
Penetration Testing: Subdomain Brute-Forcing and Port Scanning

Public-interest information security outreach; information security knowledge for beginners.



... plays a vital role in the web security of every enterprise. In a penetration test the first task is information gathering, and subdomain brute-forcing is an important part of it: the more subdomains are discovered, the more entry points the test has, and the easier it is to find where a site's weaknesses lie. Port scanning then targets the IP addresses that the enumerated subdomains resolve to, in order to determine the operating system of the servers, the ports they have open and similar details, and from that the architecture and application deployment of the target site.


This article uses a Python script to automate subdomain brute-forcing and port scanning: running the script enumerates the subdomains of a target domain and port-scans the IP addresses the collected subdomains resolve to. How the script works is explained below.


The script runs on Kali and has three parts. The first enumerates subdomains; the second runs an nmap port scan against the IP addresses the enumerated domains resolve to and stores the results as XML; the third parses the XML files, extracts the IPs and ports, formats them, and sends them by e-mail together with the subdomain enumeration results.


The script code follows:

#coding:utf-8
# Subdomain brute-force followed by a multi-process nmap port scan; runs on Kali.
# Requires dnsenum and nmap on PATH. sendmail is the author's own helper module
# (not shown in this post) that provides mail(subject, body).
import os
import xml.dom.minidom
import multiprocessing
from time import sleep

from sendmail import *


def dnsbrute():
    IPlist = []
    try:
        domain = 'XXX.com'               # the domain to brute-force
        dnsserver = '114.114.114.114'    # DNS server to query
        os.system('rm -rf *.xml')        # note: removes every .xml file in the working directory
        # dnsenum writes the resolved address blocks to <domain>_ips.txt
        os.system('dnsenum -f wydomain.csv --noreverse --dnsserver ' + str(dnsserver) + ' ' + str(domain))
        while True:
            # os.system() blocks, so dnsenum has normally exited by now;
            # this check only guards against a lingering dnsenum process
            if os.system('ps -ef | grep dnsenum | grep -v grep') != 0:
                # each line looks like "a.b.c.d/mask ..."; keep the address part
                for i in os.popen('cut -d/ -f 1 ' + str(domain) + '_ips.txt'):
                    IPlist.append(str(i).strip())
                break
            sleep(1)
    except Exception as e:
        print(e)
    return IPlist


def nmap_port_scan(i):
    try:
        # version detection, open ports only, no DNS, no ping; XML output to <ip>.xml
        cmd = 'nmap -sV --open -n -Pn -oX ' + i + '.xml ' + i + ' 1>/dev/null 2>&1'
        os.system(cmd)
    except Exception as e:
        print(e)


def multiprocess_scan(IPlist):
    filename = []
    try:
        process = []
        for i in IPlist:
            filename.append(i + '.xml')
            process.append(multiprocessing.Process(target=nmap_port_scan, args=(i,), name="process-" + i))
        for x in process:
            x.start()
        # only the last process is joined here; port_xml_parser() waits for the
        # remaining nmap processes by polling ps
        if process:
            process[-1].join()
    except Exception as e:
        print(e)
    return filename


def port_xml_parser(filename):
    results = {}
    IPs = []
    try:
        total = len(filename)
        finished = 0
        remainder = len(filename)
        print('正在进行nmap扫描,请稍等:')
        # the sh wrapper started by os.system() carries the "/dev/null" redirection
        # in its command line; excluding it counts only the nmap processes
        ps_nmap = 'ps -ef | grep nmap | grep -v grep | grep -v "/dev/null"'
        while True:
            res = os.system(ps_nmap + ' 1>/dev/null 2>&1')
            if res == 0:
                sleep(1)
                status = int(os.popen(ps_nmap + ' | wc -l').read())
                if status != remainder:
                    remainder = status
                    finished = total - remainder
                    print('扫描进度:' + str(finished) + '/' + str(total) + ' 请等待.\n')
                else:
                    print('#', end='')
            else:
                print('扫描进度:' + str(total) + '/' + str(total) + ' 扫描已完成.\n')
                break
        for i in filename:
            ports = {}
            dom = xml.dom.minidom.parse(i)
            root = dom.documentElement
            if root.getElementsByTagName('address'):
                ip = str(root.getElementsByTagName('address')[0].getAttribute("addr"))
                # read each port's own <service> child so the port/service pairing
                # cannot shift when a port has no service element
                for p in root.getElementsByTagName('port'):
                    svc = p.getElementsByTagName('service')
                    name = str(svc[0].getAttribute("name")) if svc else 'unknown'
                    ports[str(p.getAttribute("portid"))] = name
                if ports:    # only keep hosts that have open ports
                    IPs.append(ip)
                    results[ip] = ports
        mail('results', 'results:' + str(results))
    except Exception as e:
        print(e)
    return results, IPs


def run():
    port_xml_parser(multiprocess_scan(dnsbrute()))


if __name__ == '__main__':
    run()
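The parsing step of the script above reads the port list and the service list separately, which only works while every port carries a service element. The following added example (not code from the original post) parses the same nmap -oX format with xml.etree, pairs each port with its own service child, keeps only ports whose state is "open", and runs on a constructed sample document rather than a real scan; the address 192.0.2.10 and the file name in the args attribute are made-up values.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (not real scan output): one open port
# has no <service> element and one port is not open.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --open -n -Pn -oX 192.0.2.10.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" method="probed"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" method="table"/>
      </port>
      <port protocol="tcp" portid="8443">
        <state state="open"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="filtered"/>
        <service name="smtp" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return {ip: {portid: service}} for open ports; "unknown" if no <service>."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address")      # first address, as the script above does
        if addr is None:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                 # --open normally hides these; check anyway
            # each <port> is paired with its own <service> child, so a missing
            # service element cannot shift the port/service pairing
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            ports[port.get("portid")] = name
        if ports:                        # skip hosts with no open ports
            results[addr.get("addr")] = ports
    return results
```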

The value of this script is that it automates the information-gathering process, leaving penetration testers more time for targeted testing.

