信息收集技术全面指南<\/h1>

主域名搜集<\/h2>
主域名搜集是信息收集的第一步，决定了后续能够搜索到的资产范围。以下是几种有效的搜集方法：<\/p>

1. 谷歌语法搜索<\/h3>

使用Google高级搜索语法可以高效定位目标资产：<\/p>

查找相似网站<\/strong>：related:kelnur.com<\/code> - 查找与目标网站内容相似的站点<\/li>
搜索主域名含关键词<\/strong>：site:.com "kelnur" -site:*.com<\/code> - 在.com主域名中搜索关键词，排除子域名<\/li>
查找反向链接的主域名<\/strong>：link:kelnur.com -site:*.com<\/code> - 查找直接链接到目标网站的主域名<\/li>

查找新注册的含关键词域名<\/strong>："kelnur" daterange:20240101-20241231 -site:*.com<\/code> - 搜索特定时间段内新注册的域名<\/li> <\/ul> 2. 网站图标(Favicon)查询<\/h3> 通过空间测绘工具(如FOFA、Shodan)使用网站图标哈希值进行查询，可能发现使用相同图标的其他主域名网站。<\/p> 3. IP查询法<\/h3> 空间测绘<\/strong>：根据网站的真实IP地址查询绑定的主域名<\/li> IP域名反查<\/strong>：使用https:\/\/viewdns.info\/reverseip\/<\/code>等工具进行反查<\/li> <\/ul> 4. 网站关联分析<\/h3> 通过分析网站的友情链接、合作伙伴等关联信息，寻找可能的主域名。<\/p> 子域名收集<\/h2> 1. 被动收集方法<\/h3> DNS查询<\/strong>：使用https:\/\/dnsdumpster.com\/<\/code><\/li> 证书查询<\/strong>：使用https:\/\/crt.sh\/<\/code>查询SSL证书中出现的子域名<\/li> <\/ul> 2. 主动收集工具<\/h3> Ksubdomain<\/h4> 特点<\/strong>：主动收集工具，异步DNS数据包，使用pcap每秒可扫描160万个子域名<\/li> 安装<\/strong>：https:\/\/github.com\/boy-hack\/ksubdomain<\/code><\/li> 常用命令<\/strong>： cat url.txt|.\/ksubdomain e --stdin -o url2.txt <\/span><\/span><\/code><\/pre> e<\/code>：枚举子域名<\/li> --silent<\/code>：静默模式输出<\/li> -o url2.txt<\/code>：结果输出到文件<\/li> <\/ul> <\/li> <\/ul> Subfinder<\/h4> 特点<\/strong>：快速被动子域枚举工具<\/li> 安装<\/strong>：https:\/\/github.com\/projectdiscovery\/subfinder<\/code><\/li> 常用命令<\/strong>： .\/subfinder -dL url.txt -o url2.txt <\/span><\/span><\/code><\/pre> -dL url.txt<\/code>：从文件读取多个主域名<\/li> -o url2.txt<\/code>：结果输出到文件<\/li> <\/ul> <\/li> <\/ul> 3. 去重处理<\/h3> 使用Python脚本进行高效去重：<\/p> seen =<\/span> set() <\/span><\/span>with<\/span> open('url3.txt'<\/span>, 'r'<\/span>, encoding=<\/span>'utf-8'<\/span>) as<\/span> infile, open('url4.txt'<\/span>, 'w'<\/span>, encoding=<\/span>'utf-8'<\/span>) as<\/span> outfile: <\/span><\/span> for<\/span> line in<\/span> infile: <\/span><\/span> line =<\/span> line.<\/span>strip() <\/span><\/span> if<\/span> line: <\/span><\/span> first_part =<\/span> line.<\/span>split('=>'<\/span>)[0<\/span>].<\/span>strip() <\/span><\/span> if<\/span> first_part not<\/span> in<\/span> seen: <\/span><\/span> seen.<\/span>add(first_part) <\/span><\/span> outfile.<\/span>write(first_part +<\/span> '<\/span>\n<\/span>'<\/span>) <\/span><\/span><\/code><\/pre>IP地址收集<\/h2> 1. 