[Pentest] Gathering information with theHarvester before a penetration test
I came across a small tool called theHarvester in the book 網站滲透測試實務入門 (an introduction to practical web penetration testing).
It collects information related to a given site, such as email addresses, associated IP addresses and domain names.
Let's give it a quick try.
1. Installing theHarvester
Clone the latest code straight from GitHub with git:
git clone https://github.com/laramies/theHarvester.git
Once cloned, change into the theHarvester directory and you will find the main program, theHarvester.py.
Start by looking at its help screen:
testuser@localhost ~/theHarvester $ python theHarvester.py

*******************************************************************
*                                                                 *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __| '_ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ || __/ |     *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* TheHarvester Ver. 2.7                                           *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*******************************************************************

Usage: theharvester options

       -d: Domain to search or company name
       -b: data source: google, googleCSE, bing, bingapi, pgp, linkedin,
                        google-profiles, jigsaw, twitter, googleplus, all
       -s: Start in result number X (default: 0)
       -v: Verify host name via dns resolution and search for virtual hosts
       -f: Save the results into an HTML and XML file (both)
       -n: Perform a DNS reverse query on all ranges discovered
       -c: Perform a DNS brute force for the domain name
       -t: Perform a DNS TLD expansion discovery
       -e: Use this DNS server
       -l: Limit the number of results to work with(bing goes from
           50 to 50 results, google 100 to 100, and pgp doesn't use this option)
       -h: use SHODAN database to query discovered hosts

Examples:
        theHarvester.py -d microsoft.com -l 500 -b google -h myresults.html
        theHarvester.py -d microsoft.com -b pgp
        theHarvester.py -d microsoft -l 200 -b linkedin
        theHarvester.py -d apple.com -b googleCSE -l 500 -s 300
2. Searching for information about demo.testfire.net with theHarvester
As before, we use the test site demo.testfire.net as our target;
remember not to just pick some random public website to poke at...
In normal use theHarvester only looks things up in search engines,
but with the -n, -c and -t options it starts actively querying the target,
which may well be classified as attack behaviour...
Use -d to specify the domain to query and -b to choose the data source (all here):
testuser@localhost ~/theHarvester $ python theHarvester.py -d demo.testfire.net -b all
......
Full harvest..
[-] Searching in Google..
	Searching 0 results...
	Searching 100 results...
[-] Searching in PGP Key server..
[-] Searching in Bing..
	Searching 50 results...
	Searching 100 results...
[-] Searching in Exalead..
	Searching 50 results...
	Searching 100 results...
	Searching 150 results...

[+] Emails found:
------------------
No emails found

[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...

[+] Virtual hosts:
==================
Hmm... nothing found at all...
Don't give up so quickly, though: demo.testfire.net is just one machine in the testfire.net domain,
and other information about testfire.net may be useful for the penetration test,
so let's try testfire.net instead:
testuser@localhost ~/theHarvester $ python theHarvester.py -d testfire.net -b all
......

[+] Emails found:
------------------
aabbott@testfire.net

[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
65.61.137.117:Demo.testfire.net
65.61.137.117:demo.testfire.net
65.61.137.117:localhost.testfire.net
65.61.137.117:www.testfire.net

[+] Virtual hosts:
==================
65.61.137.117	demo.testfire.net
65.61.137.117	altoromutual.com
65.61.137.117	testfire.net
65.61.137.117	65.61.137.117
This time we found one testfire.net email address,
and we can also see that, besides demo.testfire.net,
other domain names such as altoromutual.com sit on the same IP.
These details are exactly the kind of thing you can extend the search from.
Besides information gathering for a penetration test, theHarvester can also be used to check how exposed a domain is:
if the tool turns up non-public email addresses under your own domain, something has probably been leaked somewhere.
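The two follow-ups just described, extending the search from names that share the target's IP and checking your own domain for unexpectedly exposed addresses, are easy to automate once the console report is parsed. The script below is an added example written for this post; it is not part of theHarvester and not the author's code. It assumes the plain-text report format shown above (the "[+] Emails found:", "[+] Hosts found in search engines:" and "[+] Virtual hosts:" sections) has been captured to a file, for instance with "python theHarvester.py -d testfire.net -b all > report.txt"; the embedded SAMPLE_REPORT is a constructed copy of the testfire.net run shown earlier.

```python
"""Parse a theHarvester 2.7 console report and summarise what it exposes.

Added example, not part of the original post or of theHarvester itself.
Assumes the plain-text report format shown in the post.
"""
import re
from collections import defaultdict

# Constructed sample: the testfire.net run from the post, trimmed to the
# result sections.
SAMPLE_REPORT = """\
[+] Emails found:
------------------
aabbott@testfire.net

[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
65.61.137.117:Demo.testfire.net
65.61.137.117:demo.testfire.net
65.61.137.117:localhost.testfire.net
65.61.137.117:www.testfire.net

[+] Virtual hosts:
==================
65.61.137.117 demo.testfire.net
65.61.137.117 altoromutual.com
65.61.137.117 testfire.net
65.61.137.117 65.61.137.117
"""

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w.-]+\.\w+$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _dedupe(seq):
    """Drop duplicates while keeping first-seen order."""
    return list(dict.fromkeys(seq))


def parse_report(text):
    """Return (emails, hosts, vhosts) from theHarvester console output.

    hosts and vhosts are lists of (ip, hostname) tuples. Hostnames are
    lower-cased so that Demo.testfire.net and demo.testfire.net collapse
    into one entry.
    """
    section = None
    emails, hosts, vhosts = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+] Emails found"):
            section = "emails"
            continue
        if line.startswith("[+] Hosts found"):
            section = "hosts"
            continue
        if line.startswith("[+] Virtual hosts"):
            section = "vhosts"
            continue
        # Skip blanks, separator rules and "[-] ..." progress lines.
        if not line or line[0] in "-=[":
            continue
        if section == "emails" and EMAIL_RE.match(line):
            emails.append(line.lower())
        elif section == "hosts" and ":" in line:
            ip, name = line.split(":", 1)
            hosts.append((ip, name.lower()))
        elif section == "vhosts":
            parts = line.split()
            if len(parts) == 2:
                vhosts.append((parts[0], parts[1].lower()))
    return _dedupe(emails), _dedupe(hosts), _dedupe(vhosts)


def cohosted_domains(target, hosts, vhosts):
    """For every IP that serves the target domain, list the names on that IP
    that do not belong to the target (the pivots the post points at, e.g.
    altoromutual.com on 65.61.137.117). Bare IPs listed as vhosts are ignored."""
    by_ip = defaultdict(set)
    for ip, name in hosts + vhosts:
        if not IP_RE.match(name):
            by_ip[ip].add(name)

    def in_target(name):
        return name == target or name.endswith("." + target)

    result = {}
    for ip, names in by_ip.items():
        if any(in_target(n) for n in names):
            others = sorted(n for n in names if not in_target(n))
            if others:
                result[ip] = others
    return result


def unexpected_emails(emails, known_public):
    """Exposure check for your own domain: addresses the tool found that are
    not on the list of addresses you intend to be public."""
    return sorted(set(emails) - {e.lower() for e in known_public})


if __name__ == "__main__":
    emails, hosts, vhosts = parse_report(SAMPLE_REPORT)
    print("emails:", emails)
    print("co-hosted:", cohosted_domains("testfire.net", hosts, vhosts))
    print("unexpected:", unexpected_emails(emails, ["info@testfire.net"]))
```

On the sample report the script reports altoromutual.com as co-hosted with testfire.net on 65.61.137.117 and flags aabbott@testfire.net as an address that is not on the known-public list. For your own domain, keep the known-public list in version control and run the check on a schedule: a new entry in the "unexpected" output is the signal that something has leaked and needs to be traced back to its source.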