DNS侦查工具

NS简介

访问某网站的时候,我们只需要打开浏览器输入例如:www.baidu.com就可以解析到该网站.为了便于记住不需要输入长长的IP地址去访问,这时DNS把相对应的域名解析成IP地址,这就是DNS域名解析.

关于域名

域名的层次划分用点来分割,最低在左边,高的在右边.例如:www.baidu.com.域名服务是基于UDP实现端口号为53.子域名还划分国家,地区,组织.

 

域名还需要由遍及世界的域名服务器去解析,也进行划分高低层次,由高到低:根域名服务器,顶级域名服务器,权限域名服务器,本地域名服务器.实际上DNS系统是一种分布式地址信息数据库系统.

查询过程:主机先向本地域名服务器进行递归查询->本地域名服务器迭代查询,向根域名服务器查询->根域名服务器告诉本地域名服务器,下次该查询的顶级域名服务器dns.com的IP地址->本地域名服务器向顶级域名服务器dns.com进行查询->顶级域名服务器com告诉本地域名服务器,下一步查询权限服务器dns.baidu.com的IP地址->本地域名服务器向权限服务器dns.baidu.com进行查询->权限服务器dns.baidu.com告诉本地域名服务器所查询的主机的IP地址->本地域名服务器最后把查询结果告诉主机.

DNS侦查

DNS侦查关心的是:识别谁拥有一个特定域或一系列IP地址,定义实际域名的DNS信息和标识目标的IP地址以及目标之间的路由.

whois查询

whois是识别分配给网站的地址,相关信息数据包括注册用户的域名或IP地址等等.

 

root@zhaji:~# whois baidu.com

Domain Name: BAIDU.COM

Registry Domain ID: 11181110_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.markmonitor.com

Registrar URL: http://www.markmonitor.com

Updated Date: 2017-07-28T02:36:28Z

Creation Date: 1999-10-11T11:05:17Z

Registry Expiry Date: 2026-10-11T11:05:17Z

Registrar: MarkMonitor Inc.

Registrar IANA ID: 292

Registrar Abuse Contact Email: abusecomplaints@markmonitor.com

Registrar Abuse Contact Phone: +1.2083895740

Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited

Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited

Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited

Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited

Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited

Name Server: DNS.BAIDU.COM

Name Server: NS2.BAIDU.COM

Name Server: NS3.BAIDU.COM

Name Server: NS4.BAIDU.COM

Name Server: NS7.BAIDU.COM

DNSSEC: unsigned

URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

>>> Last update of whois database: 2018-10-16T09:18:57Z <<<

 

For more information on Whois status codes, please visit https://icann.org/epp

 

NOTICE: The expiration date displayed in this record is the date the

registrar's sponsorship of the domain name registration in the registry is

currently set to expire. This date does not necessarily reflect the expiration

date of the domain name registrant's agreement with the sponsoring

registrar. Users may consult the sponsoring registrar's Whois database to

view the registrar's reported date of expiration for this registration.

 

TERMS OF USE: You are not authorized to access or query our Whois

database through the use of electronic processes that are high-volume and

automated except as reasonably necessary to register domain names or

modify existing registrations; the Data in VeriSign Global Registry

Services' ("VeriSign") Whois database is provided by VeriSign for

information purposes only, and to assist persons in obtaining information

about or related to a domain name registration record. VeriSign does not

guarantee its accuracy. By submitting a Whois query, you agree to abide

by the following terms of use: You agree that you may use this Data only

for lawful purposes and that under no circumstances will you use this Data

to: (1) allow, enable, or otherwise support the transmission of mass

unsolicited, commercial advertising or solicitations via e-mail, telephone,

or facsimile; or (2) enable high volume, automated, electronic processes

that Apply to VeriSign (or its computer systems). The compilation,

repackaging, dissemination or other use of this Data is expressly

prohibited without the prior written consent of VeriSign. You agree not to

use electronic processes that are automated and high-volume to access or

query the Whois database except as reasonably necessary to register

domain names or modify existing registrations. VeriSign reserves the right

to restrict your access to the Whois database in its sole discretion to ensure

operational stability. VeriSign may restrict or terminate your access to the

Whois database for failure to abide by these terms of use. VeriSign

reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and

Registrars.

Domain Name: baidu.com

Registry Domain ID: 11181110_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.markmonitor.com

Registrar URL: http://www.markmonitor.com

Updated Date: 2017-07-27T19:36:28-0700

Creation Date: 1999-10-11T04:05:17-0700

Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700

Registrar: MarkMonitor, Inc.

