Newbie Diary 2: Kali penetration testing (I), passive information collection

Source: Internet
Author: User
Tags: domain name server, mail exchange, MX record, nameserver, nslookup, domain, fully qualified domain name

1. Passive information collection

Passive information collection means gathering information through open channels without interacting directly with the target system, so that the probing leaves as few traces as possible. The information gathered by passive techniques falls broadly into two categories: configuration information and status information.

Information that can be collected passively, and the passive technique used for each:

  IP address or address range                       : probing for live hosts
  MAC address                                       : internal sniffing of ARP and DHCP
  Domain name and host name                         : external sniffing of DNS; internal sniffing of NetBIOS, ARP and DHCP
  Operating system                                  : system and version fingerprint information
  Running applications                              : (not specified)
  User names and passwords                          : (not specified)
  Device type (server, client)                      : port and protocol usage, ICMP
  Running services                                  : port and protocol usage
  Device running status                             : activity level and ICMP
  Application status                                : external activity level on the device's application port
  Link running status                               : activity level and ICMP
  Link utilization                                  : activity level
  Logical location of the device                    : TTL-based distance (hop count)
  E-mail addresses, company address, organization structure, contact phone/fax numbers, personal names/titles : preparation for social engineering
  Documents, pictures, data                         : (not specified)
  Public business information                       : (not specified)


Articles on open-source intelligence (OSINT) collection:
U.S. military: Http://www.fas.org/irp/dodair/army/atp2-22-2.pdf
North Atlantic Treaty Organization: http://information-retireval.info/docs/NATO-OSINT.html

2. DNS (Domain Name System)

The Domain Name System (DNS) is a service on the Internet: a distributed database that maps domain names and IP addresses to each other, making it easier for people to access the Internet. DNS uses TCP and UDP port 53. Currently each label of a domain name is limited to 63 characters, and the total length of a domain name cannot exceed 253 characters.

DNS names and FQDNs: a fully qualified domain name (FQDN) is the host name plus the full domain path, with every domain member in the sequence listed. A domain name locates a host logically and precisely; put differently, the FQDN is the complete representation of a host name. (For example, domain: sina.com; FQDN: www.sina.com.)

There are two ways to map host names to IP addresses: 1) static mapping, where each device is configured with its own host-to-IP mapping table, maintained independently and used only by that device; 2) dynamic mapping, where a domain name resolution system (DNS) is set up and the host-to-IP mappings are configured only on dedicated DNS servers; a device on the network that needs to communicate by host name first queries the DNS server for the host's IP address.

Domain name structure: the general structure of an Internet host domain name is hostname.third-level domain.second-level domain.top-level domain. Top-level domains on the Internet are registered and managed by the Internet network information center responsible for network address allocation, which also assigns a unique IP address to each host on the Internet. There are three major network information centers worldwide: InterNIC in the United States, responsible for the United States and other regions; RIPE NIC in the Netherlands, responsible for Europe; and APNIC in Japan, responsible for the Asia-Pacific region.

Record types:
1. Host record (A record): the most important record for name resolution; it maps a specific host name to the IP address of the corresponding host.
2. Alias record (CNAME record): points an alias at another record, so a new A record does not have to be created for the new name.
3. IPv6 host record (AAAA record): the counterpart of the A record; it maps a specific host name to the host's IPv6 address.
4. Mail exchange record (MX record): directs e-mail addressed to that domain to the mail server that handles it.
5. Name server record (NS record): indicates which server resolves the domain name; it can be used to look up the DNS records of a subdomain.
6. PTR record: used for reverse address resolution (IP address to name), for example during the e-mail delivery process.
7. Service location record (SRV record): defines the location (host name, port number, and so on) of the server that provides a specific service.
8. NAPTR record: provides a regular expression for mapping a domain name; the best-known application of NAPTR records is ENUM queries.

DNS queries for a domain name are resolved in two ways: recursion and iteration. The DNS server configured on a DNS client is typically a recursive server: it handles the client's query request until the final result can be returned. DNS servers themselves generally use iterative queries between each other.

3. DNS: nslookup

nslookup is a command-line tool for checking whether the DNS servers on a network perform domain name resolution correctly. It is used to query DNS records, to check whether name resolution is working, and to diagnose network problems when a fault occurs. It is available on Windows NT/2000/XP and later Windows systems (Windows 7, Windows 8, etc.).

To read the manual: man nslookup

    NSLOOKUP(1)                          BIND9                         NSLOOKUP(1)

    NAME
           nslookup - query Internet name servers interactively

    SYNOPSIS
           nslookup [-option] [name | -] [server]

    DESCRIPTION
           Nslookup is a program to query Internet domain name servers. Nslookup
           has two modes: interactive and non-interactive. Interactive mode allows
           the user to query name servers for information about various hosts and
           domains or to print a list of hosts in a domain. Non-interactive mode is
           used to print just the name and requested information for a host or
           domain.

    ARGUMENTS
           Interactive mode is entered in the following cases:

            1. when no arguments are given (the default name server will be used)

            2. when the first argument is a hyphen (-) and the second argument is
               the host name or Internet address of a name server.

           Non-interactive mode is used when the name or Internet address of the
           host to be looked up is given as the first argument. The optional second
           argument specifies the host name or address of a name server.

           Options can also be specified on the command line if they precede the
           arguments and are prefixed with a hyphen. For example, to change the
           default query type to host information, and the initial timeout to 10
           seconds, type:

               nslookup -query=hinfo -timeout=10        # -query=hinfo, timeout=10

    INTERACTIVE COMMANDS                                 # interactive commands
           host [server]
               Look up information for host using the current default server or
               using server, if specified. If host is an Internet address and the
               query type is A or PTR, the name of the host is returned. If host is
               a name and does not have a trailing period, the search list is used
               to qualify the name.

               To look up a host not in the current domain, append a period to the
               name.

           server domain
           lserver domain
               Change the default server to domain; lserver uses the initial server
               to look up information about domain, while server uses the current
               default server. If an authoritative answer can't be found, the names
               of servers that might have the answer are returned.

           root
               not implemented

           finger
               not implemented

           ls
               not implemented

           view
               not implemented

           help
               not implemented

           ?
               not implemented

           exit
               Exits the program.

           set keyword[=value]
               This command is used to change state information that affects the
               lookups. Valid keywords are:

               all
                   Prints the current values of the frequently used options to set.
                   Information about the current default server and host is also
                   printed.

               class=value
                   Change the query class to one of:

                   IN
                       the Internet class

                   CH
                       the Chaos class

                   HS
                       the Hesiod class

                   ANY
                       wildcard

                   The class specifies the protocol group of the information.

                   (Default = IN; abbreviation = cl)

               [no]debug
                   Turn on or off the display of the full response packet and any
                   intermediate response packets when searching.

                   (Default = nodebug; abbreviation = [no]deb)

               [no]d2
                   Turn debugging mode on or off. This displays more about what
                   nslookup is doing.

                   (Default = nod2)

               domain=name
                   Sets the search list to name.

               [no]search
                   If the lookup request contains at least one period but doesn't
                   end with a trailing period, append the domain names in the
                   domain search list to the request until an answer is received.

                   (Default = search)

               port=value
                   Change the default TCP/UDP name server port to value.

                   (Default = 53; abbreviation = po)

               querytype=value
               type=value
                   Change the type of the information query.

                   (Default = A; abbreviations = q, ty)

               [no]recurse
                   Tell the name server to query other servers if it does not have
                   the information.

                   (Default = recurse; abbreviation = [no]rec)

               ndots=number
                   Set the number of dots (label separators) in a domain that will
                   disable searching. Absolute names always stop searching.

               retry=number
                   Set the number of retries to number.

               timeout=number
                   Change the initial timeout interval for waiting for a reply to
                   number seconds.

               [no]vc
                   Always use a virtual circuit when sending requests to the
                   server.

                   (Default = novc)

               [no]fail
                   Try the next nameserver if a nameserver responds with SERVFAIL
                   or a referral (nofail) or terminate query (fail) on such a
                   response.

                   (Default = nofail)

    FILES
           /etc/resolv.conf

    SEE ALSO
           dig(1), host(1), named(8).

    AUTHOR
           Andrew Cherenson

    COPYRIGHT
           Copyright (c) 2004-2007, Internet Systems Consortium, Inc. ("ISC")

    BIND9                            June 30, 2000                     NSLOOKUP(1)

Query example

    root@kali:~# nslookup                 # enter nslookup interactive mode
    > server                              # show the DNS server this machine is using
    Default server: 192.168.1.1
    Address: 192.168.1.1#53
    > sina.com
    Server:         192.168.1.1
    Address:        192.168.1.1#53

    Non-authoritative answer:
    Name:   sina.com
    Address: 66.102.251.33
    > set type=a                          # set the query type to A
    > sina.com
    Server:         192.168.1.1
    Address:        192.168.1.1#53

    Non-authoritative answer:
    Name:   sina.com
    Address: 66.102.251.33
    > set type=mx                         # set the query type to MX
    > sina.com                            # note: query the domain; a host name such as www.sina.com cannot be entered here
    Server:         192.168.1.1
    Address:        192.168.1.1#53

    Non-authoritative answer:             # the number in front of the mail exchanger is its priority
    sina.com        mail exchanger = freemx3.sinamail.sina.com.cn.
    sina.com        mail exchanger = 5 freemx1.sinamail.sina.com.cn.
    sina.com        mail exchanger = freemx2.sinamail.sina.com.cn.

    Authoritative answers can be found from:
    com     nameserver = k.gtld-servers.net.
    com     nameserver = f.gtld-servers.net.
    com     nameserver = g.gtld-servers.net.
    com     nameserver = m.gtld-servers.net.
    com     nameserver = h.gtld-servers.net.
    com     nameserver = l.gtld-servers.net.
    com     nameserver = a.gtld-servers.net.
    com     nameserver = d.gtld-servers.net.
    com     nameserver = j.gtld-servers.net.
    com     nameserver = i.gtld-servers.net.
    com     nameserver = b.gtld-servers.net.
    com     nameserver = e.gtld-servers.net.
    com     nameserver = c.gtld-servers.net.
    g.gtld-servers.net      internet address = 192.42.93.30
    j.gtld-servers.net      internet address = 192.48.79.30
    i.gtld-servers.net      internet address = 192.43.172.30
    e.gtld-servers.net      internet address = 192.12.94.30
    a.gtld-servers.net      internet address = 192.5.6.30
    a.gtld-servers.net      has AAAA address 2001:503:a83e::2:30
    h.gtld-servers.net      internet address = 192.54.112.30
    f.gtld-servers.net      internet address = 192.35.51.30
    b.gtld-servers.net      internet address = 192.33.14.30

Specifying the DNS server to query

    root@kali:~# nslookup
    > server 156.154.70.22                # specify the DNS server to query
    Default server: 156.154.70.22
    Address: 156.154.70.22#53
    > sina.com
    Server:         156.154.70.22
    Address:        156.154.70.22#53

    Non-authoritative answer:
    Name:   sina.com
    Address: 66.102.251.33
    >

One-line (non-interactive) form

    root@kali:~# nslookup -q=ns sina.com 156.154.70.22   # -q is short for -query (the record type); the last argument is the DNS server to use
    Server:         156.154.70.22
    Address:        156.154.70.22#53

    Non-authoritative answer:
    sina.com        nameserver = ns2.sina.com.cn.
    sina.com        nameserver = ns1.sina.com.
    sina.com        nameserver = ns1.sina.com.cn.
    sina.com        nameserver = ns2.sina.com.
    sina.com        nameserver = ns4.sina.com.cn.
    sina.com        nameserver = ns4.sina.com.
    sina.com        nameserver = ns3.sina.com.cn.
    sina.com        nameserver = ns3.sina.com.

    Authoritative answers can be found from:
    ns1.sina.com    internet address = 114.134.80.144
    ns2.sina.com    internet address = 114.134.80.145
    ns3.sina.com    internet address = 61.172.201.254
    ns4.sina.com    internet address = 123.125.29.99
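As an added example that is not part of the original post, the following Python script builds the same kind of DNS query that nslookup sends (for the A, NS, MX and AAAA record types described in the DNS section) and decodes the answer section of the reply, including the MX preference value and the name compression pointers a real reply uses. The sample reply is constructed here, not captured from a real server; to query a live server, send the bytes from build_query() to the server's UDP port 53 and pass the datagram received to parse_answers().

```python
import struct

QTYPES = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28}
# Constructed sample reply (not from a real server): MX + A answers for example.com; 0xC00C = RFC 1035 pointer.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00\x07example\x03com\x00\x00\x0f\x00\x01"
    b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x01\x2c\x00\x09\x00\x0a\x04mail\xc0\x0c"  # MX 10 mail.example.com
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22")         # A 93.184.216.34

def build_query(name, qtype, txid=0x1234):
    # Flags 0x0100 = RD bit set: the recursive lookup nslookup sends unless 'set norecurse'.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def read_name(msg, off):
    # Decode a possibly compressed domain name; returns (name, offset just after it).
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer: rest of the name lives elsewhere
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode())
        off += length

def parse_answers(msg):
    # Returns [(owner, rtype, rdata)] for the answer section; A, NS and MX rdata are decoded.
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):                                # skip the question section
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        val = msg[off:off + rdlen]                     # raw rdata for types not decoded below
        if rtype == 1:
            val = ".".join(str(b) for b in val)
        elif rtype == 2:
            val = read_name(msg, off)[0]
        elif rtype == 15:                              # MX: 16-bit preference, then exchange name
            val = (struct.unpack("!H", val[:2])[0], read_name(msg, off + 2)[0])
        answers.append((owner, rtype, val))
        off += rdlen
    return answers
```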


