Our friend
Note that this also includes Burp Suite, but there will be a separate publication about it and its useful plugins.
Contents:
- Amass
- Altdns
- aquatone
- MassDNS
- nsec3map
- Acunetix
- Dirsearch
- wfuzz
- fff
- gobuster
- Arjun
- LinkFinder
- JSParser
- sqlmap
- NoSQLMap
- oxml_xxe
- tplmap
- CeWL
- Weakpass
- AEM_hacker
- JoomScan
- WPScan
Amass
To find related network blocks and autonomous system numbers, Amass uses the IP addresses it obtains while running. All the information found is used to build a network map.
Pros:
- Information-gathering techniques include:
* DNS - dictionary search of subdomains, subdomain brute force, smart search using mutations based on the subdomains already found, reverse DNS queries, and a search for DNS servers on which a zone transfer request (AXFR) is possible;
* Open source search - Ask, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ThreatCrowd, VirusTotal, Yahoo;
* Search of TLS certificate databases - Censys, CertDB, CertSpotter, Crtsh, Entrust;
* Use of search engine APIs - BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, Twitter, Umbrella, URLScan;
* Search of Internet web archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback;
- Integration with Maltego;
- Provides the most complete coverage for the task of finding DNS subdomains.
Cons:
- Be careful with amass.netdomains - it tries to contact every IP address in the identified infrastructure and obtain domain names from reverse DNS lookups and TLS certificates. This is a "high-profile" technique that can reveal your reconnaissance activity to the organization under investigation.
- High memory consumption: it can use up to 2 GB of RAM in various configurations, which will not let you run this tool in the cloud on a cheap VDS.
Altdns
Pros:
- Works well with large data sets.
aquatone
Pros:
- The output is a set of files and folders that are convenient to use when you continue working with other tools:
* An HTML report with the collected screenshots and response titles grouped by similarity;
* A file with all the URLs where websites were found;
* A file with statistics and page data;
* A folder with files containing the response headers from the discovered targets;
* A folder with files containing the response bodies from the discovered targets;
* Screenshots of the websites found;
- Supports working with XML reports from Nmap and Masscan;
- Uses headless Chrome/Chromium to render screenshots.
Cons:
- It can attract the attention of intrusion detection systems, so it requires configuration.
The screenshot was taken for one of the older versions of aquatone (v0.5.0), in which DNS subdomain search was implemented. Older versions can be found at
MassDNS
Pros:
- Fast - capable of resolving more than 350 thousand names per second.
Cons:
- MassDNS can put a significant load on the DNS resolvers in use, which can lead to bans on those servers or complaints to your ISP. In addition, it will put a heavy load on the company's DNS servers, if they have them and if they are responsible for the domains you are trying to resolve.
- The list of resolvers is currently outdated, but if you pick out the broken DNS resolvers and add new known ones, everything will be fine.
Screenshot of aquatone v0.5.0
nsec3map
Pros:
- Fast discovery of hosts in DNS zones with a minimal number of queries if DNSSEC support is enabled in the zone;
- Includes a plugin for John the Ripper that can be used to crack the resulting NSEC3 hashes.
Cons:
- Many DNS errors are not handled correctly;
- There is no automatic parallelization of NSEC record processing - you have to split the namespace manually;
- High memory consumption.
Acunetix
Pros:
- Low false-positive rate;
- Results can be exported as reports;
- Performs a large number of checks for various vulnerabilities;
- Parallel scanning of multiple hosts.
Cons:
- There is no deduplication algorithm (Acunetix will treat pages with identical functionality as different, since they lead to different URLs), but the developers are working on it;
- Requires installation on a separate web server, which complicates testing client systems over a VPN connection and using the scanner in an isolated segment of the client's local network;
- It can make the service under test "noisy", for example, by sending too many attack vectors to the contact form on the site, thereby complicating business processes;
- It is a proprietary and, accordingly, not free solution.
Dirsearch
Pros:
- Can distinguish real "200 OK" pages from pages that return "200 OK" but with the text "page not found";
- Comes with a handy dictionary that has a good balance between size and search efficiency. It contains standard paths common to many CMS and technology stacks;
- Its own dictionary format, which lets you achieve good efficiency and flexibility when enumerating files and directories;
- Convenient output - plain text, JSON;
- Can do throttling - a pause between requests, which is vital for any weak service.
