Newbie Diary 3: Kali Penetration Testing (II), Passive Information Gathering: dig, WHOIS, dnsenum, fierce

Source: Internet
Author: User
Tags load net domain name server dns nameservers dnssec domain name registration domain server icann mx record

I. dig

There are two common ways to query domain name resolution on Linux: nslookup and dig. dig (Domain Information Groper) is a Unix-like command-line tool that queries DNS for NS records, A records, MX records and so on.

    root@kali:~# dig -h
    Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
                {global-d-opt} host [@local-server] {local-d-opt}
                [ host [@local-server] {local-d-opt} [...]]
    Where:  domain   is in the Domain Name System
            q-class  is one of (in,hs,ch,...) [default: in]
            q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]   # record type, default A
                     (Use ixfr=version for type ixfr)
            q-opt    is one of:
                     -x dot-notation     (shortcut for reverse lookups)              # reverse lookup
                     -i                  (use IP6.INT for IPv6 reverse lookups)      # IPv6 reverse lookup
                     -f filename         (batch mode)                                # batch mode
                     -b address[#port]   (bind to source address/port)               # bind to source address/port
                     -p port             (specify port number)                       # specify port
                     -q name             (specify query name)                        # specify query name
                     -t type             (specify query type)                        # specify query type
                     -c class            (specify query class)                       # specify query class
                     -k keyfile          (specify tsig key file)
                     -y [hmac:]name:key  (specify named base64 tsig key)
                     -4                  (use IPv4 query transport only)
                     -6                  (use IPv6 query transport only)
                     -m                  (enable memory usage debugging)
            d-opt    is of the form +keyword[=value], where keyword is:
                     +[no]vc             (TCP mode)
                     +[no]tcp            (TCP mode, alternate syntax)
                     +time=###           (Set query timeout) [5]                     # query timeout
                     +tries=###          (Set number of UDP attempts) [3]            # number of UDP attempts
                     +retry=###          (Set number of UDP retries) [2]             # number of UDP retries
                     +domain=###         (Set default domainname)
                     +bufsize=###        (Set EDNS0 Max UDP packet size)
                     +ndots=###          (Set NDOTS value)
                     +[no]edns[=###]     (Set EDNS version) [0]
                     +[no]search         (Set whether to use searchlist)
                     +[no]showsearch     (Search with intermediate results)
                     +[no]defname        (Ditto)
                     +[no]recurse        (Recursive mode)
                     +[no]ignore         (Don't revert to TCP for TC responses.)
                     +[no]fail           (Don't try next server on SERVFAIL)
                     +[no]besteffort     (Try to parse even illegal messages)
                     +[no]aaonly         (Set AA flag in query (+[no]aaflag))
                     +[no]adflag         (Set AD flag in query)
                     +[no]cdflag         (Set CD flag in query)
                     +[no]cl             (Control display of class in records)
                     +[no]cmd            (Control display of command line)
                     +[no]comments       (Control display of comment lines)
                     +[no]rrcomments     (Control display of per-record comments)
                     +[no]question       (Control display of question)
                     +[no]answer         (Control display of answer)                 # control output of the answer section
                     +[no]authority      (Control display of authority)
                     +[no]additional     (Control display of additional)
                     +[no]stats          (Control display of statistics)
                     +[no]short          (Disable everything except short form of answer)
                     +[no]ttlid          (Control display of ttls in records)
                     +[no]all            (Set or clear all display flags)            # set/clear all display flags; +noall is typically combined with +answer
                     +[no]qr             (Print question before sending)
                     +[no]nssearch       (Search all authoritative nameservers)
                     +[no]identify       (ID responders in short answers)
                     +[no]trace          (Trace delegation down from root [+dnssec]) # DNS tracing
                     +[no]dnssec         (Request DNSSEC records)
                     +[no]nsid           (Request Name Server ID)
                     +[no]sigchase       (Chase DNSSEC signatures)
                     +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)
                     +[no]topdown        (Do DNSSEC validation top down mode)
                     +[no]split=##       (Split hex/base64 fields into chunks)
                     +[no]multiline      (Print records in an expanded format)
                     +[no]onesoa         (AXFR prints only one soa record)
                     +[no]keepopen       (Keep the TCP socket open between queries)
            global d-opts and servers (before host name) affect all queries.
            local d-opts and servers (after host name) affect only that lookup.
            -h                           (print help and exit)
            -v                           (print version and exit)

Command explanation

Direct query

    root@kali:~# dig <domain>          # direct query

    ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> <domain>
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44198          # opcode, status, id
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 16   # flags

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1280                              # EDNS version, UDP buffer size 1280
    ;; QUESTION SECTION:
    ...
    ;; ANSWER SECTION:
    ...
    ;; AUTHORITY SECTION:
    ...
    ;; ADDITIONAL SECTION:
    ...
    b.gtld-servers.net.    22851   IN   AAAA   2001:503:231d::...

    ;; Query time: 84 msec
    ;; SERVER: ...
    ;; WHEN: Tue Sep ... 15:50:49 CST 2016
    ;; MSG SIZE  rcvd: 589
Specify the DNS name server to ask:

    dig <domain to query> <record type> @<DNS server IP>

MX query, for example:

    dig <domain> mx @<DNS server IP>

Reverse query:

    dig -x <server IP address> +noall +answer    # +noall suppresses every output section, +answer prints only the answer records

    # the result may differ from the forward lookup, because a domain name and an IP address can map one-to-many or many-to-one
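The one-to-many and many-to-one point above is easiest to see once the answer lines are parsed. The following Python script is an added example (not part of the original post): it parses constructed `dig +noall +answer` output in dig's five-field answer format into records, builds the forward (name to A) and reverse (in-addr.arpa to PTR) maps separately, and shows why a `dig -x` result need not round-trip with the forward lookup. The sample records use the documentation ranges and example.com; none of them are real hosts.

```python
"""Parse `dig +noall +answer` output into records and compare forward/reverse maps.

Added example, not from the original post. SAMPLE_DIG_OUTPUT is constructed
to mimic dig's short answer format (name, TTL, class, type, rdata, tab-separated).
"""
import re
from collections import defaultdict

# Constructed sample: roughly what `dig +noall +answer example.com ANY` and
# `dig +noall +answer -x 192.0.2.10` would print for a zone that maps one name
# to two addresses and one address back to two names.
SAMPLE_DIG_OUTPUT = """\
example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t3600\tIN\tA\t192.0.2.11
example.com.\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t86400\tIN\tNS\tns1.example.com.
www.example.com.\t300\tIN\tCNAME\texample.com.
10.2.0.192.in-addr.arpa.\t3600\tIN\tPTR\texample.com.
10.2.0.192.in-addr.arpa.\t3600\tIN\tPTR\tmail.example.com.
"""

# name  ttl  class  type  rdata (rdata may contain spaces, e.g. MX priority + host)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.+)$")


def parse_dig_answer(text):
    """Return a list of (name, ttl, class, type, rdata) tuples.

    Comment lines (starting with ';'), blank lines and anything that does not
    fit the five-field layout are skipped, so raw dig output can be fed in.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name, ttl, rclass, rtype, rdata = m.groups()
        records.append((name, int(ttl), rclass, rtype, rdata))
    return records


def records_by_type(records):
    """Group (name, rdata) pairs by record type, like dig's sections."""
    grouped = defaultdict(list)
    for name, _ttl, _cls, rtype, rdata in records:
        grouped[rtype].append((name, rdata))
    return dict(grouped)


def forward_map(records):
    """name -> set of IPv4 addresses; one name may carry several A records."""
    fwd = defaultdict(set)
    for name, _ttl, _cls, rtype, rdata in records:
        if rtype == "A":
            fwd[name].add(rdata)
    return dict(fwd)


def reverse_map(records):
    """in-addr.arpa name -> set of PTR targets; one IP may name several hosts.

    The reverse zone is maintained independently of the forward zone, which is
    why `dig -x` can return names that the forward A lookup never mentioned.
    """
    rev = defaultdict(set)
    for name, _ttl, _cls, rtype, rdata in records:
        if rtype == "PTR":
            rev[name].add(rdata)
    return dict(rev)


def ptr_name(ipv4):
    """Build the in-addr.arpa owner name that `dig -x <ipv4>` actually queries."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa."


if __name__ == "__main__":
    recs = parse_dig_answer(SAMPLE_DIG_OUTPUT)
    for rtype, items in sorted(records_by_type(recs).items()):
        print(rtype, items)
    owner = ptr_name("192.0.2.10")
    print(owner, "->", sorted(reverse_map(recs)[owner]))
    print("example.com. ->", sorted(forward_map(recs)["example.com."]))
```

Feeding the script real output is just `dig +noall +answer <name> | python3 parse_dig.py` with `SAMPLE_DIG_OUTPUT` swapped for `sys.stdin.read()`; the parser ignores the comment lines that appear when `+noall` is left off.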

Where dig shines

1. Query the BIND version of a DNS server

    dig +noall +answer txt chaos version.bind @<DNS server, i.e. the host named in the NS record>

   Used to query the host names under a domain, e.g. the hosts under <domain>.    # security-conscious sites hide the BIND version string

### Using a compromised DNS server to obtain its host records

2. DNS tracing

    dig +trace <domain>    # performs the lookup recursively, tracing the delegation down from the root

3. DNS zone transfer

    dig @<DNS server> <domain> AXFR    # in plain terms, asks for the copy of the zone that its secondary (backup) DNS servers receive

A zone transfer is the operation by which a secondary (backup) server refreshes its own zone database with data from the primary (authoritative) server. It gives the running DNS service a degree of redundancy, so that an unexpected failure of the primary domain server does not take the whole domain offline, and it keeps the servers' information synchronized.

### If zone transfer is misconfigured on the DNS server, anyone who can connect to that server can request the zone

    root@kali:~# dig @ns3.<...> <domain> AXFR
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

Equivalent command:

    host -l <domain> <DNS server>    # -l performs a full zone transfer (AXFR)
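The misconfiguration described above is something the zone's operator can check for from the server side, because BIND logs every outbound transfer in its xfer-out category. The following Python script is an added example (not from the original post): it scans constructed log lines written in the style of those messages and flags any AXFR or IXFR served to a client that is not in an assumed allow-transfer list. The addresses, the zone name and the exact wording of the lines are assumptions, so adapt the regular expression to your own server's logs.

```python
"""Flag zone transfers (AXFR/IXFR) served to clients outside the allowed secondaries.

Added example, not from the original post. SAMPLE_LOG is constructed to mimic
BIND's xfer-out log lines; all addresses are documentation ranges.
"""
import ipaddress
import re

# Constructed sample: two legitimate transfers (192.0.2.53, 198.51.100.9) and
# one from an address that is not a configured secondary (203.0.113.77).
SAMPLE_LOG = """\
15-Sep-2016 15:50:49.101 xfer-out: info: client 192.0.2.53#41234 (example.com): transfer of 'example.com/IN': AXFR started (serial 2016091501)
15-Sep-2016 15:50:49.140 xfer-out: info: client 192.0.2.53#41234 (example.com): transfer of 'example.com/IN': AXFR ended
15-Sep-2016 16:02:11.407 xfer-out: info: client 203.0.113.77#55012 (example.com): transfer of 'example.com/IN': AXFR started (serial 2016091501)
15-Sep-2016 16:02:11.450 xfer-out: info: client 203.0.113.77#55012 (example.com): transfer of 'example.com/IN': AXFR ended
15-Sep-2016 16:05:00.000 xfer-out: info: client 198.51.100.9#40001 (example.com): transfer of 'example.com/IN': IXFR started (serial 2016091501)
"""

# Assumed allow-transfer list: the secondaries that may pull the zone.
# Single hosts and CIDR blocks are both accepted.
ALLOWED_SECONDARIES = ["192.0.2.53", "198.51.100.0/24"]

# Only "started" lines are matched, so each transfer is reported once.
XFER_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<zone>[^)]+)\): "
    r"transfer of '(?P<zonecls>[^']+)': (?P<kind>AXFR|IXFR) started"
)


def is_allowed(ip, allowed=ALLOWED_SECONDARIES):
    """True if ip falls inside any entry of the allow list (host or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowed)


def find_unexpected_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (client_ip, zone, kind) for every transfer started by a non-allowed client."""
    hits = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if m is None:
            continue
        if not is_allowed(m.group("ip"), allowed):
            hits.append((m.group("ip"), m.group("zone"), m.group("kind")))
    return hits


if __name__ == "__main__":
    for ip, zone, kind in find_unexpected_transfers(SAMPLE_LOG):
        print("unexpected %s of %s served to %s" % (kind, zone, ip))
```

A hit means the server's `allow-transfer { ... };` statement (BIND's option for restricting zone transfers to listed secondaries or a TSIG key) is missing or wider than intended; the script is the check that the restriction actually holds in practice, not a replacement for it.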

II. WHOIS registration information

    whois <domain>

    root@kali:~# whois wooyun.org
    Domain Name: WOOYUN.ORG
    Domain ID: D159099935-LROR
    WHOIS Server:
    Referral URL:
    Updated Date: 2016-01-15T00:24:32Z
    Creation Date: 2010-05-06T08:50:48Z
    Registry Expiry Date: 2024-05-06T08:50:48Z
    Sponsoring Registrar: HiChina Zhicheng Technology Limited
    Sponsoring Registrar IANA ID: 420
    Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Registrant ID: hc556860480-cn
    Registrant Name: Fang Xiaodun
    Registrant Organization: Fang Xiaodun
    Registrant Street: Haidian District Juyuan Road 6# 502
    Registrant City: Beijing
    Registrant State/Province: Beijing
    Registrant Postal Code: 100080
    Registrant Country: CN
    Registrant Phone: +86.18610137578
    Registrant Phone Ext:
    Registrant Fax: +86.18610137578
    Registrant Fax Ext:
    Registrant Email: [email protected]
    Admin ID: hc-009652962-cn
    Admin Name: Fang Xiaodun
    Admin Organization: Beijing Bigfish Technology
    Admin Street: Haidian District Juyuan Road 6# 502
    Admin City: Beijing
    Admin State/Province: Beijing
    Admin Postal Code: 100080
    Admin Country: CN
    Admin Phone: +86.18610137578
    Admin Phone Ext:
    Admin Fax: +86.18610137578
    Admin Fax Ext:
    Admin Email: [email protected]
    Tech ID: hc-844637505-cn
    Tech Name: Fang Xiaodun
    Tech Organization: Beijing Bigfish Technology
    Tech Street: Haidian District Juyuan Road 6# 502
    Tech City: Beijing
    Tech State/Province: Beijing
    Tech Postal Code: 100080
    Tech Country: CN
    Tech Phone: +86.18610137578
    Tech Phone Ext:
    Tech Fax: +86.18610137578
    Tech Fax Ext:
    Tech Email: [email protected]
    Name Server: NS1.DNSV2.COM
    Name Server: NS2.DNSV2.COM
    DNSSEC: unsigned
    >>> Last update of WHOIS database: 2016-09-02T21:50:05Z <<<

    For more information on Whois status codes, please visit https://icann.org/epp

    Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

WHOIS web sites provide a graphical interface, but their results may be disappointing.
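Beyond the contact details, the fields in a record like the one above that a domain owner should watch are the expiry date, the EPP status codes (whether the registrar transfer lock is set) and the delegated name servers. The following Python script is an added example (not from the original post) that parses a constructed record in the same field layout as the .org registry response above, extracts those fields, and reports the days left until expiry relative to a supplied date; the values in the sample record are invented and nothing is looked up over the network.

```python
"""Parse a WHOIS registration record and pull out the fields a domain owner tracks.

Added example, not from the original post. SAMPLE_WHOIS is constructed in the
style of a .org registry response (same field names as the record above) with
example values; nothing here was looked up.
"""
import re
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.ORG
Domain ID: D000000000-LROR
WHOIS Server:
Referral URL:
Updated Date: 2016-01-15T00:24:32Z
Creation Date: 2010-05-06T08:50:48Z
Registry Expiry Date: 2024-05-06T08:50:48Z
Sponsoring Registrar: Example Registrar Ltd
Sponsoring Registrar IANA ID: 9999
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Name: Example Holder
Registrant Email: registrant@example.org
Name Server: NS1.EXAMPLE.ORG
Name Server: NS2.EXAMPLE.ORG
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-09-02T21:50:05Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
"""

# A field line is "Key: value". Keys are a few plain words, so the trailing
# legal text (which contains commas and a URL) never matches.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 /\-]{0,40}):\s*(.*)$")


def parse_whois(text):
    """Return {field: [values]}; repeated keys such as Name Server accumulate.

    Empty fields (e.g. 'Referral URL:') are dropped so callers can test
    presence with a plain 'in'.
    """
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m is None:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value:
            fields.setdefault(key, []).append(value)
    return fields


def parse_registry_date(value):
    """Registry timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_until_expiry(fields, now_iso):
    """Whole days from now_iso (same timestamp format) to the registry expiry date."""
    expiry = parse_registry_date(fields["Registry Expiry Date"][0])
    return (expiry - parse_registry_date(now_iso)).days


def status_codes(fields):
    """The EPP status code is the first token; the URL after it is informational."""
    return [v.split()[0] for v in fields.get("Domain Status", [])]


def nameservers(fields):
    """Delegated name servers, normalised to lower case without a trailing dot."""
    return sorted(v.lower().rstrip(".") for v in fields.get("Name Server", []))


def is_transfer_locked(fields):
    """clientTransferProhibited is the registrar lock that blocks transfer-based hijacking."""
    return "clientTransferProhibited" in status_codes(fields)


if __name__ == "__main__":
    f = parse_whois(SAMPLE_WHOIS)
    print("registrar:", f["Sponsoring Registrar"][0])
    print("nameservers:", nameservers(f))
    print("transfer locked:", is_transfer_locked(f))
    print("days to expiry from 2016-09-15:", days_until_expiry(f, "2016-09-15T00:00:00Z"))
```

Run against live data with `whois <domain> | python3 parse_whois.py` after swapping `SAMPLE_WHOIS` for `sys.stdin.read()`; registries differ slightly in field names, so the regular expression is deliberately tolerant of any short "Key: value" line.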

III. dnsenum

The purpose of dnsenum is to collect as much information as possible about a domain: it can guess possible subdomain names through Google or a dictionary file, and it can reverse-resolve a network range. It queries the host address of the site, the domain's name servers and its MX (mail exchange) records, sends AXFR requests to the name servers, collects extra domain names through Google scraping (Google hacking), brute-forces subdomains from a file and queries them, computes the class C ranges and runs WHOIS on them, and performs reverse lookups over those ranges, writing the results to a file.

Common usage:

    root@kali:~# dnsenum --enum <domain>
    dnsenum VERSION:1.2.3
    Warning: can't load Net::Whois::IP module, whois queries disabled.

    -----   <domain>   -----

    Host's addresses:
    __________________
    <host>    346     IN    A    <ip>
    <host>    346     IN    A    <ip>
    <host>    346     IN    A    <ip>
    <host>    346     IN    A    <ip>
    <host>    76012   IN    A    <ip>
    <host>    25326   IN    A    <ip>
    <host>    38813   IN    A    <ip>
    <host>    78929   IN    A    <ip>
    <host>    35202   IN    A    <ip>    (MX)
    <host>    ...     IN    A    <ip>
    <host>    2599    IN    A    <ip>
    <host>    ...     IN    A    <ip>

    Trying Zone Transfers and getting Bind Versions:
    _________________________________________________
    Trying Zone Transfer for <domain> on <name server> ...

Common parameters

    --threads [number]   number of threads to run concurrently
    -r                   allow recursion into subdomains
    -d                   delay (seconds) between WHOIS requests
    -o                   output file
    -w                   enable WHOIS requests

IV. fierce

The fierce tool mainly scans for and collects information on subdomains. Use it to obtain all the IP addresses and host information of a target host.

    root@kali:~# fierce -dns baidu.com
    DNS Servers for baidu.com:
        ...
    Trying zone transfer first...
        Testing ...
            Request timed out or transfer not allowed.
        Testing ...
            Request timed out or transfer not allowed.
        Testing ...
            Request timed out or transfer not allowed.
        Testing ...
            Request timed out or transfer not allowed.
        Testing ...
            Request timed out or transfer not allowed.
    Unsuccessful in zone transfer (it was worth a shot)
    Okay, trying the good old fashioned way... brute force
    Checking for wildcard DNS...
        Nope. Good.
    Now performing 2280 test(s)...
    ................................................

    • Dictionary brute force    # used when the DNS server does not allow zone transfers    # Kali 2.0 does not ship dnsdict6 by default

    fierce -dns <domain> -dnsserver <DNS server> -wordlist a.txt

### e.g. find a dictionary (wordlist) to use

    dpkg -L fierce    # list the files installed by the fierce package, including its wordlist

    dnsdict6 -d4 -t 16 -x <domain>    # -t: number of threads; -d: also show the IPv6 address, MX and NS; -d4: IPv4 as well; dictionary size: -l/-m/-x/-u

# dnsdict6: fast, large dictionary, thorough, accurate

    dnsenum -f dnsbig.txt --dnsserver <DNS server> -o sina.xml <domain>
    dnsmap <domain> -w dns.txt
    dnsrecon -d <domain> -t brt -D dnsbig.txt    # -D gives the dictionary for the brt (brute force) scan type

    dnsrecon -t std -d <domain>


Newbie Diary, to be continued...
