资讯专栏INFORMATION COLUMN

渗透测试之全方位信息收集神器 instarecon

DTeam / 2197人阅读

摘要:功能介绍将从以下几个方面展开渗透测试前的信息收集工作包括域名的解析结果记录是电子邮件系统中的邮件交换记录的一种另一种邮件交换记录是记录在协议中或记录在协议中。的方向查询,即通过指向的反查相关的域名信息唯一可能有点缺憾的是没有加入暴力遍历。

功能介绍

instarecon将从以下几个方面展开渗透测试前的信息收集工作

1. DNS (direct, PTR, MX, NS) lookups

包括域名的dns解析结果;

PTR记录:是电子邮件系统中的邮件交换记录的一种;另一种邮件交换记录是A记录(在IPv4协议中)或AAAA记录(在IPv6协议中)。PTR记录常被用于反向地址解析。

MX记录:是邮件交换记录,它指向一个邮件服务器,用于电子邮件系统发邮件时根据 收信人的地址后缀来定位邮件服务器。MX记录也叫做邮件路由记录,用户可以将该域名下的邮件服务器指向到自己的mail server上,然后即可自行操控所有的邮箱设置。

NS记录:NS(Name Server)记录是域名服务器记录,用来指定该域名由哪个DNS服务器来进行解析。

2. Whois (domains and IP) lookups

whois是用来查询域名的IP以及所有者等信息的传输协议。简单说,whois就是一个用来查询域名是否已经被注册,以及注册域名的详细信息的数据库(如域名所有人、域名注册商)。

3. Google dorks in search of subdomains

google搜索引擎记录的二级域名相关信息

4. Shodan lookups

通过shodan获取域名相关信息;Shodan真正值得注意的能力就是能找到几乎所有和互联网相关联的东西。而Shodan真正的可怕之处就是这些设备几乎都没有安装安全防御措施,其可以随意进入。

5. Reverse DNS lookups on entire CIDRs

dns的方向查询,即通过指向的ip反查ip相关的域名信息

唯一可能有点缺憾的是没有加入dns暴力遍历。

下载
bash➜  tools git:(master) ✗ git clone https://github.com/vergl4s/instarecon.git

接下来需要安装python的扩展,如果已经安装的pip则直接安装:

bashsudo pip install pythonwhois ipwhois ipaddress shodan

如果没有安装pip,可以这样安装

shsudo easy_install pip
使用

使用很简单,给个示例:

$ ./instarecon.py -s  -o ~/Desktop/github.com.csv github.com

跑一下乌云的信息看看:

[root@localhost instarecon]# python instarecon.py wooyun.org
# InstaRecon v0.1 - by Luis Teixeira (teix.co)
# Scanning 1/1 hosts
# No Shodan key provided

