渗透测试---被动信息收集详解
被动信息收集
一、被动信息收集简介
1.被动信息收集
指通过公开渠道的可获得信息,与目标系统或者主机不产生直接的信息交互,以尽可能避免留下任何痕迹的信息收集方法。
2.信息收集的内容
IP地址段
域名信息
邮件地址
文档图片数据
公司地址
公司组织架构
联系电话/传真号码
人员姓名/职务
目标系统使用的技术架构
公开的商用信息
3.信息收集的目的
个人认为信息收集是为了获取目标系统的基础架构以及目标主机的ip地址段以及该对象的域名信息,以达到使用所收集的信息去描述目标系统或者主机的目的,并对之后的一些列扫描工作做准备,是渗透测试技术的第一个关键步骤。
二、被动信息收集方式
在这里我使用的系统环境是基于kali-linux-2018-W25-amd64的虚拟环境.
1.dig:域名解析查询
①直接查询
命令:
dig 所要查询域名
root@yanxiao:~# dig www.sina.com ; <<>> DiG 9.11.3-1-Debian <<>> www.sina.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21747 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096 ;; QUESTION SECTION: ;www.sina.com. IN A ;; ANSWER SECTION: www.sina.com. 5 IN CNAME us.sina.com.cn. us.sina.com.cn. 5 IN CNAME spool.grid.sinaedge.com. spool.grid.sinaedge.com. 5 IN A 221.204.241.188 spool.grid.sinaedge.com. 5 IN A 61.158.251.244 ;; Query time: 5 msec ;; SERVER: 192.168.181.2#53(192.168.181.2) ;; WHEN: Wed Jun 26 16:22:04 CST 2019 ;; MSG SIZE rcvd: 135
②按指定内容查询
命令:
dig @<DNS服务器ip> <所查询的域名> <所查询的具体类型>
root@yanxiao:~# dig @8.8.8.8 www.sina.com mx ; <<>> DiG 9.11.3-1-Debian <<>> @8.8.8.8 www.sina.com mx ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40167 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;www.sina.com. IN MX ;; ANSWER SECTION: www.sina.com. 59 IN CNAME us.sina.com.cn. us.sina.com.cn. 59 IN CNAME spool.grid.sinaedge.com. ;; AUTHORITY SECTION: sinaedge.com. 59 IN SOA ns1.sinaedge.com. null.sinaedge.com. 20100707 10800 60 604800 60 ;; Query time: 144 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Wed Jun 26 16:36:47 CST 2019 ;; MSG SIZE rcvd: 148
结合
noall与
answer只显示查询结果,摒弃无关信息。
root@yanxiao:~# dig @8.8.8.8 +noall +answer mx sina.com sina.com. 59 IN MX 5 freemx1.sinamail.sina.com.cn. sina.com. 59 IN MX 10 freemx2.sinamail.sina.com.cn. sina.com. 59 IN MX 10 freemx3.sinamail.sina.com.cn.
③查新DNS版本信息
命令:
dig +noall +answer txt chaos VERSION.BIND @ns3.所要查询的域名
root@yanxiao:~# dig +noall +answer txt chaos VERSION.BIND @ns3.sina.com VERSION.BIND. 0 CH TXT " " #注:这里DNS版本信息应该是在双引号下显示,而此时为空并不是因为命令有误, # 而是因为新浪将之版本信息隐藏
④DNS追踪,迭代/递归查询
命令:
dig +trace 所要查询的域名
root@yanxiao:~# dig +trace +noall +answer sina.com . 5 IN NS i.root-servers.net. . 5 IN NS e.root-servers.net. . 5 IN NS g.root-servers.net. . 5 IN NS a.root-servers.net. . 5 IN NS l.root-servers.net. . 5 IN NS b.root-servers.net. . 5 IN NS f.root-servers.net. . 5 IN NS h.root-servers.net. . 5 IN NS j.root-servers.net. . 5 IN NS k.root-servers.net. . 5 IN NS d.root-servers.net. . 5 IN NS c.root-servers.net. . 5 IN NS m.root-servers.net. . 5 IN RRSIG NS 8 0 518400 20190709050000 20190626040000 25266 . KzQL7eH1xUR1o5RWy/pKJAwhzZ+86CkW7uWRJo64plyhMNMo/afOnrFb 7sHfBJmkKlAAAAAFDePWxBL2zLyWaOX4Tj05yd3mbF5t3rfeP/75EIFA 5R3pqV+cxZSijW2EVrXNbL3KaNpsYH9sYujGKvYPuf/WNarUkLUx7Xn9 gcsOX3ZS6KfZ8NIekE3+Bsuex+vnBhIlws1XlsvnUPGf/1hVXruAX2IB xlQIjT4zjLXEwuP4pgbpdRkbGlXOe7uWXtt2Ywja5+227DqrUuiA+wEF dKNFRX6T/0rZ3a/DPmKAy5d0Xgq2obEt5M32jepblE8hWz6WnTq/5R8i m0AahA== ;; Received 525 bytes from 192.168.181.2#53(192.168.181.2) in 12 ms ;; Received 1196 bytes from 192.112.36.4#53(g.root-servers.net) in 93 ms ;; Received 723 bytes from 192.33.14.30#53(b.gtld-servers.net) in 24 ms sina.com. 60 IN A 66.102.251.33 ;; Received 336 bytes from 180.149.138.199#53(ns2.sina.com.cn) in 22 ms
2.nslookup:诊断DNS基础结构
命令:
nslookup -type=<选择要查询的类型例如:a记录、ns记录、mx记录> 所要查询域名
