碳基体

奋斗在产品安全第一线的安全妹子

web渗透信息侦察收集工具——Recon-ng

在web渗透测试中,信息侦察与收集相当重要,每个经验丰富的黑客都有自己独特的信息收集妙招,曾有幸参加过大牛们的信息收集交流,点子都非常赞。在秉承黑站思路第一的前提下,能合理的利用现有的优秀工具也是不错的选择,起码对新手而言,可以扩充思路。现在就记录一下Recon-ng 这款较新的信息侦察收集工具的使用。


Recon-ng官方文档


一、安装

1.安装依赖文件dnspython,httplib2,python-0auth2

sudo pip install dnspython (也可以使用easy_install安装)

sudo pip install httplib2

git clone https://github.com/synedra/python-oauth2.git

cd python-oauth2/

sudo python setup.py install

2.安装recon-ng

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

3.运行

cd recon-ng/

./recon-ng.py

二、使用

与MSF的使用方法非常类似,插播一下msf使用基础流程,唤起回忆

第一步:search name模块

第二步:use name模块
第三步:info 查看模块信息
第四步:show payloads 查看该模块可以使用的攻击载荷(为scanner的时候不需要)
第五步:set payload 载荷
第六步:show targets查看该攻击载荷使用的系统类型(为scanner的时候不需要)
第七步:set targets num 设置目标的系统类型
第八步:show options 查看需要设置的参数 
show advanced 列出所有高级配置选项


mso-hansi-font-family:"Times New Roman";mso-fareast-language:ZH-CN;"  >第九步:set name
mso-hansi-font-family:"Times New Roman";mso-fareast-language:ZH-CN;"  >设置参数


mso-hansi-font-family:"Times New Roman";mso-fareast-language:ZH-CN;"  >第十步:exploit
mso-hansi-font-family:"Times New Roman";mso-fareast-language:ZH-CN;"  >(为scanner
"Times New Roman";mso-fareast-language:ZH-CN;"  >时用run
"Times New Roman";mso-fareast-language:ZH-CN;"  >)

第十一步:session –l –v列出所有可用的交互会话以及详细信息

1. 模块介绍

在使用该工具前,有必要提及一下信息收集的常规步骤,以便如何使用这款工具。信息收集分为三步:侦察Reconnaissance发现Discovery汇报reporting。这也对应了该工具的三个模块

recon-ng > show modules

(1). 侦察Reconnaissance

是一种被动的信息收集方式(passive reconnaissance),例如通过搜索引擎google hacker技巧收集目标的敏感信息

 

(2).发现Discovery

是一种主动的信息收集方式(active reconnaissance),例如通过发送http请求包探测web服务指纹


(3).汇报Reporting

Recon-ng提供两种格式的报表,html与csv

  2. 模块使用范例

(1) web应用指纹识别

第一步:搜索指定模块

recon-ng > search whatweb
[*] Searching for 'whatweb'

  Recon:
  -------------------------------
    recon/hosts/enum/http/whatweb

第二步:使用该模块

recon-ng > use recon/hosts/enum/http/whatweb

第三步:查看模块信息

recon-ng [whatweb] > info

  Name:
    WhatWeb Web Technologies scan

  Author:
    thrapt (thrapt@gmail.com) and Tim Tomes (@LaNMaSteR53)

  Description:
    Leverages WhatWeb.net to recognise web technologies being used.

  Options:

    Name     Current Value  Req  Description
    -------  -------------  ---  -----------
    SOURCE   db             yes  source of module input
    VERBOSE  True           yes  verbose output

  Comments:
    Source options: [ db | <hostname> | ./path/to/file | query <sql> ]


第四步:设置选参数

recon-ng [whatweb] > set SOURCE resources.infosecinstitute.com
SOURCE => resources.infosecinstitute.com

第五步:运行

recon-ng [whatweb] > run

注意:如果出现 [!] <urlopen error timed out> 的错误提示,可以修改全局参数SOCKET_TIMEOUT

recon-ng [whatweb] > back
recon-ng > show options

  Name            Current Value                                                     Req  Description
  --------------  -------------                                                     ---  -----------
  COMPANY                                                                           no   target company name
  DB_FILE         ./data/data.db                                                    yes  path to main database file
  DOMAIN                                                                            no   target domain
  KEY_FILE        ./data/keys.db                                                    yes  path to API key database file
  PROXY           False                                                             yes  proxy all requests
  PROXY_SERVER    127.0.0.1:8080                                                    yes  proxy server
  REC_FILE        ./data/cmd.rc                                                     yes  path to resource file for 'record'
  SOCKET_TIMEOUT  10                                                                yes  socket timeout in seconds
  USER-AGENT      Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)  yes  user-agent string
  VERBOSE         True                                                              yes  verbose output

recon-ng > set SOCKET_TIMEOUT 20
SOCKET_TIMEOUT => 20
recon-ng > use recon/hosts/enum/http/whatweb
recon-ng [whatweb] > set SOURCE resources.infosecinstitute.com
SOURCE => resources.infosecinstitute.com

recon-ng [whatweb] > run

探测结果如下图所示

  (2)公司职员信息收集

recon-ng > use recon/contacts/gather/http/jigsaw
recon-ng [jigsaw] > info

  Name:
    Jigsaw Contact Enumerator

  Author:
    Tim Tomes (@LaNMaSteR53)

  Description:
    Harvests contacts from Jigsaw.com. This module updates the 'contacts' table of the database with the
    results.

