Information gathering is the most important step in the early phase of a penetration test. Passive information gathering is stealthier and less intrusive than active gathering (which accesses the target), and its results also make social-engineering attacks easier to set up.
Key characteristics of passive information gathering
- the information is available through public channels
- there is no direct interaction with the target system
- leaving any trace at all is avoided as far as possible
Main categories of information to collect
There is a great deal that can be collected; in brief:
- IP address ranges
- Domain name information
- E-mail addresses
- Documents, images and other data
- Company address
- Company organisational structure
- Telephone / fax numbers
- Staff names / job titles
- The technology stack used by the target system
- Public business information
1. Information gathering - DNS
Domain name records:
- A: host record, maps a domain name to an IP address
- CNAME: alias record, maps a domain name to another domain name
- NS: name server record, the address of the name servers for this domain
- MX: mail exchange record, points to the mail (SMTP) servers for this domain
- PTR: reverse record, maps an IP address back to a domain name
Fully qualified form (note the trailing dot): www.baidu.com.
The first lookup is an iterative query: the resolver first asks one of the (13 worldwide) root servers, which refers it to the com servers, which refer it to the baidu.com name servers, which finally answer for www.baidu.com.
The ISP's DNS server is a caching resolver: it keeps a local copy of the name-to-IP mapping obtained in that first lookup and answers later requests straight from the cache. This is the recursive query: the client asks the resolver once and the resolver does the rest.
1.1 DNS information gathering - using nslookup
- nslookup www.sina.com
- server    // set the DNS server to query (inside the interactive prompt)
- type=a, mx, ns, any    // set the query type; any returns all record types
- nslookup -type=ns example.com 156.154.70.22    // the same query as a single command line
```
root@kali:~# nslookup
> www.baidu.com
Server:     192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 61.135.169.121
Name:   www.a.shifen.com
Address: 61.135.169.125
> www.a.shifen.com.
Server:     192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
Name:   www.a.shifen.com
Address: 61.135.169.125
Name:   www.a.shifen.com
Address: 61.135.169.121
> www.sina.com
Server:     192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn  canonical name = spool.grid.sinaedge.com.
Name:   spool.grid.sinaedge.com
Address: 121.22.4.29
> us.sina.com.cn
Server:     192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
us.sina.com.cn  canonical name = spool.grid.sinaedge.com.
Name:   spool.grid.sinaedge.com
Address: 121.22.4.29
> spool.grid.sinaedge.com
Server:     192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
Name:   spool.grid.sinaedge.com
Address: 121.22.4.29
> set type=a
> www.sina.com
Server:     192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn  canonical name = spool.grid.sinaedge.com.
Name:   spool.grid.sinaedge.com
Address: 121.22.4.29
> set type=mx
> sina.com
Server:     192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
sina.com    mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com    mail exchanger = 10 freemx1.sinamail.sina.com.cn.
sina.com    mail exchanger = 10 freemx3.sinamail.sina.com.cn.

Authoritative answers can be found from:
> set type=a
> freemx1.sinamail.sina.com.cn
Server:     192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
Name:   freemx1.sinamail.sina.com.cn
Address: 39.156.6.104
> set type=ns
> sina.com
Server:     192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
sina.com    nameserver = ns3.sina.com.
sina.com    nameserver = ns2.sina.com.
sina.com    nameserver = ns1.sina.com.cn.
sina.com    nameserver = ns4.sina.com.
sina.com    nameserver = ns2.sina.com.cn.
sina.com    nameserver = ns3.sina.com.cn.
sina.com    nameserver = ns4.sina.com.cn.
sina.com    nameserver = ns1.sina.com.

Authoritative answers can be found from:
> set type=ptr
> 39.156.6.104
Server:     192.168.56.2
Address:    192.168.56.2#53

Non-authoritative answer:
*** Can't find 104.6.156.39.in-addr.arpa.: No answer
// type can be abbreviated as q
// this is probably a DNS configuration problem; the reverse lookup did not succeed

Authoritative answers can be found from:
> set q=ptr
> 39.156.6.104
Server:     192.168.56.2
Address:    192.168.56.2#53

** server can't find 104.6.156.39.in-addr.arpa: NXDOMAIN
> server 114.114.114.114
Default server: 114.114.114.114
Address: 114.114.114.114#53
> www.sina.com
Server:     114.114.114.114
Address:    114.114.114.114#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn  canonical name = spool.grid.sinaedge.com.

Authoritative answers can be found from:
sinaedge.com
    origin = ns1.sinaedge.com
    mail addr = null.sinaedge.com
    serial = 20100707
    refresh = 10800
    retry = 60
    expire = 604800
    minimum = 60
>
```
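As an added example, not part of the original notes: a small Python parser that turns interactive nslookup output of the kind shown above into structured records (CNAME chain, A, MX with priority, NS) and records PTR failures, plus a helper that builds the in-addr.arpa name a PTR query asks for. The embedded SAMPLE is a constructed excerpt of the session above; parse_nslookup, cname_chain and reverse_name are names chosen here.

```python
import re
from ipaddress import ip_address

# Constructed excerpt in the format of the nslookup session above (prompts trimmed), embedded so the parser runs offline.
SAMPLE = """\
> www.sina.com
Server:   192.168.56.2
Address:  192.168.56.2#53
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn  canonical name = spool.grid.sinaedge.com.
Name:   spool.grid.sinaedge.com
Address: 121.22.4.29
sina.com  mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com  mail exchanger = 10 freemx1.sinamail.sina.com.cn.
sina.com  nameserver = ns1.sina.com.cn.
** server can't find 104.6.156.39.in-addr.arpa: NXDOMAIN
"""
RECORD = re.compile(r"^(\S+)\s+(canonical name|mail exchanger|nameserver)\s*=\s*(.+?)\.?$")
ERROR = re.compile(r"^\*+ .*[Cc]an't find (\S+?)\.?: (.+)$")


def reverse_name(ip):
    """Owner name a PTR query for ip asks for, e.g. 104.6.156.39.in-addr.arpa."""
    return ip_address(ip).reverse_pointer


def parse_nslookup(text):
    """Group interactive nslookup output by record type, keyed by nslookup's own labels."""
    out = {"canonical name": [], "mail exchanger": [], "nameserver": [], "a": {}, "errors": []}
    name = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            name = line.split(None, 1)[1]
        elif line.startswith("Address:") and "#" not in line:  # '#53' lines are the resolver itself
            out["a"].setdefault(name, []).append(line.split(None, 1)[1])
        elif m := RECORD.match(line):
            owner, kind, value = m.groups()
            if kind == "mail exchanger":  # "10 host" -> (10, "host")
                prio, host = value.split(None, 1)
                value = (int(prio), host)
            out[kind].append((owner, value))
        elif m := ERROR.match(line):
            out["errors"].append(m.groups())  # (queried name, reason), trailing dot stripped
    return out


def cname_chain(records, start):  # follow CNAMEs to the final canonical name; stops on loops
    targets, chain = dict(records["canonical name"]), [start]
    while chain[-1] in targets and targets[chain[-1]] not in chain:
        chain.append(targets[chain[-1]])
    return chain
```

Comparing the failed PTR name in `errors` against `reverse_name(ip)` confirms the resolver was asked for the right reverse name, so a failure points at the zone (or the resolver's configuration) rather than at the query.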