子域名解析IP<\/h3> 使用Python脚本批量解析子域名IP并去重：<\/p> import<\/span> dns.resolver <\/span><\/span>import<\/span> concurrent.futures <\/span><\/span>import<\/span> sys <\/span><\/span>from<\/span> tqdm import<\/span> tqdm <\/span><\/span> <\/span><\/span>def<\/span> get_ip_from_local_dns<\/span>(domain, dns_server=<\/span>"8.8.8.8"<\/span>, dns_port=<\/span>53<\/span>): <\/span><\/span> resolver =<\/span> dns.<\/span>resolver.<\/span>Resolver() <\/span><\/span> resolver.<\/span>nameservers =<\/span> [dns_server] <\/span><\/span> resolver.<\/span>port =<\/span> dns_port <\/span><\/span> resolver.<\/span>timeout =<\/span> 2<\/span> <\/span><\/span> resolver.<\/span>lifetime =<\/span> 3<\/span> <\/span><\/span> try<\/span>: <\/span><\/span> answers =<\/span> resolver.<\/span>resolve(domain, 'A'<\/span>) <\/span><\/span> ip_list =<\/span> [rdata.<\/span>address for<\/span> rdata in<\/span> answers] <\/span><\/span> return<\/span> domain, ip_list, None<\/span> <\/span><\/span> except<\/span> Exception<\/span> as<\/span> e: <\/span><\/span> return<\/span> domain, [], str(e) <\/span><\/span> <\/span><\/span>def<\/span> read_urls_from_file<\/span>(file_path): <\/span><\/span> try<\/span>: <\/span><\/span> with<\/span> open(file_path, 'r'<\/span>) as<\/span> file: <\/span><\/span> urls =<\/span> file.<\/span>readlines() <\/span><\/span> return<\/span> [url.<\/span>strip() for<\/span> url in<\/span> urls if<\/span> url.<\/span>strip()] <\/span><\/span> except<\/span> FileNotFoundError<\/span>: <\/span><\/span> print(f<\/span>"[-] 文件 <\/span>{<\/span>file_path}<\/span> 未找到"<\/span>) <\/span><\/span> return<\/span> [] <\/span><\/span> <\/span><\/span>def<\/span> write_ips_to_file<\/span>(results, output_path=<\/span>"ips.txt"<\/span>): <\/span><\/span> try<\/span>: <\/span><\/span> with<\/span> open(output_path, 'w'<\/span>) as<\/span> file: <\/span><\/span> for<\/span> ip in<\/span> results: <\/span><\/span> file.