渗透测试---被动信息收集详解

被动信息收集

  • 一、被动信息收集简介
    • 1.被动信息收集
    • 2.信息收集的内容
    • 3.信息收集的目的
  • 二、被动信息收集方式
    • 1.dig:域名解析查询
      • ①直接查询
      • ②按指定内容查询
      • ③查新DNS版本信息
      • ④DNS追踪,迭代/递归查询
    • 2.nslookup:诊断DNS基础结构
    • 3.whois:注册信息查询
    • 4.dnsenum
    • 5.fierce
      • ①直接查询
      • ②字典爆破
  • 三、被动信息收集方式的重点(个人认为)
    • 1.进入recon-ng环境
    • 2.创建新的工作区
    • 3.设置工作区参数
    • 4.DNS查询
    • 5.解析IP
    • 6.生成报告
    • 7.查看报告
  • 四、桃花依旧笑春风


一、被动信息收集简介

1.被动信息收集

指通过公开渠道的可获得信息,与目标系统或者主机不产生直接的信息交互,以尽可能避免留下任何痕迹的信息收集方法。

2.信息收集的内容

IP地址段
域名信息
邮件地址
文档图片数据
公司地址
公司组织架构
联系电话/传真号码
人员姓名/职务
目标系统使用的技术架构
公开的商用信息

3.信息收集的目的

个人认为信息收集是为了获取目标系统的基础架构以及目标主机的ip地址段以及该对象的域名信息,以达到使用所收集的信息去描述目标系统或者主机的目的,并对之后的一些列扫描工作做准备,是渗透测试技术的第一个关键步骤


二、被动信息收集方式

在这里我使用的系统环境是基于kali-linux-2018-W25-amd64的虚拟环境.

1.dig:域名解析查询

①直接查询

命令:dig 所要查询域名

root@yanxiao:~# dig www.sina.com

; <<>> DiG 9.11.3-1-Debian <<>> www.sina.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21747  
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;www.sina.com.			IN	A

;; ANSWER SECTION:
www.sina.com.		5	IN	CNAME	us.sina.com.cn.
us.sina.com.cn.		5	IN	CNAME	spool.grid.sinaedge.com.
spool.grid.sinaedge.com. 5	IN	A	221.204.241.188
spool.grid.sinaedge.com. 5	IN	A	61.158.251.244

;; Query time: 5 msec
;; SERVER: 192.168.181.2#53(192.168.181.2)
;; WHEN: Wed Jun 26 16:22:04 CST 2019
;; MSG SIZE  rcvd: 135

②按指定内容查询

命令:dig @ <所查询的域名> <所查询的具体类型>

root@yanxiao:~# dig @8.8.8.8 www.sina.com mx

; <<>> DiG 9.11.3-1-Debian <<>> @8.8.8.8 www.sina.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40167
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.sina.com.			IN	MX

;; ANSWER SECTION:
www.sina.com.		59	IN	CNAME	us.sina.com.cn.
us.sina.com.cn.		59	IN	CNAME	spool.grid.sinaedge.com.

;; AUTHORITY SECTION:
sinaedge.com.		59	IN	SOA	ns1.sinaedge.com. null.sinaedge.com. 20100707 10800 60 604800 60

;; Query time: 144 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jun 26 16:36:47 CST 2019
;; MSG SIZE  rcvd: 148

结合noallanswer只显示查询结果,摒弃无关信息。

root@yanxiao:~# dig @8.8.8.8 +noall +answer mx sina.com 
sina.com.		59	IN	MX	5 freemx1.sinamail.sina.com.cn.
sina.com.		59	IN	MX	10 freemx2.sinamail.sina.com.cn.
sina.com.		59	IN	MX	10 freemx3.sinamail.sina.com.cn.

