工具指南 | Kaiahttps://docs.kaiasec.tk/post/tools/工具指南Wowchemy (https://wowchemy.com)zh-HansThu, 28 Jul 2022 00:00:00 +0000https://docs.kaiasec.tk/media/logo.svg工具指南https://docs.kaiasec.tk/post/tools/使用EyeWitness工具识别内网资产https://docs.kaiasec.tk/post/tools/%E4%BD%BF%E7%94%A8eyewitness%E5%B7%A5%E5%85%B7%E8%AF%86%E5%88%AB%E5%86%85%E7%BD%91%E8%B5%84%E4%BA%A7/Sat, 10 Sep 2022 00:00:00 +0000https://docs.kaiasec.tk/post/tools/%E4%BD%BF%E7%94%A8eyewitness%E5%B7%A5%E5%85%B7%E8%AF%86%E5%88%AB%E5%86%85%E7%BD%91%E8%B5%84%E4%BA%A7/<h3 id="简介">简介:</h3> <p>主要就是通过截图的方式去识别网站</p> <h3 id="使用场景">使用场景:</h3> <p>当内网扫描到大量web资产,通过浏览器手工输入url访问网站效率特别慢,可以通过这个工具批量截图网站页面,快速识别有价值的资产。从而更高效进行横向渗透测试。</p> <h3 id="工具地址">工具地址:</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">https://github.com/FortyNorthSecurity/EyeWitness </span></span></code></pre></div><h3 id="原理">原理:</h3> <p>EyeWitness 将调用 selenium,它使用您系统上安装的实际浏览器(IceWeasel 或 Firefox)来截取屏幕截图。您不会看到浏览器弹出窗口,但它会在后台运行,并截取您提供的 URL 的屏幕截图,并生成简单的报告</p> <h3 id="安装">安装:</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">#kali</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">apt install eyewitness </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#windows</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">好像需要重新编译,没用过windows </span></span></code></pre></div><h3 id="使用指南">使用指南:</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">#作者给的使用指南</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">https://www.christophertruncer.com/eyewitness-2-0-release-and-user-guide/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">################################################################################</span> </span></span><span class="line"><span class="cl"><span class="c1"># EyeWitness #</span> </span></span><span class="line"><span class="cl"><span class="c1">################################################################################</span> </span></span><span class="line"><span class="cl"><span class="c1"># FortyNorth Security - https://www.fortynorthsecurity.com #</span> </span></span><span class="line"><span class="cl"><span class="c1">################################################################################</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">usage: EyeWitness.py <span class="o">[</span>--web<span class="o">]</span> <span class="o">[</span>-f Filename<span class="o">]</span> <span class="o">[</span>-x Filename.xml<span class="o">]</span> <span class="o">[</span>--single Single URL<span class="o">]</span> <span class="o">[</span>--no-dns<span class="o">]</span> <span class="o">[</span>--timeout Timeout<span class="o">]</span> <span class="o">[</span>--jitter <span class="c1"># of Seconds]</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>--delay <span class="c1"># of Seconds] [--threads # of Threads] [--max-retries Max retries on a timeout] [-d Directory Name]</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>--results Hosts Per Page<span class="o">]</span> <span class="o">[</span>--no-prompt<span class="o">]</span> <span class="o">[</span>--user-agent User Agent<span class="o">]</span> <span class="o">[</span>--difference Difference Threshold<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>--proxy-ip 127.0.0.1<span class="o">]</span> <span class="o">[</span>--proxy-port 8080<span class="o">]</span> <span class="o">[</span>--proxy-type socks5<span class="o">]</span> <span class="o">[</span>--show-selenium<span class="o">]</span> <span class="o">[</span>--resolve<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>--add-http-ports ADD_HTTP_PORTS<span class="o">]</span> <span class="o">[</span>--add-https-ports ADD_HTTPS_PORTS<span class="o">]</span> <span class="o">[</span>--only-ports ONLY_PORTS<span class="o">]</span> <span class="o">[</span>--prepend-https<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>--selenium-log-path SELENIUM_LOG_PATH<span class="o">]</span> <span class="o">[</span>--resume ew.db<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">EyeWitness is a tool used to capture screenshots from a list of URLs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Protocols: </span></span><span class="line"><span class="cl"> --web HTTP Screenshot using Selenium </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Input Options: </span></span><span class="line"><span class="cl"> -f Filename Line-separated file containing URLs to capture </span></span><span class="line"><span class="cl"> -x Filename.xml Nmap XML or .Nessus file </span></span><span class="line"><span class="cl"> --single Single URL Single URL/Host to capture </span></span><span class="line"><span class="cl"> --no-dns Skip DNS resolution when connecting to websites </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Timing Options: </span></span><span class="line"><span class="cl"> --timeout Timeout Maximum number of seconds to <span class="nb">wait</span> <span class="k">while</span> requesting a web page <span class="o">(</span>Default: 7<span class="o">)</span> </span></span><span class="line"><span class="cl"> --jitter <span class="c1"># of Seconds</span> </span></span><span class="line"><span class="cl"> Randomize URLs and add a random delay between requests </span></span><span class="line"><span class="cl"> --delay <span class="c1"># of Seconds Delay between the opening of the navigator and taking the screenshot</span> </span></span><span class="line"><span class="cl"> --threads <span class="c1"># of Threads</span> </span></span><span class="line"><span class="cl"> Number of threads to use <span class="k">while</span> using file based input </span></span><span class="line"><span class="cl"> --max-retries Max retries on a timeout </span></span><span class="line"><span class="cl"> Max retries on timeouts </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Report Output Options: </span></span><span