Information Gathering

I. Passive collection

1. DNS information gathering

(1) nslookup (DNS resolution, etc.)

The nslookup command queries DNS records and checks whether a domain name resolves correctly; it is used to diagnose network problems when something is wrong with the network.

1. Simple usage (no DNS server specified; the local resolver address is used by default)
[root@localhostgo_test]#nslookup  www.baidu.com 
Server:		223.5.5.5
Address:	223.5.5.5#53

Non-authoritative answer:
www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 14.215.177.38
Name:	www.a.shifen.com
Address: 14.215.177.39

2. Querying other record types
Syntax:
nslookup -query=type domain [dns-server]
(BIND's nslookup does not accept -qt; the run below shows it rejected with "Invalid option". Use -query=type or -type=type.)

type can be any of the following:
A      IPv4 address record
AAAA   IPv6 address record
AFSDB  Andrew File System database server record
ATMA   ATM address record
CNAME  canonical name (alias) record
HINFO  host hardware information record, including CPU and operating system
ISDN   ISDN number for the domain name
MB     server holding the specified mailbox
MG     mail group record
MINFO  mail group and mailbox information record
MR     renamed mailbox record
MX     mail exchanger record
NS     name server record
PTR    reverse (pointer) record
RP     responsible person record
RT     route-through record
SRV    TCP service location record
TXT    text information associated with the domain name
X25    X.25 address record for the domain name

Example:
[root@localhostgo_test]#nslookup -qt=A www.baidu.com 8.8.8.8
*** Invalid option: qt=A
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 14.215.177.39
Name:	www.a.shifen.com
Address: 14.215.177.38

  

(2) dig (DNS resolution, etc.)

The dig command is mainly used to query host address information from DNS name servers.
Common DNS record types:
A: address record, maps a domain name to an IPv4 address; to point a domain name at an IP address you add an A record.
AAAA: maps a host name (or domain name) to an IPv6 address.
CNAME: points a domain name at another domain name, which in turn supplies the IP address.
MX: needed to set up mail so that the mailbox can receive messages.
NS: name server record; to delegate a subdomain to other DNS servers you add NS records.
SOA: a mandatory record in every zone file; it must be the first record in the file.
TXT: can contain anything; length is limited to 255. The vast majority of TXT records are SPF records (anti-spam).

 

Usage:

1. Simple usage
[root@localhostgo_test]#dig www.baidu.com 

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28708
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		59	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	59	IN	A	14.215.177.39
www.a.shifen.com.	59	IN	A	14.215.177.38
......

2. Querying a CNAME record
[root@localhostgo_test]#dig  www.a.shifen.com CNAME

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> www.a.shifen.com CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43015
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.a.shifen.com.		IN	CNAME

;; AUTHORITY SECTION:
a.shifen.com.		600	IN	SOA	ns1.a.shifen.com. baidu_dns_master.baidu.com. 1903260006 5 5 2592000 3600
......

3. Querying a specified DNS server
[root@localhostgo_test]#dig @114.114.114.114 www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @114.114.114.114 www.baidu.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16976
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		669	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	251	IN	A	14.215.177.38
www.a.shifen.com.	251	IN	A	14.215.177.39
......

4. Reverse lookup
The -x option of dig reverse-resolves an IP address to its domain name.
[root@localhostgo_test]#dig -x 114.114.114.114 +short
public1.114dns.com.

5. Controlling the output
By default dig prints a verbose result; use the +short option to get a trimmed-down answer.
[root@localhostgo_test]#dig  +short www.baidu.com
www.a.shifen.com.
14.215.177.38
14.215.177.39

6. Viewing the TTL (Time to Live)
The TTL is an important value in DNS resolution: it controls how long a DNS record is cached on a DNS server.
[root@localhostgo_test]#dig www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35251
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		207	IN	CNAME	www.a.shifen.com. # 207 is the TTL value
www.a.shifen.com.	207	IN	A	14.215.177.38
www.a.shifen.com.	207	IN	A	14.215.177.39

7. Tracing the whole resolution path
dig +trace www.baidu.com

  

2. DNS subdomains, etc.

(1) DNS zone transfer

1. Using the dig command

Command format: dig @s1.example.com example.com axfr

1. Get the NS records
[root@localhostgo_test]dig +noall +answer  sina.com ns
sina.com.		43962	IN	NS	ns4.sina.com.
sina.com.		43962	IN	NS	ns4.sina.com.cn.
sina.com.		43962	IN	NS	ns1.sina.com.

2. Zone transfer (the connection was refused)
[root@localhostgo_test]dig +noall +answer @ns4.sina.com. sina.com  axfr
; Transfer failed.

  

2. Zone transfer with host

[root@localhostgo_test]#host -T -l sina.com ns4.sina.com.
; Transfer failed.
Using domain server:
Name: ns4.sina.com.
Address: 123.125.29.99#53
Aliases: 

Host sina.com not found: 5(REFUSED)
; Transfer failed. # refused again
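An added example from the defender's side (not part of the original notes): a small Python helper that classifies the output of dig +noall +answer @<ns> <zone> axfr, so you can check that every authoritative server for your own zone refuses transfers the way ns4.sina.com does above, and see which names a leak would expose. The zone example.test, the server names and both sample outputs are constructed; audit_zone needs dig on PATH and network access.

```python
import re
import subprocess

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")

def parse_axfr_output(text):
    """Classify 'dig +noall +answer @ns zone axfr' output.
    'refused' : dig printed '; Transfer failed.' (REFUSED or connection closed), as in the notes above
    'leaked'  : a complete zone arrived (a full AXFR is bracketed by two SOA records)
    'unknown' : anything else, e.g. a timeout or a truncated transfer"""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    if records and records[0][2] == "SOA" and records[-1][2] == "SOA":
        return "leaked", records
    if "transfer failed" in text.lower():
        return "refused", records
    return "unknown", records

def exposed_names(records):
    """Owner names a leaked zone hands out, minus the apex SOA/NS: the list an enumerator is after."""
    return sorted({r[0] for r in records if r[2] not in ("SOA", "NS")})

def audit_zone(zone, nameservers):
    """Run dig against each authoritative server of your own zone (needs dig on PATH and network)."""
    results = {}
    for ns in nameservers:
        out = subprocess.run(["dig", "+noall", "+answer", "+time=5", "@" + ns, zone, "axfr"],
                             capture_output=True, text=True, timeout=60).stdout
        results[ns] = parse_axfr_output(out)[0]
    return results

# Constructed sample outputs (not real captures) in the shape dig prints with +noall +answer.
REFUSED_OUTPUT = "; Transfer failed.\n"
LEAKED_OUTPUT = (
    "example.test.\t\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2019032601 7200 3600 1209600 3600\n"
    "example.test.\t\t3600\tIN\tNS\tns1.example.test.\n"
    "www.example.test.\t300\tIN\tA\t192.0.2.10\n"
    "intranet.example.test.\t300\tIN\tA\t10.0.0.5\n"
    "example.test.\t\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2019032601 7200 3600 1209600 3600\n"
)
```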

 

(2) DNS dictionary brute force

dnsdict6 (the most effective)

1. Installing dnsdict6

Installing dnsdict6 on Kali
1. Download: https://github.com/mmoya/pkg-thc-ipv6/releases

2. Install
tar xf 2.7.tar.gz
cd pkg-thc-ipv6-upstream-2.7/
apt-get install libpcap-dev libssl-dev
make
cp dnsdict6   /usr/bin/

  

2. Using dnsdict6

Options:
-d  show IPv6 results
-4  show IPv4 results
-t  number of concurrent threads, default 8, maximum 32
-[smlxu]  use a built-in wordlist; size increases from left to right
-D  use a local wordlist file


dnsdict6 -4 -t 32 -u baidu.com

root@kali:~# dnsdict6 -4 -t 32 -u baidu.com
Starting DNS enumeration work on baidu.com. ...
Starting enumerating baidu.com. - creating 32 threads for 16726 words...
Estimated time to completion: 2 to 6 minutes
1.baidu.com. => 180.149.133.125
0.baidu.com. => 180.149.144.203
01.baidu.com. => 115.239.210.116
01.baidu.com. => 180.101.212.65
11.baidu.com. => 220.181.57.55
3b.baidu.com. => 10.26.10.39
abs.baidu.com. => 180.149.144.4
aegis.baidu.com. => 10.48.57.240
adv.baidu.com. => 10.99.57.42
aib.baidu.com. => 180.149.131.162
acc.baidu.com. => 10.48.46.62
aic.baidu.com. => 10.26.5.60
aic.baidu.com. => 10.50.14.165
ads.baidu.com. => 10.42.4.225
adm.baidu.com. => 180.149.131.210
act.baidu.com. => 115.239.211.55
ad.baidu.com. => 182.61.62.50
......

  

2. dnsenum

Example:

root@kali:~# dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 baidu.com -o baidu.xml

Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4

-----   baidu.com   -----


Host's addresses:
__________________

baidu.com.                               389      IN    A        220.181.57.216
baidu.com.                               389      IN    A        123.125.114.144


Name Servers:
______________

ns4.baidu.com.                           14900    IN    A        14.215.178.80
ns3.baidu.com.                           1051     IN    A        112.80.248.64
ns2.baidu.com.                           21311    IN    A        220.181.37.10
ns7.baidu.com.                           13370    IN    A        180.76.76.92
dns.baidu.com.                           14710    IN    A        202.108.22.220


Mail (MX) Servers:
___________________

jpmx.baidu.com.                          1766     IN    A        61.208.132.13
mx50.baidu.com.                          106      IN    A        180.76.13.18
mx.maillb.baidu.com.                     29       IN    A        180.76.13.18
mx.n.shifen.com.                         299      IN    A        220.181.50.185
mx.n.shifen.com.                         299      IN    A        220.181.3.85
mx1.baidu.com.                           165      IN    A        61.135.165.120
mx1.baidu.com.                           165      IN    A        220.181.50.185


.......

  

3. dnsrecon

Example:

root@kali:~# dnsrecon -t std -d sina.com
[*] Performing General Enumeration of Domain:
[*] Checking for Zone Transfer for sina.com name servers
[*] Resolving SOA Record
[-] Error while resolving SOA record.
[*] Resolving NS Records
[*] NS Servers found:
[*] 	NS ns4.sina.com 123.125.29.99
[*] 	NS ns2.sina.com 114.134.80.145
[*] 	NS ns4.sina.com.cn 121.14.1.22
[*] 	NS ns1.sina.com.cn 202.106.184.166
[*] 	NS ns1.sina.com 114.134.80.144
[*] 	NS ns3.sina.com 180.149.138.199
[*] 	NS ns3.sina.com.cn 123.125.29.99
[*] 	NS ns2.sina.com.cn 180.149.138.199
[*] Removing any duplicate NS server IP Addresses...
......
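An added example on the defending side (not part of the original notes) for the three dictionary tools above: a detector over BIND query-log lines that flags a client asking for an unusually large number of distinct names under one of your zones within a short window, which is how a dnsdict6/dnsenum/dnsrecon run looks to the authoritative server. The log lines, the zone example.test, the client addresses, the 50-names-per-minute threshold and the fixed-window approach are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# BIND "queries" category line, e.g.
# 26-Mar-2019 16:20:00.000 client @0x7f1 198.51.100.7#41234 (adm.example.test): query: adm.example.test IN A -E(0)K (192.0.2.53)
LOG_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?:@0x[0-9a-f]+ )?"
                    r"(\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]*\): query: (\S+) IN (\S+)")
EPOCH = datetime(1970, 1, 1)

def parse_query_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for lines that are not queries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
    return ts, m.group(2), m.group(3).lower().rstrip("."), m.group(4)

def detect_enumeration(lines, zone, threshold=50, window_s=60):
    """{client_ip: most distinct names under zone seen in one window} for clients at/above threshold.
    Repeated lookups of the same name do not count, so normal resolver traffic stays quiet;
    fixed windows keep this short, so a burst straddling a boundary may need a lower threshold."""
    buckets = defaultdict(set)                    # (client, window index) -> distinct qnames
    for line in lines:
        p = parse_query_line(line)
        if p and p[2].endswith("." + zone):
            buckets[(p[1], (p[0] - EPOCH) // timedelta(seconds=window_s))].add(p[2])
    alerts = {}
    for (client, _), names in buckets.items():
        if len(names) >= threshold:
            alerts[client] = max(alerts.get(client, 0), len(names))
    return alerts

# Constructed sample (not a real log): one client asks for 120 distinct names under the zone
# within 30 s, the way a dictionary run looks; another client resolves www a few times.
def _sample_log():
    base = datetime(2019, 3, 26, 16, 20, 0)
    words = ["1", "0", "01", "11", "3b", "abs", "aegis", "adv", "aib", "acc", "aic", "ads", "adm", "act", "ad"]
    lines = []
    for i in range(120):
        t, name = base + timedelta(milliseconds=250 * i), f"{words[i % 15]}-{i}.example.test"
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.{t.microsecond // 1000:03d} client @0x7f1 198.51.100.7#41234 "
                     f"({name}): query: {name} IN A -E(0)K (192.0.2.53)")
    for i in range(5):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.000 client @0x7f2 203.0.113.9#53001 (www.example.test): "
                     "query: www.example.test IN A -E(0)K (192.0.2.53)")
    return lines
SAMPLE_LOG = _sample_log()
```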

  

(3) DNS registration information

1. whois

Example:

root@kali:~# whois  baidu.com ## query the domain registration information
   Domain Name: BAIDU.COM
   Registry Domain ID: 11181110_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2019-01-25T04:08:55Z
   Creation Date: 1999-10-11T11:05:17Z
   Registry Expiry Date: 2026-10-11T11:05:17Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
   Registrar Abuse Contact Phone: +1.2083895740
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.BAIDU.COM
   Name Server: NS2.BAIDU.COM
   Name Server: NS3.BAIDU.COM

### query the domain information without the legal notice
whois  -H baidu.com

  

 

II. Active collection

(1) Layer-2 discovery

1. netdiscover

Works in wireless and switched network environments

Active: (active ARP probing easily triggers alerts)

netdiscover -i eth0 -r 10.0.0.0/24  # subnet
netdiscover -l iplist.txt   # addresses from a file

  

Passive:

netdiscover -p # passive listening

  

2. Scapy

Installation:

apt-get install python-gnuplot

  

Usage:

root@kali:~# scapy 
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> ARP().display()  # show the fields of an ARP packet
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= who-has
  hwsrc= 00:0c:29:3a:9c:30
  psrc= 10.0.0.128
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0
>>> ARP.pdst="10.0.0.200"  # address the ARP packet to 10.0.0.200
>>> sr1(ARP(pdst="10.0.0.200"))  # send the request; if the target does not exist and no other arguments are given, scapy keeps sending forever
Begin emission:
...........WARNING: Mac address to reach destination not found. Using broadcast.
..Finished to send 1 packets.
....................................^C
>>> sr1(ARP(pdst="10.0.0.200"),timeout=1,verbose=1) # adding the timeout parameter fixes the problem above: after 1 s it stops sending
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished to send 1 packets.

Received 3 packets, got 0 answers, remaining 1 packets

  

 

(2) Layer-3 discovery

Advantages:
Routable
Fairly fast

Disadvantages:
Slower than layer 2
Often filtered by border firewalls

1. ping

ping -c 3 123.125.114.144

  

2. nmap

nmap -sn 123.125.114.144-255
nmap -iL iplist.txt -sn  # addresses from a file

  

3. Scapy

root@kali:~# scapy 
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> a=sr1(IP(dst="123.125.114.144")/ICMP(),timeout=1)
Begin emission:
....Finished to send 1 packets.
.*
Received 6 packets, got 1 answers, remaining 0 packets

  

4. fping

fping 123.125.114.144 -c 3
fping  -g 123.125.114.144/24  # subnet
fping -f iplist.txt  # addresses from a file

  

5. hping

Can send almost any TCP/IP packet
Powerful, but scans only one target at a time

hping3 123.125.114.144  --icmp -c 2

  

 

(3) Layer-4 discovery

Advantages:
Routable and the results are reliable
Unlikely to be filtered by firewalls
Can discover hosts whose ports are all filtered

Disadvantages:
Stateful-filtering firewalls may filter the scan
Full port scans are slow

 

1. Scapy

## ACK -> TCP port -> RST
>>> a=sr1(IP(dst="10.0.0.128")/TCP(dport=80,flags='A'),timeout=1)
Begin emission:
Finished to send 1 packets.
..........
Received 10 packets, got 0 answers, remaining 1 packets

## UDP -> UDP port -> ICMP  (UDP discovery is unreliable)
>>> i=IP()
>>> u=UDP()
>>> u.dport=33333
>>> r=(i/u)
>>> a=sr1(r,timeout=1,verbose=1)
Begin emission:
Finished to send 1 packets.

Received 4 packets, got 0 answers, remaining 1 packets

  

2. hping3

hping3 --udp 123.125.114.144 -c 2  # UDP
hping3 123.125.114.144 -c 2   # TCP

  

 

(4) Port scanning

1. Port scan
nmap -v 220.181.57.216
2. Live hosts in a subnet
nmap  -sP 10.0.0.1/24
3. Scan a specified port on a specified IP
nmap  220.181.57.216 -p 80
4. Stealth (SYN) port scan
nmap -sS 220.181.57.216 -p 80,443
nmap -sS 220.181.57.216 -p 1-1000 --open

# stealth port scan with hping3
hping3  220.181.57.216 --scan 80 -S
hping3  220.181.57.216 --scan 80-500 -S
hping3  220.181.57.216 --scan 80,443 -S
# stealth scan with Scapy
>>> sr1(IP(dst="10.0.0.128")/TCP(dport=23),timeout=5,verbose=1)
Begin emission:
Finished to send 1 packets.

Received 3 packets, got 0 answers, remaining 1 packets
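An added example from the defender's side (not part of the original notes) that serves the layer-3, layer-4 and port-scan sections above, and goes a little beyond them by handling several probe types at once: it parses iptables LOG lines from the kernel log and reports a source that probes many hosts (ICMP echo, SYN or ACK sweeps) or many ports on one host (SYN scan), which is what the ping, fping, nmap -sn/-sS/-sA, hping3 and Scapy commands above look like from a gateway. It assumes a LOG rule with the prefix FW-IN: on that gateway; the sample log, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_iptables_log(line):
    """Parse one iptables LOG line (kernel log format) into a dict, or None if it is not one."""
    if "SRC=" not in line or "PROTO=" not in line:
        return None
    f = dict(KV_RE.findall(line))
    f["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}  # bare flag words such as SYN
    return f

def classify_probe(f):
    """Name the discovery technique a logged packet resembles; None for replies and other traffic."""
    if f["PROTO"] == "ICMP" and f.get("TYPE") == "8":
        return "icmp-echo"                                           # ping / fping / nmap -sn / hping3 --icmp
    if f["PROTO"] == "TCP" and f["FLAGS"] in ({"SYN"}, {"ACK"}):
        return "tcp-syn" if "SYN" in f["FLAGS"] else "tcp-ack"      # nmap -sS, hping3 -S / nmap -sA
    return "udp" if f["PROTO"] == "UDP" else None                    # hping3 --udp / scapy UDP()

def detect_scans(lines, sweep_hosts=10, scan_ports=15):
    """Per source: 'sweep' = distinct hosts probed, 'portscan' = {dst: distinct ports probed on it}.
    A source is reported when either count reaches its threshold (SYN/ACK pairs are not tracked)."""
    hosts = defaultdict(set)                                  # src -> dst set
    ports = defaultdict(lambda: defaultdict(set))             # src -> dst -> dpt set
    for line in lines:
        f = parse_iptables_log(line)
        if f is None or classify_probe(f) is None:
            continue
        hosts[f["SRC"]].add(f["DST"])
        if "DPT" in f:
            ports[f["SRC"]][f["DST"]].add(f["DPT"])
    alerts = {}
    for src, dsts in hosts.items():
        scanned = {d: len(p) for d, p in ports[src].items() if len(p) >= scan_ports}
        if len(dsts) >= sweep_hosts or scanned:
            alerts[src] = {"sweep": len(dsts), "portscan": scanned}
    return alerts

# Constructed sample log (not a real capture): an ICMP sweep of 10.0.0.1-20 and a SYN scan of
# 30 ports on 10.0.0.1, both from 10.0.0.128, plus one normal client connection and its reply.
PRE = "Mar 26 16:50:01 gw kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:3a:9c:30:00:50:56:c0:00:08:08:00 "
SAMPLE_LOG = (
    [PRE + f"SRC=10.0.0.128 DST=10.0.0.{i} LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1" for i in range(1, 21)]
    + [PRE + f"SRC=10.0.0.128 DST=10.0.0.1 LEN=44 TTL=54 PROTO=TCP SPT=44012 DPT={p} WINDOW=1024 SYN URGP=0" for p in range(1, 31)]
    + [PRE + "SRC=10.0.0.50 DST=10.0.0.1 LEN=60 TTL=64 PROTO=TCP SPT=50210 DPT=443 WINDOW=64240 SYN URGP=0",
       PRE + "SRC=10.0.0.1 DST=10.0.0.50 LEN=60 TTL=64 PROTO=TCP SPT=443 DPT=50210 WINDOW=65160 ACK SYN URGP=0"]
)
```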

  

 

(5) Service scanning and service identification

 

1. nmap

root@kali:~# nmap  220.181.57.216  -p 80 -sV

2. nc

nc -nv 220.181.57.216 80

  

3. dmitry

dmitry -pb 10.0.0.128

  

4. amap

amap -B 10.0.0.128 22

  

 

(6) Operating system identification

1. nmap

root@kali:~# nmap -O 10.0.0.128

Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-26 16:50 CST
Nmap scan report for 10.0.0.128
Host is up (0.000054s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.9
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.92 seconds

  

2. xprobe2

xprobe2  10.0.0.128

  

(7) Firewall identification

1. nmap

nmap -sA   123.125.114.144 -p 22

  

(8) Load balancer identification

1. lbd

lbd www.baidu.com

  

(9) WAF identification

1. wafw00f

wafw00f http://www.microsoft.com 

  

2. nmap

nmap www.microsoft.com --script=http-waf-detect.nse

  

(10) SMB share service scan

1. nmap

nmap -v -p139,445 192.168.1.9 
nmap -v -p139,445 192.168.1.9  --script=smb-os-discovery.nse

  

(11) SMTP mail service scan

1. nmap

nmap smtp.163.com -p25 --script=smtp-open-relay.nse
nmap smtp.163.com -p465 --script=smtp-open-relay.nse
nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}

  

2. smtp-user-enum

smtp-user-enum -M VRFY -U user.txt -t smtp.163.com  # user list from a file

  

 

posted @ 2019-03-26 16:15  巽逸