③查新DNS版本信息

命令:dig +noall +answer txt chaos VERSION.BIND @ns3.所要查询的域名

root@yanxiao:~# dig +noall +answer txt chaos VERSION.BIND @ns3.sina.com
VERSION.BIND.		0	CH	TXT	"  "
#注:这里DNS版本信息应该是在双引号下显示,而此时为空并不是因为命令有误,
#	 而是因为新浪将之版本信息隐藏	

④DNS追踪,迭代/递归查询

命令:dig +trace 所要查询的域名

root@yanxiao:~# dig +trace +noall +answer sina.com
.			5	IN	NS	i.root-servers.net.
.			5	IN	NS	e.root-servers.net.
.			5	IN	NS	g.root-servers.net.
.			5	IN	NS	a.root-servers.net.
.			5	IN	NS	l.root-servers.net.
.			5	IN	NS	b.root-servers.net.
.			5	IN	NS	f.root-servers.net.
.			5	IN	NS	h.root-servers.net.
.			5	IN	NS	j.root-servers.net.
.			5	IN	NS	k.root-servers.net.
.			5	IN	NS	d.root-servers.net.
.			5	IN	NS	c.root-servers.net.
.			5	IN	NS	m.root-servers.net.
.			5	IN	RRSIG	NS 8 0 518400 20190709050000 20190626040000 25266 . KzQL7eH1xUR1o5RWy/pKJAwhzZ+86CkW7uWRJo64plyhMNMo/afOnrFb 7sHfBJmkKlAAAAAFDePWxBL2zLyWaOX4Tj05yd3mbF5t3rfeP/75EIFA 5R3pqV+cxZSijW2EVrXNbL3KaNpsYH9sYujGKvYPuf/WNarUkLUx7Xn9 gcsOX3ZS6KfZ8NIekE3+Bsuex+vnBhIlws1XlsvnUPGf/1hVXruAX2IB xlQIjT4zjLXEwuP4pgbpdRkbGlXOe7uWXtt2Ywja5+227DqrUuiA+wEF dKNFRX6T/0rZ3a/DPmKAy5d0Xgq2obEt5M32jepblE8hWz6WnTq/5R8i m0AahA==
;; Received 525 bytes from 192.168.181.2#53(192.168.181.2) in 12 ms

;; Received 1196 bytes from 192.112.36.4#53(g.root-servers.net) in 93 ms

;; Received 723 bytes from 192.33.14.30#53(b.gtld-servers.net) in 24 ms

sina.com.		60	IN	A	66.102.251.33
;; Received 336 bytes from 180.149.138.199#53(ns2.sina.com.cn) in 22 ms


2.nslookup:诊断DNS基础结构

命令:nslookup -type=<选择要查询的类型例如:a记录、ns记录、mx记录> 所要查询域名

root@yanxiao:~# nslookup -type=a sina.com    
Server:		192.168.181.2
Address:	192.168.181.2#53

Non-authoritative answer:
Name:	sina.com
Address: 66.102.251.33
# 注:-type=a  查询主机记录

root@yanxiao:~# nslookup -type=ns sina.com
Server:		192.168.181.2
Address:	192.168.181.2#53
# 注:-type=ns  查询域名服务器记录

Non-authoritative answer:
sina.com	nameserver = ns4.sina.com.
sina.com	nameserver = ns4.sina.com.cn.
sina.com	nameserver = ns3.sina.com.cn.
sina.com	nameserver = ns3.sina.com.
sina.com	nameserver = ns1.sina.com.cn.
sina.com	nameserver = ns2.sina.com.
sina.com	nameserver = ns2.sina.com.cn.
sina.com	nameserver = ns1.sina.com.

Authoritative answers can be found from:

# 注:-type=mx  查询邮件服务器记录
root@yanxiao:~# nslookup -type=mx sina.com
Server:		192.168.181.2
Address:	192.168.181.2#53

Non-authoritative answer:
sina.com	mail exchanger = 10 freemx3.sinamail.sina.com.cn.
sina.com	mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com	mail exchanger = 5 freemx1.sinamail.sina.com.cn.

