taura nezvezvishandiso zvinobatsira zvemapentester. Muchinyorwa chitsva tichatarisa maturusi ekuongorora kuchengetedzwa kwewebhu application.
Shamwari yedu Ndakatoita zvakadai anenge makore manomwe apfuura. Zvinonakidza kuona kuti ndeapi maturusi akachengeta uye akasimbisa nzvimbo dzawo, uye ndeapi akapera kuseri uye haawanzo kushandiswa.
Ziva kuti izvi zvinosanganisirawo Burp Suite, asi pachave neyakasiyana bhuku pamusoro payo uye ayo anobatsira plugins.
Zviri Mukati:
unganidza
- Chishandiso cheGo chekutsvaga uye kuverengera DNS subdomains uye mepu yekunze network. Amass ipurojekiti yeOWASP yakagadzirirwa kuratidza kuti masangano paInternet anotaridzika sei kumunhu wekunze. Amass inowana mazita e subdomain munzira dzakasiyana siyana; chishandiso chinoshandisa ese ari maviri anodzokorodza enumeration ye subdomain uye yakavhurika sosi yekutsvaga.
Kuti uwane zvikamu zvakabatana zvetiweki uye yakazvimirira manhamba ehurongwa, Amass inoshandisa IP kero inowanikwa panguva yekushanda. Ruzivo rwese rwakawanikwa runoshandiswa kugadzira network mepu.
Pros:
- Maitiro ekuunganidza ruzivo anosanganisira:
* DNS - kutsvaga kweduramazwi kwema subdomain, bruteforce subdomains, smart search uchishandisa shanduko yakavakirwa pane yakawanikwa subdomain, dzosera DNS mibvunzo uye tsvaga DNS maseva pazvinogoneka kuita chikumbiro chekuendesa zone (AXFR);* Vhura sosi yekutsvaga - Bvunza, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ThreatCrowd, VirusTotal, Yahoo;
* Tsvaga TLS chitupa dhatabhesi - Censys, CertDB, CertSpotter, Crtsh, Entrust;
* Kushandisa injini yekutsvaga APIs - BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, Twitter, Umbrella, URLScan;
* Tsvaga Internet pawebhu dura: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback;
- Kubatanidzwa neMaltego;
- Inopa iyo yakazara yakazara kufukidzwa yebasa rekutsvaga DNS subdomain.
Cons:
- Chenjerera nemass.netdomains - inoedza kubata kero yega yega IP mune yakatarwa zvivakwa uye kuwana mazita edomasi kubva kumashure DNS lookups uye TLS zvitupa. Iyi inzira ye "yepamusoro-soro", inogona kuratidza zviitiko zvako zvehungwaru musangano riri kuferefetwa.
- Yakanyanya ndangariro yekushandisa, inogona kupedza kusvika 2 GB ye RAM mune dzakasiyana marongero, izvo zvisingakubvumidze iwe kumhanyisa chishandiso ichi mugore pane yakachipa VDS.
Altdns
-Chishandiso chePython chekunyora maduramazwi ekuverengera DNS subdomain. Inokutendera kuti ugadzire akawanda akasiyana e subdomain uchishandisa shanduko uye mvumo. Nokuda kweizvi, mazwi anowanzo kuwanikwa mu-subdomains anoshandiswa (semuenzaniso: test, dev, staging), kuchinja kwese uye mvumo inoshandiswa kune yakatozivikanwa subdomain, iyo inogona kuendeswa kune Altdns input. Iyo inoburitsa rondedzero yezvakasiyana zve subdomain zvinogona kuvapo, uye iyi runyorwa inogona kushandiswa gare gare kuDNS brute force.
Pros:
- Inoshanda zvakanaka nemaseti makuru edata.
aquatone
- yaimbozivikanwa zviri nani sechimwe chishandiso chekutsvaga subdomain, asi munyori iye pachake akasiya izvi achifarira Amass ambotaurwa. Iye zvino aquatone yakanyorwa patsva muGo uye yakanyatso kurongedzerwa kune yekutanga kucherechedzwa pamawebhusaiti. Kuti uite izvi, aquatone inopfuura nepakati pemazita akatarwa uye inotsvaga mawebhusaiti pazviteshi zvakasiyana, mushure mezvo inounganidza ruzivo rwese nezve saiti uye inotora skrini. Yakanakira kukurumidza kwekutanga kucherechedzwa kwemawebhusaiti, mushure meizvozvo iwe unogona kusarudza zvinonyanya kutariswa zvekurwiswa.
Pros:
- Izvo zvinobuda zvinogadzira boka remafaira uye maforodha ari nyore kushandisa kana uchienderera mberi nekushanda nemamwe maturusi:
* Chirevo cheHTML chine akaunganidzwa skrini uye mazita emhinduro akaiswa mumapoka akafanana;* Iro faira rine ese maURL kwakawanikwa mawebhusaiti;
* Faira ine nhamba uye peji data;
* Folder ine mafaera ane misoro yemhinduro kubva kune zvakawanikwa zvinangwa;
* Folder ine mafaera ane muviri wemhinduro kubva kune zvakawanikwa zvibodzwa;
* Screenshots yemawebhusaiti akawanikwa;
- Inotsigira kushanda nemishumo yeXML kubva kuNmap neMasscan;
- Inoshandisa isina musoro Chrome/Chromium kupa zviratidziro.
Cons:
- Inogona kukwezva kutarisisa kweiyo intrusion yekuona masisitimu, saka inoda kumisikidzwa.
Iyo skrini yakatorwa kune imwe yekare vhezheni yeaquatone (v0.5.0), umo DNS subdomain yekutsvaga yakaitwa. Shanduro dzekare dzinogona kuwanikwa pa .
MassDNS
chimwe chishandiso chekutsvaga DNS subdomain. Musiyano wayo mukuru ndewekuti inoita DNS mibvunzo yakananga kune akawanda akasiyana DNS anogadzirisa uye anozviita nekukurumidza.
Pros:
- Kurumidza - inokwanisa kugadzirisa mazita anopfuura 350 zviuru pasekondi.
Cons:
- MassDNS inogona kukonzera mutoro wakakura pane DNS solvers mukushandiswa, izvo zvinogona kutungamira kurambidzwa kune iwo maseva kana zvichemo kuISP yako. Mukuwedzera, ichaisa mutoro wakakura pamaseva eDNS ekambani, kana vanayo uye kana vari ivo vane mhosva kune madomasi auri kuedza kugadzirisa.
- Rondedzero yevanogadzirisa parizvino ndeyechinyakare, asi kana ukasarudza yakatyoka DNS solvers uye wowedzera matsva anozivikanwa, zvese zvichanaka.
Mufananidzo weaquatone v0.5.0
nsec3map
chishandiso chePython chekuwana runyorwa rwakakwana rweDNSSEC-yakachengetedzwa domains.
Pros:
- Kurumidza kuwana mauto munzvimbo dzeDNS ane hushoma nhamba yemibvunzo kana DNSSEC tsigiro yakagoneswa munzvimbo;
- Inosanganisira plugin yaJohn the Ripper iyo inogona kushandiswa kupaza mhedzisiro NSEC3 hashes.
Cons:
- Zvikanganiso zvakawanda zveDNS hazvina kubatwa nemazvo;
- Iko hakuna otomatiki parallelization yekugadzirisa NSEC marekodhi - iwe unofanirwa kupatsanura iyo namespace pamunhu;
- High memory kushandiswa.
Acunetix
-web vulnerability scanner iyo inogadzirisa maitiro ekutarisa kuchengetedzeka kwewebhu maapplication. Inoedza majekiseni eSQL, XSS, XXE, SSRF uye humwe hurema hwewebhu. Nekudaro, senge chero imwe scanner, akasiyana ewebhu kusagadzikana haatsive pentester, sezvo isingakwanise kuwana macheni akaomarara ekusagadzikana kana kusasimba mune pfungwa. Asi inovhara kwakawanda kwakasiyana kusadzivirirwa, kusanganisira akasiyana maCVE, ayo pentester angave akanganwa nezvayo, saka zviri nyore kwazvo kukusunungura kubva kumacheki enguva dzose.
Pros:
- Kuderera kwemaitiro enhema;
- Migumisiro inogona kutumirwa kunze semishumo;
- Inoita nhamba huru yecheki yehutera hwakasiyana;
- Parallel scanning yeakawanda anotambira.
Cons:
- Iko hakuna deduplication algorithm (Acunetix ichafunga mapeji akafanana mukushanda kuti ave akasiyana, sezvo achitungamira kune akasiyana maURL), asi vanogadzira vari kushanda pairi;
- Inoda kuisirwa pane yakaparadzana sevha yewebhu, iyo inoomesera macustomer masisitimu ane VPN yekubatanidza uye kushandisa scanner mune yakasarudzika chikamu chemunharaunda vatengi network;
- Iyo sevhisi iri pasi pechidzidzo inogona kuita ruzha, semuenzaniso, nekutumira akawandisa ekurwisa mavheji kune fomu rekuonana pane saiti, nekudaro kuomesa bhizinesi maitiro;
- Iyo ndeyemuridzi uye, maererano, kwete yemahara mhinduro.
Dirsearch
-Chishandiso chePython chebrute-forcing directories uye mafaera pane mawebhusaiti.
Pros:
- Inokwanisa kusiyanisa mapeji echokwadi "200 OK" kubva pamapeji "200 OK", asi nemashoko "peji harina kuwanikwa";
- Inouya neduramazwi rinoshanda rine chiyero chakanaka pakati pehukuru nekubudirira kwekutsvaga. Iine yakajairwa nzira dzakajairika kune akawanda CMS uye tekinoroji stacks;
- Yayo yega duramazwi fomati, iyo inokutendera iwe kuti uwane kuita kwakanaka uye kuchinjika mukuverengera mafaera nemadhairekitori;
- Zviri nyore kubuda - plain text, JSON;
- Inogona kuita throttling - kumbomira pakati pezvikumbiro, izvo zvakakosha kune chero sevhisi isina simba.
Cons:
- Mawedzero anofanirwa kupfuudzwa setambo, izvo zvisingaite kana iwe uchida kupfuudza akawanda ekuwedzera kamwechete;
- Kuti ushandise duramazwi rako, rinozoda kugadziridzwa zvishoma kune iyo Dirsearch duramazwi fomati kuti inyatsogona.
wfuzz
-Python web application fuzzer. Pamwe imwe yeanonyanya kuzivikanwa webhu phasers. Nheyo yacho iri nyore: wfuzz inokutendera kuti utore chero nzvimbo muchikumbiro cheHTTP, izvo zvinoita kuti zvikwanise kuganhura GET/POST paramita, misoro yeHTTP, kusanganisira Cookie nemamwe misoro yekusimbisa. Panguva imwecheteyo, zvakare yakanakira kune yakapusa brute simba remadhairekitori uye mafaera, ayo aunoda duramazwi rakanaka. Iyo ine zvakare inochinjika sefa system, iyo iwe yaunogona kusefa mhinduro kubva kune webhusaiti zvinoenderana neyakasiyana paramita, iyo inokutendera iwe kuti uwane mhedzisiro inoshanda.
Pros:
- Multifunctional - modular chimiro, gungano rinotora maminetsi mashoma;
- Yakanaka kusefa uye fuzzing michina;
- Iwe unogona nhanho chero nzira yeHTTP, pamwe nenzvimbo chero ipi zvayo muchikumbiro cheHTTP.
Cons:
- Under development.
fff
- webhu fuzzer muGo, yakagadzirwa mu "mufananidzo uye mufananidzo" wewfuzz, inobvumidza iwe kushungurudza mafaera, madhairekitori, ma URL nzira, mazita uye kukosha kweGET / POST paramita, HTTP misoro, kusanganisira iyo Host musoro wechisimba. of virtual host. wfuzz inosiyana kubva kuhama yayo mukumhanya kwepamusoro uye zvimwe zvitsva, semuenzaniso, inotsigira Dirsearch fomati maduramazwi.
Pros:
- Mafirita akafanana newfuzz mafirita, anokubvumira kuti ugone kugadzirisa brute force;
- Inokutendera kuti uite fuzz HTTP header values, POST yekukumbira data uye zvikamu zvakasiyana zve URL, kusanganisira mazita uye kukosha kweGET paramita;
- Unogona kutsanangura chero nzira yeHTTP.
Cons:
- Under development.
gobuster
- chishandiso cheGo chekuziva, chine nzira mbiri dzekushanda. Yekutanga inoshandiswa kushungurudza mafaera uye madhairekitori pawebhusaiti, yechipiri inoshandiswa brute force DNS subdomains. Chishandiso hachina kutsigira kudzokororwa kuverengerwa kwemafaira uye madhairekitori, ayo, chokwadi, anochengetedza nguva, asi nerumwe rutivi, hutsinye hwekupedzisira hwega hwega pawebhusaiti hunofanirwa kutangwa zvakasiyana.
Pros:
- Kumhanya kwakanyanya kwekushanda kwese kwebrute simba kutsvaga kweDNS subdomain uye kune brute simba remafaira nemadhairekitori.
Cons:
- Iyo yazvino vhezheni haitsigire kuseta misoro yeHTTP;
- Nekumisikidza, mamwe chete eiyo HTTP mamiriro macode (200,204,301,302,307) anoonekwa seanoshanda.
Arjun
- Chishandiso chechisimba chechisimba cheyakavanzika HTTP paramita muGET/POST paramita, pamwe neJSON. Duramazwi rakavakirwa-mukati rine 25 mazwi, ayo Ajrun anotarisa mumasekondi angangoita makumi matatu. Icho chinonyengera ndechekuti Ajrun haatarise imwe neimwe parameter zvakasiyana, asi inotarisa ~ 980 paramita panguva uye inoona kana mhinduro yachinja. Kana mhinduro yachinja, inopatsanura iyi 30 paramita kuita zvikamu zviviri uye inotarisa kuti ndeipi yezvikamu izvi inokanganisa mhinduro. Saka, uchishandisa nyore bhinari kutsvaga, parameter kana akati wandei akavanzwa paramita anowanikwa akapesvedzera mhinduro uye, saka, anogona kuvapo.
Pros:
- Kumhanya kwepamusoro nekuda kwekutsvaga kwebhinari;
- Tsigiro yeGET/POST paramita, pamwe nemaparamita ari muchimiro cheJSON;
Iyo plugin yeBurp Suite inoshanda pane yakafanana musimboti - , iyo zvakare yakanaka kwazvo pakutsvaga yakavanzika HTTP paramita. Isu tichakuudza zvimwe nezvazvo mune iri kuuya chinyorwa nezve Burp nema plugins ayo.
LinkFinder
-Chinyorwa chePython chekutsvaga zvinongedzo mumafaira eJavaScript. Inobatsira kutsvaga zvakavanzika kana kukanganwa magumo/maURL muwebhu application.
Pros:
- Fast;
- Kune yakakosha plugin yeChrome yakavakirwa paLinkFinder.
.
Cons:
- Mhedziso yekupedzisira isingaite;
- Haiongorore JavaScript nekufamba kwenguva;
- Yakareruka pfungwa yekutsvaga malink - kana JavaScript neimwe nzira yakavharwa, kana ma link akatanga asipo uye akagadzirwa zvine simba, saka haizokwanise kuwana chero chinhu.
JSParser
ndeye Python script inoshandisa ΠΈ kusiyanisa maURL ehama kubva kuJavaScript mafaera. Inobatsira kwazvo kuona zvikumbiro zveAJAX uye kunyora rondedzero yeAPI nzira dzinodyidzana neapp. Inoshanda zvinobudirira pamwe chete neLinkFinder.
Pros:
- Kukurumidza kupatsanura mafaera eJavaScript.
sqlmap
ingangove imwe yezvishandiso zvakakurumbira zvekuongorora mawebhusaiti. Sqlmap inogadzirisa kutsvaga uye kushanda kweSQL jekiseni, inoshanda nemitauro yakawanda yeSQL, uye ine nhamba huru yemaitiro akasiyana-siyana muzvombo zvayo, kubva pamashoko akatwasuka kusvika kune akaomarara majekiseni eSQL majekiseni. Pamusoro pezvo, ine hunyanzvi hwakawanda hwekuwedzera kushandiswa kweDBMS dzakasiyana, saka haingobatsiri se scanner yemajekiseni eSQL, asiwo sechombo chine simba chekushandisa majekiseni eSQL atowanikwa.