root@yanxiao:~# nslookup -type=a sina.com Server: 192.168.181.2 Address: 192.168.181.2#53 Non-authoritative answer: Name: sina.com Address: 66.102.251.33 # 注:-type=a 查询主机记录 root@yanxiao:~# nslookup -type=ns sina.com Server: 192.168.181.2 Address: 192.168.181.2#53 # 注:-type=ns 查询域名服务器记录 Non-authoritative answer: sina.com nameserver = ns4.sina.com. sina.com nameserver = ns4.sina.com.cn. sina.com nameserver = ns3.sina.com.cn. sina.com nameserver = ns3.sina.com. sina.com nameserver = ns1.sina.com.cn. sina.com nameserver = ns2.sina.com. sina.com nameserver = ns2.sina.com.cn. sina.com nameserver = ns1.sina.com. Authoritative answers can be found from: # 注:-type=mx 查询邮件服务器记录 root@yanxiao:~# nslookup -type=mx sina.com Server: 192.168.181.2 Address: 192.168.181.2#53 Non-authoritative answer: sina.com mail exchanger = 10 freemx3.sinamail.sina.com.cn. sina.com mail exchanger = 10 freemx2.sinamail.sina.com.cn. sina.com mail exchanger = 5 freemx1.sinamail.sina.com.cn. Authoritative answers can be found from:
3.whois:注册信息查询
命令:
whois 所要查询的域名
root@yanxiao:~# whois baidu.com Domain Name: BAIDU.COM Registry Domain ID: 11181110_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.markmonitor.com Registrar URL: http://www.markmonitor.com Updated Date: 2019-05-09T04:30:46Z Creation Date: 1999-10-11T11:05:17Z Registry Expiry Date: 2026-10-11T11:05:17Z Registrar: MarkMonitor Inc. Registrar IANA ID: 292 Registrar Abuse Contact Email: abusecomplaints@markmonitor.com Registrar Abuse Contact Phone: +1.2083895740 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited Name Server: NS1.BAIDU.COM Name Server: NS2.BAIDU.COM Name Server: NS3.BAIDU.COM Name Server: NS4.BAIDU.COM Name Server: NS7.BAIDU.COM DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2019-06-26T09:02:43Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name regist 4000 ration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: baidu.com Registry Domain ID: 11181110_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.markmonitor.com Registrar URL: http://www.markmonitor.com Updated Date: 2019-05-08T20:59:33-0700 Creation Date: 1999-10-11T04:05:17-0700 Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700 Registrar: MarkMonitor, Inc. Registrar IANA ID: 292 Registrar Abuse Contact Email: abusecomplaints@markmonitor.com Registrar Abuse Contact Phone: +1.2083895740 Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited) Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited) Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited) Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited) Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited) Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited) Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd. Registrant State/Province: Beijing Registrant Country: CN Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd. Admin State/Province: Beijing Admin Country: CN Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd. Tech State/Province: Beijing Tech Country: CN Name Server: ns3.baidu.com Name Server: ns4.baidu.com Name Server: ns7.baidu.com Name Server: ns2.baidu.com Name Server: ns1.baidu.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2019-06-26T02:02:28-0700 <<< For more information on WHOIS status codes, please visit: https://www.icann.org/resources/pages/epp-status-codes If you wish to contact this domain’s Registrant, Administrative, or Technical contact, and such email address is not visible above, you may do so via our web form, pursuant to ICANN’s Temporary Specification. To verify that you are not a robot, please enter your email address to receive a link to a page that facilitates email communication with the relevant contact(s). Web-based WHOIS: https://domains.markmonitor.com/whois If you have a legitimate interest in viewing the non-public WHOIS details, send your request and the reasons for your request to whoisrequest@markmonitor.com and specify the domain name in the subject line. We will review that request and may ask for supporting documentation and explanation. The