0x01 Passive Information Gathering

2018-12-05  Gatociego

Domain DNS information enumeration

use auxiliary/gather/enum_dns

# Show detailed information about the module
msf auxiliary(gather/enum_dns) > info

       Name: DNS Record Scanner and Enumerator
     Module: auxiliary/gather/enum_dns
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>
  Nixawk

Basic options:
  Name         Current Setting                                              Required  Description
  ----         ---------------                                              --------  -----------
  DOMAIN                                                                    yes       The target domain
  ENUM_A       true                                                         yes       Enumerate DNS A record
  ENUM_AXFR    true                                                         yes       Initiate a zone transfer against each NS record
  ENUM_BRT     false                                                        yes       Brute force subdomains and hostnames via the supplied wordlist
  ENUM_CNAME   true                                                         yes       Enumerate DNS CNAME record
  ENUM_MX      true                                                         yes       Enumerate DNS MX record
  ENUM_NS      true                                                         yes       Enumerate DNS NS record
  ENUM_RVL     false                                                        yes       Reverse lookup a range of IP addresses
  ENUM_SOA     true                                                         yes       Enumerate DNS SOA record
  ENUM_SRV     true                                                         yes       Enumerate the most common SRV records
  ENUM_TLD     false                                                        yes       Perform a TLD expansion by replacing the TLD with the IANA TLD list
  ENUM_TXT     true                                                         yes       Enumerate DNS TXT record
  IPRANGE                                                                   no        The target address range or CIDR identifier
  NS                                                                        no        Specify the nameserver to use for queries (default is system DNS)
  STOP_WLDCRD  false                                                        yes       Stops bruteforce enumeration if wildcard resolution is detected
  THREADS      1                                                            no        Threads for ENUM_BRT
  WORDLIST     /usr/share/metasploit-framework/data/wordlists/namelist.txt  no        Wordlist of subdomains

Description:
  This module can be used to gather information about a domain from a 
  given DNS server by performing various DNS queries such as zone 
  transfers, reverse lookups, SRV record brute forcing, and other 
  techniques.

References:
  https://cvedetails.com/cve/CVE-1999-0532/
  OSVDB (492)

# Show the options that need to be configured
show options

# Configure the options
set domain baidu.com
set threads 10

# Show required options that have not been set yet
show missing

# Run the module
run

# Partial output
[!] dns wildcard is enable OR fake dns server
[*] querying DNS NS records for baidu.com
[+] baidu.com NS: ns7.baidu.com.
[+] baidu.com NS: ns2.baidu.com.
[+] baidu.com NS: ns4.baidu.com.
[+] baidu.com NS: dns.baidu.com.
[+] baidu.com NS: ns3.baidu.com.
[*] Attempting DNS AXFR for baidu.com from ns7.baidu.com.
W, [2018-12-05T14:30:38.990763 #1372]  WARN -- : AXFR query, switching to TCP
[*] Attempting DNS AXFR for baidu.com from ns2.baidu.com.
W, [2018-12-05T14:30:39.245855 #1372]  WARN -- : AXFR query, switching to TCP
[*] Attempting DNS AXFR for baidu.com from ns4.baidu.com.
W, [2018-12-05T14:30:39.544674 #1372]  WARN -- : AXFR query, switching to TCP
[*] Attempting DNS AXFR for baidu.com from dns.baidu.com.
W, [2018-12-05T14:30:39.884481 #1372]  WARN -- : AXFR query, switching to TCP
[*] Attempting DNS AXFR for baidu.com from ns3.baidu.com.
W, [2018-12-05T14:30:40.626614 #1372]  WARN -- : AXFR query, switching to TCP
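The two things worth understanding in the output above are the wildcard warning ("dns wildcard is enable OR fake dns server", the check behind STOP_WLDCRD) and the fact that the records come back as raw DNS answers. The following script is an added example, not code from the post or from Metasploit's enum_dns module: it builds standard DNS queries with only the Python standard library, parses A/NS/CNAME/MX/TXT answers (including compressed names), checks that a reply carries the transaction id we sent so a spoofed reply is rejected, and implements the same wildcard probe the module performs before brute forcing. The function names, the default resolver 8.8.8.8 in udp_lookup, and the sample packet in the usage comment are assumptions made for this example.

```python
"""Minimal DNS lookup + wildcard probe, standard library only.

Added example (not from the original post or Metasploit). Assumes the
resolver is reachable over plain UDP/53; udp_lookup's default server is
an assumption and can be replaced with any resolver you trust.
"""
import random
import socket
import struct

# Record types this example understands (RFC 1035 type codes)
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def build_query(name, qtype):
    """Return (txid, packet) for a recursive query of `name`/`qtype`, class IN."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def _read_name(data, offset):
    """Decode a (possibly compressed) name at `offset`; return (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the pointer ends the name in the current record
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Parse the answer section into (owner, type_name, rdata_text) tuples."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F != 0:  # RCODE != NOERROR (e.g. NXDOMAIN = 3): no answers
        return []
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    records = []
    for _ in range(an):
        owner, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):  # NS / CNAME: a single name, may point back into the packet
            value, _ = _read_name(data, offset)
        elif rtype == 15:  # MX: 16-bit preference followed by a name
            pref = struct.unpack("!H", rdata[:2])[0]
            host, _ = _read_name(data, offset + 2)
            value = f"{pref} {host}"
        elif rtype == 16:  # TXT: sequence of <len><chars> strings, joined here
            value, i = "", 0
            while i < rdlen:
                value += rdata[i + 1:i + 1 + rdata[i]].decode(errors="replace")
                i += 1 + rdata[i]
        else:
            value = rdata.hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), value))
        offset += rdlen
    return records


def udp_lookup(name, qtype, nameserver="8.8.8.8", timeout=3.0):
    """Send one query over UDP and return the parsed answers (needs network)."""
    txid, packet = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (nameserver, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch: reply not for our query")
    return parse_response(data)


def has_wildcard(domain, lookup, probes=2):
    """enum_dns-style wildcard probe: if random labels under `domain` resolve,
    brute-forced subdomain hits are meaningless. `lookup(name, qtype)` returns
    parsed records, so a fake resolver can be injected for offline testing."""
    for _ in range(probes):
        label = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(12))
        if not lookup(f"{label}.{domain}", "A"):
            return False
    return True


if __name__ == "__main__":
    # Usage (network required): print NS records, then run the wildcard probe.
    for rec in udp_lookup("example.com", "NS"):
        print(rec)
    print("wildcard:", has_wildcard("example.com", udp_lookup))
```

The wildcard probe is the reason STOP_WLDCRD exists: a zone that answers every random label with the same address turns a subdomain wordlist into a list of false positives, so the check runs before ENUM_BRT rather than after. The transaction-id comparison in udp_lookup is the minimum a client should do; matching the echoed question and using a randomized source port is what real resolvers add on top.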

Go back to the previous context

back

Gather information by specifying a company name

use auxiliary/gather/corpwatch_lookup_name
set company_name baidu
set limit 1   # limit the number of results returned
run

Gather subdomain information from multiple search engines

use auxiliary/gather/searchengine_subdomains_collector
set target baidu.com
run

Gather information via the Censys search engine

# Requires a Censys account: obtain your own API ID and secret
use auxiliary/gather/censys_search
set censys_dork baidu.com
set censys_uid <your UID>
set censys_secret <your secret>
set censys_searchtype ipv4
run

Gather information via the Shodan search engine

# Requires registering to obtain your own API key
use auxiliary/gather/shodan_search
set query baidu.com
set shodan_apikey <your API key>
run

Check whether a server is a honeypot via Shodan HoneyScore

use auxiliary/gather/shodan_honeyscore
set shodan_apikey <your API key>
set target 114.114.114.114
run

Collect email addresses associated with a domain

use auxiliary/gather/search_email_collector
set domain baidu.com
set search_google false  # disable the Google search if no proxy is available
run