被动信息收集-dns

信息收集是渗透前期最为重要的一步,其中被动信息收集相对主动信息收集(访问)更具有隐蔽和无害性。便于进行社工攻击。

被动信息收集主要特点

公开渠道可获得的信息

与目标系统不产生直接交互

尽量避免留下一切痕迹

主要归纳应用收集信息

信息收集的内容有很多,简略其下:

  • IP地址段
  • 域名信息
  • 邮件地址
  • ⽂档图⽚数据
  • 公司地址
  • 公司组织架构
  • 联系电话 / 传真号码
  • ⼈员姓名 / 职务
  • 目标系统使⽤的技术架构
  • 公开的商业信息

1.信息收集-DNS

 

 

域名记录:

  • A: 主机记录,他会把一个域名解析到ip地址上
  • Cname : 别名记录,他会把一个域名解析到另外一个域名上
  • NS :这个域的域名服务器的地址记录
  • MX: 邮件交换记录,它会指向这个域的SMTP交换记录
  • ptr :反向解析,把ip 解析成域名的

 

完整的: www.baidu.com. 

首次解析查询会进行迭代查询,先查(全球13台)根域服务器.-->com服务器 baidu.com. -->baidu.com的域名服务器找到:www.baidu.com.

 我们运营商的DNS服务器是缓存服务器。这样把上面首次的ip与域名的对应记录本地DNS服务器会保存一份,后续就直接拿来直接用,即递归查询。

1.1 DNS信息收集-NSLOOKUP的使用

• nslookup www.sina.com
• server      //指定dns服务器查询
• type=a、mx、ns、any       //指定查询类型;any是全部
• nslookup -type=ns example.com 156.154.70.22     //一句命令行查询
root@kali:~# nslookup 
> www.baidu.com
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
www.baidu.com    canonical name = www.a.shifen.com.
Name:    www.a.shifen.com
Address: 61.135.169.121
Name:    www.a.shifen.com
Address: 61.135.169.125
> www.a.shifen.com.
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
Name:    www.a.shifen.com
Address: 61.135.169.125
Name:    www.a.shifen.com
Address: 61.135.169.121
> www.sina.com
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn    canonical name = spool.grid.sinaedge.com.
Name:    spool.grid.sinaedge.com
Address: 121.22.4.29
> us.sina.com.cn
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
us.sina.com.cn    canonical name = spool.grid.sinaedge.com.
Name:    spool.grid.sinaedge.com
Address: 121.22.4.29
> spool.grid.sinaedge.com
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
Name:    spool.grid.sinaedge.com
Address: 121.22.4.29
> set type=a
> www.sina.com
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn    canonical name = spool.grid.sinaedge.com.
Name:    spool.grid.sinaedge.com
Address: 121.22.4.29
> set type=mx
> sina.com
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
sina.com    mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com    mail exchanger = 10 freemx1.sinamail.sina.com.cn.
sina.com    mail exchanger = 10 freemx3.sinamail.sina.com.cn.

Authoritative answers can be found from:
> set type=a
> freemx1.sinamail.sina.com.cn
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
Name:    freemx1.sinamail.sina.com.cn
Address: 39.156.6.104
> set type=ns
> sina.com
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
sina.com    nameserver = ns3.sina.com.
sina.com    nameserver = ns2.sina.com.
sina.com    nameserver = ns1.sina.com.cn.
sina.com    nameserver = ns4.sina.com.
sina.com    nameserver = ns2.sina.com.cn.
sina.com    nameserver = ns3.sina.com.cn.
sina.com    nameserver = ns4.sina.com.cn.
sina.com    nameserver = ns1.sina.com.

Authoritative answers can be found from:
> set type=ptr
> 39.156.6.104
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
*** Can't find 104.6.156.39.in-addr.arpa.: No answer
// type可以简写为q
// 这个可能是dns配置问题未成功反向查询
Authoritative answers can be found from:
> set q=ptr 
> 39.156.6.104
Server:        192.168.56.2
Address:    192.168.56.2#53

** server can't find 104.6.156.39.in-addr.arpa: NXDOMAIN
> server 114.114.114.114
Default server: 114.114.114.114
Address: 114.114.114.114#53
> www.sina.com
Server:        114.114.114.114
Address:    114.114.114.114#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn    canonical name = spool.grid.sinaedge.com.

Authoritative answers can be found from:
sinaedge.com
    origin = ns1.sinaedge.com
    mail addr = null.sinaedge.com
    serial = 20100707
    refresh = 10800
    retry = 60
    expire = 604800
    minimum = 60
> 
实例nslookup

1.2 DNS信息收集-DIG的使用

• dig @8.8.8.8 www.sina.com mx
• dig www.sina.com any
• 反向查询:dig +noall +answer -x 8.8.8.8   //+noall +answer是只显示有用信息
• bind版本信息: dig +noall +answer txt chaos VERSION.BIND @ns3.dnsv4.com   //查询DNS的版本以查询是否存在漏洞
• DNS追踪: dig +trace example.com     //查询是否被DNS劫持,舍弃递归查询,像首次一样迭代查询
root@kali:~# nslookup sina.com -type=any
Server:        192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
Name:    sina.com
Address: 66.102.251.24

root@kali:~# dig sina.com any

; <<>> DiG 9.10.6-Debian <<>> sina.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49538
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 11 extra bytes at end

;; QUESTION SECTION:
;sina.com.            IN    ANY

;; Query time: 597 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: Fri Jan 31 04:37:14 EST 2020
;; MSG SIZE  rcvd: 37

root@kali:~# dig sina.com any @8.8.8.8

; <<>> DiG 9.10.6-Debian <<>> sina.com any @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5774
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sina.com.            IN    ANY

;; ANSWER SECTION:
sina.com.        59    IN    A    66.102.251.24
sina.com.        59    IN    TXT    "v=spf1 include:spf.sinamail.sina.com.cn -all"
sina.com.        299    IN    SOA    ns1.sina.com.cn. zhihao.staff.sina.com.cn. 2005042601 900 300 604800 300
sina.com.        21599    IN    NS    ns1.sina.com.cn.
sina.com.        21599    IN    NS    ns4.sina.com.
sina.com.        21599    IN    NS    ns3.sina.com.cn.
sina.com.        21599    IN    NS    ns4.sina.com.cn.
sina.com.        21599    IN    NS    ns1.sina.com.
sina.com.        21599    IN    NS    ns3.sina.com.
sina.com.        21599    IN    NS    ns2.sina.com.
sina.com.        21599    IN    NS    ns2.sina.com.cn.
sina.com.        59    IN    MX    10 freemx1.sinamail.sina.com.cn.
sina.com.        59    IN    MX    10 freemx2.sinamail.sina.com.cn.
sina.com.        59    IN    MX    10 freemx3.sinamail.sina.com.cn.

;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 31 04:38:34 EST 2020
;; MSG SIZE  rcvd: 395

root@kali:~# dig sina.com any @114.114.114.114

; <<>> DiG 9.10.6-Debian <<>> sina.com any @114.114.114.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32858
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sina.com.            IN    ANY

;; ANSWER SECTION:
sina.com.        3    IN    A    66.102.251.24
sina.com.        1706    IN    NS    ns1.sina.com.cn.
sina.com.        1706    IN    NS    ns2.sina.com.
sina.com.        1706    IN    NS    ns3.sina.com.
sina.com.        1706    IN    NS    ns4.sina.com.
sina.com.        1706    IN    NS    ns4.sina.com.cn.
sina.com.        1706    IN    NS    ns3.sina.com.cn.
sina.com.        1706    IN    NS    ns2.sina.com.cn.
sina.com.        1706    IN    NS    ns1.sina.com.

;; Query time: 26 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Fri Jan 31 04:38:55 EST 2020
;; MSG SIZE  rcvd: 197

root@kali:~# dig mail.163.com any

; <<>> DiG 9.10.6-Debian <<>> mail.163.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65096
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.163.com.            IN    ANY

;; ANSWER SECTION:
mail.163.com.        5    IN    CNAME    ntes53.mail.163.com.

;; Query time: 1176 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: Fri Jan 31 04:39:33 EST 2020
;; MSG SIZE  rcvd: 51

root@kali:~# dig +noall +answer mail.163.com any
mail.163.com.        5    IN    CNAME    ntes53.mail.163.com.
root@kali:~# dig +noall +answer mail.163.com any |awk '{print $5}'
ntes53.mail.163.com.
root@kali:~# dig +noall +answer ntes53.mail.163.com any |awk '{print $5}'
123.126.97.202

root@kali:~# dig -x 123.126.97.202

; <<>> DiG 9.10.6-Debian <<>> -x 123.126.97.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;202.97.126.123.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
202.97.126.123.in-addr.arpa. 5    IN    PTR    mail-m97202.mail.163.com.

;; Query time: 19 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: Fri Jan 31 04:43:44 EST 2020
;; MSG SIZE  rcvd: 83

root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns3.dnsv4.com mail.163.com any
;; Warning, extra type option
;; Warning: query response not set
;; Warning: Message parser reports malformed message packet.
VERSION.BIND.        0    CH    TXT    "6.0.1911.00"
root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ntes53.mail.163.com
;; connection timed out; no servers could be reached
root@kali:~# dig +trace baidu.com

; <<>> DiG 9.10.6-Debian <<>> +trace baidu.com
;; global options: +cmd
.            5    IN    NS    l.root-servers.net.
.            5    IN    NS    d.root-servers.net.
.            5    IN    NS    e.root-servers.net.
.            5    IN    NS    b.root-servers.net.
.            5    IN    NS    m.root-servers.net.
.            5    IN    NS    c.root-servers.net.
.            5    IN    NS    j.root-servers.net.
.            5    IN    NS    i.root-servers.net.
.            5    IN    NS    k.root-servers.net.
.            5    IN    NS    f.root-servers.net.
.            5    IN    NS    g.root-servers.net.
.            5    IN    NS    a.root-servers.net.
.            5    IN    NS    h.root-servers.net.
;; Received 228 bytes from 192.168.56.2#53(192.168.56.2) in 7 ms

com.            172800    IN    NS    d.gtld-servers.net.
com.            172800    IN    NS    a.gtld-servers.net.
com.            172800    IN    NS    c.gtld-servers.net.
com.            172800    IN    NS    j.gtld-servers.net.
com.            172800    IN    NS    k.gtld-servers.net.
com.            172800    IN    NS    e.gtld-servers.net.
com.            172800    IN    NS    l.gtld-servers.net.
com.            172800    IN    NS    m.gtld-servers.net.
com.            172800    IN    NS    f.gtld-servers.net.
com.            172800    IN    NS    b.gtld-servers.net.
com.            172800    IN    NS    i.gtld-servers.net.
com.            172800    IN    NS    h.gtld-servers.net.
com.            172800    IN    NS    g.gtld-servers.net.
com.            86400    IN    DS    30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.            86400    IN    RRSIG    DS 8 1 86400 20200213050000 20200131040000 33853 . zMeZpKg/LGzpVjlBUJRfkmk8tSvZW+L0UFHnzSn8agztJ8sMGU+knBLW 5LLoPoh6iG7exLV5wVIJZVh+0ISk3AG85VJXZ3HSTWcHZfjMOYI7JXpe pv/5JqT9Eai0ScEJAowDa1qctGOE/LHdNwr30VF8U0LoZL0iXVN3KQ4k iKnl0S0hB41KH+BHFcNpWqxKHRK2piMZRNe8+8Nu9I4GilfW/D90e69p SgG7puU3J3srarhccj0OS5WcLi6nsMf/2k0C6rQMe+WD7aOVZXoLts93 /thoNSWIprseKrYze2STnuG+T/VxzZRJ3fjoZARGHtDf3gTibHC2syXL xaXz5w==
;; Received 1169 bytes from 192.33.4.12#53(c.root-servers.net) in 217 ms

baidu.com.        172800    IN    NS    ns2.baidu.com.
baidu.com.        172800    IN    NS    ns3.baidu.com.
baidu.com.        172800    IN    NS    ns4.baidu.com.
baidu.com.        172800    IN    NS    ns1.baidu.com.
baidu.com.        172800    IN    NS    ns7.baidu.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A  NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200207054811 20200131043811 56311 com. N15f7ia8A0pd2A5iWM/8t+T6gs8mQJaOWe/aj3bs4cWxpG7WmCaquZp7 6gfbfotFmss+DuBm9MAd6bwe2fm9m60FQgROWGOZwGRrvZqawy/5eDeV sLIJqhnwM0lT1PuDgNe2SFYsV506melwC4cEtR8M6gkX3nwYMCf6Frus anO+4Lufi229N5Y00N4x9vrlO3zsGBR1yg2xBki9Ni379A==
HPVUNU64MJQUM37BM3VJ6O2UBJCHOS00.com. 86400 IN NSEC3 1 1 0 - HPVVN3Q5E5GOQP2QFE2LEM4SVB9C0SJ6  NS DS RRSIG
HPVUNU64MJQUM37BM3VJ6O2UBJCHOS00.com. 86400 IN RRSIG NSEC3 8 2 86400 20200206052237 20200130041237 56311 com. VDvkqJG0Q4KBg3ZDzgW3cIJIUHD0iQ/M7A5ZLgEdk1cz8ni7AeHTd4t7 s/lHxY9wYJ1O41J4P3ldPSrvln2Ye6Qb0jt0lt5NqiY9AXHISyEDQ6BJ YoQtLR2lnuaQrJrdLggxxRRSHB0ZfHnEnp8YyNpwwxKdZOpodDmJHlra jFYnRZjtyaQc8MP4kaDMR5wEXkuuaXA+Jnjq56sMa0Onbg==
;; Received 757 bytes from 192.26.92.30#53(c.gtld-servers.net) in 129 ms

baidu.com.        600    IN    A    39.156.69.79
baidu.com.        600    IN    A    220.181.38.148
baidu.com.        86400    IN    NS    ns2.baidu.com.
baidu.com.        86400    IN    NS    ns7.baidu.com.
baidu.com.        86400    IN    NS    dns.baidu.com.
baidu.com.        86400    IN    NS    ns4.baidu.com.
baidu.com.        86400    IN    NS    ns3.baidu.com.
;; Received 240 bytes from 14.215.178.80#53(ns4.baidu.com) in 714 ms

root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com
dig: couldn't get address for 'ns2.baidu.com': failure
root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com.
dig: couldn't get address for 'ns2.baidu.com.': failure
root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com. any
;; Warning, extra type option
VERSION.BIND.        0    CH    TXT    "baidu dns"
VERSION.BIND.        86400    CH    SOA    VERSION.BIND. hostmaster.VERSION.BIND. 0 28800 7200 604800 86400
VERSION.BIND.        0    CH    NS    VERSION.BIND.
root@kali:~# 
示例dig

 dns区域传输:一台dn做了修改有同步机制,同步机制就是使用的是区域传输的方法

• dig @ns1.example.com example.com axfr   //传输方法是axfr
• host -T -l sina.com 8.8.8.8

1.3 DNS字典爆破

fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt
dnsdict6 -d4 -t 16 -x sina.com    //-t 线程数 
dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
dnsmap sina.com -w dns.txt
dnsrecon -d sina.com --lifetime 10 -t brt -D dnsbig.txt
dnsrecon -t std -d sina.com
root@kali:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt
DNS Servers for sina.com.cn:
    ns3.sina.com.cn
    ns2.sina.com.cn
    ns4.sina.com.cn
    ns1.sina.com.cn

Trying zone transfer first...

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Can't open a.txt or the default wordlist
Exiting...
root@kali:~# dpkg -L fierce
/.
/usr
/usr/bin
/usr/bin/fierce
/usr/share
/usr/share/doc
/usr/share/doc/fierce
/usr/share/doc/fierce/changelog.Debian.gz
/usr/share/doc/fierce/copyright
/usr/share/fierce
/usr/share/fierce/hosts.txt
root@kali:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt
DNS Servers for sina.com.cn:
    ns4.sina.com.cn
    ns3.sina.com.cn
    ns1.sina.com.cn
    ns2.sina.com.cn

Trying zone transfer first...

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
123.126.45.14    1.sina.com.cn
123.126.45.14    8.sina.com.cn
123.126.45.68    a.sina.com.cn
125.39.135.216    a1.sina.com.cn
60.28.226.27    a1.sina.com.cn
125.39.135.217    a1.sina.com.cn
60.28.226.31    a1.sina.com.cn
125.39.135.218    a1.sina.com.cn
60.28.226.32    a1.sina.com.cn
125.39.135.219    a1.sina.com.cn
60.28.226.36    a1.sina.com.cn
125.39.135.220    a1.sina.com.cn
125.39.135.221    a1.sina.com.cn
125.39.135.236    a1.sina.com.cn
125.39.135.237    a1.sina.com.cn
60.28.226.25    a2.sina.com.cn
125.39.135.219    a2.sina.com.cn
60.28.226.26    a2.sina.com.cn
125.39.135.220    a2.sina.com.cn
60.28.226.27    a2.sina.com.cn
125.39.135.221    a2.sina.com.cn
60.28.226.31    a2.sina.com.cn
125.39.135.236    a2.sina.com.cn
125.39.135.237    a2.sina.com.cn
125.39.135.216    a2.sina.com.cn
125.39.135.217    a2.sina.com.cn
125.39.135.218    a2.sina.com.cn
125.39.135.216    ad.sina.com.cn
60.28.226.27    ad.sina.com.cn
125.39.135.217    ad.sina.com.cn
60.28.226.31    ad.sina.com.cn
125.39.135.218    ad.sina.com.cn
60.28.226.32    ad.sina.com.cn
125.39.135.219    ad.sina.com.cn
60.28.226.36    ad.sina.com.cn
125.39.135.220    ad.sina.com.cn
125.39.135.221    ad.sina.com.cn
125.39.135.236    ad.sina.com.cn
125.39.135.237    ad.sina.com.cn
60.28.226.25    ads.sina.com.cn
125.39.135.219    ads.sina.com.cn
60.28.226.26    ads.sina.com.cn
125.39.135.220    ads.sina.com.cn
60.28.226.27    ads.sina.com.cn
125.39.135.221    ads.sina.com.cn
60.28.226.31    ads.sina.com.cn
125.39.135.236    ads.sina.com.cn
125.39.135.237    ads.sina.com.cn
125.39.135.216    ads.sina.com.cn
125.39.135.217    ads.sina.com.cn
125.39.135.218    ads.sina.com.cn
123.126.45.14    app.sina.com.cn
123.126.45.14    apps.sina.com.cn
123.125.105.243    aq.sina.com.cn
60.28.226.25    ar.sina.com.cn
125.39.135.219    ar.sina.com.cn
60.28.226.26    ar.sina.com.cn
125.39.135.220    ar.sina.com.cn
60.28.226.27    ar.sina.com.cn
125.39.135.221    ar.sina.com.cn
60.28.226.31    ar.sina.com.cn
125.39.135.236    ar.sina.com.cn
125.39.135.237    ar.sina.com.cn
125.39.135.216    ar.sina.com.cn
125.39.135.217    ar.sina.com.cn
125.39.135.218    ar.sina.com.cn
202.108.35.252    atlas.sina.com.cn
180.149.134.158    auth.sina.com.cn
121.22.4.29    auto.sina.com.cn
58.63.237.124    b.sina.com.cn
202.108.37.51    b2b.sina.com.cn
123.126.45.14    ba.sina.com.cn
fierce示例
root@kali:~# dpkg -L dnsenum
/.
/usr
/usr/bin
/usr/bin/dnsenum
/usr/share
/usr/share/dnsenum
/usr/share/dnsenum/dns.txt
/usr/share/doc
/usr/share/doc/dnsenum
/usr/share/doc/dnsenum/README.md
/usr/share/doc/dnsenum/changelog.Debian.gz
/usr/share/doc/dnsenum/copyright
root@kali:~# dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 sina.com -o
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
Option o requires an argument

-----   sina.com   -----


Host's addresses:
__________________

sina.com.                                59       IN    A        66.102.251.24


Name Servers:
______________

ns1.sina.com.                            21599    IN    A        114.134.80.144
ns2.sina.com.cn.                         21599    IN    A        180.149.138.199
ns4.sina.com.                            21599    IN    A        123.125.29.99
ns3.sina.com.cn.                         21599    IN    A        123.125.29.99
ns1.sina.com.cn.                         21599    IN    A        36.51.252.8
ns2.sina.com.                            21544    IN    A        114.134.80.145
ns4.sina.com.cn.                         21599    IN    A        121.14.1.22
ns3.sina.com.                            21599    IN    A        180.149.138.199


Mail (MX) Servers:
___________________

freemx2.sinamail.sina.com.cn.            59       IN    A        121.14.32.117
freemx3.sinamail.sina.com.cn.            59       IN    A        123.126.45.192
freemx1.sinamail.sina.com.cn.            59       IN    A        39.156.6.104


Trying Zone Transfers and getting Bind Versions:
_________________________________________________

root@kali:~# dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4

-----   sina.com   -----


Host's addresses:
__________________

sina.com.                                59       IN    A        66.102.251.24


Name Servers:
______________

ns1.sina.com.cn.                         21491    IN    A        36.51.252.8
ns2.sina.com.cn.                         21490    IN    A        180.149.138.199
ns3.sina.com.cn.                         21599    IN    A        123.125.29.99
ns4.sina.com.                            21599    IN    A        123.125.29.99
ns1.sina.com.                            21599    IN    A        114.134.80.144
ns2.sina.com.                            21599    IN    A        114.134.80.145
ns3.sina.com.                            21599    IN    A        180.149.138.199
ns4.sina.com.cn.                         21599    IN    A        121.14.1.22


Mail (MX) Servers:
___________________

freemx1.sinamail.sina.com.cn.            59       IN    A        39.156.6.104
freemx2.sinamail.sina.com.cn.            59       IN    A        121.14.32.117
freemx3.sinamail.sina.com.cn.            4        IN    A        123.126.45.192


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for sina.com on ns1.sina.com.cn ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns2.sina.com.cn ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns3.sina.com.cn ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns4.sina.com ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns1.sina.com ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns2.sina.com ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns3.sina.com ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns4.sina.com.cn ... 
AXFR record query failed: REFUSED


Brute forcing with /usr/share/dnsenum/dns.txt:
_______________________________________________

ads.sina.com.                            59       IN    CNAME    ww1.sinaimg.cn.w.alikunlun.com.
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.219
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        60.28.226.37
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        60.28.226.25
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        60.28.226.40
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        60.28.226.26
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.218
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.237
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.216
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.221
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.236
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.220
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.217
blog.sina.com.                           59       IN    CNAME    blog.sina.com.cn.
blog.sina.com.cn.                        59       IN    CNAME    blogx.sina.com.cn.
blogx.sina.com.cn.                       59       IN    A        123.126.45.92
client.sina.com.                         59       IN    A        10.10.10.10
election.sina.com.                       59       IN    CNAME    ww10.sina.com.
ww10.sina.com.                           59       IN    A        71.5.7.191
elections.sina.com.                      59       IN    CNAME    ww10.sina.com.
ww10.sina.com.                           59       IN    A        71.5.7.191
europe.sina.com.                         59       IN    CNAME    spit.sina.com.
spit.sina.com.                           59       IN    A        71.5.7.171
finance.sina.com.                        59       IN    A        10.10.10.10
forum.sina.com.                          59       IN    CNAME    us.sina.com.
us.sina.com.                             59       IN    A        66.102.251.24
forums.sina.com.                         59       IN    CNAME    us.sina.com.
us.sina.com.                             59       IN    A        66.102.251.24
ftp.sina.com.                            59       IN    CNAME    blossom.sina.com.
blossom.sina.com.                        59       IN    A         71.5.7.14
g.sina.com.                              59       IN    A        202.106.169.230
jobs.sina.com.                           59       IN    CNAME    spit.sina.com.
spit.sina.com.                           59       IN    A        71.5.7.171
lists.sina.com.                          59       IN    A        66.102.251.33
log.sina.com.                            59       IN    CNAME    log1.sina.com.
mail.sina.com.                           59       IN    CNAME    mail.sina.com.cn.
mail.sina.com.cn.                        59       IN    CNAME    w5.dpool.sina.com.cn.
w5.dpool.sina.com.cn.                    59       IN    A        123.126.45.14
marketing.sina.com.                      59       IN    A        71.5.7.205
members.sina.com.                        59       IN    A        66.102.251.33
^C
root@kali:~# 
dnsenum示例

1.4 DNS注册信息

(1)whois查询 是一个标准的互联网协议(kali自带)

root@kali:~# whois sina.com
   Domain Name: SINA.COM
   Registry Domain ID: 2243615_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.paycenter.com.cn
   Registrar URL: http://www.xinnet.com
   Updated Date: 2018-12-20T09:17:25Z
   Creation Date: 1998-09-16T04:00:00Z
   Registry Expiry Date: 2021-09-15T04:00:00Z
   Registrar: Xin Net Technology Corporation
   Registrar IANA ID: 120
   Registrar Abuse Contact Email: supervision@xinnet.com
   Registrar Abuse Contact Phone: +86.1087127926
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.SINA.COM
   Name Server: NS1.SINA.COM.CN
   Name Server: NS2.SINA.COM
   Name Server: NS2.SINA.COM.CN
   Name Server: NS3.SINA.COM
   Name Server: NS3.SINA.COM.CN
   Name Server: NS4.SINA.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-01-31T10:39:14Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name:sina.com
Registry Domain ID:
Registrar WHOIS Server:whois.paycenter.com.cn
Registrar URL:http://www.xinnet.com
Updated Date:2018-09-12T01:18:05.00Z
Creation Date:1998-09-15T20:00:00.00Z
Registrar Registration Expiration Date:2021-09-14T20:00:00.00Z
Registrar:XINNET TECHNOLOGY CORPORATION
Registrar IANA ID:120
Registrar Abuse Contact Email:supervision@xinnet.com
Registrar Abuse Contact Phone:+86.1087128064
Reseller:
Domain Status:
Registry Registrant ID:
Registrant Name:
Registrant Organization:
Registrant Street:
Registrant City:
Registrant State/Province:
Registrant Postal Code:
Registrant Country:
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name:
Admin Organization:
Admin Street:
Admin City:
Admin State/Province:
Admin PostalCode:
Admin Country:
Admin Phone:
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID:
Tech Name:
Tech Organization:
Tech Street:
Tech City:
Tech State/Province:
Tech PostalCode:
Tech Country:
Tech Phone:
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:
Name Server:ns1.sina.com.cn
Name Server:ns2.sina.com.cn
Name Server:ns3.sina.com.cn
Name Server:ns1.sina.com
Name Server:ns4.sina.com
Name Server:ns3.sina.com
DNSSEC:unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2020-01-31T10:39:32.00Z <<<: 

For more information on Whois status codes, please visit https://icann.org/epp

The Data in Paycenter's WHOIS database is provided by Paycenter
for information purposes, and to assist persons in obtaining
information about or related to a domain name registration record.
Paycenter does not guarantee its accuracy.  By submitting
a WHOIS query, you agree that you will use this Data only
for lawful purposes and that, 
under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission
of mass unsolicited, commercial advertising or solicitations
via e-mail (spam); or
(2) enable high volume, automated, electronic processes that
apply to Paycenter or its systems.
Paycenter reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.!!
whois示例

也可以用这些网站:可查域名服务商拥有者以及邮箱电话地址等

https://whois.aizhan.com
https://whois.china.com
https://www.virustotal.com
(备案信息查询)
天眼查: http://www.tianyancha.co
ICP备案查询网:http://www.beianbeian.com
------------------
①子域名检测工具:Layer子域名挖掘机 、sublist3r、subDomiansBrute
②搜索引擎枚举: site:baidu.com
③第三方网站搜; --.老牛逼了:
DNSdumpter: https://dnsdumpster.com/
子域名爆破网站: https://phpinfo.me/domain
IP反查绑定域名: http://dns.aizhan.com
④证书透明度公开日志枚举
SSL/TLS公共日志网站 https://crt.sh/
或者 https://censys.io/

 

 

 ethtool

posted @ 2020-01-31 18:48  香农Shannon  阅读(1037)  评论(0编辑  收藏  举报