常用信息收集网址
Whois信息
站长之家: http://whois.chinaz.com
Bugscaner: http://whois.bugscaner.com
国外在线: https://bgp.he.net
根域名
小蓝本: https://www.xiaolanben.com/pc
天眼查: https://www.tianyancha.com
爱企查: https://aiqicha.baidu.com
子域名
Amass: https://github.com/OWASP/Amass
Subfinder: https://github.com/projectdiscovery/subfinder
OneForAll: https://github.com/shmilylty/OneForAll
ksubdomain: https://github.com/knownsec/ksubdomain
subDomainsBrute: https://github.com/lijiejie/subDomainsBrute
Sonar: https://omnisint.io/
查子域: https://chaziyu.com/ (在线)
旁站
在线: http://stool.chinaz.com/same
真实ip
全球ping: https://www.wepcc.com
dns检测: https://tools.ipip.net/dns.php
Xcdn: https://github.com/3xp10it/xcdn
端口+C段
Nmap: https://nmap.org
Fscan: https://github.com/shadow1ng/fscan
Txportmap:https://github.com/4dogs-cn/TXPortMap
Masscan: https://github.com/robertdavidgraham/masscan
敏感信息
Googlehack语法
后台地址
site:xxx.com intitle:管理|后台|登陆|管理员|系统|内部
site:xxx.com inurl:login|admin|system|guanli|denglu|manage|admin_login|auth|dev
敏感文件
site:xxx.com (filetype:doc OR filetype:ppt OR filetype:pps OR filetype:xls OR filetype:docx OR filetype:pptx OR filetype:ppsx OR filetype:xlsx OR filetype:odt OR filetype:ods OR filetype:odg OR filetype:odp OR filetype:pdf OR filetype:wpd OR filetype:svg OR filetype:svgz OR filetype:indd OR filetype:rdp OR filetype:sql OR filetype:xml OR filetype:db OR filetype:mdb OR filetype:sqlite OR filetype:log OR filetype:conf)
测试环境
site:xxx.com inurl:test|ceshi
site:xxx.com intitle:测试
邮箱
site:xxx.com (intitle:"Outlook Web App" OR intitle:"邮件" OR inurl:"email" OR inurl:"webmail")
其他
site:xxx.com inurl:api|uid=|id=|userid=|token|session
site:xxx.com intitle:index.of "server at"
Github
@xxx.com password/secret/credentials/token/config/pass/login/ftp/ssh/pwd
@xxx.com security_credentials/connetionstring/JDBC/ssh2_auth_password/send_keys
网盘引擎
超能搜: https://www.chaonengsou.com
空间引擎搜索
FOFA: https://fofa.so
Quake: https://quake.360.cn/quake/#/index
Hunter: https://hunter.qianxin.com
Shadon: https://www.shodan.io
ZoomEye: https://www.zoomeye.org
历史漏洞
乌云镜像: https://wooyun.x10sec.org
Seebug: https://www.seebug.org
Exploit Database: https://www.exploit-db.com
Vulners: https://vulners.com
Sploitus: https://sploitus.com
APP
小蓝本: https://www.xiaolanben.com/pc
AppStore: https://www.apple.com/app-store
公众号
微信直接搜索
小程序
微信直接搜索
小蓝本: https://www.xiaolanben.com/pc
信息深度收集:
指纹识别
火狐插件: Wappalyzer
EHole: https://github.com/EdgeSecurityTeam/EHole
TideFinger: https://github.com/TideSec/TideFinger
ObserverWard:https://github.com/0x727/ObserverWard_0x727
Title识别
HTTPX: https://github.com/projectdiscovery/httpx
WebBatchRequest: https://github.com/ScriptKid-Beta/WebBatchRequest
Bscan: https://github.com/broken5/bscan
目录扫描
Dirsearch: https://github.com/maurosoria/dirsearch
Dirmap: https://github.com/H4ckForJob/dirmap
JS接口
JSFinder: https://github.com/Threezh1/JSFinder
URLFinder: https://github.com/pingc0y/URLFinder
LinkFinder: https://github.com/GerbenJavado/LinkFinder
Packer-Fuzzer: https://github.com/rtcatc/Packer-Fuzzer (webpack)
搜索关键接口
config/api
method:"get"
http.get("
method:"post"
http.post("
$.ajax
service.httppost
service.httpget
WAF识别
WhatWaf: https://github.com/Ekultek/WhatWaf
wafw00f: https://github.com/EnableSecurity/wafw00f
信息收集平台
ARL: https://github.com/TophantTechnology/ARL
ARL-plus: https://github.com/ki9mu/ARL-plus-docker
ShuiZe: https://github.com/0x727/ShuiZe_0x727
BBOT: https://github.com/blacklanternsecurity/bbot
漏洞扫描工具
Goby: https://gobies.org
Xray: https://github.com/chaitin/xray
afrog: https://github.com/zan8in/afrog
Nuclei: https://github.com/projectdiscovery/nuclei
当前主机信息搜集
常用信息搜集
whoami # 查看当前用户
net user # 查看所有用户
query user # 查看当前在线用户
ipconfig /all # 查看当前主机的主机名/IP/DNS等信息
route print # 查看路由表信息
netstat -ano # 查看端口开放情况
arp -a # 查看arp解析情况
tasklist /svc # 查看进程及对应服务名
net localgroup administrators # 查看管理员组成员
systeminfo # 查看系统信息含补丁信息
net use # 查看ipc连接情况
net view # 查看匿名共享情况
netsh firewall show state # 查看防火墙状态
cmdkey /l# 查看当前保存的登录凭证
密码搜集
netsh wlan show profiles # 查看连接过的wifi名称
netsh wlan show profile name="wifi名称" key=clear # 查看wifi的密码
dir /a %userprofile%\AppData\Local\Microsoft\Credentials* # 查看RDP连接凭证
dir /a /s /b "网站目录\*config*" > 1.txt # 数据库配置文件
laZagne.exe all -oN # 本地wifi/浏览器等密码
dir %APPDATA%\Microsoft\Windows\Recent # 查看最近打开的文档
连通性
ping www.baidu.com # ICMP连通性
nslookup www.baidu.com # DNS连通性
curl https://www.baidu.com # http连通性
nc ip port # TCP连通性
域信息搜集
常用信息搜集
net config workstation #查看当前登录域
net user /domain # 获得所有域用户列表
net view /domain # 查看所有的域
net view /domain:XXX # 查看该域内所有主机
net group /domain # 查看所有域用户组列表
net group "domain computers" /domain # 查看域内所有的主机名
net group "domain admins" /domain # 查看所有域管理员
net group "domain controllers" /domain # 查看所有域控制器
net group "enterprise admins" /domain # 查看所有企业管理员
nltest /domain_trusts # 获取域信任信息
net time /domain # 查看当前登录域
net accounts /domain # 查看域密码策略
dsquery server # 寻找目录中的域控制器
netdom query pdc # 查看域控制器主机名
wmic useraccount get /all #获取域内用户的详细信息
环境信息搜集
nbtscan.exe xx.xx.xx.xx/24 # 查看c段机器
csvde.exe -f 1.csv -k # 批量导入/导出AD用户
setspn.exe -T xx.xx.xx.xx -Q / # 查看当前域内所有spn
密码搜集
dir /s /a \域控IP\SYSVOL*.xml # 获取域里面所有机子的本地管理员账号密码