侦察
查找受 CloudFlare(或 CloudFront)保护的网站源服务器
$ python cloudflair.py myvulnerable.site
[*] The target appears to be behind CloudFlare.
[*] Looking for certificates matching "myvulnerable.site" using Censys
[*] 75 certificates matching "myvulnerable.site" found.
[*] Looking for IPv4 hosts presenting these certificates...
[*] 10 IPv4 hosts presenting a certificate issued to "myvulnerable.site" were found.
- 51.194.77.1
- 223.172.21.75
- 18.136.111.24
- 127.200.220.231
- 177.67.208.72
- 137.67.239.174
- 182.102.141.194
- 8.154.231.164
- 37.184.84.44
- 78.25.205.83
[*] Retrieving target homepage at https://myvulnerable.site
[*] Testing candidate origin servers
- 51.194.77.1
- 223.172.21.75
- 18.136.111.24
responded with an unexpected HTTP status code 404
- 127.200.220.231
timed out after 3 seconds
- 177.67.208.72
- 137.67.239.174
- 182.102.141.194
- 8.154.231.164
- 37.184.84.44
- 78.25.205.83
[*] Found 2 likely origin servers of myvulnerable.site!
- 177.67.208.72 (HTML content identical to myvulnerable.site)
- 182.102.141.194 (HTML content identical to myvulnerable.site)分析AWS环境
python cloudmapper.py collect --account my_account
Google 存储桶枚举
python GCPBucketBrute.py -d example.com -p projects.txt -n枚举 AWS、Azure 和 Google Cloud 中的公共资源
usage: cloud_enum.py [-h] -k KEYWORD [-m MUTATIONS] [-b BRUTE]
Multi-cloud enumeration utility. All hail OSINT!
optional arguments:
-h, --help show this help message and exit
-k KEYWORD, --keyword KEYWORD
Keyword. Can use argument multiple times.
-kf KEYFILE, --keyfile KEYFILE
Input file with a single keyword per line.
-m MUTATIONS, --mutations MUTATIONS
Mutations. Default: enum_tools/fuzz.txt
-b BRUTE, --brute BRUTE
List to brute-force Azure container names. Default: enum_tools/fuzz.txt
-t THREADS, --threads THREADS
Threads for HTTP brute-force. Default = 5
-ns NAMESERVER, --nameserver NAMESERVER
DNS server to use in brute-force.
-l LOGFILE, --logfile LOGFILE
Will APPEND found items to specified file.
-f FORMAT, --format FORMAT
Format for log file (text,json,csv - defaults to text)
--disable-aws Disable Amazon checks.
--disable-azure Disable Azure checks.
--disable-gcp Disable Google checks.
-qs, --quickscan Disable all mutations and second-level scans搜索潜在的前置域
python3 FindFrontableDomains.py --domain example.com --threads 20
python3 FindFrontableDomains.py --check ajax.microsoft.com验证域前置是否可用
$ python cdn-search.py -h
usage: cdn-search.py [-h] [-d DOMAIN] [-p PAGES]
optional arguments:
-h, --help Show this help message and exit
-d DOMAIN, --domain DOMAIN
Search censys for certs using domain
-p PAGES, --pages PAGES
Number of pages to retrieve (100/page)$ python validate-domains.py -h
usage: validate-domains.py [-h] [-f DOMAINS_FILE] [-s SSL] [-c CDN_DOMAIN]
[-o OUTPUT_FILE]
optional arguments:
-h, --help show this help message and exit
-f DOMAINS_FILE, --domains-file DOMAINS_FILE
Path to list of potential frontable domains.
-s SSL, --ssl SSL Prepend domain from list with http or https.
-c CDN_DOMAIN, --cdn-domain CDN_DOMAIN
CDN FQDN for C2.
-o OUTPUT_FILE, --output-file OUTPUT_FILE
Save results to file.绕过 Cloudflare 的反爬虫页面
识别云环境中的提权路径
python3 main.py -e -p google,github,k8s --github-only-org --k8s-get-secret-values --gcp-get-secret-values分析和可视化Azure和Azure Active Directory对象的图形
审核 AWS/GCP/Azure 基础设施安全状况
通过查看证书透明度日志查找 Amazon S3 存储桶
$ ruby lazys3.rb <COMPANY> 将基础设施资产及其之间的关系整合
发现开放的 S3 存储桶
$ festin -h
usage: __main__.py [-h] [--version] [-f FILE_DOMAINS] [-w] [-c CONCURRENCY] [--no-links] [-T HTTP_TIMEOUT] [-M HTTP_MAX_RECURSION] [-dr DOMAIN_REGEX] [-rr RESULT_FILE] [-rd DISCOVERED_DOMAINS] [-ra RAW_DISCOVERED_DOMAINS]
[--tor] [--debug] [--no-print] [-q] [--index] [--index-server INDEX_SERVER] [-dn] [-ds DNS_RESOLVER]
[domains [domains ...]]
Festin - the powered S3 bucket finder and content discover
positional arguments:
domains
optional arguments:
-h, --help show this help message and exit
--version show version
-f FILE_DOMAINS, --file-domains FILE_DOMAINS
file with domains
-w, --watch watch for new domains in file domains '-f' option
-c CONCURRENCY, --concurrency CONCURRENCY
max concurrency
HTTP Probes:
--no-links extract web site links
-T HTTP_TIMEOUT, --http-timeout HTTP_TIMEOUT
set timeout for http connections
-M HTTP_MAX_RECURSION, --http-max-recursion HTTP_MAX_RECURSION
maximum recursison when follow links
-dr DOMAIN_REGEX, --domain-regex DOMAIN_REGEX
only follow domains that matches this regex
Results:
-rr RESULT_FILE, --result-file RESULT_FILE
results file
-rd DISCOVERED_DOMAINS, --discovered-domains DISCOVERED_DOMAINS
file name for storing new discovered after apply filters
-ra RAW_DISCOVERED_DOMAINS, --raw-discovered-domains RAW_DISCOVERED_DOMAINS
file name for storing any domain without filters
Connectivity:
--tor Use Tor as proxy
Display options:
--debug enable debug mode
--no-print doesn't print results in screen
-q, --quiet Use quiet mode
Redis Search:
--index Download and index documents into Redis
--index-server INDEX_SERVER
Redis Search ServerDefault: redis://localhost:6379
DNS options:
-dn, --no-dnsdiscover
not follow dns cnames
-ds DNS_RESOLVER, --dns-resolver DNS_RESOLVER
comma separated custom domain name servers