Authoritative answers can be found from:


3.whois:注册信息查询

命令:whois 所要查询的域名

root@yanxiao:~# whois baidu.com 
   Domain Name: BAIDU.COM
   Registry Domain ID: 11181110_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2019-05-09T04:30:46Z
   Creation Date: 1999-10-11T11:05:17Z
   Registry Expiry Date: 2026-10-11T11:05:17Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
   Registrar Abuse Contact Phone: +1.2083895740
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.BAIDU.COM
   Name Server: NS2.BAIDU.COM
   Name Server: NS3.BAIDU.COM
   Name Server: NS4.BAIDU.COM
   Name Server: NS7.BAIDU.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-06-26T09:02:43Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: baidu.com
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-08T20:59:33-0700
Creation Date: 1999-10-11T04:05:17-0700
Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant State/Province: Beijing
Registrant Country: CN
Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Admin State/Province: Beijing
Admin Country: CN
Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Tech State/Province: Beijing
Tech Country: CN
Name Server: ns3.baidu.com
Name Server: ns4.baidu.com
Name Server: ns7.baidu.com
Name Server: ns2.baidu.com
Name Server: ns1.baidu.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-06-26T02:02:28-0700 <<<

For more information on WHOIS status codes, please visit:
  https://www.icann.org/resources/pages/epp-status-codes

If you wish to contact this domain’s Registrant, Administrative, or Technical
contact, and such email address is not visible above, you may do so via our web
form, pursuant to ICANN’s Temporary Specification. To verify that you are not a
robot, please enter your email address to receive a link to a page that
facilitates email communication with the relevant contact(s).

Web-based WHOIS:
  https://domains.markmonitor.com/whois

If you have a legitimate interest in viewing the non-public WHOIS details, send
your request and the reasons for your request to whoisrequest@markmonitor.com
and specify the domain name in the subject line. We will review that request and
may ask for supporting documentation and explanation.

The data in MarkMonitor’s WHOIS database is provided for information purposes,
and to assist persons in obtaining information about or related to a domain
name’s registration record. While MarkMonitor believes the data to be accurate,
the data is provided "as is" with no guarantee or warranties regarding its
accuracy.

By submitting a WHOIS query, you agree that you will use this data only for
lawful purposes and that, under no circumstances will you use this data to:
  (1) allow, enable, or otherwise support the transmission by email, telephone,
or facsimile of mass, unsolicited, commercial advertising, or spam; or
  (2) enable high volume, automated, or electronic processes that send queries,
data, or email to MarkMonitor (or its systems) or the domain name contacts (or
its systems).

MarkMonitor.com reserves the right to modify these terms at any time.

By submitting this query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiCounterfeiting(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services

Visit MarkMonitor at https://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
--


4.dnsenum

dnsenum的目的是尽可能收集一个域的信息,它能够通过谷歌或者字典文件猜测可能存在的域名,以及对一个网段进行反向查询。
命令:dnsenum -enum 所要查询的域名

root@yanxiao:~# dnsenum -enum baidu.com
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
Warning: can't load Net::Whois::IP module, whois queries disabled.
Warning: can't load WWW::Mechanize module, Google scraping desabled.

-----   baidu.com   -----


Host's addresses:
__________________

baidu.com.                               5        IN    A        123.125.114.144
baidu.com.                               5        IN    A        220.181.38.148


Name Servers:
______________

ns4.baidu.com.                           5        IN    A        14.215.178.80
ns7.baidu.com.                           5        IN    A        180.76.76.92
dns.baidu.com.                           5        IN    A        202.108.22.220
ns2.baidu.com.                           5        IN    A        220.181.33.31
ns3.baidu.com.                           5        IN    A        112.80.248.64


Mail (MX) Servers:
___________________

mx.n.shifen.com.                         5        IN    A        61.135.165.120
mx.n.shifen.com.                         5        IN    A        111.202.115.85
mx50.baidu.com.                          5        IN    A        180.76.13.18
mx1.baidu.com.                           5        IN    A        220.181.50.185
mx1.baidu.com.                           5        IN    A        61.135.165.120
jpmx.baidu.com.                          5        IN    A        61.208.132.13
mx.maillb.baidu.com.                     5        IN    A        111.202.115.85


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for baidu.com on ns4.baidu.com ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for baidu.com on dns.baidu.com ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for baidu.com on ns7.baidu.com ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for baidu.com on ns2.baidu.com ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for baidu.com on ns3.baidu.com ... 
AXFR record query failed: REFUSED

brute force file not specified, bay.


