本文介绍几个DNS信息搜集工具的使用方法
0x00 dnsrecon
获取目标域名的 SOA, NS, A, MX , MX , SPF等信息
由该工具的搜集结果我们大致可能知道目标采用了什么邮件服务器、被哪家服务商托管的、A记录对应的服务器地址是多少……
命令
dnsrecon -t std -d zhenrongbao.com
-d, --domain <domain> Target domain.
-t, --type <types> Type of enumeration to perform:
std SOA, NS, A, AAAA, MX and SRV if AXRF on the NS servers fail.// 基本的查询
rvl Reverse lookup of a given CIDR or IP range.
brt Brute force domains and hosts using a given dictionary. // 暴力枚举
srv SRV records.
axfr Test all NS servers for a zone transfer. // 域传送漏洞
goo Perform Google search for subdomains and hosts.
snoop Perform cache snooping against all NS servers for a given domain, testing
all with file containing the domains, file given with -D option.
tld Remove the TLD of given domain and test against all TLDs registered in IANA.
zonewalk Perform a DNSSEC zone walk using NSEC records.
例子
root@Kali:~/dict/dns# dnsrecon -t std -d zhenrongbao.com
[*] Performing General Enumeration of Domain:
[-] DNSSEC is not configured for zhenrongbao.com
[*] SOA vip1.alidns.com 47.88.44.151
[*] SOA vip1.alidns.com 140.205.29.113
[*] SOA vip1.alidns.com 140.205.228.51
******* <省略> *******
[*] A zhenrongbao.com 180.97.161.183
[*] TXT zhenrongbao.com v=spf1 include:spf.mail.qq.com ~all
[*] Enumerating SRV Records
[-] No SRV Records Found for zhenrongbao.com
[*] 0 Records Found
由以上情况我们可以知道目标是被阿里云托管、使用了腾讯邮箱、同时还包括一个A记录,解析到了 180.97.164.183
验证域传送漏洞
root@Kali:~/dict/dns# dnsrecon -t std -d zhenrongbao.com -a
[*] Performing General Enumeration of Domain:
[*] Checking for Zone Transfer for zhenrongbao.com name servers
[*] Resolving SOA Record
[*] SOA vip1.alidns.com 116.211.173.151
[*] SOA vip1.alidns.com 14.1.112.13
[*] SOA vip1.alidns.com 14.1.112.11
[*] Resolving NS Records
[*] NS Servers found:
[*] NS vip2.alidns.com 14.1.112.14
[*] NS vip2.alidns.com 140.205.228.52
[*] NS vip2.alidns.com 140.205.228.54
[*] NS vip2.alidns.com 140.205.29.114
[*] NS vip2.alidns.com 47.88.44.152
[*] NS vip2.alidns.com 106.11.30.114
[*] NS vip2.alidns.com 106.11.41.152
[*] NS vip2.alidns.com 116.211.173.152
[*] NS vip2.alidns.com 116.211.173.154
***** <省略> *****
[*] Trying NS server 116.211.173.154
[-] Zone Transfer Failed for 116.211.173.154!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 140.205.228.53
[-] Zone Transfer Failed for 140.205.228.53!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 140.205.228.54
[-] Zone Transfer Failed for 140.205.228.54!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 106.11.41.151
[-] Zone Transfer Failed for 106.11.41.151!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 106.11.41.152
[-] Zone Transfer Failed for 106.11.41.152!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 47.88.44.152
[-] Zone Transfer Failed for 47.88.44.152!
[-] Port 53 TCP is being filtered
dnsrecon -t std -d zhenrongbao.com -t axfr 也可以
DNS枚举
dnsrecon -d <目标域名> - D <字典绝对路径> -t brt
root@Kali:~/dict/dns# dnsrecon -d zhenrongbao.com -D /root/dict/dns/subnames.txt -t brt
[*] Performing host and subdomain brute force against zhenrongbao.com
[*] A www.zhenrongbao.com 180.97.161.183
[*] A cs.zhenrongbao.com 182.92.223.203
[*] A a.zhenrongbao.com 101.201.175.160
[*] A bbs.zhenrongbao.com 182.92.27.109
[*] A static.zhenrongbao.com 101.200.31.82
[*] CNAME s7.zhenrongbao.com s7.zhenrongbao.com.mschcdn.com
[*] CNAME s7.zhenrongbao.com.mschcdn.com s7.zhenrongbao.com.xgslb.net
[*] CNAME s7.zhenrongbao.com.xgslb.net https.xgslb.net
[*] A https.xgslb.net 122.228.85.53
[*] A https.xgslb.net 122.228.115.15
[*] CNAME s6.zhenrongbao.com s6.zhenrongbao.com.w.kunlunpi.com
[*] A s6.zhenrongbao.com.w.kunlunpi.com 122.227.164.191
[*] A s6.zhenrongbao.com.w.kunlunpi.com 122.225.34.236
****** <省略> ******
结果整理
--db <file> 将结果保存到SQLite 3文件
--xml <file> 将结果保存到XML文件
-c, --csv <file> 将结果保存到csv文件
