
0x01. Passive Information Gathering


Passive information gathering

Based on public sources, with no direct interaction with the target system; avoid leaving traces as far as possible (no large-scale scanning, stay within the range of normal interaction).

What to collect

  • IP ranges
  • Domain names
  • Email addresses (locate the mail server; distinguish self-hosted setups from public mail systems)
  • Documents, images and data (possibly public, crawled by search engines, leaked, etc.)
  • Company address (allows physical penetration testing)
  • Company organisational structure (penetration targeted at specific departments and roles)
  • Phone/fax numbers
  • Technical architecture of the target system
  • Public business information

How the information is used

  • Describing the target
  • Discovering the asset architecture
  • Material for social engineering
  • Physical weak points

Information gathering: DNS (try the same query against several different DNS servers)

DNS: resolving domain names to IP addresses

  • Domain vs FQDN (baidu.com is a domain; www.baidu.com is an FQDN, i.e. a host record, a fully qualified domain name)
  • Record types: A (host record), CNAME (alias record), NS (name server), MX (mail exchanger), PTR (reverse lookup, IP -> domain name)
  • Recursive queries and iterative queries

DNS: nslookup

1. Auto-detects the record type and resolves step by step

nslookup www.sina.com(nslookup [-type=any] 163.com [8.8.8.8])

[email protected]:/opt/tools$ nslookup
> www.sina.com
Server:        127.0.1.1        //the DNS server currently in use
Address:    127.0.1.1#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.    //no IP address here: www.sina.com is not a host (A) record but a CNAME record
us.sina.com.cn    canonical name = wwwus.sina.com.
Name: wwwus.sina.com
Address: 66.102.251.33    //nslookup has already followed the steps below on its own and resolved the final result
> us.sina.com.cn      //CNAME
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
us.sina.com.cn    canonical name = wwwus.sina.com.
Name: wwwus.sina.com
Address: 66.102.251.33
> wwwus.sina.com      //A record (host record)
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
Name: wwwus.sina.com
Address: 66.102.251.33

2. Setting the record type manually

set type=a / ns / mx / ptr / any (or the short form set q=)

> set type=mx        //query MX records only
> sina.com
Server:        127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
sina.com    mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com    mail exchanger = 10 freemx3.sinamail.sina.com.cn.
sina.com    mail exchanger = 5 freemx1.sinamail.sina.com.cn.    //by default, the lower the number, the higher the priority

> set type=a    //query A records
> freemx1.sinamail.sina.com.cn
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
Name: freemx1.sinamail.sina.com.cn
Address: 60.28.113.250

> set type=ns    //NS (name server) records
> sina.com
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
sina.com nameserver = ns3.sina.com.
sina.com nameserver = ns4.sina.com.cn.
sina.com nameserver = ns2.sina.com.
sina.com nameserver = ns2.sina.com.cn.
sina.com nameserver = ns1.sina.com.cn.
sina.com nameserver = ns3.sina.com.cn.
sina.com nameserver = ns4.sina.com.
sina.com nameserver = ns1.sina.com.
> set type=any    //query all record types
> oppo.com
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
oppo.com
origin = ns3.dnsv5.com
mail addr = enterprise3dnsadmin.dnspod.com
serial = 1501171870
refresh = 3600
retry = 180
expire = 1209600
minimum = 180    //the SPF record below is an anti-spam measure (which hosts may send mail for the domain)
oppo.com text = "v=spf1 ip4:121.12.164.116 ip4:121.10.21.117 ip4:121.12.164.114 ip4:202.153.93.143 ip4:183.129.228.7 ip4:183.129.228.6 ip4:121.10.21.118 ip4:121.10.21.114 include:spf.dynect.net ~all"
oppo.com text = "google-site-verification=Bck8mAGGpQV1cumrBtcI-ih3_D3LVw26TFElSeeZuXE"
oppo.com mail exchanger = 10 mx01.oppo.com.
Name: oppo.com
Address: 60.12.225.132
oppo.com nameserver = ns4.dnsv5.com.
oppo.com nameserver = ns3.dnsv5.com.
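The SPF TXT record in the oppo.com answer above is worth reading properly rather than eyeballing, because it states exactly which hosts may send mail as the domain and how strictly receivers should treat everyone else. The following Python parser is an added example and not part of the original notes; the two record strings are copied from the nslookup and dig output on this page, while the function names and the check logic are mine. It evaluates only the literal ip4/ip6 mechanisms offline and reports include: domains as unresolved, since following them would require further DNS lookups.

```python
import ipaddress

# SPF qualifiers: "+" pass (the default), "-" fail, "~" softfail, "?" neutral
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Records taken from the query output shown on this page
OPPO_SPF = ("v=spf1 ip4:121.12.164.116 ip4:121.10.21.117 ip4:121.12.164.114 "
            "ip4:202.153.93.143 ip4:183.129.228.7 ip4:183.129.228.6 "
            "ip4:121.10.21.118 ip4:121.10.21.114 include:spf.dynect.net ~all")
SINA_SPF = "v=spf1 include:spf.sinamail.sina.com.cn -all"
NOT_SPF = "google-site-verification=Bck8mAGGpQV1cumrBtcI-ih3_D3LVw26TFElSeeZuXE"


def parse_spf(txt):
    """Split an SPF TXT record into mechanisms and modifiers.

    Returns None when the string is not an SPF record (no leading v=spf1).
    ip4/ip6 mechanisms are stored as (qualifier, ip_network); other
    mechanisms as (qualifier, argument); 'all' as its qualifier result.
    """
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    spf = {"ip4": [], "ip6": [], "include": [], "a": [], "mx": [],
           "ptr": [], "exists": [], "all": None, "modifiers": {}}
    for term in terms[1:]:
        # Modifiers look like name=value (redirect=, exp=); mechanisms use ':'
        if "=" in term.split(":", 1)[0]:
            key, value = term.split("=", 1)
            spf["modifiers"][key.lower()] = value
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            spf["all"] = QUALIFIERS[qual]
        elif name in ("ip4", "ip6"):
            spf[name].append((QUALIFIERS[qual], ipaddress.ip_network(arg, strict=False)))
        elif name in spf:
            spf[name].append((QUALIFIERS[qual], arg))
    return spf


def check_sender(spf, ip):
    """Offline check of a sending IP against the literal ip4/ip6 mechanisms.

    Returns (result, unresolved_includes): the qualifier of the first
    matching network, or the 'all' result when nothing matched, together
    with the include: domains that a full evaluation would still have to look up.
    """
    addr = ipaddress.ip_address(ip)
    for qual, net in spf["ip4"] + spf["ip6"]:
        if addr.version == net.version and addr in net:
            return qual, []
    return spf["all"] or "neutral", [domain for _, domain in spf["include"]]


if __name__ == "__main__":
    record = parse_spf(OPPO_SPF)
    print(len(record["ip4"]), "ip4 mechanisms, final rule:", record["all"])
    print(check_sender(record, "121.12.164.116"))   # one of the listed senders
    print(check_sender(record, "198.51.100.1"))     # not listed: softfail, pending include
    print(parse_spf(SINA_SPF)["all"])               # sina.com uses the stricter -all
```

The difference between the two domains is the point a defender cares about: oppo.com ends in ~all (softfail, receivers are asked to mark but usually still accept), whereas sina.com ends in -all (hard fail), which is what you want once every legitimate sender is listed.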

3. Specifying the resolving server

server 8.8.8.8 (different DNS servers may return different results, e.g. with GSLB / "smart DNS")

> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> www.sina.com
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn    canonical name = wwwus.sina.com.

Authoritative answers can be found from:
sina.com
    origin = ns1.sina.com.cn
    mail addr = zhihao.staff.sina.com.cn
    serial = 2005042601
    refresh = 900
    retry = 300
    expire = 604800
    minimum = 300

DNS: dig (more capable than nslookup)

dig 163.com any @8.8.8.8

[email protected]:~$ dig sina.com any @8.8.8.8

; <<>> DiG 9.10.3-P4-Ubuntu <<>> sina.com any @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63412
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sina.com.            IN    ANY

;; ANSWER SECTION:
sina.com.        214    IN    TXT    "v=spf1 include:spf.sinamail.sina.com.cn -all"
sina.com.        84745    IN    NS    ns2.sina.com.cn.
sina.com.        84745    IN    NS    ns4.sina.com.cn.
sina.com.        84745    IN    NS    ns2.sina.com.
sina.com.        84745    IN    NS    ns1.sina.com.
sina.com.        84745    IN    NS    ns1.sina.com.cn.
sina.com.        84745    IN    NS    ns4.sina.com.
sina.com.        84745    IN    NS    ns3.sina.com.cn.
sina.com.        84745    IN    NS    ns3.sina.com.
sina.com.        833    IN    A    66.102.251.33

;; Query time: 10 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 20 15:59:49 CST 2017
;; MSG SIZE  rcvd: 265

dig +noall mail.163.com any (+noall suppresses all output sections)

dig +noall +answer mail.163.com any (show only the answer section)

[email protected]:~$ dig +noall +answer mail.163.com any
mail.163.com.        590    IN    CNAME    mail163.ntes53.netease.com.

dig +noall +answer mail.163.com any | awk '{print $5}' (combined with a pipe to extract one field)

[email protected]:~$ dig +noall +answer mail.163.com any | awk '{print $5}'
mail163.ntes53.netease.com.
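The awk one-liner above works because every line in dig's answer section has the same five-field shape: name, TTL, class, type, rdata. The Python below is an added example, not part of the original notes, that parses that shape into records, reproduces the awk '{print $5}' extraction with a type filter, and sorts MX records so the highest-priority host (lowest preference value, as noted in the nslookup MX output earlier) comes first. The sample input is constructed: the A, NS, TXT and CNAME lines are copied from the dig output on this page, and the MX lines are written in dig's format from the nslookup MX values shown earlier.

```python
# Constructed sample in `dig +noall +answer` format (see lead-in for provenance)
SAMPLE = """\
sina.com.        214    IN    TXT    "v=spf1 include:spf.sinamail.sina.com.cn -all"
sina.com.        84745    IN    NS    ns2.sina.com.cn.
sina.com.        833    IN    A    66.102.251.33
sina.com.        600    IN    MX    10 freemx2.sinamail.sina.com.cn.
sina.com.        600    IN    MX    10 freemx3.sinamail.sina.com.cn.
sina.com.        600    IN    MX    5 freemx1.sinamail.sina.com.cn.
mail.163.com.        590    IN    CNAME    mail163.ntes53.netease.com.
"""


def parse_answer_section(text):
    """Parse 'name TTL class type rdata' lines into dicts.

    Lines starting with ';' (dig's comments) and blank lines are skipped.
    The split is capped at five fields, so rdata keeps everything after
    the type and a TXT string with spaces stays intact.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # whitespace runs, like awk's default FS
        if len(parts) < 5:
            continue
        name, ttl, rclass, rtype, rdata = parts
        records.append({"name": name, "ttl": int(ttl), "class": rclass,
                        "type": rtype.upper(), "rdata": rdata})
    return records


def rdata_only(records, rtype=None):
    """Equivalent of `| awk '{print $5}'`, optionally restricted to one type."""
    return [r["rdata"] for r in records if rtype is None or r["type"] == rtype]


def mx_by_preference(records):
    """Return (preference, host) pairs, lowest preference (highest priority) first."""
    mx = []
    for r in records:
        if r["type"] != "MX":
            continue
        pref, host = r["rdata"].split(None, 1)
        mx.append((int(pref), host))
    return sorted(mx)


if __name__ == "__main__":
    recs = parse_answer_section(SAMPLE)
    print(rdata_only(recs, "A"))          # ['66.102.251.33']
    print(rdata_only(recs, "CNAME"))      # ['mail163.ntes53.netease.com.']
    for pref, host in mx_by_preference(recs):
        print(pref, host)                 # 5 freemx1..., then the two 10s
```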

dig -x <IP address> (reverse lookup)

[email protected]:~$ dig +noall +answer -x 220.181.14.135
135.14.181.220.in-addr.arpa. 86366 IN    PTR    mr14135.mail.163.com.

dig +noall +answer txt chaos VERSION.BIND @ns3.dnsv4.com (queries the BIND version; with a vulnerable version one could take over the DNS server and obtain more DNS records)

[email protected]:~$ dig +noall +answer txt chaos VERSION.BIND @ns3.qq.com
VERSION.BIND.        0    CH    TXT    "Why query me?Your IP had been logged!"  //DNS servers today usually hide the real version

dig +trace sina.com (shows the resolution path, skipping the cache and starting from the root servers)

[email protected]:~$ dig +trace www163.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www163.com
;; global options: +cmd
.            202897    IN    NS    j.root-servers.net.
.            202897    IN    NS    g.root-servers.net.
.            202897    IN    NS    b.root-servers.net.
.            202897    IN    NS    f.root-servers.net.
.            202897    IN    NS    a.root-servers.net.
.            202897    IN    NS    l.root-servers.net.
.            202897    IN    NS    i.root-servers.net.
.            202897    IN    NS    h.root-servers.net.
.            202897    IN    NS    d.root-servers.net.
.            202897    IN    NS    m.root-servers.net.
.            202897    IN    NS    c.root-servers.net.
.            202897    IN    NS    e.root-servers.net.
.            202897    IN    NS    k.root-servers.net.
.            202897    IN    RRSIG    NS 8 0 518400 20170829050000 20170816040000 15768 . Dw1E3oCc0/16dZsOu77LbkBH3J225c/tU7DOrWN6RAPmNgS7uBycwjww KVvoWqUiMRBx8zfOk3RN4svR+El5Xjy5jhN5Ba2ZhuCrrHzhNlWmOL8L EKUY9TMJEkl7kiFAOO+H25bOlrcRUV4yif67MfYMl+F7sPc56O9w1/6j E57lBdwafZAZYSZ7CThFb8UDU/QgLnI6LFta8tWjmbG3zhFXZyodOrkq tktkPgNWy9Wqcv3asRc21gEr74W5ZSo5BriJrtIVFQ+rx7ewFbb97Axo 9e3bkoNyUCgZiSdt6YfVYTnPngax9JSAiKLsiBI4NOMPaZP0kWu4ypRp NZLMCg==
;; Received 525 bytes from 127.0.1.1#53(127.0.1.1) in 21 ms

com.            114894    IN    NS    e.gtld-servers.net.
com.            114894    IN    NS    g.gtld-servers.net.
com.            114894    IN    NS    f.gtld-servers.net.
com.            114894    IN    NS    a.gtld-servers.net.
com.            114894    IN    NS    m.gtld-servers.net.
com.            114894    IN    NS    c.gtld-servers.net.
com.            114894    IN    NS    h.gtld-servers.net.
com.            114894    IN    NS    k.gtld-servers.net.
com.            114894    IN    NS    l.gtld-servers.net.
com.            114894    IN    NS    i.gtld-servers.net.
com.            114894    IN    NS    b.gtld-servers.net.
com.            114894    IN    NS    j.gtld-servers.net.
com.            114894    IN    NS    d.gtld-servers.net.
com.            31125    IN    DS    30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.            31125    IN    RRSIG    DS 8 1 86400 20170901170000 20170819160000 15768 . EmAR+AZJ7iqSBsOfa8pawMWgsVe35TdvIVJh6Pg2lHlthvIhi2nxaV0n wEy7ZV7/WDMsR5ZDO9Msh7q3RTMUkqkXFrVVK301tdgq7xcDVyToIV3Y tonYkV0Ig5H1qptYHOnPyDSeeABurkmdkI6/PqgJMgFWyhBvvAB3qz0e xahU8P0VMSPCQ1bZKtpvGhKz0sUc3fRM0dZC8E2varrxSjSnEpY71EDl X7HyrlCCpyTgpa4ge6mQ2ayZrMTUmYFKt2eN7WZmVNATTAfap78QlGRx FbBOsrRmTNev2E/IMutbvPChm2K5FO1PmrrmxrdUqchh293pCswg8eKc BOsaUQ==
;; Received 1170 bytes from 192.58.128.30#53(j.root-servers.net) in 10 ms

www163.com.        10349    IN    NS    dns1.acsite.net.
www163.com.        10349    IN    NS    dns2.acsite.net.
;; Received 87 bytes from 192.33.14.30#53(b.gtld-servers.net) in 10 ms

www163.com.        10344    IN    NS    dns1.acsite.net.
www163.com.        10344    IN    NS    dns2.acsite.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 119 bytes from 198.15.68.212#53(dns2.acsite.net) in 29 ms

com.            114880    IN    NS    f.gtld-servers.net.
com.            114880    IN    NS    m.gtld-servers.net.
com.            114880    IN    NS    l.gtld-servers.net.
com.            114880    IN    NS    b.gtld-servers.net.
com.            114880    IN    NS    d.gtld-servers.net.
com.            114880    IN    NS    h.gtld-servers.net.
com.            114880    IN    NS    g.gtld-servers.net.
com.            114880    IN    NS    a.gtld-servers.net.
com.            114880    IN    NS    j.gtld-servers.net.
com.            114880    IN    NS    k.gtld-servers.net.
com.            114880    IN    NS    c.gtld-servers.net.
com.            114880    IN    NS    i.gtld-servers.net.
com.            114880    IN    NS    e.gtld-servers.net.
com.            31111    IN    DS    30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.            31111    IN    RRSIG    DS 8 1 86400 20170901170000 20170819160000 15768 . EmAR+AZJ7iqSBsOfa8pawMWgsVe35TdvIVJh6Pg2lHlthvIhi2nxaV0n wEy7ZV7/WDMsR5ZDO9Msh7q3RTMUkqkXFrVVK301tdgq7xcDVyToIV3Y tonYkV0Ig5H1qptYHOnPyDSeeABurkmdkI6/PqgJMgFWyhBvvAB3qz0e xahU8P0VMSPCQ1bZKtpvGhKz0sUc3fRM0dZC8E2varrxSjSnEpY71EDl X7HyrlCCpyTgpa4ge6mQ2ayZrMTUmYFKt2eN7WZmVNATTAfap78QlGRx FbBOsrRmTNev2E/IMutbvPChm2K5FO1PmrrmxrdUqchh293pCswg8eKc BOsaUQ==
;; BAD REFERRAL
;; Received 1170 bytes from 174.128.253.29#53(dns1.acsite.net) in 13 ms

DNS: zone transfer

dig @ns1.example.com example.com axfr

host -T -l example.com ns1.example.com (-T uses TCP, -l requests a zone transfer)
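From the defending side, the counterpart of the two commands above is making sure your own name servers only hand the zone to the secondaries they are supposed to (in BIND that is the allow-transfer option) and noticing when anyone else asks. The Python below is an added example, not part of these notes: it scans query-log lines in the style BIND writes them for AXFR/IXFR requests from addresses outside an allow-list. The log lines and the allow-list are constructed placeholders using documentation IP ranges; the regex tolerates the optional client-pointer field that newer BIND releases print after "client".

```python
import re
import ipaddress

# Constructed sample lines modelled on a BIND 9 query log; not a real capture.
SAMPLE_LOG = """\
20-Aug-2017 16:01:02.123 client 198.51.100.2#43210 (example.com): query: example.com IN AXFR +T (203.0.113.53)
20-Aug-2017 16:01:05.456 client 192.0.2.77#51000 (example.com): query: example.com IN AXFR +T (203.0.113.53)
20-Aug-2017 16:01:07.789 client 192.0.2.77#51001 (www.example.com): query: www.example.com IN A +E (203.0.113.53)
20-Aug-2017 16:02:10.001 client @0x7f2a4c0cf8f0 198.51.100.9#40001 (example.com): query: example.com IN IXFR +T (203.0.113.53)
"""

# Hypothetical allow-list: the only host permitted to pull the zone.
# Keep this in step with the zone's allow-transfer / secondaries setting.
ALLOWED_SECONDARIES = {ipaddress.ip_address("198.51.100.2")}

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<name>[^)]+)\): "
    r"query: (?P<qname>\S+) (?P<class>\S+) (?P<type>\S+)"
)


def find_transfer_attempts(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (client_ip, zone, qtype) for AXFR/IXFR queries from hosts
    outside the allow-list. Each hit is either a misconfigured secondary
    or someone trying to enumerate the zone, and deserves a look."""
    suspicious = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qtype = m.group("type").upper()
        if qtype not in ("AXFR", "IXFR"):
            continue
        client = ipaddress.ip_address(m.group("ip"))
        if client not in allowed:
            suspicious.append((str(client), m.group("qname"), qtype))
    return suspicious


if __name__ == "__main__":
    for ip, zone, qtype in find_transfer_attempts(SAMPLE_LOG):
        print(f"{qtype} for {zone} from unexpected client {ip}")
```

Because BIND answers AXFR over TCP, a transfer that succeeds for an unlisted client shows up here as well as in the transfer log; the cheap test is to run the dig axfr command above against your own servers from an address that is not a secondary and confirm the transfer is refused.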