5.fierce

fierce工具主要是对子域名进行扫描和收集信息。使用fierce工具获得一个目标主机上所有IP地址和主机信息

①直接查询

命令:fierce -dns 所要查询的域名

root@yanxiao:~# fierce -dns baidu.com
DNS Servers for baidu.com:
	ns3.baidu.com
	ns7.baidu.com
	dns.baidu.com
	ns4.baidu.com
	ns2.baidu.com

Trying zone transfer first...
	Testing ns3.baidu.com
		Request timed out or transfer not allowed.
	Testing ns7.baidu.com
		Request timed out or transfer not allowed.
	Testing dns.baidu.com
		Request timed out or transfer not allowed.
	Testing ns4.baidu.com
		Request timed out or transfer not allowed.
	Testing ns2.baidu.com
		Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...


......此处的发现结果不予显示

Subnets found (may want to probe here using nmap or unicornscan):

......此处的发现结果不予显示

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 220 entries.

Have a nice day.

②字典爆破

kali中的fierce中自带一个字典可以用来实施字典爆破。
字典存放目录:/usr/share/fierce/hosts.txt
命令:fierce -dnsserver 要使用的dns服务器 -dns 所要爆破的域名 -wordlist 字典路径

root@yanxiao:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt

DNS Servers for sina.com.cn:
	ns2.sina.com.cn
	ns3.sina.com.cn
	ns1.sina.com.cn
	ns4.sina.com.cn

Trying zone transfer first...

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...

......此处的发现结果不予显示

Subnets found (may want to probe here using nmap or unicornscan):

......此处的发现结果不予显示

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 458 entries.

Have a nice day.


三、被动信息收集方式的重点(个人认为)

recon-ng
recon-ng是由python编写的一个开源的Web侦查(信息收集)框架。recon-ng框架是一个全特性的工具,使用它可以自动的收集信息和网络侦查。默认集成数据库,可把查询结果结构化存储在其中,有报告模块,把结果导出为报告。

使用recon-ng的信息侦查方式有三个步骤:
1、DNS查询 —— google、baidu、bing、yahoo、Brute force(有自己的字典)
2、解析IP地址(查询数据库)—— resolve模块
3、生成报告 —— report模块

具体如下实例所示:

1.进入recon-ng环境

root@yanxiao:~# recon-ng
                                                                                        
    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    
                                                                                        

                                          /\
                                         / \\ /\
        Sponsored by...           /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                      [recon-ng v4.9.3, Tim Tomes (@LaNMaSteR53)]                       

[75] Recon modules
[8]  Reporting modules
[2]  Import modules
[2]  Exploitation modules
[2]  Discovery modules

[recon-ng][default] > 

首次使用recon-ng,可以使用help查看所有可以执行的命令:

[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add             Adds records to the database
back            Exits the current context
delete          Deletes records from the database
exit            Exits the framework
help            Displays this menu
keys            Manages framework API keys
load            Loads specified module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
reload          Reloads all modules
resource        Executes commands from a resource file
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
unset           Unsets module options
use             Loads specified module
workspaces      Manages workspaces

查看recon-ng命令的使用方法:

[recon-ng][default] > recon-ng -h
[*] Command: recon-ng -h
usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check]
                [--no-analytics]

recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com

optional arguments:
  -h, --help      show this help message and exit
  -v, --version   show program's version number and exit
  -w workspace    load/create a workspace
  -r filename     load commands from a resource file
  --no-check      disable version check
  --no-analytics  disable analytics reporting

2.创建新的工作区

这一步相对来说可有可无,但是为了养成良好习惯,在进行不同的案例之前为这个案例单独建一个工作区我个人认为是比较重要的,方便之后的管理以及查询
命令:workspaces list,显示已存在的工作表

[recon-ng][default] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  | sina       |
  +------------+

这里要说明一下,若进入到recon-ng环境中时创建工作表可以用下列命令:
命令:workspaces add 工作区名

[recon-ng][default] > workspaces add sina-test

[recon-ng][sina-test] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  | sina-test  |
  | sina       |
  +------------+

#删除工作表
[recon-ng][sina-test] > workspaces delete sina-test

[recon-ng][default] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  | sina       |
  +------------+