Pros:
- Nhamba huru yemaitiro akasiyana uye mavheji;
- Nhamba yakaderera yezvinyorwa zvenhema;
- Mazhinji esarudzo dzekugadzirisa zvakanaka, hunyanzvi hwakasiyana, dhatabhesi inotarirwa, tamper zvinyorwa zvekupfuura WAF;
- Kugona kugadzira goho remarara;
- Zvakawanda zvakasiyana-siyana zvekushandisa, semuenzaniso, kune mamwe madhatabhesi - otomatiki kurodha / kurodha mafaera, kuwana kugona kuita mirairo (RCE) nevamwe;
- Tsigiro yekubatanidza zvakananga kune dhatabhesi uchishandisa data yakawanikwa panguva yekurwiswa;
- Iwe unogona kuendesa mameseji faira nemhedzisiro yeBurp sekuisa - hapana chikonzero chekunyora nemaoko ese emirairo mutsara hunhu.
Cons:
- Zvakaoma kugadzirisa, semuenzaniso, kunyora mamwe echeki yako nekuda kwekushomeka kwemagwaro eizvi;
- Pasina zvigadziriso zvakakodzera, inoita seti isina kukwana yecheki, iyo inogona kutsausa.
NoSQLMap
-Chishandiso chePython chekugadzirisa otomatiki kutsvaga uye kushandisa majekiseni eNoSQL. Zviri nyore kushandisa kwete chete muNoSQL dhatabhesi, asiwo zvakananga paunenge uchiongorora mawebhu application anoshandisa NoSQL.
Pros:
- Kufanana ne sqlmap, haingowani mukana wekusagadzikana, asi zvakare inotarisa mukana wekushandiswa kwayo kweMongoDB neCouchDB.
Cons:
- Haitsigire NoSQL yeRedis, Cassandra, budiriro iri kuitika munzira iyi.
oxml_xxe
- chishandiso chekumisikidza XXE XML inoshandisa mumhando dzakasiyana dzemafaira anoshandisa iyo XML fomati mune imwe fomu.
Pros:
- Inotsigira akawanda akajairwa mafomati akadai seDOCX, ODT, SVG, XML.
Cons:
- Tsigiro yePDF, JPEG, GIF haina kuitwa zvizere;
- Inogadzira faira rimwe chete. Kuti ugadzirise dambudziko iri unogona kushandisa chishandiso , iyo inogona kugadzira nhamba huru yemafaira ekubhadhara munzvimbo dzakasiyana.
Zvishandiso zviri pamusoro zvinoita basa rakakura rekuyedza XXE paunenge uchirodha zvinyorwa zvine XML. Asi zvakare yeuka kuti XML mafomati ekubata anogona kuwanikwa mune mamwe akawanda kesi, semuenzaniso, XML inogona kushandiswa se data fomati panzvimbo yeJSON.
Naizvozvo, isu tinokurudzira kuti utarise kune inotevera repository, iyo ine nhamba yakakura yeakasiyana mitoro: .
tplmap
-Chishandiso chePython chekuzivisa otomatiki uye kushandisa Server-Side Template Injection kusagadzikana; ine marongero uye mireza yakafanana nesqlmap. Inoshandisa akati wandei akasiyana matekiniki uye mavheji, kusanganisira jekiseni remapofu, uye zvakare ine matekiniki ekuita kodhi uye kurodha / kurodha mafaera asina kupokana. Pamusoro pezvo, ane mune yake arsenal matekiniki emakumi maviri akasiyana einjini dzetemplate uye mamwe matekiniki ekutsvaga eval()-senge majekiseni ekodhi muPython, Ruby, PHP, JavaScript. Kana ikabudirira, inovhura inopindirana console.