data in MarkMonitor’s WHOIS database is provided for information purposes, and to assist persons in obtaining information about or related to a domain name’s registration record. While MarkMonitor believes the data to be accurate, the data is provided "as is" with no guarantee or warranties regarding its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) allow, enable, or otherwise support the transmission by email, telephone, or facsimile of mass, unsolicited, commercial advertising, or spam; or (2) enable high volume, automated, or electronic processes that send queries, data, or email to MarkMonitor (or its systems) or the domain name contacts (or its systems). MarkMonitor.com reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. MarkMonitor is the Global Leader in Online Brand Protection. MarkMonitor Domain Management(TM) MarkMonitor Brand Protection(TM) MarkMonitor AntiCounterfeiting(TM) MarkMonitor AntiPiracy(TM) MarkMonitor AntiFraud(TM) Professional and Managed Services Visit MarkMonitor at https://www.markmonitor.com Contact us at +1.8007459229 In Europe, at +44.02032062220 --
4.dnsenum
dnsenum的目的是尽可能收集一个域的信息,它能够通过谷歌或者字典文件猜测可能存在的域名,以及对一个网段进行反向查询。
命令:
dnsenum -enum 所要查询的域名
root@yanxiao:~# dnsenum -enum baidu.com Smartmatch is experimental at /usr/bin/dnsenum line 698. Smartmatch is experimental at /usr/bin/dnsenum line 698. dnsenum VERSION:1.2.4 Warning: can't load Net::Whois::IP module, whois queries disabled. Warning: can't load WWW::Mechanize module, Google scraping desabled. ----- baidu.com ----- Host's addresses: __________________ baidu.com. 5 IN A 123.125.114.144 baidu.com. 5 IN A 220.181.38.148 Name Servers: ______________ ns4.baidu.com. 5 IN A 14.215.178.80 ns7.baidu.com. 5 IN A 180.76.76.92 dns.baidu.com. 5 IN A 202.108.22.220 ns2.baidu.com. 5 IN A 220.181.33.31 ns3.baidu.com. 5 IN A 112.80.248.64 Mail (MX) Servers: ___________________ mx.n.shifen.com. 5 IN A 61.135.165.120 mx.n.shifen.com. 5 IN A 111.202.115.85 mx50.baidu.com. 5 IN A 180.76.13.18 mx1.baidu.com. 5 IN A 220.181.50.185 mx1.baidu.com. 5 IN A 61.135.165.120 jpmx.baidu.com. 5 IN A 61.208.132.13 mx.maillb.baidu.com. 5 IN A 111.202.115.85 Trying Zone Transfers and getting Bind Versions: _________________________________________________ Trying Zone Transfer for baidu.com on ns4.baidu.com ... AXFR record query failed: REFUSED Trying Zone Transfer for baidu.com on dns.baidu.com ... AXFR record query failed: REFUSED Trying Zone Transfer for baidu.com on ns7.baidu.com ... AXFR record query failed: REFUSED Trying Zone Transfer for baidu.com on ns2.baidu.com ... AXFR record query failed: REFUSED Trying Zone Transfer for baidu.com on ns3.baidu.com ... AXFR record query failed: REFUSED brute force file not specified, bay.
5.fierce
fierce工具主要是对子域名进行扫描和收集信息。使用fierce工具获得一个目标主机上所有IP地址和主机信息。
①直接查询
命令:
fierce -dns 所要查询的域名
root@yanxiao:~# fierce -dns baidu.com DNS Servers for baidu.com: ns3.baidu.com ns7.baidu.com dns.baidu.com ns4.baidu.com ns2.baidu.com Trying zone transfer first... Testing ns3.baidu.com Request timed out or transfer not allowed. Testing ns7.baidu.com Request timed out or transfer not allowed. Testing dns.baidu.com Request timed out or transfer not allowed. Testing ns4.baidu.com Request timed out or transfer not allowed. Testing ns2.baidu.com Request timed out or transfer not allowed. Unsuccessful in zone transfer (it was worth a shot) Okay, trying the good old fashioned way... brute force Checking for wildcard DNS... Nope. Good. Now performing 2280 test(s)... ......此处的发现结果不予显示 Subnets found (may want to probe here using nmap or unicornscan): ......此处的发现结果不予显示 Done with Fierce scan: http://ha.ckers.org/fierce/ Found 220 entries. Have a nice day.