<\/span>write(f<\/span>"<\/span>{<\/span>ip}<\/span>\n<\/span>"<\/span>) <\/span><\/span> print(f<\/span>"[+] 所有 IP 地址已写入 <\/span>{<\/span>output_path}<\/span> 文件"<\/span>) <\/span><\/span> except<\/span> Exception<\/span> as<\/span> e: <\/span><\/span> print(f<\/span>"[-] 写入文件时出错: <\/span>{<\/span>e}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span>def<\/span> process_result<\/span>(result): <\/span><\/span> domain, ips, error =<\/span> result <\/span><\/span> if<\/span> error: <\/span><\/span> print(f<\/span>"[-] <\/span>{<\/span>domain}<\/span> 解析失败: <\/span>{<\/span>error}<\/span>"<\/span>) <\/span><\/span> else<\/span>: <\/span><\/span> print(f<\/span>"[+] <\/span>{<\/span>domain}<\/span> => <\/span>{<\/span>','<\/span>.<\/span>join(ips)}<\/span>"<\/span>) <\/span><\/span> return<\/span> ips <\/span><\/span> <\/span><\/span>def<\/span> main<\/span>(): <\/span><\/span> if<\/span> len(sys.<\/span>argv) ><\/span> 1<\/span>: <\/span><\/span> file_path =<\/span> sys.<\/span>argv[1<\/span>] <\/span><\/span> else<\/span>: <\/span><\/span> file_path =<\/span> input("请输入包含域名的文件路径 (如url.txt): "<\/span>) <\/span><\/span> <\/span><\/span> domains =<\/span> read_urls_from_file(file_path) <\/span><\/span> if<\/span> not<\/span> domains: <\/span><\/span> print("[-] 没有找到有效的域名"<\/span>) <\/span><\/span> return<\/span> <\/span><\/span> <\/span><\/span> print(f<\/span>"[*] 开始处理 <\/span>{<\/span>len(domains)}<\/span> 个域名..."<\/span>) <\/span><\/span> all_ips =<\/span> [] <\/span><\/span> <\/span><\/span> with<\/span> concurrent.<\/span>futures.<\/span>ThreadPoolExecutor(max_workers=<\/span>50<\/span>) as<\/span> executor: <\/span><\/span> future_to_domain =<\/span> {executor.<\/span>submit(get_ip_from_local_dns, domain): domain for<\/span> domain in<\/span> domains} <\/span><\/span> <\/span><\/span> for<\/span> future in<\/span> tqdm(concurrent.<\/span>futures.<\/span>as_completed(future_to_domain), total=<\/span>len(domains), desc=<\/span>"解析进度"<\/span>): <\/span><\/span> result =<\/span> future.<\/span>result() <\/span><\/span> domain_ips =<\/span> process_result(result) <\/span><\/span> all_ips.<\/span>extend(domain_ips) <\/span><\/span> <\/span><\/span> unique_ips =<\/span> list(set(all_ips)) <\/span><\/span> print(f<\/span>"[+] 共发现 <\/span>{<\/span>len(unique_ips)}<\/span> 个唯一IP地址"<\/span>) <\/span><\/span> write_ips_to_file(unique_ips) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> main() <\/span><\/span><\/code><\/pre>2. CDN绕过技术<\/h3> CDN简介<\/strong>：内容分发网络，通过分布式服务器缓存内容，提升访问速度并隐藏真实IP。