简单的流程化信息收集脚本
import osimport fnmatchimport socketimport shutildef checkcdn(host): ip_list=[] try: addrs = socket.getaddrinfo(host, None) for item in addrs: if item[4][0] not in ip_list: ip_list.append(item[4][0]) count_ip = len(ip_list) if count_ip > 1: return False elif count_ip == 1: return ip_list[0] else: return False except Exception as e: return False# 打印错误print("by k1115h0t")print("根域名放置在domians.txt中")print("当前文件夹下放置httpx")os.system('subfinder/subfinder -dL domains.txt -all -o subfinder_subdomains.txt')os.system('python3 oneforall/oneforall.py --targets domains.txt run')oneforall_result=''for f_name in os.listdir('oneforall/results'): if fnmatch.fnmatch(f_name, 'all*.txt'): oneforall_result='oneforall/results/'+f_name# 读取第一个文本文件with open(oneforall_result, 'r') as file1: content1 = file1.readlines()# 读取第二个文本文件with open('subfinder_subdomains.txt', 'r') as file2: content2 = file2.readlines()# 合并两个文本文件merged_content = content1 + content2# 去重unique_content = list(set(merged_content))# 将去重后的内容写入新的文本文件with open('subdomains.txt', 'w') as merged_file: merged_file.writelines(unique_content)print("================================================")print("================================================")print("================================================")print("子域名已经全部扫描完成,子域名结果存储在 subdomains.txt")print("开始识别CDN")print("================================================")print("================================================")print("================================================")if os.path.exists('oneforall/results'): shutil.rmtree(r'oneforall/results')os.remove('subfinder_subdomains.txt')f1=open(file='subdomains.txt',mode='r',encoding='utf-8')f2=open(file='cdn.txt',mode='a',encoding='utf-8')f3=open(file='nocdn.txt',mode='a',encoding='utf-8')f4=open(file='nocdn_ip.txt',mode='a',encoding='utf-8')l1=[]num=1for i in f1.readlines(): newi=i.strip('\n') result=checkcdn(newi) # print(num) num=num+1 if result!=False: f3.write(i) if result not in l1: l1.append(result) else: f2.write(i)for j in l1: f4.write(j+'\n')f1.close()f2.close()f3.close()f4.close()print("================================================")print("================================================")print("================================================")print("cdn识别完成,结果存储在 cdn.txt nocdn.txt nocdn_ip.txt")print("开始调用httpx")print("================================================")print("================================================")print("================================================")os.system('./httpx -l cdn.txt -sc -cl -title -o cdn_httpx.txt')os.system('./httpx -l nocdn.txt -sc -cl -title -o nocdn_httpx.txt')print("================================================")print("================================================")print("================================================")print("httpx识别完成,结果存储在 cdn_httpx.txt nocdn_httpx.txt")print("开始调用rustscan")print("================================================")print("================================================")print("================================================")os.system("rustscan -a nocdn_ip.txt -r 1-65535 -- -sC -Pn -n -sV >> rustscan_nocdn.txt")
使用时需要新建一个domains.txt用于存放根域名(baidu.com)脚本的流程
- 调用 subfinder 和 oneforall进行子域名扫描
生成 subdomains.txt 存储所有的子域名
- 对子域名结果进行分析去重,并识别cdn
生成 cdn.txt nocdn.txt nocdn_ip.txt
使用httpx进行扫描
生成 cdn_httpx.txt nocdn_httpx.txt
使用rustscan对无cdn的ip进行端口扫描
生成 rustscan_nocdn.txt
目录下面工具的放置在第二次使用的时候,需要先手动删除所有txt文件
rm *.txt
目录结构:
├── cdn_httpx.txt 有cdn的域名的httpx 结果├── cdn.txt 没有cdn的域名├── domains.txt 要进行信息收集的根域名├── httpxhttpx二进制文件├── nocdn_httpx.txt 无cdn的域名的httpx 结果├── nocdn_ip.txt无cdn域名解析出的ip├── nocdn.txt├── oneforall├── rustscan_nocdn.txt├── start.py├── subdomains.txt└── subfinder
工具链接
工具链接:https://github.com/shmilylty/OneForAllhttps://github.com/projectdiscovery/subfinderhttps://github.com/projectdiscovery/httpxhttps://github.com/RustScan/RustScan