简单的流程化信息收集
脚本
import os
import fnmatch
import socket
import shutil
def checkcdn(host):
ip_list=[]
try:
addrs = socket.getaddrinfo(host, None)
for item in addrs:
if item[4][0] not in ip_list:
ip_list.append(item[4][0])
count_ip = len(ip_list)
if count_ip > 1:
return False
elif count_ip == 1:
return ip_list[0]
else:
return False
except Exception as e:
return False# 打印错误
print("by k1115h0t")
print("根域名放置在domians.txt中")
print("当前文件夹下放置httpx")
os.system('subfinder/subfinder -dL domains.txt -all -o subfinder_subdomains.txt')
os.system('python3 oneforall/oneforall.py --targets domains.txt run')
oneforall_result=''
for f_name in os.listdir('oneforall/results'):
if fnmatch.fnmatch(f_name, 'all*.txt'):
oneforall_result='oneforall/results/'+f_name
# 读取第一个文本文件
with open(oneforall_result, 'r') as file1:
content1 = file1.readlines()
# 读取第二个文本文件
with open('subfinder_subdomains.txt', 'r') as file2:
content2 = file2.readlines()
# 合并两个文本文件
merged_content = content1 + content2
# 去重
unique_content = list(set(merged_content))
# 将去重后的内容写入新的文本文件
with open('subdomains.txt', 'w') as merged_file:
merged_file.writelines(unique_content)
print("================================================")
print("================================================")
print("================================================")
print("子域名已经全部扫描完成,子域名结果存储在 subdomains.txt")
print("开始识别CDN")
print("================================================")
print("================================================")
print("================================================")
if os.path.exists('oneforall/results'):
shutil.rmtree(r'oneforall/results')
os.remove('subfinder_subdomains.txt')
f1=open(file='subdomains.txt',mode='r',encoding='utf-8')
f2=open(file='cdn.txt',mode='a',encoding='utf-8')
f3=open(file='nocdn.txt',mode='a',encoding='utf-8')
f4=open(file='nocdn_ip.txt',mode='a',encoding='utf-8')
l1=[]
num=1
for i in f1.readlines():
newi=i.strip('\n')
result=checkcdn(newi)
# print(num)
num=num+1
if result!=False:
f3.write(i)
if result not in l1:
l1.append(result)
else:
f2.write(i)
for j in l1:
f4.write(j+'\n')
f1.close()
f2.close()
f3.close()
f4.close()
print("================================================")
print("================================================")
print("================================================")
print("cdn识别完成,结果存储在 cdn.txt nocdn.txt nocdn_ip.txt")
print("开始调用httpx")
print("================================================")
print("================================================")
print("================================================")
os.system('./httpx -l cdn.txt -sc -cl -title -o cdn_httpx.txt')
os.system('./httpx -l nocdn.txt -sc -cl -title -o nocdn_httpx.txt')
print("================================================")
print("================================================")
print("================================================")
print("httpx识别完成,结果存储在 cdn_httpx.txt nocdn_httpx.txt")
print("开始调用rustscan")
print("================================================")
print("================================================")
print("================================================")
os.system("rustscan -a nocdn_ip.txt -r 1-65535 -- -sC -Pn -n -sV >> rustscan_nocdn.txt")
使用时需要新建一个domains.txt用于存放根域名(baidu.com)
脚本的流程
-
调用 subfinder 和 oneforall进行子域名扫描
生成 subdomains.txt 存储所有的子域名 -
对子域名结果进行分析去重,并识别cdn
生成 cdn.txt nocdn.txt nocdn_ip.txt -
使用httpx进行扫描
生成 cdn_httpx.txt nocdn_httpx.txt -
使用rustscan对无cdn的ip进行端口扫描
生成 rustscan_nocdn.txt
目录下面工具的放置
在第二次使用的时候,需要先手动删除所有txt文件
rm *.txt
目录结构:
├── cdn_httpx.txt 有cdn的域名的httpx 结果
├── cdn.txt 没有cdn的域名
├── domains.txt 要进行信息收集的根域名
├── httpx httpx二进制文件
├── nocdn_httpx.txt 无cdn的域名的httpx 结果
├── nocdn_ip.txt 无cdn域名解析出的ip
├── nocdn.txt
├── oneforall
├── rustscan_nocdn.txt
├── start.py
├── subdomains.txt
└── subfinder
工具链接
工具链接:
https://github.com/shmilylty/OneForAll
https://github.com/projectdiscovery/subfinder
https://github.com/projectdiscovery/httpx
https://github.com/RustScan/RustScan