<\/p> 绕过方法<\/strong>：<\/p> 内部邮箱资源<\/strong>：<\/p> 通过目标网站的注册或RSS订阅功能获取邮件头<\/li> 查找邮件服务器域名并解析其IP<\/li> <\/ul> <\/li> 扫描网站测试文件<\/strong>：<\/p> 如.phpinfo、.test等可能暴露真实IP的文件<\/li> <\/ul> <\/li> 子域名反推法<\/strong>：<\/p> 查找未启用CDN的子域名(如mail.example.com)并解析其IP<\/li> <\/ul> <\/li> 网络空间引擎搜索<\/strong>：<\/p> 使用FOFA、Shodan等直接查询主域名<\/li> <\/ul> <\/li> 全球Ping<\/strong>：<\/p> 使用https:\/\/tool.chinaz.com\/speedworld\/<\/code>等工具进行全球Ping测试<\/li> <\/ul> <\/li> phpinfo.php探针<\/strong>：<\/p> 查找可能暴露服务器信息的探针文件<\/li> <\/ul> <\/li> C段查询<\/strong>：<\/p> 对已知IP的C段进行查询，可能发现真实服务器<\/li> <\/ul> <\/li> <\/ol> 端口收集<\/h2> 1. Naabu端口扫描<\/h3> 特点<\/strong>：Go编写的快速端口扫描程序，注重可靠性和简单性<\/li> 安装<\/strong>：https:\/\/github.com\/projectdiscovery\/naabu<\/code><\/li> 常用命令<\/strong>： .\n<\/span>aabu.exe -l ips.txt -silent <\/span><\/span><\/code><\/pre> -l ips.txt<\/code>：指定IP列表文件<\/li> -silent<\/code>：静默模式输出<\/li> <\/ul> <\/li> <\/ul> 2. 常见端口及攻击方式<\/h3> 端口<\/th> 服务<\/th> 攻击方式<\/th> <\/tr> <\/thead> 21<\/td> FTP\/TFTP<\/td> 爆破\/嗅探\/溢出\/后门<\/td> <\/tr> 22<\/td> SSH<\/td> 爆破\/OpenSSH漏洞<\/td> <\/tr> 23<\/td> Telnet<\/td> 爆破\/嗅探\/弱口令<\/td> <\/tr> 25<\/td> SMTP<\/td> 邮件伪造<\/td> <\/tr> 53<\/td> DNS<\/td> 域传送\/劫持\/缓存投毒\/欺骗<\/td> <\/tr> 80\/443<\/td> HTTP\/HTTPS<\/td> Web应用漏洞\/心脏滴血<\/td> <\/tr> 1433<\/td> MSSQL<\/td> 爆破\/注入\/SA弱口令<\/td> <\/tr> 3306<\/td> MySQL<\/td> 爆破\/注入<\/td> <\/tr> 3389<\/td> RDP<\/td> 爆破\/shift后门<\/td> <\/tr> 6379<\/td> Redis<\/td> 未授权访问\/爆破<\/td> <\/tr> 7001\/7002<\/td> WebLogic<\/td> Java反序列化\/控制台弱口令<\/td> <\/tr> 8080<\/td> Tomcat\/JBoss<\/td> 爆破\/PUT文件上传\/反序列化<\/td> <\/tr> 9200\/9300<\/td> Elasticsearch<\/td> 远程代码执行<\/td> <\/tr> 27017<\/td> MongoDB<\/td> 未授权访问\/爆破<\/td> <\/tr> <\/tbody> <\/table> 存活探测<\/h2> HTTPX工具<\/h3> 特点<\/strong>：快速多功能HTTP工具包，支持多种探测功能<\/p> <\/li> 安装<\/strong>：https:\/\/github.com\/projectdiscovery\/httpx<\/code><\/p> <\/li> 常用命令<\/strong>：<\/p> cat url4.txt | .\h<\/span>ttpx.exe -status-code -title -tech-detect -follow-redirects -mc 200,302,403 -proxy http:\/\/127.0.0.1:7897 -threads 200<\/span> -timeout 10<\/span> -o result.json <\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p> -status-code<\/code>：显示HTTP状态码<\/li> -title<\/code>：抓取网页标题<\/li> -tech-detect<\/code>：检测Web技术<\/li> -follow-redirects<\/code>：跟随重定向<\/li> -mc 200,302,403<\/code>：只显示指定状态码的结果<\/li> -proxy<\/code>：通过代理发送请求<\/li> -threads 200<\/code>：使用200个并发线程<\/li> -timeout 10<\/code>：设置10秒超时<\/li> -o result.json<\/code>：输出JSON格式结果<\/li> <\/ul> <\/li> <\/ul> 指纹识别<\/h2> EHole_magic<\/h3> 特点<\/strong>：支持路径指纹识别、重点资产漏洞检测、FTP服务识别及爆破<\/p> <\/li> 安装<\/strong>：https:\/\/github.com\/lemonlove7\/EHole_magic<\/code><\/p> <\/li> 常用命令<\/strong>：<\/p> .