②字典爆破
kali中的fierce中自带一个字典可以用来实施字典爆破。
字典存放目录:
/usr/share/fierce/hosts.txt
命令:
fierce -dnsserver 要使用的dns服务器 -dns 所要爆破的域名 -wordlist 字典路径
root@yanxiao:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt DNS Servers for sina.com.cn: ns2.sina.com.cn ns3.sina.com.cn ns1.sina.com.cn ns4.sina.com.cn Trying zone transfer first... Unsuccessful in zone transfer (it was worth a shot) Okay, trying the good old fashioned way... brute force Checking for wildcard DNS... Nope. Good. Now performing 2280 test(s)... ......此处的发现结果不予显示 Subnets found (may want to probe here using nmap or unicornscan): ......此处的发现结果不予显示 Done with Fierce scan: http://ha.ckers.org/fierce/ Found 458 entries. Have a nice day.
三、被动信息收集方式的重点(个人认为)
recon-ng
recon-ng是由python编写的一个开源的Web侦查(信息收集)框架。recon-ng框架是一个全特性的工具,使用它可以自动的收集信息和网络侦查。默认集成数据库,可把查询结果结构化存储在其中,有报告模块,把结果导出为报告。
使用recon-ng的信息侦查方式有三个步骤:
1、DNS查询 —— google、baidu、bing、yahoo、Brute force(有自己的字典)
2、解析IP地址(查询数据库)—— resolve模块
3、生成报告 —— report模块
具体如下实例所示:
1.进入recon-ng环境
root@yanxiao:~# recon-ng _/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/ /\ / \\ /\ Sponsored by... /\ /\/ \\V \/\ / \\/ // \\\\\ \\ \/\ // // BLACK HILLS \/ \\ www.blackhillsinfosec.com [recon-ng v4.9.3, Tim Tomes (@LaNMaSteR53)] [75] Recon modules [8] Reporting modules [2] Import modules [2] Exploitation modules [2] Discovery modules [recon-ng][default] >
首次使用recon-ng,可以使用
help查看所有可以执行的命令:
[recon-ng][default] > help Commands (type [help|?] <topic>): --------------------------------- add Adds records to the database back Exits the current context delete Deletes records from the database exit Exits the framework help Displays this menu keys Manages framework API keys load Loads specified module pdb Starts a Python Debugger session query Queries the database record Records commands to a resource file reload Reloads all modules resource Executes commands from a resource file search Searches available modules set Sets module options shell Executes shell commands show Shows various framework items snapshots Manages workspace snapshots spool Spools output to a file unset Unsets module options use Loads specified module workspaces Manages workspaces
查看recon-ng命令的使用方法:
[recon-ng][default] > recon-ng -h [*] Command: recon-ng -h usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check] [--no-analytics] recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com optional arguments: -h, --help show this help message and exit -v, --version show program's version number and exit < 4000 span class="token operator">-w workspace load/create a workspace -r filename load commands from a resource file --no-check disable version check --no-analytics disable analytics reporting
2.创建新的工作区
这一步相对来说可有可无,但是为了养成良好习惯,在进行不同的案例之前为这个案例单独建一个工作区我个人认为是比较重要的,方便之后的管理以及查询。
命令:
workspaces list,显示已存在的工作表
[recon-ng][default] > workspaces list +------------+ | Workspaces | +------------+ | default | | sina | +------------+
这里要说明一下,若进入到recon-ng环境中时创建工作表可以用下列命令:
命令:
workspaces add 工作区名
[recon-ng][default] > workspaces add sina-test [recon-ng][sina-test] > workspaces list +------------+ | Workspaces | +------------+ | default | | sina-test | | sina | +------------+ #删除工作表 [recon-ng][sina-test] > workspaces delete sina-test [recon-ng][default] > workspaces list +------------+ | Workspaces | +------------+ | default | | sina | +------------+
