1. dig
On Linux there are two choices for querying name resolution: nslookup or dig. dig (Domain Information Groper) is a command-line tool on Unix-like systems for querying DNS, including NS, A, MX and other record types.
[email protected]:~# dig -h
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]
Where:  domain   is in the Domain Name System
        q-class  is one of (in,hs,ch,...) [default: in]
        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]   # record type (...), defaults to a
                 (Use ixfr=version for type ixfr)
        q-opt    is one of:
                 -x dot-notation     (shortcut for reverse lookups)   # reverse lookup
                 -i                  (use IP6.INT for IPv6 reverse lookups)   # IPv6 reverse lookup
                 -f filename         (batch mode)   # batch mode
                 -b address[#port]   (bind to source address/port)   # bind to source address/port
                 -p port             (specify port number)   # specify the port
                 -q name             (specify query name)   # specify the query name
                 -t type             (specify query type)   # specify the query type
                 -c class            (specify query class)
                 -k keyfile          (specify tsig key file)
                 -y [hmac:]name:key  (specify named base64 tsig key)
                 -4                  (use IPv4 query transport only)
                 -6                  (use IPv6 query transport only)
                 -m                  (enable memory usage debugging)
        d-opt    is of the form +keyword[=value], where keyword is:
                 +[no]vc             (TCP mode)
                 +[no]tcp            (TCP mode, alternate syntax)
                 +time=###           (Set query timeout) [5]   # query timeout
                 +tries=###          (Set number of UDP attempts) [3]   # number of UDP packets sent
                 +retry=###          (Set number of UDP retries) [2]   # number of UDP retries
                 +domain=###         (Set default domainname)
                 +bufsize=###        (Set EDNS0 Max UDP packet size)
                 +ndots=###          (Set NDOTS value)
                 +[no]edns[=###]     (Set EDNS version) [0]
                 +[no]search         (Set whether to use searchlist)
                 +[no]showsearch     (Search with intermediate results)
                 +[no]defname        (Ditto)
                 +[no]recurse        (Recursive mode)
                 +[no]ignore         (Don't revert to TCP for TC responses.)
                 +[no]fail           (Don't try next server on SERVFAIL)
                 +[no]besteffort     (Try to parse even illegal messages)
                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))
                 +[no]adflag         (Set AD flag in query)
                 +[no]cdflag         (Set CD flag in query)
                 +[no]cl             (Control display of class in records)
                 +[no]cmd            (Control display of command line)
                 +[no]comments       (Control display of comment lines)
                 +[no]rrcomments     (Control display of per-record comments)
                 +[no]question       (Control display of question)
                 +[no]answer         (Control display of answer)   # control output of the answer section
                 +[no]authority      (Control display of authority)
                 +[no]additional     (Control display of additional)
                 +[no]stats          (Control display of statistics)
                 +[no]short          (Disable everything except short form of answer)
                 +[no]ttlid          (Control display of ttls in records)
                 +[no]all            (Set or clear all display flags)   # all display flags; +noall is usually combined with +answer
                 +[no]qr             (Print question before sending)
                 +[no]nssearch       (Search all authoritative nameservers)
                 +[no]identify       (ID responders in short answers)
                 +[no]trace          (Trace delegation down from root [+dnssec])   # DNS trace
                 +[no]dnssec         (Request DNSSEC records)
                 +[no]nsid           (Request Name Server ID)
                 +[no]sigchase       (Chase DNSSEC signatures)
                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)
                 +[no]topdown        (Do DNSSEC validation top down mode)
                 +[no]split=##       (Split hex/base64 fields into chunks)
                 +[no]multiline      (Print records in an expanded format)
                 +[no]onesoa         (AXFR prints only one soa record)
                 +[no]keepopen       (Keep the TCP socket open between queries)
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h                           (print help and exit)
        -v                           (print version and exit)
Command details
Direct query
[email protected]:~# dig www.baidu.com   # direct query

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44198   # opcode, status, ID
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 16   # flags
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280   # EDNS version, udp: 1280
;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		6	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	553	IN	A	14.215.177.38
www.a.shifen.com.	553	IN	A	14.215.177.37

;; AUTHORITY SECTION:
com.			67772	IN	NS	a.gtld-servers.net.
com.			67772	IN	NS	j.gtld-servers.net.
com.			67772	IN	NS	f.gtld-servers.net.
com.			67772	IN	NS	h.gtld-servers.net.
com.			67772	IN	NS	k.gtld-servers.net.
com.			67772	IN	NS	m.gtld-servers.net.
com.			67772	IN	NS	b.gtld-servers.net.
com.			67772	IN	NS	l.gtld-servers.net.
com.			67772	IN	NS	g.gtld-servers.net.
com.			67772	IN	NS	d.gtld-servers.net.
com.			67772	IN	NS	e.gtld-servers.net.
com.			67772	IN	NS	c.gtld-servers.net.
com.			67772	IN	NS	i.gtld-servers.net.

;; ADDITIONAL SECTION:
g.gtld-servers.net.	47412	IN	A	192.42.93.30
j.gtld-servers.net.	2442	IN	A	192.48.79.30
i.gtld-servers.net.	66535	IN	A	192.43.172.30
e.gtld-servers.net.	56469	IN	A	192.12.94.30
a.gtld-servers.net.	34163	IN	A	192.5.6.30
a.gtld-servers.net.	7565	IN	AAAA	2001:503:a83e::2:30
h.gtld-servers.net.	68265	IN	A	192.54.112.30
f.gtld-servers.net.	31194	IN	A	192.35.51.30
b.gtld-servers.net.	4732	IN	A	192.33.14.30
b.gtld-servers.net.	22851	IN	AAAA	2001:503:231d::2:30
l.gtld-servers.net.	42219	IN	A	192.41.162.30
c.gtld-servers.net.	34151	IN	A	192.26.92.30
m.gtld-servers.net.	47041	IN	A	192.55.83.30
d.gtld-servers.net.	25144	IN	A	192.31.80.30
k.gtld-servers.net.	65164	IN	A	192.52.178.30

;; Query time: 84 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Sep 06 15:50:49 CST 2016
;; MSG SIZE  rcvd: 589
Specify the DNS server to ask:   # dig <name to query> <record type> @<DNS server IP>
dig www.baidu.com mx @8.8.8.8
MX query
Reverse lookup:   # dig -x <server IP address>   # +noall suppresses every section; +answer then prints only the answer section
# The result of a reverse lookup may not match the forward lookup, because the mapping between names and IP addresses can be one-to-many or many-to-one.
Where dig shines
1. Query the DNS server's BIND version:   # dig +noall +answer txt chaos VERSION.BIND @<DNS server, i.e. the host named in the NS record>
Hence dig can also be used to look up host records under a domain, e.g. www.sina.com under sina.com.   # Security-conscious sites hide the BIND version string.
### A compromised DNS server gives up all of its host records.
2. DNS trace:   # dig +trace <domain>   # walks the delegation chain from the root; dig performs the resolution step by step itself
3. DNS zone transfer:   # dig @<DNS server> <domain> axfr   # loosely speaking, this asks the server for what its backup DNS server would receive
A zone transfer is how a secondary (backup) server refreshes its own zone database with data from the primary server. It gives a running DNS service a degree of redundancy, so that the unexpected failure of the primary name server does not take the whole domain down, and it keeps the zone data in sync.
### If zone transfers are misconfigured on the DNS server, anyone can connect and pull the entire zone.
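Added example (not configuration from the post): the BIND `named.conf` settings that close the two exposures discussed above, the CHAOS `VERSION.BIND` query and an open zone transfer. The zone name and the secondary's address 192.0.2.53 are placeholders.

```conf
options {
    directory "/var/cache/bind";
    // dig +noall +answer txt chaos VERSION.BIND @ns now returns this string
    // instead of the real BIND version.
    version "not disclosed";
    // Weak setting some servers ship with: any client may pull the whole zone.
    // allow-transfer { any; };
    // Safe global default: no AXFR to anyone unless a zone says otherwise.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    // Only the secondary (placeholder address) may request AXFR, and it is
    // notified on every change so it refreshes promptly.
    allow-transfer { 192.0.2.53; };
    also-notify { 192.0.2.53; };
};
```

After reloading, `dig @<this server> example.com axfr` from any other host should print `; Transfer failed.` rather than the zone.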
[email protected]:~# dig @ns3.sina.com sina.com axfr

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @ns3.sina.com sina.com axfr
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Equivalent command: host -T -l sina.com ns3.sina.com   # -l requests a full AXFR zone transfer (-T: use TCP)
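Added example (not dig's or the post's own code): a small parser for the dig output layout shown in the sessions above, plus a check that classifies the result of an AXFR attempt, which is how you would audit your own name servers for the misconfiguration described. The sample outputs are constructed inline; only the format follows dig.

```python
# Added example for this post (not dig's or the article's own code): parse the dig
# output layout shown above into records and judge an AXFR attempt's outcome.
# Sample outputs are constructed here to mirror the sessions in the post.
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rclass rtype rdata")
# One resource record as dig prints it: NAME TTL CLASS TYPE RDATA
_RR = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.*)$")

def parse_records(output):
    """Return {section: [Record]} for a normal query (ANSWER/AUTHORITY/...).
    Records printed outside any section header (as AXFR does) go under 'AXFR'."""
    sections, current = {}, "AXFR"
    for line in output.splitlines():
        hdr = re.match(r"^;; (\w+) SECTION:", line)
        if hdr:
            current = hdr.group(1)
            continue
        m = _RR.match(line)
        if m and not line.startswith(";"):  # ';' lines are dig's own comments
            name, ttl, rclass, rtype, rdata = m.groups()
            sections.setdefault(current, []).append(
                Record(name, int(ttl), rclass, rtype, rdata.strip()))
    return sections

def axfr_status(output):
    """Classify `dig @server zone axfr` output: 'open', 'refused' or 'unreachable'.
    A complete transfer is bracketed by the zone's SOA record at start and end."""
    if "no servers could be reached" in output:
        return "unreachable"
    if "Transfer failed" in output:
        return "refused"
    soa = [r for r in parse_records(output).get("AXFR", []) if r.rtype == "SOA"]
    return "open" if len(soa) >= 2 else "refused"

# Constructed samples (same layout as the sessions in the post)
QUERY_OUTPUT = """\
;; QUESTION SECTION:
;www.example.com.\t\tIN\tA
;; ANSWER SECTION:
www.example.com.\t6\tIN\tCNAME\twww.a.example.net.
www.a.example.net.\t553\tIN\tA\t192.0.2.38
"""
AXFR_OPEN = """\
; (1 server found)
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
intranet.example.com.\t3600\tIN\tA\t10.0.0.5
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
"""
```

Feed it real output with `axfr_status(subprocess.run(["dig", "@ns", "zone", "axfr"], capture_output=True, text=True).stdout)`; anything other than `refused` from an external vantage point is a finding.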
2. whois registration information
# whois <domain>
[email protected]:~# whois wooyun.org
Domain Name: WOOYUN.ORG
Domain ID: D159099935-LROR
WHOIS Server:
Referral URL: http://www.net.cn
Updated Date: 2016-01-15T00:24:32Z
Creation Date: 2010-05-06T08:50:48Z
Registry Expiry Date: 2024-05-06T08:50:48Z
Sponsoring Registrar: Hichina Zhicheng Technology Limited
Sponsoring Registrar IANA ID: 420
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant ID: hc556860480-cn
Registrant Name: Fang Xiao Dun
Registrant Organization: Fang Xiao Dun
Registrant Street: Haidian District JuYuan Road 6# 502
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100080
Registrant Country: CN
Registrant Phone: +86.18610137578
Registrant Phone Ext:
Registrant Fax: +86.18610137578
Registrant Fax Ext:
Registrant Email: [email protected]
Admin ID: HC-009652962-CN
Admin Name: Fang Xiaodun
Admin Organization: Beijing Bigfish Technology
Admin Street: Haidian District JuYuan Road 6# 502
Admin City: Beijing
Admin State/Province: Beijing
Admin Postal Code: 100080
Admin Country: CN
Admin Phone: +86.18610137578
Admin Phone Ext:
Admin Fax: +86.18610137578
Admin Fax Ext:
Admin Email: [email protected]
Tech ID: HC-844637505-CN
Tech Name: Fang Xiaodun
Tech Organization: Beijing Bigfish Technology
Tech Street: Haidian District JuYuan Road 6# 502
Tech City: Beijing
Tech State/Province: Beijing
Tech Postal Code: 100080
Tech Country: CN
Tech Phone: +86.18610137578
Tech Phone Ext:
Tech Fax: +86.18610137578
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS1.DNSV2.COM
Name Server: NS2.DNSV2.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-09-02T21:50:05Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.
Whois websites offer a graphical front end, but their results can be less complete than the command line.
3. DNSenum
The goal of dnsenum is to collect as much information about a domain as possible. It can guess likely subdomains via Google or a wordlist, and run reverse lookups over a network range. It looks up the site's host addresses, its name servers and its MX records (mail exchangers), issues AXFR requests to the name servers, obtains further domain names through Google scripting (google hacking), extracts subdomains and queries them, computes the class-C ranges and runs whois on them, performs reverse lookups, and writes the address ranges to a file.
Common usage:
[email protected]:~# dnsenum -enum baidu.com
dnsenum.pl VERSION:1.2.3
Warning: can't load Net::Whois::IP module, whois queries disabled.

-----   baidu.com   -----

Host's addresses:
__________________

baidu.com.	346	IN	A	220.181.57.217
baidu.com.	346	IN	A	111.13.101.208
baidu.com.	346	IN	A	123.125.114.144
baidu.com.	346	IN	A	180.149.132.47

Name Servers:
______________

ns2.baidu.com.	76012	IN	A	61.135.165.235
ns4.baidu.com.	25326	IN	A	220.181.38.10
ns3.baidu.com.	38813	IN	A	220.181.37.10
ns7.baidu.com.	78929	IN	A	119.75.219.82
dns.baidu.com.	35202	IN	A	202.108.22.220

Mail (MX) Servers:
___________________

mx1.baidu.com.	600	IN	A	61.135.163.61
jpmx.baidu.com.	2599	IN	A	61.208.132.13
mx50.baidu.com.	600	IN	A	61.135.163.61
mx.n.shifen.com.	600	IN	A	220.181.3.77

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for baidu.com on ns4.baidu.com ...
Common options

| Option | Meaning |
| --- | --- |
| --threads [number] | Number of processes the user may run concurrently |
| -r | Enable recursive queries on subdomains |
| -d | Delay in seconds between WHOIS requests |
| -o | Output file location |
| -w | Enable WHOIS requests |
4. fierce
fierce is mainly a tool for scanning subdomains and collecting information about them; it is used to obtain all IP addresses and host information for a target domain.
[email protected]:~# fierce -dns baidu.com
DNS Servers for baidu.com:
	ns4.baidu.com
	ns2.baidu.com
	ns3.baidu.com
	ns7.baidu.com
	dns.baidu.com

Trying zone transfer first...
	Testing ns4.baidu.com
		Request timed out or transfer not allowed.
	Testing ns2.baidu.com
		Request timed out or transfer not allowed.
	Testing ns3.baidu.com
		Request timed out or transfer not allowed.
	Testing ns7.baidu.com
		Request timed out or transfer not allowed.
	Testing dns.baidu.com
		Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
10.94.49.39	access.baidu.com
10.11.252.74	accounts.baidu.com
10.26.109.19	admin.baidu.com
10.42.4.225	ads.baidu.com
172.22.15.17	agent.baidu.com
172.22.15.16	agent.baidu.com
10.57.8.26	alpha.baidu.com
...
- Wordlist brute force   # used when the DNS server does not allow zone transfers   # Kali 2.0 does not ship dnsdict6 by default
fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt
### e.g. locating the wordlist that ships with the package
dpkg -L fierce
dnsdict6 -d4 -t 16 -x sina.com   # -t: number of threads   # -d: show IPv6 addresses plus MX and NS   # -d4: IPv4   # wordlist size: -l/-m/-x/-u
# dnsdict6: fast, with a large, complete and accurate wordlist
dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
dnsmap sina.com -w dns.txt
dnsrecon -d sina.com --lifetime 10 -t brt -D dnsbig.txt
dnsrecon -t std -d sina.com
Beginner's diary, to be continued...
Beginner's diary 3: Kali penetration testing, passive information gathering (part 2): dig, whois, dnsenum, fierce