\e<\/span>hole_windows.exe finger -l .\u<\/span>rl.txt --proxy http:\/\/127.0.0.1:7897 <\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p> finger<\/code>：指纹识别模块<\/li> -l .\url.txt<\/code>：指定目标列表文件<\/li> --proxy<\/code>：通过代理发送请求<\/li> <\/ul> <\/li> <\/ul> 网站基本信息收集<\/h3> 编程语言<\/strong>：使用Wappalyzer工具分析<\/li> 数据库类型<\/strong>：Wappalyzer或FOFA识别<\/li> Web容器<\/strong>：Wappalyzer和FOFA识别<\/li> 操作系统<\/strong>：大小写测试(Windows不区分大小写，Linux区分)<\/li> Ping TTL值分析<\/li> <\/ul> <\/li> <\/ol> 目录扫描<\/h2> FFUF工具<\/h3> 特点<\/strong>：Go编写的快速Web模糊器<\/p> <\/li> 安装<\/strong>：https:\/\/github.com\/ffuf\/ffuf<\/code><\/p> <\/li> 常用命令<\/strong>：<\/p> .\f<\/span>fuf.exe -u https:\/\/www.example.com\/FUZZ -w .\/common.txt -x http:\/\/127.0.0.1:7897 -mc 200<\/span> -recursion -recursion-depth 2<\/span> -c <\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p> -u<\/code>：目标URL，FUZZ为占位符<\/li> -w<\/code>：字典文件路径<\/li> -x<\/code>：通过代理发送请求<\/li> -mc 200<\/code>：只显示200状态码结果<\/li> -recursion<\/code>：自动递归爆破<\/li> -recursion-depth 2<\/code>：限制递归深度为2层<\/li> -c<\/code>：彩色输出<\/li> <\/ul> <\/li> <\/ul> 推荐字典<\/h3> SecLists<\/strong>：https:\/\/github.com\/danielmiessler\/SecLists<\/code> 包含用户名、密码、URL、敏感数据模式、模糊测试载荷等<\/li> 非常全面的安全测试字典集合<\/li> <\/ul> <\/li> <\/ul> JS文件信息提取<\/h2> JSFinder工具<\/h3> 特点<\/strong>：自动提取JS文件中的敏感信息(API路径、域名、密钥等)<\/p> <\/li> 安装<\/strong>：https:\/\/github.com\/Threezh1\/JSFinder<\/code><\/p> <\/li> 常用命令<\/strong>：<\/p> python .\J<\/span>SFinder.py -u https:\/\/example.com\/ -c "_gscu_1123603759:434164374obd12"<\/span> -d <\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p> -u<\/code>：目标网址<\/li> -c<\/code>：指定Cookie(可获取更多接口信息)<\/li> -d<\/code>：深度扫描模式<\/li> <\/ul> <\/li> <\/ul> 总结<\/h2> 本指南系统介绍了信息收集的全流程技术，从主域名搜集到子域名枚举，从IP收集到端口扫描，再到存活探测、指纹识别和目录扫描。关键点包括：<\/p> 主域名是信息收集的基础<\/strong>，使用多种方法确保全面性<\/li> 子域名枚举<\/strong>结合主动和被动方法提高覆盖率<\/li> IP收集和CDN绕过<\/strong>是定位真实服务器的关键<\/li> 端口扫描<\/strong>扩展攻击面，识别潜在脆弱服务<\/li> 指纹识别<\/strong>帮助快速定位已知漏洞<\/li> 目录扫描<\/strong>可能发现隐藏的敏感资源<\/li> <\/ol> 实际工作中，可根据目标特点灵活组合这些技术，也可编写自动化脚本提高效率。信息收集的质量直接决定了后续渗透测试的广度和深度，是安全评估中不可忽视的重要环节。<\/p>

