Colleagues,
Note that this list does not include Burp Suite; a separate publication will be devoted to it and its useful plugins.
Contents:
- Amass
- Altdns
- aquatone
- MassDNS
- nsec3map
- Acunetix
- Dirsearch
- wfuzz
- ffuf
- gobuster
- Arjun
- LinkFinder
- JSParser
- sqlmap
- NoSQLMap
- oxml_xxe
- tplmap
- CeWL
- Weakpass
- AEM_hacker
- JoomScan
- WPScan
Amass
To discover the network segments and autonomous system numbers associated with the target, Amass uses the IP addresses obtained during the run. All of the gathered information is used to build a map of the target network.
Pros:
- The information-gathering techniques include:
* DNS: dictionary search for subdomains, subdomain brute forcing, smart search using permutations based on already discovered subdomains, reverse DNS queries, and a search for DNS servers that may allow a zone transfer request (AXFR);
* Open-source search: Ask, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ThreatCrowd, VirusTotal, Yahoo;
* TLS certificate database search: Censys, CertDB, CertSpotter, Crtsh, Entrust;
* Use of search engine APIs: BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, Twitter, Umbrella, URLScan;
* Search of Internet web archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback;
- Integration with Maltego;
- Provides the most complete coverage of the DNS subdomain enumeration task.
Cons:
- Be careful with the amass.netdomains mode: it will try to connect to every IP address in the identified infrastructure and obtain domain names from reverse DNS lookups and TLS certificates. This is a "high-profile" technique and can reveal your reconnaissance activity to the organization under investigation.
- High memory consumption: it can consume up to 2 GB of RAM in various configurations, which will not let you run this tool in the cloud on a cheap VDS.
Altdns
Pros:
- Works well with large data sets.
aquatone
Pros:
- The output is a set of files and folders that are convenient for further work with other tools:
* An HTML report with the collected screenshots and response headers grouped by similarity;
* A file with all the URLs at which websites were found;
* A file with statistics and page data;
* A folder with files containing the response headers from the discovered targets;
* A folder with files containing the response bodies from the discovered targets;
* Screenshots of the discovered websites;
- Supports working with XML reports from Nmap and Masscan;
- Uses headless Chrome/Chromium to render the screenshots.
Cons:
- May attract the attention of intrusion detection systems, so it needs to be configured accordingly.
The screenshot was taken from one of the older versions of aquatone (v0.5.0), in which DNS subdomain search was still used. Older versions can be found at
MassDNS
Pros:
- Fast: able to resolve more than 350,000 names per second.
Cons:
- MassDNS can put a heavy load on the DNS resolvers it uses, which can lead to those servers being blocked or to complaints to your ISP. In addition, it will put a heavy load on the company's own DNS servers, if it has any and if they are authoritative for the domains you are trying to resolve.
- The bundled resolver list is currently outdated, but if you filter out the broken DNS resolvers and add new known-good ones, everything will work fine.
Screenshot of aquatone v0.5.0
nsec3map
Pros:
- Quickly discovers hosts in DNS zones with a minimal number of queries if DNSSEC support is enabled for the zone;
- Includes a John the Ripper plugin that can be used to crack the resulting NSEC3 hashes.
Cons:
- Many DNS errors are not handled properly;
- No automatic parallelization of NSEC record processing; you have to split the namespace manually;
- High memory consumption.
Acunetix
Pros:
- Low rate of false positives;
- Results can be exported as reports;
- Performs a large number of checks for various vulnerabilities;
- Parallel scanning of multiple hosts.
Cons:
- No deduplication algorithm (Acunetix treats pages that are functionally identical as different, because they lead to different URLs), but the developers are working on it;
- Requires installation on a separate web server, which complicates testing client systems over a VPN connection and using the scanner in an isolated segment of the client's local network;
- The scanned service may be flooded with noise, for example when the scanner submits too many vectors to the site's contact form, significantly disrupting business processes;
- It is proprietary and, accordingly, not a free solution.
Dirsearch
Pros:
- Can distinguish real "200 OK" pages from "200 OK" pages whose body says "page not found";
- Comes with a useful dictionary with a good balance between size and search efficiency. It contains standard paths common to many CMSs and technology stacks;
- Its own dictionary format, which lets you achieve good efficiency and flexibility when enumerating files and directories;
- Convenient output: plain text, JSON;
- Can throttle (pause between requests), which is important for any fragile service.
