Tools and websites commonly used for information gathering, continuously updated!
1. Company/Organization Name
Tool: enscan
```bash
./ENScanPublic_amd64_darwin -n "Company Name"
```
This step obtains the target's domains and all of its subsidiaries.
Tool: lbb
2. Domain
Online Subdomain Tools
Brute Force
Layer Subdomain Excavator (optional)
Duplicate Recognition and Live Identification
```bash
cat domain.txt | httpx
cat domain.txt | sort | uniq | httpx
```
This step focuses on domain information gathering. After collection, the results need to be deduplicated and checked for live hosts.
3. IP
Domain to IP, C segment: resolve the collected domains to IPs and their C-class (/24) ranges, with site weight.
IP to Domain: batch-query the domains hosted on each IP, their Baidu weight, and registration (ICP record) information.
4. Ports
Masscan
Scan a single IP
```bash
sudo masscan --rate 1000 -p1-65535 --only-open 1.1.1.1
```
Scan multiple IPs
```bash
sudo masscan -iL ip.txt --rate 10000 -p1-65535 --only-open
```
Identify live ports (masscan.txt holds masscan's redirected standard output, one "Discovered open port 80/tcp on 1.1.1.1" line per hit)
```bash
cat masscan.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | httpx
```
I have tried many port scanning tools, but I am not satisfied with them, so I returned to using masscan. By default, without the --rate setting, it scans all ports of a single IP, which takes about 10 minutes. You can adjust the rate to 1000 or 2000 to scan in 1-2 minutes, which is acceptable in terms of time.
Other tools can be used as supplements to discover hidden assets.
Small script
```bash
#!/bin/bash
# masscan port scan: scan all TCP ports of the target given as $1,
# then pass the open ip:port pairs to httpx for live detection.
if [ -z "$1" ]; then
    echo "usage: $0 <ip-or-range>"
    exit 1
fi
sudo masscan -p1-65535 "$1" --rate 1000 > ./mport.txt
# masscan prints "Discovered open port 80/tcp on 1.1.1.1"; rebuild each line as ip:port
cat mport.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | httpx > mresult.txt
rm -f ./mport.txt
```
You can also try rustscan.
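The cut/awk chain above works only on masscan's exact default stdout line and silently drops everything else. As an added example (not the author's script), the bash function below parses both masscan's stdout format and its -oL list format into unique ip:port pairs, keeps only open TCP ports, and runs on constructed sample lines; its output can be piped into httpx the same way.

```bash
#!/bin/bash
# Constructed sample of masscan stdout: a duplicate hit, a UDP hit and a
# status line are included to show what the parser keeps and drops.
MASSCAN_SAMPLE='Discovered open port 80/tcp on 192.0.2.10
Discovered open port 443/tcp on 192.0.2.10
Discovered open port 80/tcp on 192.0.2.10
Discovered open port 53/udp on 192.0.2.11
Discovered open port 8080/tcp on 192.0.2.11
rate:  0.10-kpps, 100.00% done, waiting 0-secs, found=5'

# masscan_to_hostports: read masscan stdout (or -oL list output) on stdin and
# emit unique "ip:port" lines for open TCP ports only, sorted by ip then port.
masscan_to_hostports() {
  awk '
    # stdout format: Discovered open port 80/tcp on 192.0.2.10
    $1 == "Discovered" && $2 == "open" && $4 ~ /\/tcp$/ {
      split($4, pp, "/"); print $6 ":" pp[1]
    }
    # -oL list format: open tcp 80 192.0.2.10 1700000000
    $1 == "open" && $2 == "tcp" { print $4 ":" $3 }
  ' | sort -t: -k1,1 -k2,2n -u
}

# count_hostports: number of unique ip:port targets parsed from the sample
count_hostports() {
  printf '%s\n' "$MASSCAN_SAMPLE" | masscan_to_hostports | wc -l | tr -d ' '
}

# Stand-alone run: print the parsed targets (3 lines for the sample above)
printf '%s\n' "$MASSCAN_SAMPLE" | masscan_to_hostports
```

Replace the `cat mport.txt | grep ... | cut ...` chain with `masscan_to_hostports < mport.txt | httpx`.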
5. Semi/Automated Exploitation Tools
Domain, IP, and ports are the three attributes of assets, and information gathering revolves around these three attributes. There are many tools for collection, but finding the most suitable one is the most important.
Fingerprint Recognition
Combine the port scanning script with fingerprint recognition tools:
```bash
#!/bin/bash
# Port scan with masscan, live detection with httpx, then service and
# fingerprint identification with kscan and observer_ward.
if [ -z "$1" ]; then
    echo "usage: $0 <ip-or-range>"
    exit 1
fi
echo -e "\033[31m Starting masscan port scanning... \033[0m"
sudo masscan -p1-65535 "$1" --rate 1000 > ./mport.txt
echo -e "\033[31m Starting httpx live detection... \033[0m"
# rebuild masscan's "Discovered open port 80/tcp on 1.1.1.1" lines as ip:port
cat mport.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | httpx > mresult.txt
rm -f ./mport.txt
echo -e "\033[31m Scanning with kscan... \033[0m"
if [ -f "mresult.txt" ]; then
    kscan -t mresult.txt -o kscanresult.txt
fi
echo -e "\033[31m Fingerprint recognition... \033[0m"
if [ -f "kscanresult.txt" ]; then
    # keep only the http/https URLs from kscan's output and fingerprint them
    cat kscanresult.txt | grep -E "http:|https" | awk 'BEGIN {FS=" " } ; { print $1 }' | observer_ward --stdin
fi
rm -f kscanresult.txt
```