Registrar IANA ID: 292

Registrar Abuse Contact Email: abusecomplaints@markmonitor.com

Registrar Abuse Contact Phone: +1.2083895740

Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)

Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)

Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)

Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)

Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)

Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)

Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.

Registrant State/Province: Beijing

Registrant Country: CN

Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.

Admin State/Province: Beijing

Admin Country: CN

Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.

Tech State/Province: Beijing

Tech Country: CN

Name Server: ns7.baidu.com

Name Server: ns2.baidu.com

Name Server: dns.baidu.com

Name Server: ns4.baidu.com

Name Server: ns3.baidu.com

DNSSEC: unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2018-10-16T02:15:43-0700 <<<

If certain contact information is not shown for a Registrant, Administrative,

or Technical contact, and you wish to send a message to these contacts, please

send your message to whoisrelay@markmonitor.com and specify the domain name in

the subject line. We will forward that message to the underlying contact.

If you have a legitimate interest in viewing the non-public WHOIS details, send

your request and the reasons for your request to abusecomplaints@markmonitor.com

and specify the domain name in the subject line. We will review that request and

may ask for supporting documentation and explanation.

The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for

information purposes, and to assist persons in obtaining information about or

related to a domain name registration record. MarkMonitor.com does not guarantee

its accuracy. By submitting a WHOIS query, you agree that you will use this Data

only for lawful purposes and that, under no circumstances will you use this Data to:

(1) allow, enable, or otherwise support the transmission of mass unsolicited,

commercial advertising or solicitations via e-mail (spam); or

(2) enable high volume, automated, electronic processes that apply to

MarkMonitor.com (or its systems).

MarkMonitor.com reserves the right to modify these terms at any time.

By submitting this query, you agree to abide by this policy.

 

MarkMonitor is the Global Leader in Online Brand Protection.

 

MarkMonitor Domain Management(TM)

MarkMonitor Brand Protection(TM)

MarkMonitor AntiPiracy(TM)

MarkMonitor AntiFraud(TM)

Professional and Managed Services

 

Visit MarkMonitor at http://www.markmonitor.com

Contact us at +1.8007459229

In Europe, at +44.02032062220

 

For more information on Whois status codes, please visit

https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en

 

Dmitry

dmitry会搜索子域,邮件地址,进行TCP扫描. 便于分析 可使用 -o 把查询的信息写入一个文本文件. 其他命令可指定查询

root@zhaji:~# dmitry -o webTest/output.txt www.baidu.com

Deepmagic Information Gathering Tool

"There be some deep magic going on"

 

Writing output to 'webTest/output.txt'

 

HostIP:61.135.169.121

HostName:www.baidu.com

 

Gathered Inet-whois information for 61.135.169.121

---------------------------------

 

inetnum: 61.14.228.0 - 61.255.255.255

netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK

descr: IPv4 address block not managed by the RIPE NCC

remarks: ------------------------------------------------------

remarks:

remarks: You can find the whois server to query, or the

remarks: IANA registry to query on this web page:

remarks: http://www.iana.org/assignments/ipv4-address-space

remarks:

remarks: You can access databases of other RIRs at:

remarks:

remarks: AFRINIC (Africa)

remarks: http://www.afrinic.net/ whois.afrinic.net

remarks:

remarks: APNIC (Asia Pacific)

remarks: http://www.apnic.net/ whois.apnic.net

remarks:

remarks: ARIN (Northern America)

remarks: http://www.arin.net/ whois.arin.net

remarks:

remarks: LACNIC (Latin America and the Carribean)

remarks: http://www.lacnic.net/ whois.lacnic.net

remarks:

remarks: IANA IPV4 Recovered Address Space

remarks: http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml

remarks:

remarks: ------------------------------------------------------

country: EU # Country is really world wide

admin-c: IANA1-RIPE

tech-c: IANA1-RIPE

status: ALLOCATED UNSPECIFIED

mnt-by: RIPE-NCC-HM-MNT

mnt-lower: RIPE-NCC-HM-MNT

created: 2018-05-28T14:20:24Z

last-modified: 2018-09-04T13:35:08Z

source: RIPE

 

role: Internet Assigned Numbers Authority

address: see http://www.iana.org.

admin-c: IANA1-RIPE

tech-c: IANA1-RIPE

nic-hdl: IANA1-RIPE

remarks: For more information on IANA services

remarks: go to IANA web site at http://www.iana.org.

mnt-by: RIPE-NCC-MNT

created: 1970-01-01T00:00:00Z

last-modified: 2001-09-22T09:31:27Z

source: RIPE # Filtered

 

% This query was served by the RIPE Database Query Service version 1.92.6 (WAGYU)

