被动信息收集-dns
信息收集是渗透前期最为重要的一步,其中被动信息收集相对主动信息收集(访问)更具有隐蔽和无害性。便于进行社工攻击。
被动信息收集主要特点
公开渠道可获得的信息
与目标系统不产生直接交互
尽量避免留下一切痕迹
主要归纳应用收集信息
信息收集的内容有很多,简略其下:
- IP地址段
- 域名信息
- 邮件地址
- ⽂档图⽚数据
- 公司地址
- 公司组织架构
- 联系电话 / 传真号码
- ⼈员姓名 / 职务
- 目标系统使⽤的技术架构
- 公开的商业信息
1.信息收集-DNS
域名记录:
- A: 主机记录,他会把一个域名解析到ip地址上
- Cname : 别名记录,他会把一个域名解析到另外一个域名上
- NS :这个域的域名服务器的地址记录
- MX: 邮件交换记录,它会指向这个域的SMTP交换记录
- ptr :反向解析,把ip 解析成域名的
完整的: www.baidu.com.
首次解析查询会进行迭代查询,先查(全球13台)根域服务器.-->com服务器 baidu.com. -->baidu.com的域名服务器找到:www.baidu.com.
我们运营商的DNS服务器是缓存服务器。这样把上面首次的ip与域名的对应记录本地DNS服务器会保存一份,后续就直接拿来直接用,即递归查询。
1.1 DNS信息收集-NSLOOKUP的使用
• nslookup www.sina.com • server //指定dns服务器查询 • type=a、mx、ns、any //指定查询类型;any是全部 • nslookup -type=ns example.com 156.154.70.22 //一句命令行查询
root@kali:~# nslookup > www.baidu.com Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: www.baidu.com canonical name = www.a.shifen.com. Name: www.a.shifen.com Address: 61.135.169.121 Name: www.a.shifen.com Address: 61.135.169.125 > www.a.shifen.com. Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: Name: www.a.shifen.com Address: 61.135.169.125 Name: www.a.shifen.com Address: 61.135.169.121 > www.sina.com Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: www.sina.com canonical name = us.sina.com.cn. us.sina.com.cn canonical name = spool.grid.sinaedge.com. Name: spool.grid.sinaedge.com Address: 121.22.4.29 > us.sina.com.cn Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: us.sina.com.cn canonical name = spool.grid.sinaedge.com. Name: spool.grid.sinaedge.com Address: 121.22.4.29 > spool.grid.sinaedge.com Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: Name: spool.grid.sinaedge.com Address: 121.22.4.29 > set type=a > www.sina.com Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: www.sina.com canonical name = us.sina.com.cn. us.sina.com.cn canonical name = spool.grid.sinaedge.com. Name: spool.grid.sinaedge.com Address: 121.22.4.29 > set type=mx > sina.com Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: sina.com mail exchanger = 10 freemx2.sinamail.sina.com.cn. sina.com mail exchanger = 10 freemx1.sinamail.sina.com.cn. sina.com mail exchanger = 10 freemx3.sinamail.sina.com.cn. Authoritative answers can be found from: > set type=a > freemx1.sinamail.sina.com.cn Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: Name: freemx1.sinamail.sina.com.cn Address: 39.156.6.104 > set type=ns > sina.com Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: sina.com nameserver = ns3.sina.com. sina.com nameserver = ns2.sina.com. sina.com nameserver = ns1.sina.com.cn. sina.com nameserver = ns4.sina.com. sina.com nameserver = ns2.sina.com.cn. sina.com nameserver = ns3.sina.com.cn. sina.com nameserver = ns4.sina.com.cn. sina.com nameserver = ns1.sina.com. Authoritative answers can be found from: > set type=ptr > 39.156.6.104 Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: *** Can't find 104.6.156.39.in-addr.arpa.: No answer // type可以简写为q // 这个可能是dns配置问题未成功反向查询 Authoritative answers can be found from: > set q=ptr > 39.156.6.104 Server: 192.168.56.2 Address: 192.168.56.2#53 ** server can't find 104.6.156.39.in-addr.arpa: NXDOMAIN > server 114.114.114.114 Default server: 114.114.114.114 Address: 114.114.114.114#53 > www.sina.com Server: 114.114.114.114 Address: 114.114.114.114#53 Non-authoritative answer: www.sina.com canonical name = us.sina.com.cn. us.sina.com.cn canonical name = spool.grid.sinaedge.com. Authoritative answers can be found from: sinaedge.com origin = ns1.sinaedge.com mail addr = null.sinaedge.com serial = 20100707 refresh = 10800 retry = 60 expire = 604800 minimum = 60 >
