Penetration Testing: Passive Information Gathering in Detail

Published: 2024/3/13 · Programming Q&A · 38 · 豆豆

Passive Information Gathering

  • I. Introduction to passive information gathering
    • 1. Passive information gathering
    • 2. What information is gathered
    • 3. Why information is gathered
  • II. Passive information-gathering methods
    • 1. dig: domain name resolution queries
      • ① Direct query
      • ② Query by specific content
      • ③ Query DNS version information
      • ④ DNS tracing, iterative/recursive query
    • 2. nslookup: diagnosing DNS infrastructure
    • 3. whois: registration information lookup
    • 4. dnsenum
    • 5. fierce
      • ① Direct query
      • ② Dictionary brute force
  • III. The key passive information-gathering method (in my opinion)
    • 1. Enter the recon-ng environment
    • 2. Create a new workspace
    • 3. Set workspace options
    • 4. DNS lookup
    • 5. Resolve IPs
    • 6. Generate the report
    • 7. View the report
  • IV. The peach blossoms still smile in the spring breeze


I. Introduction to Passive Information Gathering

1. Passive information gathering

Passive information gathering means collecting information from publicly available sources without any direct exchange with the target system or host, so as to leave as little trace as possible.

2. What information is gathered

IP address ranges
Domain name information
E-mail addresses
Documents, images and other data
Company addresses
Company organizational structure
Telephone/fax numbers
Personnel names/positions
The technical architecture used by the target system
Publicly available business information

3. Why information is gathered

In my view, the purpose of information gathering is to learn the target system's underlying architecture, the IP address ranges of the target hosts and the organization's domain information, so that the collected information can be used to describe the target system or host and to prepare for the series of scans that follow. It is the first key step in penetration testing.


II. Passive Information-Gathering Methods

The environment I use here is a virtual machine based on kali-linux-2018-W25-amd64.

1. dig: domain name resolution queries

① Direct query

Command: dig <domain to query>

root@yanxiao:~# dig www.sina.com

; <<>> DiG 9.11.3-1-Debian <<>> www.sina.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21747
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;www.sina.com.			IN	A

;; ANSWER SECTION:
www.sina.com.		5	IN	CNAME	us.sina.com.cn.
us.sina.com.cn.		5	IN	CNAME	spool.grid.sinaedge.com.
spool.grid.sinaedge.com. 5	IN	A	221.204.241.188
spool.grid.sinaedge.com. 5	IN	A	61.158.251.244

;; Query time: 5 msec
;; SERVER: 192.168.181.2#53(192.168.181.2)
;; WHEN: Wed Jun 26 16:22:04 CST 2019
;; MSG SIZE  rcvd: 135

② Query by specific content

Command: dig @<DNS server IP> <domain to query> <record type to query>

root@yanxiao:~# dig @8.8.8.8 www.sina.com mx

; <<>> DiG 9.11.3-1-Debian <<>> @8.8.8.8 www.sina.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40167
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.sina.com.			IN	MX

;; ANSWER SECTION:
www.sina.com.		59	IN	CNAME	us.sina.com.cn.
us.sina.com.cn.		59	IN	CNAME	spool.grid.sinaedge.com.

;; AUTHORITY SECTION:
sinaedge.com.		59	IN	SOA	ns1.sinaedge.com. null.sinaedge.com. 20100707 10800 60 604800 60

;; Query time: 144 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jun 26 16:36:47 CST 2019
;; MSG SIZE  rcvd: 148

Combine +noall with +answer to display only the answer section and drop the unrelated output.

root@yanxiao:~# dig @8.8.8.8 +noall +answer mx sina.com
sina.com.		59	IN	MX	5 freemx1.sinamail.sina.com.cn.
sina.com.		59	IN	MX	10 freemx2.sinamail.sina.com.cn.
sina.com.		59	IN	MX	10 freemx3.sinamail.sina.com.cn.

③ Query DNS version information

Command: dig +noall +answer txt chaos VERSION.BIND @ns3.<domain to query>

root@yanxiao:~# dig +noall +answer txt chaos VERSION.BIND @ns3.sina.com
VERSION.BIND.		0	CH	TXT	" "
# Note: the DNS version string would normally appear between the double quotes. It is empty here
# not because the command is wrong, but because Sina has hidden its version information.

④ DNS tracing, iterative/recursive query

Command: dig +trace <domain to query>

root@yanxiao:~# dig +trace +noall +answer sina.com
.			5	IN	NS	i.root-servers.net.
.			5	IN	NS	e.root-servers.net.
.			5	IN	NS	g.root-servers.net.
.			5	IN	NS	a.root-servers.net.
.			5	IN	NS	l.root-servers.net.
.			5	IN	NS	b.root-servers.net.
.			5	IN	NS	f.root-servers.net.
.			5	IN	NS	h.root-servers.net.
.			5	IN	NS	j.root-servers.net.
.			5	IN	NS	k.root-servers.net.
.			5	IN	NS	d.root-servers.net.
.			5	IN	NS	c.root-servers.net.
.			5	IN	NS	m.root-servers.net.
.			5	IN	RRSIG	NS 8 0 518400 20190709050000 20190626040000 25266 . KzQL7eH1xUR1o5RWy/pKJAwhzZ+86CkW7uWRJo64plyhMNMo/afOnrFb 7sHfBJmkKlAAAAAFDePWxBL2zLyWaOX4Tj05yd3mbF5t3rfeP/75EIFA 5R3pqV+cxZSijW2EVrXNbL3KaNpsYH9sYujGKvYPuf/WNarUkLUx7Xn9 gcsOX3ZS6KfZ8NIekE3+Bsuex+vnBhIlws1XlsvnUPGf/1hVXruAX2IB xlQIjT4zjLXEwuP4pgbpdRkbGlXOe7uWXtt2Ywja5+227DqrUuiA+wEF dKNFRX6T/0rZ3a/DPmKAy5d0Xgq2obEt5M32jepblE8hWz6WnTq/5R8i m0AahA==
;; Received 525 bytes from 192.168.181.2#53(192.168.181.2) in 12 ms

;; Received 1196 bytes from 192.112.36.4#53(g.root-servers.net) in 93 ms

;; Received 723 bytes from 192.33.14.30#53(b.gtld-servers.net) in 24 ms

sina.com.		60	IN	A	66.102.251.33
;; Received 336 bytes from 180.149.138.199#53(ns2.sina.com.cn) in 22 ms
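Once dig output is in hand, the next practical step is to turn the answer lines into structured records, for example to inventory an organization's own DNS footprint or to diff it against a known-good baseline. The Python below is an added example written for this article, not code from the original post or from dig itself: it parses the `+noall +answer` line format shown in ② and ④ above (comment lines such as `;; Received ...` from `+trace` are skipped), follows a CNAME chain like www.sina.com → us.sina.com.cn → spool.grid.sinaedge.com down to the final A records while guarding against a loop in the chain, and orders MX records by priority. The sample input is constructed from the records shown above and embedded inline so the example runs offline.

```python
from collections import defaultdict
from typing import List, NamedTuple

# Constructed sample input in the layout `dig +noall +answer` prints.
# The records mirror the article's output and are used here only as test data.
SAMPLE_ANSWER = """\
www.sina.com.           5    IN  CNAME  us.sina.com.cn.
us.sina.com.cn.         5    IN  CNAME  spool.grid.sinaedge.com.
spool.grid.sinaedge.com. 5   IN  A      221.204.241.188
spool.grid.sinaedge.com. 5   IN  A      61.158.251.244
;; Received 336 bytes from 180.149.138.199#53(ns2.sina.com.cn) in 22 ms
sina.com.               59   IN  MX     5 freemx1.sinamail.sina.com.cn.
sina.com.               59   IN  MX     10 freemx2.sinamail.sina.com.cn.
sina.com.               59   IN  MX     10 freemx3.sinamail.sina.com.cn.
"""


class RR(NamedTuple):
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def parse_answer(text: str) -> List[RR]:
    """Parse `dig +noall +answer` output into resource records.

    Blank lines, comment lines (';') and anything without the five-field
    shape NAME TTL CLASS TYPE RDATA are skipped rather than raising, because
    dig interleaves ';; Received ...' status lines when +trace is used.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[1].isdigit():
            continue
        name, ttl, rclass, rtype, rdata = fields
        records.append(RR(name.lower(), int(ttl), rclass, rtype, rdata.strip()))
    return records


def follow_cname(records: List[RR], name: str, max_hops: int = 8) -> List[str]:
    """Follow the CNAME chain starting at `name`; return the A/AAAA rdata at its end.

    Returns [] when the chain ends without an address. `max_hops` bounds the walk
    so a CNAME loop in the input (a -> b -> a) raises instead of spinning forever.
    """
    by_name = defaultdict(list)
    for rr in records:
        by_name[rr.name].append(rr)
    current = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        addrs = [rr.rdata for rr in by_name[current] if rr.rtype in ("A", "AAAA")]
        if addrs:
            return addrs
        cnames = [rr.rdata for rr in by_name[current] if rr.rtype == "CNAME"]
        if not cnames:
            return []
        current = cnames[0].lower()
    raise ValueError(f"CNAME chain from {name} exceeds {max_hops} hops")


def mx_by_priority(records: List[RR], zone: str):
    """Return (priority, exchanger) pairs for `zone`, lowest priority (preferred) first."""
    zone = zone.lower().rstrip(".") + "."
    out = []
    for rr in records:
        if rr.name == zone and rr.rtype == "MX":
            prio, exch = rr.rdata.split(None, 1)
            out.append((int(prio), exch.lower()))
    return sorted(out)


if __name__ == "__main__":
    recs = parse_answer(SAMPLE_ANSWER)
    print("www.sina.com resolves to:", follow_cname(recs, "www.sina.com"))
    print("sina.com MX by priority:", mx_by_priority(recs, "sina.com"))
```

The parser deliberately ignores rather than rejects unexpected lines, which is what you want when feeding it raw terminal captures; the loop guard matters because a misconfigured zone can contain a CNAME cycle and a naive walker would hang on it.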

2. nslookup: diagnosing DNS infrastructure

Command: nslookup -type=<record type to query, e.g. a, ns or mx> <domain to query>

root@yanxiao:~# nslookup -type=a sina.com        # Note: -type=a queries host (A) records
Server:		192.168.181.2
Address:	192.168.181.2#53

Non-authoritative answer:
Name:	sina.com
Address: 66.102.251.33

root@yanxiao:~# nslookup -type=ns sina.com       # Note: -type=ns queries name server records
Server:		192.168.181.2
Address:	192.168.181.2#53

Non-authoritative answer:
sina.com	nameserver = ns4.sina.com.
sina.com	nameserver = ns4.sina.com.cn.
sina.com	nameserver = ns3.sina.com.cn.
sina.com	nameserver = ns3.sina.com.
sina.com	nameserver = ns1.sina.com.cn.
sina.com	nameserver = ns2.sina.com.
sina.com	nameserver = ns2.sina.com.cn.
sina.com	nameserver = ns1.sina.com.

Authoritative answers can be found from:

root@yanxiao:~# nslookup -type=mx sina.com       # Note: -type=mx queries mail exchanger records
Server:		192.168.181.2
Address:	192.168.181.2#53

Non-authoritative answer:
sina.com	mail exchanger = 10 freemx3.sinamail.sina.com.cn.
sina.com	mail exchanger = 10 freemx2.sinamail.sina.com.cn.
sina.com	mail exchanger = 5 freemx1.sinamail.sina.com.cn.

Authoritative answers can be found from:

3. whois: registration information lookup

Command: whois <domain to query>

root@yanxiao:~# whois baidu.com
   Domain Name: BAIDU.COM
   Registry Domain ID: 11181110_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2019-05-09T04:30:46Z
   Creation Date: 1999-10-11T11:05:17Z
   Registry Expiry Date: 2026-10-11T11:05:17Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
   Registrar Abuse Contact Phone: +1.2083895740
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.BAIDU.COM
   Name Server: NS2.BAIDU.COM
   Name Server: NS3.BAIDU.COM
   Name Server: NS4.BAIDU.COM
   Name Server: NS7.BAIDU.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-06-26T09:02:43Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: baidu.com
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-08T20:59:33-0700
Creation Date: 1999-10-11T04:05:17-0700
Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant State/Province: Beijing
Registrant Country: CN
Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Admin State/Province: Beijing
Admin Country: CN
Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Tech State/Province: Beijing
Tech Country: CN
Name Server: ns3.baidu.com
Name Server: ns4.baidu.com
Name Server: ns7.baidu.com
Name Server: ns2.baidu.com
Name Server: ns1.baidu.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-06-26T02:02:28-0700 <<<

For more information on WHOIS status codes, please visit:
  https://www.icann.org/resources/pages/epp-status-codes

If you wish to contact this domain’s Registrant, Administrative, or Technical
contact, and such email address is not visible above, you may do so via our
web form, pursuant to ICANN’s Temporary Specification. To verify that you
are not a robot, please enter your email address to receive a link to a page
that facilitates email communication with the relevant contact(s).

Web-based WHOIS:
  https://domains.markmonitor.com/whois

If you have a legitimate interest in viewing the non-public WHOIS details,
send your request and the reasons for your request to
whoisrequest@markmonitor.com and specify the domain name in the subject
line. We will review that request and may ask for supporting documentation
and explanation.

The data in MarkMonitor’s WHOIS database is provided for information
purposes, and to assist persons in obtaining information about or related to
a domain name’s registration record. While MarkMonitor believes the data to
be accurate, the data is provided "as is" with no guarantee or warranties
regarding its accuracy.

By submitting a WHOIS query, you agree that you will use this data only for
lawful purposes and that, under no circumstances will you use this data to:
(1) allow, enable, or otherwise support the transmission by email, telephone,
or facsimile of mass, unsolicited, commercial advertising, or spam; or
(2) enable high volume, automated, or electronic processes that send
queries, data, or email to MarkMonitor (or its systems) or the domain name
contacts (or its systems).

MarkMonitor.com reserves the right to modify these terms at any time.

By submitting this query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiCounterfeiting(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services

Visit MarkMonitor at https://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
--
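A WHOIS record is also worth reading from the owner's side: the `Domain Status` lines above show the registrar (client*) and registry (server*) locks that block unauthorized transfer, deletion or update of the registration, and `DNSSEC: unsigned` shows whether the zone is signed. The Python below is an added example, not code from the original post or from the whois client: it parses the key/value part of a registry record (stopping at the `>>> Last update` marker so that the free-text notices and terms of use are ignored), extracts the EPP status codes, computes days to expiry, and reports missing locks, missing DNSSEC or imminent expiry as hygiene findings for a domain you administer. The sample record is constructed from the fields shown above; the 90-day expiry threshold is an assumption of the example.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample: a registry-style WHOIS record in the key/value layout shown
# in the article, followed by free text that a parser must not mistake for fields.
SAMPLE_WHOIS = """\
Domain Name: BAIDU.COM
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-09T04:30:46Z
Creation Date: 1999-10-11T11:05:17Z
Registry Expiry Date: 2026-10-11T11:05:17Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.BAIDU.COM
Name Server: NS2.BAIDU.COM
DNSSEC: unsigned
>>> Last update of whois database: 2019-06-26T09:02:43Z <<<
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship ... (free text that the parser must ignore)
"""

# EPP status codes that lock a registration. client* codes are set by the registrar,
# server* codes by the registry; a well-protected domain carries all six.
LOCK_CODES = {
    "clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited",
    "serverTransferProhibited", "serverDeleteProhibited", "serverUpdateProhibited",
}

_FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*\S)\s*$")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect 'Key: value' lines into a dict of lists (keys such as Domain Status repeat).

    Parsing stops at the '>>>' marker that ends the record proper, so the notices and
    terms of use that follow are never interpreted as fields. Lines with an empty value
    (e.g. a redacted 'Registrant Name:') are dropped.
    """
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith(">>>"):
            break
        m = _FIELD_RE.match(line.strip())
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields


def status_codes(fields: Dict[str, List[str]]) -> set:
    """Return the bare EPP status codes, dropping the trailing ICANN URL on each line."""
    return {value.split()[0] for value in fields.get("Domain Status", [])}


def days_until_expiry(fields: Dict[str, List[str]], now: datetime) -> int:
    """Whole days from `now` (tz-aware) to the registry expiry date; negative if expired."""
    raw = fields["Registry Expiry Date"][0]
    expiry = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (expiry - now).days


def hygiene_findings(fields: Dict[str, List[str]], now: datetime) -> List[str]:
    """Owner-side checklist: every lock present, zone DNSSEC-signed, expiry not imminent."""
    findings = []
    missing = LOCK_CODES - status_codes(fields)
    if missing:
        findings.append("missing lock status: " + ", ".join(sorted(missing)))
    if fields.get("DNSSEC", ["unsigned"])[0].lower() == "unsigned":
        findings.append("zone is not DNSSEC-signed")
    days = days_until_expiry(fields, now)
    if days < 90:  # assumed renewal-warning window for this example
        findings.append(f"registration expires in {days} days")
    return findings


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    for finding in hygiene_findings(record, datetime.now(timezone.utc)):
        print("-", finding)
```

Running this over the records of the domains you are responsible for, on a schedule, turns a one-off reconnaissance command into a monitoring control: a lock that silently disappears or a zone that loses its DNSSEC signing is exactly the kind of change that precedes a domain hijack.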

4. dnsenum

dnsenum aims to gather as much information about a domain as possible: it can guess likely hostnames via Google or a dictionary file, and it can run reverse lookups over a network range.
Command: dnsenum -enum <domain to query>

root@yanxiao:~# dnsenum -enum baidu.com
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
Warning: can't load Net::Whois::IP module, whois queries disabled.
Warning: can't load WWW::Mechanize module, Google scraping desabled.

-----   baidu.com   -----

Host's addresses:
__________________

baidu.com.                               5        IN    A        123.125.114.144
baidu.com.                               5        IN    A        220.181.38.148

Name Servers:
______________

ns4.baidu.com.                           5        IN    A        14.215.178.80
ns7.baidu.com.                           5        IN    A        180.76.76.92
dns.baidu.com.                           5        IN    A        202.108.22.220
ns2.baidu.com.                           5        IN    A        220.181.33.31
ns3.baidu.com.                           5        IN    A        112.80.248.64

Mail (MX) Servers:
___________________

mx.n.shifen.com.                         5        IN    A        61.135.165.120
mx.n.shifen.com.                         5        IN    A        111.202.115.85
mx50.baidu.com.                          5        IN    A        180.76.13.18
mx1.baidu.com.                           5        IN    A        220.181.50.185
mx1.baidu.com.                           5        IN    A        61.135.165.120
jpmx.baidu.com.                          5        IN    A        61.208.132.13
mx.maillb.baidu.com.                     5        IN    A        111.202.115.85

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for baidu.com on ns4.baidu.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for baidu.com on dns.baidu.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for baidu.com on ns7.baidu.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for baidu.com on ns2.baidu.com ...
AXFR record query failed: REFUSED

Trying Zone Transfer for baidu.com on ns3.baidu.com ...
AXFR record query failed: REFUSED

brute force file not specified, bay.

5. fierce

The fierce tool mainly scans subdomains and gathers information about them; with it you obtain all the IP addresses and host information for a target.

① Direct query

Command: fierce -dns <domain to query>

root@yanxiao:~# fierce -dns baidu.com
DNS Servers for baidu.com:
	ns3.baidu.com
	ns7.baidu.com
	dns.baidu.com
	ns4.baidu.com
	ns2.baidu.com

Trying zone transfer first...
	Testing ns3.baidu.com
		Request timed out or transfer not allowed.
	Testing ns7.baidu.com
		Request timed out or transfer not allowed.
	Testing dns.baidu.com
		Request timed out or transfer not allowed.
	Testing ns4.baidu.com
		Request timed out or transfer not allowed.
	Testing ns2.baidu.com
		Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
......(results omitted here)

Subnets found (may want to probe here using nmap or unicornscan):
......(results omitted here)

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 220 entries.

Have a nice day.

② Dictionary brute force

The fierce package in Kali ships with a wordlist that can be used for dictionary brute-forcing.
Wordlist location: /usr/share/fierce/hosts.txt
Command: fierce -dnsserver <DNS server to use> -dns <domain to brute-force> -wordlist <wordlist path>

root@yanxiao:~# fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt
DNS Servers for sina.com.cn:
	ns2.sina.com.cn
	ns3.sina.com.cn
	ns1.sina.com.cn
	ns4.sina.com.cn

Trying zone transfer first...
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
......(results omitted here)

Subnets found (may want to probe here using nmap or unicornscan):
......(results omitted here)

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 458 entries.

Have a nice day.

III. The Key Passive Information-Gathering Method (in my opinion)

recon-ng
recon-ng is an open-source web reconnaissance (information-gathering) framework written in Python. It is a full-featured tool that automates information gathering and network reconnaissance. It integrates a database by default, in which query results are stored in structured form, and it has reporting modules that export those results as reports.

Reconnaissance with recon-ng has three steps:
1. DNS lookup: google, baidu, bing, yahoo, brute force (it has its own wordlist)
2. IP resolution (querying the database): the resolve module
3. Report generation: the report module

The following example shows the process in detail:

1. Enter the recon-ng environment

root@yanxiao:~# recon-ng

    [recon-ng ASCII-art banner omitted]

    Sponsored by...  BLACK HILLS  www.blackhillsinfosec.com

                    [recon-ng v4.9.3, Tim Tomes (@LaNMaSteR53)]

[75] Recon modules
[8]  Reporting modules
[2]  Import modules
[2]  Exploitation modules
[2]  Discovery modules

[recon-ng][default] >

When using recon-ng for the first time, help lists every command that can be executed:

[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add             Adds records to the database
back            Exits the current context
delete          Deletes records from the database
exit            Exits the framework
help            Displays this menu
keys            Manages framework API keys
load            Loads specified module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
reload          Reloads all modules
resource        Executes commands from a resource file
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
unset           Unsets module options
use             Loads specified module
workspaces      Manages workspaces

View recon-ng's command-line usage:

[recon-ng][default] > recon-ng -h
[*] Command: recon-ng -h
usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check] [--no-analytics]

recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com

optional arguments:
  -h, --help      show this help message and exit
  -v, --version   show program's version number and exit
  -w workspace    load/create a workspace
  -r filename     load commands from a resource file
  --no-check      disable version check
  --no-analytics  disable analytics reporting

2. Create a new workspace

This step is technically optional, but as a matter of good habit I think it is important to create a separate workspace for each case before working on it; it makes later management and lookup easier.
Command: workspaces list, shows the existing workspaces

[recon-ng][default] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  | sina       |
  +------------+

Note that if you are already inside the recon-ng environment, a workspace can be created with the following command:
Command: workspaces add <workspace name>

[recon-ng][default] > workspaces add sina-test
[recon-ng][sina-test] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  | sina-test  |
  | sina       |
  +------------+

# delete a workspace
[recon-ng][sina-test] > workspaces delete sina-test
[recon-ng][default] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  | sina       |
  +------------+

If you are still at the Kali shell, the following command creates a new workspace, or enters an existing one, directly:
Command: recon-ng -w <workspace name>

root@yanxiao:~# recon-ng -w sina-test
[recon-ng][sina-test] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  | sina-test  |
  | sina       |
  +------------+

3. Set workspace options

These workspace options can also be skipped without affecting the results. Note, however, that if you leave them unset the other side can very easily tell that you are scanning them with recon-ng, so I recommend setting them; once they are set the scan is less conspicuous.
Command: show options

[recon-ng][sina-test] > show options

  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  NAMESERVER  8.8.8.8        yes       nameserver for DNS interrogation
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v4    yes       user-agent string
  VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

The command that sets the option:

[recon-ng][sina-test] > set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
USER-AGENT => Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
[recon-ng][sina-test] > show options

  Name        Current Value                                                                    Required  Description
  ----------  -------------                                                                    --------  -----------
  NAMESERVER  8.8.8.8                                                                          yes       nameserver for DNS interrogation
  PROXY                                                                                        no        proxy server (address:port)
  THREADS     10                                                                               yes       number of threads (where applicable)
  TIMEOUT     10                                                                               yes       socket timeout (seconds)
  USER-AGENT  Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0      yes       user-agent string
  VERBOSITY   1                                                                                yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

You can see that the USER-AGENT entry among the workspace options has been changed.

4. DNS lookup

Look up host records through search engines (google, baidu, bing, yahoo) or by brute force.
Command: search <google/baidu/bing/yahoo/brute>

[recon-ng][sina-test] > search google
[*] Searching for 'google'...

  Recon
  -----
    recon/domains-hosts/google_site_api
    recon/domains-hosts/google_site_web

[recon-ng][sina-test] > search baidu
[*] Searching for 'baidu'...
[!] No modules found containing 'baidu'.

[recon-ng][sina-test] > search bing
[*] Searching for 'bing'...

  Recon
  -----
    recon/companies-contacts/bing_linkedin_cache
    recon/domains-hosts/bing_domain_api
    recon/domains-hosts/bing_domain_web
    recon/hosts-hosts/bing_ip

[recon-ng][sina-test] > search yahoo
[*] Searching for 'yahoo'...
[!] No modules found containing 'yahoo'.

[recon-ng][sina-test] > search brute
[*] Searching for 'brute'...

  Exploitation
  ------------
    exploitation/injection/xpath_bruter

  Recon
  -----
    recon/domains-domains/brute_suffix
    recon/domains-hosts/brute_hosts

Here you will notice that baidu and yahoo cannot currently be used in the recon-ng environment.
I use the brute module here.
Select the module to use; I chose the recon/domains-hosts/brute_hosts module.
Command: use <module to use>

[recon-ng][sina-test] > use recon/domains-hosts/brute_hosts
[recon-ng][sina-test][brute_hosts] >

View the module's options:

[recon-ng][sina-test][brute_hosts] > show options

  Name      Current Value                           Required  Description
  --------  -------------                           --------  -----------
  SOURCE    default                                 yes       source of input (see 'show info' for details)
  WORDLIST  /usr/share/recon-ng/data/hostnames.txt  yes       path to hostname wordlist

Set the option:
Command: set SOURCE <domain to enumerate>

[recon-ng][sina-test][brute_hosts] > set SOURCE sina.com
SOURCE => sina.com

Run it:
Command: run

[recon-ng][sina-test][brute_hosts] > run

--------
SINA.COM
--------
......(results omitted here)

-------
SUMMARY
-------
[*] 288 total (247 new) hosts found.

Show a rough table; the terminal prints the details of each IP address discovered in the previous step:
Command: show hosts

[recon-ng][sina-test][brute_hosts] > show hosts

  +------------------------------------------------------------------------------------------------------------------+
  | rowid | host | ip_address | region | country | latitude | longitude | module |
  +------------------------------------------------------------------------------------------------------------------+
  ......(results omitted here)
  +------------------------------------------------------------------------------------------------------------------+

Check the module's current settings in this workspace:
Command: show info

[recon-ng][sina-test][brute_hosts] > show info

      Name: DNS Hostname Brute Forcer
      Path: modules/recon/domains-hosts/brute_hosts.py
    Author: Tim Tomes (@LaNMaSteR53)

Description:
  Brute forces host names using DNS. Updates the 'hosts' table with the results.

Options:
  Name      Current Value                           Required  Description
  --------  -------------                           --------  -----------
  SOURCE    sina.com                                yes       source of input (see 'show info' for details)
  WORDLIST  /usr/share/recon-ng/data/hostnames.txt  yes       path to hostname wordlist

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

The point of this step is to continue discovery in the current workspace with the current module: after checking the state, you only need to change the domain to be discovered.

5. Resolve IPs

Return to the workspace to switch modules:
Command: back

[recon-ng][sina-test][brute_hosts] > back
[recon-ng][sina-test] >

Find the resolve module:
Command: search resolve

[recon-ng][sina-test] > search resolve
[*] Searching for 'resolve'...

  Recon
  -----
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/netblocks-hosts/reverse_resolve

Select the module to use; I chose the recon/hosts-hosts/resolve module.
Command: use recon/hosts-hosts/resolve

[recon-ng][sina-test] > use recon/hosts-hosts/resolve
[recon-ng][sina-test][resolve] >

Set the module options:

[recon-ng][sina-test][resolve] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][sina-test][resolve] > set SOURCE query select host from hosts
SOURCE => query select host from hosts

This takes the hosts table produced by the DNS lookup above as the input for resolution.
Run it:

[recon-ng][sina-test][resolve] > run
......(results omitted here)

-------
SUMMARY
-------
[*] 662 total (662 new) hosts found.
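The `Source Options` block printed by `show info` in step 4 and the `set SOURCE query select host from hosts` in step 5 describe how recon-ng chains modules through its workspace database: one module's output table becomes the next module's input through a SQL query. The Python below re-implements that input model in miniature to make it concrete; it is an added illustration written for this article, not recon-ng's own code. The table layout, the `FAKE_DNS` lookup table standing in for live DNS, the `example.com` domain and the three-word wordlist are all constructed for the example, so nothing here touches the network.

```python
import sqlite3
from pathlib import Path
from typing import Callable, List, Optional


def new_workspace_db() -> sqlite3.Connection:
    """In-memory stand-in for a recon-ng workspace database (assumed layout).

    Only the columns the example touches are modelled; the names follow the
    'show hosts' header in the article (host, ip_address, module).
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domains (domain TEXT, module TEXT)")
    db.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    return db


def resolve_source(db: sqlite3.Connection, source: str) -> List[str]:
    """Turn a SOURCE option value into the inputs a module iterates over.

    Mirrors the four forms listed under 'Source Options' by 'show info':
      default      -> SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
      query <sql>  -> run the query; it must return exactly one column
      <path>       -> one input per non-empty line of the file
      <string>     -> the literal value itself
    """
    if source == "default":
        sql = "SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL"
        return [row[0] for row in db.execute(sql)]
    if source.startswith("query "):
        rows = db.execute(source[len("query "):]).fetchall()
        if rows and len(rows[0]) != 1:
            raise ValueError("source query must return exactly one column")
        return [row[0] for row in rows if row[0] is not None]
    path = Path(source)
    if path.is_file():
        return [line.strip() for line in path.read_text().splitlines() if line.strip()]
    return [source]


Lookup = Callable[[str], Optional[str]]


def brute_hosts(db: sqlite3.Connection, source: str, wordlist: List[str], lookup: Lookup) -> int:
    """Stage 1 of the article's workflow, like recon/domains-hosts/brute_hosts:
    prefix each wordlist entry onto every input domain and keep the names that resolve."""
    added = 0
    for domain in resolve_source(db, source):
        for word in wordlist:
            host = f"{word}.{domain}"
            if lookup(host) is not None:
                db.execute("INSERT INTO hosts (host, module) VALUES (?, ?)", (host, "brute_hosts"))
                added += 1
    return added


def resolve_hosts(db: sqlite3.Connection, source: str, lookup: Lookup) -> int:
    """Stage 2, like recon/hosts-hosts/resolve with SOURCE 'query select host from hosts':
    fill ip_address for every host the source query yields."""
    updated = 0
    for host in resolve_source(db, source):
        ip = lookup(host)
        if ip is not None:
            db.execute("UPDATE hosts SET ip_address = ? WHERE host = ?", (ip, host))
            updated += 1
    return updated


# Constructed offline stand-in for DNS: a fixed table instead of live queries.
FAKE_DNS = {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.25"}


def fake_lookup(host: str) -> Optional[str]:
    return FAKE_DNS.get(host)


def run_pipeline():
    """Seed one domain, brute-force hostnames, resolve them; return counts and the table."""
    db = new_workspace_db()
    db.execute("INSERT INTO domains VALUES (?, ?)", ("example.com", "manual"))
    found = brute_hosts(db, "default", ["www", "mail", "vpn"], fake_lookup)
    resolved = resolve_hosts(db, "query select host from hosts", fake_lookup)
    rows = db.execute("SELECT host, ip_address FROM hosts ORDER BY host").fetchall()
    return found, resolved, rows


if __name__ == "__main__":
    print(run_pipeline())
```

The one-column rule on `query <sql>` is what makes the chaining safe to compose: a module never has to guess which column of an arbitrary result set is its input, which is why the article's `select host from hosts` works unchanged as the SOURCE of a different module.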

6. Generate the report

This part is an indispensable step in later professional work, and it is also what the client ultimately sees.
First exit the resolve module back to the workspace, then select the reporting module and set its options. Without further ado, on to the code block QAQ:

[recon-ng][sina-test][resolve] > back
[recon-ng][sina-test] > search report
[*] Searching for 'report'...

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

[recon-ng][sina-test] > use reporting/html
[recon-ng][sina-test][html] > show options

  Name      Current Value                                      Required  Description
  --------  -------------                                      --------  -----------
  CREATOR                                                      yes       creator name for the report footer
  CUSTOMER                                                     yes       customer name for the report header
  FILENAME  /root/.recon-ng/workspaces/sina-test/results.html  yes       path and filename for report output
  SANITIZE  True                                               yes       mask sensitive data in the report

[recon-ng][sina-test][html] > set CREATOR yanxiao                 # set the creator
CREATOR => yanxiao
[recon-ng][sina-test][html] > ser CUSTOMER SINA.com               # set the target name
[*] Command: ser CUSTOMER SINA.com
[recon-ng][sina-test][html] > set FILENAME /root/sina-test.html   # set the html file path
FILENAME => /root/sina-test.html
[recon-ng][sina-test][html] > run
[*] Report generated at '/root/sina-test.html'.

7. View the report

Open a browser and enter the path set above in the URL bar:

The Hosts entry can be expanded to see the details; I won't open it here.


This concludes passive information gathering. Where my summary falls short or contains errors, I welcome criticism and guidance from the seniors on CSDN.

IV. The Peach Blossoms Still Smile in the Spring Breeze

This article is the second time, since my first post on CSDN in March, that I have shared some of what I have learned and felt on this platform. That first attempt in March did not last, for various reasons. This time, it is partly because my studies have reached the most important part of penetration testing, the Kali system and the operation of its many tools, and partly because I want to spur myself on by keeping up a blog on CSDN, so that regularly summarizing and consolidating what I have learned becomes a habit. Keep going!!! May I, and all of you, soon ride high on the spring breeze and see all the flowers of Chang'an in a single day.