 

nslookup

nslookup查询 可指dns服务器 如不指定使用默认dns服务器

root@zhaji:~# nslookup www.baidu.com

Server:10.198.1.1

Address:10.198.1.1#53

 

Non-authoritative answer:

Name:www.baidu.com

Address: 61.135.169.121

Name:www.baidu.com

Address: 61.135.169.125

www.baidu.comcanonical name = www.a.shifen.com. #识别的别名

还可检查是否DNS服务器被篡改

nslookup

> server

Default server: 10.198.1.1

Address: 10.198.1.1#53

更换dns服务器查询

root@zhaji:~# nslookup -type=ns baidu.com 8.8.8.8

Server:8.8.8.8

Address:8.8.8.8#53

 

Non-authoritative answer:

baidu.comnameserver = ns2.baidu.com.

baidu.comnameserver = ns3.baidu.com.

baidu.comnameserver = ns7.baidu.com.

baidu.comnameserver = ns4.baidu.com.

baidu.comnameserver = dns.baidu.com.

lbd

lbd给定一个域检查是否使用DNS或者HTTP负载均衡

lbd www.baidu.com

 

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.

Written by Stefan Behte (http://ge.mine.nu)

Proof-of-concept! Might give false positives.

 

Checking for DNS-Loadbalancing: FOUND

www.baidu.com has address 61.135.169.121

www.baidu.com has address 61.135.169.125

 

Checking for HTTP-Loadbalancing [Server]:

bfe/1.0.8.18

NOT FOUND

 

Checking for HTTP-Loadbalancing [Date]: 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:07, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:08, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, 08:33:09, NOT FOUND

 

Checking for HTTP-Loadbalancing [Diff]: FOUND

< Etag: "575e1f5d-115"

< Last-Modified: Mon, 13 Jun 2016 02:50:05 GMT

> Etag: "575e1f5c-115"

> Last-Modified: Mon, 13 Jun 2016 02:50:04 GMT

 

www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]

Recon-ng

这个开源框架比较强大,模块使用Python编写,可自行建立改变模块也可利用第三方的API可能会被第三方跟踪.在kali中集成会把收集的数据放入数据库中. 有很多模块水土不服.

第一次启动会告知你没有安装的依赖

root@zhaji:~# recon-ng

[!] 'github_api' key not set. github_users module will likely fail at runtime. See 'keys add'.

[!] 'github_api' key not set. github_commits module will likely fail at runtime. See 'keys add'.

[!] 'censysio_id' key not set. censysio module will likely fail at runtime. See 'keys add'.

[!] 'censysio_secret' key not set. censysio module will likely fail at runtime. See 'keys add'.

[!] 'github_api' key not set. github_repos module will likely fail at runtime. See 'keys add'.

[!] 'fullcontact_api' key not set. fullcontact module will likely fail at runtime. See 'keys add'.

[!] 'google_api' key not set. youtube module will likely fail at runtime. See 'keys add'.

[!] 'flickr_api' key not set. flickr module will likely fail at runtime. See 'keys add'.

[!] 'twitter_api' key not set. twitter module will likely fail at runtime. See 'keys add'.

[!] 'twitter_secret' key not set. twitter module will likely fail at runtime. See 'keys add'.

[!] 'shodan_api' key not set. shodan module will likely fail at runtime. See 'keys add'.

[!] 'ipinfodb_api' key not set. ipinfodb module will likely fail at runtime. See 'keys add'.

[!] 'bing_api' key not set. bing_ip module will likely fail at runtime. See 'keys add'.

[!] 'github_api' key not set. github_miner module will likely fail at runtime. See 'keys add'.

[!] 'shodan_api' key not set. shodan_ip module will likely fail at runtime. See 'keys add'.

[!] 'pwnedlist_api' key not set. api_usage module will likely fail at runtime. See 'keys add'.

[!] 'pwnedlist_secret' key not set. api_usage module will likely fail at runtime. See 'keys add'.

[!] 'pwnedlist_api' key not set. domain_creds module will likely fail at runtime. See 'keys add'.

[!] 'pwnedlist_secret' key not set. domain_creds module will likely fail at runtime. See 'keys add'.