1.2 DNS信息收集-DIG的使用
• dig @8.8.8.8 www.sina.com mx • dig www.sina.com any • 反向查询:dig +noall +answer -x 8.8.8.8 //+noall +answer是只显示有用信息 • bind版本信息: dig +noall +answer txt chaos VERSION.BIND @ns3.dnsv4.com //查询DNS的版本以查询是否存在漏洞 • DNS追踪: dig +trace example.com //查询是否被DNS劫持,舍弃递归查询,像首次一样迭代查询
root@kali:~# nslookup sina.com -type=any Server: 192.168.56.2 Address: 192.168.56.2#53 Non-authoritative answer: Name: sina.com Address: 66.102.251.24 root@kali:~# dig sina.com any ; <<>> DiG 9.10.6-Debian <<>> sina.com any ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49538 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: Message has 11 extra bytes at end ;; QUESTION SECTION: ;sina.com. IN ANY ;; Query time: 597 msec ;; SERVER: 192.168.56.2#53(192.168.56.2) ;; WHEN: Fri Jan 31 04:37:14 EST 2020 ;; MSG SIZE rcvd: 37 root@kali:~# dig sina.com any @8.8.8.8 ; <<>> DiG 9.10.6-Debian <<>> sina.com any @8.8.8.8 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5774 ;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;sina.com. IN ANY ;; ANSWER SECTION: sina.com. 59 IN A 66.102.251.24 sina.com. 59 IN TXT "v=spf1 include:spf.sinamail.sina.com.cn -all" sina.com. 299 IN SOA ns1.sina.com.cn. zhihao.staff.sina.com.cn. 2005042601 900 300 604800 300 sina.com. 21599 IN NS ns1.sina.com.cn. sina.com. 21599 IN NS ns4.sina.com. sina.com. 21599 IN NS ns3.sina.com.cn. sina.com. 21599 IN NS ns4.sina.com.cn. sina.com. 21599 IN NS ns1.sina.com. sina.com. 21599 IN NS ns3.sina.com. sina.com. 21599 IN NS ns2.sina.com. sina.com. 21599 IN NS ns2.sina.com.cn. sina.com. 59 IN MX 10 freemx1.sinamail.sina.com.cn. sina.com. 59 IN MX 10 freemx2.sinamail.sina.com.cn. sina.com. 59 IN MX 10 freemx3.sinamail.sina.com.cn. ;; Query time: 52 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Fri Jan 31 04:38:34 EST 2020 ;; MSG SIZE rcvd: 395 root@kali:~# dig sina.com any @114.114.114.114 ; <<>> DiG 9.10.6-Debian <<>> sina.com any @114.114.114.114 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32858 ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;sina.com. IN ANY ;; ANSWER SECTION: sina.com. 3 IN A 66.102.251.24 sina.com. 1706 IN NS ns1.sina.com.cn. sina.com. 1706 IN NS ns2.sina.com. sina.com. 1706 IN NS ns3.sina.com. sina.com. 1706 IN NS ns4.sina.com. sina.com. 1706 IN NS ns4.sina.com.cn. sina.com. 1706 IN NS ns3.sina.com.cn. sina.com. 1706 IN NS ns2.sina.com.cn. sina.com. 1706 IN NS ns1.sina.com. ;; Query time: 26 msec ;; SERVER: 114.114.114.114#53(114.114.114.114) ;; WHEN: Fri Jan 31 04:38:55 EST 2020 ;; MSG SIZE rcvd: 197 root@kali:~# dig mail.163.com any ; <<>> DiG 9.10.6-Debian <<>> mail.163.com any ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65096 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mail.163.com. IN ANY ;; ANSWER SECTION: mail.163.com. 5 IN CNAME ntes53.mail.163.com. ;; Query time: 1176 msec ;; SERVER: 192.168.56.2#53(192.168.56.2) ;; WHEN: Fri Jan 31 04:39:33 EST 2020 ;; MSG SIZE rcvd: 51 root@kali:~# dig +noall +answer mail.163.com any mail.163.com. 5 IN CNAME ntes53.mail.163.com. root@kali:~# dig +noall +answer mail.163.com any |awk '{print $5}' ntes53.mail.163.com. root@kali:~# dig +noall +answer ntes53.mail.163.com any |awk '{print $5}' 123.126.97.202 root@kali:~# dig -x 123.126.97.202 ; <<>> DiG 9.10.6-Debian <<>> -x 123.126.97.202 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43235 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;202.97.126.123.in-addr.arpa. IN PTR ;; ANSWER SECTION: 202.97.126.123.in-addr.arpa. 5 IN PTR mail-m97202.mail.163.com. ;; Query time: 19 msec ;; SERVER: 192.168.56.2#53(192.168.56.2) ;; WHEN: Fri Jan 31 04:43:44 EST 2020 ;; MSG SIZE rcvd: 83 root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns3.dnsv4.com mail.163.com any ;; Warning, extra type option ;; Warning: query response not set ;; Warning: Message parser reports malformed message packet. VERSION.BIND. 0 CH TXT "6.0.1911.00" root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ntes53.mail.163.com ;; connection timed out; no servers could be reached root@kali:~# dig +trace baidu.com ; <<>> DiG 9.10.6-Debian <<>> +trace baidu.com ;; global options: +cmd . 5 IN NS l.root-servers.net. . 5 IN NS d.root-servers.net. . 5 IN NS e.root-servers.net. . 5 IN NS b.root-servers.net. . 5 IN NS m.root-servers.net. . 5 IN NS c.root-servers.net. . 5 IN NS j.root-servers.net. . 5 IN NS i.root-servers.net. . 5 IN NS k.root-servers.net. . 5 IN NS f.root-servers.net. . 5 IN NS g.root-servers.net. . 5 IN NS a.root-servers.net. . 5 IN NS h.root-servers.net. ;; Received 228 bytes from 192.168.56.2#53(192.168.56.2) in 7 ms com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 com. 86400 IN RRSIG DS 8 1 86400 20200213050000 20200131040000 33853 . zMeZpKg/LGzpVjlBUJRfkmk8tSvZW+L0UFHnzSn8agztJ8sMGU+knBLW 5LLoPoh6iG7exLV5wVIJZVh+0ISk3AG85VJXZ3HSTWcHZfjMOYI7JXpe pv/5JqT9Eai0ScEJAowDa1qctGOE/LHdNwr30VF8U0LoZL0iXVN3KQ4k iKnl0S0hB41KH+BHFcNpWqxKHRK2piMZRNe8+8Nu9I4GilfW/D90e69p SgG7puU3J3srarhccj0OS5WcLi6nsMf/2k0C6rQMe+WD7aOVZXoLts93 /thoNSWIprseKrYze2STnuG+T/VxzZRJ3fjoZARGHtDf3gTibHC2syXL xaXz5w== ;; Received 1169 bytes from 192.33.4.12#53(c.root-servers.net) in 217 ms baidu.com. 172800 IN NS ns2.baidu.com. baidu.com. 172800 IN NS ns3.baidu.com. baidu.com. 172800 IN NS ns4.baidu.com. baidu.com. 172800 IN NS ns1.baidu.com. baidu.com. 172800 IN NS ns7.baidu.com. CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200207054811 20200131043811 56311 com. N15f7ia8A0pd2A5iWM/8t+T6gs8mQJaOWe/aj3bs4cWxpG7WmCaquZp7 6gfbfotFmss+DuBm9MAd6bwe2fm9m60FQgROWGOZwGRrvZqawy/5eDeV sLIJqhnwM0lT1PuDgNe2SFYsV506melwC4cEtR8M6gkX3nwYMCf6Frus anO+4Lufi229N5Y00N4x9vrlO3zsGBR1yg2xBki9Ni379A== HPVUNU64MJQUM37BM3VJ6O2UBJCHOS00.com. 86400 IN NSEC3 1 1 0 - HPVVN3Q5E5GOQP2QFE2LEM4SVB9C0SJ6 NS DS RRSIG HPVUNU64MJQUM37BM3VJ6O2UBJCHOS00.com. 86400 IN RRSIG NSEC3 8 2 86400 20200206052237 20200130041237 56311 com. VDvkqJG0Q4KBg3ZDzgW3cIJIUHD0iQ/M7A5ZLgEdk1cz8ni7AeHTd4t7 s/lHxY9wYJ1O41J4P3ldPSrvln2Ye6Qb0jt0lt5NqiY9AXHISyEDQ6BJ YoQtLR2lnuaQrJrdLggxxRRSHB0ZfHnEnp8YyNpwwxKdZOpodDmJHlra jFYnRZjtyaQc8MP4kaDMR5wEXkuuaXA+Jnjq56sMa0Onbg== ;; Received 757 bytes from 192.26.92.30#53(c.gtld-servers.net) in 129 ms baidu.com. 600 IN A 39.156.69.79 baidu.com. 600 IN A 220.181.38.148 baidu.com. 86400 IN NS ns2.baidu.com. baidu.com. 86400 IN NS ns7.baidu.com. baidu.com. 86400 IN NS dns.baidu.com. baidu.com. 86400 IN NS ns4.baidu.com. baidu.com. 86400 IN NS ns3.baidu.com. ;; Received 240 bytes from 14.215.178.80#53(ns4.baidu.com) in 714 ms root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com dig: couldn't get address for 'ns2.baidu.com': failure root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com. dig: couldn't get address for 'ns2.baidu.com.': failure root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com. any ;; Warning, extra type option VERSION.BIND. 0 CH TXT "baidu dns" VERSION.BIND. 86400 CH SOA VERSION.BIND. hostmaster.VERSION.BIND. 0 28800 7200 604800 86400 VERSION.BIND. 0 CH NS VERSION.BIND. root@kali:~#
dns区域传输:一台dn做了修改有同步机制,同步机制就是使用的是区域传输的方法
• dig @ns1.example.com example.com axfr //传输方法是axfr • host -T -l sina.com 8.8.8.8
1.3 DNS字典爆破
fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt dnsdict6 -d4 -t 16 -x sina.com //-t 线程数 dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 sina.com -o sina.xml dnsmap sina.com -w dns.txt dnsrecon -d sina.com --lifetime 10 -t brt -D dnsbig.txt dnsrecon -t std -d sina.com
root@kali:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt DNS Servers for sina.com.cn: ns3.sina.com.cn ns2.sina.com.cn ns4.sina.com.cn ns1.sina.com.cn Trying zone transfer first... Unsuccessful in zone transfer (it was worth a shot) Okay, trying the good old fashioned way... brute force Can't open a.txt or the default wordlist Exiting... root@kali:~# dpkg -L fierce /. /usr /usr/bin /usr/bin/fierce /usr/share /usr/share/doc /usr/share/doc/fierce /usr/share/doc/fierce/changelog.Debian.gz /usr/share/doc/fierce/copyright /usr/share/fierce /usr/share/fierce/hosts.txt root@kali:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt DNS Servers for sina.com.cn: ns4.sina.com.cn ns3.sina.com.cn ns1.sina.com.cn ns2.sina.com.cn Trying zone transfer first... Unsuccessful in zone transfer (it was worth a shot) Okay, trying the good old fashioned way... brute force Checking for wildcard DNS... Nope. Good. Now performing 2280 test(s)... 123.126.45.14 1.sina.com.cn 123.126.45.14 8.sina.com.cn 123.126.45.68 a.sina.com.cn 125.39.135.216 a1.sina.com.cn 60.28.226.27 a1.sina.com.cn 125.39.135.217 a1.sina.com.cn 60.28.226.31 a1.sina.com.cn 125.39.135.218 a1.sina.com.cn 60.28.226.32 a1.sina.com.cn 125.39.135.219 a1.sina.com.cn 60.28.226.36 a1.sina.com.cn 125.39.135.220 a1.sina.com.cn 125.39.135.221 a1.sina.com.cn 125.39.135.236 a1.sina.com.cn 125.39.135.237 a1.sina.com.cn 60.28.226.25 a2.sina.com.cn 125.39.135.219 a2.sina.com.cn 60.28.226.26 a2.sina.com.cn 125.39.135.220 a2.sina.com.cn 60.28.226.27 a2.sina.com.cn 125.39.135.221 a2.sina.com.cn 60.28.226.31 a2.sina.com.cn 125.39.135.236 a2.sina.com.cn 125.39.135.237 a2.sina.com.cn 125.39.135.216 a2.sina.com.cn 125.39.135.217 a2.sina.com.cn 125.39.135.218 a2.sina.com.cn 125.39.135.216 ad.sina.com.cn 60.28.226.27 ad.sina.com.cn 125.39.135.217 ad.sina.com.cn 60.28.226.31 ad.sina.com.cn 125.39.135.218 ad.sina.com.cn 60.28.226.32 ad.sina.com.cn 125.39.135.219 ad.sina.com.cn 60.28.226.36 ad.sina.com.cn 125.39.135.220 ad.sina.com.cn 125.39.135.221 ad.sina.com.cn 125.39.135.236 ad.sina.com.cn 125.39.135.237 ad.sina.com.cn 60.28.226.25 ads.sina.com.cn 125.39.135.219 ads.sina.com.cn 60.28.226.26 ads.sina.com.cn 125.39.135.220 ads.sina.com.cn 60.28.226.27 ads.sina.com.cn 125.39.135.221 ads.sina.com.cn 60.28.226.31 ads.sina.com.cn 125.39.135.236 ads.sina.com.cn 125.39.135.237 ads.sina.com.cn 125.39.135.216 ads.sina.com.cn 125.39.135.217 ads.sina.com.cn 125.39.135.218 ads.sina.com.cn 123.126.45.14 app.sina.com.cn 123.126.45.14 apps.sina.com.cn 123.125.105.243 aq.sina.com.cn 60.28.226.25 ar.sina.com.cn 125.39.135.219 ar.sina.com.cn 60.28.226.26 ar.sina.com.cn 125.39.135.220 ar.sina.com.cn 60.28.226.27 ar.sina.com.cn 125.39.135.221 ar.sina.com.cn 60.28.226.31 ar.sina.com.cn 125.39.135.236 ar.sina.com.cn 125.39.135.237 ar.sina.com.cn 125.39.135.216 ar.sina.com.cn 125.39.135.217 ar.sina.com.cn 125.39.135.218 ar.sina.com.cn 202.108.35.252 atlas.sina.com.cn 180.149.134.158 auth.sina.com.cn 121.22.4.29 auto.sina.com.cn 58.63.237.124 b.sina.com.cn 202.108.37.51 b2b.sina.com.cn 123.126.45.14 ba.sina.com.cn
root@kali:~# dpkg -L dnsenum /. /usr /usr/bin /usr/bin/dnsenum /usr/share /usr/share/dnsenum /usr/share/dnsenum/dns.txt /usr/share/doc /usr/share/doc/dnsenum /usr/share/doc/dnsenum/README.md /usr/share/doc/dnsenum/changelog.Debian.gz /usr/share/doc/dnsenum/copyright root@kali:~# dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 sina.com -o Smartmatch is experimental at /usr/bin/dnsenum line 698. Smartmatch is experimental at /usr/bin/dnsenum line 698. dnsenum VERSION:1.2.4 Option o requires an argument ----- sina.com ----- Host's addresses: __________________ sina.com. 59 IN A 66.102.251.24 Name Servers: ______________ ns1.sina.com. 21599 IN A 114.134.80.144 ns2.sina.com.cn. 21599 IN A 180.149.138.199 ns4.sina.com. 21599 IN A 123.125.29.99 ns3.sina.com.cn. 21599 IN A 123.125.29.99 ns1.sina.com.cn. 21599 IN A 36.51.252.8 ns2.sina.com. 21544 IN A 114.134.80.145 ns4.sina.com.cn. 21599 IN A 121.14.1.22 ns3.sina.com. 21599 IN A 180.149.138.199 Mail (MX) Servers: ___________________ freemx2.sinamail.sina.com.cn. 59 IN A 121.14.32.117 freemx3.sinamail.sina.com.cn. 59 IN A 123.126.45.192 freemx1.sinamail.sina.com.cn. 59 IN A 39.156.6.104 Trying Zone Transfers and getting Bind Versions: _________________________________________________ root@kali:~# dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 sina.com -o sina.xml Smartmatch is experimental at /usr/bin/dnsenum line 698. Smartmatch is experimental at /usr/bin/dnsenum line 698. dnsenum VERSION:1.2.4 ----- sina.com ----- Host's addresses: __________________ sina.com. 59 IN A 66.102.251.24 Name Servers: ______________ ns1.sina.com.cn. 21491 IN A 36.51.252.8 ns2.sina.com.cn. 21490 IN A 180.149.138.199 ns3.sina.com.cn. 21599 IN A 123.125.29.99 ns4.sina.com. 21599 IN A 123.125.29.99 ns1.sina.com. 21599 IN A 114.134.80.144 ns2.sina.com. 21599 IN A 114.134.80.145 ns3.sina.com. 21599 IN A 180.149.138.199 ns4.sina.com.cn. 21599 IN A 121.14.1.22 Mail (MX) Servers: ___________________ freemx1.sinamail.sina.com.cn. 59 IN A 39.156.6.104 freemx2.sinamail.sina.com.cn. 59 IN A 121.14.32.117 freemx3.sinamail.sina.com.cn. 4 IN A 123.126.45.192 Trying Zone Transfers and getting Bind Versions: _________________________________________________ Trying Zone Transfer for sina.com on ns1.sina.com.cn ... AXFR record query failed: REFUSED Trying Zone Transfer for sina.com on ns2.sina.com.cn ... AXFR record query failed: REFUSED Trying Zone Transfer for sina.com on ns3.sina.com.cn ... AXFR record query failed: REFUSED Trying Zone Transfer for sina.com on ns4.sina.com ... AXFR record query failed: REFUSED Trying Zone Transfer for sina.com on ns1.sina.com ... AXFR record query failed: REFUSED Trying Zone Transfer for sina.com on ns2.sina.com ... AXFR record query failed: REFUSED Trying Zone Transfer for sina.com on ns3.sina.com ... AXFR record query failed: REFUSED Trying Zone Transfer for sina.com on ns4.sina.com.cn ... AXFR record query failed: REFUSED Brute forcing with /usr/share/dnsenum/dns.txt: _______________________________________________ ads.sina.com. 59 IN CNAME ww1.sinaimg.cn.w.alikunlun.com. ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 125.39.135.219 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 60.28.226.37 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 60.28.226.25 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 60.28.226.40 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 60.28.226.26 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 125.39.135.218 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 125.39.135.237 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 125.39.135.216 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 125.39.135.221 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 125.39.135.236 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 125.39.135.220 ww1.sinaimg.cn.w.alikunlun.com. 59 IN A 125.39.135.217 blog.sina.com. 59 IN CNAME blog.sina.com.cn. blog.sina.com.cn. 59 IN CNAME blogx.sina.com.cn. blogx.sina.com.cn. 59 IN A 123.126.45.92 client.sina.com. 59 IN A 10.10.10.10 election.sina.com. 59 IN CNAME ww10.sina.com. ww10.sina.com. 59 IN A 71.5.7.191 elections.sina.com. 59 IN CNAME ww10.sina.com. ww10.sina.com. 59 IN A 71.5.7.191 europe.sina.com. 59 IN CNAME spit.sina.com. spit.sina.com. 59 IN A 71.5.7.171 finance.sina.com. 59 IN A 10.10.10.10 forum.sina.com. 59 IN CNAME us.sina.com. us.sina.com. 59 IN A 66.102.251.24 forums.sina.com. 59 IN CNAME us.sina.com. us.sina.com. 59 IN A 66.102.251.24 ftp.sina.com. 59 IN CNAME blossom.sina.com. blossom.sina.com. 59 IN A 71.5.7.14 g.sina.com. 59 IN A 202.106.169.230 jobs.sina.com. 59 IN CNAME spit.sina.com. spit.sina.com. 59 IN A 71.5.7.171 lists.sina.com. 59 IN A 66.102.251.33 log.sina.com. 59 IN CNAME log1.sina.com. mail.sina.com. 59 IN CNAME mail.sina.com.cn. mail.sina.com.cn. 59 IN CNAME w5.dpool.sina.com.cn. w5.dpool.sina.com.cn. 59 IN A 123.126.45.14 marketing.sina.com. 59 IN A 71.5.7.205 members.sina.com. 59 IN A 66.102.251.33 ^C root@kali:~#
1.4 DNS注册信息
(1)whois查询 是一个标准的互联网协议(kali自带)
root@kali:~# whois sina.com Domain Name: SINA.COM Registry Domain ID: 2243615_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.paycenter.com.cn Registrar URL: http://www.xinnet.com Updated Date: 2018-12-20T09:17:25Z Creation Date: 1998-09-16T04:00:00Z Registry Expiry Date: 2021-09-15T04:00:00Z Registrar: Xin Net Technology Corporation Registrar IANA ID: 120 Registrar Abuse Contact Email: supervision@xinnet.com Registrar Abuse Contact Phone: +86.1087127926 Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited Name Server: NS1.SINA.COM Name Server: NS1.SINA.COM.CN Name Server: NS2.SINA.COM Name Server: NS2.SINA.COM.CN Name Server: NS3.SINA.COM Name Server: NS3.SINA.COM.CN Name Server: NS4.SINA.COM DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2020-01-31T10:39:14Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name:sina.com Registry Domain ID: Registrar WHOIS Server:whois.paycenter.com.cn Registrar URL:http://www.xinnet.com Updated Date:2018-09-12T01:18:05.00Z Creation Date:1998-09-15T20:00:00.00Z Registrar Registration Expiration Date:2021-09-14T20:00:00.00Z Registrar:XINNET TECHNOLOGY CORPORATION Registrar IANA ID:120 Registrar Abuse Contact Email:supervision@xinnet.com Registrar Abuse Contact Phone:+86.1087128064 Reseller: Domain Status: Registry Registrant ID: Registrant Name: Registrant Organization: Registrant Street: Registrant City: Registrant State/Province: Registrant Postal Code: Registrant Country: Registrant Phone: Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: Registry Admin ID: Admin Name: Admin Organization: Admin Street: Admin City: Admin State/Province: Admin PostalCode: Admin Country: Admin Phone: Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: Registry Tech ID: Tech Name: Tech Organization: Tech Street: Tech City: Tech State/Province: Tech PostalCode: Tech Country: Tech Phone: Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: Name Server:ns1.sina.com.cn Name Server:ns2.sina.com.cn Name Server:ns3.sina.com.cn Name Server:ns1.sina.com Name Server:ns4.sina.com Name Server:ns3.sina.com DNSSEC:unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2020-01-31T10:39:32.00Z <<<: For more information on Whois status codes, please visit https://icann.org/epp The Data in Paycenter's WHOIS database is provided by Paycenter for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Paycenter does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to Paycenter or its systems. Paycenter reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.!!
也可以用这些网站:可查域名服务商拥有者以及邮箱电话地址等
https://whois.aizhan.com https://whois.china.com https://www.virustotal.com
(备案信息查询)
天眼查: http://www.tianyancha.co
ICP备案查询网:http://www.beianbeian.com
------------------
①子域名检测工具:Layer子域名挖掘机 、sublist3r、subDomiansBrute
②搜索引擎枚举: site:baidu.com
③第三方网站搜; --.老牛逼了:
DNSdumpter: https://dnsdumpster.com/
子域名爆破网站: https://phpinfo.me/domain
IP反查绑定域名: http://dns.aizhan.com
④证书透明度公开日志枚举
SSL/TLS公共日志网站 https://crt.sh/
或者 https://censys.io/
ethtool
为美好的生活奋斗!