Newbie Diary 5: Kali penetration testing, passive information gathering (part 4): theHarvester, metagoofil, Maltego, and a personal password dictionary with CUPP

Source: Internet   Editor: 程序博客网   Date: 2024/06/13 17:01



1. theHarvester

theHarvester is a social-engineering reconnaissance tool: it gathers e-mail addresses, subdomains, hosts, employee names, open ports and banners for a target from search engines, PGP key servers and the SHODAN database.

Note: from China this usually requires a proxy to reach the search engines.

# proxychains can be used to send it through a proxy

root@kali:~# theharvester -h

*******************************************************************
* TheHarvester Ver. 2.6                                           *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*******************************************************************

Usage: theharvester options
       -d: Domain to search or company name
       -b: data source: google, googleCSE, bing, bingapi, pgp        # which search engine or social source to query
                        linkedin, google-profiles, people123, jigsaw,
                        twitter, googleplus, all
       -s: Start in result number X (default: 0)
       -v: Verify host name via dns resolution and search for virtual hosts
       -f: Save the results into an HTML and XML file                # save the results to a file
       -n: Perform a DNS reverse query on all ranges discovered
       -c: Perform a DNS brute force for the domain name
       -t: Perform a DNS TLD expansion discovery
       -e: Use this DNS server
       -l: Limit the number of results to work with(bing goes from 50 to 50 results,
            google 100 to 100, and pgp doesn't use this option)       # cap on results; bing pages in steps of 50, google in steps of 100
       -h: use SHODAN database to query discovered hosts

Examples:                                                            # examples
        theharvester -d microsoft.com -l 500 -b google
        theharvester -d microsoft.com -b pgp
        theharvester -d microsoft -l 200 -b linkedin
        theharvester -d apple.com -b googleCSE -l 500 -s 300

Example: theharvester -d sina.com -l 300 -b bing
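To make concrete what theHarvester does with each page a data source returns, here is an added Python example (my own code, not theHarvester's and not from the original post) that mines a constructed page of search results for e-mail addresses and hostnames scoped to the target domain, the way `-b bing` or `-b google` output is processed. The HTML, hosts and addresses are invented, and `harvest()` is a hypothetical helper name.

```python
import html
import re

# Constructed sample page of search-engine results for the target domain.
# The hosts and addresses are invented for this example.
SAMPLE_HTML = """
<a href="https://mail.example.com/login">Webmail</a> Contact
<b>admin@example.com</b> or &quot;hr&#64;example.com&quot; for HR.
Jobs: https://careers.example.com/ and https://www.example.com/about
Look-alike: http://example.com.evil.test/ (not the target)
Unrelated: bob@notexample.com, https://notexample.com/
Press: PRESS@EXAMPLE.COM, ftp://files.example.com/pub
"""


def harvest(text: str, domain: str):
    """Return (emails, hosts) in `text` that belong to `domain`.

    This is the scrape step theHarvester applies to each page a data
    source returns: unescape, regex, normalise case, de-duplicate, and
    reject look-alike domains (notexample.com, example.com.evil.test).
    """
    text = html.unescape(text)  # &#64; -> @, &quot; -> "
    d = re.escape(domain.lower())
    # Boundaries: nothing label-like before the match, and no further
    # label after it (so example.com.evil.test is not accepted).
    not_before = r"(?<![\w.@-])"
    not_after = r"(?!\.?[\w-])"
    email_re = re.compile(r"[\w.+-]+@(?:[\w-]+\.)*" + d + not_after, re.I)
    host_re = re.compile(not_before + r"(?:[\w-]+\.)*" + d + not_after, re.I)
    emails = sorted({m.group(0).lower() for m in email_re.finditer(text)})
    hosts = sorted({m.group(0).lower() for m in host_re.finditer(text)})
    return emails, hosts


if __name__ == "__main__":
    emails, hosts = harvest(SAMPLE_HTML, "example.com")
    print("[+] Emails found:")
    for e in emails:
        print("   ", e)
    print("[+] Hosts found:")
    for h in hosts:
        print("   ", h)
```

The look-alike filtering is the part worth copying: a bare `example\.com` regex would count `example.com.evil.test` and `notexample.com` as hits, and those false positives end up in the `-f` report and in later DNS brute-force runs.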



2. metagoofil (not shipped with Kali 2.0 by default)

metagoofil is a document information-gathering tool: it uses Google to find documents published under the target domain, downloads them and extracts their metadata (user names, software versions, paths). The formats listed here are .doc .odt .xls .ods .ppt .odp .pdf

metagoofil -d target.com -t doc,pdf -l 100 -n 10 -o files -f a.html
# -d domain, -t file types, -l search-result limit, -n files to download, -o working directory for downloads, -f HTML report
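Once metagoofil has downloaded the documents, the value is in the metadata. The following added example (not metagoofil's code and not from the original post) shows that extraction step for OOXML files: it builds a minimal .docx-shaped zip in memory, reads the core and app property parts, and aggregates user names, Windows domain prefixes and software versions across files the way the metagoofil report does. The names, domain and product strings are invented, and `make_docx`, `extract_metadata` and `summarize` are hypothetical helpers.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for the two metadata parts every .docx/.xlsx/.pptx carries.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Which elements carry the interesting fields, per part.
FIELDS = {
    "docProps/core.xml": [("creator", "dc:creator"),
                          ("last_modified_by", "cp:lastModifiedBy"),
                          ("created", "dcterms:created")],
    "docProps/app.xml": [("application", "ep:Application"),
                         ("company", "ep:Company")],
}


def make_docx(creator, modified_by, app, company):
    """Build a minimal .docx-shaped zip holding only the metadata parts.
    Constructed test input: the names and products are invented."""
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
            "<dc:creator>{creator}</dc:creator>"
            "<cp:lastModifiedBy>{mod}</cp:lastModifiedBy>"
            "<dcterms:created>2016-08-05T06:20:30Z</dcterms:created>"
            "</cp:coreProperties>").format(creator=creator, mod=modified_by, **NS)
    appx = ('<Properties xmlns="{ep}"><Application>{app}</Application>'
            "<Company>{company}</Company></Properties>").format(app=app, company=company, **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", appx)
        z.writestr("word/document.xml", "<w:document/>")  # body is irrelevant here
    return buf.getvalue()


def extract_metadata(data):
    """Pull author / editor / software fields out of one OOXML file."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part, fields in FIELDS.items():
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for key, path in fields:
                el = root.find(path, NS)
                if el is not None and el.text and el.text.strip():
                    meta[key] = el.text.strip()
    return meta


def summarize(docs):
    """Aggregate across many downloaded files, as metagoofil's report does:
    user names, Windows domain prefixes (DOMAIN\\user) and software versions."""
    users, domains, software = set(), set(), set()
    for data in docs:
        meta = extract_metadata(data)
        for key in ("creator", "last_modified_by"):
            value = meta.get(key)
            if not value:
                continue
            if "\\" in value:
                dom, user = value.split("\\", 1)
                domains.add(dom)
                users.add(user)
            else:
                users.add(value)
        if meta.get("application"):
            software.add(meta["application"])
    return {"users": sorted(users), "domains": sorted(domains),
            "software": sorted(software)}


if __name__ == "__main__":
    docs = [make_docx("zhangsan", "CORP\\lisi", "Microsoft Office Word", "Example Corp"),
            make_docx("wangwu", "wangwu", "LibreOffice/5.1", "")]
    print(summarize(docs))
```

The user list is what feeds the next stage (CUPP below, or password spraying against the mail server found with theHarvester), and the `DOMAIN\user` form tells you the internal Active Directory domain name without touching the target.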


3. Maltego

Note: you must register an account before the first run, and from China reaching the service requires a proxy.

An all-in-one information-gathering suite with a friendly graphical interface. The wizard offers several kinds of search ("machines") and you can also define your own.

Basic flow (the screenshots from the original post are not reproduced here):

1. Choose the entity type (custom types are possible)
2. Switch type
3. New

……

4. host

Resolve a domain name to the hosts behind it (A records), or ask for one record type, for example the mail exchangers:

# host 163.com
# host -t MX 163.com


5. Other channels

Social networks, company registration records, newsgroups and forums, job sites (the skills a company is hiring for hint at where it is weak: a posting for a web penetration tester suggests web security is a gap), and archiving sites such as archive.org (historical snapshots reveal past technology choices).


6. Personal password dictionary: CUPP (comparatively high hit rate) [not in Kali by default]

Written in Python and aimed at social-engineering scenarios: once you have collected concrete facts about the target, the script turns them into a targeted wordlist. [Keep in mind that password habits differ between Chinese and Western users.]

Note: if the Kali package sources are broken, switch to the USTC mirror (these lines are for the Kali 2.0 "sana" release):

deb http://mirrors.ustc.edu.cn/kali sana main non-free contrib
deb http://mirrors.ustc.edu.cn/kali-security/ sana/updates main contrib non-free
deb-src http://mirrors.ustc.edu.cn/kali-security/ sana/updates main contrib non-free

Install:

git clone https://github.com/Mebus/cupp.git                    # clone; the files land in ./cupp


Usage:

root@kali:~# cd cupp/
root@kali:~/cupp# ls
CHANGELOG.md  cupp3.py  cupp.cfg  cupp.py  LICENSE  README.md  test_cupp.py
root@kali:~/cupp# cat README.md                      # the user manual
# cupp.py - Common User Passwords Profiler

## About

  The most common form of authentication is the combination of a username
  and a password or passphrase. If both match values stored within a locally
  stored table, the user is authenticated for a connection. Password strength is
  a measure of the difficulty involved in guessing or breaking the password
  through cryptographic techniques or library-based automated testing of
  alternate values.

  A weak password might be very short or only use alphanumeric characters,
  making decryption simple. A weak password can also be one that is easily
  guessed by someone profiling the user, such as a birthday, nickname, address,
  name of a pet or relative, or a common word such as God, love, money or password.

  That is why CUPP was born, and it can be used in situations like legal
  penetration tests or forensic crime investigations.

## Options

  Usage: cupp.py [OPTIONS]
        -h      this menu
        -i      Interactive questions for user password profiling     # interactive profiling questions (the mode you will use most): a wizard that builds the personal wordlist
        -w      Use this option to profile existing dictionary,
                or WyD.pl output to make some pwnsauce :)
        -l      Download huge wordlists from repository
        -a      Parse default usernames and passwords directly from Alecto DB.
                Project Alecto uses purified databases of Phenoelit and CIRT which were merged and enhanced.
        -v      Version of the program

## Configuration

  CUPP has configuration file cupp.cfg with instructions.

## License

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 3 of the License, or
  any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

  See './LICENSE' for more information.

## Github import

This project was imported into https://github.com/Mebus/cupp by Mebus from:
  http://www.remote-exploit.org/content/cupp-3.0.tar.gz
  http://www.remote-exploit.org/articles/misc_research__amp_code/index.html
  to encourage further development of the tool.

## Original author

  Muris Kurgas aka j0rgan
  j0rgan@remote-exploit.org
  http://www.remote-exploit.org
  http://www.azuzi.me

## Contributors

  * Bosko Petrovic aka bolexxx
    bole_loser@hotmail.com
    http://www.offensive-security.com
    http://www.bolexxx.net
  * Mebus
    https://github.com/Mebus/
  * Abhro
    https://github.com/Abhro/
  * Andrea Giacomo
    https://github.com/codepr

Run it through the Python interpreter:

root@kali:~/cupp# python cupp.py -i


7. Image metadata

METADATA

Metadata is "data about other data": structured data that describes a resource. It exists to identify, evaluate and track resources as they change, to manage large volumes of networked data efficiently, and to make resources easy to discover, locate and organise. It can describe a resource's elements or attributes (name, size, data type), its structure (length, fields, columns) or related data (where it is, how to reach it, who owns it).

Exif data in photos: by default, phones and cameras record the physical location where a picture was taken. [http://baike.baidu.com/link?url=lsZXsROoT4fsYGDT9ilOrJFD_l82wK25U3dKVjIu_wrbX7ifCtGc5z8NmjkvjKlT00QrYG4L_qDebQT227uefq]

FOCA information collector

FOCA is an information-gathering tool from Spanish researchers that focuses on DNS and document metadata analysis. It handles many file types: Microsoft Office, OpenOffice and PDF are the most common, and it can also analyse Adobe InDesign and SVG files.

Analysing an image:

exiftool <image>    # or, as in the run below, the libexif command-line tool: exif <image>

root@kali:~# exif QQ图片20160907233944.jpg
EXIF tags in 'QQ图片20160907233944.jpg' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Date and Time       |2016:08:05 14:20:30
Model               |MX4 Pro
Image Width         |2592
YCbCr Positioning   |Centered
Image Length        |1944
Orientation         |Top-left
Software            |Flyme5.0              # the phone's OS
Manufacturer        |MEIZU
X-Resolution        |72
Y-Resolution        |72
Resolution Unit     |Inch
Image Width         |160                   # thumbnail IFD
Resolution Unit     |Inch
Image Length        |120
Y-Resolution        |72
Orientation         |Top-left
Compression         |JPEG compression
X-Resolution        |72
Color Space         |sRGB
Date and Time (Digit|2016:08:05 14:20:30
F-Number            |f/2.2
Exposure Program    |Normal program
Focal Length        |4.8 mm
Aperture            |2.27 EV (f/2.2)
White Balance       |Auto white balance
Pixel X Dimension   |2592
Image Unique ID     |
Shutter Speed       |8.77 EV (1/436 sec.)
Metering Mode       |Center-weighted average
Exposure Mode       |Auto exposure
Date and Time (Origi|2016:08:05 14:20:30
User Comment        |
Pixel Y Dimension   |1944
Flash               |Flash did not fire
Exif Version        |Exif Version 2.2
Focal Length in 35mm|31
Exposure Bias       |0.50 EV
Maximum Aperture Val|2.27 EV (f/2.2)
Brightness          |3.08 EV (28.97 cd/m^2)
Scene Capture Type  |Standard
ISO Speed Ratings   |40
Exposure Time       |1/438 sec.
FlashPixVersion     |FlashPix Version 1.0
GPS Image Direction |46
GPS Image Direction |M
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (2944 bytes).

The two GPS rows at the end are the compass heading (46 degrees) and its reference ('M' = magnetic north). This particular file carries no GPSLatitude/GPSLongitude tags, so it leaks the device model, OS version and timestamp but not a position; a photo straight off the phone often does.

On Windows you can use FOCA, or simply open the image's Properties and look at the Details tab.
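To show where the location leak in the text actually lives, this added Python example (my own code, not from the post, libexif or exiftool) builds a small JPEG with an Exif APP1 segment carrying GPS tags, walks IFD0 to the GPS IFD and converts the three RATIONAL values back to decimal degrees, then strips the segment, which is the scrub you would apply before publishing a photo. The coordinates and device model are constructed values, and the function names are assumptions. On the QQ image above, which has no latitude/longitude tags, the same parser would report no coordinates.

```python
import struct

# Exif/TIFF constants used below.
TAG_MODEL, TAG_GPS_IFD = 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5


def pack_ifd(entries, base):
    """Serialise one little-endian IFD placed at TIFF offset `base`.
    entries: (tag, type, count, payload bytes); payloads over 4 bytes go
    out-of-line after the IFD and the entry stores their offset."""
    entries = sorted(entries)                      # TIFF wants ascending tags
    data_start = base + 2 + 12 * len(entries) + 4  # count + entries + next-IFD
    ifd, data = struct.pack("<H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            field = payload.ljust(4, b"\0")
        else:
            field = struct.pack("<I", data_start + len(data))
            data += payload
        ifd += struct.pack("<HHI", tag, typ, count) + field
    return ifd + struct.pack("<I", 0) + data


def dms_rationals(value):
    """Decimal degrees -> three RATIONALs (deg/1, min/1, sec*100/100)."""
    total = round(abs(value) * 360000)             # hundredths of a second
    d, m, s100 = total // 360000, total % 360000 // 6000, total % 6000
    return struct.pack("<IIIIII", d, 1, m, 1, s100, 100)


def build_exif_jpeg(lat, lon, model=b"MX4 Pro"):
    """Constructed JPEG: SOI, one Exif APP1 with IFD0 -> GPS IFD, EOI.
    No image data, but enough for any Exif reader to find the position."""
    model_payload = model + b"\0"
    ifd0_base = 8
    gps_base = ifd0_base + 2 + 2 * 12 + 4 + len(model_payload)
    gps = pack_ifd([
        (GPS_LAT_REF, ASCII, 2, (b"N" if lat >= 0 else b"S") + b"\0"),
        (GPS_LAT, RATIONAL, 3, dms_rationals(lat)),
        (GPS_LON_REF, ASCII, 2, (b"E" if lon >= 0 else b"W") + b"\0"),
        (GPS_LON, RATIONAL, 3, dms_rationals(lon)),
    ], gps_base)
    ifd0 = pack_ifd([
        (TAG_MODEL, ASCII, len(model_payload), model_payload),
        (TAG_GPS_IFD, LONG, 1, struct.pack("<I", gps_base)),
    ], ifd0_base)
    tiff = b"II*\0" + struct.pack("<I", ifd0_base) + ifd0 + gps
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (offset, marker, length) for each header segment before SOS."""
    pos = 2                                        # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                         # start of scan: headers end
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, marker, seglen
        pos += 2 + seglen


def parse_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None when no GPS tags exist."""
    for pos, marker, seglen in _segments(jpeg):
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _gps_from_tiff(jpeg[pos + 10:pos + 2 + seglen])
    return None


def _gps_from_tiff(t):
    e = "<" if t[:2] == b"II" else ">"             # 'II' = Intel, 'MM' = Motorola
    u16 = lambda o: struct.unpack(e + "H", t[o:o + 2])[0]
    u32 = lambda o: struct.unpack(e + "I", t[o:o + 4])[0]

    def entries(ifd):                              # tag -> offset of its value field
        return {u16(ifd + 2 + 12 * i): ifd + 10 + 12 * i for i in range(u16(ifd))}

    ifd0 = entries(u32(4))
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = entries(u32(ifd0[TAG_GPS_IFD]))
    if not {GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON} <= set(gps):
        return None

    def degrees(tag):                              # 3 RATIONALs -> decimal
        off = u32(gps[tag])
        d, m, s = (n / den for n, den in struct.iter_unpack(e + "II", t[off:off + 24]))
        return d + m / 60 + s / 3600

    lat = degrees(GPS_LAT) * (-1 if t[gps[GPS_LAT_REF]:gps[GPS_LAT_REF] + 1] == b"S" else 1)
    lon = degrees(GPS_LON) * (-1 if t[gps[GPS_LON_REF]:gps[GPS_LON_REF] + 1] == b"W" else 1)
    return round(lat, 5), round(lon, 5)


def strip_exif(jpeg):
    """Copy the file without its Exif APP1 segment(s): the scrub step."""
    out, end = bytearray(jpeg[:2]), 2
    for pos, marker, seglen in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0"):
            out += jpeg[pos:pos + 2 + seglen]
        end = pos + 2 + seglen
    return bytes(out) + jpeg[end:]


if __name__ == "__main__":
    sample = build_exif_jpeg(22.5431, 114.0579)    # constructed coordinates
    print("GPS in sample:", parse_gps(sample))
    print("GPS after scrub:", parse_gps(strip_exif(sample)))
```

Note that the byte-order check at the top of `_gps_from_tiff` is what the "'Intel' byte order" line in the exif output refers to: the same tags can be stored big-endian ('MM') by other devices, and a parser that assumes one order reads garbage offsets from the other.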