[!] 'pwnedlist_iv' key not set. domain_creds module will likely fail

可根据自己的需求安装 pip install name

[recon-ng][default] > help

 

Commands (type [help|?] <topic>):

---------------------------------

add Adds records to the database

back Exits the current context

delete Deletes records from the database

exit Exits the framework

help Displays this menu

keys Manages framework API keys

load Loads specified module

pdb Starts a Python Debugger session

query Queries the database

record Records commands to a resource file

reload Reloads all modules

resource Executes commands from a resource file

search Searches available modules

set Sets module options

shell Executes shell commands

show Shows various framework items

snapshots Manages workspace snapshots

spool Spools output to a file

unset Unsets module options

use Loads specified module

workspaces Manages workspaces

show modules显示模块 Tab 可自动补全

[recon-ng][default] > show modules

 

Discovery

---------

discovery/info_disclosure/cache_snoop

discovery/info_disclosure/interesting_files

 

Exploitation

------------

exploitation/injection/command_injector

exploitation/injection/xpath_bruter

 

Import

------

import/csv_file

import/list

 

Recon

-----

recon/companies-contacts/bing_linkedin_cache

recon/companies-contacts/jigsaw/point_usage

recon/companies-contacts/jigsaw/purchase_contact

recon/companies-contacts/jigsaw/search_contacts

recon/companies-multi/github_miner

recon/companies-multi/whois_miner

recon/contacts-contacts/mailtester

recon/contacts-contacts/mangle

recon/contacts-contacts/unmangle

recon/contacts-credentials/hibp_breach

recon/contacts-credentials/hibp_paste

recon/contacts-domains/migrate_contacts

recon/contacts-profiles/fullcontact

recon/credentials-credentials/adobe

recon/credentials-credentials/bozocrack

recon/credentials-credentials/hashes_org

recon/domains-contacts/metacrawler

recon/domains-contacts/pgp_search

recon/domains-contacts/whois_pocs

recon/domains-credentials/pwnedlist/account_creds

recon/domains-credentials/pwnedlist/api_usage

recon/domains-credentials/pwnedlist/domain_creds

recon/domains-credentials/pwnedlist/domain_ispwned

recon/domains-credentials/pwnedlist/leak_lookup

recon/domains-credentials/pwnedlist/leaks_dump

recon/domains-domains/brute_suffix

recon/domains-hosts/bing_domain_api

recon/domains-hosts/bing_domain_web

recon/domains-hosts/brute_hosts

recon/domains-hosts/builtwith

recon/domains-hosts/certificate_transparency

recon/domains-hosts/google_site_api

recon/domains-hosts/google_site_web

recon/domains-hosts/hackertarget

recon/domains-hosts/mx_spf_ip

recon/domains-hosts/netcraft

recon/domains-hosts/shodan_hostname

recon/domains-hosts/ssl_san

recon/domains-hosts/threatcrowd

recon/domains-vulnerabilities/ghdb

recon/domains-vulnerabilities/punkspider

recon/domains-vulnerabilities/xssed

recon/domains-vulnerabilities/xssposed

recon/hosts-domains/migrate_hosts

recon/hosts-hosts/bing_ip

recon/hosts-hosts/freegeoip

recon/hosts-hosts/ipinfodb

recon/hosts-hosts/resolve

recon/hosts-hosts/reverse_resolve

recon/hosts-hosts/ssltools

recon/hosts-locations/migrate_hosts

recon/hosts-ports/shodan_ip

recon/locations-locations/geocode

recon/locations-locations/reverse_geocode

recon/locations-pushpins/flickr

recon/locations-pushpins/picasa

recon/locations-pushpins/shodan

recon/locations-pushpins/twitter

recon/locations-pushpins/youtube

recon/netblocks-companies/whois_orgs

recon/netblocks-hosts/reverse_resolve

recon/netblocks-hosts/shodan_net

recon/netblocks-ports/census_2012

recon/netblocks-ports/censysio

recon/ports-hosts/migrate_ports

recon/profiles-contacts/dev_diver

recon/profiles-contacts/github_users

recon/profiles-profiles/namechk

recon/profiles-profiles/profiler

recon/profiles-profiles/twitter_mentioned

recon/profiles-profiles/twitter_mentions

recon/profiles-repositories/github_repos

recon/repositories-profiles/github_commits

recon/repositories-vulnerabilities/gists_search

recon/repositories-vulnerabilities/github_dorks

 

Reporting

---------

reporting/csv

reporting/html

reporting/json

reporting/list

reporting/proxifier

reporting/pushpin

reporting/xlsx

reporting/xml

选择模块 load

[recon-ng][default] > load recon/profiles-profiles/profiler

[recon-ng][default][profiler] > show options

 

Name Current Value Required Description

------ ------------- -------- -----------

SOURCE csdn.net yes source of input (see 'show info' for details)

[recon-ng][default][profiler] > set SOURCE baidu.com

SOURCE => baidu.com

[recon-ng][default][profiler] > run

 

版权声明：本文为博主原创文章，遵循 CC 4.0 BY-SA 版权协议，转载请附上原文出处链接和本声明。

本文链接：https://blog.csdn.net/freegotocpp/article/details/83089023