DNS简介
访问某网站的时候,我们只需要打开浏览器输入例如:www.baidu.com就可以解析到该网站.为了便于记住不需要输入长长的IP地址去访问,这时DNS把相对应的域名解析成IP地址,这就是DNS域名解析.
关于域名
域名的层次划分用点来分割,最低在左边,高的在右边.例如:www.baidu.com.域名服务是基于UDP实现端口号为53.子域名还划分国家,地区,组织.
域名还需要由遍及世界的域名服务器去解析,也进行划分高低层次,由高到低:根域名服务器,顶级域名服务器,权限域名服务器,本地域名服务器.实际上DNS系统是一种分布式地址信息数据库系统.
查询过程:主机先向本地域名服务器进行递归查询->本地域名服务器迭代查询,向根域名服务器查询->根域名服务器告诉本地域名服务器,下次该查询的顶级域名服务器dns.com的IP地址->本地域名服务器向顶级域名服务器dns.com进行查询->顶级域名服务器com告诉本地域名服务器,下一步查询权限服务器dns.baidu.com的IP地址->本地域名服务器向权限服务器dns.baidu.com进行查询->权限服务器dns.baidu.com告诉本地域名服务器所查询的主机的IP地址->本地域名服务器最后把查询结果告诉主机.
DNS侦查
DNS侦查关心的是:识别谁拥有一个特定域或一系列IP地址,定义实际域名的DNS信息和标识目标的IP地址以及目标之间的路由.
whois查询
whois是识别分配给网站的地址,相关信息数据包括注册用户的域名或IP地址等等.
root@zhaji:~# whois baidu.com
Domain Name: BAIDU.COM
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-07-28T02:36:28Z
Creation Date: 1999-10-11T11:05:17Z
Registry Expiry Date: 2026-10-11T11:05:17Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: DNS.BAIDU.COM
Name Server: NS2.BAIDU.COM
Name Server: NS3.BAIDU.COM
Name Server: NS4.BAIDU.COM
Name Server: NS7.BAIDU.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-10-16T09:18:57Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: baidu.com
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-07-27T19:36:28-0700
Creation Date: 1999-10-11T04:05:17-0700
Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant State/Province: Beijing
Registrant Country: CN
Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Admin State/Province: Beijing
Admin Country: CN
Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Tech State/Province: Beijing
Tech Country: CN
Name Server: ns7.baidu.com
Name Server: ns2.baidu.com
Name Server: dns.baidu.com
Name Server: ns4.baidu.com
Name Server: ns3.baidu.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-10-16T02:15:43-0700 <<<
If certain contact information is not shown for a Registrant, Administrative,
or Technical contact, and you wish to send a message to these contacts, please
send your message to [email protected] and specify the domain name in
the subject line. We will forward that message to the underlying contact.
If you have a legitimate interest in viewing the non-public WHOIS details, send
your request and the reasons for your request to [email protected]
and specify the domain name in the subject line. We will review that request and
may ask for supporting documentation and explanation.
The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for
information purposes, and to assist persons in obtaining information about or
related to a domain name registration record. MarkMonitor.com does not guarantee
its accuracy. By submitting a WHOIS query, you agree that you will use this Data
only for lawful purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via e-mail (spam); or
(2) enable high volume, automated, electronic processes that apply to
MarkMonitor.com (or its systems).
MarkMonitor.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.
MarkMonitor is the Global Leader in Online Brand Protection.
MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services
Visit MarkMonitor at http://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
For more information on Whois status codes, please visit
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-enDmitry
dmitry会搜索子域,邮件地址,进行TCP扫描. 便于分析 可使用 -o 把查询的信息写入一个文本文件. 其他命令可指定查询
root@zhaji:~# dmitry -o webTest/output.txt www.baidu.com
Deepmagic Information Gathering Tool
"There be some deep magic going on"
Writing output to 'webTest/output.txt'
HostIP:61.135.169.121
HostName:www.baidu.com
Gathered Inet-whois information for 61.135.169.121
---------------------------------
inetnum: 61.14.228.0 - 61.255.255.255
netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks:
remarks: You can find the whois server to query, or the
remarks: IANA registry to query on this web page:
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks: You can access databases of other RIRs at:
remarks:
remarks: AFRINIC (Africa)
remarks: http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
remarks:
remarks: ARIN (Northern America)
remarks: http://www.arin.net/ whois.arin.net
remarks:
remarks: LACNIC (Latin America and the Carribean)
remarks: http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks: IANA IPV4 Recovered Address Space
remarks: http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
remarks:
remarks: ------------------------------------------------------
country: EU # Country is really world wide
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
created: 2018-05-28T14:20:24Z
last-modified: 2018-09-04T13:35:08Z
source: RIPE
role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2001-09-22T09:31:27Z
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.92.6 (WAGYU)nslookup
nslookup查询 可指dns服务器 如不指定使用默认dns服务器
root@zhaji:~# nslookup www.baidu.com
Server: 10.198.1.1
Address: 10.198.1.1#53
Non-authoritative answer:
Name: www.baidu.com
Address: 61.135.169.121
Name: www.baidu.com
Address: 61.135.169.125
www.baidu.com canonical name = www.a.shifen.com. #识别的别名
还可检查是否DNS服务器被篡改
nslookup
> server
Default server: 10.198.1.1
Address: 10.198.1.1#53
更换dns服务器查询
root@zhaji:~# nslookup -type=ns baidu.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
baidu.com nameserver = ns2.baidu.com.
baidu.com nameserver = ns3.baidu.com.
baidu.com nameserver = ns7.baidu.com.
baidu.com nameserver = ns4.baidu.com.
baidu.com nameserver = dns.baidu.com.
lbd
lbd给定一个域检查是否使用DNS或者HTTP负载均衡
lbd www.baidu.com
lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
Checking for DNS-Loadbalancing: FOUND
www.baidu.com has address 61.135.169.121
www.baidu.com has address 61.135.169.125
Checking for HTTP-Loadbalancing [Server]:
bfe/1.0.8.18
NOT FOUND
Checking for HTTP-Loadbalancing [Date]: 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, NOT FOUND
Checking for HTTP-Loadbalancing [Diff]: FOUND
< Etag: "575e1f5d-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:05 GMT
> Etag: "575e1f5c-115"
> Last-Modified: Mon, 13 Jun 2016 02:50:04 GMT
www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]
Recon-ng
这个开源框架比较强大,模块使用python编写,可自行建立改变模块也可利用第三方的API可能会被第三方跟踪.在kali中集成会把收集的数据放入数据库中. 有很多模块水土不服.
第一次启动会告知你没有安装的依赖
root@zhaji:~# recon-ng
[!] 'github_api' key not set. github_users module will likely fail at runtime. See 'keys add'.
[!] 'github_api' key not set. github_commits module will likely fail at runtime. See 'keys add'.
[!] 'censysio_id' key not set. censysio module will likely fail at runtime. See 'keys add'.
[!] 'censysio_secret' key not set. censysio module will likely fail at runtime. See 'keys add'.
[!] 'github_api' key not set. github_repos module will likely fail at runtime. See 'keys add'.
[!] 'fullcontact_api' key not set. fullcontact module will likely fail at runtime. See 'keys add'.
[!] 'google_api' key not set. youtube module will likely fail at runtime. See 'keys add'.
[!] 'flickr_api' key not set. flickr module will likely fail at runtime. See 'keys add'.
[!] 'twitter_api' key not set. twitter module will likely fail at runtime. See 'keys add'.
[!] 'twitter_secret' key not set. twitter module will likely fail at runtime. See 'keys add'.
[!] 'shodan_api' key not set. shodan module will likely fail at runtime. See 'keys add'.
[!] 'ipinfodb_api' key not set. ipinfodb module will likely fail at runtime. See 'keys add'.
[!] 'bing_api' key not set. bing_ip module will likely fail at runtime. See 'keys add'.
[!] 'github_api' key not set. github_miner module will likely fail at runtime. See 'keys add'.
[!] 'shodan_api' key not set. shodan_ip module will likely fail at runtime. See 'keys add'.
[!] 'pwnedlist_api' key not set. api_usage module will likely fail at runtime. See 'keys add'.
[!] 'pwnedlist_secret' key not set. api_usage module will likely fail at runtime. See 'keys add'.
[!] 'pwnedlist_api' key not set. domain_creds module will likely fail at runtime. See 'keys add'.
[!] 'pwnedlist_secret' key not set. domain_creds module will likely fail at runtime. See 'keys add'.
