Passive information gathering
What to collect
IP address ranges, domain information, email addresses, documents/images/data files, company addresses, company organisational structure, contact phone/fax numbers, staff names/job titles, publicly available business information, etc.
DNS information gathering: nslookup
Non-interactive mode
root@kali:~# nslookup sina.com
Server: 192.168.206.2
Address: 192.168.206.2#53
Non-authoritative answer:
Name: sina.com
Address: 111.20.46.45
root@kali:~# nslookup -type=mx sina.com
Server: 192.168.206.2
Address: 192.168.206.2#53
Non-authoritative answer:
sina.com mail exchanger = 10 freemx3.sinamail.sina.com.cn. # 10 is the MX preference value; a higher value means lower priority, so it ranks below 5
sina.com mail exchanger = 5 freemx1.sinamail.sina.com.cn.
sina.com mail exchanger = 10 freemx2.sinamail.sina.com.cn.
Authoritative answers can be found from:
Interactive mode
root@kali:~# nslookup
> server
Default server: 192.168.206.2
Address: 192.168.206.2#53
> sina.com
Server: 192.168.206.2
Address: 192.168.206.2#53
Non-authoritative answer:
Name: sina.com
Address: 111.20.46.45
> set type=mx
> sina.com
Server: 192.168.206.2
Address: 192.168.206.2#53
Non-authoritative answer:
sina.com mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com mail exchanger = 5 freemx1.sinamail.sina.com.cn.
sina.com mail exchanger = 10 freemx3.sinamail.sina.com.cn.
Authoritative answers can be found from:
>
Note: in general, different DNS servers return different results, because "smart DNS" (GSLB) is now used everywhere: the server IP returned is chosen according to the end user's address, to speed up access.
DNS information gathering: dig
dig @8.8.8.8 sina.com; # dig @<DNS server to ask> <domain to collect>
dig @8.8.8.8 sina.com any;
dig @8.8.8.8 sina.com mx;
root@kali:~# dig @8.8.8.8 sina.com
; <<>> DiG 9.11.3-1-Debian <<>> @8.8.8.8 sina.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29223
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sina.com. IN A
;; ANSWER SECTION:
sina.com. 39 IN A 111.20.46.45
;; Query time: 67 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 09 11:35:49 CST 2019
;; MSG SIZE rcvd: 53
root@kali:~# dig @8.8.8.8 sina.cm any
; <<>> DiG 9.11.3-1-Debian <<>> @8.8.8.8 sina.cm any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32589
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sina.cm. IN ANY
;; ANSWER SECTION:
sina.cm. 599 IN A 81.171.22.6
sina.cm. 599 IN NS ns1.weaponizedcow.com.
sina.cm. 599 IN NS ns2.weaponizedcow.com.
sina.cm. 599 IN SOA ns1.weaponizedcow.com. admin.sina.cm. 2019052703 86400 10800 604800 300
sina.cm. 299 IN MX 1 mail.h-email.net.
sina.cm. 299 IN TXT "v=spf1 ip6:fd9c:d030:168c::/48 -all"
;; Query time: 596 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 09 11:36:40 CST 2019
;; MSG SIZE rcvd: 227
Reverse lookup
dig +noall +answer -x 8.8.8.8 # dig +noall (print nothing) +answer (print only the answer section) -x (reverse lookup) <IP address>
dig +noall +answer -x 114.114.114.114
root@kali:~# dig +noall +answer -x 8.8.8.8
8.8.8.8.in-addr.arpa. 5 IN PTR dns.google.
root@kali:~# dig +noall +answer -x 114.114.114.114
114.114.114.114.in-addr.arpa. 5 IN PTR public1.114dns.com.
BIND version information
dig +noall +answer txt chaos VERSION.BIND @ns4.sina.com. # TXT record in the CHAOS class
dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com.
root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns4.sina.com.
VERSION.BIND. 0 CH TXT " "
root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com.
VERSION.BIND. 0 CH TXT "baidu dns"
DNS tracing
dig +trace www.sina.com
# DNS trace: root zone -> .com zone -> sina.com zone -> www.sina.com;
root@kali:~# dig +trace www.sina.com
; <<>> DiG 9.11.3-1-Debian <<>> +trace www.sina.com
;; global options: +cmd
. 5 IN NS g.root-servers.net.
. 5 IN NS e.root-servers.net.
. 5 IN NS a.root-servers.net.
. 5 IN NS k.root-servers.net.
. 5 IN NS d.root-servers.net.
. 5 IN NS h.root-servers.net.
. 5 IN NS l.root-servers.net.
. 5 IN NS c.root-servers.net.
. 5 IN NS m.root-servers.net.
. 5 IN NS f.root-servers.net.
. 5 IN NS j.root-servers.net.
. 5 IN NS i.root-servers.net.
. 5 IN NS b.root-servers.net.
;; Received 239 bytes from 192.168.206.2#53(192.168.206.2) in 52 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20190721210000 20190708200000 59944 . rBBoxa85AB4TGBjemIyo+OrzEE6WB1GKZB+LaNhX8XLlgfj6FBTJDy3D a1+Bc8Dp6bhu+OYz5KdFwQaoV3ac/WsP9Ftp8BAFgrGbO8iLAe0xJ13d XWPWxsUmsd08jStBw7mVMPDWHcQguwF6eI3Qqhdokl9J5W0f6Nfn+w27 OMG+KqMuZIzi9s/ualc0ZpUivKu/VNgXWqO93YOsBheXdzPLgqPiuGdT BSfLAD1mC9X/Wpvt2ucEh+JvmlK1Zf0psTIFpw1D8M6zjrKzGf2cZdY7 WAzC3hYcBRObBOFRaqLTmDBMy5G1esxwshAOTSuKRQNCFBgV2buykje0 nucu3Q==
;; Received 1172 bytes from 199.7.91.13#53(d.root-servers.net) in 334 ms
sina.com. 172800 IN NS ns1.sina.com.cn.
sina.com. 172800 IN NS ns2.sina.com.cn.
sina.com. 172800 IN NS ns3.sina.com.cn.
sina.com. 172800 IN NS ns1.sina.com.
sina.com. 172800 IN NS ns2.sina.com.
sina.com. 172800 IN NS ns4.sina.com.
sina.com. 172800 IN NS ns3.sina.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190714044431 20190707033431 3800 com. BKPFq/Z6OdQj3J/veD+Ty87mCyx1yfhuW3eFuZ4g6d6JOZ+CHghL6DEL y8ztytbZxVCMHrFRl5VkSrxM9buZ2MDJnHeZBqB/LwuCncLD9DRQ/5R3 tbvu8PIWFrwvpgfyez+h5/XVEKJqszN+rFlNEsOS4iaZDw+mIn3PYOt5 T2U=
TGAG8VMC6NS5VVK68CIGRJ6Q414N2KB2.com. 86400 IN NSEC3 1 1 0 - TGAIBD36C6B9GMU6EB96HFA3PBUKS49B NS DS RRSIG
TGAG8VMC6NS5VVK68CIGRJ6Q414N2KB2.com. 86400 IN RRSIG NSEC3 8 2 86400 20190713052839 20190706041839 3800 com. E5aYOgdYmVUfMkPa97Xeskoufr2gX9bBSxY1TTJSlM/xISG2je0QcVbi FI2bEFMGIMqT486WZuzedoQk0zVwEoWCzbCREAC3WMwjnsZtgphbBg11 utRYYgiVGKkoLXil2SSa3+DoUyxYHU+YnFkgLsftzOYKkdlLzzMEfdK6 HR8=
;; Received 727 bytes from 192.35.51.30#53(f.gtld-servers.net) in 608 ms
www.sina.com. 60 IN CNAME us.sina.com.cn.
us.sina.com.cn. 60 IN CNAME spool.grid.sinaedge.com.
;; Received 103 bytes from 114.134.80.145#53(ns2.sina.com) in 130 ms
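A small parser for the dig +trace output shown above, added here as an example (it is not part of the original notes). It turns the trace into hops, recording which server answered each step and which zone was delegated, so the delegation chain and the final CNAME chain can be checked programmatically; SAMPLE_TRACE is a constructed, trimmed copy of the run above.

```python
import re

# Constructed sample trimmed from a dig +trace run shaped like the one above;
# real output has more NS lines per hop, which the parser handles the same way.
SAMPLE_TRACE = """\
; <<>> DiG 9.11.3-1-Debian <<>> +trace www.sina.com
;; global options: +cmd
.\t5\tIN\tNS\ta.root-servers.net.
.\t5\tIN\tNS\tb.root-servers.net.
;; Received 239 bytes from 192.168.206.2#53(192.168.206.2) in 52 ms
com.\t172800\tIN\tNS\ta.gtld-servers.net.
com.\t86400\tIN\tDS\t30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
;; Received 1172 bytes from 199.7.91.13#53(d.root-servers.net) in 334 ms
sina.com.\t172800\tIN\tNS\tns1.sina.com.cn.
sina.com.\t172800\tIN\tNS\tns1.sina.com.
;; Received 727 bytes from 192.35.51.30#53(f.gtld-servers.net) in 608 ms
www.sina.com.\t60\tIN\tCNAME\tus.sina.com.cn.
us.sina.com.cn.\t60\tIN\tCNAME\tspool.grid.sinaedge.com.
;; Received 103 bytes from 114.134.80.145#53(ns2.sina.com) in 130 ms
"""

RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+)\) in (\d+) ms$")

def parse_trace(text):
    """Split dig +trace output into hops: the records each server handed back, and who answered."""
    hops, records = [], []
    for line in text.splitlines():
        m = RECEIVED.match(line)
        if m:
            ip, name, ms = m.groups()
            hops.append({"server": name, "ip": ip, "ms": int(ms), "records": records})
            records = []
            continue
        if not line or line.startswith(";"):
            continue          # banner / option lines, not records
        parts = line.split(None, 4)   # owner ttl class type rdata (rdata may contain spaces)
        if len(parts) == 5 and parts[2] == "IN":
            records.append((parts[0], int(parts[1]), parts[3], parts[4]))
    return hops

def delegation_chain(hops):
    """Zones delegated at each hop (owners of the NS records), then the CNAME chain of the final answer."""
    zones = []
    for hop in hops:
        zones.extend(sorted({r[0] for r in hop["records"] if r[2] == "NS"}))
    final = [r for r in hops[-1]["records"] if r[2] == "CNAME"] if hops else []
    names = [r[0] for r in final] + [final[-1][3]] if final else []
    return zones, names
```

Comparing the answering servers per hop against the expected delegation is a quick way to notice when a zone is being served by a name server that is not the one you configured.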
DNS zone transfer
Copying a zone file to multiple DNS servers is called a zone transfer. It keeps the databases of DNS servers in sync, and normally happens only between DNS servers.
If zone transfers are not restricted, we can use one to read all of the target's records. First we need one of the domain's name servers, since the name server holds the records for every host; then run dig @<name server> <domain> axfr (AXFR, request for full zone transfer) to pull the zone's records.
dig @ns1.sina.com sina.com axfr
host -T -l sina.com ns1.sina.com
root@kali:~# dig @ns1.sina.com sina.com axfr
; <<>> DiG 9.11.3-1-Debian <<>> @ns1.sina.com sina.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
root@kali:~# host -T -l sina.com ns1.sina.com
Using domain server:
Name: ns1.sina.com
Address: 114.134.80.144#53
Aliases:
Host sina.com not found: 5(REFUSED)
; Transfer failed.
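What dig and host actually send for the AXFR attempt above and for the CHAOS-class VERSION.BIND query earlier, as an added stdlib-only example (not part of the original notes): it builds the DNS wire-format question, and reads the response header back so the rcode, 5 = REFUSED in the host output above, can be checked. The function and constant names are the example's own; the sample replies in the usage are constructed.

```python
import socket
import struct

QTYPE = {"TXT": 16, "AXFR": 252}
QCLASS = {"IN": 1, "CH": 3}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
         4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Wire-format owner name: length-prefixed labels terminated by a zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype, qclass="IN", txid=0x1234):
    """12-byte header (flags 0: no recursion asked, as when talking to an authoritative
    server) followed by one question; e.g. build_query("VERSION.BIND", "TXT", "CH")."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS[qclass])

def parse_header(resp, txid):
    """Return (rcode name, answer count); reject replies that are not an answer to our id."""
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:      # id must match and QR bit must be set
        raise ValueError("not a response to our query")
    return RCODE.get(flags & 0xF, str(flags & 0xF)), ancount

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def axfr_status(server, zone, txid=0x1234, timeout=5):
    """Live check: send the AXFR question over TCP (zone transfers always use TCP, each
    message prefixed by a 2-byte length) and return the rcode of the first reply message."""
    q = build_query(zone, "AXFR", txid=txid)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return parse_header(recv_exact(s, length), txid)
```

Running axfr_status against each of a zone's own name servers is a direct way to verify that allow-transfer restrictions are in place: every server should come back REFUSED, as ns1.sina.com does above.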
DNS dictionary brute force
Usually it is not possible to sync directly with the name server. To still obtain the host records you want, use DNS dictionary brute force: take a wordlist and try the entries one by one, so that the domain's resolvable names are found by trial.
fierce
dpkg -L fierce # dpkg is the package manager; this lists the files on the system that belong to fierce
fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt # -dnsserver specifies the DNS server, -dns the domain to query, -wordlist the wordlist
root@kali:~# dpkg -L fierce
/.
/usr
/usr/bin
/usr/bin/fierce
/usr/share
/usr/share/doc
/usr/share/doc/fierce
/usr/share/doc/fierce/changelog.Debian.gz
/usr/share/doc/fierce/copyright
/usr/share/fierce
/usr/share/fierce/hosts.txt
root@kali:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt
DNS Servers for sina.com.cn:
ns4.sina.com.cn
ns2.sina.com.cn
ns1.sina.com.cn
ns3.sina.com.cn
Trying zone transfer first...
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
39.156.6.98 1.sina.com.cn
39.156.6.98 8.sina.com.cn
221.179.175.207 a.sina.com.cn
183.222.142.107 a1.sina.com.cn
183.222.142.104 a1.sina.com.cn
183.222.142.106 a1.sina.com.cn
183.222.142.109 a1.sina.com.cn
183.222.142.108 a1.sina.com.cn
183.222.142.111 a1.sina.com.cn
183.222.142.110 a1.sina.com.cn
183.222.142.105 a1.sina.com.cn
183.222.142.108 a2.sina.com.cn
183.222.142.110 a2.sina.com.cn
183.222.142.106 a2.sina.com.cn
183.222.142.111 a2.sina.com.cn
dnsenum
dpkg -L dnsenum # list the files on the system that belong to dnsenum
dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 sina.com -o sina.xml # -dnsserver specifies the DNS server, -f the wordlist
root@kali:~# dpkg -L dnsenum
/.
/usr
/usr/bin
/usr/bin/dnsenum
/usr/share
/usr/share/dnsenum
/usr/share/dnsenum/dns.txt
/usr/share/doc
/usr/share/doc/dnsenum
/usr/share/doc/dnsenum/README.md
/usr/share/doc/dnsenum/changelog.Debian.gz
/usr/share/doc/dnsenum/copyright
root@kali:~# dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
----- sina.com -----
Host's addresses:
__________________
sina.com. 21 IN A 111.20.46.45
Name Servers:
______________
ns3.sina.com. 1360 IN A 180.149.138.199
ns4.sina.com. 3600 IN A 123.125.29.99
ns1.sina.com.cn. 2596 IN A 36.51.252.8
ns2.sina.com.cn. 3600 IN A 180.149.138.199
ns1.sina.com. 2572 IN A 114.134.80.144
ns4.sina.com.cn. 3271 IN A 121.14.1.22
ns2.sina.com. 3600 IN A 114.134.80.145
Mail (MX) Servers:
___________________
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for sina.com on ns3.sina.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sina.com on ns4.sina.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sina.com on ns1.sina.com.cn ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sina.com on ns2.sina.com.cn ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sina.com on ns1.sina.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sina.com on ns4.sina.com.cn ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sina.com on ns2.sina.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sina.com on ns3.sina.com.cn ...
AXFR record query failed: REFUSED
Brute forcing with /usr/share/dnsenum/dns.txt:
__
dnsmap
dpkg -L dnsmap # list the files on the system that belong to dnsmap
dnsmap sina.com -w /usr/share/dnsmap/wordlist_TLAs.txt
root@kali:~# dpkg -L dnsmap
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/dnsmap
/usr/share/doc/dnsmap/README.txt.gz
/usr/share/doc/dnsmap/TODO.txt
/usr/share/doc/dnsmap/changelog.gz
/usr/share/doc/dnsmap/use_cases.txt
/usr/share/doc/dnsmap/CREDITS.txt
/usr/share/doc/dnsmap/copyright
/usr/share/doc/dnsmap/changelog.Debian.gz
/usr/share/dnsmap
/usr/share/dnsmap/wordlist_TLAs.txt
/usr/bin
/usr/bin/dnsmap-bulk.sh
/usr/bin/dnsmap
root@kali:~# dnsmap sina.com -w /usr/share/dnsmap/wordlist_TLAs.txt
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] searching (sub)domains for sina.com using /usr/share/dnsmap/wordlist_TLAs.txt
[+] using maximum random delay of 10 millisecond(s) between requests
ads.sina.com
IP address #1: 183.222.142.109
IP address #2: 183.222.142.111
IP address #3: 183.222.142.105
IP address #4: 183.222.142.108
IP address #5: 183.222.142.106
IP address #6: 183.222.142.104
IP address #7: 183.222.142.110
IP address #8: 183.222.142.107
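The step all three tools share, and the one fierce prints as "Checking for wildcard DNS... Nope. Good.", is shown here as an added example (not code from fierce, dnsenum or dnsmap): a random label is resolved first, and any wordlist hit that only echoes the wildcard answer is dropped, otherwise a wildcard zone makes every entry look like a real host. The resolver is passed in as a function so the run works offline; FAKE_ZONE, the fake resolvers and the 203.0.113.10 catch-all address are constructed from the fierce results above.

```python
import random
import socket
import string

def wildcard_ips(domain, resolve, probes=2):
    """Resolve random labels that cannot be in any wordlist; answers mean wildcard DNS
    (the 'Checking for wildcard DNS...' step in fierce's output)."""
    ips = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        ips.update(resolve(f"{label}.{domain}"))
    return ips

def brute_force(domain, words, resolve):
    """Try each wordlist entry; keep names whose answer is more than the wildcard echo.
    Returns {name: sorted IPs}, so the eight a1.sina.com.cn lines above collapse to one entry."""
    wild = wildcard_ips(domain, resolve)
    found = {}
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue                      # blank and comment lines in the wordlist
        name = f"{word}.{domain}"
        ips = set(resolve(name))
        if ips and not ips <= wild:
            found[name] = sorted(ips)
    return found

def system_resolver(name):
    """Resolver backed by the system's DNS (stdlib only); [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

# Constructed fake zone for an offline run, modelled on the fierce results above.
FAKE_ZONE = {
    "1.sina.com.cn": ["39.156.6.98"],
    "a.sina.com.cn": ["221.179.175.207"],
    "a1.sina.com.cn": ["183.222.142.107", "183.222.142.104"],
}

def fake_resolver(name):
    return FAKE_ZONE.get(name, [])

def fake_wildcard_resolver(name):
    """Same zone, but every other label answers with one catch-all address (constructed)."""
    return FAKE_ZONE.get(name, ["203.0.113.10"])

if __name__ == "__main__":
    print(brute_force("sina.com.cn", ["1", "a", "a1", "zz"], fake_resolver))
```

Running the same function with system_resolver against a zone you operate shows which internal host names a public wordlist already exposes, which is the usual reason to keep such names out of the public zone.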
DNS registration information
whois sina.com # query the registration information for sina.com
root@kali:~# whois sina.com
Domain Name: SINA.COM
Registry Domain ID: 2243615_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.paycenter.com.cn
Registrar URL: http://www.xinnet.com
Updated Date: 2018-12-20T09:17:25Z
Creation Date: 1998-09-16T04:00:00Z
Registry Expiry Date: 2021-09-15T04:00:00Z
Registrar: Xin Net Technology Corporation
Registrar IANA ID: 120
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +86.1087127926
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.SINA.COM
Name Server: NS1.SINA.COM.CN
Name Server: NS2.SINA.COM
Name Server: NS2.SINA.COM.CN
Name Server: NS3.SINA.COM
Name Server: NS3.SINA.COM.CN
Name Server: NS4.SINA.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-07-09T03:58:45Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name:sina.com
Registry Domain ID:
Registrar WHOIS Server:whois.paycenter.com.cn
Registrar URL:http://www.xinnet.com
Updated Date:2018-09-12T01:18:05.00Z
Creation Date:1998-09-15T20:00:00.00Z
Registrar Registration Expiration Date:2021-09-14T20:00:00.00Z
Registrar:XINNET TECHNOLOGY CORPORATION
Registrar IANA ID:120
Registrar Abuse Contact Email:[email protected]
Registrar Abuse Contact Phone:+86.1087128064
Reseller:
Domain Status:
Registry Registrant ID:
Registrant Name:
Registrant Organization:
Registrant Street:
Registrant City:
Registrant State/Province:
Registrant Postal Code:
Registrant Country:
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name:
Admin Organization:
Admin Street:
Admin City:
Admin State/Province:
Admin PostalCode:
Admin Country:
Admin Phone:
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID:
Tech Name:
Tech Organization:
Tech Street:
Tech City:
Tech State/Province:
Tech PostalCode:
Tech Country:
Tech Phone:
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:
Name Server:ns1.sina.com.cn
Name Server:ns2.sina.com.cn
Name Server:ns3.sina.com.cn
Name Server:ns1.sina.com
Name Server:ns4.sina.com
Name Server:ns3.sina.com
DNSSEC:unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-07-09T03:59:00.00Z <<<:
For more information on Whois status codes, please visit https://icann.org/epp
The Data in Paycenter's WHOIS database is provided by Paycenter
for information purposes, and to assist persons in obtaining
information about or related to a domain name registration record.
Paycenter does not guarantee its accuracy. By submitting
a WHOIS query, you agree that you will use this Data only
for lawful purposes and that,
under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission
of mass unsolicited, commercial advertising or solicitations
via e-mail (spam); or
(2) enable high volume, automated, electronic processes that
apply to Paycenter or its systems.
Paycenter reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.!!
Why can some domains not be found with a whois lookup?