若还是在kali环境下,则使用下列命令直接创建新工作区或者进入已经存在的工作区:
命令:
recon-ng -w 工作区名
root@yanxiao:~# recon-ng -w sina-test [recon-ng][sina-test] > workspaces list +------------+ | Workspaces | +------------+ | default | | sina-test | | sina | +------------+
3.设置工作区参数
这里的工作区参数也可以直接跳过不进行设置,不影响结果;不过需要注意的是不设置参数的话,对方是很容易发现你用recon-ng对他进行扫描,所以建议还是进行设置,设置参数之后扫描会更加隐蔽
命令:
show options
[recon-ng][sina-test] > show options Name Current Value Required Description ---------- ------------- -------- ----------- NAMESERVER 8.8.8.8 yes nameserver for DNS interrogation PROXY no proxy server (address:port) THREADS 10 yes number of threads (where applicable) TIMEOUT 10 yes socket timeout (seconds) USER-AGENT Recon-ng/v4 yes user-agent string VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)
要进行设置的参数信息命令:
set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
[recon-ng][sina-test] > set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0USER-AGENT => Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 [recon-ng][sina-test] > show options Name Current Value Required Description ---------- ------------- -------- ----------- NAMESERVER 8.8.8.8 yes nameserver for DNS interrogation PROXY no proxy server (address:port) THREADS 10 yes number of threads (where applicable) TIMEOUT 10 yes socket timeout (seconds) USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 yes user-agent string VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)
可以看到对工作区参数中的USER-AGENT这一项进行了修改。
4.DNS查询
通过搜索引擎(google、baidu、bing、yahoo)或者使用 brute force(暴力破解) 去查找主机记录。
命令:
search <goole/baidu/bing/yahoo/brute>
[recon-ng][sina-test] > search google [*] Searching for 'google'... Recon ----- recon/domains-hosts/google_site_api recon/domains-hosts/google_site_web [recon-ng][sina-test] > search baidu [*] Searching for 'baidu'... [!] No modules found containing 'baidu'. [recon-ng][sina-test] > search bing [*] Searching for 'bing'... Recon ----- recon/companies-contacts/bing_linkedin_cache recon/domains-hosts/bing_domain_api recon/domains-hosts/bing_domain_web recon/hosts-hosts/bing_ip [recon-ng][sina-test] > search yahoo [*] Searching for 'yahoo'... [!] No modules found containing 'yahoo'. [recon-ng][sina-test] > search brute [*] Searching for 'brute'... Exploitation ------------ exploitation/injection/xpath_bruter Recon ----- recon/domains-domains/brute_suffix recon/domains-hosts/brute_hosts
这里会发现baidu和yahoo在recon-ng环境暂时不能使用。
我在这里使用的是brute模块。
选择要使用的模块,这里我选择了
recon/domains-hosts/brute_hosts模块。
命令:
use 所要使用的模块
[recon-ng][sina-test] > use recon/domains-hosts/brute_hosts [recon-ng][sina-test][brute_hosts] >
查看该模块参数:
[recon-ng][sina-test][brute_hosts] > show options Name Current Value Required Description -------- ------------- -------- ----------- SOURCE default yes source of input (see 'show info' for details) WORDLIST /usr/share/recon-ng/data/hostnames.txt yes path to hostname wordlist
设置参数:
命令:
set SOURCE 所要发现的域名
[recon-ng][sina-test][brute_hosts] > set SOURCE sina.com SOURCE => sina.com
运行:
命令:
run
[recon-ng][sina-test][brute_hosts] > run -------- SINA.COM -------- ......此处的发现结果不予显示 ------- SUMMARY ------- [*] 288 total (247 new) hosts found.
