Penetration Testing: Data Collection
Reading time: 1043 characters, about 6 minutes
Written: 2017-06-06
Previous article: Penetration Testing: Target Host Identification
Next article: burp_suite
Ox01 Introduction
Data collection is usually the prelude to attacking a website, and the information gathered here shapes every later stage of the penetration test.
Ox02 Test environment
Description: Kali GNU/Linux Rolling
Linux xxx 4.9.0-kali4-amd64 #1 SMP Debian 4.9.25-1kali1 (2017-05-04) x86_64 GNU/Linux
Ox03 Domain lookups and information gathering
whois returns the registration record of a domain: the registrant and technical contacts (phone numbers, e-mail addresses, postal address), the registrar, and the authoritative name servers. Many registrars publish proxy or privacy-service contacts rather than the real owner, so treat these fields as leads to verify, not as facts.
Ox>> whois baidu.com
(partial output)
Registry Tech ID:
Tech Name: Domain Admin
Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Tech Street: 3F Baidu Campus No.10, Shangdi 10th Street Haidian District
Tech City: Beijing
Tech State/Province: Beijing
Tech Postal Code: 100085
Tech Country: CN
Tech Phone: +86.1059928888
Tech Phone Ext:
Tech Fax: +86.1059928888
Tech Fax Ext:
Tech Email: domainmaster@baidu.com
Name Server: ns7.baidu.com
Name Server: ns4.baidu.com
Name Server: dns.baidu.com
Name Server: ns2.baidu.com
Name Server: ns3.baidu.com
host shows the records returned when the domain is resolved, for example:
Ox>> host howduudu.xyz
howduudu.xyz is an alias for zhenxianluo.github.io.
zhenxianluo.github.io is an alias for github.map.fastly.net.
github.map.fastly.net has address 151.101.72.133
The first line says that howduudu.xyz is an alias (a CNAME) for zhenxianluo.github.io.
The second line is the same kind of record one step further: zhenxianluo.github.io is in turn an alias for github.map.fastly.net.
The third line gives the IP address of github.map.fastly.net, 151.101.72.133. Note that this address belongs to the CDN (Fastly) edge that fronts GitHub Pages, not to a machine the site owner runs, so scanning it tells you about the CDN rather than about the origin server.
dig gives more detail than host: the record types and TTLs, which resolver answered, and the response flags.
Ox>> dig howduudu.xyz
; <<>> DiG 9.10.3-P4-Debian <<>> howduudu.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60272
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;howduudu.xyz. IN A
;; ANSWER SECTION:
howduudu.xyz. 300 IN CNAME zhenxianluo.github.io.
zhenxianluo.github.io. 615 IN CNAME github.map.fastly.net.
github.map.fastly.net. 300 IN A 151.101.72.133
;; Query time: 30 msec
;; SERVER: 192.168.5.1#53(192.168.5.1)
;; WHEN: Mon Jun 05 22:06:18 CST 2017
;; MSG SIZE rcvd: 116
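The chain above can be followed mechanically. The shell snippet below is an added example, not code from the original post: it reads a dig ANSWER SECTION (here a constructed copy of the one above), walks the CNAME records from the queried name to the terminal A record, and flags whether the last name sits under a well-known CDN suffix. The suffix list in cdn_hint is a small hand-picked assumption, not a complete catalogue.

```shell
#!/bin/sh
# Added example, not code from the original post: follow the CNAME chain
# in a dig ANSWER SECTION down to the terminal A record, then say whether
# that address belongs to a CDN edge instead of the site's own server.
# SAMPLE_ANSWER is a constructed copy of the answer section shown above.

SAMPLE_ANSWER='howduudu.xyz.           300 IN CNAME zhenxianluo.github.io.
zhenxianluo.github.io.  615 IN CNAME github.map.fastly.net.
github.map.fastly.net.  300 IN A     151.101.72.133'

# follow_chain NAME: read an answer section on stdin and print one line
# per hop, starting at NAME (dig prints owner names with a trailing dot).
# The hop counter guards against a CNAME loop in a malicious zone.
follow_chain() {
    awk -v start="$1." '
        $4 == "CNAME" { cname[$1] = $5 }
        $4 == "A"     { addr[$1] = $5 }
        END {
            name = start; hops = 0
            while ((name in cname) && hops++ < 16) {
                print name " -> " cname[name]
                name = cname[name]
            }
            if (name in addr) print name " has address " addr[name]
            else              print name " has no A record in this answer"
        }'
}

# final_name NAME: the last owner name in the chain (the host that
# actually carries the A record, or the dangling name if unresolved).
final_name() {
    follow_chain "$1" | awk '$2 == "has" { print $1 }'
}

# final_address NAME: the terminal A record, or nothing if unresolved.
final_address() {
    follow_chain "$1" | awk '$2 == "has" && $3 == "address" { print $4 }'
}

# cdn_hint HOSTNAME: name the CDN implied by the suffix, or print nothing.
# The list is a small hand-picked assumption, not exhaustive. A hit means
# the address is an edge node: port scans and exploitation attempts would
# land on the CDN, not on the origin server.
cdn_hint() {
    case "${1%.}" in
        *.fastly.net)                    echo fastly ;;
        *.cloudfront.net)                echo cloudfront ;;
        *.akamaiedge.net|*.edgekey.net)  echo akamai ;;
        *.cloudflare.net)                echo cloudflare ;;
        *) ;;
    esac
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_ANSWER" | follow_chain howduudu.xyz
last=$(printf '%s\n' "$SAMPLE_ANSWER" | final_name howduudu.xyz)
cdn=$(cdn_hint "$last")
if [ -n "$cdn" ]; then
    echo "$last is served by $cdn: the A record is a CDN edge, not the origin"
else
    echo "$last does not match a known CDN suffix"
fi
```

To use it on a live target, pipe `dig +noall +answer <name>` into follow_chain instead of the constructed sample.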
fierce brute-forces subdomains and works well. It first attempts a zone transfer (AXFR) against each name server of the domain, which would hand over the entire zone if a server allows it; when that fails it checks for wildcard DNS, so that labels resolving only because of a catch-all record can be discarded, and then brute-forces labels from its built-in wordlist. -threads sets the number of parallel lookups.
Ox>> fierce -dns jhc.cn -threads 3
DNS Servers for jhc.cn:
dns1.jhc.cn
dns3.jhc.cn
dns2.jhc.cn
Trying zone transfer first...
unresolvable name: dns1.jhc.cn at /usr/bin/fierce line 226.
Testing dns1.jhc.cn
Request timed out or transfer not allowed.
Testing dns3.jhc.cn
Request timed out or transfer not allowed.
Testing dns2.jhc.cn
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
122.227.41.198 by.jhc.cn
122.227.41.195 dns2.jhc.cn
210.32.68.3 dns1.jhc.cn
211.140.143.3 dns3.jhc.cn
122.227.41.198 gh.jhc.cn
122.227.41.198 info.jhc.cn
122.227.41.198 lib.jhc.cn
122.227.41.201 mail.jhc.cn
122.227.41.198 news.jhc.cn
122.227.41.198 office.jhc.cn
122.227.41.201 spam.jhc.cn
122.227.41.198 tw.jhc.cn
122.227.41.196 vpn.jhc.cn
122.227.41.198 www.jhc.cn
Subnets found (may want to probe here using nmap or unicornscan):
122.227.41.0-255 : 12 hostnames found.
210.32.68.0-255 : 1 hostnames found.
211.140.143.0-255 : 1 hostnames found.
Done with Fierce scan: http://ha.ckers.org/fierce/
Found 14 entries.
Have a nice day.
IPv6 DNS brute force: dnsdict6 howduudu.xyz (from the THC-IPv6 suite)
Another option: dnsenum howduudu.xyz
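To make fierce's wildcard check and subnet summary concrete, here is an added example (not fierce's code and not from the original post) that reimplements the three steps fierce runs once the zone transfer fails: probe a random label for wildcard DNS, brute-force a word list, and count hits per /24. The resolver is passed in as a function so the logic can run offline: lookup_a wraps the real host command, while fake_lookup and fake_wildcard_lookup are constructed tables with hypothetical names (example.test, wild.test) and documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the original post: the three steps fierce
# performs after the zone transfer fails (wildcard check, brute force,
# /24 grouping), with the resolver made pluggable so the logic runs offline.
# lookup_a wraps the real host(1) command; fake_lookup and fake_wildcard_lookup
# answer from constructed tables (hypothetical names, documentation addresses).

# lookup_a NAME: first A record of NAME via host(1), or nothing.
lookup_a() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $4; exit }'
}

# Constructed table: a domain without wildcard DNS.
fake_lookup() {
    case "$1" in
        www.example.test)  echo 122.227.41.198 ;;
        mail.example.test) echo 122.227.41.201 ;;
        vpn.example.test)  echo 122.227.41.196 ;;
        ns1.example.test)  echo 210.32.68.3 ;;
        *) ;;
    esac
}

# Constructed table: a domain whose wildcard record answers every label.
fake_wildcard_lookup() {
    case "$1" in
        www.wild.test) echo 203.0.113.10 ;;
        *.wild.test)   echo 203.0.113.99 ;;
        *) ;;
    esac
}

# wildcard_ip RESOLVER DOMAIN: resolve a label that should not exist.
# Prints the wildcard address, or nothing when there is no wildcard.
wildcard_ip() {
    "$1" "fierce-probe-$$.$2"
}

# brute_force RESOLVER DOMAIN WORDS: try each word as a label and print
# "ip hostname" for every hit that is not just the wildcard answer.
brute_force() {
    bf_resolver=$1; bf_domain=$2; bf_words=$3
    bf_wild=$(wildcard_ip "$bf_resolver" "$bf_domain")
    for w in $bf_words; do
        name="$w.$bf_domain"
        ip=$("$bf_resolver" "$name")
        [ -n "$ip" ] || continue            # did not resolve
        [ "$ip" != "$bf_wild" ] || continue # only the wildcard answered
        printf '%s %s\n' "$ip" "$name"
    done
}

# subnets: read "ip hostname" lines and count hosts per /24, the same
# summary fierce prints under "Subnets found".
subnets() {
    awk '{ split($1, o, "."); net = o[1] "." o[2] "." o[3] ".0-255"; n[net]++ }
         END { for (k in n) printf "%s : %d hostnames found.\n", k, n[k] }' | sort
}

# Stand-alone run against the constructed tables.
WORDS="www mail ftp vpn ns1 dev"
echo "example.test (no wildcard):"
hits=$(brute_force fake_lookup example.test "$WORDS")
printf '%s\n' "$hits"
printf '%s\n' "$hits" | subnets
echo "wild.test (wildcard DNS, catch-all answers dropped):"
brute_force fake_wildcard_lookup wild.test "$WORDS"
```

Against a real domain, call `brute_force lookup_a <domain> "$(cat wordlist.txt)"`; the wildcard filter is what keeps a catch-all record from turning every word in the list into a false positive.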
dmitry is an all-in-one information gathering tool.
Ox>> dmitry -h
(dmitry has no -h option; the usage text is printed because the option is rejected)
dmitry: invalid option -- 'h'
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve Netcraft.com information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
Brief description of the options:
-o Write the output to the given file
-w Run a whois lookup on the domain name
-p TCP port scan of the target host
-e Search Google and AltaVista for possible e-mail addresses (these web-search features are dated; AltaVista no longer exists, so expect few or no results)
-n Retrieve information about the site from Netcraft.com
-s Search for possible subdomains
Route tracing: traceroute and tcptraceroute. traceroute on Linux sends UDP probes by default and relies on ICMP time-exceeded replies, so a hop behind a firewall that drops them shows up as *; tcptraceroute sends TCP SYN probes to a port the target actually serves (80 here), so the probes pass the same filters as ordinary web traffic and the final hop reports whether the port is open.
Ox>> traceroute howduudu.xyz
(partial route)
traceroute to howduudu.xyz (151.101.72.133), 30 hops max, 60 byte packets
1 QK365.lan (192.168.5.1) 3.434 ms 3.524 ms 5.869 ms
2 192.168.1.1 (192.168.1.1) 7.040 ms 8.157 ms 9.340 ms
3 124.74.149.50 (124.74.14×.50) 28.168 ms 124.74.149.54 (124.74.14×.54) 28.647 ms 124.74.35.154 (124.74.3×.154) 28.742 ms
4 124.74.149.53 (124.74.149.53) 15.069 ms 18.958 ms 18.951 ms
5 124.74.211.173 (124.74.211.173) 18.911 ms 22.665 ms 22.668 ms
6 * 101.95.120.78 (101.95.120.78) 8.005 ms 8.186 ms
Ox>> tcptraceroute howduudu.xyz
(full path from this machine to howduudu.xyz)
Selected device wlan0, address 192.168.5.110, port 40481 for outgoing packets
Tracing the path to howduudu.xyz (151.101.72.133) on TCP port 80 (http), 30 hops max
1 192.168.5.1 4.560 ms 1.884 ms 3.721 ms
2 192.168.1.1 2.156 ms 2.142 ms 2.442 ms
3 124.74.3*.154 51.455 ms
124.74.14*.50 5.863 ms
124.74.3*.154 6.512 ms
4 124.74.14*.53 8.674 ms 5.557 ms 5.761 ms
5 124.74.21*.173 6.054 ms 9.828 ms 7.298 ms
6 101.95.120.78 6.734 ms 10.039 ms 6.557 ms
7 * * *
8 202.97.90.57 9.894 ms 10.282 ms 6.573 ms
9 p64-7-0-0.r26.tokyjp05.jp.bb.gin.ntt.net (129.250.66.61) 165.322 ms * 90.804 ms
10 * * ae-1.r31.tokyjp05.jp.bb.gin.ntt.net (129.250.2.153) 63.338 ms
11 129.250.3.253 92.424 ms 90.773 ms *
12 117.103.177.222 62.440 ms 141.758 ms 61.843 ms
13 151.101.72.133 [open] 138.521 ms 105.353 ms 107.867 ms
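Comparing the two traces by hand is tedious; the added example below (not from the original post) normalises both outputs to hop/address pairs, reports the hops that answered the TCP SYN probe but not the UDP probe, and reads the [open] marker tcptraceroute puts on the final hop. The two traces are constructed to mirror the shape of the output above, with the masked addresses replaced by documentation ranges, so they are not real hops.

```shell
#!/bin/sh
# Added example, not code from the original post: normalise traceroute and
# tcptraceroute output to "hop ip" pairs and report the hops that answered
# the TCP SYN probe but not the UDP probe. Both traces are constructed to
# mirror the shape of the output above; the masked addresses are replaced
# with documentation ranges (203.0.113.0/24, 198.51.100.0/24), so these
# are not real hops.

UDP_TRACE='traceroute to example.test (198.51.100.9), 30 hops max, 60 byte packets
 1  gw.lan (192.168.5.1)  3.434 ms  3.524 ms  5.869 ms
 2  192.168.1.1 (192.168.1.1)  7.040 ms  8.157 ms  9.340 ms
 3  203.0.113.50 (203.0.113.50)  28.168 ms  28.647 ms  28.742 ms
 4  * * *
 5  198.51.100.1 (198.51.100.1)  18.911 ms  22.665 ms  22.668 ms'

TCP_TRACE='Selected device wlan0, address 192.168.5.110, port 40481 for outgoing packets
Tracing the path to example.test (198.51.100.9) on TCP port 80 (http), 30 hops max
 1  192.168.5.1  4.560 ms  1.884 ms  3.721 ms
 2  192.168.1.1  2.156 ms  2.142 ms  2.442 ms
 3  203.0.113.50  51.455 ms
 4  203.0.113.53  8.674 ms  5.557 ms  5.761 ms
 5  198.51.100.1  6.054 ms  9.828 ms  7.298 ms
 6  198.51.100.9 [open]  138.521 ms  105.353 ms  107.867 ms'

# hops: read a trace on stdin and print "hop ip" for each hop line; a hop
# with no reply at all becomes "hop *". Lines that do not start with a hop
# number (headers, continuation lines) are skipped. The first field that
# looks like a dotted IPv4 address wins, whether bare or in parentheses.
hops() {
    awk '$1 ~ /^[0-9]+$/ {
            ip = "*"
            for (i = 2; i <= NF; i++) {
                f = $i
                gsub(/[()]/, "", f)
                if (f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = f; break }
            }
            print $1, ip
        }'
}

# tcp_only_hops UDP_TRACE TCP_TRACE: hop numbers present in both traces
# where the UDP probe got no reply but the TCP probe did, i.e. filters
# that drop traceroute's default probes but pass web traffic.
tcp_only_hops() {
    {
        printf '%s\n' "$1" | hops | sed 's/^/U /'
        printf '%s\n' "$2" | hops | sed 's/^/T /'
    } | awk '
        $1 == "U" { u[$2] = $3 }
        $1 == "T" { t[$2] = $3 }
        END {
            for (h in t)
                if ((h in u) && u[h] == "*" && t[h] != "*") print h, t[h]
        }' | sort -n
}

# target_port_state TCP_TRACE: tcptraceroute marks the last hop with
# [open] or [closed]; "unknown" if the trace never reached the target.
target_port_state() {
    printf '%s\n' "$1" | awk '
        /\[open\]/   { print "open";   found = 1 }
        /\[closed\]/ { print "closed"; found = 1 }
        END { if (!found) print "unknown" }'
}

# Stand-alone run against the constructed traces.
echo "traceroute (UDP probes):";  printf '%s\n' "$UDP_TRACE" | hops
echo "tcptraceroute (TCP/80):";   printf '%s\n' "$TCP_TRACE" | hops
echo "hops answering TCP/80 but not UDP:"; tcp_only_hops "$UDP_TRACE" "$TCP_TRACE"
echo "target port 80: $(target_port_state "$TCP_TRACE")"
```

On a live target, capture each tool's output into a variable (or file) and pass it in the same way; a hop that appears only in the TCP trace is a filter worth noting for the later port-scanning stage.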
Ox04 Summary
With these whois and DNS tools it is easy to obtain the contact details of a site's registrant (phone numbers, e-mail addresses and so on), enumerate the subdomains of the target domain, and map the route that a TCP connection takes to the target host. All of this feeds the later stages, such as exploiting the information gathered and testing for weak passwords. Stay tuned...