Cons:
- Extensions must be passed as a string, which is inconvenient if you need to pass many extensions at once;
- To use your own dictionary, it will need to be slightly adapted to the Dirsearch dictionary format for maximum efficiency.
wfuzz
Pros:
- Multifunctional - modular structure, assembly takes a few minutes;
- Convenient filtering and fuzzing mechanisms;
- You can fuzz any HTTP method, as well as any place in an HTTP request.
Cons:
- Under development.
fff
Pros:
- Filters are similar to the wfuzz filters and let you configure brute force flexibly;
- Lets you fuzz HTTP header values, POST request data and various parts of the URL, including the names and values of GET parameters;
- You can specify any HTTP method.
Cons:
- Under development.
gobuster
Pros:
- High speed of operation both for brute-force search of DNS subdomains and for brute force of files and directories.
Cons:
- The current version does not support setting HTTP headers;
- By default, only some HTTP status codes (200,204,301,302,307) are considered valid.
Arjun
Pros:
- High speed thanks to binary search;
- Support for GET/POST parameters, as well as parameters in JSON format;
A Burp Suite plugin works on a similar principle -
LinkFinder
Pros:
- Fast;
- There is a dedicated Chrome plugin based on LinkFinder.
Cons:
- Inconvenient final output;
- Does not analyze JavaScript over time;
- Fairly simple link-search logic - if the JavaScript is obfuscated in some way, or the links are initially absent and are generated dynamically, it will not be able to find anything.
JSParser
Pros:
- Fast parsing of JavaScript files.
sqlmap
Pros:
- A large number of different techniques and vectors;
- Low number of false positives;
- Many fine-tuning options, various techniques, target database, tamper scripts for bypassing WAF;
- Ability to create a dump of the output;
- Many different exploitation capabilities, for example, for some databases - automatic upload/download of files, obtaining the ability to execute commands (RCE) and others;
- Support for connecting directly to the database using data obtained during the attack;
- You can supply a text file with Burp results as input - no need to write out all the command-line attributes by hand.
Cons:
- It is difficult to customize, for example, to write some of your own checks, because of the scarce documentation for this;
- Without the appropriate settings, it performs an incomplete set of checks, which can be misleading.
NoSQLMap
Pros:
- Like sqlmap, it not only finds a potential vulnerability, but also checks whether it can be exploited for MongoDB and CouchDB.
Cons:
- Does not support NoSQL for Redis and Cassandra; development is under way in this direction.
oxml_xxe
Pros:
- Supports many common formats such as DOCX, ODT, SVG, XML.
Cons:
- Support for PDF, JPEG, GIF is not fully implemented;
- Creates only one file. To solve this problem you can use the tool docem, which can create a large number of payload files in different places.
The tools above do a great job of testing XXE when uploading documents that contain XML. But also remember that XML format handlers can be found in many other cases; for example, XML can be used as a data format instead of JSON.
Therefore, we recommend that you look at the following repository, which contains a large number of different payloads:
tplmap
Pros:
- A large number of different techniques and vectors;
- Supports many template rendering engines;
- Many exploitation techniques.
CeWL
Pros:
- Easy to use.
Cons:
- You need to be careful with the search depth so as not to capture an extra domain.
Weakpass
Pros:
- Contains all kinds of dictionaries as well as dictionaries of common passwords - you can choose a dictionary for your own needs;
- Dictionaries are updated and replenished with new passwords;
- Dictionaries are sorted by efficiency. You can choose an option both for fast online brute force and for a thorough selection of passwords from a voluminous dictionary with the most recent entries;
- There is a calculator that shows the time it takes to brute-force passwords on your hardware.
We would like to put the CMS checking tools in a separate group: WPScan, JoomScan and AEM hacker.
AEM_hacker
Pros:
- Can identify AEM applications from a list of URLs supplied as its input;
- Contains scripts for obtaining RCE by uploading a JSP shell or exploiting SSRF.
JoomScan
Pros:
- Ability to find configuration flaws and problems with administrative settings;
- Enumerates Joomla versions and related vulnerabilities, and likewise for individual components;
- Contains more than 1000 exploits for Joomla components;
- Output of final reports in text and HTML formats.
WPScan
Pros:
- Able to enumerate not only insecure WordPress plugins and themes, but also obtain a list of users and TimThumb files;
- Can perform brute-force attacks on WordPress sites.
Cons:
- Without the appropriate settings, it performs an incomplete set of checks, which can be misleading.
In general, different people prefer different tools for the job: they are all good in their own way, and what one person likes may not suit another at all. If you think we have unfairly overlooked some good utility, write about it in the comments!
Source: www.habr.com