lca

True unfreedom is the cage one builds inside one's own heart.

How to Collect Information Quickly

A collection of commonly used information-gathering scripts.

Identifying live hosts using nmap combined with masscan

nmap first identifies the live hosts; their addresses are handed to masscan, which scans the ports of those IPs. The masscan results are then filtered into plain IP, port, or ip:port lists, and httpx is used to find which of the open ports actually serve HTTP.

# Scan for live hosts using nmap (ping sweep only, no port scan)
nmap -sn 172.29.130.0/24 > nmap-ip.txt
# Get the live IP addresses from the nmap report lines; the address is the last field,
# either bare ("... report for 172.29.130.1") or in parentheses when reverse DNS resolved
grep "Nmap scan report" nmap-ip.txt | awk '{print $NF}' | tr -d '()' > ip.txt
# Scan all TCP ports of the live hosts with masscan and capture its stdout
# ("Discovered open port 80/tcp on 172.29.130.1"); masscan reports only open ports by default
sudo masscan -iL ip.txt --rate 10000 -p1-65535 > masscan-ip.txt
# Get the IP addresses from the masscan scan results
grep "tcp" masscan-ip.txt | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1 | sort -t "." -k4n | uniq > ip.txt
# Get the ports from the masscan scan results
grep "tcp" masscan-ip.txt | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f2 | sort -n | uniq > port.txt
# If you need both the port and the IP address (ip:port, one per line)
grep "tcp" masscan-ip.txt | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | sort -t "." -k4n | uniq

Once the output is in ip:port form (e.g., 192.168.1.1:8080), feed it to httpx (or any other probe) to check which of those ports answer HTTP and to obtain the complete URLs.

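As an added example (not code from the original post), the masscan-to-target-list step above rewritten as reusable shell functions. It assumes masscan's default stdout format ("Discovered open port <port>/<proto> on <ip>"), keys on field content rather than column position, and drops UDP hits that httpx could not use; the sample lines are constructed, and the httpx call is shown only as a comment.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): turn masscan's default stdout lines
#   Discovered open port <port>/<proto> on <ip>
# into the three target lists used above (ip:port, unique IPs, unique ports).

# Constructed sample of what "masscan ... > masscan-ip.txt" captures.
MASSCAN_SAMPLE='Discovered open port 443/tcp on 172.29.130.10
Discovered open port 22/tcp on 172.29.130.2
Discovered open port 8080/tcp on 172.29.130.10
Discovered open port 53/udp on 172.29.130.1
Discovered open port 80/tcp on 172.29.130.2
Discovered open port 80/tcp on 172.29.130.2'

# ip:port for every open TCP port, read from stdin, deduplicated.
masscan_targets() {
    awk '$1 == "Discovered" && $3 == "port" && $4 ~ /\/tcp$/ {
             split($4, p, "/"); print $6 ":" p[1]
         }' | LC_ALL=C sort -u
}

# Unique hosts with at least one open TCP port, sorted octet by octet.
masscan_hosts() {
    masscan_targets | cut -d : -f 1 | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Unique open TCP ports across all hosts, sorted numerically.
masscan_ports() {
    masscan_targets | cut -d : -f 2 | sort -n -u
}

# Typical use with real scan output (httpx is not executed in this example):
#   masscan_targets < masscan-ip.txt | httpx -silent
printf '%s\n' "$MASSCAN_SAMPLE" | masscan_targets
```

The awk filter also protects against the cut-based pipeline's silent failure mode: if masscan's line layout shifts by one field, cut emits garbage while the field checks here emit nothing.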

Bulk identification of live hosts on Windows

rem Ping every host of a C class from cmd.exe: -n 1 sends one echo, -w is the timeout in
rem milliseconds (2 ms is far too short on real networks), and find keeps only the replies.
rem In a batch file write %%i instead of %i.
for /L %i IN (1,1,254) DO @ping -w 200 -n 1 192.168.1.%i | find "TTL="

Generating IP ranges

# Prints 192.168.1.1 to 192.168.1.254. Brace expansion does not expand variables
# ({$1..$2} is passed literally), so use seq instead.
# usage: ./iprange.sh 1 254 192.168.1.
for i in $(seq "$1" "$2"); do echo "$3$i"; done

Batch appending specific content to a text file

If you have a text file with one IP address per line and need to turn each into http://ip, sed can prepend or append text to every line in one pass. The anchors used are ^ (start of line) and $ (end of line); "replacing" an anchor with text inserts that text at that position without touching the rest of the line.

# Append to the end of each line: here the last octet is replaced so that 192.168.1.x becomes 192.168.1.0/24
sed -E 's/\.[0-9]+$/.0\/24/' ip.txt
 
# Prepend to each line: 192.168.1.5 becomes http://192.168.1.5 (using | as the delimiter avoids escaping the slashes)
sed 's|^|http://|' ip.txt

Getting all gateway IPs in the internal network range

Generate the .1 address of every /24 in the three private ranges; pinging these candidate gateways is a fast way to tell which C-class segments are in use. Adjust the last octet for networks whose gateway sits elsewhere (.254 is also common).

# Class A (10.0.0.0/8)
for i in {0..255};do for b in {0..255};do echo "10.$i.$b.1";done;done
 
# Class B (172.16.0.0/12)
for i in {16..31};do for b in {0..255};do echo "172.$i.$b.1";done;done
 
# Class C (192.168.0.0/16)
for i in {0..255};do echo "192.168.$i.1";done

Extracting IP addresses from a file

# Matches any dotted quad, including invalid ones such as 999.1.1.1 and version numbers like 1.2.3.4
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt

Extracting URLs from a text file

grep -E -o "https?://[a-zA-Z0-9./?=_-]*" file.txt

# Extracting URLs from a JavaScript file (same pattern applied to a fetched script)
curl -s https://abc.com/file.js | grep -Eo "https?://[a-zA-Z0-9./?=_-]*"
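As an added example (not code from the original post) covering both the IP and the URL extraction above: the bare grep patterns also accept quads with octets above 255 and fragments of longer numbers such as 2024.01.02.0310, and they keep the punctuation that follows a URL in running text. The functions below validate each octet and strip that trailing punctuation. The sample text is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): extract IPv4 addresses and URLs
# from arbitrary text with the sanity checks the plain grep one-liners lack.

# Constructed sample input mixing real addresses, an invalid quad, a version
# string, a timestamp, and URLs embedded in punctuation.
SAMPLE_TEXT='api.base = "https://abc.com/api/v2/users?id=1&sort=asc";
backup host 10.0.0.5, fallback 192.168.300.7, see http://cdn.example.net/static/app-1.2.min.js.
version 1.2.3.4 and timestamp 2024.01.02.0310 are not hosts'

# Dotted quads whose four octets are each 1-3 digits and <= 255, unique, one per line.
# A version string like 1.2.3.4 is indistinguishable from an address and is kept.
extract_ips() {
    awk '{
        n = split($0, tok, /[^0-9.]+/)            # tokens made only of digits and dots
        for (i = 1; i <= n; i++) {
            t = tok[i]
            sub(/^\.+/, "", t); sub(/\.+$/, "", t)  # drop sentence punctuation around the token
            if (t !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
            split(t, o, ".")
            ok = 1
            for (k = 1; k <= 4; k++)
                if (length(o[k]) > 3 || o[k] + 0 > 255) ok = 0
            if (ok) print t
        }
    }' | LC_ALL=C sort -u
}

# http(s) URLs, unique, with trailing . , ; : ) from the surrounding prose removed.
extract_urls() {
    grep -oE 'https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+' \
    | sed -E 's/[.,;:)]+$//' \
    | LC_ALL=C sort -u
}

printf '%s\n' "$SAMPLE_TEXT" | extract_ips
printf '%s\n' "$SAMPLE_TEXT" | extract_urls
```

The whole-token check in extract_ips is what rejects 2024.01.02.0310: grep -o picks the longest match starting at any position and would happily report 024.01.02.031 from inside it.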

Extracting URLs from an APK file

Refer to: https://github.com/ndelphit/apkurlgrep (apkurlgrep: extract endpoints from APK files)

apkurlgrep -a path/to/file.apk

Subdomain enumeration

# Scrape subdomains from rapiddns.io; both variants depend on the site's current HTML layout
curl -s "https://rapiddns.io/subdomain/jxuspt.com?full=1#result" | grep "<td><a" | cut -d "/" -f3 | cut -d '"' -f1 | xargs -L2 | sed 's/#result//g'
# Same source, with the domain passed as the first argument of a script
curl -s "https://rapiddns.io/subdomain/$1?full=1" | grep '<td>[a-z]' | cut -d "<" -f2 | cut -d ">" -f2 | grep -v http | sort

Listing SSH key fingerprints

# Fingerprint every key in ~/.ssh; a private key and its .pub print the same line, hence uniq
for key in ~/.ssh/*; do ssh-keygen -l -f "${key}" 2>/dev/null; done | uniq

Viewing Wi-Fi passwords

rem Windows: show a saved profile, then the same profile with the key in clear text (run from an elevated prompt)
netsh wlan show profile name="WIFI_5G"
netsh wlan show profile name="WIFI_5G" key=clear

Fingerprint recognition script

Building on the commands above, you can wrap them in a bash script for one-shot queries. The script below runs a masscan port scan, checks the open ports for HTTP with httpx, and then fingerprints the live web services with kscan and observer_ward.

Define a function or alias for it in .bash_profile (for example mscan() { ~/bin/mscan.sh "$@"; }) and you can simply enter mscan 11.11.11.11 to start the scan.

#!/bin/bash
# Usage: mscan.sh <ip or CIDR>
if [ -z "$1" ]; then
	echo "usage: $0 <ip|cidr>"
	exit 1
fi

# Masscan port scan (only open ports are reported; output lines look like
# "Discovered open port 80/tcp on 11.11.11.11")
echo -e "\033[31m Starting masscan port scan... \033[0m"
sudo masscan -p1-65535 "$1" --rate 1000 > ./mport.txt
echo -e "\033[31m Starting live detection using httpx... \033[0m"
# Convert the masscan lines into ip:port and let httpx keep the ones that speak HTTP
grep "tcp" mport.txt | cut -d " " -f 4,6 | awk '{print $2,$1}'| tr " " ":" | cut -d "/" -f1 | cut -d ":" -f1,2 | httpx > mresult.txt
rm -f ./mport.txt

echo -e "\033[31m Scanning with kscan... \033[0m"
# -s: only continue if httpx actually found live web services
if [ -s "mresult.txt" ]; then
	kscan -t mresult.txt -o kscanresult.txt
fi

echo -e "\033[31m Fingerprint recognition in progress... \033[0m"
# kscan separates its columns with two spaces; the first column is the URL handed to observer_ward
if [ -s "kscanresult.txt" ]; then
	grep -E "http:|https:" kscanresult.txt | awk 'BEGIN {FS="  "} ; {print $1}' | observer_ward --stdin
fi
rm -f kscanresult.txt
