This page collects some commonly used information gathering scripts.
Identifying Live Hosts with nmap and masscan
Use nmap to identify live hosts, then pass the live IPs to masscan to scan their ports. After scanning, filter the results into ip:port format, then use httpx to check which of those services are actually live.
# nmap scan for live hosts
nmap -sn 172.29.130.0/24 > nmap-ip.txt
# Get the live IPs from the nmap scan: the IP is the last field of each "report for" line,
# either bare or in parentheses when a hostname was resolved
awk '/report for/ {gsub(/[()]/, "", $NF); print $NF}' nmap-ip.txt > ip.txt
# masscan port scan (save stdout, the "Discovered open port ..." lines are parsed below)
sudo masscan -iL ip.txt --rate 10000 -p1-65535 --only-open > masscan-ip.txt
# Get the IPs from the masscan scan results
cat masscan-ip.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1 | sort -t "." -k4n | uniq > ip.txt
# Get the ports from the masscan scan results
cat masscan-ip.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f2 | sort -n | uniq > port.txt
# If you want both IPs and ports (ip:port)
cat masscan-ip.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | sort -t "." -k4n | uniq
After organizing the results in ip:port format (e.g., 192.168.1.1:8080), you can feed them to other tools, for example httpx, to check which of the services are live.
httpx output looks like the following, and gives you the complete URL for each live service.
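As an added example (not from the original page), the following POSIX shell function does the masscan-to-ip:port conversion above in one step; it also accepts masscan's -oL list format and sorts on all four octets rather than only the last. The function names and the sample scan lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): turn masscan output into ip:port lines.
# Accepts both the default stdout format ("Discovered open port 22/tcp on 10.0.0.5")
# and the -oL list format ("open tcp 22 10.0.0.5 1700000000"), keeps TCP only,
# removes duplicates and sorts by all four octets, then by port.
masscan_to_hostport() {
    awk '
        function emit(ip, port,   o) {
            split(ip, o, ".")
            # prefix with numeric sort keys; the last column is the ip:port we want
            print o[1], o[2], o[3], o[4], port, ip ":" port
        }
        $1 == "Discovered" && $3 == "port" && $4 ~ /\/tcp$/ { split($4, p, "/"); emit($6, p[1]) }
        $1 == "open" && $2 == "tcp" { emit($4, $3) }
    ' "$@" | sort -k1,1n -k2,2n -k3,3n -k4,4n -k5,5n -u | cut -d ' ' -f6
}

# Constructed sample in both formats (not real scan data); includes a duplicate and a UDP line
sample_scan_output() {
    printf '%s\n' \
        'Discovered open port 443/tcp on 10.0.0.20' \
        'Discovered open port 22/tcp on 10.0.0.5' \
        'Discovered open port 443/tcp on 10.0.0.20' \
        'open tcp 80 10.0.0.5 1700000000' \
        'open udp 53 10.0.0.1 1700000000'
}

# Stand-alone run; on real output use: masscan_to_hostport masscan-ip.txt | httpx
sample_scan_output | masscan_to_hostport
```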
Bulk Identifying Live Hosts in Windows
# Bulk ping C class in Windows to identify live hosts
for /L %i IN (1,1,254) DO ping -w 2 -n 1 192.168.1.%i
Generating IP Ranges
# Generate 192.168.1.1-192.168.1.254
# usage: 1 254 192.168.1.
# Brace expansion ({$1..$2}) does not expand variables, so use seq for the range
for i in $(seq "$1" "$2"); do echo "$3$i"; done
Bulk Appending Specific Content to Text
If you have a text file with one IP address per line and you need to add the HTTP protocol before each address to make it http://ip, you can use the sed command to append content to the beginning or end of each line. The characters $ and ^ represent the end and the beginning of each line, respectively.
# Append specific content to the end of each line in a file; in this case a network prefix on each line, e.g., 192.168.1, becomes 192.168.1.0/24
cat ip.txt | sed 's/$/.0\/24/'
# Append specific content to the beginning of each line in a file, in this case, the IP address, e.g., 192.168.1.5, is transformed into http://192.168.1.5
cat ip.txt | sed 's/^/http:\/\//'
Getting All Gateway IPs in a Local Network
Generate the candidate gateway IPs (the .1 address of every /24) in the private address ranges, to check which C-class networks are live.
# Class A (10.0.0.0/8)
for i in {1..255};do for b in {1..255};do echo "10".$i.$b."1";done;done
# Class B (172.16.0.0/12)
for i in {16..31};do for b in {1..255};do echo "172".$i.$b."1";done;done
# Class C (192.168.0.0/16)
for i in {1..255};do echo "192.168".$i."1";done
Extracting IPs from a File
grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" file.txt
Extracting URLs from a Text
grep -E -o "https?://[a-zA-Z0-9./?=_-]*" file.txt
# Extract URLs from a JavaScript file (the character class must include "." and "-" or hostnames are cut short)
curl -s https://abc.com/file.js | grep -Eo "https?://[a-zA-Z0-9./?=_-]*"
Extracting URLs from an APK
Refer to: ndelphit/apkurlgrep on GitHub (Extract endpoints from APK files)
apkurlgrep -a path/to/file.apk
Subdomain Enumeration
curl -s "https://rapiddns.io/subdomain/jxuspt.com?full=1#result" | grep "<td><a" | cut -d "/" -f3 | cut -d '"' -f1 | xargs -l2 | sed 's/#result//g'
curl -s "https://rapiddns.io/subdomain/$1?full=1" | grep '<td>[a-z]' | cut -d "<" -f2 | cut -d ">" -f2 | grep -v http | sort
SSH Key Search
for key in ~/.ssh/*; do ssh-keygen -l -f "${key}"; done | uniq
View Wi-Fi Passwords
netsh wlan show profile name="WIFI_5G"
netsh wlan show profile name="WIFI_5G" key=clear
Fingerprint Recognition Script
Based on the previous content, you can write some bash scripts for easy one-click querying. The following script performs a masscan scan, then uses httpx to detect live systems, and uses kscan and observer_ward to scan system fingerprints.
If you hook it into your .bash_profile (as a function or alias named mscan), you can start the scan by entering mscan 11.11.11.11.
#!/bin/bash
# masscan port scan, then httpx live detection, kscan and observer_ward fingerprinting
# usage: mscan <target ip or range>
echo -e "\033[31m Starting masscan port scan... \033[0m"
sudo masscan -p1-65535 "$1" --rate 1000 > ./mport.txt
echo -e "\033[31m Starting httpx live detection... \033[0m"
# Convert "Discovered open port 22/tcp on 1.2.3.4" lines into ip:port and feed them to httpx
cat mport.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | httpx > mresult.txt
rm -f ./mport.txt
echo -e "\033[31m kscan scanning... \033[0m"
if [ -f "mresult.txt" ]; then
    kscan -t mresult.txt -o kscanresult.txt
fi
echo -e "\033[31m Fingerprint recognition... \033[0m"
if [ -f "kscanresult.txt" ]; then
    # Take the URL column from the kscan output and pass it to observer_ward on stdin
    grep -E "http:|https" kscanresult.txt | awk '{print $1}' | observer_ward --stdin
fi
rm -f kscanresult.txt