渗透测试---被动信息收集详解
被动信息收集
- 一、被动信息收集简介
- 1.被动信息收集
- 2.信息收集的内容
- 3.信息收集的目的
- 二、被动信息收集方式
- 1.dig:域名解析查询
- ①直接查询
- ②按指定内容查询
- ③查新DNS版本信息
- ④DNS追踪,迭代/递归查询
- 2.nslookup:诊断DNS基础结构
- 3.whois:注册信息查询
- 4.dnsenum
- 5.fierce
- ①直接查询
- ②字典爆破
- 三、被动信息收集方式的重点(个人认为)
- 1.进入recon-ng环境
- 2.创建新的工作区
- 3.设置工作区参数
- 4.DNS查询
- 5.解析IP
- 6.生成报告
- 7.查看报告
- 四、桃花依旧笑春风
一、被动信息收集简介
1.被动信息收集
指通过公开渠道的可获得信息,与目标系统或者主机不产生直接的信息交互,以尽可能避免留下任何痕迹的信息收集方法。
2.信息收集的内容
IP地址段
域名信息
邮件地址
文档图片数据
公司地址
公司组织架构
联系电话/传真号码
人员姓名/职务
目标系统使用的技术架构
公开的商用信息
3.信息收集的目的
个人认为信息收集是为了获取目标系统的基础架构以及目标主机的ip地址段以及该对象的域名信息,以达到使用所收集的信息去描述目标系统或者主机的目的,并对之后的一些列扫描工作做准备,是渗透测试技术的第一个关键步骤。
二、被动信息收集方式
在这里我使用的系统环境是基于kali-linux-2018-W25-amd64的虚拟环境.
1.dig:域名解析查询
①直接查询
命令:dig 所要查询域名
root@yanxiao:~# dig www.sina.com
; <<>> DiG 9.11.3-1-Debian <<>> www.sina.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21747
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;www.sina.com. IN A
;; ANSWER SECTION:
www.sina.com. 5 IN CNAME us.sina.com.cn.
us.sina.com.cn. 5 IN CNAME spool.grid.sinaedge.com.
spool.grid.sinaedge.com. 5 IN A 221.204.241.188
spool.grid.sinaedge.com. 5 IN A 61.158.251.244
;; Query time: 5 msec
;; SERVER: 192.168.181.2#53(192.168.181.2)
;; WHEN: Wed Jun 26 16:22:04 CST 2019
;; MSG SIZE rcvd: 135
②按指定内容查询
命令:dig @
root@yanxiao:~# dig @8.8.8.8 www.sina.com mx
; <<>> DiG 9.11.3-1-Debian <<>> @8.8.8.8 www.sina.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40167
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.sina.com. IN MX
;; ANSWER SECTION:
www.sina.com. 59 IN CNAME us.sina.com.cn.
us.sina.com.cn. 59 IN CNAME spool.grid.sinaedge.com.
;; AUTHORITY SECTION:
sinaedge.com. 59 IN SOA ns1.sinaedge.com. null.sinaedge.com. 20100707 10800 60 604800 60
;; Query time: 144 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jun 26 16:36:47 CST 2019
;; MSG SIZE rcvd: 148
结合noall与answer只显示查询结果,摒弃无关信息。
root@yanxiao:~# dig @8.8.8.8 +noall +answer mx sina.com
sina.com. 59 IN MX 5 freemx1.sinamail.sina.com.cn.
sina.com. 59 IN MX 10 freemx2.sinamail.sina.com.cn.
sina.com. 59 IN MX 10 freemx3.sinamail.sina.com.cn.
③查新DNS版本信息
命令:dig +noall +answer txt chaos VERSION.BIND @ns3.所要查询的域名
root@yanxiao:~# dig +noall +answer txt chaos VERSION.BIND @ns3.sina.com
VERSION.BIND. 0 CH TXT " "
#注:这里DNS版本信息应该是在双引号下显示,而此时为空并不是因为命令有误,
# 而是因为新浪将之版本信息隐藏
④DNS追踪,迭代/递归查询
命令:dig +trace 所要查询的域名
root@yanxiao:~# dig +trace +noall +answer sina.com
. 5 IN NS i.root-servers.net.