-j, --json <file> 将结果保存到JSON文件
root@Kali:~/dict/dns# dnsrecon -d zhenrongbao.com -D /root/dict/dns/subnames.txt -t brt --xml result.xml
[*] Performing host and subdomain brute force against zhenrongbao.com
[*] A www.zhenrongbao.com 180.97.161.183
[*] A cs.zhenrongbao.com 182.92.223.203
**** <省略> ****
[*] A opencdn.jomodns.com 183.136.200.35
[*] 63 Records Found
[*] Saving records to XML file: result.xml
root@Kali:~/dict/dns#
保存结果:
root@Kali:~# tail -n 10 /usr/share/dnsrecon/result.xml
<record address="101.201.169.129" name="activity.zhenrongbao.com" type="A"/>
<record name="s8.zhenrongbao.com" target="s8.zhenrongbao.com.bsgslb.cn" type="CNAME"/>
<record name="s8.zhenrongbao.com.bsgslb.cn" target="zhenrongbaostatic.oss-cn-beijing.aliyuncs.com" type="CNAME"/>
<record address="59.110.190.174" name="zhenrongbaostatic.oss-cn-beijing.aliyuncs.com" type="A"/>
<record name="s10.zhenrongbao.com" target="s10.zhenrongbao.com.a.bdydns.com" type="CNAME"/>
<record name="s10.zhenrongbao.com.a.bdydns.com" target="opencdn.jomodns.com" type="CNAME"/>
<record address="183.136.200.35" name="opencdn.jomodns.com" type="A"/>
<scaninfo arguments="./dnsrecon.py -d zhenrongbao.com -D /root/dict/dns/subnames.txt -t brt --xml result.xml" time="2017-11-09 15:05:15.485088"/>
<domain domain_name="zhenrongbao.com"/>
</records>
其实还可以保存为sqlite文件,这样数据处理会快一些
0x01 dnswalk
使用区域传送来获取DNS解析,现在已经不常用
root@Kali:~/dict/dns# dnswalk hao123.com.
Checking hao123.com.
Getting zone transfer of hao123.com. from dns.baidu.com...failed
FAIL: Zone transfer of hao123.com. from dns.baidu.com failed: REFUSED
Getting zone transfer of hao123.com. from ns3.baidu.com...failed
FAIL: Zone transfer of hao123.com. from ns3.baidu.com failed: REFUSED
Getting zone transfer of hao123.com. from ns1.baidu.com...failed
FAIL: Zone transfer of hao123.com. from ns1.baidu.com failed: REFUSED
0x02 dnsenum
暴力枚举子域
root@Kali:~/dict/dns# dnsenum -f subnames.txt aliyun.com
dnsenum.pl VERSION:1.2.3
----- aliyun.com -----
Host's addresses:
__________________
aliyun.com. 46 IN A 140.205.172.20
aliyun.com. 46 IN A 140.205.32.13
aliyun.com. 46 IN A 140.205.34.12
aliyun.com. 46 IN A 140.205.172.21
aliyun.com. 46 IN A 140.205.32.8
aliyun.com. 46 IN A 140.205.230.3
Name Servers:
______________
ns3.aliyun.com. 10799 IN A 106.11.35.29
ns3.aliyun.com. 10799 IN A 106.11.35.30
ns4.aliyun.com. 431981 IN A 42.156.241.248
ns4.aliyun.com. 431981 IN A 140.205.71.248
ns5.aliyun.com. 431999 IN A 140.205.2.187
ns5.aliyun.com. 431999 IN A 198.11.138.248
Mail (MX) Servers:
___________________
mx2.mail.aliyun.com. 429 IN A 140.205.94.14
Trying Zone Transfers and getting Bind Versions: # 自动测试域传送漏洞
_________________________________________________
Trying Zone Transfer for aliyun.com on ns3.aliyun.com ...
AXFR record query failed: no socket TCP[106.11.35.29] Connection timed out
Trying Zone Transfer for aliyun.com on ns4.aliyun.com ...
AXFR record query failed: REFUSED
Brute forcing with subnames.txt: # 开始枚举
_________________________________
www.aliyun.com. 12 IN CNAME www-jp-de-intl-adns.aliyun.com.
www-jp-de-intl-adns.aliyun.com. 12 IN CNAME (
www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com. 83 IN CNAME (
wagbridge.aliyun.com. 270 IN CNAME sh.wagbridge.aliyun.com.
sh.wagbridge.aliyun.com. 293 IN CNAME (
sh.wagbridge.aliyun.com.gds.alibabadns.com. 293 IN A 140.205.32.13
blog.aliyun.com. 1800 IN A 120.55.251.28
cs.aliyun.com. 300 IN CNAME sh.wagbridge.aliyun.com.
sh.wagbridge.aliyun.com. 293 IN CNAME (
sh.wagbridge.aliyun.com.gds.alibabadns.com. 293 IN A 140.205.32.13
my.aliyun.com. 600 IN CNAME cname.yunos.com.
cname.yunos.com. 571 IN CNAME cname.gds.yunos.com.
cname.gds.yunos.com. 196 IN A 140.205.172.1
search.aliyun.com. 300 IN A 100.67.76.19
cn.aliyun.com. 58 IN CNAME wagbridge.aliyun.com.