Cons:
- Extensions must be passed as a single string, which is inconvenient if you need to pass many extensions at once;
- To use your own dictionary, it will need to be slightly modified into the Dirsearch dictionary format for maximum efficiency.
wfuzz
Pros:
- Multifunctional: modular structure, building it takes only a few minutes;
- Convenient approach to filtering and fuzzing;
- Can fuzz any HTTP method, as well as any position in an HTTP request.
Cons:
- Under development.
ffuf
Pros:
- The filters are similar to those of wfuzz and allow you to fine-tune brute forcing;
- Allows you to fuzz values in HTTP headers, POST request data and various parts of the URL, including GET parameter names and values;
- Any HTTP method can be specified.
Cons:
- Under development.
gobuster
Pros:
- High speed for brute-force DNS subdomain search and for brute forcing files and directories.
Cons:
- The current version does not support setting HTTP headers;
- By default, only some HTTP status codes (200, 204, 301, 302, 307) are considered valid.
Arjun
Pros:
- High speed thanks to binary search;
- Support for GET/POST parameters, as well as parameters in JSON format;
The Burp Suite plugin works on the same principle.
LinkFinder
Pros:
- Fast;
- There is a dedicated Chrome plugin based on LinkFinder.
Cons:
- Inconvenient final output;
- Does not analyze JavaScript at runtime;
- Simple link-search logic: if the JavaScript is obfuscated in some way, or the links are absent initially and generated dynamically, it will not be able to find anything.
JSParser
Pros:
- Fast parsing of JavaScript files.
sqlmap
Pros:
- A large number of different techniques and vectors;
- Low number of false positives;
- Many fine-tuning options: various techniques, the target database, tamper scripts for bypassing a WAF;
- Ability to dump the output data;
- Many different operational capabilities, for example, for some databases: automatic file upload/download, obtaining command execution (RCE), and more;
- Support for a direct connection to the database using data obtained during the attack;
- You can pass a text file with Burp results as input, so there is no need to craft all the command-line attributes manually.
Cons:
- Difficult to customize, for example to write some checks of your own, due to the lack of documentation for this;
- Without proper settings, it performs an incomplete set of checks, which can be misleading.
NoSQLMap
Pros:
- Like sqlmap, it not only finds potential vulnerabilities but also checks whether they can be exploited, for MongoDB and CouchDB.
Cons:
- Does not support the NoSQL databases Redis and Cassandra; development in this direction is ongoing.
oxml_xxe
Pros:
- Supports many common formats such as DOCX, ODT, SVG, XML.
Cons:
- Support for PDF, JPEG, GIF is not fully implemented;
- Creates only one file. To work around this you can use the docem tool, which can create a large number of payload files in different places.
The utilities above do a good job of testing for XXE when uploading documents that contain XML. But also remember that XML format handlers can be found in many other situations; for example, XML can be used as a data format instead of JSON.
Therefore, we recommend paying attention to the following repository, which contains a large number of different payloads:
tplmap
Pros:
- A large number of different techniques and vectors;
- Supports many template engines;
- Many modes of operation.
CeWL
Pros:
- Easy to use.
Cons:
- You need to watch the crawl depth so as not to pick up an extra domain.
Weakpass
Pros:
- Contains both specialized dictionaries and dictionaries of common passwords; you can choose a specific dictionary for your needs;
- The dictionaries are updated and replenished with new passwords;
- The dictionaries are sorted by effectiveness. You can choose an option both for fast online brute forcing and for a detailed selection of passwords from a huge dictionary with the latest leaks;
- There is a calculator that shows how long it would take to brute-force the passwords on your hardware.
We would like to put the CMS testing tools into a separate group: WPScan, JoomScan and AEM hacker.
AEM_hacker
Pros:
- Can identify AEM applications in the list of URLs submitted as input;
- Contains scripts for obtaining RCE by uploading a JSP shell or exploiting SSRF.
JoomScan
Pros:
- Can find configuration errors and problems with administrative settings;
- Enumerates Joomla versions and their associated vulnerabilities, and likewise for individual components;
- Contains more than 1000 entries for Joomla components;
- Outputs the final reports in text and HTML format.
WPScan
Pros:
- Can list not only insecure WordPress plugins and themes, but also obtain the list of users and TimThumb files;
- Can conduct brute-force attacks against WordPress sites.
Cons:
- Without proper settings, it performs an incomplete set of checks, which can be misleading.
In general, different people prefer different tools for the job: each is good in its own way, and what one person likes may not suit another at all. If you think we have unfairly overlooked some good utility, write about it in the comments!
Source: www.habr.com