. 5 IN NS e.root-servers.net.
. 5 IN NS g.root-servers.net.
. 5 IN NS a.root-servers.net.
. 5 IN NS l.root-servers.net.
. 5 IN NS b.root-servers.net.
. 5 IN NS f.root-servers.net.
. 5 IN NS h.root-servers.net.
. 5 IN NS j.root-servers.net.
. 5 IN NS k.root-servers.net.
. 5 IN NS d.root-servers.net.
. 5 IN NS c.root-servers.net.
. 5 IN NS m.root-servers.net.
. 5 IN RRSIG NS 8 0 518400 20190709050000 20190626040000 25266 . KzQL7eH1xUR1o5RWy/pKJAwhzZ+86CkW7uWRJo64plyhMNMo/afOnrFb 7sHfBJmkKlAAAAAFDePWxBL2zLyWaOX4Tj05yd3mbF5t3rfeP/75EIFA 5R3pqV+cxZSijW2EVrXNbL3KaNpsYH9sYujGKvYPuf/WNarUkLUx7Xn9 gcsOX3ZS6KfZ8NIekE3+Bsuex+vnBhIlws1XlsvnUPGf/1hVXruAX2IB xlQIjT4zjLXEwuP4pgbpdRkbGlXOe7uWXtt2Ywja5+227DqrUuiA+wEF dKNFRX6T/0rZ3a/DPmKAy5d0Xgq2obEt5M32jepblE8hWz6WnTq/5R8i m0AahA==
;; Received 525 bytes from 192.168.181.2#53(192.168.181.2) in 12 ms
;; Received 1196 bytes from 192.112.36.4#53(g.root-servers.net) in 93 ms
;; Received 723 bytes from 192.33.14.30#53(b.gtld-servers.net) in 24 ms
sina.com. 60 IN A 66.102.251.33
;; Received 336 bytes from 180.149.138.199#53(ns2.sina.com.cn) in 22 ms
2.nslookup:诊断DNS基础结构
命令:nslookup -type=<选择要查询的类型例如:a记录、ns记录、mx记录> 所要查询域名
root@yanxiao:~# nslookup -type=a sina.com
Server: 192.168.181.2
Address: 192.168.181.2#53
Non-authoritative answer:
Name: sina.com
Address: 66.102.251.33
# 注:-type=a 查询主机记录
root@yanxiao:~# nslookup -type=ns sina.com
Server: 192.168.181.2
Address: 192.168.181.2#53
# 注:-type=ns 查询域名服务器记录
Non-authoritative answer:
sina.com nameserver = ns4.sina.com.
sina.com nameserver = ns4.sina.com.cn.
sina.com nameserver = ns3.sina.com.cn.
sina.com nameserver = ns3.sina.com.
sina.com nameserver = ns1.sina.com.cn.
sina.com nameserver = ns2.sina.com.
sina.com nameserver = ns2.sina.com.cn.
sina.com nameserver = ns1.sina.com.
Authoritative answers can be found from:
# 注:-type=mx 查询邮件服务器记录
root@yanxiao:~# nslookup -type=mx sina.com
Server: 192.168.181.2
Address: 192.168.181.2#53
Non-authoritative answer:
sina.com mail exchanger = 10 freemx3.sinamail.sina.com.cn.
sina.com mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com mail exchanger = 5 freemx1.sinamail.sina.com.cn.
