Web penetration reconnaissance and information-gathering tool: Recon-ng
Recon-ng official documentation
I. Installation
1. Install the dependencies dnspython, httplib2 and python-oauth2
sudo pip install dnspython   (easy_install works as well)
sudo pip install httplib2
git clone https://github.com/synedra/python-oauth2.git
cd python-oauth2/
sudo python setup.py install
2. Install recon-ng
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
3. Run it
cd recon-ng/
./recon-ng.py
II. Usage
Its workflow is very similar to MSF, so here is a quick refresher on the basic msfconsole sequence:
Step 1: search <name> to find the module
Step 2: use <name> to load the module
Step 3: info to view the module's information
Step 4: show payloads to list the payloads the module can use (not needed for scanner modules)
Step 5: set payload <payload>
Step 6: show targets to list the target OS types the payload supports (not needed for scanner modules)
Step 7: set TARGET <num> to select the target type
Step 8: show options to list the options that need to be set
show advanced lists all advanced options
Step 9: set <name> <value> to set an option
Step 10: exploit (use run for scanner modules)
Step 11: sessions -l -v to list all available interactive sessions with their details
1. Module overview
Before using the tool it is worth going over the usual phases of information gathering, since they determine how the tool is used. Information gathering has three phases: reconnaissance, discovery and reporting, and these correspond to the tool's three module groups:
recon-ng > show modules
(1) Reconnaissance
Passive information gathering (passive reconnaissance), e.g. collecting sensitive information about the target with search-engine techniques (Google hacking). Nothing is sent to the target itself.
(2) Discovery
Active information gathering (active reconnaissance), e.g. sending HTTP requests to fingerprint a web service. These requests reach the target and will show up in its logs.
(3) Reporting
Recon-ng produces reports in two formats, HTML and CSV.
2. Module usage examples
(1) Web application fingerprinting
Step 1: search for the module
recon-ng > search whatweb
[*] Searching for 'whatweb'
Recon:
-------------------------------
recon/hosts/enum/http/whatweb
Step 2: load the module
recon-ng > use recon/hosts/enum/http/whatweb
Step 3: view the module information
recon-ng [whatweb] > info

     Name: WhatWeb Web Technologies scan
   Author: thrapt (thrapt@gmail.com) and Tim Tomes (@LaNMaSteR53)
Description:
  Leverages WhatWeb.net to recognise web technologies being used.

Options:
  Name     Current Value  Req  Description
  -------  -------------  ---  -----------
  SOURCE   db             yes  source of module input
  VERBOSE  True           yes  verbose output

Comments:
  Source options: [ db | <hostname> | ./path/to/file | query <sql> ]

Step 4: set the options and run the module
recon-ng [whatweb] > set SOURCE resources.infosecinstitute.com
SOURCE => resources.infosecinstitute.com
recon-ng [whatweb] > run
Note: if you get the error [!] <urlopen error timed out>, raise the global SOCKET_TIMEOUT option. Global options are set from the top-level prompt (use back to leave the module first):
recon-ng [whatweb] > back
recon-ng > show options

  Name            Current Value                                                      Req  Description
  --------------  -----------------------------------------------------------------  ---  -----------
  COMPANY                                                                            no   target company name
  DB_FILE         ./data/data.db                                                     yes  path to main database file
  DOMAIN                                                                             no   target domain
  KEY_FILE        ./data/keys.db                                                     yes  path to API key database file
  PROXY           False                                                              yes  proxy all requests
  PROXY_SERVER    127.0.0.1:8080                                                     yes  proxy server
  REC_FILE        ./data/cmd.rc                                                      yes  path to resource file for 'record'
  SOCKET_TIMEOUT  10                                                                 yes  socket timeout in seconds
  USER-AGENT      Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)  yes  user-agent string
  VERBOSE         True                                                               yes  verbose output

recon-ng > set SOCKET_TIMEOUT 20
SOCKET_TIMEOUT => 20
recon-ng > use recon/hosts/enum/http/whatweb
recon-ng [whatweb] > set SOURCE resources.infosecinstitute.com
SOURCE => resources.infosecinstitute.com
recon-ng [whatweb] > run
The scan results are shown in the figure below.
(2) Gathering company employee information
recon-ng > use recon/contacts/gather/http/jigsaw
recon-ng [jigsaw] > info

     Name: Jigsaw Contact Enumerator
   Author: Tim Tomes (@LaNMaSteR53)
Description:
  Harvests contacts from Jigsaw.com. This module updates the 'contacts' table of the database with the results.

Options:
  Name      Current Value  Req  Description
  --------  -------------  ---  -----------
  COMPANY                  yes  target company name
  KEYWORDS                 no   additional keywords to identify company
  VERBOSE   True           yes  verbose output

recon-ng [jigsaw] > set COMPANY google.com
recon-ng [jigsaw] > run
This module searches https://www.jigsaw.com/ to collect the company's organisational information. It takes a while to run; you can stop it with Ctrl+C. The results can be exported as follows:
recon-ng > use reporting/html_report
recon-ng [html_report] > info

     Name: HTML Report Generator
   Author: Tim Tomes (@LaNMaSteR53)
Description:
  Creates a HTML report.

Options:
  Name      Current Value        Req  Description
  --------  -------------------  ---  -----------
  FILENAME  ./data/results.html  yes  path and filename for report output
  SANITIZE  True                 yes  mask sensitive data in the report

recon-ng [html_report] > set FILENAME /root/Desktop/result.html
FILENAME => /root/Desktop/result.html
recon-ng [html_report] > run
[*] Report generated at '/root/Desktop/result.html'.
Opening result.html shows the information that was collected.
Unfortunately this module draws on https://www.jigsaw.com/, which has almost no coverage of Chinese companies, so it is not well suited to reconnaissance against domestic targets. In fact, the data sources used by most of the good open-source passive reconnaissance tools are not suitable for Chinese targets, but the approach can be borrowed to build a domestic equivalent.
(3) Checking whether the Apache server-status page is accessible
The server-status page exposes important information about the Apache server (worker state, client addresses and the URLs currently being requested), as shown in the figure below.
recon-ng > use discovery/info_disclosure/http/server_status
recon-ng [server_status] > info

     Name: Apache Server-Status Page Scanner
   Author: Tim Tomes (@LaNMaSteR53)
Description:
  Checks hosts for a 'server-status' page.

Options:
  Name     Current Value  Req  Description
  -------  -------------  ---  -----------
  SOURCE   db             yes  source of module input
  VERBOSE  True           yes  verbose output

Comments:
  Source options: [ db | <hostname> | ./path/to/file | query <sql> ]
  https://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html
  https://httpd.apache.org/docs/2.2/mod/mod_status.html
  Google dork: intitle:"Apache Status" inurl:"server-status"

recon-ng [server_status] > set SOURCE apache.org
SOURCE => apache.org
recon-ng [server_status] > run
[*] https://apache.org/server-status/ => 200. Possible Apache Status page found!
[*] https://apache.org/server-status/ => 200. Possible Apache Status page found!
[*] 2 Server Status pages found.
A 200 response only marks a page as a possible status page; confirm it by looking at the body (a real mod_status page is titled "Apache Status"), because hosts that answer 200 for every path produce false positives.
(4) Domain information gathering
recon-ng > use recon/hosts/gather/http/yahoo
recon-ng [yahoo] > set DOMAIN qq.com
DOMAIN => qq.com
recon-ng [yahoo] > run
This takes a while to run; you can stop it with Ctrl+C. The results can again be exported as HTML or CSV, as described under (2) Gathering company employee information:
recon-ng [yahoo] > back
recon-ng > use reporting/html_report
recon-ng [html_report] > set FILENAME /Users/dani/Desktop/result_yahoo.html
FILENAME => /Users/dani/Desktop/result_yahoo.html
Other modules in the same group gather hosts from other search engines and from Netcraft, and are used the same way:
recon/hosts/gather/http/netcraft
recon/hosts/gather/http/baidu
recon/hosts/gather/http/bing
recon/hosts/gather/http/google
(5) Server fingerprinting
recon-ng > use recon/hosts/enum/http/server_enum
recon-ng [server_enum] > set HOST apache.org
HOST => apache.org
recon-ng [server_enum] > run
----------------------START-----------------------
[*] ORIG_URL: https://apache.org
[*] DEST_URL: https://apache.org
---------------------HEADERS----------------------
[*] CONTENT-LENGTH: 36028
[*] ACCEPT-RANGES: bytes
[*] EXPIRES: Tue, 19 Feb 2013 16:49:39 GMT
[*] VARY: Accept-Encoding
[*] SERVER: Apache/2.4.3 (Unix) OpenSSL/1.0.0g
[*] LAST-MODIFIED: Tue, 19 Feb 2013 15:10:23 GMT
[*] CONNECTION: close
[*] ETAG: "8cbc-4d6153d9bb79e"
[*] CACHE-CONTROL: max-age=3600
[*] DATE: Tue, 19 Feb 2013 15:49:39 GMT
[*] CONTENT-TYPE: text/html; charset=utf-8
---------------------COOKIES----------------------
--------------------META TAGS---------------------
-----------------------END------------------------
+------------------------------------------------------+
| SERVER | Apache/2.4.3 (Unix) OpenSSL/1.0.0g | Apache |
| ERROR  | 404 (/jxahqyevew.nsa)              | Apache |
+------------------------------------------------------+
Besides reading the Server header, the module requests a random non-existent path (/jxahqyevew.nsa here) and fingerprints the server from the 404 error page it gets back, so the verdict does not rest on the self-reported header alone.
(6) Finding robots.txt
A detailed robots.txt exposes sensitive paths.
recon-ng > use discovery/info_disclosure/http/robots
recon-ng [robots] > set SOURCE bus.61.com
SOURCE => bus.61.com
recon-ng [robots] > run
[*] https://bus.61.com/robots.txt => 200. robots.txt found!
[*] https://bus.61.com/sitemap.xml => 404
[*] https://bus.61.com/sitemap.xml.gz => 403
[*] https://bus.61.com/robots.txt => Error
[*] https://bus.61.com/sitemap.xml => Error
[*] https://bus.61.com/sitemap.xml.gz => Error
[*] 1 files found.
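The three HTTP checks above, (3) server-status, (5) server fingerprinting and (6) robots.txt, all boil down to parsing an HTTP response and looking for a few markers. The following Python is an added example, not code from this page or from recon-ng: it reimplements the three checks offline over constructed sample responses (no real host was queried; the hostnames, the 404 path borrowed from the output above, and the robots.txt content are made up). The mod_status markers, the error-page signatures and the "sensitive path" word list are heuristics assumed here, not recon-ng's own. It also goes one step beyond the tool's output by comparing the Server header with the error-page verdict, which flags a reverse proxy or a rewritten header.

```python
"""Offline versions of three recon-ng HTTP info-disclosure checks.

Added example, not recon-ng code. Every response below is a constructed
sample so the script runs without network access.
"""
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict   # header names lower-cased
    body: str


def parse_http_response(raw: bytes) -> Response:
    """Split a raw HTTP/1.x response into status code, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 404 Not Found"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body.decode("utf-8", "replace"))


# (3) server-status: a bare 200 is only "possible", so verify the body.
STATUS_MARKERS = ("<title>Apache Status</title>", "Apache Server Status for")  # assumed markers


def is_apache_status_page(resp: Response) -> bool:
    """True only for a 200 whose body carries mod_status markers."""
    return resp.status == 200 and any(m in resp.body for m in STATUS_MARKERS)


# (5) fingerprint: Server header plus the 404 page for a random path.
ERROR_SIGNATURES = [  # assumed heuristics, not an exhaustive signature table
    (re.compile(r"<address>Apache|was not found on this server", re.I), "Apache"),
    (re.compile(r"<center>nginx", re.I), "nginx"),
    (re.compile(r"Microsoft-IIS|IIS Web Core", re.I), "IIS"),
]


def fingerprint_server(root: Response, missing: Response) -> dict:
    """Compare what the Server header claims with what the error page looks like."""
    server = root.headers.get("server", "")
    error_product = "unknown"
    for pattern, name in ERROR_SIGNATURES:
        if pattern.search(missing.body):
            error_product = name
            break
    return {
        "server_header": server,
        "error_page_product": error_product,
        # a mismatch hints at a reverse proxy or a rewritten Server header
        "consistent": error_product != "unknown" and error_product.lower() in server.lower(),
    }


# (6) robots.txt: Disallow entries list paths the owner would rather keep quiet.
SENSITIVE_PATH = re.compile(r"admin|backup|\.bak|\.git|\.svn|config|private|upload|phpmyadmin", re.I)


def parse_robots(body: str) -> list:
    """Return Disallow paths in order, ignoring comments, blank rules and duplicates."""
    paths = []
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if path and path not in paths:                # "Disallow:" alone allows everything
            paths.append(path)
    return paths


def sensitive_paths(paths: list) -> list:
    """Subset of paths whose names suggest admin, backup or VCS material."""
    return [p for p in paths if SENSITIVE_PATH.search(p)]


# Constructed sample responses (not captured from any real host).
STATUS_RAW = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.3 (Unix)\r\nContent-Type: text/html\r\n\r\n"
              b"<html><head><title>Apache Status</title></head>"
              b"<body><h1>Apache Server Status for example.test</h1></body></html>")
ROOT_RAW = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.3 (Unix) OpenSSL/1.0.0g\r\n"
            b"Content-Type: text/html\r\n\r\n<html><body>home</body></html>")
NOTFOUND_RAW = (b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.3 (Unix) OpenSSL/1.0.0g\r\n"
                b"Content-Type: text/html\r\n\r\n<html><head><title>404 Not Found</title></head>"
                b"<body><p>The requested URL /jxahqyevew.nsa was not found on this server.</p>"
                b"<address>Apache/2.4.3 (Unix) Server at example.test Port 80</address></body></html>")
PROXIED_404_RAW = (b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.3 (Unix)\r\n"
                   b"Content-Type: text/html\r\n\r\n<html><body><h1>404 Not Found</h1>"
                   b"<hr><center>nginx/1.18.0</center></body></html>")
ROBOTS_RAW = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
              b"User-agent: *\r\nDisallow: /admin/\r\nDisallow: /backup/  # old dumps\r\n"
              b"Disallow:\r\nDisallow: /images/\r\nDisallow: /admin/\r\n")


def run_checks() -> dict:
    """Run all three checks over the samples and return the findings."""
    robots = parse_robots(parse_http_response(ROBOTS_RAW).body)
    return {
        "status_page": is_apache_status_page(parse_http_response(STATUS_RAW)),
        "origin": fingerprint_server(parse_http_response(ROOT_RAW), parse_http_response(NOTFOUND_RAW)),
        "proxied": fingerprint_server(parse_http_response(ROOT_RAW), parse_http_response(PROXIED_404_RAW)),
        "robots": robots,
        "robots_sensitive": sensitive_paths(robots),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Against the samples, the status page is confirmed from its body rather than its 200 code, the origin pair agrees (Apache header, Apache-style 404), the proxied pair disagrees (Apache header, nginx error page) and is flagged, and robots.txt yields /admin/ and /backup/ as paths worth a closer look while /images/ is ignored.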
References:
https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Home
https://resources.infosecinstitute.com/awesome-modules-of-recon-ng-used-for-web-recon-testing/