[!] 'pwnedlist_iv' key not set. domain_creds module will likely fail 可根据自己的需求安装 pip install name
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
add Adds records to the database
back Exits the current context
delete Deletes records from the database
exit Exits the framework
help Displays this menu
keys Manages framework API keys
load Loads specified module
pdb Starts a Python Debugger session
query Queries the database
record Records commands to a resource file
reload Reloads all modules
resource Executes commands from a resource file
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
unset Unsets module options
use Loads specified module
workspaces Manages workspaces
show modules显示模块 Tab 可自动补全
[recon-ng][default] > show modules
Discovery
---------
discovery/info_disclosure/cache_snoop
discovery/info_disclosure/interesting_files
Exploitation
------------
exploitation/injection/command_injector
exploitation/injection/xpath_bruter
Import
------
import/csv_file
import/list
Recon
-----
recon/companies-contacts/bing_linkedin_cache
recon/companies-contacts/jigsaw/point_usage
recon/companies-contacts/jigsaw/purchase_contact
recon/companies-contacts/jigsaw/search_contacts
recon/companies-multi/github_miner
recon/companies-multi/whois_miner
recon/contacts-contacts/mailtester
recon/contacts-contacts/mangle
recon/contacts-contacts/unmangle
recon/contacts-credentials/hibp_breach
recon/contacts-credentials/hibp_paste
recon/contacts-domains/migrate_contacts
recon/contacts-profiles/fullcontact
recon/credentials-credentials/adobe
recon/credentials-credentials/bozocrack
recon/credentials-credentials/hashes_org
recon/domains-contacts/metacrawler
recon/domains-contacts/pgp_search
recon/domains-contacts/whois_pocs
recon/domains-credentials/pwnedlist/account_creds
recon/domains-credentials/pwnedlist/api_usage
recon/domains-credentials/pwnedlist/domain_creds
recon/domains-credentials/pwnedlist/domain_ispwned
recon/domains-credentials/pwnedlist/leak_lookup
recon/domains-credentials/pwnedlist/leaks_dump
recon/domains-domains/brute_suffix
recon/domains-hosts/bing_domain_api
recon/domains-hosts/bing_domain_web
recon/domains-hosts/brute_hosts
recon/domains-hosts/builtwith
recon/domains-hosts/certificate_transparency
recon/domains-hosts/google_site_api
recon/domains-hosts/google_site_web
recon/domains-hosts/hackertarget
recon/domains-hosts/mx_spf_ip
recon/domains-hosts/netcraft
recon/domains-hosts/shodan_hostname
recon/domains-hosts/ssl_san
recon/domains-hosts/threatcrowd
recon/domains-vulnerabilities/ghdb
recon/domains-vulnerabilities/punkspider
recon/domains-vulnerabilities/xssed
recon/domains-vulnerabilities/xssposed
recon/hosts-domains/migrate_hosts
recon/hosts-hosts/bing_ip
recon/hosts-hosts/freegeoip
recon/hosts-hosts/ipinfodb
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/hosts-hosts/ssltools
recon/hosts-locations/migrate_hosts
recon/hosts-ports/shodan_ip
recon/locations-locations/geocode
recon/locations-locations/reverse_geocode
recon/locations-pushpins/flickr
recon/locations-pushpins/picasa
recon/locations-pushpins/shodan
recon/locations-pushpins/twitter
recon/locations-pushpins/youtube
recon/netblocks-companies/whois_orgs
recon/netblocks-hosts/reverse_resolve
recon/netblocks-hosts/shodan_net
recon/netblocks-ports/census_2012
recon/netblocks-ports/censysio
recon/ports-hosts/migrate_ports
recon/profiles-contacts/dev_diver
recon/profiles-contacts/github_users
recon/profiles-profiles/namechk
recon/profiles-profiles/profiler
recon/profiles-profiles/twitter_mentioned
recon/profiles-profiles/twitter_mentions
recon/profiles-repositories/github_repos
recon/repositories-profiles/github_commits
recon/repositories-vulnerabilities/gists_search
recon/repositories-vulnerabilities/github_dorks
Reporting
---------
reporting/csv
reporting/html
reporting/json
reporting/list
reporting/proxifier
reporting/pushpin
reporting/xlsx
reporting/xml
选择模块 load
[recon-ng][default] > load recon/profiles-profiles/profiler
[recon-ng][default][profiler] > show options
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE csdn.net yes source of input (see 'show info' for details)
[recon-ng][default][profiler] > set SOURCE baidu.com
SOURCE => baidu.com
[recon-ng][default][profiler] > run
还有很多载荷供使用,需要梯子.还有攻击载荷.慢慢发掘吧.