python中的被動信息搜集

概述:

被動信息搜集主要通過搜索引擎或者社交等方式對目標資產信息進行提取,通常包括IP查詢,Whois查詢,子域名搜集等。進行被動信息搜集時不與目標產生交互,可以在不接觸到目標系統的情況下挖掘目標信息。

主要方法:DNS解析,子域名挖掘,郵件爬取等。

DNS解析:

1、概述:

DNS(Domain Name System,域名系統)是一種分佈式網絡目錄服務,主要用於域名與IP地址的相互轉換,能夠使用戶更方便地訪問互聯網,而不用去記住一長串數字(能夠被機器直接讀取的IP)。

2、IP查詢:

IP查詢是通過當前所獲取的URL去查詢對應IP地址的過程。可以利用Socket庫函數中的gethostbyname()獲取域名對應的IP值。

代碼:

import socket

ip = socket.gethostbyname('www.baidu.com')
print(ip)

返回:

39.156.66.14

3、Whois查詢:

Whois是用來查詢域名的IP以及所有者信息的傳輸協議。Whois相當於一個數據庫,用來查詢域名是否已經被註冊,以及註冊域名的詳細信息(如域名所有人,域名註冊商等)。

Python中的python-whois模塊可用於Whois查詢。

代碼:

from whois import whois

data = whois('www.baidu.com')
print(data)

返回:

E:\python\python.exe "H:/code/Python Security/Day01/Whois查詢.py"
{
  "domain_name": [
    "BAIDU.COM",
    "baidu.com"
  ],
  "registrar": "MarkMonitor, Inc.",
  "whois_server": "whois.markmonitor.com",
  "referral_url": null,
  "updated_date": [
    "2020-12-09 04:04:41",
    "2021-04-07 12:52:21"
  ],
  "creation_date": [
    "1999-10-11 11:05:17",
    "1999-10-11 04:05:17"
  ],
  "expiration_date": [
    "2026-10-11 11:05:17",
    "2026-10-11 00:00:00"
  ],
  "name_servers": [
    "NS1.BAIDU.COM",
    "NS2.BAIDU.COM",
    "NS3.BAIDU.COM",
    "NS4.BAIDU.COM",
    "NS7.BAIDU.COM",
    "ns3.baidu.com",
    "ns2.baidu.com",
    "ns7.baidu.com",
    "ns1.baidu.com",
    "ns4.baidu.com"
  ],
  "status": [
    "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
    "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
    "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
    "serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited",
    "serverTransferProhibited https://icann.org/epp#serverTransferProhibited",
    "serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited",
    "clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
    "clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
    "clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
    "serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)",
    "serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)",
    "serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)"
  ],
  "emails": [
    "[email protected]",
    "[email protected]"
  ],
  "dnssec": "unsigned",
  "name": null,
  "org": "Beijing Baidu Netcom Science Technology Co., Ltd.",
  "address": null,
  "city": null,
  "state": "Beijing",
  "zipcode": null,
  "country": "CN"
}

Process finished with exit code 0

子域名挖掘:

1、概述:

域名可以分為頂級域名,一級域名,二級域名等。

子域名(subdomain)是頂級域名(一級域名或父域名)的下一級。

在測試過程中,測試目標主站時如果未發現任何相關漏洞,此時通常會考慮挖掘目標系統的子域名。

子域名挖掘方法有多種,例如,搜索引擎,子域名破解,字典查詢等。

2、利用Python編寫一個簡單的子域名挖掘工具:

(以https://cn.bing.com/為例)

代碼:

# coding=gbk
import requests
from bs4 import BeautifulSoup
from urllib.parse import urlparse
import sys


def Bing_Search(site, pages):
    Subdomain = []
    # 以列表的形式存儲子域名
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
        'Referer': 'https://cn.bing.com/',
        'Cookie': 'MUID=37FA745F1005602C21A27BB3117A61A3; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=DA7BDD699AFB4AEB8C68A0B4741EFA74&dmnchg=1; MUIDB=37FA745F1005602C21A27BB3117A61A3; ULC=P=9FD9|1:1&H=9FD9|1:1&T=9FD9|1:1; PPLState=1; ANON=A=CEC39B849DEE39838493AF96FFFFFFFF&E=1943&W=1; NAP=V=1.9&E=18e9&C=B8-HXGvKTE_2lQJ0I3OvbJcIE8caEa9H4f3XNrd3z07nnV3pAxmVJQ&W=1; _tarLang=default=en; _TTSS_IN=hist=WyJ6aC1IYW5zIiwiYXV0by1kZXRlY3QiXQ==; _TTSS_OUT=hist=WyJlbiJd; ABDEF=V=13&ABDV=13&MRB=1618913572156&MRNB=0; KievRPSSecAuth=FABSARRaTOJILtFsMkpLVWSG6AN6C/svRwNmAAAEgAAACPyKw8I/CYhDEAFiUHPfZQSWnp%2BMm43NyhmcUtEqcGeHpvygEOz6CPQIUrTCcE3VESTgWkhXpYVdYAKRL5u5EH0y3%2BmSTi5KxbOq5zlLxOf61W19jGuTQGjb3TZhsv5Wb58a2I8NBTwIh/cFFvuyqDM11s7xnw/ZZoqc9tNuD8ZG9Hi29RgIeOdoSL/Kzz5Lwb/cfSW6GbawOVtMcToRJr20K0C0zGzLhxA7gYH9CxajTo7w5kRx2/b/QjalnzUh7lvZCNrF5naagj10xHhZyHItlNtjNe3yqqLyLZmgNrzT8o7QWfpJWHqAak4AFt3nY9R0NGLHM6UxPC8ph9hEaYbWtIsY7JNvVYFwbDk6o4oqu33kHeyqW/JTVhQACnpn2v74dZzvk4xRp%2BpcQIoRIzI%3D; _U=1ll1JNraa8gnrWOg3NTDw_PUniDnXYIikDzB-R_hVgutXRRVFcrnaPKxVBXA1w-dBZJsJJNfk6vGHSqJtUsLXvZswsd5A1xFvQ_V_nUInstIfDUs7q7FyY2DmvDRlfMIqbgdt-KEqazoz-r_TLWScg4_WDNFXRwg6Ga8k2cRyOTfGNkon7kVCJ7IoPDTAdqdP; WLID=kQRArdi2czxUqvURk62VUr88Lu/DLn6bFfcwTmB8EoKbi3UZYvhKiOCdmPbBTs0PQ3jO42l3O5qWZgTY4FNT8j837l8J9jp0NwVh2ytFKZ4=; _EDGE_S=SID=01830E382F4863360B291E1B2E6662C7; SRCHS=PC=ATMM; WLS=C=3d04cfe82d8de394&N=%e5%81%a5; SRCHUSR=DOB=20210319&T=1619277515000&TPC=1619267174000&POEX=W; SNRHOP=I=&TS=; _SS=PC=ATMM&SID=01830E382F4863360B291E1B2E6662C7&bIm=656; ipv6=hit=1619281118251&t=4; SRCHHPGUSR=SRCHLANGV2=zh-Hans&BRW=W&BRH=S&CW=1462&CH=320&DPR=1.25&UTC=480&DM=0&WTS=63754766339&HV=1619277524&BZA=0&TH=ThAb5&NEWWND=1&NRSLT=-1&LSL=0&SRCHLANG=&AS=1&NNT=1&HAP=0&VSRO=0'
    }
    for i in range(1, int(pages)+1):
        url = "https://cn.bing.com/search?q=site%3a" + site + "&go=Search&qs=ds&first=" + str((int(i)-1)*10) + "&FORM=PERE"
        html = requests.get(url, headers=headers)
        soup = BeautifulSoup(html.content, 'html.parser')
        job_bt = soup.findAll('h2')
        for i in job_bt:
            link = i.a.get('href')
            domain = str(urlparse(link).scheme + "://" + urlparse(link).netloc)
            if domain in Subdomain:
                pass
            else:
                Subdomain.append(domain)
                print(domain)


if __name__ == '__main__':
    if len(sys.argv) == 3:
        site = sys.argv[1]
        page = sys.argv[2]
    else:
        print("usge: %s baidu.com 10" % sys.argv[0])
        # 輸出幫助信息
        sys.exit(-1)
    Subdomain = Bing_Search('www.baidu.com', 15)

返回:

郵件爬取:

1、概述:

針對目標系統進行滲透的過程中,如果目標服務器安全性很高,通過服務器很難獲取目標權限時,通常會采用社工的方式對目標服務進行進一步攻擊。

針對搜索界面的相關郵件信息進行爬取、處理等操作之後。利用獲得的郵箱賬號批量發送釣魚郵件,誘騙、欺詐目標用戶或管理員進行賬號登錄或點擊執行,進而獲取目標系統的其權限。

該郵件采集工具所用到的相關庫函數如下:

import sys
import getopt
import requests
from bs4 import BeautifulSoup
import re

2、過程:

①:在程序的起始部分,當執行過程中沒有發生異常時,則執行定義的start()函數。

通過sys.argv[ ] 實現外部指令的接收。其中,sys.argv[0] 代表代碼本身的文件路徑,sys.argv[1:] 表示從第一個命令行參數到輸入的最後一個命令行參數,存儲形式為list。

代碼如下:

if __name__ == '__main__':
    # 定義異常
    try:
        start(sys.argv[1: ])
    except:
        print("interrupted by user, killing all threads ... ")

②:編寫命令行參數處理功能。此處主要應用  getopt.getopt()函數處理命令行參數,該函數目前有短選項和長選項兩種格式。

短選項格式為“ – ”加上單個字母選項;

長選項格式為“ — ”加上一個單詞選項。

opts為一個兩元組列表,每個元素形式為“(選項串,附加參數)”。當沒有附加參數時,則為空串。之後通過for語句循環輸出opts列表中的數值並賦值給自定義的變量。

代碼如下:

def start(argv):
    url = ""
    pages = ""
    if len(sys.argv) < 2:
        print("-h 幫助信息;\n")
        sys.exit()
    # 定義異常處理
    try:
        banner()
        opts, args = getopt.getopt(argv, "-u:-p:-h")
    except:
        print('Error an argument')
        sys.exit()
    for opt, arg in opts:
        if opt == "-u":
            url = arg
        elif opt == "-p":
            pages = arg
        elif opt == "-h":
            print(usage())
    launcher(url, pages)

③:輸出幫助信息,增加代碼工具的可讀性和易用性。為瞭使輸出的信息更加美觀簡潔,可以通過轉義字符設置輸出字體顏色,從而實現所需效果。

開頭部分包含三個參數:顯示方式,前景色,背景色。這三個參數是可選的,可以隻寫其中一個參數。結尾可以省略,但為瞭書寫規范,建議以 “\033[0m” 結尾。

代碼如下:

print('\033[0:30;41m 3cH0 - Nu1L \033[0m')
print('\033[0:30;42m 3cH0 - Nu1L \033[0m')
print('\033[0:30;43m 3cH0 - Nu1L \033[0m')
print('\033[0:30;44m 3cH0 - Nu1L \033[0m')
# banner信息
def banner():
    print('\033[1:34m ################################ \033[0m\n')
    print('\033[1:34m 3cH0 - Nu1L \033[0m\n')
    print('\033[1:34m ################################ \033[0m\n')
# 使用規則
def usage():
    print('-h: --help 幫助;')
    print('-u: --url 域名;')
    print('-p --pages 頁數;')
    print('eg: python -u "www.baidu.com" -p 100' + '\n')
    sys.exit()

④:確定搜索郵件的關鍵字,並調用bing_search()和baidu_search()兩個函數,返回Bing與百度兩大搜索引擎的查詢結果。由獲取到的結果進行列表合並,去重之後,循環輸出。

代碼如下:

# 漏洞回調函數
def launcher(url, pages):
    email_num = []
    key_words = ['email', 'mail', 'mailbox', '郵件', '郵箱', 'postbox']
    for page in range(1, int(pages)+1):
        for key_word in key_words:
            bing_emails = bing_search(url, page, key_word)
            baidu_emails = baidu_search(url, page, key_word)
            sum_emails = bing_emails + baidu_emails
            for email in sum_emails:
                if email in email_num:
                    pass
                else:
                    print(email)
                    with open('data.txt', 'a+')as f:
                        f.write(email + '\n')
                    email_num.append(email)

⑤:用Bing搜索引擎進行郵件爬取。Bing引擎具有反爬防護,會通過限定referer、cookie等信息來確定是否網頁爬取操作。

可以通過指定referer與requeses.session()函數自動獲取cookie信息,繞過Bing搜索引擎的反爬防護。

代碼如下:

# Bing_search
def bing_search(url, page, key_word):
    referer = "http://cn.bing.com/search?q=email+site%3abaidu.com&sp=-1&pq=emailsite%3abaidu.com&first=1&FORM=PERE1"
    conn = requests.session()
    bing_url = "http://cn.bing.com/search?q=" + key_word + "+site%3a" + url + "&qa=n&sp=-1&pq=" + key_word + "site%3a" + url +"&first=" + str((page-1)*10) + "&FORM=PERE1"  
    conn.get('http://cn.bing.com', headers=headers(referer))
    r = conn.get(bing_url, stream=True, headers=headers(referer), timeout=8)
    emails = search_email(r.text)
    return emails

⑥:用百度搜索引擎進行郵件爬取。百度搜索引擎同樣設定瞭反爬防護,相對Bing來說,百度不僅對referer和cookie進行校驗,還同時在頁面中通過JavaScript語句進行動態請求鏈接,從而導致不能動態獲取頁面中的信息。

可以通過對鏈接的提取,在進行request請求,從而繞過反爬設置。

代碼如下:

# Baidu_search
def baidu_search(url, page, key_word):
    email_list = []
    emails = []
    referer = "https://www.baidu.com/s?wd=email+site%3Abaidu.com&pn=1"
    baidu_url = "https://www.baidu.com/s?wd=" + key_word + "+site%3A" + url + "&pn=" + str((page-1)*10)
    conn = requests.session()   
    conn.get(baidu_url, headers=headers(referer))
    r = conn.get(baidu_url, headers=headers(referer))
    soup = BeautifulSoup(r.text, 'lxml')
    tagh3 = soup.find_all('h3')
    for h3 in tagh3:
        href = h3.find('a').get('href')
        try:
            r = requests.get(href, headers=headers(referer))
            emails = search_email(r.text)   
        except Exception as e:
            pass
        for email in emails:
            email_list.append(email)
    return email_list