查看粗略的表格,会在终端中显示出上一步中发现的IP地址的各项信息:
命令:
show hosts
[recon-ng][sina-test][brute_hosts] > show hosts +------------------------------------------------------------------------------------------------------------------+ | rowid | host | ip_address | region | country | latitude | longitude | module | +------------------------------------------------------------------------------------------------------------------+ ......此处发现结果不予显示 +------------------------------------------------------------------------------------------------------------------+
查询工作表模块当前的设置:
命令:
show info
[recon-ng][sina-test][brute_hosts] > show info Name: DNS Hostname Brute Forcer Path: modules/recon/domains 3ff7 -hosts/brute_hosts.py Author: Tim Tomes (@LaNMaSteR53) Description: Brute forces host names using DNS. Updates the 'hosts' table with the results. Options: Name Current Value Required Description -------- ------------- -------- ----------- SOURCE sina.com yes source of input (see 'show info' for details) WORDLIST /usr/share/recon-ng/data/hostnames.txt yes path to hostname wordlist Source Options: default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL <string> string representing a single input <path> path to a file containing a list of inputs query <sql> database query returning one column of inputs
这一步的作用是为了在当前工作区使用当前模块进行继续发现的工作,查询状态之后只需修改需要发现的域名即可。
5.解析IP
返回工作区更换模块:
命令:
back
[recon-ng][sina-test][brute_hosts] > back [recon-ng][sina-test] >
寻找解析模块resolve:
命令:
search resolve
[recon-ng][sina-test] > search resolve [*] Searching for 'resolve'... Recon ----- recon/hosts-hosts/resolve recon/hosts-hosts/reverse_resolve recon/netblocks-hosts/reverse_resolve
选择要使用的模块,我这里选择的是
recon/hosts-hosts/resolve模块。
命令:
use recon/hosts-hosts/resolve
[recon-ng][sina-test] > use recon/hosts-hosts/resolve [recon-ng][sina-test][resolve] >
设置模块参数:
[recon-ng][sina-test][resolve] > show options Name Current Value Required Description ------ ------------- -------- ----------- SOURCE default yes source of input (see 'show info' for details) [recon-ng][sina-test][resolve] > set SOURCE query select host from hosts SOURCE => query select host from hosts
这里设置的是从刚才的DNS查询中得到的hosts表中进行取样解析。
运行:
[recon-ng][sina-test][resolve] > run ......此处发现结果不予显示 ------- SUMMARY ------- [*] 662 total (662 new) hosts found.
6.生成报告
这一部分内容在以后的企业工作中是必备的一步,客户最终看到的也是这一部分的内容。
先退出解析模块至工作区,之后选择报告模块,设置报告模块参数,话不多说,进代码块QAQ:
[recon-ng][sina-test][resolve] > back [recon-ng][sina-test] > search report [*] Searching for 'report'... Reporting --------- reporting/csv reporting/html reporting/json reporting/list reporting/proxifier reporting/pushpin reporting/xlsx reporting/xml [recon-ng][sina-test] > use reporting/html [recon-ng][sina-test][html] > show options Name Current Value Required Description -------- ------------- -------- ----------- CREATOR yes creator name for the report footer CUSTOMER yes customer name for the report header FILENAME /root/.recon-ng/workspaces/sina-test/results.html yes path and filename for report output SANITIZE True yes mask sensitive data in the report [recon-ng][sina-test][html] > set CREATOR yanxiao #设置创建者 CREATOR => yanxiao [recon-ng][sina-test][html] > ser CUSTOMER SINA.com #设置目标名 [*] Command: ser CUSTOMER SINA.com [recon-ng][sina-test][html] > set FILENAME /root/sina-test.html #设置html文件路径 FILENAME => /root/sina-test.html [recon-ng][sina-test][html] > run [*] Report generated at '/root/sina-test.html'.
7.查看报告
打开浏览器,在url一栏搜索刚才所设置的路径:
其中的Hosts是可以打开看详细信息的,在这里我就不打开看了。
四、桃花依旧笑春风
这篇文章是继三月份第一次在CSDN发表文章以来第二次继续在CSDN这个平台发表自己的一些所学所感。之前三月份那一次因为各种原因没能坚持下来,这次呢,既因为学习进度到了渗透测试最重要的一部分kali系统以及各种工具的操作,也因为想以在CSDN坚持写博客的方法砥砺自己,让不时的总结巩固所学的知识成为一种习惯,加油!!!愿自己以及诸君不日就可以春风得意马蹄疾,一日看尽长安花。
- 小白日记4:kali渗透测试之被动信息收集(三)--Shodan、Google
- 小白日记3:kali渗透测试之被动信息收集(二)-dig、whios、dnsenum、fierce
- 小白日记2:kali渗透测试之被动信息收集(一)
- 渗透测试 | 信息收集 | 1-被动信息收集
- 小白日记6:kali渗透测试之被动信息收集(五)-Recon-ng
- Kali 渗透测试- 全主动信息收集-发现
- 新手科普 | 渗透测试之信息收集
- 小白日记8:kali渗透测试之主动信息收集(二)三层发现:ping、traceroute、scapy、nmap、fping、Hping
- 新手科普 | 渗透测试之信息收集
- 新手科普 | 渗透测试之信息收集
- 渗透测试之信息收集DNS篇
- 渗透测试---主动信息收集
- Kali渗透(二)之被动信息收集——搜索引擎
- [渗透测试]python内网渗透信息收集脚本
- 渗透测试之信息收集nmap篇
- 小白日记7:kali渗透测试之主动信息收集-发现(一)--二层发现:arping/shell脚本,Netdiscover,scapy
- 安全渗透测试笔记-------信息收集中名词解释