HVV information collection key points

The following text is a collection of tools and websites commonly used for information gathering. It is continuously updated!

1. Company/Organization Name#

爱企查

Tool: enscan

wgpsec/ENScan_GO

一款基于各大企业信息API的工具，解决在遇到的各种针对国内企业信息收集难题。一键收集控股公司ICP备案、APP、小程序、微信公众号等信息聚合导出。

Go3118297

./ENScanPublic_amd64_darwin -n Company Name

This step can obtain the target domain and all subsidiary companies.

小蓝本

Tool: lbb

GitHub - jixing-lab/lbb: lbb is a corporate information query tool that can help companies query their own publicly available applications, new media, websites, etc.

2. Domain#

oneforall

shuize

Online Subdomain Tools#

phpinfo.me

rapiddns

Brute Force#

Layer Subdomain Digging Machine (optional)

subDomainsBrute

Duplicate Recognition and Live Detection#

cat domain.txt | httpx
cat domain.txt | sort | uniq | httpx

This step focuses on domain information collection. After collection, it needs to be deduplicated and checked for live status.

3. IP#

Domain to IP, C segment

cIPR

Converts domain to IP segment weight.

IP to Domain

ip2domain

Batch query IP corresponding domain, Baidu weight, and filing information.

4. Ports#

Masscan#

Scan a single IP

sudo masscan --rate 1000 -p1-65535 --only-open 1.1.1.1

Scan multiple IPs

sudo masscan -iL ip.txt --rate 10000 -p1-65535 --only-open

Identify live ports

cat masscan.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | httpx

I have tried many port scanning tools, but I am not satisfied with them, so I returned to using masscan. By default, without the --rate option to set the speed, it scans all ports of a single IP, which takes about 10 minutes. The scan time can be reduced to 1-2 minutes by increasing the rate appropriately, such as 1000 or 2000, which is acceptable.

Other tools can be used as supplements to discover hidden assets.

Small script

#!/bin/bash

# masscan port scan 
#
#
sudo masscan -p1-65535 $1 --rate 1000 > ./mport.txt
cat mport.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | httpx > mresult.txt
rm -rf ./mport.txt

You can also try rustscan.

5. Semi/Automated Exploitation Tools#

GitHub - zhzyker/dismap: Asset discovery and identification tools 快速识别 Web 指纹信息，定位资产类型。辅助红队快速定位目标资产信息，辅助蓝队发现疑似脆弱点

nuclei

Domain, IP, and ports are the three attributes of assets, and information gathering revolves around these three attributes. There are many tools for collection, so finding the most suitable one is the most important.

Fingerprint Recognition#

observer_ward

kscan

GitHub - winezer0/whatweb-plus: whatweb enhanced version, merging multiple fingerprint libraries with 8000+ plugins (providing exe version)

Combine port scanning scripts with fingerprint recognition tools

echo -e "\033[31m Starting masscan port scan... \033[0m"
sudo masscan -p1-65535 $1 --rate 1000 > ./mport.txt
echo -e "\033[31m Starting httpx live detection... \033[0m"
cat mport.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2  | httpx > mresult.txt
rm -rf ./mport.txt

echo -e "\033[31m Scanning with kscan... \033[0m"
if [ -f "mresult.txt" ]; then
	kscan -t mresult.txt -o kscanresult.txt
fi

echo -e "\033[31m Fingerprint recognition... \033[0m"
if [ -f "kscanresult.txt" ]; then
	cat kscanresult.txt | grep -E "http:|https" | awk 'BEGIN {FS="  " } ; { print $1 }' | observer_ward --stdin
fi
rm -rf kscanresult.txt

6. Asset Mapping Platforms#

hunter

fofa