✍ Contents

Project URL

https://github.com/projectdiscovery/uncover

Introduction

uncover is a go wrapper using APIs of well known search engines to quickly discover exposed hosts on the internet. It is built with automation in mind, so you can query it and utilize the results with your current pipeline tools.

Installation Instructions

uncover requires go1.20 to install successfully. Run the following command to get the repo -

go install -v github.com/projectdiscovery/uncover/cmd/uncover@latest
  • Default install location
    /root/go/bin/
    Running the install command above places the tool in this directory.

  • Provider configuration file location
    /root/.config/uncover/

Provider Configuration

The default provider configuration file should be located at $CONFIG/uncover/provider-config.yaml and has the following contents as an example.

Note: API keys are required and must be configured before running uncover.

shodan:
- SHODAN_API_KEY_1
- SHODAN_API_KEY_2
censys:
- CENSYS_API_ID_1:CENSYS_API_SECRET_1
- CENSYS_API_ID_2:CENSYS_API_SECRET_2
fofa:
- FOFA_EMAIL_1:FOFA_KEY_1
- FOFA_EMAIL_2:FOFA_KEY_2
quake:
- QUAKE_TOKEN_1
- QUAKE_TOKEN_2
hunter:
- HUNTER_API_KEY_1
- HUNTER_API_KEY_2
zoomeye:
- ZOOMEYE_API_KEY_1
- ZOOMEYE_API_KEY_2
netlas:
- NETLAS_API_KEY_1
- NETLAS_API_KEY_2
criminalip:
- CRIMINALIP_API_KEY_1
- CRIMINALIP_API_KEY_2
publicwww:
- PUBLICWWW_API_KEY_1
- PUBLICWWW_API_KEY_2
hunterhow:
- HUNTERHOW_API_KEY_1
- HUNTERHOW_API_KEY_2

When multiple keys/credentials are specified for the same provider in the config file, a random key is used for each execution.

For everything else, refer to the official documentation.

Command examples

If no engine is specified, the tool uses the shodan engine by default.

Default run

echo 'ssl:"Uber Technologies, Inc."' | uncover

Run queries from a file

uncover -q dorks.txt

cat dorks.txt

ssl:"Uber Technologies, Inc."
title:"Grafana"

Query multiple engines

echo jira | uncover -e shodan,censys,fofa,quake,hunter,zoomeye,netlas,criminalip

Search multiple engines with a different query for each

uncover -shodan 'http.component:"Atlassian Jira"' -censys 'services.software.product=`Jira`' -fofa 'app="ATLASSIAN-JIRA"' -quake 'Jira' -hunter 'Jira' -zoomeye 'app:"Atlassian JIRA"' -netlas 'jira' -criminalip 'Jira'

Quick lookup of IP ports and vulnerabilities with shodan

echo 51.83.59.99/24 | uncover

Select the output field

uncover -q jira -f host -silent

ec2-44-198-22-253.compute-1.amazonaws.com
ec2-18-246-31-139.us-west-2.compute.amazonaws.com
tasks.devrtb.com
leased-line-91-149-128-229.telecom.by
74.242.203.213.static.inetbone.net
ec2-52-211-7-108.eu-west-1.compute.amazonaws.com
ec2-54-187-161-180.us-west-2.compute.amazonaws.com
185-2-52-226.static.nucleus.be
ec2-34-241-80-255.eu-west-1.compute.amazonaws.com

-f has three modes: ip, port and host, which output only the ip, port or host respectively.
-silent prints only the results, without debug output.

Custom output format

echo kubernetes | uncover -f https://ip:port/version -silent

https://35.222.229.38:443/version
https://52.11.181.228:443/version
https://35.239.255.1:443/version
https://34.71.48.11:443/version
https://130.211.54.173:443/version
https://54.184.250.232:443/version

Use uncover results as input to other tools

uncover -q example -f ip | naabu    # run naabu for port scanning on the hosts found
uncover -q title:GitLab | httpx    # run httpx to probe the web servers found
uncover -q 51.83.59.99/24 | httpx    # run httpx on the hosts/ports obtained from shodan-internetdb
uncover -q 'org:"Example Inc."' | httpx | nuclei    # run httpx / nuclei for vulnerability assessment
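
Because these pipelines hand search-engine results straight to active tools, a scope gate between uncover and the next stage keeps the run inside known address ranges. The filter below is an added example, not code from the uncover project: the function names and the scope.txt file (one IPv4 CIDR per line) are assumptions, and it accepts only ip or ip:port lines.

```shell
#!/bin/sh
# Added example: scope gate for uncover output (not part of uncover itself).
# scope.txt is a hypothetical file with one in-scope IPv4 CIDR per line.

# Print the 32-bit integer for a dotted-quad address; fail on anything else.
ip_to_int() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*|????*) return 1 ;; esac   # no leading zeros (octal), max 3 digits
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed only if address $1 lies inside CIDR $2 (e.g. 192.0.2.0/24).
in_cidr() {
  case $2 in */*) ;; *) return 1 ;; esac
  net=${2%/*}; bits=${2#*/}
  case $bits in ''|*[!0-9]*|0?*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  ip_n=$(ip_to_int "$1") || return 1
  net_n=$(ip_to_int "$net") || return 1
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# Read "ip" or "ip:port" lines on stdin; pass through only in-scope ones.
# Hostnames and malformed lines are dropped (fail closed) and logged to stderr.
scope_filter() {
  scope_file=$1
  while IFS= read -r line; do
    ip=${line%%:*}; matched=0
    while IFS= read -r cidr; do
      case $cidr in ''|'#'*) continue ;; esac   # skip blanks and comments
      if in_cidr "$ip" "$cidr"; then matched=1; break; fi
    done < "$scope_file"
    if [ "$matched" -eq 1 ]; then printf '%s\n' "$line"
    else printf 'out of scope, dropped: %s\n' "$line" >&2; fi
  done
}

# Usage (flags as shown on this page):
#   uncover -q 'org:"Example Inc."' -f ip -silent | scope_filter scope.txt | naabu
```

Dropped lines go to stderr, so the filtered stream stays clean for the next tool while the log shows what was excluded.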

notes

Results are limited to 100 by default; use the limit flag to increase this.

Common commands

Quick port discovery and liveness probing

./uncover -q net:192.168.2.1/24 | ./httpx -sc -title

Configuration

shodan key

shodan:
-

ZOOMEYE_API_KEY=