Key points for hvv information collection

Tools and websites commonly used for information gathering, continuously updated!

1. Company/Organization Name#

Tool: enscan

一款基于各大企业信息API的工具，解决在遇到的各种针对国内企业信息收集难题。一键收集控股公司ICP备案、APP、小程序、微信公众号等信息聚合导出。

Go3085297

./ENScanPublic_amd64_darwin -n Company Name

This step can obtain the target domain and all subsidiaries.

Xiaolanben

Tool: lbb

GitHub - jixing-lab/lbb: lbb is a corporate information query tool that can help companies query their own publicly available applications, new media, websites, etc.

2. Domain#

OneForAll

Shuize

Online Subdomain Tools#

phpinfo.me

Rapiddns

Brute Force#

Layer Subdomain Excavator (optional)

subDomainsBrute

Duplicate Recognition and Live Identification#

cat domain.txt | httpx
cat domain.txt | sort | uniq | httpx

This step focuses on domain information gathering. After the collection is completed, it needs to be deduplicated and identified for live status.

3. IP#

Domain to IP, C segment

cIPR

Convert domain to IP range with weight

IP to Domain

ip2domain

Batch query IP corresponding domain, Baidu weight, record information;

4. Ports#

Masscan#

Scan a single IP

sudo masscan  --rate 1000 -p1-65535 --only-open 1.1.1.1

Scan multiple IPs

sudo masscan -iL ip.txt --rate 10000 -p1-65535 --only-open

Identify live ports

cat masscan.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | httpx

I have tried many port scanning tools, but I am not satisfied with them, so I returned to using masscan. By default, without the --rate setting, it scans all ports of a single IP, which takes about 10 minutes. You can adjust the rate to 1000 or 2000 to scan in 1-2 minutes, which is acceptable in terms of time.

Other tools can be used as supplements to discover hidden assets.

Small script

#!/bin/bash

# masscan port scan 
#
#
sudo masscan -p1-65535 $1 --rate 1000 > ./mport.txt
cat mport.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | httpx > mresult.txt
rm -rf ./mport.txt

You can try rustscan

5. Semi/Automated Exploitation Tools#

GitHub - zhzyker/dismap: Asset discovery and identification tools 快速识别 Web 指纹信息，定位资产类型。辅助红队快速定位目标资产信息，辅助蓝队发现疑似脆弱点

Nuclei

Domain, IP, and ports are the three attributes of assets, and information gathering revolves around these three attributes. There are many tools for collection, but finding the most suitable one is the most important.

Fingerprint Recognition#

ObserverWard

Kscan

GitHub - winezer0/whatweb-plus: whatweb enhanced version, merge multiple fingerprint libraries, 8000+ plugins (provides exe version)

Combine port scanning scripts with fingerprint recognition tools

echo -e "\033[31m Starting masscan port scanning... \033[0m"
sudo masscan -p1-65535 $1 --rate 1000 > ./mport.txt
echo -e "\033[31m Starting httpx live detection... \033[0m"
cat mport.txt | grep "tcp" | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2  | httpx > mresult.txt
rm -rf ./mport.txt

echo -e "\033[31m Scanning with kscan... \033[0m"
if [ -f "mresult.txt" ]; then
	kscan -t mresult.txt -o kscanresult.txt
fi

echo -e "\033[31m Fingerprint recognition... \033[0m"
if [ -f "kscanresult.txt" ]; then
	cat kscanresult.txt | grep -E "http:|https" | awk 'BEGIN {FS="  " } ; { print $1 }' | observer_ward --stdin
fi
rm -rf kscanresult.txt

6. Asset Mapping Platforms#

Hunter

Fofa