若还是在kali环境下,则使用下列命令直接创建新工作区或者进入已经存在的工作区:
命令:recon-ng -w 工作区名

root@yanxiao:~# recon-ng -w sina-test

[recon-ng][sina-test] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  | sina-test  |
  | sina       |
  +------------+
  

3.设置工作区参数

这里的工作区参数也可以直接跳过不进行设置,不影响结果;不过需要注意的是不设置参数的话,对方是很容易发现你用recon-ng对他进行扫描,所以建议还是进行设置,设置参数之后扫描会更加隐蔽
命令:show options

[recon-ng][sina-test] > show options

  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  NAMESERVER  8.8.8.8        yes       nameserver for DNS interrogation
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v4    yes       user-agent string
  VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

要进行设置的参数信息命令:

set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
[recon-ng][sina-test] > set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
USER-AGENT => Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
[recon-ng][sina-test] > show options

  Name        Current Value                                                              Required  Description
  ----------  -------------                                                              --------  -----------
  NAMESERVER  8.8.8.8                                                                    yes       nameserver for DNS interrogation
  PROXY                                                                                  no        proxy server (address:port)
  THREADS     10                                                                         yes       number of threads (where applicable)
  TIMEOUT     10                                                                         yes       socket timeout (seconds)
  USER-AGENT  Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  yes       user-agent string
  VERBOSITY   1                                                                          yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

可以看到对工作区参数中的USER-AGENT这一项进行了修改。

4.DNS查询

通过搜索引擎(google、baidu、bing、yahoo)或者使用 brute force(暴力破解) 去查找主机记录。
命令:search

[recon-ng][sina-test] > search google
[*] Searching for 'google'...

  Recon
  -----
    recon/domains-hosts/google_site_api
    recon/domains-hosts/google_site_web

[recon-ng][sina-test] > search baidu
[*] Searching for 'baidu'...
[!] No modules found containing 'baidu'.

[recon-ng][sina-test] > search bing
[*] Searching for 'bing'...

  Recon
  -----
    recon/companies-contacts/bing_linkedin_cache
    recon/domains-hosts/bing_domain_api
    recon/domains-hosts/bing_domain_web
    recon/hosts-hosts/bing_ip

[recon-ng][sina-test] > search yahoo
[*] Searching for 'yahoo'...
[!] No modules found containing 'yahoo'.

[recon-ng][sina-test] > search brute
[*] Searching for 'brute'...

  Exploitation
  ------------
    exploitation/injection/xpath_bruter

  Recon
  -----
    recon/domains-domains/brute_suffix
    recon/domains-hosts/brute_hosts

这里会发现baidu和yahoo在recon-ng环境暂时不能使用。
我在这里使用的是brute模块。
选择要使用的模块,这里我选择了recon/domains-hosts/brute_hosts模块。
命令:use 所要使用的模块

[recon-ng][sina-test] > use recon/domains-hosts/brute_hosts
[recon-ng][sina-test][brute_hosts] > 

查看该模块参数:

[recon-ng][sina-test][brute_hosts] > show options

  Name      Current Value                           Required  Description
  --------  -------------                           --------  -----------
  SOURCE    default                                 yes       source of input (see 'show info' for details)
  WORDLIST  /usr/share/recon-ng/data/hostnames.txt  yes       path to hostname wordlist

设置参数:
命令:set SOURCE 所要发现的域名

[recon-ng][sina-test][brute_hosts] > set SOURCE sina.com
SOURCE => sina.com

运行:
命令:run

[recon-ng][sina-test][brute_hosts] > run

--------
SINA.COM
--------

......此处的发现结果不予显示

-------
SUMMARY
-------
[*] 288 total (247 new) hosts found.

