本文最后更新于 420 天前,其中的信息可能已经有所发展或是发生改变。
:::info
💘渗透全流程:
信息👣收集 – 漏洞发现 – 漏洞利用 – 权限提升 – 隧道搭建 – 内网渗透 – 横向移动 – 后渗透
:::
子域名挖掘
思路分析:
完整的域名,由协议、子域名、顶级域名组成
实现步骤:
- 指定顶级域名
- 整理子域名字典,遍历子域名
- 识别返回包
V1.0
基本功能实现
#! usr/bin/env python3
'''
1. 打开 subdomain 字典
2. 构造子域名,发起请求
'''
import requests
def domain_scan(domain_name, sub_domains):
for sub in sub_domains:
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'
}
url = f'https://{sub}.{domain_name}'
try:
requests.get(url, headers=headers)
print(f'[*]{url}')
except requests.ConnectionError:
print(f'[-]connection error')
if __name__ == '__main__':
# 输入 domain
domain_name = input('please input the domain name:')
# 读取子域名字典
with open('./submain.txt', 'r') as file:
sub_name = file.read()
sub_domains = sub_name.splitlines()
# print('total:{}'.format(len(sub_domain)))
# 子域名扫描
domain_scan(domain_name, sub_domains)
V2.0
加入代理配置
#! usr/bin/env python3
'''
1. 打开 subdomain 字典
2. 构造子域名,发起请求
'''
import requests
def domain_scan(domain_name, sub_domains):
for sub in sub_domains:
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'
}
# 隧道域名:端口号
tunnel = "e163.kdltps.com:15818"
# 用户名密码方式
username = "t19881668198359"
password = "p5832qec"
proxies = {
"http": "http://%(user)s:%(pwd)s@%(proxy)s/" % {"user": username, "pwd": password, "proxy": tunnel},
"https": "http://%(user)s:%(pwd)s@%(proxy)s/" % {"user": username, "pwd": password, "proxy": tunnel}
}
url = f'https://{sub}.{domain_name}'
try:
requests.get(url, headers=headers, proxies=proxies)
print(f'[*]{url}')
except requests.ConnectionError:
print(f'[-]connection error')
if __name__ == '__main__':
# 输入 domain
domain_name = input('please input the domain name:')
# 读取子域名字典
with open('./submain.txt', 'r') as file:
sub_name = file.read()
sub_domains = sub_name.splitlines()
# print('total:{}'.format(len(sub_domain)))
# 子域名扫描
domain_scan(domain_name, sub_domains)