端口<\/th>	服务<\/th>	攻击方式<\/th> <\/tr> <\/thead>
21<\/td>	FTP\/TFTP<\/td>	爆破\/嗅探\/溢出\/后门<\/td> <\/tr>
22<\/td>	SSH<\/td>	爆破\/OpenSSH漏洞<\/td> <\/tr>
23<\/td>	Telnet<\/td>	爆破\/嗅探\/弱口令<\/td> <\/tr>
25<\/td>	SMTP<\/td>	邮件伪造<\/td> <\/tr>
53<\/td>	DNS<\/td>	域传送\/劫持\/缓存投毒\/欺骗<\/td> <\/tr>
80\/443<\/td>	HTTP\/HTTPS<\/td>	Web应用漏洞\/心脏滴血<\/td> <\/tr>
1433<\/td>	MSSQL<\/td>	爆破\/注入\/SA弱口令<\/td> <\/tr>
3306<\/td>	MySQL<\/td>	爆破\/注入<\/td> <\/tr>
3389<\/td>	RDP<\/td>	爆破\/shift后门<\/td> <\/tr>
6379<\/td>	Redis<\/td>	未授权访问\/爆破<\/td> <\/tr>
7001\/7002<\/td>	WebLogic<\/td>	Java反序列化\/控制台弱口令<\/td> <\/tr>
8080<\/td>	Tomcat\/JBoss<\/td>	爆破\/PUT文件上传\/反序列化<\/td> <\/tr>
9200\/9300<\/td>	Elasticsearch<\/td>	远程代码执行<\/td> <\/tr>
27017<\/td>	MongoDB<\/td>	未授权访问\/爆破<\/td> <\/tr> <\/tbody> <\/table> 存活探测<\/h2> HTTPX工具<\/h3> 特点<\/strong>：快速多功能HTTP工具包，支持多种探测功能<\/p> <\/li> 安装<\/strong>：`https:\/\/github.com\/projectdiscovery\/httpx<\/code><\/p> <\/li>` 常用命令<\/strong>：<\/p> cat url4.txt \| .\h<\/span>ttpx.exe -status-code -title -tech-detect -follow-redirects -mc 200,302,403 -proxy http:\/\/127.0.0.1:7897 -threads 200<\/span> -timeout 10<\/span> -o result.json <\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p> -status-code<\/code>：显示HTTP状态码<\/li> -title<\/code>：抓取网页标题<\/li> -tech-detect<\/code>：检测Web技术<\/li> -follow-redirects<\/code>：跟随重定向<\/li> -mc 200,302,403<\/code>：只显示指定状态码的结果<\/li> -proxy<\/code>：通过代理发送请求<\/li> -threads 200<\/code>：使用200个并发线程<\/li> -timeout 10<\/code>：设置10秒超时<\/li> -o result.json<\/code>：输出JSON格式结果<\/li> <\/ul> <\/li> <\/ul> 指纹识别<\/h2> EHole_magic<\/h3> 特点<\/strong>：支持路径指纹识别、重点资产漏洞检测、FTP服务识别及爆破<\/p> <\/li> 安装<\/strong>：https:\/\/github.com\/lemonlove7\/EHole_magic<\/code><\/p> <\/li> 常用命令<\/strong>：<\/p> .\e<\/span>hole_windows.exe finger -l .\u<\/span>rl.txt --proxy http:\/\/127.0.0.1:7897 <\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p> finger<\/code>：指纹识别模块<\/li> -l .\url.txt<\/code>：指定目标列表文件<\/li> --proxy<\/code>：通过代理发送请求<\/li> <\/ul> <\/li> <\/ul> 网站基本信息收集<\/h3> 编程语言<\/strong>：使用Wappalyzer工具分析<\/li> 数据库类型<\/strong>：Wappalyzer或FOFA识别<\/li> Web容器<\/strong>：Wappalyzer和FOFA识别<\/li> 操作系统<\/strong>：大小写测试(Windows不区分大小写，Linux区分)<\/li> Ping TTL值分析<\/li> <\/ul> <\/li> <\/ol> 目录扫描<\/h2> FFUF工具<\/h3> 特点<\/strong>：Go编写的快速Web模糊器<\/p> <\/li> 安装<\/strong>：https:\/\/github.com\/ffuf\/ffuf<\/code><\/p> <\/li> 常用命令<\/strong>：<\/p> .\f<\/span>fuf.exe -u https:\/\/www.example.com\/FUZZ -w .\/common.txt -x http:\/\/127.0.0.1:7897 -mc 200<\/span> -recursion -recursion-depth 2<\/span> -c <\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p> -u<\/code>：目标URL，FUZZ为占位符<\/li> -w<\/code>：字典文件路径<\/li> -x<\/code>：通过代理发送请求<\/li> -mc 200<\/code>：只显示200状态码结果<\/li> -recursion<\/code>：自动递归爆破<\/li> -recursion-depth 2<\/code>：限制递归深度为2层<\/li> -c<\/code>：彩色输出<\/li> <\/ul> <\/li> <\/ul> 推荐字典<\/h3> SecLists<\/strong>：https:\/\/github.com\/danielmiessler\/SecLists<\/code> 包含用户名、密码、URL、敏感数据模式、模糊测试载荷等<\/li> 非常全面的安全测试字典集合<\/li> <\/ul> <\/li> <\/ul> JS文件信息提取<\/h2> JSFinder工具<\/h3> 特点<\/strong>：自动提取JS文件中的敏感信息(API路径、域名、密钥等)<\/p> <\/li> 安装<\/strong>：https:\/\/github.com\/Threezh1\/JSFinder<\/code><\/p> <\/li> 常用命令<\/strong>：<\/p> python .\J<\/span>SFinder.py -u https:\/\/example.com\/ -c "_gscu_1123603759:434164374obd12"<\/span> -d <\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p> -u<\/code>：目标网址<\/li> -c<\/code>：指定Cookie(可获取更多接口信息)<\/li> -d<\/code>：深度扫描模式<\/li> <\/ul> <\/li> <\/ul> 总结<\/h2> 本指南系统介绍了信息收集的全流程技术，从主域名搜集到子域名枚举，从IP收集到端口扫描，再到存活探测、指纹识别和目录扫描。关键点包括：<\/p> 主域名是信息收集的基础<\/strong>，使用多种方法确保全面性<\/li> 子域名枚举<\/strong>结合主动和被动方法提高覆盖率<\/li> IP收集和CDN绕过<\/strong>是定位真实服务器的关键<\/li> 端口扫描<\/strong>扩展攻击面，识别潜在脆弱服务<\/li> 指纹识别<\/strong>帮助快速定位已知漏洞<\/li> 目录扫描<\/strong>可能发现隐藏的敏感资源<\/li> <\/ol> 实际工作中，可根据目标特点灵活组合这些技术，也可编写自动化脚本提高效率。信息收集的质量直接决定了后续渗透测试的广度和深度，是安全评估中不可忽视的重要环节。<\/p>