查看粗略的表格,会在终端中显示出上一步中发现的IP地址的各项信息:
命令:show hosts

[recon-ng][sina-test][brute_hosts] > show hosts

  +------------------------------------------------------------------------------------------------------------------+
  | rowid |              host              |    ip_address   | region | country | latitude | longitude |    module   |
  +------------------------------------------------------------------------------------------------------------------+
  ......此处发现结果不予显示
  +------------------------------------------------------------------------------------------------------------------+

查询工作表模块当前的设置:
命令:show info

[recon-ng][sina-test][brute_hosts] > show info

      Name: DNS Hostname Brute Forcer
      Path: modules/recon/domains-hosts/brute_hosts.py
    Author: Tim Tomes (@LaNMaSteR53)

Description:
  Brute forces host names using DNS. Updates the 'hosts' table with the results.

Options:
  Name      Current Value                           Required  Description
  --------  -------------                           --------  -----------
  SOURCE    sina.com                                yes       source of input (see 'show info' for details)
  WORDLIST  /usr/share/recon-ng/data/hostnames.txt  yes       path to hostname wordlist

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

这一步的作用是为了在当前工作区使用当前模块进行继续发现的工作,查询状态之后只需修改需要发现的域名即可。

5.解析IP

返回工作区更换模块:
命令:back

[recon-ng][sina-test][brute_hosts] > back
[recon-ng][sina-test] > 

寻找解析模块resolve:
命令:search resolve

[recon-ng][sina-test] > search resolve
[*] Searching for 'resolve'...

  Recon
  -----
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/netblocks-hosts/reverse_resolve

选择要使用的模块,我这里选择的是recon/hosts-hosts/resolve模块。
命令:use recon/hosts-hosts/resolve

[recon-ng][sina-test] > use recon/hosts-hosts/resolve
[recon-ng][sina-test][resolve] > 

设置模块参数:

[recon-ng][sina-test][resolve] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][sina-test][resolve] > set SOURCE query select host from hosts
SOURCE => query select host from hosts

这里设置的是从刚才的DNS查询中得到的hosts表中进行取样解析。
运行:

[recon-ng][sina-test][resolve] > run

......此处发现结果不予显示

-------
SUMMARY
-------
[*] 662 total (662 new) hosts found.

6.生成报告

这一部分内容在以后的企业工作中是必备的一步,客户最终看到的也是这一部分的内容。
先退出解析模块至工作区,之后选择报告模块,设置报告模块参数,话不多说,进代码块QAQ:

[recon-ng][sina-test][resolve] > back

[recon-ng][sina-test] > search report
[*] Searching for 'report'...

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

[recon-ng][sina-test] > use reporting/html

[recon-ng][sina-test][html] > show options

  Name      Current Value                                      Required  Description
  --------  -------------                                      --------  -----------
  CREATOR                                                      yes       creator name for the report footer
  CUSTOMER                                                     yes       customer name for the report header
  FILENAME  /root/.recon-ng/workspaces/sina-test/results.html  yes       path and filename for report output
  SANITIZE  True                                               yes       mask sensitive data in the report

[recon-ng][sina-test][html] > set CREATOR yanxiao   #设置创建者
CREATOR => yanxiao
[recon-ng][sina-test][html] > ser CUSTOMER SINA.com  #设置目标名
[*] Command: ser CUSTOMER SINA.com
[recon-ng][sina-test][html] > set FILENAME /root/sina-test.html  #设置html文件路径
FILENAME => /root/sina-test.html
[recon-ng][sina-test][html] > run
[*] Report generated at '/root/sina-test.html'.

7.查看报告

打开浏览器,在url一栏搜索刚才所设置的路径:
渗透测试---被动信息收集详解_第1张图片
其中的Hosts是可以打开看详细信息的,在这里我就不打开看了。


至此,被动信息收集便告一段落,总结的不到位或者出现错误的地方还望CSDN各位前辈批评指点。

四、桃花依旧笑春风

这篇文章是继三月份第一次在CSDN发表文章以来第二次继续在CSDN这个平台发表自己的一些所学所感。之前三月份那一次因为各种原因没能坚持下来,这次呢,既因为学习进度到了渗透测试最重要的一部分kali系统以及各种工具的操作,也因为想以在CSDN坚持写博客的方法砥砺自己,让不时的总结巩固所学的知识成为一种习惯,加油!!!愿自己以及诸君不日就可以春风得意马蹄疾,一日看尽长安花。

你可能感兴趣的:(渗透测试kali)