class="line"><span class="cl"> -d Directory Name Directory name <span class="k">for</span> report output </span></span><span class="line"><span class="cl"> --results Hosts Per Page </span></span><span class="line"><span class="cl"> Number of Hosts per page of report </span></span><span class="line"><span class="cl"> --no-prompt Don<span class="s1">&#39;t prompt to open the report </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Web Options: </span></span></span><span class="line"><span class="cl"><span class="s1"> --user-agent User Agent </span></span></span><span class="line"><span class="cl"><span class="s1"> User Agent to use for all requests </span></span></span><span class="line"><span class="cl"><span class="s1"> --difference Difference Threshold </span></span></span><span class="line"><span class="cl"><span class="s1"> Difference threshold when determining if user agent requests are close &#34;enough&#34; (Default: 50) </span></span></span><span class="line"><span class="cl"><span class="s1"> --proxy-ip 127.0.0.1 IP of web proxy to go through </span></span></span><span class="line"><span class="cl"><span class="s1"> --proxy-port 8080 Port of web proxy to go through </span></span></span><span class="line"><span class="cl"><span class="s1"> --proxy-type socks5 Proxy type (socks5/http) </span></span></span><span class="line"><span class="cl"><span class="s1"> --show-selenium Show display for selenium </span></span></span><span class="line"><span class="cl"><span class="s1"> --resolve Resolve IP/Hostname for targets </span></span></span><span class="line"><span class="cl"><span class="s1"> --add-http-ports ADD_HTTP_PORTS </span></span></span><span class="line"><span class="cl"><span class="s1"> Comma-separated additional port(s) to assume are http (e.g. &#39;</span>8018,8028<span class="s1">&#39;) </span></span></span><span class="line"><span class="cl"><span class="s1"> --add-https-ports ADD_HTTPS_PORTS </span></span></span><span class="line"><span class="cl"><span class="s1"> Comma-separated additional port(s) to assume are https (e.g. &#39;</span>8018,8028<span class="s1">&#39;) </span></span></span><span class="line"><span class="cl"><span class="s1"> --only-ports ONLY_PORTS </span></span></span><span class="line"><span class="cl"><span class="s1"> Comma-separated list of exclusive ports to use (e.g. &#39;</span>80,8080<span class="err">&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> --prepend-https Prepend http:// and https:// to URLs without either </span></span><span class="line"><span class="cl"> --selenium-log-path SELENIUM_LOG_PATH </span></span><span class="line"><span class="cl"> Selenium geckodriver log path </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Resume Options: </span></span><span class="line"><span class="cl"> --resume ew.db Path to db file <span class="k">if</span> you want to resume </span></span></code></pre></div><h3 id="简单使用">简单使用:</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">#单个目标</span> </span></span><span class="line"><span class="cl">eyewitness --single <span class="s1">&#39;https://www.baidu.com&#39;</span> --web -d ./output --delay <span class="m">10</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#多个目标</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">eyewitness -f ./url.txt --web -d ./output --delay <span class="m">10</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#参数使用说明</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--single :单个网站 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--web 识别web页面 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-d 输出目录 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--delay 打开网站后延迟截图的时间(不设置的话截图太快,可能网站还没渲染完),单位:秒 </span></span></code></pre></div><h3 id="使用效果">使用效果:</h3> <p>扫描结束会询问你是否现在打开报告,这里选择否我们自己打开就行</p> <p> <figure > <div class="d-flex justify-content-center"> <div class="w-100" ><img src="./image/image_Y76VcemUoA.png" alt="" loading="lazy" data-zoomable /></div> </div></figure> </p> <p> <figure > <div class="d-flex justify-content-center"> <div class="w-100" ><img src="./image/image_JtnOVwS2rv.png" alt="" loading="lazy" data-zoomable /></div> </div></figure> </p> <h3 id="使用proxychains代理">使用proxychains代理</h3> <blockquote> <p>📌这里有几个需要注意的坑</p> </blockquote> <ul> <li> <p><strong>确保EyeWitness执行目录权限可写</strong></p> <p>在执行的目录下<code>chmod 777 -R ./</code></p> </li> <li> <p><strong>不支持在低权限用户以root身份运行(使用sudo)</strong></p> <p>好像Firefox的原因</p> </li> <li> <p><strong>proxychains低版本执行会报错</strong></p> <p>下载最新的<a href="https://github.com/rofl0r/proxychains-ng" title="proxychains-ng" target="_blank" rel="noopener">proxychains-ng</a>版本</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone https://github.com/rofl0r/proxychains-ng ~/proxychains-ng </span></span><span class="line"><span class="cl"><span class="nb">cd</span> ~/proxychains-ng </span></span><span class="line"><span class="cl">make -s clean </span></span><span class="line"><span class="cl">./configure --prefix<span class="o">=</span>/usr --sysconfdir<span class="o">=</span>/etc </span></span><span class="line"><span class="cl">make -s </span></span><span class="line"><span class="cl">make -s install </span></span><span class="line"><span class="cl">ln -sf /usr/bin/proxychains4 /usr/local/bin/proxychains-ng </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">修改/etc/proxychains.conf <span class="o">(</span>可能是/etc/proxychains4.conf<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#将下面的一行添加到proxychains.conf,只要它不在“[ProxyList]”下的最底部,任何地方都可以使用,建议将它添加到“proxy_dns”之后</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">localnet 127.0.0.0/255.0.0.0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#代理使用</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">proxychains-ng eyewitness -f ./url.txt --web -d ./output --delay <span class="m">10</span> </span></span></code></pre></div></li> </ul>