Introduction
During internal network penetration testing you sometimes find web sites that cannot be reached by IP address. The usual reason is that the target has bound the site to a domain name, especially where several domain-name sites share one server. Requesting the IP then returns 401, 403, 404 or a similar error, or returns no error at all but the default IIS or Apache page; if you conclude that no site is deployed there, you may miss vulnerable web applications. Similarly, once you have compromised one machine on the internal network and want to reach the main site from it, Ladon's WebScan or WhatCms may fail to find the main site's IP, most often because the site is bound to a domain name (in IIS this is configured as a host header). This article addresses that problem.
Solution
1. Edit the hosts file to bind the domain name to the IP, request the IP, and compare the returned page with the target's main site.
2. Request the IP with the HTTP Host header set, and compare the returned page with the target's main site.
Practical uses
1. Finding the internal IP that a domain name resolves to
2. Finding the several IPs that the main site is bound to
C# code
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

namespace hostscan
{
    class Program
    {
        //hostscan for ladon
        //http://k8gege.org
        static void Main(string[] args)
        {
            string ip = "";
            //string host = "qq.com"; // when scanning a C class range or in batch, hard-code the target's domain here
            string host = ""; // no Host header: by default fetch the title the IP itself returns
            if (args.Length == 1)
            {
                ip = args[0];
            }
            else if (args.Length == 2)
            {
                ip = args[0];
                host = args[1];
            }
            else
            {
                Console.WriteLine("hostscan ip");
                Console.WriteLine("hostscan ip domain");
                return;
            }
            string url = "http://" + ip;
            if (ip.Contains("http://") || ip.Contains("https://"))
                url = ip;
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
            req.Method = "GET";
            req.ContentType = "application/octet-stream";
            if (host != "")
                req.Host = host; // replaces the Host header so the server routes the request to the named site (.NET 4.0+)
            req.Accept = "image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, application/vnd.ms-xpsdocument, application/x-ms-application, application/x-ms-xbap, application/xaml+xml, */*";
            try
            {
                HttpWebResponse response = (HttpWebResponse)req.GetResponse();
                // decode with the charset the server declares, falling back to UTF-8;
                // Encoding.Default (GBK on a Chinese Windows) garbles UTF-8 pages
                Encoding enc = Encoding.UTF8;
                try
                {
                    if (!string.IsNullOrEmpty(response.CharacterSet))
                        enc = Encoding.GetEncoding(response.CharacterSet);
                }
                catch (ArgumentException) { }
                Stream myResponseStream = response.GetResponseStream();
                StreamReader myStreamReader = new StreamReader(myResponseStream, enc);
                string retString = myStreamReader.ReadToEnd();
                myStreamReader.Close();
                myResponseStream.Close();
                response.Close();
                Console.WriteLine(ip + " " + GetTitle(retString));
            }
            catch (Exception)
            {
                // unreachable host, timeout or non-HTTP reply: print nothing for this IP
            }
        }
        private static string GetTitle(string html)
        {
            // first <title> element, in any case, even if it spans several lines
            string regex = @"<title>.+?</title>";
            string title = Regex.Match(html, regex, RegexOptions.IgnoreCase | RegexOptions.Singleline).Value;
            title = Regex.Replace(title, @"[\""]+", "");
            return title;
        }
    }
}
Request the IP with the host header set and fetch the title (without the host header no title is returned)
C:\Users\k8gege>hostscan 58.250.137.36 qq.com
58.250.137.36 <title>腾讯首页</title>
Batch detection
Obviously, when it is not known which internal IP is the main site's machine, trying IPs one at a time is far too slow, so the detection has to be automated in code. We can fetch the web titles of a whole C class range and compare each IP's title with the one seen when the site is accessed from the outside; the IP whose title matches is the main site's machine. If load balancing is in place or the machine has several network cards, several IPs may share the same title.
Because it is a .NET program, Ladon can load the EXE directly as a module for scanning. The scan results show that qq.com is bound to several IPs. In practice, point it at the target's internal IP range; hostscan.exe needs the domain hard-coded or read from a TXT file.
C:\Users\k8gege>hostscan 58.250.137.36 qq.com
58.250.137.36 <title>腾讯首页</title>
C:\Users\k8gege>Ladon40 58.250.137.36/24 hostscan.exe
Ladon 6.6
Start: 2020-07-15 21:42:40
Runtime: .net 4.0 OS Arch: x86
OS Name: Microsoft Windows 7 旗舰版
Call DiyMoudle (c# exe)
58.250.137.36/24
load hostscan.exe
58.250.137.36/24 is Valid CIDR
IPCound: 256
Scan Start: 2020-07-15 21:42:40
58.250.137.100 <title>鑵捐浜戞櫤鏈?涓€閿惌寤轰紒涓氳嚜宸辩殑瀹㈡湇骞冲彴</title>
58.250.137.36 <title>腾讯首页</title>
58.250.137.38 <title>腾讯首页</title>
58.250.137.116
58.250.137.124
58.250.137.115
58.250.137.107 <title>鎶㈡敞QQ绌洪棿涓撳睘鍩熷悕</title>
58.250.137.112 <title>鐧诲綍</title>
58.250.137.101 <title>腾讯首页</title>
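The single request and the batch scan above rest on the same mechanism: name-based virtual hosting (IIS host headers) picks the site from the Host header, so an IP-only request gets the default page while the same request with the right Host header gets the bound site, and a batch scan then compares titles to see which addresses serve a given name. The following Python script is an added illustration, not part of the original post or of Ladon/hostscan, and reproduces both steps offline: it runs a small virtual-host server on 127.0.0.1 (the site names, page titles and sample scan results are constructed), requests it with and without a Host header, and groups scan results by title against a reference title, which is also what a defender needs when checking which internal addresses actually answer for a public name.

```python
import http.client
import http.server
import ipaddress
import re
import socketserver
import threading
import urllib.error
import urllib.request
from collections import defaultdict

# Constructed sample: a minimal name-based virtual host, like IIS "host headers".
# The site is chosen from the Host header; a missing or unknown Host gets the default page.
SITES = {
    "www.example.test": "<html><head><title>Example Corp Portal</title></head></html>",
    "intranet.example.test": "<html><head><title>Intranet Login</title></head></html>",
}
DEFAULT_PAGE = "<html><head><title>IIS Windows Server</title></head></html>"


class VHostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host, DEFAULT_PAGE).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep per-request logging quiet
        pass


def start_server():
    """Bind the sample virtual-host server to a free port on localhost."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def get_title(html):
    """Text of the first <title> element (any case, may span lines), or '' if none."""
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else ""


def fetch_title(url, host=None, timeout=5):
    """GET url and return its title.  With host set, that value is sent as the
    Host header; urllib then does not add the one derived from the URL."""
    req = urllib.request.Request(url, method="GET")
    if host:
        req.add_header("Host", host)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            charset = resp.headers.get_content_charset() or "utf-8"
            return get_title(resp.read().decode(charset, errors="replace"))
    except (OSError, http.client.HTTPException):
        return ""  # refused, unreachable, timed out or not HTTP: no title


def group_by_title(results, reference_title):
    """results: iterable of (ip, title).  Returns the IPs whose title equals the
    reference title (candidates for the main site), in address order, plus a
    dict of the remaining titles and their IPs."""
    groups = defaultdict(list)
    for ip, title in results:
        groups[title].append(ip)
    matching = sorted(groups.pop(reference_title, []), key=ipaddress.ip_address)
    return matching, dict(groups)


def demo():
    """IP-only request versus the same request with a Host header, against the local server."""
    srv = start_server()
    try:
        base = "http://127.0.0.1:%d/" % srv.server_address[1]
        ip_only = fetch_title(base)                         # default page
        named = fetch_title(base, host="www.example.test")  # the bound site
        return ip_only, named
    finally:
        srv.shutdown()
        srv.server_close()


# Constructed batch results in the shape of the scan output above: (ip, title);
# an empty title means the address answered without a title or not at all.
SAMPLE_SCAN = [
    ("10.0.0.100", "Helpdesk Platform"),
    ("10.0.0.36", "Example Corp Portal"),
    ("10.0.0.38", "Example Corp Portal"),
    ("10.0.0.116", ""),
    ("10.0.0.101", "Example Corp Portal"),
]

if __name__ == "__main__":
    print(demo())
    print(group_by_title(SAMPLE_SCAN, "Example Corp Portal"))
```

Running the script prints the default title for the IP-only request and the portal title for the Host-headered one, then lists 10.0.0.36, 10.0.0.38 and 10.0.0.101 as the addresses sharing the reference title, the same grouping the scan output above shows for qq.com. Titles are decoded with the charset the server declares, which avoids the garbled titles seen in the output when a UTF-8 page is read with the system default encoding.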
Tool download
Latest version: https://k8gege.org/Download
Previous versions: https://github.com/k8gege/Ladon/releases