0x01. Passive Information Gathering

Passive information gathering

Based on public sources; no direct interaction with the target system, and avoid leaving traces as far as possible (no large-scale scanning, stay within the range of normal interaction).

What to collect

  • IP ranges
  • Domain names
  • Email addresses (locate the mail server; distinguish self-hosted from public mail systems)
  • Documents and image data (may be public, crawled by search engines, leaked, etc.)
  • Company address (enables physical penetration)
  • Company organizational structure (approach different departments and roles separately)
  • Contact phone/fax numbers
  • Target system technical architecture
  • Public business information

How the information is used

  • Describe the target
  • Discover the asset architecture
  • Input for social engineering
  • Physical entry points

Information gathering: DNS (try different DNS servers for the same query)

DNS: resolves domain names to IP addresses

  • Domain name vs FQDN (baidu.com is a domain name; www.baidu.com is an FQDN, i.e. a host record / fully qualified domain name)
  • Record types: A (host record), CNAME (alias), NS (name server), MX (mail exchanger), PTR (reverse lookup, IP -> domain name)
  • Recursive vs iterative queries

DNS: nslookup

1. Determines the record type automatically and resolves level by level

nslookup www.sina.com (general form: nslookup [-type=any] 163.com [8.8.8.8])

test@ubuntu:/opt/tools$ nslookup
> www.sina.com
Server:        127.0.1.1        //the DNS server currently in use
Address:    127.0.1.1#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.        //no IP address here, so www.sina.com is not a host record but a CNAME
us.sina.com.cn    canonical name = wwwus.sina.com.
Name:    wwwus.sina.com
Address: 66.102.251.33    //nslookup has already run the steps below automatically and resolved the final result
> us.sina.com.cn      //CNAME
Server:        127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
us.sina.com.cn    canonical name = wwwus.sina.com.
Name:    wwwus.sina.com
Address: 66.102.251.33
> wwwus.sina.com      //A record (host record)
Server:        127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
Name:    wwwus.sina.com
Address: 66.102.251.33
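
The session above shows nslookup chasing www.sina.com -> us.sina.com.cn -> wwwus.sina.com before it reaches an address. The following Python is an added example, not code from the original post: it models that chase over a constructed record table (the three sina.com names from the output plus invented failure cases under .example) and reports what a resolver has to handle when the chain is broken. The table, the function name resolve_a and the MAX_CHAIN cap are assumptions of this example; a real resolver fetches each record over the network.

```python
"""Follow a CNAME chain to its A record, as nslookup does automatically.

Added example, not code from the original post. The record table is
constructed to mirror the www.sina.com chain shown above plus invented
failure cases (a CNAME loop, a dangling alias, a name with no A record);
a real resolver obtains these records over the network, not from a dict.
"""
from typing import Dict, List, Tuple

# Constructed record table: owner name -> list of (type, rdata).
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "www.sina.com": [("CNAME", "us.sina.com.cn")],
    "us.sina.com.cn": [("CNAME", "wwwus.sina.com")],
    "wwwus.sina.com": [("A", "66.102.251.33")],
    "loop1.example": [("CNAME", "loop2.example")],       # constructed loop
    "loop2.example": [("CNAME", "loop1.example")],
    "dangling.example": [("CNAME", "missing.example")],  # target does not exist
    "txtonly.example": [("TXT", '"v=spf1 -all"')],       # exists, but no A record
}

MAX_CHAIN = 8  # cap the chase so a loop or absurdly long chain cannot run forever


def resolve_a(name: str, zone: Dict[str, List[Tuple[str, str]]] = ZONE,
              max_chain: int = MAX_CHAIN) -> Tuple[str, List[str], List[str]]:
    """Return (status, chain, addresses).

    status is one of:
      ok        - chain ends at one or more A records
      nodata    - final name exists but has neither A nor CNAME
      nxdomain  - a name in the chain does not exist (dangling CNAME)
      loop      - a CNAME points back to a name already visited
      toolong   - more than max_chain aliases
    chain lists every owner name visited, in order; these are the names
    nslookup prints on its "canonical name = ..." lines.
    """
    chain = [name]
    current = name
    for _ in range(max_chain):
        records = zone.get(current)
        if records is None:
            return "nxdomain", chain, []
        addrs = [rdata for rtype, rdata in records if rtype == "A"]
        if addrs:
            return "ok", chain, addrs
        cnames = [rdata for rtype, rdata in records if rtype == "CNAME"]
        if not cnames:
            return "nodata", chain, []
        target = cnames[0]  # a name may carry only one CNAME
        if target in chain:
            return "loop", chain + [target], []
        chain.append(target)
        current = target
    return "toolong", chain, []


if __name__ == "__main__":
    for n in ("www.sina.com", "loop1.example", "dangling.example", "txtonly.example"):
        print(n, "->", resolve_a(n))
```

The chain returned for www.sina.com is exactly the sequence of names nslookup displayed; the other statuses are the cases where nslookup prints no Address line, and distinguishing them (NXDOMAIN vs NODATA vs a loop) is what tells you whether the alias is misconfigured or merely has no IPv4 address.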

2. Setting the record type manually

set type=a / ns / mx / ptr / any (or the short form set q=)

> set type=mx        //query MX records only
> sina.com
Server:        127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
sina.com    mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com    mail exchanger = 10 freemx3.sinamail.sina.com.cn.
sina.com    mail exchanger = 5 freemx1.sinamail.sina.com.cn.    //by default, the lower the value, the higher the priority

> set type=a    //query A records
> freemx1.sinamail.sina.com.cn
Server:        127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
Name:    freemx1.sinamail.sina.com.cn
Address: 60.28.113.250

> set type=ns    //NS (name server) records
> sina.com
Server:        127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
sina.com    nameserver = ns3.sina.com.
sina.com    nameserver = ns4.sina.com.cn.
sina.com    nameserver = ns2.sina.com.
sina.com    nameserver = ns2.sina.com.cn.
sina.com    nameserver = ns1.sina.com.cn.
sina.com    nameserver = ns3.sina.com.cn.
sina.com    nameserver = ns4.sina.com.
sina.com    nameserver = ns1.sina.com.
> set type=any    //query all record types
> oppo.com
Server:        127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
oppo.com
    origin = ns3.dnsv5.com
    mail addr = enterprise3dnsadmin.dnspod.com
    serial = 1501171870
    refresh = 3600
    retry = 180
    expire = 1209600
    minimum = 180    //the SPF record below is for anti-spam (which hosts may send mail for the domain)
oppo.com    text = "v=spf1 ip4:121.12.164.116 ip4:121.10.21.117 ip4:121.12.164.114 ip4:202.153.93.143 ip4:183.129.228.7 ip4:183.129.228.6 ip4:121.10.21.118 ip4:121.10.21.114 include:spf.dynect.net  ~all"
oppo.com    text = "google-site-verification=Bck8mAGGpQV1cumrBtcI-ih3_D3LVw26TFElSeeZuXE"
oppo.com    mail exchanger = 10 mx01.oppo.com.
Name:    oppo.com
Address: 60.12.225.132
oppo.com    nameserver = ns4.dnsv5.com.
oppo.com    nameserver = ns3.dnsv5.com.
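
The oppo.com TXT record above is an SPF policy: a list of mechanisms with qualifiers (+ pass, - fail, ~ softfail, ? neutral) that receiving mail servers evaluate against the connecting IP. The Python below is an added example, not code from the original post: it parses such a record and checks a sender address against the ip4/ip6 literals. RECORD_OPPO is the record printed above and RECORD_SINA is the sina.com record shown later in the dig output; the sender addresses and the function names parse_spf and check_sender are constructed for this example. include:, a: and mx: terms require further DNS lookups, so this offline version lists them as unresolved instead of expanding them.

```python
"""Parse an SPF TXT record and check a sender IP against its ip4/ip6 terms.

Added example, not from the original post. RECORD_OPPO is the oppo.com SPF
record printed by nslookup above; RECORD_SINA is the one in the dig output
further down. The sender addresses are constructed. include:, a: and mx:
terms need further DNS lookups, so this offline version reports them as
unresolved instead of expanding them.
"""
import ipaddress
from typing import List, Tuple

RECORD_OPPO = ("v=spf1 ip4:121.12.164.116 ip4:121.10.21.117 ip4:121.12.164.114 "
               "ip4:202.153.93.143 ip4:183.129.228.7 ip4:183.129.228.6 "
               "ip4:121.10.21.118 ip4:121.10.21.114 include:spf.dynect.net  ~all")
RECORD_SINA = "v=spf1 include:spf.sinamail.sina.com.cn -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt: str) -> List[Tuple[str, str, str]]:
    """Split a record into (qualifier, mechanism, argument) triples."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifiers (redirect=, exp=) are not mechanisms
            continue
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_sender(txt: str, sender_ip: str) -> Tuple[str, str, List[str]]:
    """Return (result, matched_term, unresolved_terms).

    result is the qualifier name of the first ip4/ip6 term covering the
    sender, or of the final 'all' term. If unresolved_terms is non-empty the
    'all' result is only provisional: an include/a/mx term evaluated over DNS
    might still match first.
    """
    ip = ipaddress.ip_address(sender_ip)
    unresolved: List[str] = []
    for qualifier, mech, arg in parse_spf(txt):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address means /32 or /128
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier], f"{mech}:{arg}", unresolved
        elif mech == "all":
            return QUALIFIERS[qualifier], f"{qualifier}all", unresolved
        else:
            unresolved.append(f"{mech}:{arg}" if arg else mech)
    return "neutral", "", unresolved  # record without an 'all' term


if __name__ == "__main__":
    print(check_sender(RECORD_OPPO, "121.12.164.116"))
    print(check_sender(RECORD_OPPO, "192.0.2.1"))
    print(check_sender(RECORD_SINA, "192.0.2.1"))
```

Note the difference in the two records' final term: oppo.com ends with ~all (softfail, unlisted senders are merely marked suspicious), while sina.com ends with -all (hard fail). From the defending side, the ip4 literals also show exactly which addresses a domain has published as legitimate mail sources, so a sender that is not in that set and not covered by the include should not be trusted.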

3. Specifying the resolving server

server 8.8.8.8 (different DNS servers may return different results, because of smart DNS: answers that depend on where the query comes from)

> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> www.sina.com
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn    canonical name = wwwus.sina.com.

Authoritative answers can be found from:
sina.com
    origin = ns1.sina.com.cn
    mail addr = zhihao.staff.sina.com.cn
    serial = 2005042601
    refresh = 900
    retry = 300
    expire = 604800
    minimum = 300

DNS: dig (more capable than nslookup)

dig 163.com any @8.8.8.8

test@ubuntu:~$ dig sina.com any @8.8.8.8

; <<>> DiG 9.10.3-P4-Ubuntu <<>> sina.com any @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63412
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sina.com.            IN    ANY

;; ANSWER SECTION:
sina.com.        214    IN    TXT    "v=spf1 include:spf.sinamail.sina.com.cn -all"
sina.com.        84745    IN    NS    ns2.sina.com.cn.
sina.com.        84745    IN    NS    ns4.sina.com.cn.
sina.com.        84745    IN    NS    ns2.sina.com.
sina.com.        84745    IN    NS    ns1.sina.com.
sina.com.        84745    IN    NS    ns1.sina.com.cn.
sina.com.        84745    IN    NS    ns4.sina.com.
sina.com.        84745    IN    NS    ns3.sina.com.cn.
sina.com.        84745    IN    NS    ns3.sina.com.
sina.com.        833    IN    A    66.102.251.33

;; Query time: 10 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 20 15:59:49 CST 2017
;; MSG SIZE  rcvd: 265

dig +noall mail.163.com any (+noall suppresses every output section)

dig +noall +answer mail.163.com any (show only the answer section)

test@ubuntu:~$ dig +noall +answer mail.163.com any
mail.163.com.        590    IN    CNAME    mail163.ntes53.netease.com.

dig +noall +answer mail.163.com any | awk '{print $5}' (combined with a pipe to extract the rdata field)

test@ubuntu:~$ dig +noall +answer mail.163.com any | awk '{print $5}'
mail163.ntes53.netease.com.

dig -x <IP address> (reverse lookup)

test@ubuntu:~$ dig +noall +answer -x 220.181.14.135
135.14.181.220.in-addr.arpa. 86366 IN    PTR    mr14135.mail.163.com.

dig +noall +answer txt chaos VERSION.BIND @ns3.dnsv4.com (query the BIND version; version-specific vulnerabilities could give control of the DNS server and access to more DNS records)

test@ubuntu:~$ dig +noall +answer txt chaos VERSION.BIND @ns3.qq.com
VERSION.BIND.        0    CH    TXT    "Why query me?Your IP had been logged!"  //DNS servers nowadays generally hide the version

dig +trace sina.com (show the resolution path, skipping the cache and starting from the root servers)

test@ubuntu:~$ dig +trace www163.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www163.com
;; global options: +cmd
.            202897    IN    NS    j.root-servers.net.
.            202897    IN    NS    g.root-servers.net.
.            202897    IN    NS    b.root-servers.net.
.            202897    IN    NS    f.root-servers.net.
.            202897    IN    NS    a.root-servers.net.
.            202897    IN    NS    l.root-servers.net.
.            202897    IN    NS    i.root-servers.net.
.            202897    IN    NS    h.root-servers.net.
.            202897    IN    NS    d.root-servers.net.
.            202897    IN    NS    m.root-servers.net.
.            202897    IN    NS    c.root-servers.net.
.            202897    IN    NS    e.root-servers.net.
.            202897    IN    NS    k.root-servers.net.
.            202897    IN    RRSIG    NS 8 0 518400 20170829050000 20170816040000 15768 . Dw1E3oCc0/16dZsOu77LbkBH3J225c/tU7DOrWN6RAPmNgS7uBycwjww KVvoWqUiMRBx8zfOk3RN4svR+El5Xjy5jhN5Ba2ZhuCrrHzhNlWmOL8L EKUY9TMJEkl7kiFAOO+H25bOlrcRUV4yif67MfYMl+F7sPc56O9w1/6j E57lBdwafZAZYSZ7CThFb8UDU/QgLnI6LFta8tWjmbG3zhFXZyodOrkq tktkPgNWy9Wqcv3asRc21gEr74W5ZSo5BriJrtIVFQ+rx7ewFbb97Axo 9e3bkoNyUCgZiSdt6YfVYTnPngax9JSAiKLsiBI4NOMPaZP0kWu4ypRp NZLMCg==
;; Received 525 bytes from 127.0.1.1#53(127.0.1.1) in 21 ms

com.            114894    IN    NS    e.gtld-servers.net.
com.            114894    IN    NS    g.gtld-servers.net.
com.            114894    IN    NS    f.gtld-servers.net.
com.            114894    IN    NS    a.gtld-servers.net.
com.            114894    IN    NS    m.gtld-servers.net.
com.            114894    IN    NS    c.gtld-servers.net.
com.            114894    IN    NS    h.gtld-servers.net.
com.            114894    IN    NS    k.gtld-servers.net.
com.            114894    IN    NS    l.gtld-servers.net.
com.            114894    IN    NS    i.gtld-servers.net.
com.            114894    IN    NS    b.gtld-servers.net.
com.            114894    IN    NS    j.gtld-servers.net.
com.            114894    IN    NS    d.gtld-servers.net.
com.            31125    IN    DS    30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.            31125    IN    RRSIG    DS 8 1 86400 20170901170000 20170819160000 15768 . EmAR+AZJ7iqSBsOfa8pawMWgsVe35TdvIVJh6Pg2lHlthvIhi2nxaV0n wEy7ZV7/WDMsR5ZDO9Msh7q3RTMUkqkXFrVVK301tdgq7xcDVyToIV3Y tonYkV0Ig5H1qptYHOnPyDSeeABurkmdkI6/PqgJMgFWyhBvvAB3qz0e xahU8P0VMSPCQ1bZKtpvGhKz0sUc3fRM0dZC8E2varrxSjSnEpY71EDl X7HyrlCCpyTgpa4ge6mQ2ayZrMTUmYFKt2eN7WZmVNATTAfap78QlGRx FbBOsrRmTNev2E/IMutbvPChm2K5FO1PmrrmxrdUqchh293pCswg8eKc BOsaUQ==
;; Received 1170 bytes from 192.58.128.30#53(j.root-servers.net) in 10 ms

www163.com.        10349    IN    NS    dns1.acsite.net.
www163.com.        10349    IN    NS    dns2.acsite.net.
;; Received 87 bytes from 192.33.14.30#53(b.gtld-servers.net) in 10 ms

www163.com.        10344    IN    NS    dns1.acsite.net.
www163.com.        10344    IN    NS    dns2.acsite.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 119 bytes from 198.15.68.212#53(dns2.acsite.net) in 29 ms

com.            114880    IN    NS    f.gtld-servers.net.
com.            114880    IN    NS    m.gtld-servers.net.
com.            114880    IN    NS    l.gtld-servers.net.
com.            114880    IN    NS    b.gtld-servers.net.
com.            114880    IN    NS    d.gtld-servers.net.
com.            114880    IN    NS    h.gtld-servers.net.
com.            114880    IN    NS    g.gtld-servers.net.
com.            114880    IN    NS    a.gtld-servers.net.
com.            114880    IN    NS    j.gtld-servers.net.
com.            114880    IN    NS    k.gtld-servers.net.
com.            114880    IN    NS    c.gtld-servers.net.
com.            114880    IN    NS    i.gtld-servers.net.
com.            114880    IN    NS    e.gtld-servers.net.
com.            31111    IN    DS    30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.            31111    IN    RRSIG    DS 8 1 86400 20170901170000 20170819160000 15768 . EmAR+AZJ7iqSBsOfa8pawMWgsVe35TdvIVJh6Pg2lHlthvIhi2nxaV0n wEy7ZV7/WDMsR5ZDO9Msh7q3RTMUkqkXFrVVK301tdgq7xcDVyToIV3Y tonYkV0Ig5H1qptYHOnPyDSeeABurkmdkI6/PqgJMgFWyhBvvAB3qz0e xahU8P0VMSPCQ1bZKtpvGhKz0sUc3fRM0dZC8E2varrxSjSnEpY71EDl X7HyrlCCpyTgpa4ge6mQ2ayZrMTUmYFKt2eN7WZmVNATTAfap78QlGRx FbBOsrRmTNev2E/IMutbvPChm2K5FO1PmrrmxrdUqchh293pCswg8eKc BOsaUQ==
;; BAD REFERRAL
;; Received 1170 bytes from 174.128.253.29#53(dns1.acsite.net) in 13 ms

DNS: zone transfer

dig @ns1.example.com example.com axfr

host -T -l example.com ns1.example.com (-T uses TCP, -l performs a zone transfer)
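
Two things on this page are easy to get wrong when scripted: the awk '{print $5}' pipe from the dig section breaks on TXT and SOA records whose rdata contains spaces, and the outcome of an AXFR request has to be read from dig's text output. The Python below is an added example, not code from the original post, serving both the "dig +noall +answer" / "dig -x" section and this zone-transfer section. SAMPLE_ANSWER reuses record lines printed on this page; the two AXFR transcripts are constructed (example.com and 192.0.2.0/24 are documentation ranges) and stand in for what dig prints when a transfer is refused or allowed; the function names parse_dig_answer, reverse_name and classify_axfr are this example's own.

```python
"""Parse dig's text output, build reverse-lookup names, classify an AXFR attempt.

Added example, not code from the original post. SAMPLE_ANSWER reuses lines
printed on this page (mail.163.com, sina.com, the 220.181.14.135 PTR); the
AXFR transcripts are constructed to show a refused and an open zone, which is
the check an administrator runs against their own name servers.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

SAMPLE_ANSWER = """\
mail.163.com.        590    IN    CNAME    mail163.ntes53.netease.com.
sina.com.        214    IN    TXT    "v=spf1 include:spf.sinamail.sina.com.cn -all"
135.14.181.220.in-addr.arpa. 86366 IN    PTR    mr14135.mail.163.com.
"""

# Constructed: what a refused transfer looks like from dig.
AXFR_REFUSED = """\
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""

# Constructed: an open zone. A complete AXFR starts and ends with the SOA record.
AXFR_OPEN = """\
example.com.          3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2017082001 3600 900 604800 300
example.com.          3600  IN  NS   ns1.example.com.
www.example.com.      3600  IN  A    192.0.2.10
intranet.example.com. 3600  IN  A    192.0.2.20
example.com.          3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2017082001 3600 900 604800 300
;; Query time: 12 msec
"""


class RR(NamedTuple):
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str  # everything after the type, so multi-token TXT/SOA values stay whole


def parse_dig_answer(text: str) -> List[RR]:
    """Parse resource-record lines as printed by dig +noall +answer.

    awk '{print $5}' works only for single-token rdata; splitting into at most
    five fields keeps the rdata's spaces. Comment lines (";") are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[1].isdigit():
            continue  # not an RR line (e.g. stray text from a failed query)
        name, ttl, rclass, rtype, rdata = parts
        records.append(RR(name, int(ttl), rclass, rtype, rdata))
    return records


def reverse_name(ip: str) -> str:
    """The owner name dig -x queries: octets reversed under in-addr.arpa
    (nibbles under ip6.arpa for IPv6), with the trailing dot dig prints."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def classify_axfr(text: str) -> Tuple[str, int]:
    """Return (verdict, record_count) for the output of 'dig @ns zone axfr'.

    refused    - server declined ("Transfer failed."), the expected result for
                 a name server that restricts transfers to its secondaries
    open       - a full zone came back (SOA first and last); the count
                 excludes the closing SOA
    incomplete - records without the SOA bracket, e.g. a truncated transfer
    """
    if "Transfer failed." in text:
        return "refused", 0
    records = parse_dig_answer(text)
    if len(records) >= 2 and records[0].rtype == "SOA" and records[-1].rtype == "SOA":
        return "open", len(records) - 1
    return "incomplete", len(records)


if __name__ == "__main__":
    for rr in parse_dig_answer(SAMPLE_ANSWER):
        print(rr.rtype, rr.name, "->", rr.rdata)
    print(reverse_name("220.181.14.135"))
    print(classify_axfr(AXFR_REFUSED), classify_axfr(AXFR_OPEN))
```

Run against real output, an "open" verdict on a public name server is a finding for the zone's owner: every internal host name in the zone (the intranet record in the constructed sample) becomes public, so transfers should be limited to the secondary servers' addresses.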

Original article: https://www.cnblogs.com/captainRoB/p/7400551.html