Part 1
Passive information gathering
Passive gathering means collecting what is available through public channels, without direct contact with the target system and while leaving as few traces as possible, for example through OSINT (open-source intelligence).
What to collect
- IP address ranges
- Domain information
- E-mail addresses
- Documents and image data
- Company address
- Company organizational structure
- Telephone/fax numbers
- Staff names/job titles
- Technology stack used by the target systems
- Public business information
How the information is used
- Building a profile of the target
- Discovery (hosts, etc.)
- Social-engineering attacks
- Physical entry points
DNS information gathering
Domain vs. FQDN (Fully Qualified Domain Name): www.sina.com is a host record under the domain sina.com, and that complete name is an FQDN.
Common record types (all of them appear in the dig output below): A (host/address record), NS (name server), MX (mail exchanger), CNAME (alias), PTR (reverse pointer), TXT, SOA (start of authority).
How a lookup for www.sina.com proceeds: the client sends the query to its configured DNS server (the ISP's or a local caching resolver). If that server already holds a valid cached answer it returns it directly. Otherwise it walks the hierarchy itself: it asks a root server, which does not know www.sina.com but refers it to the .com servers; it asks a .com server, which refers it to the sina.com name servers; it asks a sina.com name server, which holds the record and returns the address. The caching server stores the answer for the record's TTL, hands it to the client, and discards it once the TTL expires. The client then routes to the web server's address.
The query from the client to its caching DNS server is a recursive query: the client asks for a final answer and waits. The step-by-step walk that the caching server performs through the levels (root, .com, sina.com) is a series of iterative queries: each server answers with either the record or a referral to the next server, and never chases the name itself. The only server doing resolution work is the caching/recursive one; the root, .com and sina.com servers each answer only for their own zone.
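The two query styles described above, as an added example that is not part of the original notes: a stub client sends one recursive query to a caching resolver, which then walks root, .com and sina.com iteratively, following referrals, and caches the result for its TTL. All zone data is constructed; the server labels "root", "com-server" and "sina-server" and the 192.0.2.0/24 addresses (a documentation range) are hypothetical.

```python
"""Toy model of recursive vs. iterative DNS resolution (added example; zone data,
server labels and addresses below are constructed, not real sina.com data)."""
import time

# Constructed zone data, keyed by the server that is authoritative for it.
# A real server answers only for its own zone and otherwise refers the asker
# to the closest delegation it knows about.
SERVERS = {
    "root":        {"com.":          ("NS", "com-server",  172800)},
    "com-server":  {"sina.com.":     ("NS", "sina-server", 172800)},
    "sina-server": {"www.sina.com.": ("A",  "192.0.2.10",  60)},
}


def authoritative_query(server, qname):
    """One iterative (non-recursive) exchange with an authoritative server.

    Returns ("answer", rdata, ttl), ("referral", next_server, ttl) or
    ("nxdomain", None, 0). The server never resolves the name on our behalf.
    """
    zone = SERVERS[server]
    if qname in zone:
        rtype, rdata, ttl = zone[qname]
        return ("answer" if rtype == "A" else "referral", rdata, ttl)
    # No exact match: find the closest enclosing delegation by stripping labels.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in zone and zone[parent][0] == "NS":
            return ("referral", zone[parent][1], zone[parent][2])
    return ("nxdomain", None, 0)


class CachingResolver:
    """The ISP/local caching server: serves recursive queries from clients by
    iterating through the hierarchy and caching what it learns."""

    def __init__(self, clock=time.time):
        self.cache = {}      # qname -> (rdata, expires_at)
        self.clock = clock   # injectable so TTL expiry can be demonstrated
        self.trace = []      # every server contacted, in order, or "cache"

    def resolve(self, qname):
        now = self.clock()
        hit = self.cache.get(qname)
        if hit and hit[1] > now:          # cached and TTL not yet expired
            self.trace.append("cache")
            return hit[0]
        server = "root"                   # iteration always starts at a root hint
        for _ in range(16):               # guard against referral loops
            self.trace.append(server)
            kind, data, ttl = authoritative_query(server, qname)
            if kind == "answer":
                self.cache[qname] = (data, now + ttl)
                return data
            if kind == "referral":
                server = data             # follow the referral one level down
                continue
            return None                   # nxdomain
        return None


if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("www.sina.com."), r.trace)   # walks root -> com-server -> sina-server
    print(r.resolve("www.sina.com."), r.trace)   # second lookup is served from the cache
```

The trace attribute is the point of the example: the first lookup shows the iterative chain, the second shows a cache hit, and after the 60-second TTL the chain is walked again. This is also what `dig +trace` prints for a real name.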
nslookup
Looks up a DNS name and returns its IP address. In interactive mode, `set type=a/ptr/mx/ns` (and so on) selects the record type and `server x.x.x.x` sets the DNS server to query.
Non-interactive example, querying 163.com with 8.8.8.8 as the resolver (the canonical form is `nslookup -type=any 163.com 8.8.8.8`; the `@server` notation belongs to dig, not nslookup):

root@kali:~# nslookup 163.com -type=any 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: 163.com
Address: 123.58.180.8
Name: 163.com
Address: 123.58.180.7

"Non-authoritative answer" means the records came from 8.8.8.8's cache, not directly from 163.com's own name servers.
DIG
Basic queries
dig covers what nslookup does and adds some extras. Querying every record type for sina.com through 8.8.8.8 (`@server` selects the server to ask):

root@kali:~# dig sina.com any @8.8.8.8
; <<>> DiG 9.11.5-P4-5-Debian <<>> sina.com any @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5760
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sina.com. IN ANY
;; ANSWER SECTION:
sina.com. 59 IN A 66.102.251.33
sina.com. 59 IN TXT "v=spf1 include:spf.sinamail.sina.com.cn -all"
sina.com. 299 IN SOA ns1.sina.com.cn. zhihao.staff.sina.com.cn. 2005042601 900 300 604800 300
sina.com. 21599 IN NS ns3.sina.com.
sina.com. 21599 IN NS ns1.sina.com.
sina.com. 21599 IN NS ns1.sina.com.cn.
sina.com. 21599 IN NS ns2.sina.com.
sina.com. 21599 IN NS ns4.sina.com.cn.
sina.com. 21599 IN NS ns3.sina.com.cn.
sina.com. 21599 IN NS ns2.sina.com.cn.
sina.com. 21599 IN NS ns4.sina.com.
sina.com. 59 IN MX 10 freemx3.sinamail.sina.com.cn.
sina.com. 59 IN MX 5 freemx1.sinamail.sina.com.cn.
sina.com. 59 IN MX 10 freemx2.sinamail.sina.com.cn.
;; Query time: 453 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May 08 03:55:18 EDT 2019
;; MSG SIZE rcvd: 3951

One query already yields the authoritative name servers (NS), the mail exchangers (MX; the lowest preference value is tried first) and the SOA, whose second field is the responsible mailbox with the first dot standing for "@" (zhihao.staff.sina.com.cn. reads as zhihao@staff.sina.com.cn). The SPF TXT record is reconnaissance in itself: `include:spf.sinamail.sina.com.cn` names the mail infrastructure the domain sends through. Do not rely on ANY, though: many resolvers and authoritative servers now return a minimal or refused answer to ANY (RFC 8482), so when it comes back short, ask for the individual types (A, NS, MX, TXT, SOA) instead.

Querying through the local default DNS server:
root@kali:~# dig mail.163.com any
; <<>> DiG 9.11.5-P4-5-Debian <<>> mail.163.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10811
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.163.com. IN ANY
;; ANSWER SECTION:
mail.163.com. 311 IN CNAME mail163.ntes53.netease.com.
;; AUTHORITY SECTION:
163.com. 110913 IN NS ns6.nease.net.
163.com. 110913 IN NS ns3.nease.net.
163.com. 110913 IN NS ns8.166.com.
163.com. 110913 IN NS ns5.nease.net.
163.com. 110913 IN NS ns4.nease.net.
163.com. 110913 IN NS ns1.nease.net.
163.com. 110913 IN NS ns2.166.com.
;; ADDITIONAL SECTION:
ns1.nease.net. 102634 IN A 123.58.173.177
ns3.nease.net. 98134 IN A 220.181.36.234
ns4.nease.net. 113712 IN A 123.125.48.245
ns5.nease.net. 110335 IN A 121.195.179.18
ns6.nease.net. 89622 IN A 52.215.24.44
;; Query time: 2 msec
;; SERVER: 10.10.10.2#53(10.10.10.2)
;; WHEN: Wed May 08 05:47:45 EDT 2019
;; MSG SIZE rcvd: 297

To run the same query through 8.8.8.8 instead, append `@8.8.8.8` as in the sina.com example above. Here the answer is a CNAME (mail.163.com is an alias for mail163.ntes53.netease.com), and the AUTHORITY and ADDITIONAL sections hand over the 163.com name servers and their addresses for free.

To drop the header and footer and print only the answer section:
root@kali:~# dig +noall +answer mail.163.com any
Reverse lookup
dig -x <address> performs a reverse lookup: it rewrites the address as a name under in-addr.arpa (octets reversed, as the QUESTION section below shows) and asks for its PTR record. A typical chain: list the domain's MX hosts, resolve one of them to its addresses, then reverse one of those addresses:

root@kali:~# dig 163.com mx
; <<>> DiG 9.11.5-P4-5-Debian <<>> 163.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60399
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 7, ADDITIONAL: 14
;; QUESTION SECTION:
;163.com. IN MX
;; ANSWER SECTION:
163.com. 5 IN MX 50 163mx00.mxmail.netease.com.
163.com. 5 IN MX 10 163mx01.mxmail.netease.com.
163.com. 5 IN MX 10 163mx02.mxmail.netease.com.
163.com. 5 IN MX 10 163mx03.mxmail.netease.com.
;; AUTHORITY SECTION:
163.com. 5 IN NS ns1.nease.net.
163.com. 5 IN NS ns4.nease.net.
163.com. 5 IN NS ns6.nease.net.
163.com. 5 IN NS ns2.166.com.
163.com. 5 IN NS ns8.166.com.
163.com. 5 IN NS ns3.nease.net.
163.com. 5 IN NS ns5.nease.net.
;; ADDITIONAL SECTION:
163mx01.mxmail.netease.com. 5 IN A 220.181.14.136
163mx01.mxmail.netease.com. 5 IN A 220.181.14.137
163mx01.mxmail.netease.com. 5 IN A 220.181.14.138
163mx01.mxmail.netease.com. 5 IN A 220.181.14.139
163mx01.mxmail.netease.com. 5 IN A 220.181.14.140
163mx01.mxmail.netease.com. 5 IN A 220.181.14.141
163mx01.mxmail.netease.com. 5 IN A 220.181.14.142
163mx01.mxmail.netease.com. 5 IN A 220.181.14.143
163mx01.mxmail.netease.com. 5 IN A 220.181.14.135
163mx02.mxmail.netease.com. 5 IN A 220.181.14.146
163mx02.mxmail.netease.com. 5 IN A 220.181.14.147
163mx02.mxmail.netease.com. 5 IN A 220.181.14.148
163mx02.mxmail.netease.com. 5 IN A 220.181.14.149
163mx02.mxmail.netease.com. 5 IN A 220.181.14.150
;; Query time: 3 msec
;; SERVER: 10.10.10.2#53(10.10.10.2)
;; WHEN: Wed May 08 04:03:48 EDT 2019
;; MSG SIZE rcvd: 499
// dig further: resolve one of the MX hosts to its addresses
root@kali:~# dig 163mx03.mxmail.netease.com
; <<>> DiG 9.11.5-P4-5-Debian <<>> 163mx03.mxmail.netease.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33520
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 7, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;163mx03.mxmail.netease.com. IN A
;; ANSWER SECTION:
163mx03.mxmail.netease.com. 5 IN A 220.181.14.163
163mx03.mxmail.netease.com. 5 IN A 220.181.14.164
163mx03.mxmail.netease.com. 5 IN A 220.181.14.156
163mx03.mxmail.netease.com. 5 IN A 220.181.14.157
163mx03.mxmail.netease.com. 5 IN A 220.181.14.158
163mx03.mxmail.netease.com. 5 IN A 220.181.14.159
163mx03.mxmail.netease.com. 5 IN A 220.181.14.160
163mx03.mxmail.netease.com. 5 IN A 220.181.14.161
163mx03.mxmail.netease.com. 5 IN A 220.181.14.162
;; AUTHORITY SECTION:
netease.com. 5 IN NS ns2.166.com.
netease.com. 5 IN NS ns6.nease.net.
netease.com. 5 IN NS ns1.nease.net.
netease.com. 5 IN NS ns5.nease.net.
netease.com. 5 IN NS ns8.166.com.
netease.com. 5 IN NS ns4.nease.net.
netease.com. 5 IN NS ns3.nease.net.
;; ADDITIONAL SECTION:
ns1.nease.net. 5 IN A 123.58.173.177
ns3.nease.net. 5 IN A 220.181.36.234
ns4.nease.net. 5 IN A 123.125.48.245
ns5.nease.net. 5 IN A 121.195.179.18
ns6.nease.net. 5 IN A 52.215.24.44
;; Query time: 13 msec
;; SERVER: 10.10.10.2#53(10.10.10.2)
;; WHEN: Wed May 08 04:04:46 EDT 2019
;; MSG SIZE rcvd: 418
// pick one of those addresses and reverse it
root@kali:~# dig -x 220.181.14.163
; <<>> DiG 9.11.5-P4-5-Debian <<>> -x 220.181.14.163
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;163.14.181.220.in-addr.arpa. IN PTR
;; ANSWER SECTION:
163.14.181.220.in-addr.arpa. 5 IN PTR m14-163.188.com.
;; AUTHORITY SECTION:
181.220.in-addr.arpa. 5 IN NS idc-ns2.bjtelecom.net.
181.220.in-addr.arpa. 5 IN NS idc-ns3.bjtelecom.net.
181.220.in-addr.arpa. 5 IN NS idc-ns1.bjtelecom.net.
;; ADDITIONAL SECTION:
idc-ns1.bjtelecom.net. 5 IN A 218.30.26.68
idc-ns1.bjtelecom.net. 5 IN AAAA 240e:0:9000:200::68
idc-ns2.bjtelecom.net. 5 IN A 218.30.26.70
idc-ns2.bjtelecom.net. 5 IN AAAA 240e:0:9000:200::70
idc-ns3.bjtelecom.net. 5 IN A 211.100.2.125
idc-ns3.bjtelecom.net. 5 IN AAAA 240e:0:9000:201::72
;; Query time: 60 msec
;; SERVER: 10.10.10.2#53(10.10.10.2)
;; WHEN: Wed May 08 04:05:21 EDT 2019
;; MSG SIZE rcvd: 296

The PTR name (m14-163.188.com) is not the name we started from (163mx03.mxmail.netease.com). That is normal: PTR records live in the reverse zone of whoever controls the address block (here 181.220.in-addr.arpa is served by bjtelecom.net, see the AUTHORITY section), and one address commonly fronts many forward names while carrying a single PTR. Treat a PTR as a lead to be confirmed with a forward lookup, not as proof of who owns the address.
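What dig -x does before it sends anything, plus the check a practitioner runs on the PTR it gets back, as an added example that is not part of the original notes. It covers IPv6 (ip6.arpa) as well as the IPv4 case above. The forward table is constructed for offline use; in particular the mapping of m14-163.188.com. to 220.181.14.163 is assumed for the demonstration, not verified.

```python
"""Reverse-name construction and forward-confirmed reverse DNS (added example;
the FORWARD table is constructed data, not live lookups)."""
import ipaddress


def reverse_name(ip):
    """Build the name dig -x queries: reversed octets under in-addr.arpa for
    IPv4, reversed hex nibbles under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")       # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed forward data standing in for real A lookups.
FORWARD = {
    "163mx03.mxmail.netease.com.": {"220.181.14.156", "220.181.14.163", "220.181.14.164"},
    "m14-163.188.com.": {"220.181.14.163"},        # assumed for the demo
    "mail.example.com.": {"198.51.100.7"},         # a PTR pointing at someone else's name
}


def forward_lookup(name):
    """Stand-in for an A query; returns the set of addresses for a name."""
    return FORWARD.get(name, set())


def forward_confirmed(ip, ptr_names, lookup=forward_lookup):
    """Forward-confirmed reverse DNS (FCrDNS).

    A PTR record is published by whoever controls the address block (here
    bjtelecom.net, per the AUTHORITY section above), not by the domain owner,
    so it can name anything. Only trust a PTR name when resolving it forward
    gives back the original address. Returns {ptr_name: confirmed?}.
    """
    return {name: ip in lookup(name) for name in ptr_names}


if __name__ == "__main__":
    print(reverse_name("220.181.14.163"))          # 163.14.181.220.in-addr.arpa.
    print(reverse_name("240e:0:9000:200::68"))     # 8.6.0.0.[...].e.0.4.2.ip6.arpa.
    print(forward_confirmed("220.181.14.163", ["m14-163.188.com.", "mail.example.com."]))
```

The standard library exposes the same construction as `ipaddress.ip_address(x).reverse_pointer` (without the trailing dot); the hand-rolled version above is there so the octet and nibble reversal is visible. In a real tool, `lookup` would wrap an actual A/AAAA query.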
BIND version information
Most DNS servers run BIND, and some expose their BIND version, which can be matched against known vulnerabilities for that release. The version is served as a TXT record in the CHAOS class under the name version.bind (hostname.bind is queried the same way):

root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns3.dnsv4.com

In most cases it is hidden. First find the domain's name servers, then ask one of them directly:

// find the NS records
root@kali:~# dig sina.com NS
; <<>> DiG 9.11.5-P4-5-Debian <<>> sina.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29746
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;sina.com. IN NS
;; ANSWER SECTION:
sina.com. 5 IN NS ns3.sina.com.cn.
sina.com. 5 IN NS ns2.sina.com.cn.
sina.com. 5 IN NS ns4.sina.com.
sina.com. 5 IN NS ns1.sina.com.
sina.com. 5 IN NS ns1.sina.com.cn.
sina.com. 5 IN NS ns4.sina.com.cn.
sina.com. 5 IN NS ns3.sina.com.
sina.com. 5 IN NS ns2.sina.com.
;; ADDITIONAL SECTION:
ns1.sina.com.cn. 5 IN A 202.106.184.166
ns2.sina.com.cn. 5 IN A 180.149.138.199
ns3.sina.com.cn. 5 IN A 123.125.29.99
ns4.sina.com.cn. 5 IN A 121.14.1.22
;; Query time: 116 msec
;; SERVER: 10.10.10.2#53(10.10.10.2)
;; WHEN: Wed May 08 04:15:57 EDT 2019
;; MSG SIZE rcvd: 256
root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.sina.com
VERSION.BIND. 0 CH TXT " " // nothing shown here: the server answers with a blank string instead of its version

On the defending side this is the `version "none";` (or any custom string) setting in the `options` block of named.conf; a blank or fake string like the one above is the expected result on a hardened server.
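Turning `dig +noall +answer` output into data, as an added example that is not part of the original notes: it serves both the `+noall +answer` shortcut introduced earlier (extracting NS and MX records from a sina.com answer) and the version.bind check above (deciding whether a CHAOS TXT reply actually disclosed a version). The sample lines are constructed from the sina.com output on this page; the reply containing "9.11.5-P4-5-Debian" is a hypothetical example of a server that does disclose.

```python
"""Parser for dig +noall +answer lines, with MX/NS extraction and a
version.bind interpreter (added example; SAMPLE is constructed input)."""
import re

# Constructed sample in the shape `dig +noall +answer sina.com any` prints.
SAMPLE = """\
sina.com.  59    IN  A   66.102.251.33
sina.com.  59    IN  TXT "v=spf1 include:spf.sinamail.sina.com.cn -all"
sina.com.  21599 IN  NS  ns1.sina.com.cn.
sina.com.  21599 IN  NS  ns3.sina.com.
sina.com.  59    IN  MX  10 freemx3.sinamail.sina.com.cn.
sina.com.  59    IN  MX  5 freemx1.sinamail.sina.com.cn.
sina.com.  59    IN  MX  10 freemx2.sinamail.sina.com.cn.
"""

# owner  ttl  class  type  rdata   (class IN for normal records, CH for version.bind)
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?P<cls>IN|CH)\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$"
)


def parse_answer(text):
    """Parse answer lines into (name, ttl, class, type, rdata) tuples,
    skipping blank lines and `;` comments."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = LINE.match(line)
        if not m:
            continue                      # keep the parser strict; ignore odd lines
        records.append((m["name"], int(m["ttl"]), m["cls"], m["type"], m["rdata"]))
    return records


def mx_by_preference(records):
    """MX hosts as (preference, host), lowest preference first: the order a
    sender tries them, and the order worth probing."""
    mx = []
    for _, _, _, rtype, rdata in records:
        if rtype == "MX":
            pref, host = rdata.split(None, 1)
            mx.append((int(pref), host))
    return sorted(mx)


def name_servers(records):
    """Sorted NS targets; these are the hosts to send the CHAOS query to."""
    return sorted(r[4] for r in records if r[3] == "NS")


def bind_version(text):
    """Interpret the reply to `dig +noall +answer txt chaos VERSION.BIND @server`.

    Returns the disclosed version string, or None when the server hides it:
    no answer at all, or a TXT whose content is empty or blank, as in the
    ns2.sina.com reply above.
    """
    for name, _, cls, rtype, rdata in parse_answer(text):
        if cls == "CH" and rtype == "TXT" and name.lower() == "version.bind.":
            value = rdata.strip().strip('"').strip()
            return value or None
    return None


if __name__ == "__main__":
    recs = parse_answer(SAMPLE)
    print(name_servers(recs))
    print(mx_by_preference(recs))
    print(bind_version('VERSION.BIND. 0 CH TXT " "'))                   # None: hidden
    print(bind_version('VERSION.BIND. 0 CH TXT "9.11.5-P4-5-Debian"'))  # hypothetical disclosure
```

In practice the text fed to `parse_answer` comes from `subprocess.run(["dig", "+noall", "+answer", ...])`; the parser is kept separate from the network call so it can be tested on saved output like the lines above.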
trace (following the resolution step by step)
DNS hijacking sometimes occurs; following the resolution step by step (which is exactly what `dig +trace` does, walking from the root the way the iterative model above describes) shows where a bogus answer enters. What follows describes a Wireshark capture of the full resolution of the FQDN www.sina.com (the screenshots themselves are not included on this page).
The first two packets show my machine sending a query to its configured DNS server:
Query: record type NS, class IN (Internet).
Server's reply: the names of the 13 root name servers.
It then immediately queries the A records (IP addresses) of those 13 root servers.
The next reply is the referral: NS records for the target domain's authoritative name servers (baidu's, in the captured trace).
It then asks the DNS server for those servers' IP addresses.
As before, it picks one of them and sends the query to it:
and finally receives the CNAME record as the result:
This sequence confirms the iterative query model of DNS resolution.
WHOIS information
whois returns the registration record for a domain: registrar, creation and expiry dates, status locks, name servers and, where not redacted, registrant contacts. For qq.com the registry (VeriSign) record comes first, followed by the registrar (MarkMonitor) record:

root@kali:~# whois qq.com
   Domain Name: QQ.COM
   Registry Domain ID: 2895300_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2019-01-30T03:30:02Z
   Creation Date: 1995-05-04T04:00:00Z
   Registry Expiry Date: 2027-07-27T02:09:19Z   // registration expiry date
   Registrar: MarkMonitor Inc.   // registrar
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
   Registrar Abuse Contact Phone: +1.2083895740
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.QQ.COM
   Name Server: NS2.QQ.COM
   Name Server: NS3.QQ.COM
   Name Server: NS4.QQ.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-05-10T15:26:50Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: qq.com
Registry Domain ID: 2895300_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-01-29T19:24:11-0800
Creation Date: 1995-05-03T21:00:00-0700
Registrar Registration Expiration Date: 2027-07-26T19:09:19-0700
Registrar: MarkMonitor, Inc.   // the domain's registrar is MarkMonitor
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Shenzhen Tencent Computer Systems CO.,Ltd
Registrant State/Province: Guang Dong
Registrant Country: CN
Admin Organization: Shenzhen Tencent Computer Systems CO.,Ltd
Admin State/Province: Guang Dong
Admin Country: CN
Tech Organization: Shenzhen Tencent Computer Systems CO.,Ltd
Tech State/Province: Guang Dong
Tech Country: CN
Name Server: ns2.qq.com   // four DNS servers
Name Server: ns1.qq.com
Name Server: ns3.qq.com
Name Server: ns4.qq.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-05-10T08:17:56-0700 <<<

For more information on WHOIS status codes, please visit:
  https://www.icann.org/resources/pages/epp-status-codes

If you wish to contact this domain's Registrant, Administrative, or Technical
contact, and such email address is not visible above, you may do so via our
webform, pursuant to ICANN's Temporary Specification. To verify that you are not a
robot, please enter your email address to receive a link to a page that
facilitates email communication with the relevant contact(s).

Web-based WHOIS: https://domains.markmonitor.com/whois

If you have a legitimate interest in viewing the non-public WHOIS details, send
your request and the reasons for your request to whoisrequest@markmonitor.com
and specify the domain name in the subject line. We will review that request and
may ask for supporting documentation and explanation.

The data in MarkMonitor's WHOIS database is provided for information purposes,
and to assist persons in obtaining information about or related to a domain
name's registration record. While MarkMonitor believes the data to be accurate,
the data is provided "as is" with no guarantee or warranties regarding its
accuracy.

By submitting a WHOIS query, you agree that you will use this data only for
lawful purposes and that, under no circumstances will you use this data to:
(1) allow, enable, or otherwise support the transmission by email, telephone,
or facsimile of mass, unsolicited, commercial advertising, or spam; or
(2) enable high volume, automated, or electronic processes that send queries,
data, or email to MarkMonitor (or its systems) or the domain name contacts (or
its systems).

MarkMonitor.com reserves the right to modify these terms at any time.

By submitting this query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiCounterfeiting(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services

Visit MarkMonitor at https://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220

Two things are worth reading off a record like this. The Domain Status codes: clientTransferProhibited and the other client*/server*Prohibited codes are registrar and registry locks against transfer, update and deletion, and a target domain without them is notable. And the expiry date, since a domain that lapses can be registered by anyone. Personal registrant contact details are largely redacted since ICANN's Temporary Specification (the GDPR response the MarkMonitor notice refers to), which is why only the organization and country survive above.
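Pulling the useful facts out of a whois record, as an added example that is not part of the original notes. The sample is a constructed excerpt of the registry record for qq.com shown in this section, and the reference date NOW is the date of that query; the parser deliberately stops at the `>>>` trailer so the legal notice is never parsed.

```python
"""Whois record parser and summary (added example; SAMPLE_WHOIS is a constructed
excerpt of the registry record above, NOW is the query date)."""
from datetime import datetime, timezone

# Constructed excerpt in the shape the registry (VeriSign) record above uses.
SAMPLE_WHOIS = """\
   Domain Name: QQ.COM
   Registry Domain ID: 2895300_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Updated Date: 2019-01-30T03:30:02Z
   Creation Date: 1995-05-04T04:00:00Z
   Registry Expiry Date: 2027-07-27T02:09:19Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Name Server: NS1.QQ.COM
   Name Server: NS2.QQ.COM
   DNSSEC: unsigned
>>> Last update of whois database: 2019-05-10T15:26:50Z <<<
TERMS OF USE: not parsed, see the break on the >>> line above
"""

NOW = datetime(2019, 5, 10, tzinfo=timezone.utc)   # date of the query above


def parse_whois(text):
    """Collect `Key: Value` lines into {key: [values]}; keys such as
    Domain Status and Name Server legitimately repeat. Parsing stops at the
    `>>>` trailer, which separates the record from the legal notice."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">>>"):
            break
        if ":" not in line:
            continue
        key, _, value = line.partition(":")      # first colon only; values hold URLs
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def summarize(fields, now=NOW):
    """The facts a recon note needs, plus the two checks that matter for
    takeover risk: time left before expiry and whether transfer locks are set."""
    expiry = datetime.strptime(
        fields["Registry Expiry Date"][0], "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    statuses = {s.split()[0] for s in fields.get("Domain Status", [])}
    return {
        "registrar": fields["Registrar"][0],
        "name_servers": sorted(ns.lower() for ns in fields.get("Name Server", [])),
        "dnssec": fields.get("DNSSEC", ["?"])[0],
        "days_to_expiry": (expiry - now).days,
        "transfer_locked": "clientTransferProhibited" in statuses,
        "registry_locked": any(s.startswith("server") for s in statuses),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{key:16} {value}")
```

The registrar's own record (the MarkMonitor half above) uses slightly different keys, for example "Registrar Registration Expiration Date" with a numeric UTC offset, so a tool that queries both servers needs a second date format; the summary here is written against the registry record only.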