Authoritative answers can be found from:
3.whois:注册信息查询
命令:whois 所要查询的域名
root@yanxiao:~# whois baidu.com
Domain Name: BAIDU.COM
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-09T04:30:46Z
Creation Date: 1999-10-11T11:05:17Z
Registry Expiry Date: 2026-10-11T11:05:17Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.BAIDU.COM
Name Server: NS2.BAIDU.COM
Name Server: NS3.BAIDU.COM
Name Server: NS4.BAIDU.COM
Name Server: NS7.BAIDU.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-06-26T09:02:43Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: baidu.com
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-08T20:59:33-0700
Creation Date: 1999-10-11T04:05:17-0700
Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant State/Province: Beijing
Registrant Country: CN
Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Admin State/Province: Beijing
Admin Country: CN
Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Tech State/Province: Beijing
Tech Country: CN
Name Server: ns3.baidu.com
Name Server: ns4.baidu.com
Name Server: ns7.baidu.com
Name Server: ns2.baidu.com
Name Server: ns1.baidu.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-06-26T02:02:28-0700 <<<
For more information on WHOIS status codes, please visit:
https://www.icann.org/resources/pages/epp-status-codes
If you wish to contact this domain’s Registrant, Administrative, or Technical
contact, and such email address is not visible above, you may do so via our web
form, pursuant to ICANN’s Temporary Specification. To verify that you are not a
robot, please enter your email address to receive a link to a page that
facilitates email communication with the relevant contact(s).
Web-based WHOIS:
https://domains.markmonitor.com/whois
If you have a legitimate interest in viewing the non-public WHOIS details, send
your request and the reasons for your request to whoisrequest@markmonitor.com
and specify the domain name in the subject line. We will review that request and
may ask for supporting documentation and explanation.
The data in MarkMonitor’s WHOIS database is provided for information purposes,
and to assist persons in obtaining information about or related to a domain
name’s registration record. While MarkMonitor believes the data to be accurate,
the data is provided "as is" with no guarantee or warranties regarding its
accuracy.
By submitting a WHOIS query, you agree that you will use this data only for
lawful purposes and that, under no circumstances will you use this data to:
(1) allow, enable, or otherwise support the transmission by email, telephone,
or facsimile of mass, unsolicited, commercial advertising, or spam; or
(2) enable high volume, automated, or electronic processes that send queries,
data, or email to MarkMonitor (or its systems) or the domain name contacts (or
its systems).
MarkMonitor.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.
MarkMonitor is the Global Leader in Online Brand Protection.
MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiCounterfeiting(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services
Visit MarkMonitor at https://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
--
4.dnsenum
dnsenum的目的是尽可能收集一个域的信息,它能够通过谷歌或者字典文件猜测可能存在的域名,以及对一个网段进行反向查询。
命令:dnsenum -enum 所要查询的域名
root@yanxiao:~# dnsenum -enum baidu.com
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
Warning: can't load Net::Whois::IP module, whois queries disabled.
Warning: can't load WWW::Mechanize module, Google scraping desabled.
----- baidu.com -----
Host's addresses:
__________________
baidu.com. 5 IN A 123.125.114.144
baidu.com. 5 IN A 220.181.38.148
Name Servers:
______________
ns4.baidu.com. 5 IN A 14.215.178.80
ns7.baidu.com. 5 IN A 180.76.76.92
dns.baidu.com. 5 IN A 202.108.22.220
ns2.baidu.com. 5 IN A 220.181.33.31
ns3.baidu.com. 5 IN A 112.80.248.64
Mail (MX) Servers:
___________________
mx.n.shifen.com. 5 IN A 61.135.165.120
mx.n.shifen.com. 5 IN A 111.202.115.85
mx50.baidu.com. 5 IN A 180.76.13.18
mx1.baidu.com. 5 IN A 220.181.50.185
mx1.baidu.com. 5 IN A 61.135.165.120
jpmx.baidu.com. 5 IN A 61.208.132.13
mx.maillb.baidu.com. 5 IN A 111.202.115.85
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for baidu.com on ns4.baidu.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for baidu.com on dns.baidu.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for baidu.com on ns7.baidu.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for baidu.com on ns2.baidu.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for baidu.com on ns3.baidu.com ...
AXFR record query failed: REFUSED
brute force file not specified, bay.
5.fierce
fierce工具主要是对子域名进行扫描和收集信息。使用fierce工具获得一个目标主机上所有IP地址和主机信息。
①直接查询
命令:fierce -dns 所要查询的域名
root@yanxiao:~# fierce -dns baidu.com
DNS Servers for baidu.com:
ns3.baidu.com
ns7.baidu.com
dns.baidu.com
ns4.baidu.com
ns2.baidu.com
Trying zone transfer first...
