DNS overview
When visiting a website we only need to open a browser and type, for example, www.baidu.com, and the name is resolved to that site. So that addresses are easy to remember and no long IP address has to be typed, DNS resolves the corresponding domain name into an IP address; this is DNS domain name resolution.
About domain names
The levels of a domain name are separated by dots, with the lowest level on the left and the highest on the right, e.g. www.baidu.com. The domain name service runs over UDP on port 53. Subdomains are further divided by country, region and organization.
Domain names are resolved by name servers spread across the world, which are likewise arranged in levels, from high to low: root name servers, top-level domain (TLD) name servers, authoritative name servers, and local name servers. The DNS system is in fact a distributed database of address information.
Query process:
1. The host sends a recursive query to its local name server.
2. The local name server resolves it iteratively, first asking a root name server.
3. The root name server tells the local name server the IP address of the TLD name server dns.com to ask next.
4. The local name server queries the TLD name server dns.com.
5. The com TLD name server tells the local name server the IP address of the authoritative server dns.baidu.com to ask next.
6. The local name server queries the authoritative server dns.baidu.com.
7. The authoritative server dns.baidu.com tells the local name server the IP address of the requested host.
8. The local name server finally returns the result to the host.
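The walk above, as an added example that is not part of the original post: a small simulation in which a local name server follows referrals from a constructed root through a constructed com TLD server to dns.baidu.com. The server names follow the post; the 192.0.2.x addresses and the referral table are constructed assumptions.

```python
# Added example (not from the original post): a simulation of the resolution walk
# described above. The root, TLD and authoritative servers are a constructed
# referral table; every IP address except the final answer is a constructed
# 192.0.2.x documentation address.
from dataclasses import dataclass, field

@dataclass
class NameServer:
    name: str
    answers: dict = field(default_factory=dict)    # qname -> IP this server is authoritative for
    referrals: dict = field(default_factory=dict)  # zone suffix -> (child NS name, child NS IP)

    def query(self, qname):
        """Return ('answer', ip), ('referral', (ns_name, ns_ip)) or ('nxdomain', None)."""
        if qname in self.answers:
            return "answer", self.answers[qname]
        # Longest matching zone wins, so 'baidu.com.' beats 'com.' where both exist.
        for zone in sorted(self.referrals, key=len, reverse=True):
            if qname.endswith(zone):
                return "referral", self.referrals[zone]
        return "nxdomain", None

# Constructed topology mirroring the post's walk: root -> com TLD -> dns.baidu.com.
ROOT = NameServer("root", referrals={"com.": ("dns.com", "192.0.2.1")})
TLD_COM = NameServer("dns.com", referrals={"baidu.com.": ("dns.baidu.com", "192.0.2.2")})
AUTH_BAIDU = NameServer("dns.baidu.com", answers={"www.baidu.com.": "61.135.169.121"})
SERVERS_BY_IP = {"192.0.2.1": TLD_COM, "192.0.2.2": AUTH_BAIDU}

def iterative_resolve(qname, root=ROOT, max_hops=8):
    """Local name server side: follow referrals from the root until an answer arrives.
    Returns (ip_or_None, [names of the servers contacted, in order])."""
    path, server = [], root
    for _ in range(max_hops):
        path.append(server.name)
        kind, payload = server.query(qname)
        if kind == "answer":
            return payload, path
        if kind == "nxdomain":
            return None, path
        _ns_name, ns_ip = payload
        server = SERVERS_BY_IP[ns_ip]  # contact the server at the IP the referral supplied
    return None, path  # hop limit: never follow an unbounded referral chain

def recursive_query(qname):
    """Host side: one recursive question to the local name server, one final answer."""
    ip, _path = iterative_resolve(qname)
    return ip

if __name__ == "__main__":
    print(iterative_resolve("www.baidu.com."))
    # -> ('61.135.169.121', ['root', 'dns.com', 'dns.baidu.com'])
```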
DNS reconnaissance
DNS reconnaissance is concerned with identifying who owns a particular domain or range of IP addresses, determining the DNS information for the actual domain name, and identifying the target's IP addresses and the routes to the target.
whois lookup
whois identifies who the address assigned to a website belongs to; the related record data includes the registered user's domain name or IP address, and so on.
root@zhaji:~# whois baidu.com
Domain Name: BAIDU.COM
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-07-28T02:36:28Z
Creation Date: 1999-10-11T11:05:17Z
Registry Expiry Date: 2026-10-11T11:05:17Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: DNS.BAIDU.COM
Name Server: NS2.BAIDU.COM
Name Server: NS3.BAIDU.COM
Name Server: NS4.BAIDU.COM
Name Server: NS7.BAIDU.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-10-16T09:18:57Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
Domain Name: baidu.com
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-07-27T19:36:28-0700
Creation Date: 1999-10-11T04:05:17-0700
Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant State/Province: Beijing
Registrant Country: CN
Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Admin State/Province: Beijing
Admin Country: CN
Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Tech State/Province: Beijing
Tech Country: CN
Name Server: ns7.baidu.com
Name Server: ns2.baidu.com
Name Server: dns.baidu.com
Name Server: ns4.baidu.com
Name Server: ns3.baidu.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-10-16T02:15:43-0700 <<<
For more information on Whois status codes, please visit
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
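As an added example that is not part of the original post, the following parses the key/value fields of a whois record like the one above (a constructed excerpt is embedded) and reports the items a domain owner checks: whether the registrar locks are set, whether the zone is DNSSEC-signed, and how close the expiry date is. The 90-day threshold and the "now" timestamp are assumptions.

```python
# Added example (not from the original post): parse the key/value fields of a whois
# record and report the registration-hygiene items a domain owner should verify.
from datetime import datetime, timezone

# Constructed excerpt, with values copied from the record shown above.
SAMPLE_WHOIS = """\
Domain Name: BAIDU.COM
Registrar URL: http://www.markmonitor.com
Registry Expiry Date: 2026-10-11T11:05:17Z
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: DNS.BAIDU.COM
Name Server: NS2.BAIDU.COM
DNSSEC: unsigned
>>> Last update of whois database: 2018-10-16T09:18:57Z <<<
"""

# Registrar-side locks that block deletion, transfer and update without the owner's consent.
EXPECTED_LOCKS = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (Domain Status, Name Server) become lists.
    Only the first colon separates key from value, so URLs and timestamps survive intact."""
    record = {}
    for line in text.splitlines():
        if line.startswith((">>>", "%")) or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key and value:
            record.setdefault(key, []).append(value)
    return record

def _utc(stamp):
    """Parse the registry's 'YYYY-MM-DDTHH:MM:SSZ' form into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_hygiene(record, now_utc):
    """Return findings; a True value or a non-empty list means the item needs attention."""
    statuses = {value.split()[0] for value in record.get("Domain Status", [])}
    expiry = _utc(record["Registry Expiry Date"][0])
    days_left = (expiry - _utc(now_utc)).days
    return {
        "missing_locks": sorted(EXPECTED_LOCKS - statuses),
        "dnssec_unsigned": record.get("DNSSEC", ["unsigned"])[0].lower() == "unsigned",
        "expires_within_90_days": days_left < 90,
        "name_servers": sorted(ns.lower() for ns in record.get("Name Server", [])),
    }

if __name__ == "__main__":
    print(check_hygiene(parse_whois(SAMPLE_WHOIS), "2018-10-16T00:00:00Z"))
```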
Dmitry
dmitry searches for subdomains and email addresses and performs TCP scans. To make analysis easier, use -o to write the query results to a text file; other options select specific queries.
root@zhaji:~# dmitry -o webTest/output.txt www.baidu.com
Deepmagic Information Gathering Tool
"There be some deep magic going on"
Writing output to 'webTest/output.txt'
HostIP:    61.135.169.121
HostName:  www.baidu.com
Gathered Inet-whois information for 61.135.169.121
---------------------------------
inetnum: 61.14.228.0 - 61.255.255.255
netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks:
remarks: You can find the whois server to query, or the
remarks: IANA registry to query on this web page:
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks: You can access databases of other RIRs at:
remarks:
remarks: AFRINIC (Africa)
remarks: http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
remarks:
remarks: ARIN (Northern America)
remarks: http://www.arin.net/ whois.arin.net
remarks:
remarks: LACNIC (Latin America and the Carribean)
remarks: http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks: IANA IPV4 Recovered Address Space
remarks: http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
remarks:
remarks: ------------------------------------------------------
country: EU # Country is really world wide
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
created: 2018-05-28T14:20:24Z
last-modified: 2018-09-04T13:35:08Z
source: RIPE
role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2001-09-22T09:31:27Z
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.92.6 (WAGYU)
nslookup
An nslookup query can be directed at a specified DNS server; if none is given, the default DNS server is used.
root@zhaji:~# nslookup www.baidu.com
Server:    10.198.1.1
Address:   10.198.1.1#53
Non-authoritative answer:
Name:      www.baidu.com
Address:   61.135.169.121
Name:      www.baidu.com
Address:   61.135.169.125
www.baidu.com   canonical name = www.a.shifen.com.   # the alias (CNAME) that was identified
You can also check whether the configured DNS server has been tampered with:
nslookup
> server
Default server: 10.198.1.1
Address: 10.198.1.1#53
Query via a different DNS server:
root@zhaji:~# nslookup -type=ns baidu.com 8.8.8.8
Server:    8.8.8.8
Address:   8.8.8.8#53
Non-authoritative answer:
baidu.com   nameserver = ns2.baidu.com.
baidu.com   nameserver = ns3.baidu.com.
baidu.com   nameserver = ns7.baidu.com.
baidu.com   nameserver = ns4.baidu.com.
baidu.com   nameserver = dns.baidu.com.
lbd
Given a domain, lbd checks whether it uses DNS or HTTP load balancing.
lbd www.baidu.com
lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
Checking for DNS-Loadbalancing: FOUND
www.baidu.com has address 61.135.169.121
www.baidu.com has address 61.135.169.125
Checking for HTTP-Loadbalancing [Server]:
bfe/1.0.8.18
NOT FOUND
Checking for HTTP-Loadbalancing [Date]: 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, NOT FOUND
Checking for HTTP-Loadbalancing [Diff]: FOUND
< Etag: "575e1f5d-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:05 GMT
> Etag: "575e1f5c-115"
> Last-Modified: Mon, 13 Jun 2016 02:50:04 GMT
www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]
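As an added example that is not part of the original post or of lbd itself, the four verdicts lbd prints above are re-implemented over constructed inputs (two A records and three sets of response headers modelled on the output) so each rule can be read and run offline. The [Date] rule is an approximation of lbd's heuristic, not a copy of its script.

```python
# Added example (not from the original post): the four verdicts lbd prints, re-implemented
# over constructed DNS answers and HTTP response headers so each rule can be read offline.
# The inputs are modelled on the output above; the [Date] rule is an approximation of
# lbd's, not a copy of its script.
import re

DNS_ANSWERS = ["61.135.169.121", "61.135.169.125"]  # constructed: two A records
HTTP_RESPONSES = [  # constructed: headers from three back-to-back requests
    {"Server": "bfe/1.0.8.18", "Date": "Tue, 16 Oct 2018 08:33:07 GMT",
     "Etag": '"575e1f5d-115"', "Last-Modified": "Mon, 13 Jun 2016 02:50:05 GMT"},
    {"Server": "bfe/1.0.8.18", "Date": "Tue, 16 Oct 2018 08:33:07 GMT",
     "Etag": '"575e1f5c-115"', "Last-Modified": "Mon, 13 Jun 2016 02:50:04 GMT"},
    {"Server": "bfe/1.0.8.18", "Date": "Tue, 16 Oct 2018 08:33:08 GMT",
     "Etag": '"575e1f5d-115"', "Last-Modified": "Mon, 13 Jun 2016 02:50:05 GMT"},
]

def dns_loadbalancing(addresses):
    """[DNS]: FOUND when the name resolves to more than one distinct address."""
    return len(set(addresses)) > 1

def server_header_loadbalancing(responses):
    """[Server]: FOUND when the Server header differs between responses (distinct software)."""
    return len({r.get("Server") for r in responses}) > 1

def date_loadbalancing(responses):
    """[Date] (approximation): with one back-end, Date values from consecutive requests
    never step backwards; a step back hints at a second server with its own clock.
    The monotonic 08:33:07 -> 08:33:09 run in the output above is therefore NOT FOUND."""
    stamps = []
    for r in responses:
        m = re.search(r"(\d\d):(\d\d):(\d\d)", r.get("Date", ""))
        if m:
            h, mi, s = map(int, m.groups())
            stamps.append(h * 3600 + mi * 60 + s)
    return any(later < earlier for earlier, later in zip(stamps, stamps[1:]))

def diff_loadbalancing(responses, ignore=("Date",)):
    """[Diff]: names of headers other than Date whose value differs from the first response."""
    baseline, differing = responses[0], set()
    for r in responses[1:]:
        for name in set(baseline) | set(r):
            if name not in ignore and baseline.get(name) != r.get(name):
                differing.add(name)
    return sorted(differing)

def found_via(addresses, responses):
    """Mimic lbd's closing line: the list of methods that detected load balancing."""
    checks = [("DNS", dns_loadbalancing(addresses)),
              ("HTTP[Server]", server_header_loadbalancing(responses)),
              ("HTTP[Date]", date_loadbalancing(responses)),
              ("HTTP[Diff]", bool(diff_loadbalancing(responses)))]
    return [method for method, hit in checks if hit]
```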
Recon-ng
This open-source framework is quite powerful. Its modules are written in Python, so you can build or modify modules yourself; many modules rely on third-party APIs, which means your queries may be tracked by those third parties. The Kali integration stores the collected data in a database. Many modules do not work well in this environment.
On first start it tells you which dependencies are not installed:
root@zhaji:~# recon-ng
[!] 'github_api' key not set. github_users module will likely fail at runtime. See 'keys add'.
[!] 'github_api' key not set. github_commits module will likely fail at runtime. See 'keys add'.
[!] 'censysio_id' key not set. censysio module will likely fail at runtime. See 'keys add'.
[!] 'censysio_secret' key not set. censysio module will likely fail at runtime. See 'keys add'.
[!] 'github_api' key not set. github_repos module will likely fail at runtime. See 'keys add'.
[!] 'fullcontact_api' key not set. fullcontact module will likely fail at runtime. See 'keys add'.
[!] 'google_api' key not set. youtube module will likely fail at runtime. See 'keys add'.
[!] 'flickr_api' key not set. flickr module will likely fail at runtime. See 'keys add'.
[!] 'twitter_api' key not set. twitter module will likely fail at runtime. See 'keys add'.
[!] 'twitter_secret' key not set. twitter module will likely fail at runtime. See 'keys add'.
[!] 'shodan_api' key not set. shodan module will likely fail at runtime. See 'keys add'.
[!] 'ipinfodb_api' key not set. ipinfodb module will likely fail at runtime. See 'keys add'.
[!] 'bing_api' key not set. bing_ip module will likely fail at runtime. See 'keys add'.
[!] 'github_api' key not set. github_miner module will likely fail at runtime. See 'keys add'.
[!] 'shodan_api' key not set. shodan_ip module will likely fail at runtime. See 'keys add'.
[!] 'pwnedlist_api' key not set. api_usage module will likely fail at runtime. See 'keys add'.
[!] 'pwnedlist_secret' key not set. api_usage module will likely fail at runtime. See 'keys add'.
[!] 'pwnedlist_api' key not set. domain_creds module will likely fail at runtime. See 'keys add'.
[!] 'pwnedlist_secret' key not set. domain_creds module will likely fail at runtime. See 'keys add'.
[!] 'pwnedlist_iv' key not set. domain_creds module will likely fail
Install the ones you need as required: pip install name
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
add          Adds records to the database
back         Exits the current context
delete       Deletes records from the database
exit         Exits the framework
help         Displays this menu
keys         Manages framework API keys
load         Loads specified module
pdb          Starts a Python Debugger session
query        Queries the database
record       Records commands to a resource file
reload       Reloads all modules
resource     Executes commands from a resource file
search       Searches available modules
set          Sets module options
shell        Executes shell commands
show         Shows various framework items
snapshots    Manages workspace snapshots
spool        Spools output to a file
unset        Unsets module options
use          Loads specified module
workspaces   Manages workspaces
show modules lists the modules; Tab auto-completes names.
[recon-ng][default] > show modules
Discovery
---------
discovery/info_disclosure/cache_snoop
discovery/info_disclosure/interesting_files
Exploitation
------------
exploitation/injection/command_injector
exploitation/injection/xpath_bruter
Import
------
import/csv_file
import/list
Recon
-----
recon/companies-contacts/bing_linkedin_cache
recon/companies-contacts/jigsaw/point_usage
recon/companies-contacts/jigsaw/purchase_contact
recon/companies-contacts/jigsaw/search_contacts
recon/companies-multi/github_miner
recon/companies-multi/whois_miner
recon/contacts-contacts/mailtester
recon/contacts-contacts/mangle
recon/contacts-contacts/unmangle
recon/contacts-credentials/hibp_breach
recon/contacts-credentials/hibp_paste
recon/contacts-domains/migrate_contacts
recon/contacts-profiles/fullcontact
recon/credentials-credentials/adobe
recon/credentials-credentials/bozocrack
recon/credentials-credentials/hashes_org
recon/domains-contacts/metacrawler
recon/domains-contacts/pgp_search
recon/domains-contacts/whois_pocs
recon/domains-credentials/pwnedlist/account_creds
recon/domains-credentials/pwnedlist/api_usage
recon/domains-credentials/pwnedlist/domain_creds
recon/domains-credentials/pwnedlist/domain_ispwned
recon/domains-credentials/pwnedlist/leak_lookup
recon/domains-credentials/pwnedlist/leaks_dump
recon/domains-domains/brute_suffix
recon/domains-hosts/bing_domain_api
recon/domains-hosts/bing_domain_web
recon/domains-hosts/brute_hosts
recon/domains-hosts/builtwith
recon/domains-hosts/certificate_transparency
recon/domains-hosts/google_site_api
recon/domains-hosts/google_site_web
recon/domains-hosts/hackertarget
recon/domains-hosts/mx_spf_ip
recon/domains-hosts/netcraft
recon/domains-hosts/shodan_hostname
recon/domains-hosts/ssl_san
recon/domains-hosts/threatcrowd
recon/domains-vulnerabilities/ghdb
recon/domains-vulnerabilities/punkspider
recon/domains-vulnerabilities/xssed
recon/domains-vulnerabilities/xssposed
recon/hosts-domains/migrate_hosts
recon/hosts-hosts/bing_ip
recon/hosts-hosts/freegeoip
recon/hosts-hosts/ipinfodb
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/hosts-hosts/ssltools
recon/hosts-locations/migrate_hosts
recon/hosts-ports/shodan_ip
recon/locations-locations/geocode
recon/locations-locations/reverse_geocode
recon/locations-pushpins/flickr
recon/locations-pushpins/picasa
recon/locations-pushpins/shodan
recon/locations-pushpins/twitter
recon/locations-pushpins/youtube
recon/netblocks-companies/whois_orgs
recon/netblocks-hosts/reverse_resolve
recon/netblocks-hosts/shodan_net
recon/netblocks-ports/census_2012
recon/netblocks-ports/censysio
recon/ports-hosts/migrate_ports
recon/profiles-contacts/dev_diver
recon/profiles-contacts/github_users
recon/profiles-profiles/namechk
recon/profiles-profiles/profiler
recon/profiles-profiles/twitter_mentioned
recon/profiles-profiles/twitter_mentions
recon/profiles-repositories/github_repos
recon/repositories-profiles/github_commits
recon/repositories-vulnerabilities/gists_search
recon/repositories-vulnerabilities/github_dorks
Reporting
---------
reporting/csv
reporting/html
reporting/json
reporting/list
reporting/proxifier
reporting/pushpin
reporting/xlsx
reporting/xml
Select a module with load:
[recon-ng][default] > load recon/profiles-profiles/profiler
[recon-ng][default][profiler] > show options
Name    Current Value  Required  Description
------  -------------  --------  -----------
SOURCE  csdn.net       yes       source of input (see 'show info' for details)
[recon-ng][default][profiler] > set SOURCE baidu.com
SOURCE => baidu.com
[recon-ng][default][profiler] > run
Copyright notice: this article is the blogger's original work and is licensed under the CC 4.0 BY-SA license; when reproducing it, include the original source link and this notice.
Original link: https://blog.csdn.net/freegotocpp/article/details/83089023