⑦:通過正則表達式獲取郵箱號碼。此處也可以換成目標企業郵箱的正則表達式。

代碼如下:

# search_email
def search_email(html):
    emails = re.findall(r"[a-z0-9\.\-+_][email protected][a-z0-9\.\-+_]+\.[a-z]" + html, re.I)
    return emails
# headers(referer)
def headers(referer):
    headers = {
        'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Accept-Encoding': 'gzip, deflate, br',
        'Referer': referer
    }
    return headers

3、完整代碼:

# coding=gbk
import sys
import getopt
import requests
from bs4 import BeautifulSoup
import re


# 主函數,傳入用戶輸入的參數
def start(argv):
    url = ""
    pages = ""
    if len(sys.argv) < 2:
        print("-h 幫助信息;\n")
        sys.exit()
    # 定義異常處理
    try:
        banner()
        opts, args = getopt.getopt(argv, "-u:-p:-h")
    except:
        print('Error an argument')
        sys.exit()
    for opt, arg in opts:
        if opt == "-u":
            url = arg
        elif opt == "-p":
            pages = arg
        elif opt == "-h":
            print(usage())
    launcher(url, pages)


# banner信息
def banner():
    print('\033[1:34m ################################ \033[0m\n')
    print('\033[1:34m 3cH0 - Nu1L \033[0m\n')
    print('\033[1:34m ################################ \033[0m\n')


# 使用規則
def usage():
    print('-h: --help 幫助;')
    print('-u: --url 域名;')
    print('-p --pages 頁數;')
    print('eg: python -u "www.baidu.com" -p 100' + '\n')
    sys.exit()


# 漏洞回調函數
def launcher(url, pages):
    email_num = []
    key_words = ['email', 'mail', 'mailbox', '郵件', '郵箱', 'postbox']
    for page in range(1, int(pages)+1):
        for key_word in key_words:
            bing_emails = bing_search(url, page, key_word)
            baidu_emails = baidu_search(url, page, key_word)
            sum_emails = bing_emails + baidu_emails
            for email in sum_emails:
                if email in email_num:
                    pass
                else:
                    print(email)
                    with open('data.txt', 'a+')as f:
                        f.write(email + '\n')
                    email_num.append(email)


# Bing_search
def bing_search(url, page, key_word):
    referer = "http://cn.bing.com/search?q=email+site%3abaidu.com&sp=-1&pq=emailsite%3abaidu.com&first=1&FORM=PERE1"
    conn = requests.session()
    bing_url = "http://cn.bing.com/search?q=" + key_word + "+site%3a" + url + "&qa=n&sp=-1&pq=" + key_word + "site%3a" + url +"&first=" + str((page-1)*10) + "&FORM=PERE1"
    conn.get('http://cn.bing.com', headers=headers(referer))
    r = conn.get(bing_url, stream=True, headers=headers(referer), timeout=8)
    emails = search_email(r.text)
    return emails


# Baidu_search
def baidu_search(url, page, key_word):
    email_list = []
    emails = []
    referer = "https://www.baidu.com/s?wd=email+site%3Abaidu.com&pn=1"
    baidu_url = "https://www.baidu.com/s?wd=" + key_word + "+site%3A" + url + "&pn=" + str((page-1)*10)
    conn = requests.session()
    conn.get(baidu_url, headers=headers(referer))
    r = conn.get(baidu_url, headers=headers(referer))
    soup = BeautifulSoup(r.text, 'lxml')
    tagh3 = soup.find_all('h3')
    for h3 in tagh3:
        href = h3.find('a').get('href')
        try:
            r = requests.get(href, headers=headers(referer))
            emails = search_email(r.text)
        except Exception as e:
            pass
        for email in emails:
            email_list.append(email)
    return email_list


# search_email
def search_email(html):
    emails = re.findall(r"[a-z0-9\.\-+_][email protected][a-z0-9\.\-+_]+\.[a-z]" + html, re.I)
    return emails


# headers(referer)
def headers(referer):
    headers = {
        'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Accept-Encoding': 'gzip, deflate, br',
        'Referer': referer
    }
    return headers


if __name__ == '__main__':
    # 定義異常
    try:
        start(sys.argv[1: ])
    except:
        print("interrupted by user, killing all threads ... ")

以上就是python中的被動信息搜集的詳細內容,更多關於python 被動信息搜集的資料請關註WalkonNet其它相關文章!