wagbridge.aliyun.com. 299 IN CNAME sh.wagbridge.aliyun.com.
sh.wagbridge.aliyun.com. 299 IN CNAME (
sh.wagbridge.aliyun.com.gds.alibabadns.com. 299 IN A 140.205.172.20
i.aliyun.com. 147 IN CNAME sh.wagbridge.aliyun.com.
sh.wagbridge.aliyun.com. 300 IN CNAME (
sh.wagbridge.aliyun.com.gds.alibabadns.com. 300 IN A 140.205.172.20
club.aliyun.com. 2 IN CNAME sh.wagbridge.aliyun.aliyun.com.
sh.wagbridge.aliyun.aliyun.com. 207 IN CNAME aliyun-adns.aliyun.com.
aliyun-adns.aliyun.com. 207 IN CNAME (
aliyun-adns.aliyun.com.gds.alibabadns.com. 207 IN A 140.205.135.3
app.aliyun.com. 295 IN CNAME app.aliyun.com.danuoyi.alicdn.com.
app.aliyun.com.danuoyi.alicdn.com. 60 IN A 122.228.250.235
app.aliyun.com.danuoyi.alicdn.com. 60 IN A 122.228.250.95
app.aliyun.com.danuoyi.alicdn.com. 60 IN A 122.228.250.92
app.aliyun.com.danuoyi.alicdn.com. 60 IN A 122.228.250.234
app.aliyun.com.danuoyi.alicdn.com. 60 IN A 122.228.95.81
**** <省略> ****
常用参数
--subfile <file> 将所有有效子域名写入文件
-t, --timeout <value> 等待超时时间单位:秒
--threads <value> 设置线程
-f, --file <file> 读取域名字典
-r, --recursion 发现NS记录则递归子域
-o --output <file> 输出一个XML文件
0x03 dnstracer
向指定域名服务器发送非递归域名请求。
非递归请求的意思是,如果域名服务器知道,那么它会返回请求数据。
如果域名服务器不知道,它会返回授权域的域名服务器或返回根域名服务器的地址。
-c: 不允许使用本地缓存,默认允许
-C: 启用否定缓存,默认禁用
-o: 启用收到响应的概述,默认禁用
-q <querytype>: 设置请求的DNS查询记录类型, 默认为A记录
-r <retries>: 请求重试次数, 默认为 3 次
-s <server>: 设置一个DNS服务器,默认为本地
-t <maximum timeout>: 超时时间
-v: 查看详细信息
-S <ip address>: 伪造一个源地址.
-4: 使用IPV4
root@Kali:~/dict/dns# dnstracer zhenrongbao.com
Tracing to zhenrongbao.com[a] via 192.168.3.1, maximum of 3 retries
192.168.3.1 (192.168.3.1)
|\___ k.gtld-servers.net [com] (192.52.178.30)
| |\___ vip2.alidns.com [zhenrongbao.com] (47.88.44.152) Got authoritative answer
| |\___ vip2.alidns.com [zhenrongbao.com] (140.205.29.114) Got authoritative answer
| |\___ vip2.alidns.com [zhenrongbao.com] (140.205.228.54) Got authoritative answer
| |\___ vip2.alidns.com [zhenrongbao.com] (140.205.228.52) Got authoritative answer
| |\___ vip2.alidns.com [zhenrongbao.com] (14.1.112.14) Got authoritative answer
| |\___ vip2.alidns.com [zhenrongbao.com] (14.1.112.12) Got authoritative answer
| |\___ vip2.alidns.com [zhenrongbao.com] (121.29.51.154) Got authoritative answer
| |\___ vip2.alidns.com [zhenrongbao.com] (121.29.51.152) Got authoritative answer
| |\___ vip2.alidns.com [zhenrongbao.com] (116.211.173.154) Got authoritative answer
| |\___ vip2.alidns.com [zhenrongbao.com] (116.211.173.152) Got authoritative answer
| |\___ vip2.alidns.com [zhenrongbao.com] (106.11.41.152) Got authoritative answer
**** <省略> ****
0x04 dnsmap
参数详解
-w <wordlist-file> 字典
-r <regular-results-file> 保存为纯文本
-c <csv-results-file> 保存为csv文件
-d <delay-millisecs> 每次请求间隔多少毫秒
-i <ips-to-ignore> 排除误报,绕过IPS
例子
root@Kali:~/dict/dns# dnsmap zhenrongbao.com -w subnames.txt -r ./zhengrongbaoDNSresult.data
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] searching (sub)domains for zhenrongbao.com using subnames.txt
[+] using maximum random delay of 10 millisecond(s) between requests
www.zhenrongbao.com
IP address #1: 180.97.161.183
cs.zhenrongbao.com
IP address #1: 182.92.223.203
a.zhenrongbao.com
IP address #1: 101.201.175.160
bbs.zhenrongbao.com
IP address #1: 182.92.27.109
static.zhenrongbao.com
IP address #1: 101.200.31.82
**** <省略> ****
0x04 一些小技巧
后续总结 …