# ____________________ Scanning wooyun.org ____________________ #

# DNS lookups
[*] Domain: wooyun.org

[*] IPs & reverse DNS: 
162.159.208.53
162.159.209.53

# Whois lookups

[*] Whois domain:
Domain Name:WOOYUN.ORG
Domain ID: D159099935-LROR
Creation Date: 2010-05-06T08:50:48Z
Updated Date: 2015-01-07T03:37:41Z
Registry Expiry Date: 2024-05-06T08:50:48Z
Sponsoring Registrar:Hichina Zhicheng Technology Limited (R1373-LROR)
Sponsoring Registrar IANA ID: 420
WHOIS Server: 
Referral URL: 
Domain Status: clientDeleteProhibited -- http://www.icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited -- http://www.icann.org/epp#clientTransferProhibited
Registrant ID:hc556860480-cn
Registrant Name:Fang Xiao Dun
Registrant Organization:Fang Xiao Dun
Registrant Street: Haidian District JuYuan Road 6# 502
Registrant City:Beijing
Registrant State/Province:Beijing
Registrant Postal Code:100080
Registrant Country:CN
Registrant Phone:+86.18610137578
Registrant Phone Ext: 
Registrant Fax: +86.18610137578
Registrant Fax Ext: 
Registrant Email:xssshell@gmail.com
Admin ID:HC-009652962-CN
Admin Name:Fang Xiaodun
Admin Organization:Beijing Bigfish Technology
Admin Street: Haidian District JuYuan Road 6# 502
Admin City:Beijing
Admin State/Province:Beijing
Admin Postal Code:100080
Admin Country:CN
Admin Phone:+86.18610137578
Admin Phone Ext: 
Admin Fax: +86.18610137578
Admin Fax Ext: 
Admin Email:xssshell@gmail.com
Tech ID:HC-844637505-CN
Tech Name:Fang Xiaodun
Tech Organization:Beijing Bigfish Technology
Tech Street: Haidian District JuYuan Road 6# 502
Tech City:Beijing
Tech State/Province:Beijing
Tech Postal Code:100080
Tech Country:CN
Tech Phone:+86.18610137578
Tech Phone Ext: 
Tech Fax: +86.18610137578
Tech Fax Ext: 
Tech Email:xssshell@gmail.com
Name Server:NS1.DNSV2.COM
Name Server:NS2.DNSV2.COM
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
DNSSEC:Unsigned

Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient"s own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.

[*] Whois IP:
asn: 13335
asn_cidr: 162.159.208.0/24
asn_country_code: US
asn_date: 2013-05-23
asn_registry: arin
net 0:
    cidr: 162.158.0.0/15
    range: 162.158.0.0 - 162.159.255.255
    name: CLOUDFLARENET
    description: CloudFlare, Inc.
    handle: NET-162-158-0-0-1

    address: 665 Third Street #207
    city: San Francisco
    state: CA
    postal_code: 94107
    country: US

    abuse_emails: abuse@cloudflare.com
    tech_emails: admin@cloudflare.com

    created: 2013-05-23 00:00:00
    updated: 2013-05-23 00:00:00

# Querying Google for subdomains and Linkedin pages, this might take a while
[-] Error: No subdomains found in Google. If you are scanning a lot, Google might be blocking your requests.

# Reverse DNS lookup on range 162.158.0.0/15
162.159.8.133 - cf-162-159-8-133.cloudflare.com
162.159.9.204 - cf-162-159-9-204.cloudflare.com
162.159.24.5 - dns1.namecheaphosting.com
162.159.24.6 - a.ns.zerigo.net
162.159.24.7 - e.ns.zerigo.net
162.159.24.204 - ns1.proisp.no
162.159.25.5 - dns2.namecheaphosting.com
162.159.25.6 - b.ns.zerigo.net
162.159.25.7 - f.ns.zerigo.net
162.159.25.138 - ns2.proisp.no
162.159.26.6 - c.ns.zerigo.net
162.159.27.6 - d.ns.zerigo.net
# Done

可以看到乌云使用的是cloudflare;负责人是fangxiaodun;邮箱是xssshell@gmail.com

  

来自http://www.codefrom.com/paper/%20%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%...

文章版权归作者所有,未经允许请勿转载,若此文章存在违规行为,您可以联系管理员删除。

转载请注明本文地址:https://www.ucloud.cn/yun/37536.html

相关文章

  • 渗透测试方位信息收集神器 instarecon

    摘要:功能介绍将从以下几个方面展开渗透测试前的信息收集工作包括域名的解析结果记录是电子邮件系统中的邮件交换记录的一种另一种邮件交换记录是记录在协议中或记录在协议中。的方向查询,即通过指向的反查相关的域名信息唯一可能有点缺憾的是没有加入暴力遍历。 功能介绍 instarecon将从以下几个方面展开渗透测试前的信息收集工作 1. DNS (direct, PTR, MX, NS) looku...

    MingjunYang 评论0 收藏0

发表评论

0条评论

DTeam

|高级讲师

TA的文章

阅读更多
最新活动
阅读需要支付1元查看
<