Pros:
- Nhamba huru yemaitiro akasiyana uye mavheji;
- Inotsigira akawanda template kupa injini;
- Mazhinji maitiro ekushandisa.
CeWL
- jenareta reduramazwi muRuby, rakagadzirwa kuti ribvise mazwi akasarudzika kubva kune yakatsanangurwa webhusaiti, rinotevera zvinongedzo pane saiti kune kudzika kwakatarwa. Duramazwi rakaunganidzwa remazwi akasarudzika rinogona kuzoshandiswa kumanikidza mapassword pamasevhisi kana brute force mafaera nemadhairekitori pawebhusaiti imwe chete, kana kurwisa hashcat uchishandisa hashcat kana John the Ripper. Inobatsira paunenge uchinyora "chinangwa" rondedzero yemapassword angangoita.
Pros:
- Easy kushandisa.
Cons:
- Iwe unofanirwa kungwarira nekudzika kwekutsvaga kuitira kuti usatore imwe domain.
Weakpass
- sevhisi ine akawanda maduramazwi ane akasiyana mapassword. Inobatsira zvakanyanya kumabasa akasiyana siyana ane chekuita nekupaza password, kubva pamhepo yakapusa simba reakaundi pamasevhisi anotariswa, kusvika kune-off-line brute simba rehashi dzinogamuchirwa uchishandisa. kana . Iine mapassword anosvika mabhiriyoni masere kubva pa8 kusvika ku4 mavara pakureba.
Pros:
- Rine ese maduramazwi uye maduramazwi ane mapassword akajairika - unogona kusarudza duramazwi rezvaunoda iwe;
- Maduramazwi anovandudzwa uye anozadzwazve nemapassword matsva;
- Maduramazwi anorongwa nekushanda zvakanaka. Iwe unogona kusarudza sarudzo yezvese inokurumidza online brute force uye yakadzama sarudzo yemapassword kubva kune voluminous duramazwi rine ichangoburwa;
- Pane karukureta inoratidza nguva inotora kubhura mapassword pamidziyo yako.
Tinoda kusanganisa maturusi eCMS cheki muboka rakasiyana: WPScan, JoomScan uye AEM hacker.
AEM_hacker
chishandiso chekuziva kusagona kuitika muAdobe Experience Manager (AEM) maapplication.
Pros:
- Inogona kuona zvikumbiro zveAEM kubva pane runyorwa rwema URL akaunzwa kune yaanoisa;
- Ine zvinyorwa zvekuwana RCE nekurodha JSP goko kana kushandisa SSRF.
JoomScan
-Chishandiso chePerl chekugadzirisa otomatiki kuona kwekusagadzikana kana uchitumira Joomla CMS.
Pros:
- Kugona kuwana zvikanganiso zvekugadzirisa uye matambudziko ane administrative marongero;
- Inonyora shanduro dzeJoomla uye kusagadzikana kwakabatana, zvakafanana kune zvega zvega;
- Iine zvinopfuura 1000 zvekushandisa zveJoomla zvikamu;
- Kubuda kwemishumo yekupedzisira mune zvinyorwa uye HTML mafomati.
WPScan
- chishandiso chekuongorora mawebhusaiti eWordPress, ine kusazvibata mune yayo arsenal zvese zveWordPress injini pachayo uye kune mamwe maplugins.
Pros:
- Inokwanisa kunyora kwete chete isina kuchengetedzeka WordPress plugins uye misoro, asiwo kuwana runyorwa rwevashandisi uye TimThumb mafaera;
- Inogona kuitisa brute simba rekurwisa pane WordPress masaiti.
Cons:
- Pasina zvigadziriso zvakakodzera, inoita seti isina kukwana yecheki, iyo inogona kutsausa.
Kazhinji, vanhu vakasiyana vanosarudza maturusi akasiyana ebasa: ese akanaka nenzira yavo, uye izvo zvinofarirwa nemunhu zvinogona kusaenderana nemumwe zvachose. Kana iwe uchifunga kuti isu takafuratira zvisiri izvo zvimwe zvakanaka zvinobatsira, nyora nezvazvo mumashoko!
Source: www.habr.com