渗透测试 |
您所在的位置:网站首页 › 资产信息资料收集的内容有哪些方法 › 渗透测试 |
渗透测试
|
被动信息收集
一、被动信息收集简介1.被动信息收集2.信息收集的内容3.信息收集的目的
二、被动信息收集方式1.dig:域名解析查询①直接查询②按指定内容查询③查新DNS版本信息④DNS追踪,迭代/递归查询
2.nslookup:诊断DNS基础结构3.whois:注册信息查询4.dnsenum5.fierce①直接查询②字典爆破
三、被动信息收集方式的重点(个人认为)1.进入recon-ng环境2.创建新的工作区3.设置工作区参数4.DNS查询5.解析IP6.生成报告7.查看报告
四、桃花依旧笑春风
一、被动信息收集简介
1.被动信息收集
指通过公开渠道的可获得信息,与目标系统或者主机不产生直接的信息交互,以尽可能避免留下任何痕迹的信息收集方法。 2.信息收集的内容IP地址段 域名信息 邮件地址 文档图片数据 公司地址 公司组织架构 联系电话/传真号码 人员姓名/职务 目标系统使用的技术架构 公开的商用信息 3.信息收集的目的个人认为信息收集是为了获取目标系统的基础架构以及目标主机的ip地址段以及该对象的域名信息,以达到使用所收集的信息去描述目标系统或者主机的目的,并对之后的一些列扫描工作做准备,是渗透测试技术的第一个关键步骤。 二、被动信息收集方式在这里我使用的系统环境是基于kali-linux-2018-W25-amd64的虚拟环境. 1.dig:域名解析查询 ①直接查询命令:dig 所要查询域名 root@yanxiao:~# dig www.sina.com ; DiG 9.11.3-1-Debian www.sina.com ;; global options: +cmd ;; Got answer: ;; ->>HEADERHEADER> Last update of whois database: 2019-06-26T09:02:43Z首次使用recon-ng,可以使用help查看所有可以执行的命令: [recon-ng][default] > help Commands (type [help|?] ): --------------------------------- add Adds records to the database back Exits the current context delete Deletes records from the database exit Exits the framework help Displays this menu keys Manages framework API keys load Loads specified module pdb Starts a Python Debugger session query Queries the database record Records commands to a resource file reload Reloads all modules resource Executes commands from a resource file search Searches available modules set Sets module options shell Executes shell commands show Shows various framework items snapshots Manages workspace snapshots spool Spools output to a file unset Unsets module options use Loads specified module workspaces Manages workspaces查看recon-ng命令的使用方法: [recon-ng][default] > recon-ng -h [*] Command: recon-ng -h usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check] [--no-analytics] recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com optional arguments: -h, --help show this help message and exit -v, --version show program's version number and exit -w workspace load/create a workspace -r filename load commands from a resource file --no-check disable version check --no-analytics disable analytics reporting 2.创建新的工作区这一步相对来说可有可无,但是为了养成良好习惯,在进行不同的案例之前为这个案例单独建一个工作区我个人认为是比较重要的,方便之后的管理以及查询。 命令:workspaces list,显示已存在的工作表 [recon-ng][default] > workspaces list +------------+ | Workspaces | +------------+ | default | | sina | +------------+这里要说明一下,若进入到recon-ng环境中时创建工作表可以用下列命令: 命令:workspaces add 工作区名 [recon-ng][default] > workspaces add sina-test [recon-ng][sina-test] > workspaces list +------------+ | Workspaces | +------------+ | default | | sina-test | | sina | +------------+ #删除工作表 [recon-ng][sina-test] > workspaces delete sina-test [recon-ng][default] > workspaces list +------------+ | Workspaces | +------------+ | default | | sina | +------------+若还是在kali环境下,则使用下列命令直接创建新工作区或者进入已经存在的工作区: 命令:recon-ng -w 工作区名 root@yanxiao:~# recon-ng -w sina-test [recon-ng][sina-test] > workspaces list +------------+ | Workspaces | +------------+ | default | | sina-test | | sina | +------------+ 3.