
脚本工具集

闲的蛋疼的时候写点脚本，辅助测试吧，说白了还是懒。

0x01 信息搜集

这个需要本地安装 nmap 可执行文件并安装 python-nmap 库（`pip install python-nmap`，脚本里 `import nmap` 用的就是它）。脚本默认用 `-O` 做操作系统探测，这在 nmap 中需要 root/管理员权限，否则 `osmatch` 为空、系统名一直是空字符串。另外只对自己有授权测试的域名使用。

# -*- coding: utf-8 -*-
# @Time : 2018/4/16 13:28
# @Author : ha1g0
# @Site : http://whc.dropsec.xyz
# @File : gathering.py
import os
import argparse
import requests
import re
import nmap
import threading
import socket
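# Scrape the host names shown on ONE Baidu search-results page.
def craw(url, session=None):
    """Fetch one Baidu results page and return the host names it lists.

    Args:
        url: full URL of a Baidu ``/s?wd=site:...`` results page.
        session: optional object exposing a ``requests``-style
            ``get(url, headers=..., timeout=...)`` returning an object with
            ``.text``; defaults to the ``requests`` module. Lets a caller pass
            a pre-configured ``requests.Session`` (proxy, cookies) or a stub.

    Returns:
        list[str]: every capture of the result-link pattern, in page order,
        with NBSP characters and ``&nbsp;`` entities removed and surrounding
        whitespace stripped. Duplicates are kept; ``craw_all`` de-duplicates.

    Raises:
        requests.RequestException: on a network error or when the 10 s timeout
        elapses (the original had no timeout and could hang forever).
    """
    client = requests if session is None else session
    # Baidu serves a different page layout to non-browser user agents; keep the UA.
    header = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"}
    response = client.get(url, headers=header, timeout=10)
    # Bug fix: the original called .replace()/.strip() and discarded the results
    # (str is immutable), so nothing was ever cleaned. Note that the original
    # .strip('&nbsp') would have stripped the *characters* & n b s p from the
    # ends of each host name, mangling e.g. "bbs.example.cn" -- so the entity is
    # removed as a whole string instead.
    response_html = response.text.replace('\xa0', '').replace('&nbsp;', '')
    # Captures the link text up to its first '/'; relies on Baidu's 2018 markup
    # (style="text-decoration:none;"> ... /) -- verify if results come back empty.
    match = 'style="text-decoration:none;">(.*?)/'
    subdomains = [hit.strip() for hit in re.findall(match, response_html)]
    return subdomains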
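# Collect second-level domains from the first N pages of a Baidu "site:" search.
def craw_all(key, domains, pages=10):
    """Walk ``site:<key>`` result pages and return the de-duplicated host names.

    Args:
        key: apex domain to search, e.g. ``"example.com"``. It is inserted in
            the query string as-is (no URL-encoding), which is fine for plain
            domain names -- the only thing this script feeds it.
        domains: accumulator list. It is extended IN PLACE with every raw hit
            (duplicates included), as the original did; callers that want the
            clean list must use the return value, as ``__main__`` does.
        pages: number of 10-result pages to fetch (default 10, unchanged).

    Returns:
        list[str]: the contents of ``domains`` with duplicates removed, keeping
        first-occurrence order (the original's ``set()`` round-trip returned an
        arbitrary order).

    Raises:
        requests.RequestException: propagated from ``craw``.
    """
    for page in range(pages):
        # Baidu pages by result offset (pn = 0, 10, 20, ...).
        url = "http://www.baidu.com/s?wd=site:" + str(key) + "&cl=3&pn=%s" % (page * 10)
        domains.extend(craw(url))
    # dict.fromkeys de-duplicates while preserving order.
    return list(dict.fromkeys(domains))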
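class hostScan:
    """Probe one host with nmap for its TCP ports and an OS guess.

    The scan runs inside ``__init__`` (kept from the original design), so
    constructing the object is a blocking network operation; the results are
    then read through ``ip_ports`` / ``ip_os`` / ``ip_info``.

    Caveats:
        * ``-O`` (OS fingerprinting) needs raw-socket privileges. Without
          root/Administrator nmap still runs but reports no ``osmatch``, so
          ``ip_os`` returns ``None`` and ``osname`` stays ``''``.
        * ``nmap.PortScanner()`` raises ``nmap.PortScannerError`` if the nmap
          binary is not installed; that is deliberately NOT swallowed here.
        * Only scan hosts you are authorised to test.
    """

    def __init__(self, ip, arguments="-O"):
        """Create the scanner and immediately scan ``ip``.

        Args:
            ip: target as a dotted-quad string (callers pass the result of
                ``socket.gethostbyname``). python-nmap hands it to the nmap
                binary as a separate argv element, not through a shell.
            arguments: nmap flags; ``-O`` as in the original script.
        """
        self.ip = ip
        self.ports = []        # set by ip_ports(); stays [] for a dead host
        self.osname = ''       # set by ip_os(); stays '' when no osmatch
        self.accuracy = ''     # nmap's osmatch accuracy, kept as the string nmap gives
        self._arguments = arguments
        self.nm = nmap.PortScanner()
        self.__ip_scan()

    def __ip_scan(self):
        """Run nmap once; a scanner error is reported, not raised (best-effort, as before)."""
        try:
            self.nm.scan(self.ip, arguments=self._arguments)
            print("调用 %s " % (self.nm.command_line()))
        except nmap.PortScannerError as e:
            # The original swallowed this silently, which made an empty result
            # indistinguishable from a dead host. Report and carry on.
            print("nmap 调用失败 %s: %s" % (self.ip, e))

    def ip_ports(self):
        """Return the scanned TCP port list, or ``None`` if the host has no result.

        ``self.ports`` is updated on success. A host that is down, filtered,
        or whose scan failed is absent from python-nmap's result dict, which
        surfaces as ``KeyError`` -- the only exception handled here (the
        original caught ``Exception``, hiding programming errors too).
        """
        try:
            self.ports = self.nm[self.ip].all_tcp()
        except KeyError:
            print("主机%s不存活 " % self.ip)
            return None
        return self.ports

    def ip_os(self):
        """Return nmap's best OS-match name, or ``None`` when there is none.

        Also records ``self.accuracy``. The original had an ``else:`` branch
        that copied ``accuracy`` into ``osname``; it was unreachable because
        the ``try`` body returns, so it is simply dropped here.
        """
        try:
            best = self.nm[self.ip]["osmatch"][0]
            self.osname = best['name']
            self.accuracy = best["accuracy"]
        except (KeyError, IndexError):
            # No host entry, no "osmatch" key, or an empty list (e.g. -O ran
            # without privileges).
            return None
        return self.osname

    def ip_info(self):
        """Run both lookups and return ``(ports, osname)`` -- ``([], '')`` for a dead host."""
        self.ip_ports()
        self.ip_os()
        return self.ports, self.osname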
def scan(information):
    """Probe ``information['ip']`` and store ``'ports'`` and ``'osname'`` back into the dict.

    The dict is mutated in place; nothing is returned. ``hostScan`` performs
    the nmap scan in its constructor, so this call blocks on the network.
    """
    probe = hostScan(information['ip'])   # local renamed: it shadowed this function
    information['ports'], information['osname'] = probe.ip_info()
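if __name__ == '__main__':
    # Trust boundary: host names come from Baidu's HTML (untrusted). Only the
    # dotted-quad returned by gethostbyname() reaches nmap, and python-nmap
    # passes it as an argv element (no shell), so a hostile result cannot
    # smuggle nmap flags or shell syntax. Scan only domains you are authorised to test.
    parser = argparse.ArgumentParser(description='subdomain discovery + nmap port/OS probe')
    # Default keeps the original hard-coded target, so a bare `python gathering.py`
    # behaves exactly as before; pass -d to override.
    parser.add_argument('-d', '--domain', default='zzti.edu.cn', help='first domain')
    key = parser.parse_args().domain
    subdomains = []
    if key:
        subdomains = craw_all(str(key), subdomains)
    for subdomain in subdomains:
        # Record the name first so a failed resolution still prints which host failed
        # (the original printed an empty dict in that case).
        information = {'subdomain': subdomain}
        try:
            information['ip'] = socket.gethostbyname(subdomain)
        except socket.gaierror:
            print('can\'t discover the ip of ' + str(subdomain))
        else:
            # hostScan() raises nmap.PortScannerError if nmap is not installed;
            # left uncaught on purpose so a missing tool fails loudly.
            scan(information)
        print(information)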