╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃被动信息收集 ┃
┃ 公开渠道可获得的信息 ┃
┃ 与目标系统不产生直接交互 ┃
┃ 尽量避免留下一切痕迹 ┃
┃ OSINT: ┃
┃ 美国军方:http:/irp/doddir/army/atp2-22-9.pdf ┃
┃ 北大西洋公约组织 :http://information-retrieval.info/docs/NATO-OSINT.html ┃
┃ ┃
┃ Passiva ┃
┃ reconnaissance ┃
┃ (no direct Active ┃
┃ interaction reconnaissance |╲ ┃
┃ ──────────────────── ╲ ┃
┃ ╲ ╲ More information ┃
┃ > ● ● ● > greater chance of ┃
┃ ╱ ╱ detection ┃
┃ ──────────────────── ╱ ┃
┃ Normal intercation |╱ ┃
┃ ┃
┃ ┃
┃信息收集内容 ┃
┃ IP地址段 ┃
┃ 域名信息 ┃
┃ 邮件地址 ┃
┃ 文档图片数据 ┃
┃ 公司地址 ┃
┃ 公司组织架构 ┃
┃ 联系电话/传真号码 ┃
┃ 人员姓名/职务 ┃
┃ 目标系统使用的技术架构 ┃
┃ 公开的商业信息 ┃
┃ ┃
┃信息用途 ┃
┃ 用信息描述目标 ┃
┃ 发现 ┃
┃ 社会工程学攻击 ┃
┃ 物理缺口 ┃
┃ ┃
┃信息收集——DNS ┃
┃ 域名解析成IP地址 ┃
┃ 域名与FQDN的区别 ┃
┃ 域名记录:A、C nmae、NS、MX、MX、ptr ┃
┃ ┃
┃ ┃
┃ 递归查询流程 ┃
┃ ┃
┃ 2 ┃
┃ ┌─────────→ ┃
┃ │ 3 根域服务器 ┃
┃ │┌────────→ ┃
┃ 1 ││ 4 ┃
┃DNS客户端 ──→DNS服务器───────→ ┃
┃ ←── ↑│ 5 com 服务器 ┃
┃ ││ ───────→ ┃
┃ ││ ┃
┃ ││ ┃
┃ ││ 6 ┃
┃ │└────────→ ┃
┃ │ 7 ┃
┃ └─────────→ 服务器 ┃
┃ ┃
┃ ┃
┃DNS信息收集—–NSLOOKUP ┃
┃ nslookup ┃
┃ server ┃
┃ type=a、mx、ns、any ┃
┃ nslookup -type=ns 156.154.70.22 ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
A (Address) 记录是用来指定主机名(或域名)对应的IP地址记录。
说明:用户可以将该域名下的网站服务器指向到自己的web server上。同时也可以设置自己域名的二级域名。
MX :是邮件交换记录,它指向一个邮件服务器,用于电子邮件系统发邮件时根据 收信人的地址后缀来定位邮件服务器。
CNAME (Canonical Name)记录,(alias from one domain name to another)通常称别名指向
可以将注册的不同域名统统转到一个主域名上去!与A记录不同的是,CNAME别名记录设置的可以是一个域名的描述而不一定是IP地址!
