[Penetration Testing Tools Series] Gobuster, a Content Enumeration Tool
Author: FancyPig | Published: | Updated:
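Video walkthrough
In this video we introduce a tool for content enumeration and brute forcing. It has built-in plugins (modes) for directory scanning, DNS enumeration, server virtual host names, Amazon S3 buckets and more, and it is a pleasure to use.
Illustrated walkthrough
Installation
You can install Gobuster directly with go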
go install github.com/OJ/gobuster/v3@latest
Once installation finishes, type gobuster to run it
Usage
Directory scanning
We can use gobuster to probe for directories, using the dir plugin (mode)
Wordlist: /opt/SecLists/Discovery/Web-Content/common.txt
gobuster dir --url 127.0.0.1 --wordlist /opt/SecLists/Discovery/Web-Content/common.txt
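Rate limiting
It is worth mentioning that when doing bug bounty work we usually limit the request rate, which can be done with the following parameters
- --threads: number of threads
- --delay: delay between requests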
gobuster dir --url 127.0.0.1 --wordlist /opt/SecLists/Discovery/Web-Content/common.txt --threads 10 --delay 1s
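Beyond that, we occasionally need to set a specific user-agent and request headers, which can be done with the following parameters
- --useragent: sets the user-agent
- --headers: sets a header name and value in the request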
gobuster dir --url 127.0.0.1 --wordlist /opt/SecLists/Discovery/Web-Content/common.txt --threads 10 --delay 1s --useragent 'PinkDraconian-Intigriti' --headers 'X-Intigriti:PinkDraconian'

The scan quickly reveals the directories and files that exist
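A defender-side view of the scans above, as an added example that is not part of the original post: this Python sketch groups web access-log lines by client and flags wordlist enumeration by distinct-path count and 404 ratio, which does not depend on request rate, so the --threads and --delay settings do not change the result. The log lines, thresholds and function name are constructed for illustration; the user-agent value is the one used in the commands above.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2022:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "PinkDraconian-Intigriti"
203.0.113.7 - - [01/Dec/2022:10:00:02 +0000] "GET /.htaccess HTTP/1.1" 404 153 "-" "PinkDraconian-Intigriti"
203.0.113.7 - - [01/Dec/2022:10:00:03 +0000] "GET /admin HTTP/1.1" 301 178 "-" "PinkDraconian-Intigriti"
203.0.113.7 - - [01/Dec/2022:10:00:04 +0000] "GET /backup HTTP/1.1" 404 153 "-" "PinkDraconian-Intigriti"
203.0.113.7 - - [01/Dec/2022:10:00:05 +0000] "GET /cgi-bin HTTP/1.1" 404 153 "-" "PinkDraconian-Intigriti"
203.0.113.7 - - [01/Dec/2022:10:00:06 +0000] "GET /config HTTP/1.1" 404 153 "-" "PinkDraconian-Intigriti"
203.0.113.7 - - [01/Dec/2022:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "PinkDraconian-Intigriti"
203.0.113.7 - - [01/Dec/2022:10:00:08 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "PinkDraconian-Intigriti"
198.51.100.20 - - [01/Dec/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Dec/2022:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Dec/2022:10:00:04 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Dec/2022:10:00:04 +0000] "GET /js/app.js HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Dec/2022:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def detect_enumeration(log_text, min_paths=5, min_404_ratio=0.7):
    """Return {ip: summary} for clients whose requests look like wordlist enumeration."""
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "not_found": 0, "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        s = stats[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        s["agents"].add(m["ua"])
        if m["status"] == "404":
            s["not_found"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["total"]
        # Many distinct paths that are mostly missing is the enumeration signature.
        if len(s["paths"]) >= min_paths and ratio >= min_404_ratio:
            flagged[ip] = {"requests": s["total"], "distinct_paths": len(s["paths"]),
                           "ratio_404": round(ratio, 2), "user_agents": sorted(s["agents"])}
    return flagged

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

The reported user-agent is what lets a program's triage team attribute flagged traffic to a tagged researcher rather than treat it as unknown scanning.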

Subdomain probing
We can also probe a server for subdomains
Wordlist: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster vhost --url pink.com --wordlist /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --threads 10 --delay 1s --useragent 'PinkDraconian-Intigriti' --headers 'X-Intigriti:PinkDraconian'

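Fuzzing / password brute forcing
Beyond that, you can also use Gobuster for fuzzing, or in other words use it to brute-force passwords. This uses the fuzz mode, which substitutes each wordlist entry for the FUZZ keyword
Wordlist: /opt/SecLists/Passwords/darkweb2017-top10000.txt
gobuster fuzz --url 'http://127.0.0.1/admin.php?username=admin&password=FUZZ' --wordlist /opt/SecLists/Passwords/darkweb2017-top10000.txt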
DNS enumeration
gobuster dns -d google.com -w ~/wordlists/subdomains.txt
Result
===============================================================
Gobuster v3.2.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Mode : dns
[+] Url/Domain : google.com
[+] Threads : 10
[+] Wordlist : /home/oj/wordlists/subdomains.txt
===============================================================
2019/06/21 11:54:20 Starting gobuster
===============================================================
Found: chrome.google.com
Found: ns1.google.com
Found: admin.google.com
Found: www.google.com
Found: m.google.com
Found: support.google.com
Found: translate.google.com
Found: cse.google.com
Found: news.google.com
Found: music.google.com
Found: mail.google.com
Found: store.google.com
Found: mobile.google.com
Found: search.google.com
Found: wap.google.com
Found: directory.google.com
Found: local.google.com
Found: blog.google.com
===============================================================
2019/06/21 11:54:20 Finished
===============================================================
S3 bucket detection
gobuster s3 -w bucket-names.txt