读书笔记-信息收集1
一.枚举服务
枚举允许用户从网络中收集一类的所有相关信息
1.dns枚举工具dnsenum功能:
1.通过谷歌或字典猜测可能存在的域名
2.对一个网段进行反向查询
3.查询网站的主机地址信息,域名服务器和邮件交换记录
4.在域名服务器上执行axfr请求,然后通过谷歌脚本得到扩展域名信息,提取子域名并查询,最后计算c类地址并执行whois查询,执行反向查询,把地址段写入文件。
输入dnsenum --enum benet.com 结果如下:
smartmatch is experimental at /usr/bin/dnsenum line 698. smartmatch is experimental at /usr/bin/dnsenum line 698. dnsenum version:1.2.4 warning: can't load net::whois::ip module, whois queries disabled. warning: can't load www::mechanize module, google scraping desabled.
----- benet.com -----host's addresses:__________________
benet.com. 300 in a 69.172.201.153
wildcard detection using: axzajtibcbxx_______________________________________
axzajtibcbxx.benet.com. 300 in a 69.172.201.153
!!!!!!!!!!!!!!!!!!!!!!!!!!!! wildcards detected, all subdomains will point to the same ip address omitting results containing 69.172.201.153. maybe you are using opendns servers.!!!!!!!!!!!!!!!!!!!!!!!!!!!!name servers:______________
ns2.uniregistrymarket.link. 60 in a 176.74.176.175 ns2.uniregistrymarket.link. 60 in a 176.74.176.176 ns1.uniregistrymarket.link. 60 in a 64.96.240.54 ns1.uniregistrymarket.link. 60 in a 64.96.241.73
mail (mx) servers:___________________trying zone transfers and getting bind versions:_________________________________________________
trying zone transfer for benet.com on ns2.uniregistrymarket.link ... axfr record query failed: notauth trying zone transfer for benet.com on ns1.uniregistrymarket.link ... axfr record query failed: notauth brute force file not specified, bay.
输出信息显示了dns服务的详细信息。包括主机地址,域名服务器地址和邮件服务地址。
2.dns枚举工具fierce
功能:
对子域名进行扫描和收集信息
使用fierce工具获取一个目标主机上所有ip地址和主机信息。执行命令如下
root@kali:~#fierce -dns baidu.com
结果省略
输出的信息显示了baidu.com下所有的子域。
3.snmp枚举工具snmpwalk
snmpwalk是一个snmp应用程序。使用snmp的getnext请求,查询指定的所有oid(snmp协议中的对象标识)树信息,并显示给用户。
root@kali:~# snmpwalk -c public 192.168.41.138 -v 2c
尝试失败。。。
4.snmp枚举工具snmpcheck
root@kali:~# snmpcheck -t 192.168.41.138
同样尝试失败。。。
5.smtp枚举工具smtp-user-enum
root@kali:~# smtp-user-enum -m vrfy -u /tmp/users.txt -t 192.168.41.138
二.测试网络范围
1.域名查询工具dmitrydmitry工具是用来查询ip或whois信息的。
whois是用来查询域名是否已经被注册及已经注册域名的详细信息的数据库。
root@kali:~# dmitry -wnpb rzchina.net
子网掩码转换
root@kali:~# netmask -s rzchina.net 180.178.61.83/255.255.255.255
2.路由跟踪工具scapy功能:
交互式生成数据包或数据包集合
对数据包进行操作
发送数据包
包嗅探
应答和反馈匹配
root@kali:~# scapy
warning: no route found for ipv6 destination :: (no default route?)
info: can't import python ecdsa lib. disabled certificate manipulation tools
welcome to scapy (2.3.3)
>>> ans,unans=sr(ip(dst="www.rzchina.net/30",ttl=(1,6))/tcp())
begin emission:
....................**.**.**.**.**..****..**..............finished to send 24 packets.
....................................................................................................
.................................................................................................................................................................................................traceback (most recent call last):
file "<console>", line 1, in <module>
file "/usr/lib/python2.7/dist-packages/scapy/sendrecv.py", line 337, in sr
a,b=sndrcv(s,x,*args,**kargs)
file "/usr/lib/python2.7/dist-packages/scapy/sendrecv.py", line 137, in sndrcv
inp, out, err = select(inmask,[],[], remaintime)
error: (4, 'interrupted system call')
>>>
以表的形式查看数据包发送情况,执行命令如下所示:
>>ans.make_table(lambda(s,r):(s.dst,s.ttl,r.src))
尝试失败。。。
使用scapy查看tcp路由跟踪信息
>>> res,unans=traceroute(["www.google.com","www.kali.org","www.rzchina.net"],dport=[80,443],maxttl=20,retry=-2) begin emission: *.*.*.*.*.*.*.*.*.*.*.*.finished to send 120 packets. begin emission: finished to send 108 packets. begin emission: finished to send 108 packets. .. received 26 packets, got 12 answers, remaining 108 packets 180.178.61.83:tcp443 180.178.61.83:tcp80 192.124.249.10:tcp443 192.124.249.10:tcp80 31.13.84.1:tcp443 31.13.84.1:tcp80 1 192.168.1.1 11 192.168.1.1 11 192.168.1.1 11 192.168.1.1 11 192.168.1.1 11 192.168.1.1 11 2 42.198.120.1 11 42.198.120.1 11 42.198.120.1 11 42.198.120.1 11 42.198.120.1 11 42.198.120.1 11 >>>