URL (Uniform Resource Locator )转发:网址转发
功能:如果您没有一台独立的服务器(也就是没有一个独立的IP地址)或者您还有一个域名B,您想访问A域名时访问到B域名的内容,这时您就可以通过URL转发来实现。 添加URL转发时,值需要是一个合法的URL地址:
NS(Name Server)记录
是域名服务器记录,用来指定该域名由哪个DNS服务器来进行解析。
您注册域名时,总有默认的DNS服务器,每个注册的域名都是由一个
DNS域名服务器来进行解析的,
DNS服务器NS记录地址一般以以下的形式出现:
PTR记录 邮件交换记录:A记录和PTR记录,A记录解析名字到地址,而PTR记录解析地址到名字。地址是指一个客户端的IP地址,名字是指一个客户的完全合格域名。
TXT 记录,一般指为某个主机名或域名设置的说明
root:~# nslookup> Server:192.168.198.2Address: 192.168.198.2#53
就这样一层一层的解析;解析完成
当我们只想查A记录的时候,我们可以
> set type=a//只查a记录> Server:192.168.198.2Address: 192.168.198.2#53Non-authoritative answer: canonical name = . canonical name = . canonical name = . canonical name = .Name: Address: 202.102.75.147
当我们只想查mx记录的时候,我们可以
> set type=mx> Server:192.168.198.2Address: 192.168.198.2#53Non-authoritative answer: mail exchanger = 10 freemx2.. mail exchanger = 5 freemx1.. mail exchanger = 10 freemx3..Authoritative answers can be found from:> freemx1..Server:192.168.198.2Address: 192.168.198.2#53Non-authoritative answer:*** Can't find freemx1..: No answerAuthoritative answers can be found from:origin = mail addr = zhihao.serial = 0825refresh = 1800retry = 600expire = 604801minimum = 600
那我们再查一下主机记录;
> set type=a> > freemx1..Server:192.168.198.2Address: 192.168.198.2#53
我们可以查看域名服务器的地址
> set type=ns> Server:192.168.198.2Address: 192.168.198.2#53Non-authoritative answer: nameserver = . nameserver = . nameserver = . nameserver = . nameserver = . nameserver = . nameserver = . nameserver = .Authoritative answers can be found from
把主机名解析成对应的IP地址;
> set type=a> Server:192.168.198.2Address: 192.168.198.2#53Non-authoritative answer:Name: Address: 61.172.201.254> set q=ptr> 202.108.3.242Server:192.168.198.2Address: 192.168.198.2#53Non-authoritative answer:242.3.108.202.in-addr.arpa name = mail3-242..Authoritative answers can be found from
我们根据ip地址来解析一下网站名字
> set q=ptr(q是type的简写)> 202.108.3.242Server:192.168.198.2Address: 192.168.198.2#53Non-authoritative answer:242.3.108.202.in-addr.arpa name = mail3-242..Authoritative answers can be found from:
我们再 根据mail3-242..来解析一下A地址
> set q=a> mail3-242..Server:192.168.198.2Address: 192.168.198.2#53** server can't find mail3-242.: NXDOMAIN
可以看到一个域名可以对应多个IP
举个栗子:
> server 202.106.0.20Default server: 202.106.0.20Address: 202.106.0.20#53> Server:202.106.0.20Address: 202.106.0.20#53Non-authoritative answer: canonical name = . canonical name = . canonical name = . canonical name = .Name: Address: 202.108.33.60> server 8.8.8.8 //谷歌的IP地址Default server: 8.8.8.8Address: 8.8.8.8#53> Server:8.8.8.8Address: 8.8.8.8#53Non-authoritative answer: canonical name = . canonical name = .Name: Address: 66.102.251.33
现在的互联网上大部分的网站都会采用智能DNS
智能DNS的意思是:终端用户所处的网络不同,DNS查询结果是不一样的
使用set q=any,可以显示全部的记录
> set q=any> Server:8.8.8.8Address: 8.8.8.8#53Non-authoritative answer:Name: Address: 66.102. text = "v=spf1 include:spf. -all" //spf记录,它的作用反垃圾邮件origin = mail addr = zhihao.serial = 042601refresh = 900retry = 300expire = 604800minimum =nameserver = . nameserver = . nameserver = . nameserver = . nameserver = . nameserver = . nameserver = . nameserver = . mail exchanger = 10 freemx2.. mail exchanger = 10 freemx3.. mail exchanger = 5 freemx1..Authoritative answers can be found from:
root@kali:~# nslookup -q=any 114.114.114.114Server:114.114.114.114Address: 114.114.114.114#53Non-authoritative answer: text = "v=spf1 include: -all" mail exchanger = 50 ease. mail exchanger = 10 ease. mail exchanger = 10 ease. mail exchanger = 10 .Name: Address: 123.58.180.7Name: Address: 123.58. nameserver = . nameserver = . nameserver = . nameserver = . nameserver = . nameserver = . nameserver = . nameserver = .Authoritative answers can be found from: