Information Gathering for Penetration Testing

1. Information Gathering for Penetration Testing

1.1 Collecting domain information

1.1.1 whois lookup

$ whois starbucks.com

 Domain Name: STARBUCKS.COM
   Registry Domain ID: 993367_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.corporatedomains.com
   Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
   Updated Date: 2018-10-20T05:46:56Z
   Creation Date: 1993-10-25T04:00:00Z
   Registry Expiry Date: 2019-10-24T04:00:00Z
   Registrar: CSC Corporate Domains, Inc.
   Registrar IANA ID: 299
   Registrar Abuse Contact Email: [email protected]
   Registrar Abuse Contact Phone: 8887802723
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: A4.NSTLD.COM
   Name Server: F4.NSTLD.COM
   Name Server: G4.NSTLD.COM
   Name Server: H4.NSTLD.COM
   Name Server: J4.NSTLD.COM
   Name Server: L4.NSTLD.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-03-12T12:43:59Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: starbucks.com
Registry Domain ID: 993367_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2018-10-20T05:46:56Z
Creation Date: 1993-10-25T04:00:00Z
Registrar Registration Expiration Date: 2019-10-24T04:00:00Z
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar IANA ID: 299
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited http://www.icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited http://www.icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited http://www.icann.org/epp#serverUpdateProhibited
Registry Registrant ID:
Registrant Name: Internet Hostmaster
Registrant Organization: Starbucks Coffee Company
Registrant Street: 2401 Utah Avenue S, #800
Registrant City: Seattle
Registrant State/Province: WA
Registrant Postal Code: 98134
Registrant Country: US
Registrant Phone: +1.2063181575
Registrant Phone Ext:
Registrant Fax: +1.2063182439
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Internet Hostmaster
Admin Organization: Starbucks Coffee Company
Admin Street: 2401 Utah Avenue S, #800
Admin City: Seattle
Admin State/Province: WA
Admin Postal Code: 98134
Admin Country: US
Admin Phone: +1.2063181575
Admin Phone Ext:
Admin Fax: +1.2063182439
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Internet Hostmaster
Tech Organization: Starbucks Coffee Company
Tech Street: 2401 Utah Avenue S, #800
Tech City: Seattle
Tech State/Province: WA
Tech Postal Code: 98134
Tech Country: US
Tech Phone: +1.2063181575
Tech Phone Ext:
Tech Fax: +1.2063182439
Tech Fax Ext:
Tech Email: [email protected]
Name Server: g4.nstld.com
Name Server: a4.nstld.com
Name Server: j4.nstld.com
Name Server: h4.nstld.com
Name Server: f4.nstld.com
Name Server: l4.nstld.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-10-20T05:46:56Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

Corporation Service Company(c) (CSC)  The Trusted Partner of More than 50% of the 100 Best Global Brands.

Contact us to learn more about our enterprise solutions for Global Domain Name Registration and Management, Trademark Research and Watching, Brand, Logo and Auction Monitoring, as well SSL Certificate Services and DNS Hosting.

NOTICE: You are not authorized to access or query our WHOIS database through the use of high-volume, automated, electronic processes or for the purpose or purposes of using the data in any manner that violates these terms of use. The Data in the CSC WHOIS database is provided by CSC for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. CSC does not guarantee its accuracy. By submitting a WHOIS query, you agree to abide by the following terms of use: you agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to CSC (or its computer systems). CSC reserves the right to terminate your access to the WHOIS database in its sole discretion for any violations by you of these terms of use. CSC reserves the right to modify these terms at any time.

Register your domain name at http://www.cscglobal.com


➜  ~ whois starbucks.com.cn
Domain Name: starbucks.com.cn
ROID: 20021209s10011s00064641-cn
Domain Status: clientTransferProhibited
Registrant ID: hc0758810115230
Registrant: 星巴克企业管理(中国)有限公司
Registrant Contact Email: [email protected]
Sponsoring Registrar: 阿里云计算有限公司(万网)
Name Server: ns3.dnsv4.com
Name Server: ns4.dnsv4.com
Registration Time: 1998-09-23 00:00:00
Expiration Time: 2019-09-23 00:00:00
DNSSEC: unsigned

Domain information can also be looked up at the following sites:

https://whois.aizhan.com/ 
http://whois.chinaz.com/ 
https://www.virustotal.com/#/home/url
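The two lookups above show the problem with reading whois by eye: the .com answer is really two records (the Verisign registry section and the registrar's section, with overlapping fields), and the .com.cn record labels the same facts differently ("Sponsoring Registrar", "Registration Time", "Expiration Time"). As an added example that is not part of the original post, here is a small Python parser that normalises either layout into one record and writes down the notes a tester cares about at this stage. The samples are abridged from the output above; the field-name mapping and the 90-day expiry threshold are this example's own assumptions.

```python
import sys
from datetime import datetime, timezone

# Abridged from the two lookups above: for .com the registry section is followed by the
# registrar section; for .com.cn the CNNIC layout is used. Only fields the parser uses are kept.
SAMPLE_COM = """\
   Domain Name: STARBUCKS.COM
   Registrar WHOIS Server: whois.corporatedomains.com
   Creation Date: 1993-10-25T04:00:00Z
   Registry Expiry Date: 2019-10-24T04:00:00Z
   Registrar: CSC Corporate Domains, Inc.
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Name Server: A4.NSTLD.COM
   Name Server: F4.NSTLD.COM
   DNSSEC: unsigned
>>> Last update of whois database: 2019-03-12T12:43:59Z <<<

Domain Name: starbucks.com
Registrar Registration Expiration Date: 2019-10-24T04:00:00Z
Registrar: CSC CORPORATE DOMAINS, INC.
Registrant Organization: Starbucks Coffee Company
Name Server: f4.nstld.com
Name Server: a4.nstld.com
DNSSEC: unsigned
"""

SAMPLE_CN = """\
Domain Name: starbucks.com.cn
ROID: 20021209s10011s00064641-cn
Domain Status: clientTransferProhibited
Registrant: 星巴克企业管理(中国)有限公司
Sponsoring Registrar: 阿里云计算有限公司(万网)
Name Server: ns3.dnsv4.com
Name Server: ns4.dnsv4.com
Registration Time: 1998-09-23 00:00:00
Expiration Time: 2019-09-23 00:00:00
DNSSEC: unsigned
"""

# The Verisign/registrar and CNNIC layouts label the same facts differently; map every
# spelling onto one key. The first occurrence wins, so the registry section (authoritative
# for status codes and name servers) takes precedence over the registrar's copy.
FIELD_ALIASES = {
    "domain": ("Domain Name",),
    "registrar": ("Registrar", "Sponsoring Registrar"),
    "registrant": ("Registrant Organization", "Registrant"),
    "created": ("Creation Date", "Registration Time"),
    "expires": ("Registry Expiry Date", "Registrar Registration Expiration Date", "Expiration Time"),
    "dnssec": ("DNSSEC",),
}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S")


def parse_whois(text):
    """Reduce raw whois text in either layout to one dict of scalar fields plus two sets."""
    rec = {"name_servers": set(), "statuses": set()}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line or line.startswith(">>>"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name Server":
            rec["name_servers"].add(value.lower())        # case differs between the sections
        elif key == "Domain Status" and value:
            rec["statuses"].add(value.split()[0])         # drop the trailing ICANN EPP URL
        else:
            for canon, spellings in FIELD_ALIASES.items():
                if key in spellings and canon not in rec:
                    rec[canon] = value
    return rec


def parse_date(text):
    """Parse either timestamp style seen above; None if the text is not a date."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def review(rec, now=None):
    """The notes a tester writes down before moving on. `now` is an ISO timestamp string
    (so runs are reproducible) or None for the current time."""
    now = parse_date(now) if now else datetime.now(timezone.utc)
    notes = []
    if rec.get("dnssec", "").lower() == "unsigned":
        notes.append("DNSSEC unsigned: resolver answers for this zone are not integrity-protected")
    if "clientTransferProhibited" not in rec["statuses"]:
        notes.append("no clientTransferProhibited lock: registrar transfer is not locked")
    expires = parse_date(rec.get("expires", ""))
    if expires is not None and (expires - now).days < 90:   # 90 days is an assumed threshold
        notes.append(f"expires in {(expires - now).days} days ({expires.date()})")
    return notes


if __name__ == "__main__":
    # `whois example.com | python whois_notes.py` on live data, otherwise the samples.
    samples = [sys.stdin.read()] if not sys.stdin.isatty() else [SAMPLE_COM, SAMPLE_CN]
    for sample in samples:
        rec = parse_whois(sample)
        print(rec.get("domain"), "|", rec.get("registrar"), "|", sorted(rec["name_servers"]))
        for note in review(rec):
            print("  -", note)
```

Note that both records are marked `DNSSEC: unsigned`, and that the .com record carries registry-side `server*Prohibited` locks while the .com.cn record only has `clientTransferProhibited`; those are exactly the details worth copying into the report before moving on to DNS.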

1.1.2 ICP filing (备案) information

http://www.beianbeian.com

No.  Organization                    Type        ICP filing / licence no.   Site name                                      Home page              Review date
1    星巴克企业管理(中国)有限公司      Enterprise  沪ICP备17003747号-1         星巴克中国官网 (Starbucks China official site)   www.starbucks.com.cn   2018-07-09

Look up the company's corporate records on Tianyancha (天眼查):

https://www.tianyancha.com/company/803257297

1.2 Collecting sensitive information

Using search-engine operators

Keyword    Description
site       restrict results to a domain
inurl      pages whose URL contains the keyword
intext     pages whose body text contains the keyword
filetype   restrict results to a file type
intitle    pages whose title contains the keyword
link       link:baidu.com returns the URLs that link to baidu.com
info       basic information Google holds about a page
cache      Google's cached copy of a page

Google has since retired the link: and cache: operators; site:, inurl:, intitle:, intext: and filetype: still work, and combining them (for example site:example.com filetype:xls) is what surfaces exposed documents and backup files.

1.3 Collecting subdomain information

https://github.com/aboul3la/Sublist3r
python sublist3r.py -d starbucks.com.cn


https://github.com/lijiejie/subDomainsBrute
python subDomainsBrute.py starbucks.com.cn

subDomainsBrute enumerates subdomains by brute-forcing DNS, so it finds names that search engines never indexed.

Sublist3r collects subdomains from search engines and other public sources.

https://dnsdumpster.com/

Enumeration via Certificate Transparency logs

Public CT logs record every HTTPS certificate issued; the names in those certificates are subdomains too.

https://crt.sh/?q=starbucks.com.cn

https://censys.io/ipv4?q=starbucks.com.cn
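DNS brute forcing, the technique subDomainsBrute uses, has one failure mode that wastes the most time: a zone with a wildcard record answers for every name in the wordlist, so the whole list looks "alive". As an added example written for this page (not subDomainsBrute's own code), the script below resolves a few random labels first, treats whatever they return as the wildcard answer, and discards names that resolve only to that answer. The wordlist is a constructed stub and `table_resolver` is an offline stand-in for the system resolver.

```python
import random
import socket
import string
import sys

# Constructed wordlist; a real run uses the dictionaries shipped with subDomainsBrute.
WORDLIST = ["www", "api", "auth", "rewards", "giftcard", "mail", "dev", "staging", "vpn"]


def resolve(name):
    """IPv4 addresses for `name` via the system resolver; empty set if it does not exist."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def table_resolver(table, wildcard_ip=None):
    """Offline stand-in for resolve(): answers from a dict and, when `wildcard_ip` is set,
    behaves like a zone with a wildcard record (every unknown name gets that address)."""
    def lookup(name):
        if name in table:
            return set(table[name])
        return {wildcard_ip} if wildcard_ip else set()
    return lookup


def wildcard_addresses(domain, resolver=resolve, probes=3):
    """Resolve labels that cannot be real names; any answer is the zone's wildcard record."""
    found = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        found |= resolver(f"{label}.{domain}")
    return found


def brute_force(domain, wordlist=WORDLIST, resolver=resolve):
    """Return ({fqdn: addresses}, wildcard_addresses). A name answered only with the
    wildcard addresses is no evidence that it exists and is dropped; a name that also
    has addresses of its own is kept."""
    wildcard = wildcard_addresses(domain, resolver)
    found = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        addrs = resolver(fqdn)
        if addrs and not (wildcard and addrs <= wildcard):
            found[fqdn] = addrs
    return found, wildcard


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: dnsbrute.py <domain>")
    hits, wildcard = brute_force(sys.argv[1])
    if wildcard:
        print("wildcard record detected, answers:", ", ".join(sorted(wildcard)))
    for fqdn, addrs in sorted(hits.items()):
        print(fqdn, ", ".join(sorted(addrs)))
```

This version resolves names one at a time through the system resolver; the real tools add a thread pool and their own list of public resolvers, which is what makes a 100,000-entry wordlist practical. Brute-forcing is noisy from the target's authoritative servers' point of view, so run it after the passive sources (search engines, CT logs) have been exhausted.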

1.4 Collecting common port information

➜  ~ nmap -A 180.153.48.188
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-13 21:35 CST
Nmap scan report for 180.153.48.188
Host is up (0.030s latency).
Not shown: 980 closed ports
PORT     STATE    SERVICE        VERSION
42/tcp   filtered nameserver
80/tcp   open     http-proxy     HAProxy http proxy 1.3.1 or later
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Did not follow redirect to https://180.153.48.188/
88/tcp   open     http-proxy     HAProxy http proxy 1.3.1 or later
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Did not follow redirect to https://180.153.48.188:88/
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     ssl/http       nginx
|_http-server-header: nginx
|_http-title: \xE6\x98\x9F\xE5\xB7\xB4\xE5\x85\x8B | \xE7\x94\xA8\xE6\xAF\x8F\xE4\xB8\x80\xE6\x9D\xAF\xE5\x92\x96\xE5\x95\xA1\xE4\xBC\xA0\xE9\x80\x92\xE6\x98\x9F\xE5\xB7\xB4\xE5\x85\x8B\xE7\x8B\xAC\xE7\x89\xB9\xE7\x9A\x84\xE5\x92\x96\xE5\x95\xA1\xE4\xBD...
| ssl-cert: Subject: commonName=www.starbucks.com.cn/organizationName=Starbucks Coffee Company/stateOrProvinceName=Washington/countryName=US
| Subject Alternative Name: DNS:www.starbucks.com.cn, DNS:achievement.starbucks.com.cn, DNS:api.starbucks.com.cn, DNS:auth.starbucks.com.cn, DNS:callcenter.starbucks.com.cn, DNS:cards.starbucks.com.cn, DNS:coupons.starbucks.com.cn, DNS:emsr.starbucks.com.cn, DNS:giftcard.starbucks.com.cn, DNS:old.giftcard.starbucks.com.cn, DNS:old.rewards.starbucks.com.cn, DNS:profile.starbucks.com.cn, DNS:rewards.starbucks.com.cn
| Not valid before: 2018-06-26T00:00:00
|_Not valid after:  2019-06-26T23:59:59
|_ssl-date: TLS randomness does not represent time
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
901/tcp  filtered samba-swat
1025/tcp filtered NFS-or-IIS
1068/tcp filtered instl_bootc
1434/tcp filtered ms-sql-m
3128/tcp filtered squid-http
3333/tcp filtered dec-notes
4444/tcp filtered krb524
5800/tcp filtered vnc-http
5900/tcp filtered vnc
6129/tcp filtered unknown
6667/tcp filtered irc
9999/tcp open     ssl/abyss?
| ssl-cert: Subject: commonName=www.starbucks.com.cn/organizationName=Starbucks Coffee Company/stateOrProvinceName=Washington/countryName=US
| Subject Alternative Name: DNS:www.starbucks.com.cn, DNS:achievement.starbucks.com.cn, DNS:api.starbucks.com.cn, DNS:auth.starbucks.com.cn, DNS:callcenter.starbucks.com.cn, DNS:cards.starbucks.com.cn, DNS:coupons.starbucks.com.cn, DNS:emsr.starbucks.com.cn, DNS:giftcard.starbucks.com.cn, DNS:old.giftcard.starbucks.com.cn, DNS:old.rewards.starbucks.com.cn, DNS:profile.starbucks.com.cn, DNS:rewards.starbucks.com.cn
| Not valid before: 2018-06-26T00:00:00
|_Not valid after:  2019-06-26T23:59:59
|_ssl-date: 2019-03-13T13:37:13+00:00; 0s from scanner time.
Device type: load balancer|PBX|specialized|firewall
Running (JUST GUESSING): F5 Networks TMOS 11.6.X|11.4.X (87%), Vodavi embedded (85%), AVtech embedded (85%), OSRAM embedded (85%)
OS CPE: cpe:/o:f5:tmos:11.6 cpe:/h:vodavi:xts-ip cpe:/h:osram:lightify cpe:/o:f5:tmos:11.4
Aggressive OS guesses: F5 BIG-IP Local Traffic Manager load balancer (TMOS 11.6) (87%), Vodavi XTS-IP PBX (85%), AVtech Room Alert 26W environmental monitor (85%), OSRAM Lightify ZigBee gateway (85%), F5 BIG-IP AFM firewall (85%), F5 BIG-IP load balancer (TMOS 11.4) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
Service Info: Device: load balancer

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   0.35 ms  XiaoQiang (192.168.31.1)
2   ... 3
4   3.12 ms  124.65.61.21
5   8.41 ms  123.126.0.125
6   31.16 ms 219.158.6.166
7   71.74 ms 219.158.8.230
8   76.11 ms 202.97.17.181
9   28.22 ms 202.97.46.25
10  ...
11  34.20 ms 101.95.207.6
12  32.55 ms 124.74.232.66
13  28.14 ms 124.74.184.77
14  28.57 ms 180.153.48.188

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.98 seconds
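The most valuable lines in the scan above are not the open ports but the certificate's Subject Alternative Name list: one TLS handshake with the load balancer handed back thirteen hostnames (api, auth, cards, coupons, giftcard, rewards, ...), which is the same kind of data the CT-log search in 1.3 returns. As an added example that is not from the original post or from any of the tools it names, the script below harvests names from both sources, filters them to the target domain and separates wildcard entries, which say nothing about which hosts exist. The nmap line is the one printed for 180.153.48.188 above; the crt.sh response is a constructed sample for example.com in the shape of crt.sh's JSON output (`https://crt.sh/?q=%25.example.com&output=json`).

```python
import json
import re
import sys

# The SAN line nmap printed above; a real run feeds the whole nmap output (-oN file).
NMAP_SAN_LINE = (
    "| Subject Alternative Name: DNS:www.starbucks.com.cn, DNS:achievement.starbucks.com.cn, "
    "DNS:api.starbucks.com.cn, DNS:auth.starbucks.com.cn, DNS:callcenter.starbucks.com.cn, "
    "DNS:cards.starbucks.com.cn, DNS:coupons.starbucks.com.cn, DNS:emsr.starbucks.com.cn, "
    "DNS:giftcard.starbucks.com.cn, DNS:old.giftcard.starbucks.com.cn, "
    "DNS:old.rewards.starbucks.com.cn, DNS:profile.starbucks.com.cn, DNS:rewards.starbucks.com.cn"
)

# Constructed stand-in for a crt.sh JSON response: one object per logged certificate,
# with that certificate's names newline-separated in "name_value".
CRT_SH_JSON = r"""[
  {"issuer_name": "C=US, O=Example CA", "name_value": "example.com\nwww.example.com",
   "not_before": "2018-06-26T00:00:00", "not_after": "2019-06-26T23:59:59"},
  {"issuer_name": "C=US, O=Example CA", "name_value": "*.example.com\nstaging.example.com",
   "not_before": "2019-01-01T00:00:00", "not_after": "2019-04-01T00:00:00"},
  {"issuer_name": "C=US, O=Other CA", "name_value": "example.com.evil.test",
   "not_before": "2019-01-01T00:00:00", "not_after": "2020-01-01T00:00:00"}
]"""

SAN_RE = re.compile(r"DNS:([A-Za-z0-9*._-]+)")


def names_from_nmap(output):
    """Every DNS SAN in nmap ssl-cert script output, however many hosts and ports it covers."""
    return set(SAN_RE.findall(output))


def names_from_crtsh(json_text):
    """Every name in a crt.sh JSON response (name_value holds one name per line)."""
    names = set()
    for cert in json.loads(json_text):
        names.update(n.strip() for n in cert["name_value"].split("\n") if n.strip())
    return names


def in_scope(names, domain):
    """Lower-case the names, keep only those at or under `domain`, and split wildcards out."""
    domain = domain.lower()
    hosts, wildcards = set(), set()
    for name in (n.lower() for n in names):
        if name != domain and not name.endswith("." + domain):
            continue        # substring hits such as example.com.evil.test are not ours
        (wildcards if name.startswith("*.") else hosts).add(name)
    return hosts, wildcards


def harvest(domain, nmap_output="", crtsh_json="[]"):
    """Merge both sources into (hosts, wildcards) for one domain."""
    return in_scope(names_from_nmap(nmap_output) | names_from_crtsh(crtsh_json), domain)


if __name__ == "__main__":
    if len(sys.argv) == 3:          # harvest.py <domain> <nmap-output-file>
        hosts, wildcards = harvest(sys.argv[1], open(sys.argv[2], encoding="utf-8").read())
    else:
        hosts, wildcards = harvest("starbucks.com.cn", NMAP_SAN_LINE)
    print("\n".join(sorted(hosts)))
    for w in sorted(wildcards):
        print(f"# wildcard cert covers {w}: brute-force this zone separately")
```

The output is the input for the DNS brute force and for the port scan of the next section: every host in the SAN list should be resolved and compared with 180.153.48.188, since names such as `old.giftcard` and `old.rewards` often point at forgotten servers that are not behind the load balancer at all.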

1.5 Fingerprinting

http://whatweb.bugscaner.com
http://www.yunsee.cn/
https://www.whatweb.net/

1.6 Finding the real IP

When the target is behind a CDN

Ping the domain from several locations. If every location returns the same IP, there is most likely no CDN in front of it. Treat this as a heuristic rather than proof: anycast CDNs also answer with a single address from everywhere.

https://ping.chinaz.com     multi-location ping from inside China, with overseas vantage points as well
https://www.17ce.com/

Getting past the CDN to find the real IP

Internal mail: the headers of mail sent by the target's own servers (see 1.8)
Scanning the site for test files (a forgotten phpinfo page, for example, prints the server's own address)
Secondary domains and sub-sites, which are often not behind the CDN
Access from abroad: https://asm.ca.com/en/ping.php may return the real IP when only domestic traffic is routed through the CDN
Historical DNS resolution records: https://www.netcraft.com/
If there is a mobile app, try capturing its traffic; apps often talk to the origin directly
Getting past the Cloudflare CDN to find the real IP: "cloudflare watch"

How to verify a candidate IP
For a web target, request the site from the IP directly and compare with what the domain serves. Send the domain name in the Host header (and as the SNI name for HTTPS): a virtual-hosted origin answers a bare-IP request with a default page, which would make a correct candidate look wrong.
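The verification step above, done properly, as an added example that is not from the original post: fetch the page from the address public DNS hands out (the CDN edge) and from the candidate IP, both with the real hostname in Host and SNI, then compare status, title and body hash. The hostname and candidate are given on the command line; `verify_origin.py` is a hypothetical file name, and the comparison rules in `verdict` are this example's own.

```python
import hashlib
import http.client
import re
import socket
import ssl
import sys

TITLE_RE = re.compile(rb"<title[^>]*>(.*?)</title>", re.I | re.S)


def fingerprint(status, headers, body):
    """Reduce one HTTP response to the parts that should agree between CDN edge and origin."""
    m = TITLE_RE.search(body)
    return {
        "status": status,
        "server": headers.get("server", "").lower(),
        "title": m.group(1).strip().decode("utf-8", "replace") if m else "",
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }


def fetch_via_ip(host, ip, path="/", port=443, timeout=10):
    """GET https://host/path but connect to `ip`. SNI and Host carry the real name so a
    virtual-hosted origin serves the right site instead of its default page. Certificate
    checks are off on purpose: the origin's certificate may not even name the host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((ip, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    conn.sock = tls                      # http.client skips connect() when a socket is set
    conn.request("GET", path, headers={"Host": host, "User-Agent": "Mozilla/5.0"})
    resp = conn.getresponse()
    body = resp.read()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return fingerprint(resp.status, headers, body)


def verdict(edge, candidate):
    """Compare what the CDN serves with what the candidate IP serves for the same Host."""
    if candidate["status"] == edge["status"] and candidate["body_sha256"] == edge["body_sha256"]:
        return "match"        # identical page: the candidate is almost certainly the origin
    if candidate["title"] and candidate["title"] == edge["title"]:
        return "probable"     # same title, body differs (dynamic content or CDN rewriting)
    return "no match"         # the candidate serves something else for this Host


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_origin.py <hostname> <candidate-ip>")
    host, candidate_ip = sys.argv[1], sys.argv[2]
    edge_ip = socket.gethostbyname(host)          # what public DNS, i.e. the CDN, gives us
    edge, cand = fetch_via_ip(host, edge_ip), fetch_via_ip(host, candidate_ip)
    print(f"edge {edge_ip}: {edge['status']} server={edge['server']!r} title={edge['title']!r}")
    print(f"cand {candidate_ip}: {cand['status']} server={cand['server']!r} title={cand['title']!r}")
    print("verdict:", verdict(edge, cand))
```

The same request from the shell is `curl -k --resolve www.example.com:443:<candidate-ip> https://www.example.com/`. A "probable" result is normal for pages with per-request tokens or timestamps; compare a static asset (a stylesheet or logo path) to turn it into a "match". A differing `server` header is itself a clue: the edge typically reports the CDN's software while the candidate reports nginx, Apache or IIS.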

1.7 Collecting sensitive directories and files

DirBuster (ships with Kali; an OWASP tool written in Java)
御剑后台扫描珍藏版 (Yujian backend scanner, collector's edition)
wwwscan
Spinder.py
Sensitivefilescan
Weakfilescan

1.8 Social engineering

While gathering information, send a message to the e-mail addresses you have collected and wait for a reply; the headers of the reply can then be analysed for the real IP address and for details of the internal mail servers.
...
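The header analysis described above, as an added example that is not part of the original post. Each relay prepends its own Received: header, so reading them bottom-up reconstructs the path from the sender's workstation through the internal Exchange servers to the outbound MX, and the topmost header (written by your own mail server) records the public address the message really left from. The reply is a constructed sample: example-shop.com, tester.example and every address in it are placeholders.

```python
import ipaddress
import re
import sys
from email import message_from_string

# Constructed reply in the shape a real mail client produces. Every address is a private
# or documentation range; nothing here comes from a real mailbox.
SAMPLE_REPLY = """\
Received: from mx-out.example-shop.com (mx-out.example-shop.com [203.0.113.25])
\tby mail.tester.example (Postfix) with ESMTPS id 4F2C3
\tfor <me@tester.example>; Wed, 13 Mar 2019 21:40:02 +0800 (CST)
Received: from exch01.corp.example-shop.local (10.20.30.40) by mx-out.example-shop.com
\t(10.20.30.5) with Microsoft SMTP Server (TLS) id 15.1.1591.10; Wed, 13 Mar 2019 13:39:58 +0000
Received: from [192.168.7.112] (192.168.7.112) by exch01.corp.example-shop.local (10.20.30.40)
\twith Microsoft SMTP Server id 15.1.1591.10; Wed, 13 Mar 2019 13:39:55 +0000
From: Internet Hostmaster <hostmaster@example-shop.com>
To: me@tester.example
Subject: Re: question about your site
X-Originating-IP: [192.168.7.112]
X-Mailer: Microsoft Outlook 16.0
Message-ID: <5d6e0c1a9f3b4c7e@exch01.corp.example-shop.local>

Thanks for reaching out.
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
SOFTWARE_RE = re.compile(r"\b(Postfix|Exim|Sendmail|qmail|Microsoft SMTP Server|Exchange)\b")
# Explicit RFC 1918 test: ipaddress.is_private would also flag the documentation range
# (203.0.113.0/24) that stands in for the public address in the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in RFC1918)


def received_hops(msg):
    """Received: headers oldest-first (relays prepend, so the list is reversed), unfolded,
    with the relay names and every IP address picked out."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())
        ips = []
        for candidate in IP_RE.findall(text):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:
                pass                     # e.g. a version string that looks like an address
        names = [m.group(1).strip("[]") for m in (FROM_RE.match(text), BY_RE.search(text)) if m]
        hops.append({"text": text, "ips": ips, "names": [n for n in names if not IP_RE.fullmatch(n)]})
    return hops


def analyse(raw):
    """What the reply tells us: egress address, internal addresses and hostnames, software."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    all_ips = [ip for hop in hops for ip in hop["ips"]]
    # Newest hop first: the address our own MX saw the connection from is the target's
    # real mail-server address, which no CDN hides.
    egress = next((str(ip) for hop in reversed(hops) for ip in hop["ips"] if not is_internal(ip)), None)
    return {
        "egress_ip": egress,
        "internal_ips": [str(ip) for ip in sorted({ip for ip in all_ips if is_internal(ip)})],
        "hosts": sorted({n for hop in hops for n in hop["names"]}),
        "software": sorted(set(SOFTWARE_RE.findall(" ".join(hop["text"] for hop in hops)))),
        "mailer": msg.get("X-Mailer"),
        "originating_ip": (msg.get("X-Originating-IP") or "").strip("[] ") or None,
    }


if __name__ == "__main__":
    # analyse_headers.py <saved .eml file>, otherwise the constructed sample
    raw = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REPLY
    for key, value in analyse(raw).items():
        print(f"{key:15} {value}")
```

Save the reply as raw source (.eml) rather than copying the rendered headers, since clients hide or reorder Received: lines. On the sample, the result is the public MX address, three RFC 1918 addresses, the Exchange server's internal name (the `.local` domain is the Active Directory forest name), the Exchange build from the `id 15.1.x` stamp, and the sender's workstation address from X-Originating-IP, which is exactly the "internal mail" source listed in 1.6.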