Testing ns3.baidu.com
Request timed out or transfer not allowed.
Testing ns7.baidu.com
Request timed out or transfer not allowed.
Testing dns.baidu.com
Request timed out or transfer not allowed.
Testing ns4.baidu.com
Request timed out or transfer not allowed.
Testing ns2.baidu.com
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
......此处的发现结果不予显示
Subnets found (may want to probe here using nmap or unicornscan):
......此处的发现结果不予显示
Done with Fierce scan: http://ha.ckers.org/fierce/
Found 220 entries.
Have a nice day.
②字典爆破
kali中的fierce中自带一个字典可以用来实施字典爆破。
字典存放目录:/usr/share/fierce/hosts.txt
命令:fierce -dnsserver 要使用的dns服务器 -dns 所要爆破的域名 -wordlist 字典路径
root@yanxiao:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt
DNS Servers for sina.com.cn:
ns2.sina.com.cn
ns3.sina.com.cn
ns1.sina.com.cn
ns4.sina.com.cn
Trying zone transfer first...
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
......此处的发现结果不予显示
Subnets found (may want to probe here using nmap or unicornscan):
......此处的发现结果不予显示
Done with Fierce scan: http://ha.ckers.org/fierce/
Found 458 entries.
Have a nice day.
三、被动信息收集方式的重点(个人认为)
recon-ng
recon-ng是由python编写的一个开源的Web侦查(信息收集)框架。recon-ng框架是一个全特性的工具,使用它可以自动的收集信息和网络侦查。默认集成数据库,可把查询结果结构化存储在其中,有报告模块,把结果导出为报告。
使用recon-ng的信息侦查方式有三个步骤:
1、DNS查询 —— google、baidu、bing、yahoo、Brute force(有自己的字典)
2、解析IP地址(查询数据库)—— resolve模块
3、生成报告 —— report模块
具体如下实例所示:
1.进入recon-ng环境
root@yanxiao:~# recon-ng
_/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
/\
/ \\ /\
Sponsored by... /\ /\/ \\V \/\
/ \\/ // \\\\\ \\ \/\
// // BLACK HILLS \/ \\
www.blackhillsinfosec.com
[recon-ng v4.9.3, Tim Tomes (@LaNMaSteR53)]
[75] Recon modules
[8] Reporting modules
[2] Import modules
[2] Exploitation modules
[2] Discovery modules
[recon-ng][default] >
首次使用recon-ng,可以使用help查看所有可以执行的命令:
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
add Adds records to the database
back Exits the current context
delete Deletes records from the database
exit Exits the framework
help Displays this menu
keys Manages framework API keys
load Loads specified module
pdb Starts a Python Debugger session
query Queries the database
record Records commands to a resource file
reload Reloads all modules
resource Executes commands from a resource file
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
unset Unsets module options
use Loads specified module
workspaces Manages workspaces
查看recon-ng命令的使用方法:
[recon-ng][default] > recon-ng -h
[*] Command: recon-ng -h
usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check]
[--no-analytics]
recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-w workspace load/create a workspace
-r filename load commands from a resource file
--no-check disable version check
--no-analytics disable analytics reporting
2.创建新的工作区
这一步相对来说可有可无,但是为了养成良好习惯,在进行不同的案例之前为这个案例单独建一个工作区我个人认为是比较重要的,方便之后的管理以及查询。
命令:workspaces list,显示已存在的工作表
[recon-ng][default] > workspaces list
+------------+
| Workspaces |
+------------+
| default |
| sina |
+------------+
这里要说明一下,若进入到recon-ng环境中时创建工作表可以用下列命令:
命令:workspaces add 工作区名
[recon-ng][default] > workspaces add sina-test
[recon-ng][sina-test] > workspaces list
+------------+
| Workspaces |
+------------+
| default |
| sina-test |
| sina |
+------------+