信息收集技术全面指南<\/h1>

主域名搜集<\/h2> 主域名搜集是信息收集的第一步，决定了后续能够搜索到的资产范围。以下是几种有效的搜集方法：<\/p>

2. 网站图标(Favicon)查询<\/h3> 通过空间测绘工具(如FOFA、Shodan)使用网站图标哈希值进行查询，可能发现使用相同图标的其他主域名网站。<\/p>

4. 网站关联分析<\/h3> 通过分析网站的友情链接、合作伙伴等关联信息，寻找可能的主域名。<\/p>

子域名收集<\/h2>

2. 主动收集工具<\/h3>

IP地址收集<\/h2>

端口收集<\/h2>

存活探测<\/h2>

指纹识别<\/h2>

目录扫描<\/h2>

JS文件信息提取<\/h2>

主域名搜集<\/h2>
主域名搜集是信息收集的第一步，决定了后续能够搜索到的资产范围。以下是几种有效的搜集方法：<\/p>

2. 网站图标(Favicon)查询<\/h3>
通过空间测绘工具(如FOFA、Shodan)使用网站图标哈希值进行查询，可能发现使用相同图标的其他主域名网站。<\/p>

4. 网站关联分析<\/h3>
通过分析网站的友情链接、合作伙伴等关联信息，寻找可能的主域名。<\/p>