  Options:

    Name      Current Value  Req  Description
    --------  -------------  ---  -----------
    COMPANY                  yes  target company name
    KEYWORDS                 no   additional keywords to identify company
    VERBOSE   True           yes  verbose output

recon-ng [jigsaw] > set COMPANY google.com

recon-ng [jigsaw] > run

该模块是通过在搜索http://www.jigsaw.com/ 网站,收集公司组织架构信息,需要花费一段时间运行,你可以使用ctrl+c终止查询,搜索结果我们可以采用下面的方法导出来

recon-ng > use reporting/html_report
recon-ng [html_report] > info

  Name:
    HTML Report Generator

  Author:
    Tim Tomes (@LaNMaSteR53)

  Description:
    Creates a HTML report.

  Options:

    Name      Current Value        Req  Description
    --------  -------------        ---  -----------
    FILENAME  ./data/results.html  yes  path and filename for report output
    SANITIZE  True                 yes  mask sensitive data in the report

recon-ng [html_report] > set FILENAME /root/Desktop/result.html
FILENAME => /root/Desktop/result.html
recon-ng [html_report] > run
[*] Report generated at '/root/Desktop/result.html'.

我们打开result.html,可以看到收集到的以下信息

 遗憾的是该模块使用的是http://www.jigsaw.com/网站中的信息,而国内网站基本没有收入进来,所以不适合做国内网站渗透信息收集。其实绝大多数好用的开源的被动的信息收集工具(passive reconnaissance)使用的信息源都不适合国内网站渗透信息收集,但可以参考这个思路,做一个国内版的。


(3)查看apache server-status页面是否可以访问

server-status页面会显示apache服务器的重要信息,如下图所示

 

recon-ng > use discovery/info_disclosure/http/server_status
recon-ng [server_status] > info

  Name:
    Apache Server-Status Page Scanner

  Author:
    Tim Tomes (@LaNMaSteR53)

  Description:
    Checks hosts for a 'server-status' page.

  Options:

    Name     Current Value  Req  Description
    -------  -------------  ---  -----------
    SOURCE   db             yes  source of module input
    VERBOSE  True           yes  verbose output

  Comments:
    Source options: [ db | <hostname> | ./path/to/file | query <sql> ]
    http://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html
    http://httpd.apache.org/docs/2.2/mod/mod_status.html
    Google dork: intitle:"Apache Status" inurl:"server-status"

recon-ng [server_status] > set SOURCE apache.org
SOURCE => apache.org
recon-ng [server_status] > run

recon-ng [server_status] > run
[*] http://apache.org/server-status/ => 200. Possible Apache Status page found!
[*] https://apache.org/server-status/ => 200. Possible Apache Status page found!
[*] 2 Server Status pages found.


(4) 域名信息收集

recon-ng > use recon/hosts/gather/http/yahoo

recon-ng [yahoo] > set DOMAIN qq.com
DOMAIN => qq.com
recon-ng [yahoo] > run

需要花费一段时间运行,可以使用ctrl+c终止查询,搜索结果同样可以采用html或csv的格式导出来,方法见  (2)公司职员信息收集

recon-ng [yahoo] > back
recon-ng > use reporting/html_report
recon-ng [html_report] > set FILENAME /Users/dani/Desktop/result_yahoo.html
FILENAME => /Users/dani/Desktop/result_yahoo.html

类似的域名搜索模块还有

recon/hosts/gather/http/netcraft

recon/hosts/gather/http/baidu

recon/hosts/gather/http/bing

recon/hosts/gather/http/google


(5)服务器指纹

recon-ng > use recon/hosts/enum/http/server_enum
recon-ng [server_enum] > set host apache.org
HOST => apache.org
recon-ng [server_enum] > run
----------------------START-----------------------
[*] ORIG_URL: http://apache.org
[*] DEST_URL: http://apache.org
---------------------HEADERS----------------------
[*] CONTENT-LENGTH: 36028
[*] ACCEPT-RANGES: bytes
[*] EXPIRES: Tue, 19 Feb 2013 16:49:39 GMT
[*] VARY: Accept-Encoding
[*] SERVER: Apache/2.4.3 (Unix) OpenSSL/1.0.0g
[*] LAST-MODIFIED: Tue, 19 Feb 2013 15:10:23 GMT
[*] CONNECTION: close
[*] ETAG: "8cbc-4d6153d9bb79e"
[*] CACHE-CONTROL: max-age=3600
[*] DATE: Tue, 19 Feb 2013 15:49:39 GMT
[*] CONTENT-TYPE: text/html; charset=utf-8
---------------------COOKIES----------------------
--------------------META TAGS---------------------
-----------------------END------------------------

  +------------------------------------------------------+
  | SERVER | Apache/2.4.3 (Unix) OpenSSL/1.0.0g | Apache |
  | ERROR  | 404 (/jxahqyevew.nsa)              | Apache |
  +------------------------------------------------------+

(6) 查找robots.txt

详细的robots.txt会暴露敏感路径

recon-ng > use discovery/info_disclosure/http/robots

recon-ng [robots] > set SOURCE bus.61.com
SOURCE => bus.61.com
recon-ng [robots] > run
[*] http://bus.61.com/robots.txt => 200. robots.txt found!
[*] http://bus.61.com/sitemap.xml => 404
[*] http://bus.61.com/sitemap.xml.gz => 403
[*] https://bus.61.com/robots.txt => Error
[*] https://bus.61.com/sitemap.xml => Error
[*] https://bus.61.com/sitemap.xml.gz => Error
[*] 1 files found.


参考资料:

https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Home

http://resources.infosecinstitute.com/awesome-modules-of-recon-ng-used-for-web-recon-testing/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+infosecResources+(InfoSec+Resources)

http://resources.infosecinstitute.com/awesome-modules-of-recon-ng-used-for-web-recon-testing/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+infosecResources+(InfoSec+Resources)

来源:碳基体

评论

热度(2)

  1. test碳基体 转载了此文字