#删除工作表
[recon-ng][sina-test] > workspaces delete sina-test
[recon-ng][default] > workspaces list
+------------+
| Workspaces |
+------------+
| default |
| sina |
+------------+
若还是在kali环境下,则使用下列命令直接创建新工作区或者进入已经存在的工作区:
命令:recon-ng -w 工作区名
root@yanxiao:~# recon-ng -w sina-test
[recon-ng][sina-test] > workspaces list
+------------+
| Workspaces |
+------------+
| default |
| sina-test |
| sina |
+------------+
3.设置工作区参数
这里的工作区参数也可以直接跳过不进行设置,不影响结果;不过需要注意的是不设置参数的话,对方是很容易发现你用recon-ng对他进行扫描,所以建议还是进行设置,设置参数之后扫描会更加隐蔽
命令:show options
[recon-ng][sina-test] > show options
Name Current Value Required Description
---------- ------------- -------- -----------
NAMESERVER 8.8.8.8 yes nameserver for DNS interrogation
PROXY no proxy server (address:port)
THREADS 10 yes number of threads (where applicable)
TIMEOUT 10 yes socket timeout (seconds)
USER-AGENT Recon-ng/v4 yes user-agent string
VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)
要进行设置的参数信息命令:
set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
[recon-ng][sina-test] > set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
USER-AGENT => Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
[recon-ng][sina-test] > show options
Name Current Value Required Description
---------- ------------- -------- -----------
NAMESERVER 8.8.8.8 yes nameserver for DNS interrogation
PROXY no proxy server (address:port)
THREADS 10 yes number of threads (where applicable)
TIMEOUT 10 yes socket timeout (seconds)
USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 yes user-agent string
VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)
可以看到对工作区参数中的USER-AGENT这一项进行了修改。
4.DNS查询
通过搜索引擎(google、baidu、bing、yahoo)或者使用 brute force(暴力破解) 去查找主机记录。
命令:search
[recon-ng][sina-test] > search google
[*] Searching for 'google'...
Recon
-----
recon/domains-hosts/google_site_api
recon/domains-hosts/google_site_web
[recon-ng][sina-test] > search baidu
[*] Searching for 'baidu'...
[!] No modules found containing 'baidu'.
[recon-ng][sina-test] > search bing
[*] Searching for 'bing'...
Recon
-----
recon/companies-contacts/bing_linkedin_cache
recon/domains-hosts/bing_domain_api
recon/domains-hosts/bing_domain_web
recon/hosts-hosts/bing_ip
[recon-ng][sina-test] > search yahoo
[*] Searching for 'yahoo'...
[!] No modules found containing 'yahoo'.
[recon-ng][sina-test] > search brute
[*] Searching for 'brute'...
Exploitation
------------
exploitation/injection/xpath_bruter
Recon
-----
recon/domains-domains/brute_suffix
recon/domains-hosts/brute_hosts
这里会发现baidu和yahoo在recon-ng环境暂时不能使用。
我在这里使用的是brute模块。
选择要使用的模块,这里我选择了recon/domains-hosts/brute_hosts模块。
命令:use 所要使用的模块
[recon-ng][sina-test] > use recon/domains-hosts/brute_hosts
[recon-ng][sina-test][brute_hosts] >
查看该模块参数:
[recon-ng][sina-test][brute_hosts] > show options
Name Current Value Required Description
-------- ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
WORDLIST /usr/share/recon-ng/data/hostnames.txt yes path to hostname wordlist
设置参数:
命令:set SOURCE 所要发现的域名
[recon-ng][sina-test][brute_hosts] > set SOURCE sina.com
SOURCE => sina.com
运行:
命令:run
[recon-ng][sina-test][brute_hosts] > run
--------
SINA.COM
--------
......此处的发现结果不予显示
-------
SUMMARY
-------
[*] 288 total (247 new) hosts found.
