1. DIG
Why dig is worth learning: on Linux there are two choices for querying name resolution, nslookup or dig. Dig (Domain Information Groper) is a command-line tool for Unix-like systems that queries DNS for NS records, A records, MX records and other record types, and shows the full response the server sent.
root@kali:~# dig -h
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]
Where:  domain    is in the Domain Name System
        q-class   is one of (in,hs,ch,...) [default: in]
        q-type    is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]   # record type, default a
                  (Use ixfr=version for type ixfr)
        q-opt     is one of:
                  -x dot-notation     (shortcut for reverse lookups)          # reverse lookup
                  -i                  (use IP6.INT for IPv6 reverse lookups)  # legacy IPv6 reverse tree
                  -f filename         (batch mode)                            # batch mode, one query per line
                  -b address[#port]   (bind to source address/port)           # bind to source address/port
                  -p port             (specify port number)                   # server port
                  -q name             (specify query name)                    # query name
                  -t type             (specify query type)                    # query type
                  -c class            (specify query class)
                  -k keyfile          (specify tsig key file)
                  -y [hmac:]name:key  (specify named base64 tsig key)
                  -4                  (use IPv4 query transport only)
                  -6                  (use IPv6 query transport only)
                  -m                  (enable memory usage debugging)
        d-opt     is of the form +keyword[=value], where keyword is:
                  +[no]vc             (TCP mode)
                  +[no]tcp            (TCP mode, alternate syntax)
                  +time=###           (Set query timeout) [5]                 # timeout in seconds
                  +tries=###          (Set number of UDP attempts) [3]        # number of UDP attempts
                  +retry=###          (Set number of UDP retries) [2]         # number of UDP retries
                  +domain=###         (Set default domainname)
                  +bufsize=###        (Set EDNS0 Max UDP packet size)
                  +ndots=###          (Set NDOTS value)
                  +[no]edns[=###]     (Set EDNS version) [0]
                  +[no]search         (Set whether to use searchlist)
                  +[no]showsearch     (Search with intermediate results)
                  +[no]defname        (Ditto)
                  +[no]recurse        (Recursive mode)
                  +[no]ignore         (Don't revert to TCP for TC responses.)
                  +[no]fail           (Don't try next server on SERVFAIL)
                  +[no]besteffort     (Try to parse even illegal messages)
                  +[no]aaonly         (Set AA flag in query (+[no]aaflag))
                  +[no]adflag         (Set AD flag in query)
                  +[no]cdflag         (Set CD flag in query)
                  +[no]cl             (Control display of class in records)
                  +[no]cmd            (Control display of command line)
                  +[no]comments       (Control display of comment lines)
                  +[no]rrcomments     (Control display of per-record comments)
                  +[no]question       (Control display of question)
                  +[no]answer         (Control display of answer)             # show/hide the answer section
                  +[no]authority      (Control display of authority)
                  +[no]additional     (Control display of additional)
                  +[no]stats          (Control display of statistics)
                  +[no]short          (Disable everything except short form of answer)
                  +[no]ttlid          (Control display of ttls in records)
                  +[no]all            (Set or clear all display flags)        # +noall is usually combined with +answer
                  +[no]qr             (Print question before sending)
                  +[no]nssearch       (Search all authoritative nameservers)
                  +[no]identify       (ID responders in short answers)
                  +[no]trace          (Trace delegation down from root [+dnssec])   # delegation trace
                  +[no]dnssec         (Request DNSSEC records)
                  +[no]nsid           (Request Name Server ID)
                  +[no]sigchase       (Chase DNSSEC signatures)
                  +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)
                  +[no]topdown        (Do DNSSEC validation top down mode)
                  +[no]split=##       (Split hex/base64 fields into chunks)
                  +[no]multiline      (Print records in an expanded format)
                  +[no]onesoa         (AXFR prints only one soa record)
                  +[no]keepopen       (Keep the TCP socket open between queries)
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h                           (print help and exit)
        -v                           (print version and exit)
Command details: direct query
Specifying the DNS server to ask:  dig <name> <record type> @<DNS server IP>

root@kali:~# dig www.baidu.com   # plain query, default type A, default server from /etc/resolv.conf

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44198          # opcode, response status, transaction id
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 16   # flags and section counts
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280                               # EDNS version, UDP buffer size

;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          6       IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       553     IN      A       14.215.177.38
www.a.shifen.com.       553     IN      A       14.215.177.37

;; AUTHORITY SECTION:
com.                    67772   IN      NS      a.gtld-servers.net.
com.                    67772   IN      NS      j.gtld-servers.net.
com.                    67772   IN      NS      f.gtld-servers.net.
com.                    67772   IN      NS      h.gtld-servers.net.
com.                    67772   IN      NS      k.gtld-servers.net.
com.                    67772   IN      NS      m.gtld-servers.net.
com.                    67772   IN      NS      b.gtld-servers.net.
com.                    67772   IN      NS      l.gtld-servers.net.
com.                    67772   IN      NS      g.gtld-servers.net.
com.                    67772   IN      NS      d.gtld-servers.net.
com.                    67772   IN      NS      e.gtld-servers.net.
com.                    67772   IN      NS      c.gtld-servers.net.
com.                    67772   IN      NS      i.gtld-servers.net.

;; ADDITIONAL SECTION:
g.gtld-servers.net.     47412   IN      A       192.42.93.30
j.gtld-servers.net.     2442    IN      A       192.48.79.30
i.gtld-servers.net.     66535   IN      A       192.43.172.30
e.gtld-servers.net.     56469   IN      A       192.12.94.30
a.gtld-servers.net.     34163   IN      A       192.5.6.30
a.gtld-servers.net.     7565    IN      AAAA    2001:503:a83e::2:30
h.gtld-servers.net.     68265   IN      A       192.54.112.30
f.gtld-servers.net.     31194   IN      A       192.35.51.30
b.gtld-servers.net.     4732    IN      A       192.33.14.30
b.gtld-servers.net.     22851   IN      AAAA    2001:503:231d::2:30
l.gtld-servers.net.     42219   IN      A       192.41.162.30
c.gtld-servers.net.     34151   IN      A       192.26.92.30
m.gtld-servers.net.     47041   IN      A       192.55.83.30
d.gtld-servers.net.     25144   IN      A       192.31.80.30
k.gtld-servers.net.     65164   IN      A       192.52.178.30

;; Query time: 84 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Sep 06 15:50:49 CST 2016
;; MSG SIZE  rcvd: 589

Read the flags line: qr rd ra with no aa means this answer came out of the local recursive resolver's cache (192.168.1.1), not from a server authoritative for baidu.com; the TTLs are what is left of the cached entries. The AUTHORITY and ADDITIONAL sections here are just the .com nameservers the resolver happened to return, which is why they say nothing about baidu.com itself.
MX query, asking Google's public resolver instead of the default one:  dig www.baidu.com mx @8.8.8.8
(MX records normally live at the zone apex, so dig baidu.com mx @8.8.8.8 is the form that usually returns the mail exchangers; a query for the www host often returns none.)
Reverse lookup:  dig -x <server IP>   # add +noall +answer to print only the answer section: +noall suppresses every section, +answer re-enables just the answer
The result of a reverse lookup may not match the forward lookup, because the relationship between names and addresses can be one-to-many or many-to-one (one address hosting many names, one name resolving to many addresses). The PTR record is also maintained by whoever holds the address block, not by the domain owner, so it can be missing or stale.
1. Query the DNS server's BIND version:  dig +noall +answer txt chaos version.bind @<DNS server IP>
   This is a TXT query in the CHAOS class for the name version.bind (case does not matter). It is used to fingerprint the nameserver that serves a domain's host records, e.g. the server authoritative for www.sina.com under sina.com. Security-conscious operators hide or fake the version string (the version option in named.conf for BIND), so an empty, refused or obviously fake answer is itself informative.
### If the DNS server is compromised, every host record it holds comes with it.
2. DNS trace:  dig +trace <domain>   # iterative resolution: dig itself walks from the root servers through the TLD servers to the authoritative servers, printing each delegation step, instead of letting the local recursive resolver do the work
3. DNS zone transfer:  dig @<DNS server> <domain> axfr   # loosely, asking the server for the whole zone the way a secondary server would
A zone transfer is the operation by which a secondary (backup) server refreshes its own zone database with data from the primary server. It gives a running DNS service some redundancy, so that the primary nameserver becoming unavailable through an unexpected failure does not affect the whole domain, and it keeps the servers' data in sync.
### If zone transfers are not restricted to the secondary servers (allow-transfer in BIND), anyone can request a complete copy of the zone, i.e. every hostname and address in it.
root@kali:~# dig @ns3.sina.com sina.com axfr

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @ns3.sina.com sina.com axfr
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

A time-out like this means the TCP connection to port 53 got no reply at all (filtered or not answering); a server that accepts the connection but refuses the transfer prints "Transfer failed." instead.
Equivalent command:  host -T -l sina.com ns3.sina.com   # -l requests an AXFR of the whole zone, -T forces TCP (zone transfers always run over TCP)
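To make the three dig invocations above concrete, here is what they put on the wire. This is an added example, not code from the original post or from dig: it derives the owner name that dig -x asks for, builds RFC 1035 query messages for the CHAOS-class version.bind TXT query and for AXFR (with the 2-byte length prefix that TCP framing requires), and decodes a reply. The reply it decodes is constructed in the script; the version string in it is copied from the DiG banner above and is not a captured answer from any server. query_udp is a live helper that is only run if you call it yourself.

```python
import ipaddress
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
         "TXT": 16, "AAAA": 28, "AXFR": 252}
QCLASS = {"IN": 1, "CH": 3}


def reverse_name(ip):
    """Owner name dig -x asks for: octet-reversed in-addr.arpa for IPv4,
    nibble-reversed ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name):
    """RFC 1035 label encoding: <len><label>... ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, qclass="IN", txid=0x1234, rd=True):
    """One-question query; RD set by default as dig does. AXFR and CHAOS
    queries use exactly the same layout, only qtype/qclass differ."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS[qclass])


def tcp_frame(msg):
    """Zone transfers run over TCP, where each message gets a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after the field)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def decode_response(msg):
    """Parse the header, skip the question, return the answer RRs as tuples."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE["TXT"]:                  # sequence of <len><chars>
            parts, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            value = "".join(parts)
        elif rtype == QTYPE["A"] and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        else:
            value = rdata.hex()
        answers.append((name, rtype, rclass, ttl, value))
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF,
            "answers": answers, "authority": ns, "additional": ar}


def constructed_version_bind_reply(txid=0x1234, version="9.9.5-9+deb8u6-Debian"):
    """CONSTRUCTED reply to the version.bind query (not captured from a server):
    QR+AA set, one CH TXT answer whose owner name points back at the question."""
    question = build_query("version.bind", "TXT", "CH", txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    txt = version.encode("ascii")
    rdata = bytes([len(txt)]) + txt
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE["TXT"], QCLASS["CH"], 0, len(rdata)) + rdata
    return header + question + answer


def query_udp(server, name, qtype, qclass="IN", timeout=3.0):
    """Live helper (needs network; not called below): the wire equivalent of
    dig +noall +answer <qtype> <qclass> <name> @server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, qclass), (server, 53))
        data, _ = s.recvfrom(4096)
    return decode_response(data)


if __name__ == "__main__":
    print(reverse_name("14.215.177.38"))
    print(decode_response(constructed_version_bind_reply())["answers"])
    print(tcp_frame(build_query("sina.com", "AXFR")).hex())
```

The decoder deliberately stops at the answer section: for AXFR you would read length-prefixed messages off the TCP socket until the second SOA arrives, which is what +onesoa in the help text above refers to.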
2. whois registration information
whois <domain>
root@kali:~# whois wooyun.org
Domain Name: WOOYUN.ORG
Domain ID: D159099935-LROR
WHOIS Server:
Referral URL: http://www.net.cn
Updated Date: 2016-01-15T00:24:32Z
Creation Date: 2010-05-06T08:50:48Z
Registry Expiry Date: 2024-05-06T08:50:48Z
Sponsoring Registrar: Hichina Zhicheng Technology Limited
Sponsoring Registrar IANA ID: 420
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant ID: hc556860480-cn
Registrant Name: Fang Xiao Dun
Registrant Organization: Fang Xiao Dun
Registrant Street: Haidian District JuYuan Road 6# 502
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100080
Registrant Country: CN
Registrant Phone: +86.18610137578
Registrant Phone Ext:
Registrant Fax: +86.18610137578
Registrant Fax Ext:
Registrant Email: [email protected]
Admin ID: HC-009652962-CN
Admin Name: Fang Xiaodun
Admin Organization: Beijing Bigfish Technology
Admin Street: Haidian District JuYuan Road 6# 502
Admin City: Beijing
Admin State/Province: Beijing
Admin Postal Code: 100080
Admin Country: CN
Admin Phone: +86.18610137578
Admin Phone Ext:
Admin Fax: +86.18610137578
Admin Fax Ext:
Admin Email: [email protected]
Tech ID: HC-844637505-CN
Tech Name: Fang Xiaodun
Tech Organization: Beijing Bigfish Technology
Tech Street: Haidian District JuYuan Road 6# 502
Tech City: Beijing
Tech State/Province: Beijing
Tech Postal Code: 100080
Tech Country: CN
Tech Phone: +86.18610137578
Tech Phone Ext:
Tech Fax: +86.18610137578
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS1.DNSV2.COM
Name Server: NS2.DNSV2.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-09-02T21:50:05Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Besides the contact fields, note the Name Server lines (which provider hosts the zone, here DNSV2.COM), DNSSEC: unsigned, the registrar, and the creation and expiry dates; these feed directly into the DNS enumeration below and into judging takeover and typosquatting exposure.
Web-based whois sites offer a graphical front end, but their results are often incomplete compared with the command-line client.
3. DNSenum
dnsenum aims to collect as much information about a domain as possible: it guesses likely hostnames via Google or a wordlist and reverse-resolves whole network ranges. It looks up the domain's host addresses, nameservers and MX records (mail exchangers), attempts an AXFR request against each nameserver, pulls additional names out of Google search results (google hacking), extracts subdomains and queries them, works out the class C ranges and runs whois on them, performs reverse lookups on those ranges, and writes the ranges to a file.
Common usage:
root@kali:~# dnsenum -enum baidu.com
dnsenum.pl VERSION:1.2.3
Warning: can't load Net::Whois::IP module, whois queries disabled.

-----   baidu.com   -----

Host's addresses:
__________________
baidu.com.              346     IN    A    220.181.57.217
baidu.com.              346     IN    A    111.13.101.208
baidu.com.              346     IN    A    123.125.114.144
baidu.com.              346     IN    A    180.149.132.47

Name Servers:
______________
ns2.baidu.com.          76012   IN    A    61.135.165.235
ns4.baidu.com.          25326   IN    A    220.181.38.10
ns3.baidu.com.          38813   IN    A    220.181.37.10
ns7.baidu.com.          78929   IN    A    119.75.219.82
dns.baidu.com.          35202   IN    A    202.108.22.220

Mail (MX) Servers:
___________________
mx1.baidu.com.          600     IN    A    61.135.163.61
jpmx.baidu.com.         2599    IN    A    61.208.132.13
mx50.baidu.com.         600     IN    A    61.135.163.61
mx.n.shifen.com.        600     IN    A    220.181.3.77

Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for baidu.com on ns4.baidu.com ...

(The warning at the top means the whois step was skipped because the Perl module Net::Whois::IP is not installed; the rest of the run is unaffected.)
Common options:
  --threads <n>   number of threads to run in parallel
  -r              recurse: brute-force the subdomains that are discovered as well
  -d <seconds>    delay between consecutive WHOIS requests
  -o <file>       write the results to a file (XML)
  -w              enable WHOIS requests
4. fierce
fierce scans for subdomains and collects information about them; the goal is to obtain every IP address and hostname belonging to a target domain.
root@kali:~# fierce -dns baidu.com
DNS Servers for baidu.com:
        ns4.baidu.com
        ns2.baidu.com
        ns3.baidu.com
        ns7.baidu.com
        dns.baidu.com

Trying zone transfer first...
        Testing ns4.baidu.com
                Request timed out or transfer not allowed.
        Testing ns2.baidu.com
                Request timed out or transfer not allowed.
        Testing ns3.baidu.com
                Request timed out or transfer not allowed.
        Testing ns7.baidu.com
                Request timed out or transfer not allowed.
        Testing dns.baidu.com
                Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS... Nope. Good.
Now performing 2280 test(s)...
10.94.49.39     access.baidu.com
10.11.252.74    accounts.baidu.com
10.26.109.19    admin.baidu.com
10.42.4.225     ads.baidu.com
172.22.15.17    agent.baidu.com
172.22.15.16    agent.baidu.com
10.57.8.26      alpha.baidu.com
...

Two things in this output are worth more than the hit count. The wildcard check matters because a wildcard record would make every guessed name resolve and turn the brute force into noise. And the hits themselves resolve to RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12): internal hosts published in public DNS, which is a finding in its own right even though the addresses are unreachable from outside.
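The hit list above is only useful once it is sorted into what matters: internal addresses leaking through public DNS, hostnames that suggest sensitive roles, hosts with several addresses, and addresses shared by several names. The script below is an added example, not part of the original post or of fierce; it parses the two line formats the tools on this page print (fierce's "<ip> <host>" and dig axfr's "<owner> <ttl> IN A/AAAA <addr>") and triages them. Both sample inputs are constructed here with example.com and documentation addresses; the SENSITIVE keyword list is an assumption to adapt per engagement.

```python
import ipaddress
import re
from collections import defaultdict

# CONSTRUCTED samples in the formats fierce and dig axfr print (not real data).
FIERCE_SAMPLE = """\
10.94.49.39 access.example.com
10.11.252.74 accounts.example.com
172.22.15.17 agent.example.com
172.22.15.16 agent.example.com
203.0.113.10 www.example.com
203.0.113.10 blog.example.com
198.51.100.7 mail.example.com
198.51.100.20 vpn-test.example.com
not-an-ip garbage.example.com
"""
DIG_AXFR_SAMPLE = """\
example.com.          3600 IN SOA  ns1.example.com. hostmaster.example.com. 2016090601 7200 900 1209600 300
example.com.          3600 IN NS   ns1.example.com.
ns1.example.com.      3600 IN A    203.0.113.53
jenkins.example.com.  300  IN A    10.20.30.40
mail.example.com.     300  IN AAAA 2001:db8::25
example.com.          3600 IN SOA  ns1.example.com. hostmaster.example.com. 2016090601 7200 900 1209600 300
"""

FIERCE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s*$")
DIG_LINE = re.compile(r"^\s*(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)\s*$")
# Assumed keyword list; tune per target. Matched against the first label only.
SENSITIVE = ("admin", "vpn", "dev", "test", "staging", "internal", "intranet",
             "jenkins", "git", "db", "backup", "accounts")
# RFC 1918 plus IPv6 ULA, checked explicitly: ipaddress.is_private also flags the
# documentation ranges (203.0.113.0/24, 2001:db8::/32) used in the samples.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def _addr(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_fierce(text):
    """fierce prints '<ip> <host>' per hit; lines whose first field is not an address are dropped."""
    out = []
    for line in text.splitlines():
        m = FIERCE_LINE.match(line)
        addr = _addr(m.group(1)) if m else None
        if addr is not None:
            out.append((m.group(2).rstrip(".").lower(), addr))
    return out


def parse_dig_axfr(text):
    """dig axfr prints '<owner> <ttl> IN <type> <rdata>'; only A/AAAA records carry addresses."""
    out = []
    for line in text.splitlines():
        m = DIG_LINE.match(line)
        addr = _addr(m.group(3)) if m else None
        if addr is not None:
            out.append((m.group(1).rstrip(".").lower(), addr))
    return out


def triage(records):
    """Group (host, addr) pairs both ways and pull out the findings worth reporting."""
    by_host, by_ip = defaultdict(set), defaultdict(set)
    for host, addr in records:
        by_host[host].add(addr)
        by_ip[addr].add(host)
    return {
        "hosts": len(by_host),
        # internal addresses exposed in public DNS: a finding even if unreachable
        "internal": sorted(h for h, a in by_host.items() if any(is_internal(x) for x in a)),
        "sensitive": sorted(h for h in by_host if any(k in h.split(".")[0] for k in SENSITIVE)),
        "multihomed": {h: sorted(map(str, a)) for h, a in by_host.items() if len(a) > 1},
        "shared_ips": {str(i): sorted(h) for i, h in by_ip.items() if len(h) > 1},
    }


if __name__ == "__main__":
    result = triage(parse_fierce(FIERCE_SAMPLE) + parse_dig_axfr(DIG_AXFR_SAMPLE))
    for key, value in result.items():
        print(key, value)
```

Feed it real output with parse_fierce(open("fierce.txt").read()) and the matching dig axfr capture; the shared_ips view is the one that exposes virtual hosting (several names on one address), which is exactly the one-to-many case the reverse-lookup note above warns about.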
fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt   # choose the resolver and supply your own wordlist
### e.g. to find the wordlist that ships with the fierce package:
dpkg -L fierce
Beginner's diary, to be continued...

dnsdict6 -d4 -t 16 -x sina.com   # -t: number of threads  # -d: also list IPv6 addresses of the MX and NS records  # -d4: include IPv4 addresses  # dictionary size: -l/-m/-x/-u
# dnsdict6: fast, with large, comprehensive and accurate built-in dictionaries
dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
dnsmap sina.com -w dns.txt
dnsrecon -d sina.com --lifetime 10 -t brt -D dnsbig.txt
dnsrecon -t std -d sina.com