f10@t's blog

Kali Penetration Testing: Information Gathering, Part 2

Word count: 3.4k  Reading time: 19 min
2019/05/10

Part 2

DNS zone transfer

DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.

A DNS zone transfer is how DNS servers keep their data in sync: when the zone on one server changes, the change is replicated to the others. It is normally only allowed between the authoritative servers of the same domain. If it is misconfigured, anyone can pull every host record and IP address in that domain, which is exactly the information attackers are after. The goal of DNS information gathering is therefore to obtain all host records of the target domain.

Zone transfers are described in detail here.

Zone transfer with dig

Below we use dig to request a zone transfer. Just add the axfr argument:

root@kali:~# dig sina.com ns         // first look up the NS records for sina.com


; <<>> DiG 9.11.5-P4-5-Debian <<>> sina.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33761
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;sina.com. IN NS

;; ANSWER SECTION:
sina.com. 5 IN NS ns3.sina.com.
sina.com. 5 IN NS ns2.sina.com.
sina.com. 5 IN NS ns1.sina.com.
sina.com. 5 IN NS ns4.sina.com.cn.
sina.com. 5 IN NS ns3.sina.com.cn.
sina.com. 5 IN NS ns4.sina.com.
sina.com. 5 IN NS ns2.sina.com.cn.
sina.com. 5 IN NS ns1.sina.com.cn.

;; ADDITIONAL SECTION:
ns1.sina.com.cn. 5 IN A 202.106.184.166
ns2.sina.com.cn. 5 IN A 180.149.138.199
ns3.sina.com.cn. 5 IN A 123.125.29.99

;; Query time: 26 msec
;; SERVER: 10.10.10.2#53(10.10.10.2)
;; WHEN: 五 5月 10 07:40:19 EDT 2019
;; MSG SIZE rcvd: 240

root@kali:~#
root@kali:~#
root@kali:~#
root@kali:~# dig @ns3.sina.com. sina.com axfr // try to pull its zone via AXFR

; <<>> DiG 9.11.5-P4-5-Debian <<>> @ns3.sina.com. sina.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed. // refused, as you can see
root@kali:~# dig @ns2.sina.com. sina.com axfr

; <<>> DiG 9.11.5-P4-5-Debian <<>> @ns2.sina.com. sina.com axfr // try a different DNS server
; (1 server found)
;; global options: +cmd
; Transfer failed. // still refused (of course)

Zone transfer with host

First, look at host's usage:

host: illegal option -- -
Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
[-R number] [-m flag] hostname [server]
-a is equivalent to -v -t ANY
-c specifies query class for non-IN data
-C compares SOA records on authoritative nameservers
-d is equivalent to -v
-i IP6.INT reverse lookups
-l lists all hosts in a domain, using AXFR //AXFR
-m set memory debugging flag (trace|record|usage)
-N changes the number of dots allowed before root lookup is done
-r disables recursive processing
-R specifies number of retries for UDP packets
-s a SERVFAIL response should stop query
-t specifies the query type
-T enables TCP/IP mode
-v enables verbose output
-V print version number and exit
-w specifies to wait forever for a reply
-W specifies how long to wait for a reply
-4 use IPv4 query transport only
-6 use IPv6 query transport only

We use the -l and -T options:

root@kali:~# host -T -l sina.com ns3.sina.com
Using domain server:
Name: ns3.sina.com
Address: 180.149.138.199#53
Aliases:

Host sina.com not found: 5(REFUSED) // refused as well, naturally
; Transfer failed.
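Both dig and host print a one-line refusal above. To see what the other outcome looks like, and what is at stake when a server answers, here is an added Python example (not part of the original post) that reads saved `dig @ns <zone> axfr` output, tells a refusal apart from a completed transfer, and turns a transferred zone into a host inventory, flagging names that point into RFC 1918 space. The successful-transfer sample is constructed (reserved name example.com, TEST-NET addresses) and was not captured from any real server; the refusal sample is the one from the post.

```python
"""Classify `dig @ns <zone> axfr` output and inventory what a leaked zone reveals.

Added example, not part of the original post. It parses the text dig prints,
so it runs on saved output and needs no network access.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a successful transfer from a server that answers AXFR
# to anyone. Zone name and addresses are placeholders (example.com, TEST-NET).
LEAKED_ZONE = """\
; <<>> DiG 9.11.5-P4-5-Debian <<>> @ns1.example.com. example.com axfr
; (1 server found)
;; global options: +cmd
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2019051001 7200 3600 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tNS\tns2.example.com.
example.com.\t3600\tIN\tMX\t10 mail.example.com.
ns1.example.com.\t3600\tIN\tA\t192.0.2.1
ns2.example.com.\t3600\tIN\tA\t192.0.2.2
mail.example.com.\t3600\tIN\tA\t192.0.2.10
intranet.example.com.\t300\tIN\tA\t10.0.5.20
vpn.example.com.\t300\tIN\tA\t192.0.2.30
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2019051001 7200 3600 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)
;; XFR size: 10 records (messages 1, bytes 287)
"""

# The refusal printed in the post when ns3.sina.com was asked for sina.com.
REFUSED = """\
; <<>> DiG 9.11.5-P4-5-Debian <<>> @ns3.sina.com. sina.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""

# name  TTL  IN  TYPE  RDATA  (dig separates the fields with tabs)
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return ("refused", []) or ("transferred", [(name, ttl, type, rdata), ...]).

    dig reports a refusal as the comment line '; Transfer failed.' and a
    success as one resource-record line per record, SOA first and last.
    """
    if "Transfer failed" in text:
        return "refused", []
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m["name"], int(m["ttl"]), m["type"], m["rdata"]))
    return ("transferred", records) if records else ("refused", [])


def host_inventory(records):
    """Map each name with an A/AAAA record to its addresses.

    This is the payload of a leaked zone: an authoritative hostname list,
    including internal names that no wordlist would guess.
    """
    hosts = defaultdict(list)
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hosts[name.rstrip(".")].append(rdata)
    return dict(hosts)


def private_hosts(inventory):
    """Names whose addresses fall in RFC 1918 space: an internal-network leak."""
    flagged = []
    for name, addrs in inventory.items():
        for addr in addrs:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # malformed rdata; only IPv4 private ranges are checked here
            if any(ip in net for net in RFC1918):
                flagged.append(name)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for label, output in (("ns3.sina.com", REFUSED), ("ns1.example.com (constructed)", LEAKED_ZONE)):
        status, records = parse_axfr(output)
        print(f"{label}: {status}, {len(records)} records")
        if records:
            inventory = host_inventory(records)
            print("  hosts:", ", ".join(sorted(inventory)))
            print("  RFC 1918 leaks:", private_hosts(inventory))
```

The REFUSED result is what a correctly configured server returns. On the server side the fix is to limit who may transfer the zone: in BIND that is the `allow-transfer { ...; };` directive in the zone or options block, listing only the secondary servers (better still, authenticating them with a TSIG key); with it in place the inventory step above never gets any input.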

DNS dictionary brute force

We can also brute-force names from a wordlist to enumerate the FQDNs under the target domain. Six common commands are:

  • fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt
  • dnsdict6 -d4 -t 16 -x sina.com (the experts' favourite)
  • dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 sina.com -o sina.xml (very complete: brute force, MX, NS, BIND version, etc.)
  • dnsmap sina.com -w dns.txt (painfully slow)
  • dnsrecon -d sina.com --lifetime 10 -t brt -D dnsbig.txt (reasonably fast)
  • dnsrecon -t std -d sina.com

Commands 1, 3 and 5 need a wordlist. The Kali packages for these tools ship some very good wordlists in their install directories; use dpkg -L <package> (or find) to locate them.

Each tool is demonstrated below (the runs were not left to finish; this is only a demonstration).

fierce

root@kali:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt 
DNS Servers for sina.com.cn:
ns4.sina.com.cn
ns1.sina.com.cn
ns3.sina.com.cn
ns2.sina.com.cn

Trying zone transfer first...

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
** Found 94952625625.sina.com.cn at 116.255.235.199.
** High probability of wildcard DNS.
Now performing 2280 test(s)...
123.126.45.14 1.sina.com.cn
123.126.45.75 8.sina.com.cn
123.126.45.68 a.sina.com.cn
222.22.29.100 a1.sina.com.cn
222.22.29.95 a1.sina.com.cn
222.22.29.96 a1.sina.com.cn
222.22.29.97 a1.sina.com.cn
222.22.29.101 a1.sina.com.cn
222.22.29.98 a1.sina.com.cn

Its speed is acceptable. You can see it prints the target's DNS servers and then the brute-forced FQDNs.

dnsdict6

This one seems to have been dropped from Kali, and it isn't in apt either, so you need to compile and install it yourself; see the installation tutorial.

root@kali:~# dnsdict6 -d4 -t 16 -x sina.com  // (-d: show NS/MX info, -4: also return IPv4 addresses, -t 16: 16 threads, -x: the extra-large built-in wordlist)
Starting DNS enumeration work on sina.com. ...
Gathering NS and MX information...
NS of sina.com. is ns4.sina.com. => 123.125.29.99
NS of sina.com. is ns4.sina.com.cn. => 121.14.1.22
NS of sina.com. is ns1.sina.com. => 114.134.80.144
NS of sina.com. is ns2.sina.com. => 114.134.80.145
NS of sina.com. is ns3.sina.com. => 180.149.138.199
NS of sina.com. is ns2.sina.com.cn. => 180.149.138.199
NS of sina.com. is ns1.sina.com.cn. => 202.106.184.166
NS of sina.com. is ns3.sina.com.cn. => 123.125.29.99
No IPv6 address for NS entries found in DNS for domain sina.com.
MX of sina.com. is freemx1.sinamail.sina.com.cn. => 39.156.6.104
MX of sina.com. is freemx2.sinamail.sina.com.cn. => 121.14.32.117
MX of sina.com. is freemx3.sinamail.sina.com.cn. => 39.156.6.104
No IPv6 address for MX entries found in DNS for domain sina.com.

Starting enumerating sina.com. - creating 16 threads for 5887 words...
Estimated time to completion: 2 to 5 minutes
Warning: wildcard domain configured
*.sina.com. -> 116.255.235.199
Warning: wildcard domain configured (2nd test)
ads.sina.com. => 1.81.1.228
ads.sina.com. => 1.81.1.229
ads.sina.com. => 1.81.1.230
ads.sina.com. => 1.81.1.223
ads.sina.com. => 1.81.1.224
Functionally much like the first tool, but noticeably faster.

dnsenum

This one feels like the most comprehensive.

root@kali:~# dnsenum -f /usr/share/dnsenum/dns.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4

----- sina.com -----


Host's addresses:
__________________

sina.com. 54 IN A 66.102.251.33


Name Servers:
______________

ns2.sina.com. 21599 IN A 114.134.80.145
ns1.sina.com.cn. 21594 IN A 202.106.184.166
ns4.sina.com. 21599 IN A 123.125.29.99
ns3.sina.com. 21599 IN A 180.149.138.199
ns3.sina.com.cn. 21599 IN A 123.125.29.99
ns4.sina.com.cn. 21599 IN A 121.14.1.22
ns1.sina.com. 21294 IN A 114.134.80.144
ns2.sina.com.cn. 2862 IN A 180.149.138.199


Mail (MX) Servers:
___________________

freemx2.sinamail.sina.com.cn. 59 IN A 121.14.32.117
freemx3.sinamail.sina.com.cn. 59 IN A 39.156.6.104
freemx1.sinamail.sina.com.cn. 59 IN A 39.156.6.104


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for sina.com on ns2.sina.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns1.sina.com.cn ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns4.sina.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns3.sina.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns3.sina.com.cn ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns4.sina.com.cn ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns1.sina.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sina.com on ns2.sina.com.cn ...
AXFR record query failed: REFUSED


Brute forcing with /usr/share/dnsenum/dns.txt:
_______________________________________________

......
You can see it collects the target's MX records, NS records, AXFR attempts and BIND version, and finally tries brute force.

dnsmap

Emmm... I really don't recommend this one. It is slow and the experience is awful.

dnsrecon

This one is fast as well. -d is the target domain; --lifetime is the timeout, requests that exceed it are abandoned; -t is the enumeration type, brt meaning brute force; -D is followed by your wordlist.

root@kali:~# dnsrecon -d sina.com --lifetime 10 -t brt -D /usr/share/dnsrecon/namelist.txt 
[*] Performing host and subdomain brute force against sina.com
[!] Wildcard resolution is enabled on this domain
[!] It is resolving to 116.255.235.199
[!] All queries will resolve to this address!!
[*] Do you wish to continue? y/n
y
[*] A 02.sina.com 116.255.235.199
[*] A 0.sina.com 116.255.235.199
[*] A 12.sina.com 116.255.235.199
[*] A 1.sina.com 116.255.235.199
[*] A 10.sina.com 116.255.235.199
[*] A 13.sina.com 116.255.235.199
[*] A 11.sina.com 116.255.235.199
[*] A 14.sina.com 116.255.235.199
[*] A 17.sina.com 116.255.235.199
[*] A 15.sina.com 116.255.235.199
[*] A 19.sina.com 116.255.235.199
[*] A 18.sina.com 116.255.235.199
[*] A 16.sina.com 116.255.235.199
[*] A 20.sina.com 116.255.235.199
[*] A 2.sina.com 116.255.235.199
.....
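Every run above warned about wildcard DNS (fierce, dnsdict6 and dnsrecon all found `*.sina.com -> 116.255.235.199`), and dnsrecon then listed name after name mapping to that single address. The following added Python example, not from the post or from any of these tools, shows the check the tools perform and the filtering step they leave to you: resolve a few random labels that cannot exist to learn the wildcard address set, then drop brute-force answers that contain nothing but those addresses. The resolver is passed in as a function and the zone it answers from is constructed (placeholder domain example.test, TEST-NET addresses) so the script runs offline; in a real run you would pass a wrapper around socket.gethostbyname_ex or dnspython.

```python
"""Detect wildcard DNS and separate real brute-force hits from wildcard noise.

Added example, not part of the original post or of fierce/dnsdict6/dnsrecon.
The resolver is a function parameter so the logic can run offline.
"""
import random
import string

# Constructed zone that mimics what the tools above reported: a wildcard
# record sending every unknown name to one address, plus a few names with
# records of their own. Domain and addresses are placeholders.
CONSTRUCTED_ZONE = {
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
    "ads.example.test": ["192.0.2.30", "192.0.2.31"],
}
WILDCARD_ADDRS = ["192.0.2.99"]


def fake_resolver(name):
    """Return A records for NAME; unknown names under the zone hit the wildcard."""
    if name in CONSTRUCTED_ZONE:
        return list(CONSTRUCTED_ZONE[name])
    if name.endswith(".example.test"):
        return list(WILDCARD_ADDRS)
    return []  # NXDOMAIN


def detect_wildcard(domain, resolve, probes=3, rng=None):
    """Resolve a few random labels that cannot legitimately exist.

    Returns the set of addresses they resolve to (empty set when the zone
    answers NXDOMAIN, i.e. no wildcard). Several probes are used because
    a wildcard may round-robin between addresses, as a1.sina.com.cn did.
    """
    rng = rng or random.Random(0)  # fixed seed keeps the example reproducible
    wildcard = set()
    for _ in range(probes):
        label = "".join(rng.choices(string.ascii_lowercase + string.digits, k=24))
        addrs = resolve(f"{label}.{domain}")
        if not addrs:
            return set()
        wildcard.update(addrs)
    return wildcard


def brute_force(domain, wordlist, resolve):
    """Resolve each candidate name and split results into hits and wildcard noise.

    A name counts as noise when every address it returns belongs to the
    wildcard set. Names with extra or different addresses are kept.
    """
    wildcard = detect_wildcard(domain, resolve)
    hits, noise = {}, []
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        addrs = resolve(fqdn)
        if not addrs:
            continue
        if wildcard and set(addrs) <= wildcard:
            noise.append(fqdn)
        else:
            hits[fqdn] = addrs
    return wildcard, hits, noise


if __name__ == "__main__":
    words = ["www", "mail", "ads", "01", "02", "intranet"]  # constructed wordlist
    wildcard, hits, noise = brute_force("example.test", words, fake_resolver)
    print("wildcard addresses:", sorted(wildcard))
    for fqdn, addrs in hits.items():
        print("hit  ", fqdn, ",".join(addrs))
    print(f"dropped {len(noise)} wildcard-only names:", noise)
```

The trade-off is visible in the last line: a real host that happens to be parked on the wildcard address is dropped along with the noise, which is why the tools only warn rather than filter. From the zone owner's side, the wildcard is also what makes these 2280-word and 5887-word runs so noisy in the query logs: every guessed name gets an answer instead of an NXDOMAIN.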

This form can also be used:

root@kali:~# dnsrecon -t std -d sina.com -D /usr/share/dnsrecon/namelist.txt 
[*] Performing General Enumeration of Domain:sina.com
[!] Wildcard resolution is enabled on this domain
[!] It is resolving to 116.255.235.199
[!] All queries will resolve to this address!!
[-] DNSSEC is not configured for sina.com
[*] NS ns2.sina.com.cn 180.149.138.199
[*] Bind Version for 180.149.138.199
[*] NS ns2.sina.com 114.134.80.145
[*] NS ns4.sina.com 123.125.29.99
[*] Bind Version for 123.125.29.99
[*] NS ns3.sina.com 180.149.138.199
[*] Bind Version for 180.149.138.199
[*] NS ns3.sina.com.cn 123.125.29.99
[*] Bind Version for 123.125.29.99
[*] NS ns4.sina.com.cn 121.14.1.22
[*] Bind Version for 121.14.1.22
[*] NS ns1.sina.com.cn 202.106.184.166
[*] Bind Version for 202.106.184.166
[*] NS ns1.sina.com 114.134.80.144
......

DNS registration information

Looking up a domain's registration information yields a lot of data that is useful later for penetration testing or social engineering. The command is whois.

The following sites are commonly used to look up registration information:

  • AFRINIC http://www.afrinic.net (Africa)
  • APNIC http://www.apnic.net (Pacific region)
  • ARIN http://ws.arin.net
  • IANA http://www.iana.com (international body)
  • ICANN http://www.icann.org
  • LACNIC http://www.lacnic.net
  • NRO http://www.nro.net
  • RIPE http://www.ripe.net
  • InterNic http://www.internic.net (the earliest IP address allocation organisation)

Let's look at qq.com's information:

root@kali:~# whois qq.com
Domain Name: QQ.COM
Registry Domain ID: 2895300_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-01-30T03:30:02Z
Creation Date: 1995-05-04T04:00:00Z
Registry Expiry Date: 2027-07-27T02:09:19Z // registration expiry date
Registrar: MarkMonitor Inc. // registrar
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.QQ.COM
Name Server: NS2.QQ.COM
Name Server: NS3.QQ.COM
Name Server: NS4.QQ.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-05-10T15:26:50Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: qq.com
Registry Domain ID: 2895300_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-01-29T19:24:11-0800
Creation Date: 1995-05-03T21:00:00-0700
Registrar Registration Expiration Date: 2027-07-26T19:09:19-0700
Registrar: MarkMonitor, Inc. // the domain is registered through MarkMonitor
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Shenzhen Tencent Computer Systems CO.,Ltd
Registrant State/Province: Guang Dong
Registrant Country: CN
Admin Organization: Shenzhen Tencent Computer Systems CO.,Ltd
Admin State/Province: Guang Dong
Admin Country: CN
Tech Organization: Shenzhen Tencent Computer Systems CO.,Ltd
Tech State/Province: Guang Dong
Tech Country: CN
Name Server: ns2.qq.com // four DNS servers
Name Server: ns1.qq.com
Name Server: ns3.qq.com
Name Server: ns4.qq.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-05-10T08:17:56-0700 <<<

For more information on WHOIS status codes, please visit:
https://www.icann.org/resources/pages/epp-status-codes

If you wish to contact this domain’s Registrant, Administrative, or Technical
contact, and such email address is not visible above, you may do so via our web
form, pursuant to ICANN’s Temporary Specification. To verify that you are not a
robot, please enter your email address to receive a link to a page that
facilitates email communication with the relevant contact(s).

Web-based WHOIS:
https://domains.markmonitor.com/whois

If you have a legitimate interest in viewing the non-public WHOIS details, send
your request and the reasons for your request to whoisrequest@markmonitor.com
and specify the domain name in the subject line. We will review that request and
may ask for supporting documentation and explanation.

The data in MarkMonitor’s WHOIS database is provided for information purposes,
and to assist persons in obtaining information about or related to a domain
name’s registration record. While MarkMonitor believes the data to be accurate,
the data is provided "as is" with no guarantee or warranties regarding its
accuracy.

By submitting a WHOIS query, you agree that you will use this data only for
lawful purposes and that, under no circumstances will you use this data to:
(1) allow, enable, or otherwise support the transmission by email, telephone,
or facsimile of mass, unsolicited, commercial advertising, or spam; or
(2) enable high volume, automated, or electronic processes that send queries,
data, or email to MarkMonitor (or its systems) or the domain name contacts (or
its systems).

MarkMonitor.com reserves the right to modify these terms at any time.

By submitting this query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiCounterfeiting(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services

Visit MarkMonitor at https://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
--
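Besides the registrar and name servers called out in the comments, the record above carries two things the domain's owner should be watching: the expiry date, and the EPP status codes (clientTransferProhibited and its siblings are the registrar locks that stop a domain being moved or altered through a transfer request). The following added Python example, not part of the post, parses the `Key: Value` lines of a whois record into exactly those fields. Its sample input is an excerpt of the qq.com registry record shown above; the reference date passed to audit_whois is fixed so the day count is reproducible.

```python
"""Extract the fields of a whois record that matter for domain hygiene.

Added example, not part of the original post. Parses the plain 'Key: Value'
lines that registry and registrar whois servers print.
"""
from datetime import datetime, timezone

# Excerpt of the registry section of the qq.com record shown above.
SAMPLE = """\
Domain Name: QQ.COM
Registry Domain ID: 2895300_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-01-30T03:30:02Z
Creation Date: 1995-05-04T04:00:00Z
Registry Expiry Date: 2027-07-27T02:09:19Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.QQ.COM
Name Server: NS2.QQ.COM
Name Server: NS3.QQ.COM
Name Server: NS4.QQ.COM
DNSSEC: unsigned
>>> Last update of whois database: 2019-05-10T15:26:50Z <<<
"""

# Registrar-side locks that block transfer/update/delete requests made through
# the registrant's account; their absence makes takeover by transfer easier.
CLIENT_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}

# Registry records use the first key and a trailing Z; registrar records
# (the second half of the output above) use the second key and a -0700 offset.
EXPIRY_KEYS = ("Registry Expiry Date", "Registrar Registration Expiration Date")


def parse_whois(text):
    """Group 'Key: Value' lines by key, keeping repeats (Name Server, Domain Status)."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and value:
            fields.setdefault(key, []).append(value)
    return fields


def parse_date(value):
    """Accept both '2027-07-27T02:09:19Z' and '2027-07-26T19:09:19-0700'."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised whois date: {value!r}")


def audit_whois(text, now_iso):
    """Summarise registrar, name servers, days to expiry, missing locks and DNSSEC."""
    fields = parse_whois(text)
    now = parse_date(now_iso)
    expiry_raw = next((fields[k][0] for k in EXPIRY_KEYS if k in fields), None)
    statuses = {v.split()[0] for v in fields.get("Domain Status", [])}
    return {
        "registrar": fields.get("Registrar", ["unknown"])[0],
        "name_servers": sorted(ns.lower() for ns in fields.get("Name Server", [])),
        "days_to_expiry": (parse_date(expiry_raw) - now).days if expiry_raw else None,
        "missing_locks": sorted(CLIENT_LOCKS - statuses),
        "dnssec": fields.get("DNSSEC", ["unknown"])[0],
    }


if __name__ == "__main__":
    report = audit_whois(SAMPLE, "2019-05-10T00:00:00Z")
    for key, value in report.items():
        print(f"{key:>15}: {value}")
```

Run periodically against your own domains, the `days_to_expiry` and `missing_locks` fields are the two that should page someone; `dnssec: unsigned`, which both halves of the qq.com record report, is the third thing worth tracking, since it is what the dnsrecon std scan above also flagged.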
