The Guide to Finding and Reporting Web Vulnerabilities
Scope Discovery
Let’s now dive into recon itself. First, always verify the target’s scope. A program’s scope on its policy page specifies which subdomains, products, and applications you’re allowed to attack. Carefully verify which of the company’s assets are in scope to avoid overstepping boundaries during the recon and hacking process. For example, if example.com’s policy specifies that dev.example.com and test.example.com are out of scope, you shouldn’t perform any recon or attacks on those subdomains.
Once you’ve verified this, discover what’s actually in the scope. Which domains, subdomains, and IP addresses can you attack? What company assets is the organization hosting on these machines?
WHOIS and Reverse WHOIS
When companies or individuals register a domain name, they need to supply identifying information, such as their mailing address, phone number, and email address, to a domain registrar. Anyone can then query this information by using the whois command, which searches for the registrant and owner information of each known domain. You might be able to find the associated contact information, such as an email, name, address, or phone number:
$ whois facebook.com
This information is not always available, as some organizations and individuals use a service called domain privacy, in which a third-party service provider replaces the user’s information with that of a forwarding service.
You could then conduct a reverse WHOIS search, searching a database by using an organization name, a phone number, or an email address to find domains registered with it. This way, you can find all the domains that belong to the same owner. Reverse WHOIS is extremely useful for finding obscure or internal domains not otherwise disclosed to the public. Use a public reverse WHOIS tool like ViewDNS.info (https://viewdns.info/reversewhois/) to conduct this search. WHOIS and reverse WHOIS will give you a good set of top-level domains to work with.
IP Addresses
Another way of discovering your target’s top-level domains is to locate IP addresses. Find the IP address of a domain you know by running the nslookup command. You can see here that facebook.com is located at 157.240.2.35:
$ nslookup facebook.com
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
Name: facebook.com
Address: 157.240.2.35
Once you’ve found the IP address of the known domain, perform a reverse IP lookup. Reverse IP searches look for domains hosted on the same server, given an IP or domain. You can also use ViewDNS.info for this.
Also run the whois command on an IP address, and then see if the target has a dedicated IP range by checking the NetRange field. An IP range is a block of IP addresses that all belong to the same organization. If the organization has a dedicated IP range, any IP you find in that range belongs to that organization:
$ whois 157.240.2.35
NetRange: 157.240.0.0 - 157.240.255.255
CIDR: 157.240.0.0/16
NetName: THEFA-3
NetHandle: NET-157-240-0-0-1
Parent: NET157 (NET-157-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Facebook, Inc. (THEFA-3)
RegDate: 2015-05-14
Updated: 2015-05-14
Ref: https://rdap.arin.net/registry/ip/157.240.0.0
OrgName: Facebook, Inc.
OrgId: THEFA-3
Address: 1601 Willow Rd.
City: Menlo Park
StateProv: CA
PostalCode: 94025
Country: US
RegDate: 2004-08-11
Updated: 2012-04-17
Ref: https://rdap.arin.net/registry/entity/THEFA-3
OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName: Operations
OrgAbusePhone: +1-650-543-4800
OrgAbuseEmail: noc@fb.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/OPERA82-ARIN
OrgTechHandle: OPERA82-ARIN
OrgTechName: Operations
OrgTechPhone: +1-650-543-4800
OrgTechEmail: noc@fb.com
OrgTechRef: https://rdap.arin.net/registry/entity/OPERA82-ARIN
Another way of finding IP addresses in scope is by looking at autonomous systems, which are routable networks within the public internet. Autonomous system numbers (ASNs) identify the owners of these networks. By checking if two IP addresses share an ASN, you can determine whether the IPs belong to the same owner.
To figure out if a company owns a dedicated IP range, run several IP-to-ASN translations to see if the IP addresses map to a single ASN. If many addresses within a range belong to the same ASN, the organization might have a dedicated IP range. From the following output, we can deduce that any IP within the 157.240.2.21 to 157.240.2.34 range probably belongs to Facebook:
$ whois -h whois.cymru.com 157.240.2.20
AS | IP | AS Name
32934 | 157.240.2.20 | FACEBOOK, US
$ whois -h whois.cymru.com 157.240.2.27
AS | IP | AS Name
32934 | 157.240.2.27 | FACEBOOK, US
$ whois -h whois.cymru.com 157.240.2.35
AS | IP | AS Name
32934 | 157.240.2.35 | FACEBOOK, US
The -h flag in the whois command sets the WHOIS server to retrieve information from, and whois.cymru.com is a database that translates IPs to ASNs. If the company has a dedicated IP range and doesn’t mark those addresses as out of scope, you could plan to attack every IP in that range.
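The following Python, added here and not from the book, parses the two output formats shown above: it groups IPs by ASN from the whois.cymru.com table and checks each IP against the CIDR (or NetRange) field of the ARIN record, so you can see which discovered addresses fall inside a dedicated range. The sample text reuses the book’s output; the 203.0.113.9 / AS64496 line is constructed from documentation ranges to show an address that does not belong.

```python
"""Group IPs by ASN from whois.cymru.com output and check them against the
NetRange/CIDR of an ARIN whois record (the "IP Addresses" section). Added
example, not from the book. Sample text reuses the book's output above; the
203.0.113.9 / AS64496 line is constructed from documentation ranges."""
import ipaddress
import re
from collections import defaultdict

# whois.cymru.com answers with a pipe-separated table: AS | IP | AS Name
SAMPLE_CYMRU_OUTPUT = """\
AS      | IP               | AS Name
32934   | 157.240.2.20     | FACEBOOK, US
32934   | 157.240.2.27     | FACEBOOK, US
32934   | 157.240.2.35     | FACEBOOK, US
64496   | 203.0.113.9      | EXAMPLE-AS, ZZ
"""

# The range-related fields of the ARIN record; the other fields are omitted here.
SAMPLE_ARIN_OUTPUT = """\
NetRange:       157.240.0.0 - 157.240.255.255
CIDR:           157.240.0.0/16
NetName:        THEFA-3
Organization:   Facebook, Inc. (THEFA-3)
"""


def parse_cymru(text):
    """Return {asn: [IPv4Address, ...]} from a Cymru table, skipping the header."""
    by_asn = defaultdict(list)
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header row, blank line, or "NA" for unrouted space
        by_asn[int(parts[0])].append(ipaddress.ip_address(parts[1]))
    return dict(by_asn)


def parse_cidrs(text):
    """Return the networks from the CIDR: field. ARIN may list several prefixes
    separated by commas, so each is parsed on its own. Falls back to the
    NetRange: field (start - end) when no CIDR: line is present."""
    m = re.search(r"^CIDR:\s*(.+)$", text, re.M)
    if m:
        return [ipaddress.ip_network(p.strip()) for p in m.group(1).split(",")]
    m = re.search(r"^NetRange:\s*(\S+)\s*-\s*(\S+)", text, re.M)
    if not m:
        return []
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return list(ipaddress.summarize_address_range(first, last))


def single_asn(by_asn, ips):
    """The one ASN all given IP strings map to, or None if they span several.
    Many addresses in one ASN is the hint the text uses for a dedicated range."""
    targets = {ipaddress.ip_address(i) for i in ips}
    owners = {asn for asn, members in by_asn.items() if targets & set(members)}
    return owners.pop() if len(owners) == 1 else None


def ips_in_range(ips, networks):
    """Subset of ips (returned as strings) that fall inside any of the networks."""
    return [str(ip) for ip in ips if any(ip in net for net in networks)]


def summarize(cymru_text, arin_text):
    """Combine both lookups: which ASNs appear, and which IPs sit in the NetRange."""
    by_asn = parse_cymru(cymru_text)
    nets = parse_cidrs(arin_text)
    all_ips = [ip for members in by_asn.values() for ip in members]
    inside = ips_in_range(all_ips, nets)
    return {
        "asns": sorted(by_asn),
        "networks": [str(n) for n in nets],
        "in_range": inside,
        "outside_range": [str(ip) for ip in all_ips if str(ip) not in inside],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CYMRU_OUTPUT, SAMPLE_ARIN_OUTPUT).items():
        print(f"{key:14} {value}")
```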
Certificate Parsing
Another way of finding hosts is to take advantage of the Secure Sockets Layer (SSL) certificates used to encrypt web traffic. An SSL certificate’s Subject Alternative Name field lets certificate owners specify additional hostnames that use the same certificate, so you can find those hostnames by parsing this field. Use online databases like crt.sh, Censys, and Cert Spotter to find certificates for a domain.
For example, by running a certificate search using crt.sh for facebook.com, we can find Facebook’s SSL certificate. You’ll see that many other domain names belonging to Facebook are listed:
X509v3 Subject Alternative Name:
DNS:*.facebook.com
DNS:*.facebook.net
DNS:*.fbcdn.net
DNS:*.fbsbx.com
DNS:*.messenger.com
DNS:facebook.com
DNS:messenger.com
DNS:*.m.facebook.com
DNS:*.xx.fbcdn.net
DNS:*.xy.fbcdn.net
DNS:*.xz.fbcdn.net
The crt.sh website also has a useful utility that lets you retrieve the information in JSON format, rather than HTML, for easier parsing. Just add the URL parameter output=json to the request URL: https://crt.sh/?q=facebook.com&output=json.
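As an added example (not the book’s code), here is a small Python script that parses a crt.sh JSON response like the one above, pulls the hostnames out of each certificate’s Subject Alternative Names, and sorts them into in-scope and out-of-scope hosts according to a program policy, tying the certificate-parsing step back to the scope check at the start of this section. The JSON is a constructed sample in crt.sh’s shape; example.com with its dev and test exclusions is the hypothetical policy from the Scope Discovery paragraph.

```python
"""Extract hostnames from a crt.sh JSON response and sort them into in-scope
and out-of-scope sets ("Scope Discovery" and "Certificate Parsing" sections).
Added example, not from the book; the JSON below is a constructed sample that
mimics the shape of https://crt.sh/?q=example.com&output=json."""
import json

# Constructed sample: crt.sh returns a list of certificate records, and the SANs
# of each certificate are joined with newlines in the "name_value" field.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com\n*.cdn.example.com"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "dev.example.com",
     "name_value": "dev.example.com\napi.dev.example.com"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "test.example.com",
     "name_value": "test.example.com\nexample-partner.net"},
])


def hostnames_from_crtsh(raw_json):
    """Return the unique, lower-cased hostnames listed in a crt.sh JSON response.
    A wildcard entry such as *.cdn.example.com is reduced to cdn.example.com,
    since the wildcard itself is not a resolvable host."""
    names = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                name = name[2:]
            names.add(name)
    return sorted(names)


def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it. The check is
    label-aware, so notexample.com does not match example.com."""
    return host == domain or host.endswith("." + domain)


def classify_scope(hosts, in_scope, out_of_scope):
    """Split hosts into (allowed, excluded, unrelated). An exclusion wins over
    an inclusion, matching how program policies are written: dev.example.com
    stays excluded even though example.com as a whole is in scope."""
    allowed, excluded, unrelated = [], [], []
    for host in hosts:
        if any(in_domain(host, d) for d in out_of_scope):
            excluded.append(host)
        elif any(in_domain(host, d) for d in in_scope):
            allowed.append(host)
        else:
            unrelated.append(host)  # possibly a partner domain: check the policy first
    return allowed, excluded, unrelated


def triage_scope(raw_json, in_scope, out_of_scope):
    """Parse a crt.sh response and classify every hostname it mentions."""
    return classify_scope(hostnames_from_crtsh(raw_json), in_scope, out_of_scope)


if __name__ == "__main__":
    allowed, excluded, unrelated = triage_scope(
        SAMPLE_CRTSH_JSON, ["example.com"], ["dev.example.com", "test.example.com"])
    print("in scope:    ", allowed)
    print("out of scope:", excluded)
    print("needs review:", unrelated)
```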
Subdomain Enumeration
After finding as many domains on the target as possible, locate as many subdomains on those domains as you can. Each subdomain represents a new angle for attacking the network. The best way to enumerate subdomains is to use automation.
Tools like Sublist3r, SubBrute, Amass, and Gobuster can enumerate subdomains automatically with a variety of wordlists and strategies. For example, Sublist3r works by querying search engines and online subdomain databases, while SubBrute is a brute-forcing tool that guesses possible subdomains until it finds real ones. Amass uses a combination of DNS zone transfers, certificate parsing, search engines, and subdomain databases to find subdomains. You can build a tool that combines the results of multiple tools to achieve the best results. We’ll discuss how to do this in “Writing Your Own Recon Scripts” on page 80.
To use many subdomain enumeration tools, you need to feed the program a wordlist of terms likely to appear in subdomains. You can find some good wordlists made by other hackers online. Daniel Miessler’s SecLists at https://github.com/danielmiessler/SecLists/ is a pretty extensive one. You can also use a wordlist generation tool like Commonspeak2 (https://github.com/assetnote/commonspeak2/) to generate wordlists based on the most current internet data. Finally, you can combine several wordlists found online or that you generated yourself for the most comprehensive results. Here’s a simple command to remove duplicate items from a set of two wordlists:
sort -u wordlist1.txt wordlist2.txt
The sort command line tool sorts the lines of text files. When given multiple files, it will sort all files and write the output to the terminal. The -u option tells sort to return only unique items in the sorted list.
Gobuster is a tool for brute-forcing to discover subdomains, directories, and files on target web servers. Its DNS mode is used for subdomain brute-forcing. In this mode, you can use the flag -d to specify the domain you want to brute-force and -w to specify the wordlist you want to use:
gobuster dns -d target_domain -w wordlist
Once you’ve found a good number of subdomains, you can discover more by identifying patterns. For example, if you find two subdomains of example.com named 1.example.com and 3.example.com, you can guess that 2.example.com is probably also a valid subdomain. A good tool for automating this process is Altdns (https://github.com/infosec-au/altdns/), which discovers subdomains with names that are permutations of other subdomain names.
In addition, you can find more subdomains based on your knowledge about the company’s technology stack. For example, if you’ve already learned that example.com uses Jenkins, you can check if jenkins.example.com is a valid subdomain.
Also look for subdomains of subdomains. After you’ve found, say, dev.example.com, you might find subdomains like 1.dev.example.com. You can find subdomains of subdomains by running enumeration tools recursively: add the results of your first run to your Known Domains list and run the tool again.
Service Enumeration
Next, enumerate the services hosted on the machines you’ve found. Since services often run on default ports, a good way to find them is by port-scanning the machine with either active or passive scanning.
In active scanning, you directly engage with the server. Active scanning tools send requests to connect to the target machine’s ports to look for open ones. You can use tools like Nmap or Masscan for active scanning. For example, this simple Nmap command reveals the open ports on scanme.nmap.org:
$ nmap scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.086s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
9929/tcp open nping-echo
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 230.83 seconds
On the other hand, in passive scanning, you use third-party resources to learn about a machine’s ports without interacting with the server. Passive scanning is stealthier and helps attackers avoid detection. To find services on a machine without actively scanning it, you can use Shodan, a search engine that lets the user find machines connected to the internet.
With Shodan, you can discover the presence of webcams, web servers, or even power plants based on criteria such as hostnames or IP addresses. For example, if you run a Shodan search on scanme.nmap.org’s IP address, 45.33.32.156, you get the result in Figure 5-1. You can see that the search yields different data than our port scan, and provides additional information about the server.
Alternatives to Shodan include Censys and Project Sonar. Combine the information you gather from different databases for the best results. With these databases, you might also find your target’s IP addresses, certificates, and software versions.
Directory Brute-Forcing
The next thing you can do to discover more of the site’s attack surface is brute-force the directories of the web servers you’ve found. Finding directories on servers is valuable, because through them, you might discover hidden admin panels, configuration files, password files, outdated functionalities, database copies, and source code files. Directory brute-forcing can sometimes allow you to directly take over a server!
Even if you can’t find any immediate exploits, directory information often tells you about the structure and technology of an application. For example, a pathname that includes phpmyadmin usually means that the application is built with PHP.
You can use Dirsearch or Gobuster for directory brute-forcing. These tools use wordlists to construct URLs, and then request these URLs from a web server. If the server responds with a status code in the 200 range, the directory or file exists. This means you can browse to the page and see what the application is hosting there. A status code of 404 means that the directory or file doesn’t exist, while 403 means it exists but is protected. Examine 403 pages carefully to see if you can bypass the protection to access the content.
Here’s an example of running a Dirsearch command. The -u flag specifies the hostname, and the -e flag specifies the file extension to use when constructing URLs:
$ ./dirsearch.py -u scanme.nmap.org -e php
Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 6023
Error Log: /tools/dirsearch/logs/errors.log
Target: scanme.nmap.org
[12:31:11] Starting:
[12:31:13] 403 - 290B - /.htusers
[12:31:15] 301 - 316B - /.svn -> http://scanme.nmap.org/.svn/
[12:31:15] 403 - 287B - /.svn/
[12:31:15] 403 - 298B - /.svn/all-wcprops
[12:31:15] 403 - 294B - /.svn/entries
[12:31:15] 403 - 297B - /.svn/prop-base/
[12:31:15] 403 - 296B - /.svn/pristine/
[12:31:15] 403 - 291B - /.svn/tmp/
[12:31:15] 403 - 315B - /.svn/text-base/index.php.svn-base
[12:31:15] 403 - 293B - /.svn/props/
[12:31:15] 403 - 297B - /.svn/text-base/
[12:31:40] 301 - 318B - /images -> http://scanme.nmap.org/images/
[12:31:40] 200 - 7KB - /index
[12:31:40] 200 - 7KB - /index.html
[12:31:53] 403 - 295B - /server-status
[12:31:53] 403 - 296B - /server-status/
[12:31:54] 301 - 318B - /shared -> http://scanme.nmap.org/shared/
Task Completed
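To turn a run like the one above into something you can act on, here is an added Python helper (not part of Dirsearch or the book) that parses Dirsearch result lines and buckets them by the status-code rules given earlier in this section, then lists the paths from the run that are worth reporting on their own; the sample lines are copied from the output above.

```python
"""Triage a Dirsearch run by status code using the rules from the text: 2xx
exists, 3xx redirects, 403 exists but is protected, 404 does not exist.
Added example, not from the book or Dirsearch; the sample lines are copied
from the run shown above."""
import re
from collections import defaultdict

SAMPLE_DIRSEARCH_OUTPUT = """\
Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 6023
[12:31:13] 403 - 290B - /.htusers
[12:31:15] 301 - 316B - /.svn -> http://scanme.nmap.org/.svn/
[12:31:15] 403 - 294B - /.svn/entries
[12:31:40] 301 - 318B - /images -> http://scanme.nmap.org/images/
[12:31:40] 200 - 7KB - /index.html
[12:31:53] 403 - 295B - /server-status
Task Completed
"""

# [HH:MM:SS] STATUS - SIZE - /path [-> redirect-target]
RESULT_RE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d)\]\s+(?P<status>\d{3})\s+-\s+(?P<size>\S+)\s+-\s+"
    r"(?P<path>\S+)(?:\s+->\s+(?P<redirect>\S+))?\s*$"
)


def parse_dirsearch(text):
    """Return one dict per result line; banner and footer lines are skipped."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            results.append(rec)
    return results


def triage(results):
    """Bucket paths by what the status code says about them."""
    buckets = defaultdict(list)
    for rec in results:
        s = rec["status"]
        if 200 <= s < 300:
            buckets["exists"].append(rec["path"])
        elif 300 <= s < 400:
            buckets["redirect"].append(rec["path"])
        elif s == 403:
            buckets["protected"].append(rec["path"])
        elif s == 404:
            buckets["missing"].append(rec["path"])
        else:
            buckets["other"].append(rec["path"])
    return dict(buckets)


# Prefixes this run surfaced that are findings in their own right: exposed
# version-control metadata, Apache's server-status page, and .ht* auth files.
REPORTABLE_PREFIXES = ("/.svn", "/server-status", "/.ht")


def reportable(results):
    """Paths that exist in some form (anything but 404) and match a reportable prefix."""
    return sorted({rec["path"] for rec in results
                   if rec["status"] != 404 and rec["path"].startswith(REPORTABLE_PREFIXES)})


if __name__ == "__main__":
    recs = parse_dirsearch(SAMPLE_DIRSEARCH_OUTPUT)
    print(triage(recs))
    print("report:", reportable(recs))
```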
Gobuster’s Dir mode is used to find additional content on a specific domain or subdomain. This includes hidden directories and files. In this mode, you can use the -u flag to specify the domain or subdomain you want to brute-force and -w to specify the wordlist you want to use:
gobuster dir -u target_url -w wordlist
Manually visiting all the pages you’ve found through brute-forcing can be time-consuming. Instead, use a screenshot tool like EyeWitness (https://github.com/FortyNorthSecurity/EyeWitness/) or Snapper (https://github.com/dxa4481/Snapper/) to automatically verify that a page is hosted on each location. EyeWitness accepts a list of URLs and takes screenshots of each page. In a photo gallery app, you can quickly skim these to find the interesting-looking ones. Keep an eye out for hidden services, such as developer or admin panels, directory listing pages, analytics pages, and pages that look outdated and ill-maintained. These are all common places for vulnerabilities to manifest.
Spidering the Site
Another way of discovering directories and paths is through web spidering, or web crawling, a process used to identify all pages on a site. A web spider tool starts with a page to visit. It then identifies all the URLs embedded on the page and visits them. By recursively visiting all URLs found on all pages of a site, the web spider can uncover many hidden endpoints in an application.
OWASP Zed Attack Proxy (ZAP) at https://www.zaproxy.org/ has a built-in web spider you can use (Figure 5-2). This open source security tool includes a scanner, proxy, and many other features. Burp Suite has an equivalent tool called the crawler, but I prefer ZAP’s spider.
Access its spider tool by opening ZAP and choosing Tools ▶ Spider (Figure 5-3).
You should see a window for specifying the starting URL (Figure 5-4).
Click Start Scan. You should see URLs pop up in the bottom window (Figure 5-5).
You should also see a site tree appear on the left side of your ZAP window (Figure 5-6). This shows you the files and directories found on the target server in an organized format.
Third-Party Hosting
Take a look at the company’s third-party hosting footprint. For example, look for the organization’s S3 buckets. S3, which stands for Simple Storage Service, is Amazon’s online storage product. Organizations can pay to store resources in buckets to serve in their web applications, or they can use S3 buckets as a backup or storage location. If an organization uses Amazon S3, its S3 buckets can contain hidden endpoints, logs, credentials, user information, source code, and other information that might be useful to you.
How do you find an organization’s buckets? One way is through Google dorking, as mentioned earlier. Most buckets use the URL format BUCKET.s3.amazonaws.com or s3.amazonaws.com/BUCKET, so the following search terms are likely to find results:
site:s3.amazonaws.com COMPANY_NAME
site:amazonaws.com COMPANY_NAME
If the company uses custom URLs for its S3 buckets, try more flexible search terms instead. Companies often still place keywords like aws and s3 in their custom bucket URLs, so try these searches:
amazonaws s3 COMPANY_NAME
amazonaws bucket COMPANY_NAME
amazonaws COMPANY_NAME
s3 COMPANY_NAME
Another way of finding buckets is to search a company’s public GitHub repositories for S3 URLs. Try searching these repositories for the term s3. We’ll talk about using GitHub for recon in “GitHub Recon” on the following page.
GrayhatWarfare (https://buckets.grayhatwarfare.com/) is an online search engine you can use to find publicly exposed S3 buckets (Figure 5-7). It allows you to search for a bucket by using a keyword. Supply keywords related to your target, such as the application, project, or organization name, to find relevant buckets.
Finally, you can try to brute-force buckets by using keywords. Lazys3 (https://github.com/nahamsec/lazys3/) is a tool that helps you do this. It relies on a wordlist to guess buckets that are permutations of common bucket names. Another good tool is Bucket Stream (https://github.com/eth0izzle/bucket-stream/), which parses certificates belonging to an organization and finds S3 buckets based on permutations of the domain names found on the certificates. Bucket Stream also automatically checks whether the bucket is accessible, so it saves you time.
Once you’ve found a couple of buckets that belong to the target organization, use the AWS command line tool to see if you can access one. Install the tool by using the following command:
pip install awscli
Then configure it to work with AWS by following Amazon’s documentation at https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html. Now you should be able to access buckets directly from your terminal via the aws s3 command. Try listing the contents of the bucket you found:
aws s3 ls s3://BUCKET_NAME/
If this works, see if you can read the contents of any interesting files by copying files to your local machine:
aws s3 cp s3://BUCKET_NAME/FILE_NAME /path/to/local/directory
Gather any useful information leaked via the bucket and use it for future exploitation! If the organization reveals information such as active API keys or personal information, you should report this right away. Exposed S3 buckets alone are often considered a vulnerability. You can also try to upload new files to the bucket or delete files from it. If you can mess with its contents, you might be able to tamper with the web application’s operations or corrupt company data. For example, this command will copy your local file named TEST_FILE into the target’s S3 bucket:
aws s3 cp TEST_FILE s3://BUCKET_NAME/
And this command will remove the TEST_FILE that you just uploaded:
aws s3 rm s3://BUCKET_NAME/TEST_FILE
These commands are a harmless way to prove that you have write access to a bucket without actually tampering with the target company’s files.
Always upload and remove your own test files. Don’t risk deleting important company resources during your testing unless you’re willing to entertain a costly lawsuit.
GitHub Recon
Search an organization’s GitHub repositories for sensitive data that has been accidentally committed, or information that could lead to the discovery of a vulnerability.
Start by finding the GitHub usernames relevant to your target. You should be able to locate these by searching the organization’s name or product names via GitHub’s search bar, or by checking the GitHub accounts of known employees.
When you’ve found usernames to audit, visit their pages. Find repositories related to the projects you’re testing and record them, along with the usernames of the organization’s top contributors, which can help you find more relevant repositories.
Then dive into the code. For each repository, pay special attention to the Issues and Commits sections. These sections are full of potential info leaks: they could point attackers to unresolved bugs, problematic code, and the most recent code fixes and security patches. Recent code changes that haven’t stood the test of time are more likely to contain bugs. Look at any protection mechanisms implemented to see if you can bypass them. You can also search the Code section for potentially vulnerable code snippets. Once you’ve found a file of interest, check the Blame and History sections at the top-right corner of the file’s page to see how it was developed (Figure 5-8).
We’ll dive deeper into reviewing source code in Chapter 22, but during the recon phase, look for hardcoded secrets such as API keys, encryption keys, and database passwords. Search the organization’s repositories for terms like key, secret, and password to locate hardcoded user credentials that you can use to access internal systems. After you’ve found leaked credentials, you can use KeyHacks (https://github.com/streaak/keyhacks/) to check if the credentials are valid and learn how to use them to access the target’s services.
You should also search for sensitive functionalities in the project. See if any of the source code deals with important functions such as authentication, password reset, state-changing actions, or private info reads. Pay attention to code that deals with user input, such as HTTP request parameters, HTTP headers, HTTP request paths, database entries, file reads, and file uploads, because they provide potential entry points for attackers to exploit the application’s vulnerabilities. Look for any configuration files, as they allow you to gather more information about the target’s infrastructure. Also, search for old endpoints and S3 bucket URLs that you can attack. Record these files for further review in the future.
Outdated dependencies and the unchecked use of dangerous functions are also a huge source of bugs. Pay attention to dependencies and imports being used and go through the versions list to see if they’re outdated. Record any outdated dependencies. You can use this information later to look for publicly disclosed vulnerabilities that would work on your target.
Tools like Gitrob and TruffleHog can automate the GitHub recon process. Gitrob (https://github.com/michenriksen/gitrob/) locates potentially sensitive files pushed to public repositories on GitHub. TruffleHog (https://github.com/trufflesecurity/truffleHog/) specializes in finding secrets in repositories by conducting regex searches and scanning for high-entropy strings.