Penetration Testing: Passive Information Gathering Explained
Passive Information Gathering
- I. Introduction to passive information gathering
- 1. Passive information gathering
- 2. What to collect
- 3. Purpose of information gathering
- II. Passive information gathering methods
- 1. dig: domain name resolution queries
- ① Direct query
- ② Query by specified record type
- ③ Query DNS version information
- ④ DNS trace: iterative/recursive queries
- 2. nslookup: diagnosing the DNS infrastructure
- 3. whois: registration information lookup
- 4. dnsenum
- 5. fierce
- ① Direct query
- ② Dictionary brute force
- III. The key passive information gathering method (in my opinion)
- 1. Enter the recon-ng environment
- 2. Create a new workspace
- 3. Set workspace parameters
- 4. DNS query
- 5. Resolve IPs
- 6. Generate the report
- 7. View the report
- IV. Peach blossoms still smile in the spring breeze
I. Introduction to passive information gathering
1. Passive information gathering
Gathering information that is obtainable through public channels, without any direct interaction with the target system or host, so as to avoid leaving any trace as far as possible.
2. What to collect
IP address ranges
Domain information
E-mail addresses
Documents, images and data
Company addresses
Company organizational structure
Telephone/fax numbers
Names and job titles of personnel
The technical architecture used by the target system
Public business information
3. Purpose of information gathering
In my view, information gathering serves to obtain the target system's infrastructure, the target host's IP address ranges and the target's domain information, so that the collected information can describe the target system or host and prepare for the series of scanning work that follows; it is the first key step in penetration testing.
II. Passive information gathering methods
The system environment used here is a virtual machine based on kali-linux-2018-W25-amd64.
1. dig: domain name resolution queries
① Direct query
Command: dig <domain to query>
root@yanxiao:~# dig www.sina.com

; <<>> DiG 9.11.3-1-Debian <<>> www.sina.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21747
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;www.sina.com.                  IN      A

;; ANSWER SECTION:
www.sina.com.            5      IN      CNAME   us.sina.com.cn.
us.sina.com.cn.          5      IN      CNAME   spool.grid.sinaedge.com.
spool.grid.sinaedge.com. 5      IN      A       221.204.241.188
spool.grid.sinaedge.com. 5      IN      A       61.158.251.244

;; Query time: 5 msec
;; SERVER: 192.168.181.2#53(192.168.181.2)
;; WHEN: Wed Jun 26 16:22:04 CST 2019
;; MSG SIZE  rcvd: 135

② Query by specified record type
Command: dig @<DNS server IP> <domain to query> <record type to query>
root@yanxiao:~# dig @8.8.8.8 www.sina.com mx

; <<>> DiG 9.11.3-1-Debian <<>> @8.8.8.8 www.sina.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40167
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.sina.com.                  IN      MX

;; ANSWER SECTION:
www.sina.com.            59     IN      CNAME   us.sina.com.cn.
us.sina.com.cn.          59     IN      CNAME   spool.grid.sinaedge.com.

;; AUTHORITY SECTION:
sinaedge.com.            59     IN      SOA     ns1.sinaedge.com. null.sinaedge.com. 20100707 10800 60 604800 60

;; Query time: 144 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jun 26 16:36:47 CST 2019
;; MSG SIZE  rcvd: 148

Combining +noall with +answer shows only the query result and drops the irrelevant information.
root@yanxiao:~# dig @8.8.8.8 +noall +answer mx sina.com
sina.com.                59     IN      MX      5 freemx1.sinamail.sina.com.cn.
sina.com.                59     IN      MX      10 freemx2.sinamail.sina.com.cn.
sina.com.                59     IN      MX      10 freemx3.sinamail.sina.com.cn.

③ Query DNS version information
Command: dig +noall +answer txt chaos VERSION.BIND @ns3.<domain to query>
root@yanxiao:~# dig +noall +answer txt chaos VERSION.BIND @ns3.sina.com
VERSION.BIND.            0      CH      TXT     " "
# Note: the DNS version string should appear inside the double quotes; it is empty here not because the command is wrong,
# but because Sina hides its version information.

④ DNS trace: iterative/recursive queries
Command: dig +trace <domain to query>
root@yanxiao:~# dig +trace +noall +answer sina.com
.                        5      IN      NS      i.root-servers.net.
.                        5      IN      NS      e.root-servers.net.
.                        5      IN      NS      g.root-servers.net.
.                        5      IN      NS      a.root-servers.net.
.                        5      IN      NS      l.root-servers.net.
.                        5      IN      NS      b.root-servers.net.
.                        5      IN      NS      f.root-servers.net.
.                        5      IN      NS      h.root-servers.net.
.                        5      IN      NS      j.root-servers.net.
.                        5      IN      NS      k.root-servers.net.
.                        5      IN      NS      d.root-servers.net.
.                        5      IN      NS      c.root-servers.net.
.                        5      IN      NS      m.root-servers.net.
.                        5      IN      RRSIG   NS 8 0 518400 20190709050000 20190626040000 25266 . KzQL7eH1xUR1o5RWy/pKJAwhzZ+86CkW7uWRJo64plyhMNMo/afOnrFb 7sHfBJmkKlAAAAAFDePWxBL2zLyWaOX4Tj05yd3mbF5t3rfeP/75EIFA 5R3pqV+cxZSijW2EVrXNbL3KaNpsYH9sYujGKvYPuf/WNarUkLUx7Xn9 gcsOX3ZS6KfZ8NIekE3+Bsuex+vnBhIlws1XlsvnUPGf/1hVXruAX2IB xlQIjT4zjLXEwuP4pgbpdRkbGlXOe7uWXtt2Ywja5+227DqrUuiA+wEF dKNFRX6T/0rZ3a/DPmKAy5d0Xgq2obEt5M32jepblE8hWz6WnTq/5R8i m0AahA==
;; Received 525 bytes from 192.168.181.2#53(192.168.181.2) in 12 ms

;; Received 1196 bytes from 192.112.36.4#53(g.root-servers.net) in 93 ms

;; Received 723 bytes from 192.33.14.30#53(b.gtld-servers.net) in 24 ms

sina.com.                60     IN      A       66.102.251.33
;; Received 336 bytes from 180.149.138.199#53(ns2.sina.com.cn) in 22 ms

2. nslookup: diagnosing the DNS infrastructure
Command: nslookup -type=<record type to query, e.g. a, ns or mx> <domain to query>
root@yanxiao:~# nslookup -type=a sina.com
Server:         192.168.181.2
Address:        192.168.181.2#53

Non-authoritative answer:
Name:   sina.com
Address: 66.102.251.33
# Note: -type=a queries host (A) records

root@yanxiao:~# nslookup -type=ns sina.com
Server:         192.168.181.2
Address:        192.168.181.2#53
# Note: -type=ns queries name server records

Non-authoritative answer:
sina.com        nameserver = ns4.sina.com.
sina.com        nameserver = ns4.sina.com.cn.
sina.com        nameserver = ns3.sina.com.cn.
sina.com        nameserver = ns3.sina.com.
sina.com        nameserver = ns1.sina.com.cn.
sina.com        nameserver = ns2.sina.com.
sina.com        nameserver = ns2.sina.com.cn.
sina.com        nameserver = ns1.sina.com.

Authoritative answers can be found from:

# Note: -type=mx queries mail server records
root@yanxiao:~# nslookup -type=mx sina.com
Server:         192.168.181.2
Address:        192.168.181.2#53

Non-authoritative answer:
sina.com        mail exchanger = 10 freemx3.sinamail.sina.com.cn.
sina.com        mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com        mail exchanger = 5 freemx1.sinamail.sina.com.cn.

Authoritative answers can be found from:

3. whois: registration information lookup
Command: whois <domain to query>
root@yanxiao:~# whois baidu.com
   Domain Name: BAIDU.COM
   Registry Domain ID: 11181110_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2019-05-09T04:30:46Z
   Creation Date: 1999-10-11T11:05:17Z
   Registry Expiry Date: 2026-10-11T11:05:17Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
   Registrar Abuse Contact Phone: +1.2083895740
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.BAIDU.COM
   Name Server: NS2.BAIDU.COM
   Name Server: NS3.BAIDU.COM
   Name Server: NS4.BAIDU.COM
   Name Server: NS7.BAIDU.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-06-26T09:02:43Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.

Domain Name: baidu.com
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-08T20:59:33-0700
Creation Date: 1999-10-11T04:05:17-0700
Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant State/Province: Beijing
Registrant Country: CN
Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Admin State/Province: Beijing
Admin Country: CN
Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Tech State/Province: Beijing
Tech Country: CN
Name Server: ns3.baidu.com
Name Server: ns4.baidu.com
Name Server: ns7.baidu.com
Name Server: ns2.baidu.com
Name Server: ns1.baidu.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-06-26T02:02:28-0700 <<<

For more information on WHOIS status codes, please visit:
https://www.icann.org/resources/pages/epp-status-codes

Web-based WHOIS: https://domains.markmonitor.com/whois

4. dnsenum
dnsenum aims to collect as much information about a domain as possible: it can guess domain names that may exist through Google or a dictionary file, and perform reverse lookups over a network range.
Command: dnsenum -enum <domain to query>
5. fierce
The fierce tool mainly scans subdomains and collects information about them. Use fierce to obtain all the IP addresses and host information of a target.
① Direct query
Command: fierce -dns <domain to query>
root@yanxiao:~# fierce -dns baidu.com
DNS Servers for baidu.com:
        ns3.baidu.com
        ns7.baidu.com
        dns.baidu.com
        ns4.baidu.com
        ns2.baidu.com

Trying zone transfer first...
        Testing ns3.baidu.com
                Request timed out or transfer not allowed.
        Testing ns7.baidu.com
                Request timed out or transfer not allowed.
        Testing dns.baidu.com
                Request timed out or transfer not allowed.
        Testing ns4.baidu.com
                Request timed out or transfer not allowed.
        Testing ns2.baidu.com
                Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
......(the results found here are not shown)

Subnets found (may want to probe here using nmap or unicornscan):
......(the results found here are not shown)

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 220 entries.

Have a nice day.

② Dictionary brute force
fierce in Kali ships with a wordlist that can be used for dictionary brute forcing.
Wordlist location: /usr/share/fierce/hosts.txt
Command: fierce -dnsserver <DNS server to use> -dns <domain to brute force> -wordlist <wordlist path>
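The dig and nslookup answers in sections 1 and 2 above show that www.sina.com reaches its A records only through a two-step CNAME chain. As an added example (not code from the original post), the following POSIX shell/awk function parses `dig +noall +answer` output and follows that chain to the addresses that finally serve the name, refusing chains that loop or end without an address; the sample answer records are constructed from the dig output shown above.

```shell
#!/bin/sh
# Follow the CNAME chain in `dig +noall +answer` output down to the A/AAAA
# records that finally serve a name. Added example, not from the original post.

# Constructed sample: the www.sina.com answer section from section 1 above,
# as dig prints it with +noall +answer (one record per line).
SAMPLE='www.sina.com.            5    IN  CNAME  us.sina.com.cn.
us.sina.com.cn.          5    IN  CNAME  spool.grid.sinaedge.com.
spool.grid.sinaedge.com. 5    IN  A      221.204.241.188
spool.grid.sinaedge.com. 5    IN  A      61.158.251.244'

# follow_chain NAME: read answer records on stdin, start at NAME, walk the
# CNAME chain and print "NAME -> FINAL ADDRESS", one line per address.
# Exit status 1 when the chain ends without an address, 2 on a CNAME loop.
follow_chain() {
    awk -v start="$1" '
    {
        name = $1; sub(/\.$/, "", name)      # strip the trailing dot
        val  = $5; sub(/\.$/, "", val)
        if ($4 == "CNAME") { cname[name] = val }
        else if ($4 == "A" || $4 == "AAAA") { addr[name] = addr[name] " " val }
    }
    END {
        cur = start; sub(/\.$/, "", cur); hops = 0
        while ((cur in cname) && hops < 10) { cur = cname[cur]; hops++ }
        if (hops >= 10) { print "CNAME loop starting at " start > "/dev/stderr"; exit 2 }
        if (!(cur in addr)) { print "no A/AAAA record for " cur > "/dev/stderr"; exit 1 }
        n = split(addr[cur], a, " ")
        for (i = 1; i <= n; i++) if (a[i] != "") print start " -> " cur " " a[i]
    }'
}

# live_chain NAME: the same walk against a real answer, when dig is installed.
live_chain() {
    dig +noall +answer "$1" | follow_chain "$1"
}

# Run the constructed sample: prints two lines, one per edge address.
printf '%s\n' "$SAMPLE" | follow_chain www.sina.com
```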
III. The key passive information gathering method (in my opinion)
recon-ng
recon-ng is an open-source web reconnaissance (information gathering) framework written in Python. It is a full-featured tool that automates information gathering and network reconnaissance. It integrates a database by default, in which query results are stored in structured form, and it has reporting modules that export the results as a report.
Reconnaissance with recon-ng takes three steps:
1. DNS query: google, baidu, bing, yahoo, or brute force (with its own wordlist)
2. Resolve IP addresses (querying the database): the resolve module
3. Generate the report: the reporting module
A concrete example follows:
1. Enter the recon-ng environment
root@yanxiao:~# recon-ng

(ASCII-art banner: Sponsored by... BLACK HILLS www.blackhillsinfosec.com)

                      [recon-ng v4.9.3, Tim Tomes (@LaNMaSteR53)]

[75] Recon modules
[8]  Reporting modules
[2]  Import modules
[2]  Exploitation modules
[2]  Discovery modules

[recon-ng][default] >

When using recon-ng for the first time, you can use help to list every command that can be run:
[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add         Adds records to the database
back        Exits the current context
delete      Deletes records from the database
exit        Exits the framework
help        Displays this menu
keys        Manages framework API keys
load        Loads specified module
pdb         Starts a Python Debugger session
query       Queries the database
record      Records commands to a resource file
reload      Reloads all modules
resource    Executes commands from a resource file
search      Searches available modules
set         Sets module options
shell       Executes shell commands
show        Shows various framework items
snapshots   Manages workspace snapshots
spool       Spools output to a file
unset       Unsets module options
use         Loads specified module
workspaces  Manages workspaces

To see how the recon-ng command itself is used:
[recon-ng][default] > recon-ng -h
[*] Command: recon-ng -h
usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check]
                [--no-analytics]

recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com

optional arguments:
  -h, --help      show this help message and exit
  -v, --version   show program's version number and exit
  -w workspace    load/create a workspace
  -r filename     load commands from a resource file
  --no-check      disable version check
  --no-analytics  disable analytics reporting

2. Create a new workspace
This step is more or less optional, but to build good habits I think it is important to create a separate workspace for each case before working on it; it makes later management and lookups easier.
Command: workspaces list, shows the existing workspaces
Note that if you are already inside the recon-ng environment, you can create a workspace with:
Command: workspaces add <workspace name>
If you are still in the Kali shell, the following command creates a new workspace or enters an existing one directly:
Command: recon-ng -w <workspace name>
3. Set workspace parameters
These workspace parameters can also be skipped without affecting the results; note, however, that if they are not set, the other side can easily tell that you are scanning them with recon-ng, so I recommend setting them; the scan is more discreet afterwards.
Command: show options
The parameter to set:
set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

[recon-ng][sina-test] > set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
USER-AGENT => Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
[recon-ng][sina-test] > show options

  Name        Current Value                                                              Required  Description
  ----------  -------------                                                              --------  -----------
  NAMESERVER  8.8.8.8                                                                    yes       nameserver for DNS interrogation
  PROXY                                                                                  no        proxy server (address:port)
  THREADS     10                                                                         yes       number of threads (where applicable)
  TIMEOUT     10                                                                         yes       socket timeout (seconds)
  USER-AGENT  Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  yes       user-agent string
  VERBOSITY   1                                                                          yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

You can see that the USER-AGENT entry among the workspace parameters has been changed.
4. DNS query
Look up host records through search engines (google, baidu, bing, yahoo) or with brute force.
Command: search <google/baidu/bing/yahoo/brute>
You will find that baidu and yahoo cannot currently be used in the recon-ng environment.
I use the brute module here.
Select the module to use; I chose recon/domains-hosts/brute_hosts.
Command: use <module to use>
View the module's options:
[recon-ng][sina-test][brute_hosts] > show options

  Name      Current Value                           Required  Description
  --------  -------------                           --------  -----------
  SOURCE    default                                 yes       source of input (see 'show info' for details)
  WORDLIST  /usr/share/recon-ng/data/hostnames.txt  yes       path to hostname wordlist

Set the options:
Command: set SOURCE <domain to discover>
Run:
Command: run
View a rough table; the terminal shows the details of the IP addresses discovered in the previous step:
Command: show hosts
Check the current settings of the module in this workspace:
Command: show info
The purpose of this step is to continue discovery in the current workspace with the current module; after checking the status, only the domain to discover needs to be changed.
5. Resolve IPs
Return to the workspace to switch modules:
Command: back
Find the resolve module:
Command: search resolve
Select the module to use; I chose recon/hosts-hosts/resolve.
Command: use recon/hosts-hosts/resolve
Set the module options:
[recon-ng][sina-test][resolve] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][sina-test][resolve] > set SOURCE query select host from hosts
SOURCE => query select host from hosts

This sets the source to the hosts table obtained from the DNS query just now, taking the entries from it for resolution.
Run:
6. Generate the report
This part is an indispensable step in later corporate work; it is also what the client ultimately sees.
First exit the resolve module back to the workspace, then select the reporting module and set its options. Without further ado, on to the code block QAQ:
7. View the report
Open a browser and enter the path set just now in the URL bar:
The Hosts entry can be opened to see the details; I will not open it here.
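Steps 2 to 7 above are typed interactively, but the `recon-ng -h` output in step 1 shows that the same commands can be loaded from a resource file with `-r`, which makes a run reproducible and leaves a record of exactly what was queried. The script below is an added example, not code from the original post; it assumes the reporting module is reporting/html with the options CREATOR, CUSTOMER and FILENAME (the post's own report-module commands are not shown), that the workspace is passed with `-w`, and that recon-ng is on PATH.

```shell
#!/bin/sh
# Replay the recon-ng workflow from steps 2 to 6 above from a resource file
# (`recon-ng -w <workspace> -r <file>`). Added example, not from the post.
# Assumptions (not shown on the page): the reporting module is reporting/html
# with the options CREATOR, CUSTOMER and FILENAME, and REPORT is writable.

# validate_domain NAME: accept only a plain DNS name, so an argument such as
# "sina.com; rm -rf /" can never be written into the resource file.
validate_domain() {
    printf '%s' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# write_resource DOMAIN OUTFILE REPORT: write the resource file to OUTFILE.
# Returns 1 (and writes nothing) when DOMAIN is not a valid name.
write_resource() {
    domain=$1; out=$2; report=$3
    validate_domain "$domain" || return 1
    cat > "$out" <<EOF
set NAMESERVER 8.8.8.8
set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
use recon/domains-hosts/brute_hosts
set SOURCE $domain
run
back
use recon/hosts-hosts/resolve
set SOURCE query select host from hosts
run
back
show hosts
use reporting/html
set CREATOR yanxiao
set CUSTOMER $domain
set FILENAME $report
run
exit
EOF
}

# run_recon DOMAIN WORKSPACE REPORT: generate the file and hand it to recon-ng.
run_recon() {
    rc="/tmp/recon-$2.rc"
    write_resource "$1" "$rc" "$3" || { echo "invalid domain: $1" >&2; return 1; }
    command -v recon-ng >/dev/null 2>&1 ||
        { echo "recon-ng not installed; resource file left at $rc" >&2; return 2; }
    recon-ng -w "$2" -r "$rc"
}
```

Call it as `run_recon sina.com sina-test /root/sina-test.html`; the generated file can also be kept with the engagement notes as the record of the queries made.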
That concludes passive information gathering; where the summary falls short or contains mistakes, I hope the CSDN seniors will point them out and correct me.
IV. Peach blossoms still smile in the spring breeze
This article is the second time since my first post in March that I publish on CSDN some of what I have learned and felt. The attempt in March could not be kept up for various reasons; this time it is both because my studies have reached the most important part of penetration testing, the Kali system and the use of its various tools, and because I want to discipline myself by keeping up a blog on CSDN, so that regularly summarizing and consolidating what I have learned becomes a habit. Keep going!!! May I and all of you soon ride briskly in the spring breeze and take in all the flowers of Chang'an in a single day.