
Web Penetration Testing (1): Passive Information Gathering, Part 1 (DNS information gathering, DNS dictionary brute force, DNS registration information)

Date: 2019-06-09 22:23:28


Passive Information Gathering, Part 1

>Passive information gathering

>Domain Name System (DNS)

>DNS information gathering: nslookup

>DNS information gathering: dig

>DNS zone transfer

>DNS dictionary brute force

>DNS registration information

>Passive information gathering

Passive gathering uses only information that is available through public channels. There is no direct interaction with the target system, so the aim is to leave as little trace as possible.

What is collected: IP addresses, domain information, e-mail addresses, documents, images and data files, company addresses, organizational structure, telephone and fax numbers, personnel names and job titles, the technology stack the target runs, published business information, and so on.

What it is used for: building a description of the target, social-engineering attacks, discovery, and finding physical entry points.

>Domain Name System (DNS)

DNS (Domain Name System) maps domain names to IP addresses and back (forward resolution: domain name -> IP address). Port: TCP/UDP 53. Each label in a name is at most 63 octets long and a complete name at most 253 characters.

Record types: A (IPv4 host address), CNAME (alias), MX (mail exchanger), NS (authoritative name server), PTR (pointer, used for reverse resolution of an IP address to a name), AAAA (IPv6 host address), SRV (service location), NAPTR (regular-expression based name mapping), among others.

FQDN (Fully Qualified Domain Name): the host name plus the full domain path, i.e. every domain in the sequence up to the root.

For example, Baidu's domain is baidu.com, and its FQDN is

DNS server resolution flow (figure)

>DNS information gathering: nslookup

nslookup queries DNS records and checks whether a DNS server resolves names correctly. "Non-authoritative answer" means the reply came from the recursive resolver's cache rather than from the zone's authoritative server. Interactive mode:

root@xuer:~# nslookup
> server
Default server: 192.168.10.2
Address: 192.168.10.2#53
> 
Server:     192.168.10.2
Address:    192.168.10.2#53

Non-authoritative answer:
Name:   
Address: 66.102.251.33
> set type=mx
> 
Server:     192.168.10.2
Address:    192.168.10.2#53

Non-authoritative answer:
    mail exchanger = 10 freemx2..
    mail exchanger = 10 freemx3..    # 5 and 10 are the MX preferences
    mail exchanger = 5 freemx1..     # preference 5 is tried before 10 (lower wins)

Authoritative answers can be found from:

Direct (non-interactive) queries

nslookup -type=ns 

nslookup -q=ns    # -type= and -q= (short for -querytype=) both select the record type

root@xuer:~# nslookup -type=ns 
Server:     192.168.10.2
Address:    192.168.10.2#53

Non-authoritative answer:
    nameserver = .
    nameserver = .
    nameserver = .
    nameserver = .
    nameserver = .
    nameserver = .
    nameserver = .
    nameserver = .

Authoritative answers can be found from:
root@xuer:~# nslookup -q=ns 
Server:     192.168.10.2
Address:    192.168.10.2#53

Non-authoritative answer:
    nameserver = .
    nameserver = .
    nameserver = .
    nameserver = .
    nameserver = .
    nameserver = .
    nameserver = .
    nameserver = .

Authoritative answers can be found from:

>DNS information gathering: dig

Query one record type for a domain (dig @server domain type):

dig @8.8.8.8  mx

root@xuer:~# dig @8.8.8.8  mx

; <<>> DiG 9.11.3-1-Debian <<>> @8.8.8.8  mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35085
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;.				IN	MX

;; ANSWER SECTION:
.			59	IN	MX	10 freemx2..
.			59	IN	MX	10 freemx3..
.			59	IN	MX	5 freemx1..

;; Query time: 176 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 07 16:19:47 CST 
;; MSG SIZE  rcvd: 129

Query every record type for a domain (ANY)

dig @8.8.8.8  any    # dig @DNS-server domain type

Note that many authoritative servers and public resolvers now answer ANY with a deliberately minimal response (RFC 8482) or refuse it outright, so an empty or odd ANY answer proves nothing; query the individual types you care about instead. The capture below was actually taken with an mx query:

root@xuer:~# dig @8.8.8.8  mx

; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8  mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61484
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	MX

;; ANSWER SECTION:
.			60	IN	MX	10 freemx2..
.			60	IN	MX	5 freemx1..
.			60	IN	MX	10 freemx3..

;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 23 16:39:59 CST 
;; MSG SIZE  rcvd: 129

Filtered output (print only the ANSWER section)

dig +noall +answer @8.8.8.8  any

root@xuer:~# dig +noall +answer @8.8.8.8  any
.			59	IN	A	66.102..
.			59	IN	TXT	"v=spf1 include:spf. -all"
.			..	IN	SOA	.. zhihao.. 042601 900 300 604800 ...
.			59	IN	MX	5 freemx1..
.			59	IN	MX	10 freemx2..
.			59	IN	MX	10 freemx3..

Reverse lookup

dig +noall +answer -x 8.8.8.8    # +noall suppresses all output, +answer re-enables only the answer section, -x does a reverse (PTR) lookup of the IP address

dig +noall +answer -x 114.114.114.114

root@xuer:~# dig +noall +answer -x 8.8.8.8
8.8.8.8.in-addr.arpa.	5	IN	PTR	google-public-dns-.
root@xuer:~# dig +noall +answer -x 114.114.114.114
114.114.114.114.in-addr.arpa. .

An empty answer, as for 114.114.114.114 here, simply means no PTR record is published for that address.

BIND version information

dig +noall +answer txt chaos VERSION.BIND @

dig +noall +answer txt chaos VERSION.BIND @.

dig +noall +answer txt chaos VERSION.BIND @.

root@xuer:~# dig +noall +answer txt chaos VERSION.BIND @
VERSION.BIND.		0	CH	TXT	"1.1.1711.01"
root@xuer:~# dig +noall +answer txt chaos VERSION.BIND @.
VERSION.BIND.		0	CH	TXT	" "
root@xuer:~# dig +noall +answer txt chaos VERSION.BIND @.
VERSION.BIND.		0	CH	TXT	"baidu dns"

The string is whatever the operator configured (the `version` option in named.conf for BIND), so it can be blanked or faked, as the second and third servers above show. Treat it as a hint, not as a reliable fingerprint.

DNS trace (recursive versus iterative resolution)

dig +trace     # root servers -> .com servers -> the domain's authoritative servers -> the host

root@xuer:~# dig +trace 
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.10.3-P4-Debian <<>> +trace 
;; global options: +cmd
.			5	IN	NS	d.root-.
.			5	IN	NS	l.root-.
.			5	IN	NS	j.root-.
.			5	IN	NS	m.root-.
.			5	IN	NS	c.root-.
.			5	IN	NS	a.root-.
.			5	IN	NS	i.root-.
.			5	IN	NS	f.root-.
.			5	IN	NS	h.root-.
.			5	IN	NS	b.root-.
.			5	IN	NS	k.root-.
.			5	IN	NS	e.root-.
.			5	IN	NS	g.root-.
;; Received 512 bytes from 192.168.10.2#53(192.168.10.2) in 85 ms

com.			172800	IN	NS	h.gtld-.
com.			172800	IN	NS	d.gtld-.
com.			172800	IN	NS	a.gtld-.
com.			172800	IN	NS	i.gtld-.
com.			172800	IN	NS	c.gtld-.
com.			172800	IN	NS	k.gtld-.
com.			172800	IN	NS	m.gtld-.
com.			172800	IN	NS	f.gtld-.
com.			172800	IN	NS	b.gtld-.
com.			172800	IN	NS	j.gtld-.
com.			172800	IN	NS	l.gtld-.
com.			172800	IN	NS	g.gtld-.
com.			172800	IN	NS	e.gtld-.
com.			86400	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.			86400	IN	RRSIG	DS 8 1 86400 0505050000 0422040000 25266 . j2mlpUL+0e0pKViD6DvLdC8FymlBVzT2TFyCHevc2vZotFcsxESsfc2i JThJGW4GtCfKHAzud8FLWibTdp8YmePd478XXzQ88zgS3vHcbErnGcvX nL441qccNwvnpv3diKZ6F5PyjbbsV2OcpD1bzVmJE3NEy2AuDYqBrXG7 5SsSHCyLISXeF5OMASFT3SVNq0HfqJ1hxp4Os+MFhKnd2DSp/Wld1sK2 W4eeBt6ceBm4NouIvzPFz63kI9qk2p8lswe5es3tbhPwxWDNdhpXX/Cd pxaU+AsUGsq6SAl7zJdVaXaYlxfJpVFz+wrrksoGK2JeDbPRTrPrtb8Y OQq1cw==
;; Received 1168 bytes from 192.112.36.4#53(g.root-) in 204 ms

............... 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY
. 86400 IN RRSIG NSEC3 8 2 86400 0429044545 0422033545 3800 com. I7ZicA+yc/vhrcFDvhWKgDnobDmIBvVTQdjupvBoULcng9u9DKXjXc8u 5ixqO0CQMnogd9XRhyVT6+yu7YZiG6KHYUxnHSZcvyhnnMiJzCS1Olxx SjPsMHTnnCW8KQHHtNCAJHu7BLYINnSoRh7RqxYPqmo4JzZTwWZG9mcE MLw=
. 86400 IN NSEC3 1 1 0 - TGAIBD36C6B9GMU6EB96HFA3PBUKS49B NS DS
. 86400 IN RRSIG NSEC3 8 2 86400 0428053823 0421042823 3800 com. jpAQ2wa1a/GCx6S0I/V19jmKpT4uax6LIoa9G2p++0dPkfdL+PBUjeVG ngKU+s4Tq/KcHZNH4EAXl5EnS9PYbQ2u1xvIX42P8T8D/MrGig78xHCx gBNIq/rDCRwa3z8incfWc6bWS/dCZExtwzGoXrUbWusQlAWoJJsh6dtB N60=
;; Received 723 bytes from 192.48.79.30#53(j.gtld-) in 321 ms

.			60	IN	A	66.102...
;; Received 336 bytes from 114.134.80.145#53() in 237 ms

The NSEC3 records in the .com step are the signed proof that the target's delegation exists (DNSSEC denial-of-existence data); the final step is answered by the domain's own authoritative server, which is where the A record comes from.
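Everything dig and nslookup do above is a small binary protocol on port 53: a 12-byte header, a question (name, type, class) and resource records whose owner names may be compression pointers. The example below, added here and not part of dig, BIND or the original article, builds that wire format in Python with the standard library only. It covers the record types listed in the DNS section, the CH-class VERSION.BIND probe, and the in-addr.arpa / ip6.arpa name that `dig -x` constructs. `SAMPLE_RESPONSE` is a constructed packet for example.com, not a capture from any real server; `query_udp` is the only part that touches the network and assumes the server is reachable on UDP/53.

```python
import ipaddress
import random
import socket
import struct

# Record types and classes used on this page (RFC 1035 numbering).
TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
         "TXT": 16, "AAAA": 28, "SRV": 33, "AXFR": 252, "ANY": 255}
TYPE_NAMES = {v: k for k, v in TYPES.items()}
CLASSES = {"IN": 1, "CH": 3}   # CH (chaos) is the class `dig chaos VERSION.BIND` queries

def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (each label <= 63 octets)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(data, offset):
    """Decode a name that may use compression pointers (RFC 1035 4.1.4); return (name, end)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:           # two-byte pointer back into the packet
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            end = end if jumped else offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:                   # a malformed packet can loop pointers forever
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)

def build_query(name, qtype="A", qclass="IN", txid=None):
    """12-byte header + question section. Flags 0x0100 = RD, asking the resolver to recurse."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPES[qtype], CLASSES[qclass])

def parse_rdata(data, rtype, start, length):   # present RDATA the way dig prints it
    if rtype == TYPES["A"]:
        return str(ipaddress.IPv4Address(data[start:start + 4]))
    if rtype in (TYPES["NS"], TYPES["CNAME"], TYPES["PTR"]):
        return decode_name(data, start)[0]
    if rtype == TYPES["MX"]:                # 16-bit preference, then the exchange name
        pref = struct.unpack("!H", data[start:start + 2])[0]
        return "%d %s" % (pref, decode_name(data, start + 2)[0])
    if rtype == TYPES["TXT"]:               # one or more <len><bytes> character-strings
        strings, pos = [], start
        while pos < start + length:
            n = data[pos]
            strings.append(data[pos + 1:pos + 1 + n].decode("latin-1"))
            pos += 1 + n
        return " ".join('"%s"' % s for s in strings)
    return data[start:start + length].hex()  # AAAA, SOA, SRV, ... left as hex

def parse_response(data):
    """Header fields plus the ANSWER section as (name, ttl, class, type, rdata) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    result = {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "answers": []}
    offset = 12
    for _ in range(qd):                     # skip the echoed question section
        offset = decode_name(data, offset)[1] + 4
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        result["answers"].append((name, ttl, "CH" if rclass == 3 else "IN",
                                  TYPE_NAMES.get(rtype, str(rtype)),
                                  parse_rdata(data, rtype, offset, rdlen)))
        offset += rdlen
    return result

def reverse_name(ip):
    """What dig -x builds: 8.8.8.8 -> 8.8.8.8.in-addr.arpa., IPv6 -> nibbles under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def query_udp(server, name, qtype="A", qclass="IN", timeout=3.0):  # assumes server reachable
    q = build_query(name, qtype, qclass)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data = s.recvfrom(4096)[0]
    if data[:2] != q[:2]:                   # a reply with another id is not an answer to us
        raise ValueError("transaction id mismatch")
    return parse_response(data)             # if result["tc"] is set, repeat the query over TCP

# Constructed sample (not a real capture): id 0x1234, flags QR RD RA, question example.com MX,
# two answers whose owner names are compression pointers (0xC00C) to the question name.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPES["MX"], CLASSES["IN"])
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPES["MX"], 1, 60, 8) + b"\x00\x05\x03mx1\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPES["TXT"], 1, 60, 12) + b"\x0bv=spf1 -all")
```

`parse_response(SAMPLE_RESPONSE)["answers"]` reproduces dig's ANSWER SECTION for the constructed packet; `query_udp("8.8.8.8", "version.bind", "TXT", "CH")` sends the same probe as `dig txt chaos VERSION.BIND @8.8.8.8`. The transaction-id check is the minimum defence against a spoofed reply, and a `tc` flag in the result means the answer was truncated to the UDP limit and must be fetched again over TCP, which is also why zone transfers are TCP-only.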

>DNS zone transfer

A zone transfer copies a zone file from one DNS server to others. It is how authoritative servers keep their databases in sync, so it should normally only happen between a primary and its secondaries. If a server is misconfigured to allow transfers to anyone, you can pull the entire zone and read every record the target publishes internally (you must know which server is authoritative, so look up the NS records first). Syntax: dig @nameserver domain axfr, where AXFR is the request for a full zone transfer. Transfers run over TCP, which is why host needs -T.

dig @  axfr

host -T -l     # -T forces TCP, -l lists the zone (AXFR); argument order is: zone, then name server

root@xuer:~# dig @  axfr

; <<>> DiG 9.11.3-1-Debian <<>> @  axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
root@xuer:~# host -T -l 
Using domain server:
Name: 
Address: 114.134.80.144#53
Aliases: 

Host  not found: 5(REFUSED)
; Transfer failed.

REFUSED is the expected result against a properly configured server (BIND: `allow-transfer` restricted to the secondaries). Try every NS the domain lists, since a single forgotten secondary is enough to leak the zone.
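When a transfer does succeed, dig prints the whole zone one record per line and the problem becomes triage rather than collection. The script below is an added example for this page (not part of dig or host): it parses dig's AXFR presentation format, removes the duplicate SOA that closes a transfer, inventories hosts, flags RFC 1918 addresses that should never be visible from the Internet, and picks out names that usually mark non-production or management systems. `SAMPLE_AXFR` is a constructed zone for example.test, not a real transfer; the `INTERESTING` fragments are an assumption you should tune per engagement.

```python
import ipaddress
import re
from collections import Counter

# Constructed zone in dig's presentation format (not a real transfer). A real AXFR
# starts and ends with the SOA, which is why it appears twice.
SAMPLE_AXFR = """\
example.test.            3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2019042601 900 300 604800 3600
example.test.            3600  IN  NS     ns1.example.test.
example.test.            300   IN  MX     10 mail.example.test.
ns1.example.test.        3600  IN  A      192.0.2.1
www.example.test.        300   IN  A      192.0.2.10
mail.example.test.       300   IN  A      192.0.2.20
vpn.example.test.        300   IN  A      198.51.100.5
gitlab-dev.example.test. 300   IN  A      10.0.4.15
backup.example.test.     300   IN  A      10.0.4.16
intranet.example.test.   300   IN  CNAME  gitlab-dev.example.test.
example.test.            3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2019042601 900 300 604800 3600
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH)\s+(\S+)\s+(.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Name fragments that usually mark non-production or management systems (assumption; tune per target).
INTERESTING = ("dev", "test", "stag", "uat", "vpn", "backup", "intranet", "admin", "git", "jenkins")

def is_rfc1918(addr):
    """Explicit RFC 1918 check: ipaddress.is_private also matches documentation ranges such as 192.0.2.0/24."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def parse_axfr(text):
    """Yield (name, ttl, type, rdata) per record line; skip comments and the closing SOA."""
    seen_soa = False
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m or line.lstrip().startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = m.groups()
        if rtype == "SOA":
            if seen_soa:
                continue
            seen_soa = True
        yield name.lower(), int(ttl), rtype, rdata.strip()

def triage(text):
    """Summarise a leaked zone: host inventory, internal addresses, names worth a closer look."""
    report = {"records": 0, "types": Counter(), "hosts": set(), "private": {}, "interesting": set()}
    for name, _ttl, rtype, rdata in parse_axfr(text):
        report["records"] += 1
        report["types"][rtype] += 1
        if rtype in ("A", "AAAA", "CNAME"):
            report["hosts"].add(name)
        if rtype in ("A", "AAAA") and is_rfc1918(rdata):
            report["private"][name] = rdata        # internal addressing exposed to the Internet
        label = name.split(".")[0]
        if any(tag in label for tag in INTERESTING):
            report["interesting"].add(name)
    return report

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AXFR   # pipe `dig @ns zone axfr` in
    r = triage(text)
    print("%d records, %d hosts, %d with RFC 1918 addresses, interesting: %s"
          % (r["records"], len(r["hosts"]), len(r["private"]), sorted(r["interesting"])))
```

Run it as `dig @ns1.example.test example.test axfr | python3 axfr_triage.py`; with no input on stdin it triages the constructed sample. The RFC 1918 hits are usually the most valuable finding in a leaked zone, because they map the internal network without a single packet to it.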

>DNS dictionary brute force

fierce

dpkg -L fierce    # list the files the fierce package installed (dpkg is the Debian package manager)

fierce -dnsserver 8.8.8.8 -dns  -wordlist hosts.txt    # -dnsserver selects the DNS server, -dns the domain to enumerate, -wordlist the dictionary

root@xuer:~# dpkg -L fierce
/.
/usr
/usr/bin
/usr/bin/fierce
/usr/share
/usr/share/doc
/usr/share/doc/fierce
/usr/share/doc/fierce/changelog.Debian.gz
/usr/share/doc/fierce/copyright
/usr/share/fierce
/usr/share/fierce/hosts.txt        # fierce's brute-force wordlist
root@xuer:~# fierce -dnsserver 8.8.8.8 -dns  -wordlist hosts.txt
DNS Servers for :

Trying zone transfer first...
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Can't open hosts.txt or the default wordlist
Exiting...

The wordlist path is resolved relative to the current directory, which is why the run above fails; pass the full path, -wordlist /usr/share/fierce/hosts.txt. Note that fierce tries a zone transfer first and only then falls back to the dictionary.

dnsenum

dpkg -L dnsenum    # list the files the dnsenum package installed

dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 -o sina.xml     # -f wordlist, -dnsserver DNS server to query, -o XML report

root@xuer:~# dpkg -L dnsenum
/.
/usr
/usr/bin
/usr/bin/dnsenum
/usr/share
/usr/share/dnsenum
/usr/share/dnsenum/dns.txt
/usr/share/doc
/usr/share/doc/dnsenum
/usr/share/doc/dnsenum/README.md
/usr/share/doc/dnsenum/changelog.Debian.gz
/usr/share/doc/dnsenum/copyright
root@xuer:~# dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 -o sina.xml 
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4

-----   -----

Host's addresses:
__________________

.                                        4        IN    A        66.102.251.33

Name Servers:
______________

.                                        338      IN    A        202.106.184.
.                                        523      IN    A        180.149.138.
.                                        2524     IN    A        180.149.138.
.                                        162      IN    A        121.14.1.
.                                        1726     IN    A        123.125.29.
.                                        1670     IN    A        114.134.80.
.                                        1280     IN    A        114.134.80.
.                                        2872     IN    A        123.125.29.99

Mail (MX) Servers:
___________________

freemx3..                                60       IN    A        39.156.6.104
freemx1..                                55       IN    A        39.156.6.104
freemx2..                                60       IN    A        121.14.32.117

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for  on  ...
AXFR record query failed: REFUSED
Trying Zone Transfer for  on  ...
AXFR record query failed: REFUSED
Trying Zone Transfer for  on  ...
AXFR record query failed: REFUSED
Trying Zone Transfer for  on  ...
AXFR record query failed: REFUSED
Trying Zone Transfer for  on  ...
AXFR record query failed: REFUSED
Trying Zone Transfer for  on  ...
AXFR record query failed: REFUSED
Trying Zone Transfer for  on  ...
AXFR record query failed: REFUSED
Trying Zone Transfer for  on  ...
AXFR record query failed: REFUSED

Brute forcing with /usr/share/dnsenum/dns.txt:
_______________________________________________

.                                        60       IN    CNAME    .
.                                        46       IN    A        111.19.237.
.                                        46       IN    A        111.19.237.
.                                        46       IN    A        111.19.237.
.                                        46       IN    A        111.19.237.
.                                        46       IN    A        111.19.237.
.                                        46       IN    A        111.19.237.
.                                        46       IN    A        111.19.237.
.                                        46       IN    A        111.19.237.
.                                        60       IN    CNAME    .
.                                        30       IN    CNAME    .
.                                        17       IN    A        49.7.37.
.                                        60       IN    A        66.102.251.24
......

dnsenum does in one run what the previous sections did by hand: host address, NS and MX lookups, a zone-transfer attempt and a VERSION.BIND probe against every name server, and then the dictionary.

dnsmap

dpkg -L dnsmap    # list the files the dnsmap package installed

dnsmap  -w /usr/share/dnsmap/wordlist_TLAs.txt    # -w wordlist (the bundled one is every three-letter combination)

root@xuer:~# dpkg -L dnsmap
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/dnsmap
/usr/share/doc/dnsmap/README.txt.gz
/usr/share/doc/dnsmap/TODO.txt
/usr/share/doc/dnsmap/changelog.gz
/usr/share/doc/dnsmap/use_cases.txt
/usr/share/doc/dnsmap/CREDITS.txt
/usr/share/doc/dnsmap/copyright
/usr/share/doc/dnsmap/changelog.Debian.gz
/usr/share/dnsmap
/usr/share/dnsmap/wordlist_TLAs.txt
/usr/bin
/usr/bin/dnsmap-bulk.sh
/usr/bin/dnsmap
root@xuer:~# dnsmap  -w /usr/share/dnsmap/wordlist_TLAs.txt
dnsmap 0.30 - DNS Network Mapper by pagvac ()

[+] searching (sub)domains for  using /usr/share/dnsmap/wordlist_TLAs.txt
[+] using maximum random delay of 10 millisecond(s) between requests

IP address #1: 111.19.237.230
IP address #2: 111.19.237.226
IP address #3: 111.19.237.229
IP address #4: 111.19.237.231
IP address #5: 111.19.237.228
IP address #6: 111.19.237.227
IP address #7: 111.19.237.233
IP address #8: 111.19.237.232
......

Two caveats apply to all three tools. First, dictionary brute force is not passive in the strict sense used at the top of this page: every guessed name is a query that the target's authoritative name servers eventually see, even when it is routed through 8.8.8.8. Second, a zone with a wildcard record (*.example.com) answers every guess, so a tool that does not detect wildcards reports the entire dictionary as "found".
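The core of fierce, dnsenum and dnsmap is a loop over a wordlist with a wildcard check in front of it. The example below is added for this page and is not code from any of those tools: it probes random labels first, treats whatever they resolve to as the wildcard target, then resolves the dictionary in parallel and discards hits that only point at the wildcard address. The resolver is injected so the logic can be exercised offline; `fake_resolver` and `FAKE_ZONE` are a constructed zone for example.test with three real hosts plus a wildcard, and `system_resolver` (the default) uses the operating system's stub resolver and assumes network access.

```python
import secrets
import socket
from concurrent.futures import ThreadPoolExecutor

def system_resolver(fqdn):
    """Addresses for fqdn via the OS stub resolver (assumes network access), or an empty set."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}
    except socket.gaierror:
        return set()

def detect_wildcard(domain, resolve, probes=3):
    """Resolve random labels nobody created. If they all answer, the zone has a wildcard
    record and every candidate that only points at those addresses is a false positive."""
    hits = [resolve("%s.%s" % (secrets.token_hex(8), domain)) for _ in range(probes)]
    return set.union(*hits) if all(hits) else set()

def brute_force(domain, wordlist, resolve=system_resolver, workers=20):
    """Return ({fqdn: addresses}, wildcard_addresses) for wordlist entries that resolve
    to something other than the wildcard target."""
    wildcard = detect_wildcard(domain, resolve)
    candidates = ["%s.%s" % (w.strip(), domain) for w in wordlist if w.strip()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(resolve, candidates))
    found = {}
    for fqdn, addrs in zip(candidates, results):
        real = addrs - wildcard
        if real:
            found[fqdn] = real
    return found, wildcard

# Constructed zone for offline use (not real data): three real hosts plus a wildcard
# that answers for any other name under example.test.
FAKE_ZONE = {"www.example.test": {"192.0.2.10"},
             "mail.example.test": {"192.0.2.20"},
             "dev.example.test": {"192.0.2.30"}}

def fake_resolver(fqdn):
    if fqdn in FAKE_ZONE:
        return set(FAKE_ZONE[fqdn])
    if fqdn.endswith(".example.test"):
        return {"192.0.2.99"}       # the wildcard target
    return set()

if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.test"
    words = open(sys.argv[2]).read().split() if len(sys.argv) > 2 else ["www", "mail", "dev", "ftp", "vpn"]
    resolver = system_resolver if len(sys.argv) > 1 else fake_resolver
    found, wildcard = brute_force(domain, words, resolver)
    if wildcard:
        print("wildcard detected ->", ", ".join(sorted(wildcard)))
    for fqdn in sorted(found):
        print(fqdn, ", ".join(sorted(found[fqdn])))
```

Run `python3 subbrute.py example.com /usr/share/dnsenum/dns.txt` against a real domain, or with no arguments to see the wildcard filtering on the constructed zone. The filter has a known blind spot: a real host that shares the wildcard's address is indistinguishable from a wildcard hit by its A record alone, so on such zones confirm candidates with a second signal (a CNAME, a different TTL, or an HTTP response).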

>DNS registration information

whois     # query the domain's registration record (registrar, dates, status codes, name servers, contacts)

whois -h 192.0.43.10     # -h selects the whois server to query; IP address allocations are held by the regional registries, and the answer below comes from APNIC

root@xuer:~# whois 
   Domain Name: 
   Registry Domain ID: 11181110_DOMAIN_COM-VRSN
   Registrar WHOIS Server: 
   Registrar URL: 
   Updated Date: -01-25T04:08:55Z
   Creation Date: 1999-10-11T11:05:17Z
   Registry Expiry Date: 2026-10-11T11:05:17Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@
   Registrar Abuse Contact Phone: +1.2083895740
   Domain Status: clientDeleteProhibited /epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited /epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited /epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited /epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited /epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited /epp#serverUpdateProhibited
   Name Server: 
   Name Server: 
   Name Server: 
   Name Server: 
   Name Server: 
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: /wicf/
>>> Last update of whois database: -04-22T13:36:00Z <<<

For more information on Whois status codes, please visit /epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: 
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: 
Registrar URL: 
Updated Date: -01-24T20:00:51-0800
Creation Date: 1999-10-11T04:05:17-0700
Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (/epp#serverDeleteProhibited)
Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant State/Province: Beijing
Registrant Country: CN
Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Admin State/Province: Beijing
Admin Country: CN
Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Tech State/Province: Beijing
Tech Country: CN
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: /
>>> Last update of WHOIS database: -04-22T06:26:30-0700 <<<

For more information on WHOIS status codes, please visit:
  /resources/pages/epp-status-codes

If you wish to contact this domain's Registrant, Administrative, or Technical
contact, and such email address is not visible above, you may do so via our web
form, pursuant to ICANN's Temporary Specification. To verify that you are not a
robot, please enter your email address to receive a link to a page that
facilitates email communication with the relevant contact(s).

Web-based WHOIS:
  /whois

If you have a legitimate interest in viewing the non-public WHOIS details, send
your request and the reasons for your request to whoisrequest@
and specify the domain name in the subject line. We will review that request and
may ask for supporting documentation and explanation.

The data in MarkMonitor's WHOIS database is provided for information purposes,
and to assist persons in obtaining information about or related to a domain
name's registration record. While MarkMonitor believes the data to be accurate,
the data is provided "as is" with no guarantee or warranties regarding its
accuracy.

By submitting a WHOIS query, you agree that you will use this data only for
lawful purposes and that, under no circumstances will you use this data to:
(1) allow, enable, or otherwise support the transmission by email, telephone,
or facsimile of mass, unsolicited, commercial advertising, or spam; or
(2) enable high volume, automated, or electronic processes that send queries,
data, or email to MarkMonitor (or its systems) or the domain name contacts (or
its systems). reserves the right to modify these terms at any time.

By submitting this query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiCounterfeiting(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services

Visit MarkMonitor at 
Contact us at +1.8007459229
In Europe, at +44.02032062220
--

The record comes in two parts: the registry's (VeriSign for .com) followed by the registrar's (MarkMonitor), which repeats the same keys and adds the registrant, admin and tech contacts. The fields worth noting for reconnaissance are the creation and expiry dates, the six EPP status locks (client* set by the registrar, server* set by the registry, which together make this domain very hard to hijack or transfer), the name servers, and DNSSEC: unsigned.

root@xuer:~# whois -h 192.0.43.10 
% []
% Whois data copyright terms    /db/dbcopyright.html

% Information related to '192.0.0.0 - 192.255.255.255'

% Abuse contact for '192.0.0.0 - 192.255.255.255' is 'helpdesk@'

inetnum:        192.0.0.0 - 192.255.255.255
netname:        ERX-NETBLOCK
descr:          Early registration addresses
remarks:        ------------------------------------------------------
remarks:        Important:
remarks:
remarks:        Networks in this range were allocated by InterNIC
remarks:        prior to the formation of Regional Internet
remarks:        Registries (RIRs): AfriNIC, APNIC, ARIN, LACNIC and RIPE NCC.
remarks:
remarks:        Address ranges from this historical space have now
remarks:        been transferred to the appropriate RIR database.
remarks:
remarks:        If your search has returned this record, it means the
remarks:        address range is not administered by APNIC.
remarks:
remarks:        Instead, please search one of the following databases:
remarks:
remarks:        - AfriNIC (Africa)
remarks:          website: /
remarks:          command line: 
remarks:
remarks:        - ARIN (Northern America)
remarks:          website: /
remarks:          command line: 
remarks:
remarks:        - LACNIC (Latin America and the Carribean)
remarks:          website: /
remarks:          command line: 
remarks:
remarks:        - RIPE NCC (Europe)
remarks:          website: /
remarks:          command line: 
remarks:
remarks:        For information on the Early Registration Transfer
remarks:        (ERX) project, see:
remarks:
remarks:        /db/erx
remarks:
remarks:        ------------------------------------------------------
country:        AU
admin-c:        IANA1-AP
tech-c:         IANA1-AP
mnt-by:         APNIC-HM
mnt-lower:      APNIC-HM
status:         ALLOCATED PORTABLE
last-modified:  -08-28T00:31:46Z
source:         APNIC
mnt-irt:        IRT-APNIC-AP

irt:            IRT-APNIC-AP
address:        Brisbane, Australia
e-mail:         helpdesk@
abuse-mailbox:  helpdesk@
admin-c:        HM20-AP
tech-c:         NO4-AP
auth:           # Filtered
remarks:        APNIC is a Regional Internet Registry.
remarks:        We do not operate the referring network and
remarks:        are unable to investigate complaints of network abuse.
remarks:        For information about IRT, see /irt
mnt-by:         APNIC-HM
last-modified:  -02-14T05:37:22Z
source:         APNIC

role:           Internet Assigned Numbers Authority
address:        see .
admin-c:        IANA1-AP
tech-c:         IANA1-AP
nic-hdl:        IANA1-AP
remarks:        For more information on IANA services
remarks:        go to IANA web site at .
mnt-by:         MAINT-APNIC-AP
last-modified:  -06-22T22:34:30Z
source:         APNIC

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-NODE3)

The APNIC answer is itself a referral: 192.0.0.0/8 is legacy "ERX" space, and the remarks say the block is not administered by APNIC and point to the other RIRs. Re-run the query against the registry that actually holds the allocation (for an address in North America that is ARIN) to get the real netblock owner.
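Whois output is free-form text, and the fields a recon report needs are scattered through several screens of legal notice, so it is worth parsing mechanically. The script below is an added example for this page, not part of the whois client: it pulls the key/value fields out of a registry-style record, normalises the repeated Name Server and Domain Status lines, handles both date formats seen above (registry Z-suffixed, registrar with a numeric offset), and derives the facts that matter for an engagement, such as domain age, time to expiry, transfer locks and DNSSEC. `SAMPLE_WHOIS` is a constructed record for example.test in the VeriSign layout; every value in it is made up.

```python
import re
from datetime import datetime, timezone

# Constructed record in the registry layout shown above; every value is made up.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.TEST
   Registry Domain ID: 0000000_DOMAIN_TEST-EXAMPLE
   Registrar WHOIS Server: whois.registrar.example
   Registrar URL: 
   Updated Date: 2019-01-25T04:08:55Z
   Creation Date: 1999-10-11T11:05:17Z
   Registry Expiry Date: 2026-10-11T11:05:17Z
   Registrar: Example Registrar, Inc.
   Registrar IANA ID: 9999
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Name Server: NS1.EXAMPLE.TEST
   Name Server: NS2.EXAMPLE.TEST
   Name Server: ns2.example.test.
   DNSSEC: unsigned
>>> Last update of whois database: 2019-04-22T13:36:00Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire.
"""

MULTI_VALUED = {"Domain Status", "Name Server"}
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")

def parse_whois(text):
    """Key/value fields of a whois record. Repeated keys become lists; otherwise the first
    occurrence wins, because registry and registrar sections repeat the same keys."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in MULTI_VALUED:
            if key == "Domain Status":
                value = value.split()[0]            # drop the EPP explanation URL
            else:
                value = value.lower().rstrip(".")   # registries mix case and trailing dots
            values = record.setdefault(key, [])
            if value not in values:
                values.append(value)
        elif value:
            record.setdefault(key, value)
    return record

def parse_date(value):
    """Registries print 2019-01-25T04:08:55Z; registrars often 2019-01-24T20:00:51-0800."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            dt = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)
    raise ValueError("unrecognised whois date: %r" % value)

def summarize(text, now):
    """The facts a recon report wants from a record; `now` is a datetime or a Z-suffixed ISO string."""
    now = parse_date(now) if isinstance(now, str) else now
    rec = parse_whois(text)
    statuses = [s.lower() for s in rec.get("Domain Status", [])]
    created = parse_date(rec["Creation Date"])
    expires = parse_date(rec["Registry Expiry Date"])
    return {
        "registrar": rec.get("Registrar"),
        "age_days": (now - created).days,         # very young domains are a phishing/typosquat signal
        "days_to_expiry": (expires - now).days,   # domains about to lapse are takeover candidates
        "name_servers": rec.get("Name Server", []),
        "transfer_locked": "clienttransferprohibited" in statuses,
        "registry_locked": any(s.startswith("server") for s in statuses),
        "dnssec": rec.get("DNSSEC", "").lower() == "signeddelegation",
    }

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WHOIS   # pipe `whois example.com` in
    for key, value in summarize(text, datetime.now(timezone.utc)).items():
        print("%-16s %s" % (key, value))
```

Use it as `whois example.com | python3 whois_summary.py`. Two practical points: registrars rate-limit and sometimes block automated whois clients, as the terms of use above say, so cache results rather than re-querying; and since the 2018 Temporary Specification most registrant contact fields are redacted, so the organisation name, dates and name servers are usually all the personal-data-free signal you will get from this source.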
