Information gathering is the most important step in the early phase of a penetration test. Compared with active gathering (actually accessing the target), passive gathering is stealthier and causes the target no harm, and it lays the groundwork for social-engineering attacks.
Main characteristics of passive information gathering:
- the information is obtainable through public channels
- there is no direct interaction with the target system
- leave as few traces as possible (ideally none)
Main categories of information to collect
There is a great deal that can be collected; in brief:
- IP address ranges
- domain name information
- e-mail addresses
- documents and image data (including their metadata)
- company address
- company organisational structure
- telephone / fax numbers
- staff names / job titles
- technology stack used by the target system
- publicly available business information
1. Information gathering: DNS
Domain record types:
- A: host record; maps a domain name to an IP address
- CNAME: alias record; maps a domain name to another domain name
- NS: the address record of the domain's name servers
- MX: mail exchange record; points to the domain's SMTP exchanger
- PTR: reverse record; maps an IP address back to a domain name
The complete (fully qualified) form ends with a dot: www.baidu.com.
The first resolution is an iterative query: the resolver asks one of the 13 root servers worldwide, which refers it to the com. servers, which refer it to the name servers for baidu.com., which finally answer for www.baidu.com.
Our ISP's DNS server is a caching server: it keeps a local copy of the name-to-IP mapping obtained from that first lookup, and later queries are served straight from the cache; that is the recursive query.
1.1 DNS information gathering: using nslookup
- `nslookup www.sina.com`
- `server` // in interactive mode, switch to a specified DNS server
- `type=a`, `mx`, `ns`, `any` // set the query type; any returns everything
- `nslookup -type=ns example.com 156.154.70.22` // the same query as a single command line
nslookup example:
```
root@kali:~# nslookup
> www.baidu.com
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 61.135.169.121
Name:   www.a.shifen.com
Address: 61.135.169.125
> www.a.shifen.com.
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
Name:   www.a.shifen.com
Address: 61.135.169.125
Name:   www.a.shifen.com
Address: 61.135.169.121
> www.sina.com
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn  canonical name = spool.grid.sinaedge.com.
Name:   spool.grid.sinaedge.com
Address: 121.22.4.29
> us.sina.com.cn
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
us.sina.com.cn  canonical name = spool.grid.sinaedge.com.
Name:   spool.grid.sinaedge.com
Address: 121.22.4.29
> spool.grid.sinaedge.com
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
Name:   spool.grid.sinaedge.com
Address: 121.22.4.29
> set type=a
> www.sina.com
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn  canonical name = spool.grid.sinaedge.com.
Name:   spool.grid.sinaedge.com
Address: 121.22.4.29
> set type=mx
> sina.com
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
sina.com        mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com        mail exchanger = 10 freemx1.sinamail.sina.com.cn.
sina.com        mail exchanger = 10 freemx3.sinamail.sina.com.cn.

Authoritative answers can be found from:
> set type=a
> freemx1.sinamail.sina.com.cn
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
Name:   freemx1.sinamail.sina.com.cn
Address: 39.156.6.104
> set type=ns
> sina.com
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
sina.com        nameserver = ns3.sina.com.
sina.com        nameserver = ns2.sina.com.
sina.com        nameserver = ns1.sina.com.cn.
sina.com        nameserver = ns4.sina.com.
sina.com        nameserver = ns2.sina.com.cn.
sina.com        nameserver = ns3.sina.com.cn.
sina.com        nameserver = ns4.sina.com.cn.
sina.com        nameserver = ns1.sina.com.

Authoritative answers can be found from:
> set type=ptr
> 39.156.6.104
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
*** Can't find 104.6.156.39.in-addr.arpa.: No answer
// "type" can be shortened to "q"
// the reverse lookup failed here, probably because of a DNS configuration problem

Authoritative answers can be found from:
> set q=ptr
> 39.156.6.104
Server:         192.168.56.2
Address:        192.168.56.2#53

** server can't find 104.6.156.39.in-addr.arpa: NXDOMAIN
> server 114.114.114.114
Default server: 114.114.114.114
Address: 114.114.114.114#53
> www.sina.com
Server:         114.114.114.114
Address:        114.114.114.114#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn  canonical name = spool.grid.sinaedge.com.

Authoritative answers can be found from:
sinaedge.com
        origin = ns1.sinaedge.com
        mail addr = null.sinaedge.com
        serial = 20100707
        refresh = 10800
        retry = 60
        expire = 604800
        minimum = 60
>
```
1.2 DNS information gathering: using dig
- `dig @8.8.8.8 www.sina.com mx`
- `dig www.sina.com any`
- Reverse lookup: `dig +noall +answer -x 8.8.8.8` // +noall +answer prints only the answer section
- BIND version: `dig +noall +answer txt chaos VERSION.BIND @ns3.dnsv4.com` // read the DNS server's version string to check whether a known vulnerable release is in use
- DNS trace: `dig +trace example.com` // checks whether DNS is being hijacked; it abandons recursion and iterates from the root servers, as a first lookup would
dig example:
```
root@kali:~# nslookup sina.com -type=any
Server:         192.168.56.2
Address:        192.168.56.2#53

Non-authoritative answer:
Name:   sina.com
Address: 66.102.251.24

root@kali:~# dig sina.com any

; <<>> DiG 9.10.6-Debian <<>> sina.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49538
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 11 extra bytes at end

;; QUESTION SECTION:
;sina.com.                      IN      ANY

;; Query time: 597 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: Fri Jan 31 04:37:14 EST 2020
;; MSG SIZE  rcvd: 37

root@kali:~# dig sina.com any @8.8.8.8

; <<>> DiG 9.10.6-Debian <<>> sina.com any @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5774
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sina.com.                      IN      ANY

;; ANSWER SECTION:
sina.com.               59      IN      A       66.102.251.24
sina.com.               59      IN      TXT     "v=spf1 include:spf.sinamail.sina.com.cn -all"
sina.com.               299     IN      SOA     ns1.sina.com.cn. zhihao.staff.sina.com.cn. 2005042601 900 300 604800 300
sina.com.               21599   IN      NS      ns1.sina.com.cn.
sina.com.               21599   IN      NS      ns4.sina.com.
sina.com.               21599   IN      NS      ns3.sina.com.cn.
sina.com.               21599   IN      NS      ns4.sina.com.cn.
sina.com.               21599   IN      NS      ns1.sina.com.
sina.com.               21599   IN      NS      ns3.sina.com.
sina.com.               21599   IN      NS      ns2.sina.com.
sina.com.               21599   IN      NS      ns2.sina.com.cn.
sina.com.               59      IN      MX      10 freemx1.sinamail.sina.com.cn.
sina.com.               59      IN      MX      10 freemx2.sinamail.sina.com.cn.
sina.com.               59      IN      MX      10 freemx3.sinamail.sina.com.cn.

;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 31 04:38:34 EST 2020
;; MSG SIZE  rcvd: 395

root@kali:~# dig sina.com any @114.114.114.114

; <<>> DiG 9.10.6-Debian <<>> sina.com any @114.114.114.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32858
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sina.com.                      IN      ANY

;; ANSWER SECTION:
sina.com.               3       IN      A       66.102.251.24
sina.com.               1706    IN      NS      ns1.sina.com.cn.
sina.com.               1706    IN      NS      ns2.sina.com.
sina.com.               1706    IN      NS      ns3.sina.com.
sina.com.               1706    IN      NS      ns4.sina.com.
sina.com.               1706    IN      NS      ns4.sina.com.cn.
sina.com.               1706    IN      NS      ns3.sina.com.cn.
sina.com.               1706    IN      NS      ns2.sina.com.cn.
sina.com.               1706    IN      NS      ns1.sina.com.

;; Query time: 26 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Fri Jan 31 04:38:55 EST 2020
;; MSG SIZE  rcvd: 197

root@kali:~# dig mail.163.com any

; <<>> DiG 9.10.6-Debian <<>> mail.163.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65096
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.163.com.                  IN      ANY

;; ANSWER SECTION:
mail.163.com.           5       IN      CNAME   ntes53.mail.163.com.

;; Query time: 1176 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: Fri Jan 31 04:39:33 EST 2020
;; MSG SIZE  rcvd: 51

root@kali:~# dig +noall +answer mail.163.com any
mail.163.com.           5       IN      CNAME   ntes53.mail.163.com.
root@kali:~# dig +noall +answer mail.163.com any |awk '{print $5}'
ntes53.mail.163.com.
root@kali:~# dig +noall +answer ntes53.mail.163.com any |awk '{print $5}'
123.126.97.202
root@kali:~# dig -x 123.126.97.202

; <<>> DiG 9.10.6-Debian <<>> -x 123.126.97.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;202.97.126.123.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
202.97.126.123.in-addr.arpa. 5  IN      PTR     mail-m97202.mail.163.com.

;; Query time: 19 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: Fri Jan 31 04:43:44 EST 2020
;; MSG SIZE  rcvd: 83

root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns3.dnsv4.com mail.163.com any
;; Warning, extra type option
;; Warning: query response not set
;; Warning: Message parser reports malformed message packet.
VERSION.BIND.           0       CH      TXT     "6.0.1911.00"
root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ntes53.mail.163.com
;; connection timed out; no servers could be reached
root@kali:~# dig +trace baidu.com

; <<>> DiG 9.10.6-Debian <<>> +trace baidu.com
;; global options: +cmd
.                       5       IN      NS      l.root-servers.net.
.                       5       IN      NS      d.root-servers.net.
.                       5       IN      NS      e.root-servers.net.
.                       5       IN      NS      b.root-servers.net.
.                       5       IN      NS      m.root-servers.net.
.                       5       IN      NS      c.root-servers.net.
.                       5       IN      NS      j.root-servers.net.
.                       5       IN      NS      i.root-servers.net.
.                       5       IN      NS      k.root-servers.net.
.                       5       IN      NS      f.root-servers.net.
.                       5       IN      NS      g.root-servers.net.
.                       5       IN      NS      a.root-servers.net.
.                       5       IN      NS      h.root-servers.net.
;; Received 228 bytes from 192.168.56.2#53(192.168.56.2) in 7 ms

com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20200213050000 20200131040000 33853 . zMeZpKg/LGzpVjlBUJRfkmk8tSvZW+L0UFHnzSn8agztJ8sMGU+knBLW 5LLoPoh6iG7exLV5wVIJZVh+0ISk3AG85VJXZ3HSTWcHZfjMOYI7JXpe pv/5JqT9Eai0ScEJAowDa1qctGOE/LHdNwr30VF8U0LoZL0iXVN3KQ4k iKnl0S0hB41KH+BHFcNpWqxKHRK2piMZRNe8+8Nu9I4GilfW/D90e69p SgG7puU3J3srarhccj0OS5WcLi6nsMf/2k0C6rQMe+WD7aOVZXoLts93 /thoNSWIprseKrYze2STnuG+T/VxzZRJ3fjoZARGHtDf3gTibHC2syXL xaXz5w==
;; Received 1169 bytes from 192.33.4.12#53(c.root-servers.net) in 217 ms

baidu.com.              172800  IN      NS      ns2.baidu.com.
baidu.com.              172800  IN      NS      ns3.baidu.com.
baidu.com.              172800  IN      NS      ns4.baidu.com.
baidu.com.              172800  IN      NS      ns1.baidu.com.
baidu.com.              172800  IN      NS      ns7.baidu.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200207054811 20200131043811 56311 com. N15f7ia8A0pd2A5iWM/8t+T6gs8mQJaOWe/aj3bs4cWxpG7WmCaquZp7 6gfbfotFmss+DuBm9MAd6bwe2fm9m60FQgROWGOZwGRrvZqawy/5eDeV sLIJqhnwM0lT1PuDgNe2SFYsV506melwC4cEtR8M6gkX3nwYMCf6Frus anO+4Lufi229N5Y00N4x9vrlO3zsGBR1yg2xBki9Ni379A==
HPVUNU64MJQUM37BM3VJ6O2UBJCHOS00.com. 86400 IN NSEC3 1 1 0 - HPVVN3Q5E5GOQP2QFE2LEM4SVB9C0SJ6 NS DS RRSIG
HPVUNU64MJQUM37BM3VJ6O2UBJCHOS00.com. 86400 IN RRSIG NSEC3 8 2 86400 20200206052237 20200130041237 56311 com. VDvkqJG0Q4KBg3ZDzgW3cIJIUHD0iQ/M7A5ZLgEdk1cz8ni7AeHTd4t7 s/lHxY9wYJ1O41J4P3ldPSrvln2Ye6Qb0jt0lt5NqiY9AXHISyEDQ6BJ YoQtLR2lnuaQrJrdLggxxRRSHB0ZfHnEnp8YyNpwwxKdZOpodDmJHlra jFYnRZjtyaQc8MP4kaDMR5wEXkuuaXA+Jnjq56sMa0Onbg==
;; Received 757 bytes from 192.26.92.30#53(c.gtld-servers.net) in 129 ms

baidu.com.              600     IN      A       39.156.69.79
baidu.com.              600     IN      A       220.181.38.148
baidu.com.              86400   IN      NS      ns2.baidu.com.
baidu.com.              86400   IN      NS      ns7.baidu.com.
baidu.com.              86400   IN      NS      dns.baidu.com.
baidu.com.              86400   IN      NS      ns4.baidu.com.
baidu.com.              86400   IN      NS      ns3.baidu.com.
;; Received 240 bytes from 14.215.178.80#53(ns4.baidu.com) in 714 ms

root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com
dig: couldn't get address for 'ns2.baidu.com': failure
root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com.
dig: couldn't get address for 'ns2.baidu.com.': failure
root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.baidu.com. any
;; Warning, extra type option
VERSION.BIND.           0       CH      TXT     "baidu dns"
VERSION.BIND.           86400   CH      SOA     VERSION.BIND. hostmaster.VERSION.BIND. 0 28800 7200 604800 86400
VERSION.BIND.           0       CH      NS      VERSION.BIND.
root@kali:~#
```
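In the sessions above the CNAME chains (www.sina.com to us.sina.com.cn to spool.grid.sinaedge.com, and mail.163.com to ntes53.mail.163.com) were followed by hand, one query at a time, and `awk '{print $5}'` only grabs the fifth column. The Python below is an added example, not from the original notes: it parses `dig +noall +answer` lines offline, follows a CNAME chain to its A records (refusing to loop), builds the in-addr.arpa owner name that `dig -x` and `set type=ptr` query, and orders MX hosts by preference. The record lines are constructed from the answers shown above and are not a live capture.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape `dig +noall +answer <name> any` prints, one
# resource record per line (NAME TTL CLASS TYPE RDATA), taken from the answers
# seen in the sessions above. Live answers change over time.
SAMPLE_ANSWERS = """\
www.sina.com.                 59  IN  CNAME  us.sina.com.cn.
us.sina.com.cn.               59  IN  CNAME  spool.grid.sinaedge.com.
spool.grid.sinaedge.com.      59  IN  A      121.22.4.29
mail.163.com.                  5  IN  CNAME  ntes53.mail.163.com.
ntes53.mail.163.com.           5  IN  A      123.126.97.202
sina.com.                     59  IN  MX     10 freemx2.sinamail.sina.com.cn.
sina.com.                     59  IN  MX     10 freemx1.sinamail.sina.com.cn.
sina.com.                     59  IN  TXT    "v=spf1 include:spf.sinamail.sina.com.cn -all"
202.97.126.123.in-addr.arpa.   5  IN  PTR    mail-m97202.mail.163.com.
"""


def normalise(name):
    """Lower-case and add the trailing dot so names compare the way dig prints them."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_answers(text):
    """Return {(owner, type): [rdata, ...]} from dig answer-section lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue   # blank lines and dig's ';;' comment lines
        parts = line.split(None, 4)   # RDATA may itself contain spaces (MX, TXT, SOA)
        if len(parts) < 5 or parts[2] != "IN":
            continue   # not a resource record line
        owner, _ttl, _cls, rtype, rdata = parts
        records[(normalise(owner), rtype.upper())].append(rdata)
    return records


def resolve_a(records, name, max_hops=8):
    """Follow CNAMEs from `name` to its A records, as done by hand above.

    Returns (final_owner, [ipv4, ...]); an empty list means the chain ended at
    a name with neither A nor CNAME data. A CNAME loop or a chain longer than
    max_hops raises ValueError instead of looping forever.
    """
    seen = []
    cur = normalise(name)
    while cur not in seen and len(seen) < max_hops:
        seen.append(cur)
        a_records = records.get((cur, "A"))
        if a_records:
            return cur, a_records
        cname = records.get((cur, "CNAME"))
        if not cname:
            return cur, []
        cur = normalise(cname[0])
    raise ValueError("CNAME loop or chain too long: " + " -> ".join(seen + [cur]))


def reverse_name(ip):
    """Owner name that `dig -x` / `set type=ptr` actually query (in-addr.arpa or ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def mx_hosts(records, zone):
    """MX exchange hosts for a zone, lowest preference value first."""
    entries = []
    for rdata in records.get((normalise(zone), "MX"), []):
        pref, host = rdata.split()
        entries.append((int(pref), normalise(host)))
    return [host for _, host in sorted(entries)]


if __name__ == "__main__":
    recs = parse_answers(SAMPLE_ANSWERS)
    print(resolve_a(recs, "www.sina.com"))   # ('spool.grid.sinaedge.com.', ['121.22.4.29'])
    print(reverse_name("39.156.6.104"))      # 104.6.156.39.in-addr.arpa.
    print(mx_hosts(recs, "sina.com"))
```

Feeding it real `dig +noall +answer` output (one name per query, as above) gives the same chain-following without retyping the intermediate names.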
DNS zone transfer: when the zone on one DNS server is modified, a synchronisation mechanism pushes the change to the other servers; that mechanism is the zone transfer.
- `dig @ns1.example.com example.com axfr` // the transfer type is AXFR
- `host -T -l sina.com 8.8.8.8`
1.3 DNS dictionary brute force
```
fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt
dnsdict6 -d4 -t 16 -x sina.com                               // -t: number of threads
dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
dnsmap sina.com -w dns.txt
dnsrecon -d sina.com --lifetime 10 -t brt -D dnsbig.txt
dnsrecon -t std -d sina.com
```
fierce example:
```
root@kali:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt
DNS Servers for sina.com.cn:
        ns3.sina.com.cn
        ns2.sina.com.cn
        ns4.sina.com.cn
        ns1.sina.com.cn

Trying zone transfer first...
        Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Can't open a.txt or the default wordlist
Exiting...
root@kali:~# dpkg -L fierce
/.
/usr
/usr/bin
/usr/bin/fierce
/usr/share
/usr/share/doc
/usr/share/doc/fierce
/usr/share/doc/fierce/changelog.Debian.gz
/usr/share/doc/fierce/copyright
/usr/share/fierce
/usr/share/fierce/hosts.txt
root@kali:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt
DNS Servers for sina.com.cn:
        ns4.sina.com.cn
        ns3.sina.com.cn
        ns1.sina.com.cn
        ns2.sina.com.cn

Trying zone transfer first...
        Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
123.126.45.14   1.sina.com.cn
123.126.45.14   8.sina.com.cn
123.126.45.68   a.sina.com.cn
125.39.135.216  a1.sina.com.cn
60.28.226.27    a1.sina.com.cn
125.39.135.217  a1.sina.com.cn
60.28.226.31    a1.sina.com.cn
125.39.135.218  a1.sina.com.cn
60.28.226.32    a1.sina.com.cn
125.39.135.219  a1.sina.com.cn
60.28.226.36    a1.sina.com.cn
125.39.135.220  a1.sina.com.cn
125.39.135.221  a1.sina.com.cn
125.39.135.236  a1.sina.com.cn
125.39.135.237  a1.sina.com.cn
60.28.226.25    a2.sina.com.cn
125.39.135.219  a2.sina.com.cn
60.28.226.26    a2.sina.com.cn
125.39.135.220  a2.sina.com.cn
60.28.226.27    a2.sina.com.cn
125.39.135.221  a2.sina.com.cn
60.28.226.31    a2.sina.com.cn
125.39.135.236  a2.sina.com.cn
125.39.135.237  a2.sina.com.cn
125.39.135.216  a2.sina.com.cn
125.39.135.217  a2.sina.com.cn
125.39.135.218  a2.sina.com.cn
125.39.135.216  ad.sina.com.cn
60.28.226.27    ad.sina.com.cn
125.39.135.217  ad.sina.com.cn
60.28.226.31    ad.sina.com.cn
125.39.135.218  ad.sina.com.cn
60.28.226.32    ad.sina.com.cn
125.39.135.219  ad.sina.com.cn
60.28.226.36    ad.sina.com.cn
125.39.135.220  ad.sina.com.cn
125.39.135.221  ad.sina.com.cn
125.39.135.236  ad.sina.com.cn
125.39.135.237  ad.sina.com.cn
60.28.226.25    ads.sina.com.cn
125.39.135.219  ads.sina.com.cn
60.28.226.26    ads.sina.com.cn
125.39.135.220  ads.sina.com.cn
60.28.226.27    ads.sina.com.cn
125.39.135.221  ads.sina.com.cn
60.28.226.31    ads.sina.com.cn
125.39.135.236  ads.sina.com.cn
125.39.135.237  ads.sina.com.cn
125.39.135.216  ads.sina.com.cn
125.39.135.217  ads.sina.com.cn
125.39.135.218  ads.sina.com.cn
123.126.45.14   app.sina.com.cn
123.126.45.14   apps.sina.com.cn
123.125.105.243 aq.sina.com.cn
60.28.226.25    ar.sina.com.cn
125.39.135.219  ar.sina.com.cn
60.28.226.26    ar.sina.com.cn
125.39.135.220  ar.sina.com.cn
60.28.226.27    ar.sina.com.cn
125.39.135.221  ar.sina.com.cn
60.28.226.31    ar.sina.com.cn
125.39.135.236  ar.sina.com.cn
125.39.135.237  ar.sina.com.cn
125.39.135.216  ar.sina.com.cn
125.39.135.217  ar.sina.com.cn
125.39.135.218  ar.sina.com.cn
202.108.35.252  atlas.sina.com.cn
180.149.134.158 auth.sina.com.cn
121.22.4.29     auto.sina.com.cn
58.63.237.124   b.sina.com.cn
202.108.37.51   b2b.sina.com.cn
123.126.45.14   ba.sina.com.cn
```
dnsenum example:
```
root@kali:~# dpkg -L dnsenum
/.
/usr
/usr/bin
/usr/bin/dnsenum
/usr/share
/usr/share/dnsenum
/usr/share/dnsenum/dns.txt
/usr/share/doc
/usr/share/doc/dnsenum
/usr/share/doc/dnsenum/README.md
/usr/share/doc/dnsenum/changelog.Debian.gz
/usr/share/doc/dnsenum/copyright
root@kali:~# dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 sina.com -o
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
Option o requires an argument

-----   sina.com   -----


Host's addresses:
__________________

sina.com.                                59       IN    A        66.102.251.24


Name Servers:
______________

ns1.sina.com.                            21599    IN    A        114.134.80.144
ns2.sina.com.cn.                         21599    IN    A        180.149.138.199
ns4.sina.com.                            21599    IN    A        123.125.29.99
ns3.sina.com.cn.                         21599    IN    A        123.125.29.99
ns1.sina.com.cn.                         21599    IN    A        36.51.252.8
ns2.sina.com.                            21544    IN    A        114.134.80.145
ns4.sina.com.cn.                         21599    IN    A        121.14.1.22
ns3.sina.com.                            21599    IN    A        180.149.138.199


Mail (MX) Servers:
___________________

freemx2.sinamail.sina.com.cn.            59       IN    A        121.14.32.117
freemx3.sinamail.sina.com.cn.            59       IN    A        123.126.45.192
freemx1.sinamail.sina.com.cn.            59       IN    A        39.156.6.104


Trying Zone Transfers and getting Bind Versions:
_________________________________________________

root@kali:~# dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4

-----   sina.com   -----


Host's addresses:
__________________

sina.com.                                59       IN    A        66.102.251.24


Name Servers:
______________

ns1.sina.com.cn.                         21491    IN    A        36.51.252.8
ns2.sina.com.cn.                         21490    IN    A        180.149.138.199
ns3.sina.com.cn.                         21599    IN    A        123.125.29.99
ns4.sina.com.                            21599    IN    A        123.125.29.99
ns1.sina.com.                            21599    IN    A        114.134.80.144
ns2.sina.com.                            21599    IN    A        114.134.80.145
ns3.sina.com.                            21599    IN    A        180.149.138.199
ns4.sina.com.cn.                         21599    IN    A        121.14.1.22


Mail (MX) Servers:
___________________

freemx1.sinamail.sina.com.cn.            59       IN    A        39.156.6.104
freemx2.sinamail.sina.com.cn.            59       IN    A        121.14.32.117
freemx3.sinamail.sina.com.cn.            4        IN    A        123.126.45.192


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for sina.com on ns1.sina.com.cn ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns2.sina.com.cn ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns3.sina.com.cn ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns4.sina.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns1.sina.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns2.sina.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns3.sina.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns4.sina.com.cn ...
AXFR record query failed: REFUSED


Brute forcing with /usr/share/dnsenum/dns.txt:
_______________________________________________

ads.sina.com.                            59       IN    CNAME    ww1.sinaimg.cn.w.alikunlun.com.
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.219
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        60.28.226.37
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        60.28.226.25
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        60.28.226.40
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        60.28.226.26
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.218
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.237
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.216
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.221
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.236
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.220
ww1.sinaimg.cn.w.alikunlun.com.          59       IN    A        125.39.135.217
blog.sina.com.                           59       IN    CNAME    blog.sina.com.cn.
blog.sina.com.cn.                        59       IN    CNAME    blogx.sina.com.cn.
blogx.sina.com.cn.                       59       IN    A        123.126.45.92
client.sina.com.                         59       IN    A        10.10.10.10
election.sina.com.                       59       IN    CNAME    ww10.sina.com.
ww10.sina.com.                           59       IN    A        71.5.7.191
elections.sina.com.                      59       IN    CNAME    ww10.sina.com.
ww10.sina.com.                           59       IN    A        71.5.7.191
europe.sina.com.                         59       IN    CNAME    spit.sina.com.
spit.sina.com.                           59       IN    A        71.5.7.171
finance.sina.com.                        59       IN    A        10.10.10.10
forum.sina.com.                          59       IN    CNAME    us.sina.com.
us.sina.com.                             59       IN    A        66.102.251.24
forums.sina.com.                         59       IN    CNAME    us.sina.com.
us.sina.com.                             59       IN    A        66.102.251.24
ftp.sina.com.                            59       IN    CNAME    blossom.sina.com.
blossom.sina.com.                        59       IN    A        71.5.7.14
g.sina.com.                              59       IN    A        202.106.169.230
jobs.sina.com.                           59       IN    CNAME    spit.sina.com.
spit.sina.com.                           59       IN    A        71.5.7.171
lists.sina.com.                          59       IN    A        66.102.251.33
log.sina.com.                            59       IN    CNAME    log1.sina.com.
mail.sina.com.                           59       IN    CNAME    mail.sina.com.cn.
mail.sina.com.cn.                        59       IN    CNAME    w5.dpool.sina.com.cn.
w5.dpool.sina.com.cn.                    59       IN    A        123.126.45.14
marketing.sina.com.                      59       IN    A        71.5.7.205
members.sina.com.                        59       IN    A        66.102.251.33
^C
root@kali:~#
```
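Seen from the authoritative server, the zone-transfer and wordlist runs above are noisy: an AXFR from an address that is not a configured secondary, an ANY query, then a burst of lookups for many different labels under one zone (fierce's "2280 test(s)"). The Python below is an added example, not from the original notes, that flags those three patterns in BIND-style query-log lines. The log lines, the zone name, the allowed-secondary address, the client addresses and the thresholds are all constructed values for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Zone hosted by the authoritative server and the secondaries allowed to pull it
# (constructed values; in BIND this is what the allow-transfer ACL expresses).
ZONE = "sina.com"
ALLOWED_TRANSFER = {"198.51.100.2"}
BRUTE_THRESHOLD = 10   # distinct names under ZONE from one client ...
BRUTE_WINDOW = 60      # ... within this many seconds looks like a wordlist run

# Modelled on the BIND 9 query-log line: timestamp, client, "(qname): query: qname IN type flags (server)".
LOG_RE = re.compile(
    r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def query_line(ts, client, qname, qtype):
    """Build one query-log line (constructed sample data, not a real capture)."""
    return (f"{ts} client @0x7f1c2c003ad0 {client}#41002 ({qname}): "
            f"query: {qname} IN {qtype} -E(0) (203.0.113.5)")


def sample_log():
    """Constructed log: a legitimate secondary, a recon client, and a normal resolver."""
    base = datetime(2020, 1, 31, 4, 40, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%d-%b-%Y %H:%M:%S.000")

    lines = [
        query_line(stamp(0), "198.51.100.2", ZONE, "AXFR"),       # allowed secondary syncing
        query_line(stamp(1), "192.0.2.10", ZONE, "AXFR"),         # what `dig ... axfr` / dnsenum send
        query_line(stamp(2), "192.0.2.10", ZONE, "ANY"),          # `dig sina.com any`
        query_line(stamp(5), "192.0.2.77", "www." + ZONE, "A"),   # ordinary resolver traffic
        query_line(stamp(9), "192.0.2.77", "mail." + ZONE, "MX"),
    ]
    # The start of the fierce wordlist run shown above, one label per second.
    words = "1 8 a a1 a2 ad ads app apps aq ar atlas auth auto b b2b ba".split()
    lines += [query_line(stamp(3 + i), "192.0.2.10", f"{w}.{ZONE}", "A") for i, w in enumerate(words)]
    return "\n".join(lines)


def analyse(log_text):
    """Return [(client, finding), ...] for transfer attempts, ANY queries and wordlist runs."""
    findings = []
    per_client = defaultdict(list)   # client -> [(timestamp, qname)] for names under ZONE
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # not a query line, or a log format this parser does not know
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        client = m["client"]
        qname = m["qname"].lower().rstrip(".")
        qtype = m["qtype"].upper()
        if qtype in ("AXFR", "IXFR") and client not in ALLOWED_TRANSFER:
            findings.append((client, f"zone transfer attempt ({qtype}) for {qname}"))
        elif qtype == "ANY":
            findings.append((client, f"ANY query for {qname}"))
        if qname.endswith("." + ZONE):
            per_client[client].append((ts, qname))
    # Sliding window: many distinct labels from one client in a short time is a wordlist run.
    for client, queries in per_client.items():
        queries.sort()
        for i, (start, _) in enumerate(queries):
            names = {q for t, q in queries[i:] if (t - start).total_seconds() <= BRUTE_WINDOW}
            if len(names) >= BRUTE_THRESHOLD:
                findings.append((client, f"{len(names)} distinct names under {ZONE} "
                                         f"within {BRUTE_WINDOW}s (dictionary brute force)"))
                break
    return findings


if __name__ == "__main__":
    for client, finding in analyse(sample_log()):
        print(f"{client}: {finding}")
```

On a real server the same patterns are cheaper to block than to detect: restrict AXFR with allow-transfer to the secondaries only, and keep NXDOMAIN-heavy clients visible in the query log.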
1.4 DNS registration information
(1) whois lookup: a standard Internet protocol (the whois client ships with Kali)
whois example:
```
root@kali:~# whois sina.com
   Domain Name: SINA.COM
   Registry Domain ID: 2243615_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.paycenter.com.cn
   Registrar URL: http://www.xinnet.com
   Updated Date: 2018-12-20T09:17:25Z
   Creation Date: 1998-09-16T04:00:00Z
   Registry Expiry Date: 2021-09-15T04:00:00Z
   Registrar: Xin Net Technology Corporation
   Registrar IANA ID: 120
   Registrar Abuse Contact Email: supervision@xinnet.com
   Registrar Abuse Contact Phone: +86.1087127926
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.SINA.COM
   Name Server: NS1.SINA.COM.CN
   Name Server: NS2.SINA.COM
   Name Server: NS2.SINA.COM.CN
   Name Server: NS3.SINA.COM
   Name Server: NS3.SINA.COM.CN
   Name Server: NS4.SINA.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-01-31T10:39:14Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name:sina.com
Registry Domain ID:
Registrar WHOIS Server:whois.paycenter.com.cn
Registrar URL:http://www.xinnet.com
Updated Date:2018-09-12T01:18:05.00Z
Creation Date:1998-09-15T20:00:00.00Z
Registrar Registration Expiration Date:2021-09-14T20:00:00.00Z
Registrar:XINNET TECHNOLOGY CORPORATION
Registrar IANA ID:120
Registrar Abuse Contact Email:supervision@xinnet.com
Registrar Abuse Contact Phone:+86.1087128064
Reseller:
Domain Status:
Registry Registrant ID:
Registrant Name:
Registrant Organization:
Registrant Street:
Registrant City:
Registrant State/Province:
Registrant Postal Code:
Registrant Country:
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name:
Admin Organization:
Admin Street:
Admin City:
Admin State/Province:
Admin PostalCode:
Admin Country:
Admin Phone:
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID:
Tech Name:
Tech Organization:
Tech Street:
Tech City:
Tech State/Province:
Tech PostalCode:
Tech Country:
Tech Phone:
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:
Name Server:ns1.sina.com.cn
Name Server:ns2.sina.com.cn
Name Server:ns3.sina.com.cn
Name Server:ns1.sina.com
Name Server:ns4.sina.com
Name Server:ns3.sina.com
DNSSEC:unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2020-01-31T10:39:32.00Z <<<:

For more information on Whois status codes, please visit https://icann.org/epp

The Data in Paycenter's WHOIS database is provided by Paycenter for
information purposes, and to assist persons in obtaining information about or
related to a domain name registration record. Paycenter does not guarantee
its accuracy. By submitting a WHOIS query, you agree that you will use this
Data only for lawful purposes and that, under no circumstances will you use
this Data to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail (spam); or
(2) enable high volume, automated, electronic processes that apply to
Paycenter or its systems. Paycenter reserves the right to modify these terms
at any time. By submitting this query, you agree to abide by this policy.
```
These websites can also be used; they show the registrar, the owner, and contact e-mail, phone and address:
- https://whois.aizhan.com
- https://whois.china.com
- https://www.virustotal.com
(ICP filing record lookup)
Tianyancha: http://www.tianyancha.co
ICP filing lookup: http://www.beianbeian.com
------------------
① Subdomain discovery tools: Layer子域名挖掘机 (Layer Subdomain Miner), sublist3r, subDomainsBrute
② Search-engine enumeration: site:baidu.com
③ Third-party sites (these are excellent):
DNSdumpster: https://dnsdumpster.com/
Subdomain brute-force site: https://phpinfo.me/domain
Reverse IP lookup (domains bound to an IP): http://dns.aizhan.com
④ Certificate Transparency public log enumeration
SSL/TLS public log site: https://crt.sh/
or https://censys.io/