查看粗略的表格,会在终端中显示出上一步中发现的IP地址的各项信息:
命令:show hosts
[recon-ng][sina-test][brute_hosts] > show hosts
+------------------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+------------------------------------------------------------------------------------------------------------------+
......此处发现结果不予显示
+------------------------------------------------------------------------------------------------------------------+
查询工作表模块当前的设置:
命令:show info
[recon-ng][sina-test][brute_hosts] > show info
Name: DNS Hostname Brute Forcer
Path: modules/recon/domains-hosts/brute_hosts.py
Author: Tim Tomes (@LaNMaSteR53)
Description:
Brute forces host names using DNS. Updates the 'hosts' table with the results.
Options:
Name Current Value Required Description
-------- ------------- -------- -----------
SOURCE sina.com yes source of input (see 'show info' for details)
WORDLIST /usr/share/recon-ng/data/hostnames.txt yes path to hostname wordlist
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
这一步的作用是为了在当前工作区使用当前模块进行继续发现的工作,查询状态之后只需修改需要发现的域名即可。
5.解析IP
返回工作区更换模块:
命令:back
[recon-ng][sina-test][brute_hosts] > back
[recon-ng][sina-test] >
寻找解析模块resolve:
命令:search resolve
[recon-ng][sina-test] > search resolve
[*] Searching for 'resolve'...
Recon
-----
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/netblocks-hosts/reverse_resolve
选择要使用的模块,我这里选择的是recon/hosts-hosts/resolve模块。
命令:use recon/hosts-hosts/resolve
[recon-ng][sina-test] > use recon/hosts-hosts/resolve
[recon-ng][sina-test][resolve] >
设置模块参数:
[recon-ng][sina-test][resolve] > show options
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
[recon-ng][sina-test][resolve] > set SOURCE query select host from hosts
SOURCE => query select host from hosts
这里设置的是从刚才的DNS查询中得到的hosts表中进行取样解析。
运行:
[recon-ng][sina-test][resolve] > run
......此处发现结果不予显示
-------
SUMMARY
-------
[*] 662 total (662 new) hosts found.
6.生成报告
这一部分内容在以后的企业工作中是必备的一步,客户最终看到的也是这一部分的内容。
先退出解析模块至工作区,之后选择报告模块,设置报告模块参数,话不多说,进代码块QAQ:
[recon-ng][sina-test][resolve] > back
[recon-ng][sina-test] > search report
[*] Searching for 'report'...
Reporting
---------
reporting/csv
reporting/html
reporting/json
reporting/list
reporting/proxifier
reporting/pushpin
reporting/xlsx
reporting/xml
[recon-ng][sina-test] > use reporting/html
[recon-ng][sina-test][html] > show options
Name Current Value Required Description
-------- ------------- -------- -----------
CREATOR yes creator name for the report footer
CUSTOMER yes customer name for the report header
FILENAME /root/.recon-ng/workspaces/sina-test/results.html yes path and filename for report output
SANITIZE True yes mask sensitive data in the report
[recon-ng][sina-test][html] > set CREATOR yanxiao #设置创建者
CREATOR => yanxiao
[recon-ng][sina-test][html] > ser CUSTOMER SINA.com #设置目标名
[*] Command: ser CUSTOMER SINA.com
[recon-ng][sina-test][html] > set FILENAME /root/sina-test.html #设置html文件路径
FILENAME => /root/sina-test.html
[recon-ng][sina-test][html] > run
[*] Report generated at '/root/sina-test.html'.
7.查看报告
打开浏览器,在url一栏搜索刚才所设置的路径:
其中的Hosts是可以打开看详细信息的,在这里我就不打开看了。
至此,被动信息收集便告一段落,总结的不到位或者出现错误的地方还望CSDN各位前辈批评指点。
四、桃花依旧笑春风
这篇文章是继三月份第一次在CSDN发表文章以来第二次继续在CSDN这个平台发表自己的一些所学所感。之前三月份那一次因为各种原因没能坚持下来,这次呢,既因为学习进度到了渗透测试最重要的一部分kali系统以及各种工具的操作,也因为想以在CSDN坚持写博客的方法砥砺自己,让不时的总结巩固所学的知识成为一种习惯,加油!!!愿自己以及诸君不日就可以春风得意马蹄疾,一日看尽长安花。