts/shodan_hostname  recon/netblocks-companies/whois_orgs  reporting/xml
recon/credentials-credentials/hashes_org  recon/domains-hosts/ssl_san  recon/netblocks-hosts/reverse_resolve
You can also use the search command to find related modules:
[recon-ng][cctv] > search google
[*] Searching for 'google'...

  Recon
  -----
    recon/domains-hosts/google_site_web
At this point you may wonder: with so many modules, how do I know what each one does? Select the module with use, then run show info to get a detailed description of it:
[recon-ng][cctv] > use recon/domains-hosts/google_site_web
[recon-ng][cctv][google_site_web] > show info

     Name: Google Hostname Enumerator
     Path: modules/recon/domains-hosts/google_site_web.py
   Author: Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from Google.com by using the 'site' search operator. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  cctv.com       yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs
recon-ng also stores everything it collects in a database automatically, so later we can pull that data back out for further queries. The following command lists the tables in the database (every column in every table is of type TEXT; the output is condensed here to one line per table):
[recon-ng][cctv] > show schema

  domains:          domain, module
  companies:        company, description, module
  netblocks:        netblock, module
  locations:        latitude, longitude, street_address, module
  vulnerabilities:  host, reference, example, publish_date, category, status, module
  ports:            ip_address, host, port, protocol, module
  hosts:            host, ip_address, region, country, latitude, longitude, module
  contacts:         first_name, middle_name, last_name, email, title, region, country, module
  credentials:      username, password, hash, type, leak, module
  leaks:            leak_id, description, source_refs, leak_type, title, import_date, leak_date, attackers, num_entries, score, num_domains_affected, attack_method, target_industries, password_hash, password_type, targets, media_refs, module
  pushpins:         source, screen_name, profile_name, profile_url, media_url, thumb_url, message, latitude, longitude, time, module
  profiles:         username, resource, url, category, notes, module
  repositories:     name, owner, description, resource, category, url, module
5. Worked usage example (finding a target's subdomains and their corresponding IPs)
Use Google search to find the target's subdomains:
[recon-ng][cctv] > use recon/domains-hosts/google_site_web
[recon-ng][cctv][google_site_web] > show options   # see which values need to be filled in

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][cctv][google_site_web] > set SOURCE cctv.com   # set the target domain
SOURCE => cctv.com
[recon-ng][cctv][google_site_web] > run   # start the module
Subdomains can also be obtained by brute-force guessing:
[recon-ng][cctv] > use recon/domains-hosts/brute_hosts
[recon-ng][cctv][brute_hosts] > show options

  Name      Current Value                                                Required  Description
  --------  -----------------------------------------------------------  --------  -----------
  SOURCE    default                                                      yes       source of input (see 'show info' for details)
  WORDLIST  /usr/local/Cellar/recon-ng/4.9.6/libexec/data/hostnames.txt  yes       path to hostname wordlist   # wordlist path

[recon-ng][cctv][brute_hosts] > set SOURCE cctv.com   # set the target domain
SOURCE => cctv.com
[recon-ng][cctv][brute_hosts] > run   # start the module
When the run finishes, the results are stored in the database automatically; you can view them with 'show hosts' or with 'query' followed by an SQL statement, for example:
[recon-ng][cctv] > show hosts

  +------------------------------------------------------------------------------------------------+
  | rowid |     host      | ip_address | region | country | latitude | longitude |     module      |
  +------------------------------------------------------------------------------------------------+
  | 1     | tv.cctv.com   |            |        |         |          |           | google_site_web |
  | 2     | www.cctv.com  |            |        |         |          |           | google_site_web |
  | 3     | news.cctv.com |            |        |         |          |           | google_site_web |
  +------------------------------------------------------------------------------------------------+

[recon-ng][cctv] > query select * from hosts;

  +------------------------------------------------------------------------------------------------+
  | rowid |     host      | ip_address | region | country | latitude | longitude |     module      |
  +------------------------------------------------------------------------------------------------+
  | 1     | tv.cctv.com   |            |        |         |          |           | google_site_web |
  | 2     | www.cctv.com  |            |        |         |          |           | google_site_web |
  | 3     | news.cctv.com |            |        |         |          |           | google_site_web |
  +------------------------------------------------------------------------------------------------+

# Most of the rows were removed for privacy; only 3 are kept as an example
The database now holds the target's subdomains. Can we run further queries based on what is already in the database? Of course; take resolving the IP address of each domain as an example:
[recon-ng][cctv] > use recon/hosts-hosts/resolve
[recon-ng][cctv][resolve] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

# Normally SOURCE would be followed by a single hostname, such as 'www.cctv.com'
[recon-ng][cctv][resolve] > set SOURCE query select host from hosts
# This is the neat part: what we want to process is the contents of a whole table, and setting one domain at a time would be exhausting. recon-ng lets the value be an SQL statement, so the whole table can be processed in one batch.
SOURCE => query select host from hosts
[recon-ng][cctv][resolve] > run
Once the run finishes, let's see how the contents of the database have changed:
[recon-ng][cctv][resolve] > show hosts

  +-----------------------------------------------------------------------------------------------------+
  | rowid |     host      |   ip_address    | region | country | latitude | longitude |     module      |
  +-----------------------------------------------------------------------------------------------------+
  | 1     | tv.cctv.com   | 123.125.195.125 |        |         |          |           | google_site_web |
  | 2     | www.cctv.com  | 114.112.172.231 |        |         |          |           | google_site_web |
  | 3     | news.cctv.com | 111.206.186.245 |        |         |          |           | google_site_web |
  | 4     | tv.cctv.com   | 123.125.195.125 |        |         |          |           | resolve         |
  | 5     | www.cctv.com  | 114.112.172.231 |        |         |          |           | resolve         |
  | 6     | news.cctv.com | 111.206.186.245 |        |         |          |           | resolve         |
  +-----------------------------------------------------------------------------------------------------+

# The resolved IP addresses have been filled into the table
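Because the workspace is just an SQLite database, the same second-pass queries can be run outside recon-ng. The Python script below is an added example, not part of the original post or of recon-ng itself: it opens the workspace database (the data.db path under ~/.recon-ng/workspaces/cctv is an assumption; when that file is absent it falls back to an in-memory hosts table seeded with the rows shown above), collapses the duplicate rows left by google_site_web and resolve into one entry per host, and lists the hosts that still have no IP, which is the same SELECT one would hand to set SOURCE query.

```python
import sqlite3
from pathlib import Path

# recon-ng stores each workspace in its own SQLite file. This path is an assumption
# for the 'cctv' workspace used in this post (recon-ng's default layout, data.db).
WORKSPACE_DB = Path.home() / ".recon-ng" / "workspaces" / "cctv" / "data.db"
# Columns of the 'hosts' table exactly as 'show schema' prints them (all TEXT).
HOSTS_SCHEMA = """CREATE TABLE IF NOT EXISTS hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT,
    latitude TEXT, longitude TEXT, module TEXT)"""

# Constructed sample rows mirroring the 'show hosts' output after the resolve run:
# each host appears once per module that recorded it.
SAMPLE_ROWS = [
    ("tv.cctv.com",   "123.125.195.125", "google_site_web"),
    ("www.cctv.com",  "114.112.172.231", "google_site_web"),
    ("news.cctv.com", "111.206.186.245", "google_site_web"),
    ("tv.cctv.com",   "123.125.195.125", "resolve"),
    ("www.cctv.com",  "114.112.172.231", "resolve"),
    ("news.cctv.com", "111.206.186.245", "resolve"),
]

def open_workspace(path=None):
    """Open a workspace database, or an in-memory copy seeded with the sample rows."""
    if path is not None:
        return sqlite3.connect(str(path))
    conn = sqlite3.connect(":memory:")
    conn.execute(HOSTS_SCHEMA)
    conn.executemany("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
                     SAMPLE_ROWS)
    return conn

def hosts_with_sources(conn):
    """One entry per resolved host: (host, ip, sorted list of modules that found it)."""
    sql = """SELECT host, ip_address, GROUP_CONCAT(DISTINCT module) FROM hosts
             WHERE ip_address IS NOT NULL AND ip_address != ''
             GROUP BY host, ip_address ORDER BY host"""
    return [(h, ip, sorted(m.split(","))) for h, ip, m in conn.execute(sql)]

def unresolved_hosts(conn):
    """Hosts with no IP yet; the same SELECT can be handed to 'set SOURCE query ...'."""
    sql = """SELECT DISTINCT host FROM hosts
             WHERE ip_address IS NULL OR ip_address = '' ORDER BY host"""
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    db = open_workspace(WORKSPACE_DB if WORKSPACE_DB.exists() else None)
    for host, ip, modules in hosts_with_sources(db):
        print(f"{host:<20} {ip:<16} found by: {', '.join(modules)}")
    print("still unresolved:", unresolved_hosts(db))
```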
Using the data we have just gathered, here is how to export a report:
[recon-ng][cctv] > search report   # see which reporting modules exist
[*] Searching for 'report'...

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

[recon-ng][cctv] > use reporting/html   # export as an HTML file
[recon-ng][cctv][html] > show options

  Name      Current Value                                        Required  Description
  --------  ---------------------------------------------------  --------  -----------
  CREATOR                                                        yes       creator name for the report footer
  CUSTOMER                                                       yes       customer name for the report header
  FILENAME  /Users/liwei/.recon-ng/workspaces/cctv/results.html  yes       path and filename for report output   # report output path
  SANITIZE  True                                                 yes       mask sensitive data in the report

[recon-ng][cctv][html] > set CREATOR liwei   # report author
CREATOR => liwei
[recon-ng][cctv][html] > set CUSTOMER cctv   # customer organisation name
CUSTOMER => cctv
[recon-ng][cctv][html] > run
[*] Report generated at '/Users/liwei/.recon-ng/workspaces/cctv/results.html'.   # export succeeded
[recon-ng][cctv][html] >
The final report looks like this: