Newbie Diary 3: Kali Penetration Testing, Passive Information Gathering (Part 2): dig, whois, dnsenum, fierce

I. DIG

On Linux there are two choices for querying DNS resolution: nslookup or dig. dig (Domain Information Groper) is a command-line tool for Unix-like systems that queries DNS for NS records, A records, MX records and other related information.

root@kali:~# dig -h
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]
Where:  domain	  is in the Domain Name System
        q-class  is one of (in,hs,ch,...) [default: in]
        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]   # query type (a, any, mx, ...); default a
                 (Use ixfr=version for type ixfr)
        q-opt    is one of:
                 -x dot-notation     (shortcut for reverse lookups)         # reverse lookup
                 -i                  (use IP6.INT for IPv6 reverse lookups) # IPv6 reverse lookup
                 -f filename         (batch mode)                           # batch mode
                 -b address[#port]   (bind to source address/port)          # bind to a source address/port
                 -p port             (specify port number)                  # specify the port number
                 -q name             (specify query name)                   # specify the query name
                 -t type             (specify query type)                   # specify the query type
                 -c class            (specify query class)
                 -k keyfile          (specify tsig key file)
                 -y [hmac:]name:key  (specify named base64 tsig key)
                 -4                  (use IPv4 query transport only)
                 -6                  (use IPv6 query transport only)
                 -m                  (enable memory usage debugging)
        d-opt    is of the form +keyword[=value], where keyword is:
                 +[no]vc             (TCP mode)                        
                 +[no]tcp            (TCP mode, alternate syntax)
                 +time=###           (Set query timeout) [5]            # query timeout
                 +tries=###          (Set number of UDP attempts) [3]   # number of UDP attempts
                 +retry=###          (Set number of UDP retries) [2]    # number of UDP retries
                 +domain=###         (Set default domainname)
                 +bufsize=###        (Set EDNS0 Max UDP packet size)
                 +ndots=###          (Set NDOTS value)
                 +[no]edns[=###]     (Set EDNS version) [0]
                 +[no]search         (Set whether to use searchlist)
                 +[no]showsearch     (Search with intermediate results)
                 +[no]defname        (Ditto)
                 +[no]recurse        (Recursive mode)
                 +[no]ignore         (Don't revert to TCP for TC responses.)
                 +[no]fail           (Don't try next server on SERVFAIL)
                 +[no]besteffort     (Try to parse even illegal messages)
                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))
                 +[no]adflag         (Set AD flag in query)
                 +[no]cdflag         (Set CD flag in query)
                 +[no]cl             (Control display of class in records)
                 +[no]cmd            (Control display of command line)
                 +[no]comments       (Control display of comment lines)
                 +[no]rrcomments     (Control display of per-record comments)
                 +[no]question       (Control display of question)
                 +[no]answer         (Control display of answer)              # control whether the answer section is shown
                 +[no]authority      (Control display of authority)
                 +[no]additional     (Control display of additional)
                 +[no]stats          (Control display of statistics)
                 +[no]short          (Disable everything except short
                                      form of answer)
                 +[no]ttlid          (Control display of ttls in records)
                 +[no]all            (Set or clear all display flags)         # set or clear all display flags; +noall is usually combined with +answer
                 +[no]qr             (Print question before sending)
                 +[no]nssearch       (Search all authoritative nameservers)
                 +[no]identify       (ID responders in short answers)
                 +[no]trace          (Trace delegation down from root [+dnssec])   # DNS trace
                 +[no]dnssec         (Request DNSSEC records)
                 +[no]nsid           (Request Name Server ID)
                 +[no]sigchase       (Chase DNSSEC signatures)
                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)
                 +[no]topdown        (Do DNSSEC validation top down mode)
                 +[no]split=##       (Split hex/base64 fields into chunks)
                 +[no]multiline      (Print records in an expanded format)
                 +[no]onesoa         (AXFR prints only one soa record)
                 +[no]keepopen       (Keep the TCP socket open between queries)
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h                           (print help and exit)
        -v                           (print version and exit)

Command walkthrough

Direct query

root@kali:~# dig www.baidu.com                            # direct query

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44198        # opcode, status, ID
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 16 # flags

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280                           # EDNS version, UDP buffer size 1280
;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		6	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	553	IN	A	14.215.177.38
www.a.shifen.com.	553	IN	A	14.215.177.37

;; AUTHORITY SECTION:
com.			67772	IN	NS	a.gtld-servers.net.
com.			67772	IN	NS	j.gtld-servers.net.
com.			67772	IN	NS	f.gtld-servers.net.
com.			67772	IN	NS	h.gtld-servers.net.
com.			67772	IN	NS	k.gtld-servers.net.
com.			67772	IN	NS	m.gtld-servers.net.
com.			67772	IN	NS	b.gtld-servers.net.
com.			67772	IN	NS	l.gtld-servers.net.
com.			67772	IN	NS	g.gtld-servers.net.
com.			67772	IN	NS	d.gtld-servers.net.
com.			67772	IN	NS	e.gtld-servers.net.
com.			67772	IN	NS	c.gtld-servers.net.
com.			67772	IN	NS	i.gtld-servers.net.

;; ADDITIONAL SECTION:
g.gtld-servers.net.	47412	IN	A	192.42.93.30
j.gtld-servers.net.	2442	IN	A	192.48.79.30
i.gtld-servers.net.	66535	IN	A	192.43.172.30
e.gtld-servers.net.	56469	IN	A	192.12.94.30
a.gtld-servers.net.	34163	IN	A	192.5.6.30
a.gtld-servers.net.	7565	IN	AAAA	2001:503:a83e::2:30
h.gtld-servers.net.	68265	IN	A	192.54.112.30
f.gtld-servers.net.	31194	IN	A	192.35.51.30
b.gtld-servers.net.	4732	IN	A	192.33.14.30
b.gtld-servers.net.	22851	IN	AAAA	2001:503:231d::2:30
l.gtld-servers.net.	42219	IN	A	192.41.162.30
c.gtld-servers.net.	34151	IN	A	192.26.92.30
m.gtld-servers.net.	47041	IN	A	192.55.83.30
d.gtld-servers.net.	25144	IN	A	192.31.80.30
k.gtld-servers.net.	65164	IN	A	192.52.178.30

;; Query time: 84 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Sep 06 15:50:49 CST 2016
;; MSG SIZE  rcvd: 589


Specifying the DNS server    # dig <name to query> <record type> @<DNS server IP>

dig www.baidu.com mx @8.8.8.8     # MX query

Reverse lookup    # dig -x <server IP address>    # +noall prints nothing; +answer then prints only the answer section
# The result may differ from the forward lookup, because the mapping between domain names and IP addresses can be one-to-many or many-to-one
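As an added illustration (my own code, not part of the original post), the following Python script parses the ANSWER section of a dig run and follows the CNAME chain to the final A records, which is how the www.baidu.com -> www.a.shifen.com answer above resolves. The sample input is the answer section quoted above; the dead-end and CNAME-loop handling goes beyond what dig itself reports.

```python
import re
from collections import defaultdict

# One line of dig's ANSWER section: owner, TTL, class, type, rdata (whitespace separated).
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")

def parse_answer(text):
    """Return the resource records of a dig ANSWER section as (owner, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blank lines and dig's ;-prefixed commentary
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4)))
    return records

def resolve_chain(records, name, rrtype="A", max_hops=8):
    """Follow CNAMEs from `name` until records of `rrtype` are found.
    Returns (chain of owner names visited, list of rdata); the list is empty on a dead end or loop."""
    by_owner = defaultdict(list)
    for owner, _ttl, typ, rdata in records:
        by_owner[owner].append((typ, rdata))
    name = name.lower().rstrip(".") + "."
    chain = [name]
    for _ in range(max_hops):
        answers = [rd for typ, rd in by_owner.get(name, []) if typ == rrtype]
        if answers:
            return chain, answers
        cnames = [rd for typ, rd in by_owner.get(name, []) if typ == "CNAME"]
        if not cnames:
            return chain, []          # dead end: no data for this owner
        name = cnames[0].lower()
        if name in chain:
            return chain, []          # CNAME loop: stop instead of spinning
        chain.append(name)
    return chain, []

# Sample input: the ANSWER section of the dig www.baidu.com run quoted above
SAMPLE = """
;; ANSWER SECTION:
www.baidu.com.		6	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	553	IN	A	14.215.177.38
www.a.shifen.com.	553	IN	A	14.215.177.37
"""

if __name__ == "__main__":
    chain, ips = resolve_chain(parse_answer(SAMPLE), "www.baidu.com")
    print(" -> ".join(chain), ips)
```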

What makes dig powerful

1. Query the DNS server's BIND version    # dig +noall +answer txt chaos VERSION.BIND @<DNS server, i.e. the host named in the NS record>

Hence it can be used to query the host records under a domain    e.g. querying www.sina.com under sina.com    # security-conscious sites hide the BIND version

### used to compromise the DNS server and obtain its host records

2. DNS trace    # dig +trace <domain>    # performs the recursive lookup step by step, from the root down

3. DNS zone transfer    # dig @<DNS server> <domain> axfr    # in plain terms, querying its backup DNS server

A zone transfer is the operation by which a secondary (backup) server refreshes its own zone database with data from the primary server. This gives a running DNS service a degree of redundancy; the purpose is to keep an unexpected failure of the primary name server from affecting the whole service, i.e. it keeps the servers' data synchronised.

### If zone transfer is misconfigured on the DNS server, anyone can connect to the DNS server and perform one

root@kali:~# dig @ns3.sina.com sina.com axfr

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @ns3.sina.com sina.com axfr
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Equivalent command: host -T -l sina.com ns3.sina.com    # -l performs a full AXFR zone transfer
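Added example (my own code, not from the original post): a small Python helper that classifies the text of `dig @<ns> <zone> axfr` as open, refused or unreachable, so an administrator can run it against every name server of their own zone and confirm that none of them hands the zone to an unauthenticated client. The outputs below are constructed samples for the placeholder zone example.com, not real responses; the timeout text is the same message dig printed in the run above.

```python
import re

# One resource record as dig prints it: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")

def classify_axfr(output):
    """Classify the text of `dig @<ns> <zone> axfr` as 'open', 'refused',
    'unreachable' or 'unknown'. Returns (verdict, number of records received)."""
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    if any("Transfer failed" in l for l in lines):          # server answered REFUSED
        return "refused", 0
    if any("no servers could be reached" in l for l in lines):
        return "unreachable", 0
    rrs = [m for m in (RR_LINE.match(l) for l in lines if not l.startswith(";")) if m]
    # A complete zone transfer is bracketed by the zone's SOA record at both ends.
    if len(rrs) >= 2 and rrs[0].group(3) == "SOA" and rrs[-1].group(3) == "SOA":
        return "open", len(rrs)
    return "unknown", len(rrs)

def audit_zone(results):
    """results maps each name server of a zone to the dig axfr output it produced;
    returns the servers that handed out the whole zone to an unauthenticated client."""
    return sorted(ns for ns, out in results.items() if classify_axfr(out)[0] == "open")

# Constructed sample outputs for a placeholder zone (not real responses).
OPEN_OUTPUT = """\
; <<>> DiG 9.9.5 <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2016090601 7200 900 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
www.example.com.\t300\tIN\tA\t192.0.2.10
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2016090601 7200 900 1209600 3600
;; Query time: 12 msec
"""
REFUSED_OUTPUT = "; <<>> DiG 9.9.5 <<>> @ns2.example.com example.com axfr\n; Transfer failed.\n"
TIMEOUT_OUTPUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    servers = {"ns1.example.com": OPEN_OUTPUT, "ns2.example.com": REFUSED_OUTPUT,
               "ns3.example.com": TIMEOUT_OUTPUT}
    for ns, out in servers.items():
        print(ns, *classify_axfr(out))
    print("servers allowing unauthenticated AXFR:", audit_zone(servers))
```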

 

II. whois registration information

# whois <domain>

root@kali:~# whois wooyun.org
Domain Name: WOOYUN.ORG
Domain ID: D159099935-LROR
WHOIS Server:
Referral URL: http://www.net.cn
Updated Date: 2016-01-15T00:24:32Z
Creation Date: 2010-05-06T08:50:48Z
Registry Expiry Date: 2024-05-06T08:50:48Z
Sponsoring Registrar: Hichina Zhicheng Technology Limited
Sponsoring Registrar IANA ID: 420
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant ID: hc556860480-cn
Registrant Name: Fang Xiao Dun
Registrant Organization: Fang Xiao Dun
Registrant Street: Haidian District JuYuan Road 6# 502
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100080
Registrant Country: CN
Registrant Phone: +86.18610137578
Registrant Phone Ext:
Registrant Fax: +86.18610137578
Registrant Fax Ext:
Registrant Email: xssshell@gmail.com
Admin ID: HC-009652962-CN
Admin Name: Fang Xiaodun
Admin Organization: Beijing Bigfish Technology
Admin Street: Haidian District JuYuan Road 6# 502
Admin City: Beijing
Admin State/Province: Beijing
Admin Postal Code: 100080
Admin Country: CN
Admin Phone: +86.18610137578
Admin Phone Ext:
Admin Fax: +86.18610137578
Admin Fax Ext:
Admin Email: xssshell@gmail.com
Tech ID: HC-844637505-CN
Tech Name: Fang Xiaodun
Tech Organization: Beijing Bigfish Technology
Tech Street: Haidian District JuYuan Road 6# 502
Tech City: Beijing
Tech State/Province: Beijing
Tech Postal Code: 100080
Tech Country: CN
Tech Phone: +86.18610137578
Tech Phone Ext:
Tech Fax: +86.18610137578
Tech Fax Ext:
Tech Email: xssshell@gmail.com
Name Server: NS1.DNSV2.COM
Name Server: NS2.DNSV2.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-09-02T21:50:05Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.


Whois websites offer a graphical front end, but the results may be less satisfactory.

III. DNSenum

dnsenum aims to collect as much information about a domain as possible. It can guess likely domain names via Google or a wordlist, and run reverse lookups over a network range. It can look up a site's host addresses, name servers and MX records (mail exchange records), send AXFR requests to the name servers, obtain additional domain names through Google scripting (Google hacking), extract subdomains and query them, compute the class C ranges and run whois queries on them, perform reverse lookups, and write the address ranges to a file.

Common usage:

root@kali:~# dnsenum -enum baidu.com
dnsenum.pl VERSION:1.2.3
Warning: can't load Net::Whois::IP module, whois queries disabled.

-----   baidu.com   -----


Host's addresses:
__________________

baidu.com.                               346      IN    A        220.181.57.217
baidu.com.                               346      IN    A        111.13.101.208
baidu.com.                               346      IN    A        123.125.114.144
baidu.com.                               346      IN    A        180.149.132.47


Name Servers:
______________

ns2.baidu.com.                           76012    IN    A        61.135.165.235
ns4.baidu.com.                           25326    IN    A        220.181.38.10
ns3.baidu.com.                           38813    IN    A        220.181.37.10
ns7.baidu.com.                           78929    IN    A        119.75.219.82
dns.baidu.com.                           35202    IN    A        202.108.22.220


Mail (MX) Servers:
___________________

mx1.baidu.com.                           600      IN    A        61.135.163.61
jpmx.baidu.com.                          2599     IN    A        61.208.132.13
mx50.baidu.com.                          600      IN    A        61.135.163.61
mx.n.shifen.com.                         600      IN    A        220.181.3.77


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for baidu.com on ns4.baidu.com ...

Common options
--threads [number]  number of threads the user can run at the same time
-r  enable recursive lookups
-d  delay in seconds between WHOIS requests
-o  specify the output file
-w  enable WHOIS requests

IV. fierce

The fierce tool is mainly used to scan for subdomains and collect information about them; it is used to obtain all the IP addresses and host information of a target host.

root@kali:~# fierce -dns baidu.com
DNS Servers for baidu.com:
	ns4.baidu.com
	ns2.baidu.com
	ns3.baidu.com
	ns7.baidu.com
	dns.baidu.com

Trying zone transfer first...
	Testing ns4.baidu.com
		Request timed out or transfer not allowed.
	Testing ns2.baidu.com
		Request timed out or transfer not allowed.
	Testing ns3.baidu.com
		Request timed out or transfer not allowed.
	Testing ns7.baidu.com
		Request timed out or transfer not allowed.
	Testing dns.baidu.com
		Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
10.94.49.39	access.baidu.com
10.11.252.74	accounts.baidu.com
10.26.109.19	admin.baidu.com
10.42.4.225	ads.baidu.com
172.22.15.17	agent.baidu.com
172.22.15.16	agent.baidu.com
10.57.8.26	alpha.baidu.com

……

  • Wordlist brute force    # if the DNS server does not allow zone transfers    # Kali 2.0 does not ship dnsdict6

fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt

### e.g. locating the bundled wordlists

dpkg -L fierce

dnsdict6 -d4 -t 16 -x sina.com    # -t: number of threads  # -d: show IPv6 addresses plus MX and NS  # -d4: IPv4  # wordlist size [-l/m/x/u]

# dnsdict6: fast, with a large, complete and accurate wordlist

dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
dnsmap sina.com -w dns.txt
dnsrecon -d sina.com --lifetime 10 -t brt -D dnsbig.txt

dnsrecon -t std -d sina.com

 


Newbie diary, to be continued……

posted on 2016-10-22 23:02 by 子轩非鱼