设置工作区参数这里的工作区参数也可以直接跳过不进行设置,不影响结果;不过需要注意的是不设置参数的话,对方是很容易发现你用recon-ng对他进行扫描,所以建议还是进行设置,设置参数之后扫描会更加隐蔽 命令:show options [recon-ng][sina-test] > show options Name Current Value Required Description ---------- ------------- -------- ----------- NAMESERVER 8.8.8.8 yes nameserver for DNS interrogation PROXY no proxy server (address:port) THREADS 10 yes number of threads (where applicable) TIMEOUT 10 yes socket timeout (seconds) USER-AGENT Recon-ng/v4 yes user-agent string VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)要进行设置的参数信息命令: set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 [recon-ng][sina-test] > set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 USER-AGENT => Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 [recon-ng][sina-test] > show options Name Current Value Required Description ---------- ------------- -------- ----------- NAMESERVER 8.8.8.8 yes nameserver for DNS interrogation PROXY no proxy server (address:port) THREADS 10 yes number of threads (where applicable) TIMEOUT 10 yes socket timeout (seconds) USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 yes user-agent string VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)可以看到对工作区参数中的USER-AGENT这一项进行了修改。 4.DNS查询通过搜索引擎(google、baidu、bing、yahoo)或者使用 brute force(暴力破解) 去查找主机记录。 命令:search [recon-ng][sina-test] > search google [*] Searching for 'google'... Recon ----- recon/domains-hosts/google_site_api recon/domains-hosts/google_site_web [recon-ng][sina-test] > search baidu [*] Searching for 'baidu'... [!] No modules found containing 'baidu'. [recon-ng][sina-test] > search bing [*] Searching for 'bing'... Recon ----- recon/companies-contacts/bing_linkedin_cache recon/domains-hosts/bing_domain_api recon/domains-hosts/bing_domain_web recon/hosts-hosts/bing_ip [recon-ng][sina-test] > search yahoo [*] Searching for 'yahoo'... [!] No modules found containing 'yahoo'. [recon-ng][sina-test] > search brute [*] Searching for 'brute'... Exploitation ------------ exploitation/injection/xpath_bruter Recon ----- recon/domains-domains/brute_suffix recon/domains-hosts/brute_hosts这里会发现baidu和yahoo在recon-ng环境暂时不能使用。 我在这里使用的是brute模块。 选择要使用的模块,这里我选择了recon/domains-hosts/brute_hosts模块。 命令:use 所要使用的模块 [recon-ng][sina-test] > use recon/domains-hosts/brute_hosts [recon-ng][sina-test][brute_hosts] >查看该模块参数: [recon-ng][sina-test][brute_hosts] > show options Name Current Value Required Description -------- ------------- -------- ----------- SOURCE default yes source of input (see 'show info' for details) WORDLIST /usr/share/recon-ng/data/hostnames.txt yes path to hostname wordlist设置参数: 命令:set SOURCE 所要发现的域名 [recon-ng][sina-test][brute_hosts] > set SOURCE sina.com SOURCE => sina.com运行: 命令:run [recon-ng][sina-test][brute_hosts] > run -------- SINA.COM -------- ......此处的发现结果不予显示 ------- SUMMARY ------- [*] 288 total (247 new) hosts found.查看粗略的表格,会在终端中显示出上一步中发现的IP地址的各项信息: 命令:show hosts [recon-ng][sina-test][brute_hosts] > show hosts +------------------------------------------------------------------------------------------------------------------+ | rowid | host | ip_address | region | country | latitude | longitude | module | +------------------------------------------------------------------------------------------------------------------+ ......此处发现结果不予显示 +------------------------------------------------------------------------------------------------------------------+查询工作表模块当前的设置: 命令:show info [recon-ng][sina-test][brute_hosts] > show info Name: DNS Hostname Brute Forcer Path: modules/recon/domains-hosts/brute_hosts.py Author: Tim Tomes (@LaNMaSteR53) Description: Brute forces host names using DNS. Updates the 'hosts' table with the results. Options: Name Current Value Required Description -------- ------------- -------- ----------- SOURCE sina.com yes source of input (see 'show info' for details) WORDLIST /usr/share/recon-ng/data/hostnames.txt yes path to hostname wordlist Source Options: default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL string representing a single input path to a file containing a list of inputs query database query returning one column of inputs这一步的作用是为了在当前工作区使用当前模块进行继续发现的工作,查询状态之后只需修改需要发现的域名即可。 5.解析IP返回工作区更换模块: 命令:back [recon-ng][sina-test][brute_hosts] > back [recon-ng][sina-test] >寻找解析模块resolve: 命令:search resolve [recon-ng][sina-test] > search resolve [*] Searching for 'resolve'... Recon ----- recon/hosts-hosts/resolve recon/hosts-hosts/reverse_resolve recon/netblocks-hosts/reverse_resolve选择要使用的模块,我这里选择的是recon/hosts-hosts/resolve模块。 命令:use recon/hosts-hosts/resolve [recon-ng][sina-test] > use recon/hosts-hosts/resolve [recon-ng][sina-test][resolve] >设置模块参数: [recon-ng][sina-test][resolve] > show options Name Current Value Required Description ------ ------------- -------- ----------- SOURCE default yes source of input (see 'show info' for details) [recon-ng][sina-test][resolve] > set SOURCE query select host from hosts SOURCE => query select host from hosts这里设置的是从刚才的DNS查询中得到的hosts表中进行取样解析。 运行: [recon-ng][sina-test][resolve] > run ......此处发现结果不予显示 ------- SUMMARY ------- [*] 662 total (662 new) hosts found. 6.生成报告这一部分内容在以后的企业工作中是必备的一步,客户最终看到的也是这一部分的内容。 先退出解析模块至工作区,之后选择报告模块,设置报告模块参数,话不多说,进代码块QAQ: [recon-ng][sina-test][resolve] > back [recon-ng][sina-test] > search report [*] Searching for 'report'... Reporting --------- reporting/csv reporting/html reporting/json reporting/list reporting/proxifier reporting/pushpin reporting/xlsx reporting/xml [recon-ng][sina-test] > use reporting/html [recon-ng][sina-test][html] > show options Name Current Value Required Description -------- ------------- -------- ----------- CREATOR yes creator name for the report footer CUSTOMER yes customer name for the report header FILENAME /root/.recon-ng/workspaces/sina-test/results.html yes path and filename for report output SANITIZE True yes mask sensitive data in the report [recon-ng][sina-test][html] > set CREATOR yanxiao #设置创建者 CREATOR => yanxiao [recon-ng][sina-test][html] > ser CUSTOMER SINA.com #设置目标名 [*] Command: ser CUSTOMER SINA.com [recon-ng][sina-test][html] > set FILENAME /root/sina-test.html #设置html文件路径 FILENAME => /root/sina-test.html [recon-ng][sina-test][html] > run [*] Report generated at '/root/sina-test.html'. 7.查看报告打开浏览器,在url一栏搜索刚才所设置的路径: 这篇文章是继三月份第一次在CSDN发表文章以来第二次继续在CSDN这个平台发表自己的一些所学所感。之前三月份那一次因为各种原因没能坚持下来,这次呢,既因为学习进度到了渗透测试最重要的一部分kali系统以及各种工具的操作,也因为想以在CSDN坚持写博客的方法砥砺自己,让不时的总结巩固所学的知识成为一种习惯,加油!!!愿自己以及诸君不日就可以春风得意马蹄疾,一日看尽长安花。 |
其中的Hosts是可以打开看详细信息的,在这里我就不打开看了。【本文地址】