📜  Kali Linux – Information Gathering Tools (1)

📅  Last modified: 2023-12-03 15:32:27.469000             🧑  Author: Mango

Kali Linux - Information Gathering Tools

Kali Linux is a Debian-based Linux distribution built for security testing and penetration testing. It ships with a large collection of penetration testing and information security tools for probing networks, identifying vulnerabilities, and carrying out penetration tests.

Information Gathering Tools

Information gathering is a critical first step in any penetration test or security assessment. Kali Linux provides many information gathering tools, including but not limited to the following:

Nmap

Nmap is a network discovery and security auditing tool. It scans hosts and services, identifies operating systems and version information, and can detect certain vulnerabilities.

Use the command nmap -sS <IP address> (a TCP SYN scan, which requires root privileges) to scan the host at the given IP address. For example:

$ nmap -sS 192.168.1.1

Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-10 08:00 CST
Nmap scan report for 192.168.1.1
Host is up (0.0026s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
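
As an added example (not part of the original article), the following Python script parses an nmap normal-format report like the one above and compares the open ports against a per-host baseline, so that unexpected exposures and cleartext protocols stand out for remediation. The sample report is constructed from the output above; the CLEARTEXT policy list and the baseline allow-list are assumptions.

```python
import re

# Constructed sample: the nmap normal-format report shown in the text above
SAMPLE_REPORT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-10 08:00 CST
Nmap scan report for 192.168.1.1
Host is up (0.0026s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Assumed policy list: services that carry credentials or data in cleartext
CLEARTEXT = {"telnet", "http", "ftp", "printer", "jetdirect"}


def parse_nmap_report(text):
    """Return {host: [(port, proto, state, service), ...]} from nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts


def audit(hosts, baseline):
    """Flag open ports missing from the per-host allow-list and cleartext services."""
    findings = []
    for host, ports in hosts.items():
        allowed = baseline.get(host, set())
        for port, proto, state, service in ports:
            if state != "open":
                continue
            if (port, proto) not in allowed:
                findings.append((host, port, proto, service, "not in baseline"))
            if service in CLEARTEXT:
                findings.append((host, port, proto, service, "cleartext protocol"))
    return findings
```

Feeding the script a fresh report after each scan turns a one-off port listing into a drift check: any port that appears outside the baseline, or any service on the cleartext list, is reported for follow-up.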

Recon-ng

Recon-ng is a web reconnaissance framework for network and open-source intelligence (OSINT) gathering. It can work with many kinds of data sources and automates many steps that would otherwise have to be performed by hand.

Run the command recon-ng to enter the Recon-ng command-line interface, then use the show modules command to list the available modules.

$ recon-ng

[recon-ng][default] > show modules

  Modules
  -----------------------------------------------------------------------------------------------
  recon/domains-contacts/pgp_search
  recon/domains-contacts/salesforce
  recon/domains-contacts/whois_pocs
  recon/domains-hosts/alexa
  recon/domains-hosts/anubis
  recon/domains-hosts/archive_it
  recon/domains-hosts/baidu
  recon/domains-hosts/bing_certificates
  recon/domains-hosts/bing_domain_web
  recon/domains-hosts/bing_domains
  recon/domains-hosts/bing_ip
  recon/domains-hosts/bing_phonebook
  recon/domains-hosts/bing_tlds
  recon/domains-hosts/censys
  recon/domains-hosts/ceoemail
  recon/domains-hosts/centralops
  recon/domains-hosts/crawl
  recon/domains-hosts/crt
  recon/domains-hosts/dnsdb
  recon/domains-hosts/doubleclick
  recon/domains-hosts/exalead_certificates
  recon/domains-hosts/exalead_domains
  recon/domains-hosts/exalead_ip
  recon/domains-hosts/exalead_phonebook
  recon/domains-hosts/exalead_tlds
  recon/domains-hosts/facebook_graph
  recon/domains-hosts/fofa
  recon/domains-hosts/google_certificates
  recon/domains-hosts/google_cse
  recon/domains-hosts/google_dork
  recon/domains-hosts/google_profile
  recon/domains-hosts/google_site
  recon/domains-hosts/google_site_api
  recon/domains-hosts/hackertarget
  recon/domains-hosts/hunter
  recon/domains-hosts/ipinfodb
  recon/domains-hosts/ip_void
  recon/domains-hosts/lacnic
  recon/domains-hosts/linked_in
  recon/domains-hosts/mxtoolbox
  recon/domains-hosts/netcraft
  recon/domains-hosts/passivedns
  recon/domains-hosts/ptrarchive
  recon/domains-hosts/ripe
  recon/domains-hosts/robtex_asn
  recon/domains-hosts/robtex_contact
  recon/domains-hosts/robtex_ip
  recon/domains-hosts/rss
  recon/domains-hosts/sitedossier
  recon/domains-hosts/sitedossier_contacts
  recon/domains-hosts/site_report
  recon/domains-hosts/skypeforbusiness
  recon/domains-hosts/sub_brute
  recon/domains-hosts/subdomt2
  recon/domains-hosts/sublist3r
  recon/domains-hosts/threatcrowd
  recon/domains-hosts/threatminer
  recon/domains-hosts/threatsourcing
  recon/domains-hosts/tor_nodes
  recon/domains-hosts/traceroute
  recon/domains-hosts/udp
  recon/domains-hosts/unique_san
  recon/domains-hosts/urlscan
  recon/domains-hosts/viewdns
  recon/domains-hosts/wayback
  recon/hosts-hosts/ssl_guard
  recon/profiles-profiles/username_harvester
  recon/profiles-profiles/whoami
  recon/contacts-contacts/fullcontact
  recon/contacts-contacts/hibp
  recon/contacts-contacts/hunter
  recon/contacts-contacts/pipl
  recon/contacts-contacts/profiler
  recon/osint/osint_social/bee_related
  recon/osint/osint_social/biased_news
  recon/osint/osint_social/byte_check
  recon/osint/osint_social/dating_sites
  recon/osint/osint_social/discord_id
  recon/osint/osint_social/flickr_images
  recon/osint/osint_social/hashtags
  recon/osint/osint_social/sourceforge_users
  recon/osint/osint_social/twitter
  recon/osint/osint_social/yt_comments
  recon/persons-persons/data_breach
  recon/persons-persons/googleplus
  recon/persons-persons/hunter
  recon/persons-persons/info_by_email
  recon/persons-persons/instagram
  recon/persons-persons/namechk
  recon/persons-persons/phones
  recon/persons-persons/shodan_email
  recon/persons-persons/shodan_username
  recon/persons-persons/username_check
  recon/persons-persons/whitepages_pro
  recon/persons-persons/whoisology
  recon/persons-persons/zoominfo
  recon/companies-companies/bing_api
  recon/companies-companies/companieshouse
  recon/companies-companies/google_finance
  recon/companies-companies/hunter
  recon/companies-companies/lnkd_api
  recon/companies-companies/lu_li
  recon/companies-companies/otx_api
  recon/companies-companies/shodan_hosts
  recon/domains/bruteforce
  recon/domains/ip
  recon/domains/hostalive
  recon/domains/top_ports
  recon/domains/virtual_hosts
[...]

TheHarvester

TheHarvester is an open-source tool for gathering e-mail addresses, subdomains, virtual hosts, and related host information.

Use the command theharvester -d <domain> -l <count> to look up e-mail addresses for the given domain, where -l limits the number of results (the -b option selects the data source, as the usage text below shows). For example:

$ theharvester -d google.com -l 10

────────────────────────────────────────────────────────────────────────────────────────────────────────────────
theHarvester 3.2.1     by Christian Martorella (edge-security.com) and others
Usage: theharvester options

Harvesting:
-d: Domain to search or company name (google.com, microsoft.com)
-b: Data source (google, bing, linkedin, etc.)
-s: Start in result number X (default: 0)
-v: Verify host name via dns resolution and search for virtual hosts
-f: Save the results into an HTML and XML file (be careful with the -m option, always conduct a test)
-n: Perform a DNS reverse query on all ranges discovered
-c: Perform a DNS brute force for the domain name
-t: Perform a DNS TLD expansion discovery
-e: Use this email provider (default: all providers)
-m: Metasploit integration

Enumeration:
-l: Limit the number of results to work with (bing has a limit of 50)
-k: Use this keyword to start searching (optional)
-w: Perform a search for a single record and exit
-p: Use this Google Custom Search Engine (CSE) ID for search, default is thegoogle search engine
-a: Include only these comma separated Google Custom Search Engine (CSE) categories (web, images, youtube, etc.)
-g: Use google dorks for Google search enumeration. For example: -g "site:github.com"
-o: Output folder name

API keys/username:
-x: Slideshare API key
-z: Zoominfo API key
-h: SHODAN API key
-u: Hunter API key
-m': Metasploit RPC username
Searching Google...
Searching Google Images...
Searching Google Groups...
Searching Google News...
Searching Google Docs...
Searching Google+. . .
Google+ usernames found: 0
Searching LinkedIn...
LinkedIn emails found: 0
Searching LinkedIn URLs...
Searching Bing...
Bing emails found: 0
Searching PGP servers...
PGP Emails found: 0
Searching Twitter...
Searching Google profiles...
Searching VKontakte...
No emails found
Searching General...
All emails has been searched

Maltego

Maltego is a graph-based intelligence gathering and reconnaissance tool that helps users understand the blueprint of a target network and discover potential attack vectors.

Run the command maltego to start Maltego, enter the domain to query in a "New Graph", then choose "Transforms -> Run Transform -> All Transforms" to start the query.

Summary

In addition to its many information gathering tools, Kali Linux offers many other kinds of security auditing, network testing, and vulnerability scanning tools. It must be emphasized that when using these tools for security testing and assessment, you should comply with applicable laws and regulations.