This article covers how to use several DNS reconnaissance tools.

0x00 dnsrecon

Retrieves the target domain's SOA, NS, A, MX, SPF and similar records.

From this tool's results we can roughly tell which mail service the target uses, which provider hosts its DNS, which server address the A record points to, and so on.

Command

dnsrecon -t std -d zhenrongbao.com

-d, --domain      <domain>   Target domain.
-t, --type        <types>    Type of enumeration to perform:
                                std       SOA, NS, A, AAAA, MX and SRV if AXRF on the NS servers fail.// basic queries
                                rvl       Reverse lookup of a given CIDR or IP range.
                                brt       Brute force domains and hosts using a given dictionary. // brute-force enumeration
                                srv       SRV records.
                                axfr      Test all NS servers for a zone transfer. // zone transfer vulnerability
                                goo       Perform Google search for subdomains and hosts.
                                snoop     Perform cache snooping against all NS servers for a given domain, testing
                                          all with file containing the domains, file given with -D option.
                                tld       Remove the TLD of given domain and test against all TLDs registered in IANA.
                                zonewalk  Perform a DNSSEC zone walk using NSEC records.

Example

root@Kali:~/dict/dns# dnsrecon -t std -d zhenrongbao.com
[*] Performing General Enumeration of Domain:
[-] DNSSEC is not configured for zhenrongbao.com
[*] 	 SOA vip1.alidns.com 47.88.44.151
[*] 	 SOA vip1.alidns.com 140.205.29.113
[*] 	 SOA vip1.alidns.com 140.205.228.51
         ******* <omitted> *******
[*] 	 A zhenrongbao.com 180.97.161.183
[*] 	 TXT zhenrongbao.com v=spf1 include:spf.mail.qq.com ~all
[*] Enumerating SRV Records
[-] No SRV Records Found for zhenrongbao.com
[*] 0 Records Found

From the above we can tell that the target's DNS is hosted on Alibaba Cloud (alidns), that it uses Tencent's QQ mail, and that it has an A record resolving to 180.97.161.183.
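As an added example (not code from the original post), here is a small Python parser for dnsrecon's std output that pulls out the same facts the paragraph above reads off by eye: the name-server hosts, the A records, the SPF include that names the mail provider, and the SPF "all" qualifier, which tells a defender how strictly unlisted senders are rejected. The input is a constructed sample for example.com in dnsrecon's line format, not the real output above.

```python
import re
from collections import defaultdict

# Constructed sample in dnsrecon's "[*] <TYPE> <name> <value>" line format (not a live capture).
SAMPLE_OUTPUT = """\
[*] Performing General Enumeration of Domain:
[-] DNSSEC is not configured for example.com
[*] \t SOA vip1.alidns.com 47.88.44.151
[*] \t NS vip2.alidns.com 14.1.112.14
[*] \t MX mail.example.com 203.0.113.10
[*] \t A example.com 180.97.161.183
[*] \t TXT example.com v=spf1 include:spf.mail.qq.com ~all
[*] Enumerating SRV Records
[-] No SRV Records Found for example.com
"""

RECORD_RE = re.compile(r"^\[\*\]\s+(SOA|NS|A|AAAA|MX|TXT|CNAME)\s+(\S+)\s+(.+?)\s*$")

def parse_dnsrecon_std(text):
    """Return {record type: [(name, value), ...]}; status lines such as '[-] ...' are skipped."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, name, value = m.groups()
            records[rtype].append((name, value))
    return dict(records)

def spf_terms(records):
    """All whitespace-separated terms of the first SPF TXT record, or [] if there is none."""
    for _name, value in records.get("TXT", []):
        if value.lower().startswith("v=spf1"):
            return value.split()
    return []

def spf_includes(records):
    """include: targets name the third party allowed to send mail for the domain (here QQ mail)."""
    return [t.split(":", 1)[1] for t in spf_terms(records) if t.lower().startswith("include:")]

def spf_all_qualifier(records):
    """The final 'all' mechanism: '-all' rejects unlisted senders, '~all' only soft-fails them."""
    for t in spf_terms(records):
        if t.lstrip("+-~?").lower() == "all":
            return t
    return None

def nameserver_hosts(records):
    """Distinct SOA/NS hostnames; the DNS hosting provider is read off their domain (alidns = Alibaba Cloud)."""
    return sorted({name for rt in ("SOA", "NS") for name, _ in records.get(rt, [])})
```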

Checking for the zone transfer vulnerability

root@Kali:~/dict/dns# dnsrecon -t std -d zhenrongbao.com -a
[*] Performing General Enumeration of Domain:
[*] Checking for Zone Transfer for zhenrongbao.com name servers
[*] Resolving SOA Record
[*] 	 SOA vip1.alidns.com 116.211.173.151
[*] 	 SOA vip1.alidns.com 14.1.112.13
[*] 	 SOA vip1.alidns.com 14.1.112.11
[*] Resolving NS Records
[*] NS Servers found:
[*] 	NS vip2.alidns.com 14.1.112.14
[*] 	NS vip2.alidns.com 140.205.228.52
[*] 	NS vip2.alidns.com 140.205.228.54
[*] 	NS vip2.alidns.com 140.205.29.114
[*] 	NS vip2.alidns.com 47.88.44.152
[*] 	NS vip2.alidns.com 106.11.30.114
[*] 	NS vip2.alidns.com 106.11.41.152
[*] 	NS vip2.alidns.com 116.211.173.152
[*] 	NS vip2.alidns.com 116.211.173.154
       ***** <omitted> *****
[*] Trying NS server 116.211.173.154
[-] Zone Transfer Failed for 116.211.173.154!
[-] Port 53 TCP is being filtered
[*]  
[*] Trying NS server 140.205.228.53
[-] Zone Transfer Failed for 140.205.228.53!
[-] Port 53 TCP is being filtered
[*]  
[*] Trying NS server 140.205.228.54
[-] Zone Transfer Failed for 140.205.228.54!
[-] Port 53 TCP is being filtered
[*]  
[*] Trying NS server 106.11.41.151
[-] Zone Transfer Failed for 106.11.41.151!
[-] Port 53 TCP is being filtered
[*]  
[*] Trying NS server 106.11.41.152
[-] Zone Transfer Failed for 106.11.41.152!
[-] Port 53 TCP is being filtered
[*]  
[*] Trying NS server 47.88.44.152
[-] Zone Transfer Failed for 47.88.44.152!
[-] Port 53 TCP is being filtered

dnsrecon -t std -d zhenrongbao.com -t axfr also works

DNS enumeration

dnsrecon -d <target domain> -D <absolute path to wordlist> -t brt

root@Kali:~/dict/dns# dnsrecon -d zhenrongbao.com -D /root/dict/dns/subnames.txt -t brt
[*] Performing host and subdomain brute force against zhenrongbao.com
[*] 	 A www.zhenrongbao.com 180.97.161.183
[*] 	 A cs.zhenrongbao.com 182.92.223.203
[*] 	 A a.zhenrongbao.com 101.201.175.160
[*] 	 A bbs.zhenrongbao.com 182.92.27.109
[*] 	 A static.zhenrongbao.com 101.200.31.82
[*] 	 CNAME s7.zhenrongbao.com s7.zhenrongbao.com.mschcdn.com
[*] 	 CNAME s7.zhenrongbao.com.mschcdn.com s7.zhenrongbao.com.xgslb.net
[*] 	 CNAME s7.zhenrongbao.com.xgslb.net https.xgslb.net
[*] 	 A https.xgslb.net 122.228.85.53
[*] 	 A https.xgslb.net 122.228.115.15
[*] 	 CNAME s6.zhenrongbao.com s6.zhenrongbao.com.w.kunlunpi.com
[*] 	 A s6.zhenrongbao.com.w.kunlunpi.com 122.227.164.191
[*] 	 A s6.zhenrongbao.com.w.kunlunpi.com 122.225.34.236
          ****** <omitted> ******

Organising the results

   --db              <file>     Save results to a SQLite 3 file
   --xml             <file>     Save results to an XML file
   -c, --csv         <file>     Save results to a CSV file
   -j, --json        <file>     Save results to a JSON file

root@Kali:~/dict/dns# dnsrecon -d zhenrongbao.com -D /root/dict/dns/subnames.txt -t brt --xml result.xml
[*] Performing host and subdomain brute force against zhenrongbao.com
[*] 	 A www.zhenrongbao.com 180.97.161.183
[*] 	 A cs.zhenrongbao.com 182.92.223.203
        **** <omitted> ****
[*] 	 A opencdn.jomodns.com 183.136.200.35
[*] 63 Records Found
[*] Saving records to XML file: result.xml
root@Kali:~/dict/dns# 

Saved results:

root@Kali:~# tail -n 10 /usr/share/dnsrecon/result.xml 
    <record address="101.201.169.129" name="activity.zhenrongbao.com" type="A"/>
    <record name="s8.zhenrongbao.com" target="s8.zhenrongbao.com.bsgslb.cn" type="CNAME"/>
    <record name="s8.zhenrongbao.com.bsgslb.cn" target="zhenrongbaostatic.oss-cn-beijing.aliyuncs.com" type="CNAME"/>
    <record address="59.110.190.174" name="zhenrongbaostatic.oss-cn-beijing.aliyuncs.com" type="A"/>
    <record name="s10.zhenrongbao.com" target="s10.zhenrongbao.com.a.bdydns.com" type="CNAME"/>
    <record name="s10.zhenrongbao.com.a.bdydns.com" target="opencdn.jomodns.com" type="CNAME"/>
    <record address="183.136.200.35" name="opencdn.jomodns.com" type="A"/>
    <scaninfo arguments="./dnsrecon.py -d zhenrongbao.com -D /root/dict/dns/subnames.txt -t brt --xml result.xml" time="2017-11-09 15:05:15.485088"/>
    <domain domain_name="zhenrongbao.com"/>
</records>

The results can also be saved as an SQLite file, which makes processing the data somewhat faster.
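Added example (not code from the original post): a Python script that reads the --xml layout shown above, follows each CNAME chain to its final A records, and flags hosts whose chain ends outside the scanned zone (a CDN or object-storage endpoint run by a third party), which is what an asset-inventory review needs from this output. The XML is a constructed sample for example.com and includes a deliberate CNAME loop to show the hop limit.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout dnsrecon writes with --xml (not the file from the post).
# It includes a deliberate CNAME loop to exercise the hop limit.
SAMPLE_XML = """<records>
    <record address="101.201.169.129" name="activity.example.com" type="A"/>
    <record name="s8.example.com" target="s8.example.com.cdn.example.net" type="CNAME"/>
    <record name="s8.example.com.cdn.example.net" target="static.oss.example.net" type="CNAME"/>
    <record address="59.110.190.174" name="static.oss.example.net" type="A"/>
    <record address="59.110.190.175" name="static.oss.example.net" type="A"/>
    <record name="loop.example.com" target="loop2.example.com" type="CNAME"/>
    <record name="loop2.example.com" target="loop.example.com" type="CNAME"/>
    <scaninfo arguments="dnsrecon -d example.com -t brt --xml result.xml" time="2017-11-09 15:05:15"/>
    <domain domain_name="example.com"/>
</records>
"""

def load_records(xml_text):
    """Split the <record> elements into name -> [A addresses] and name -> CNAME target."""
    a_records, cnames = {}, {}
    for rec in ET.fromstring(xml_text).iter("record"):
        if rec.get("type") == "A":
            a_records.setdefault(rec.get("name"), []).append(rec.get("address"))
        elif rec.get("type") == "CNAME":
            cnames[rec.get("name")] = rec.get("target")
    return a_records, cnames

def resolve_chain(name, a_records, cnames, max_hops=10):
    """Follow CNAMEs from name and return (chain, A addresses of the last name).
    A loop or more than max_hops hops ends the chain instead of hanging."""
    chain, seen = [name], {name}
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = cnames[chain[-1]]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain, a_records.get(chain[-1], [])

def hosts_in_scope(xml_text):
    """For every host under the scanned domain: its final IPs, and whether the chain
    leaves the zone (a third-party CDN/storage endpoint worth tracking in the asset list)."""
    root = ET.fromstring(xml_text)
    suffix = "." + root.find("domain").get("domain_name")
    a_records, cnames = load_records(xml_text)
    scope = {}
    for host in sorted(set(a_records) | set(cnames)):
        if host.endswith(suffix):
            chain, ips = resolve_chain(host, a_records, cnames)
            scope[host] = {"ips": ips, "external": not chain[-1].endswith(suffix)}
    return scope
```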

0x01 dnswalk

Uses zone transfers to obtain DNS records; rarely used nowadays.

root@Kali:~/dict/dns# dnswalk hao123.com.
Checking hao123.com.
Getting zone transfer of hao123.com. from dns.baidu.com...failed
FAIL: Zone transfer of hao123.com. from dns.baidu.com failed: REFUSED
Getting zone transfer of hao123.com. from ns3.baidu.com...failed
FAIL: Zone transfer of hao123.com. from ns3.baidu.com failed: REFUSED
Getting zone transfer of hao123.com. from ns1.baidu.com...failed
FAIL: Zone transfer of hao123.com. from ns1.baidu.com failed: REFUSED

0x02 dnsenum

Brute-forces subdomains.

root@Kali:~/dict/dns# dnsenum -f subnames.txt aliyun.com
dnsenum.pl VERSION:1.2.3

-----   aliyun.com   -----


Host's addresses:
__________________

aliyun.com.                              46       IN    A        140.205.172.20
aliyun.com.                              46       IN    A        140.205.32.13
aliyun.com.                              46       IN    A        140.205.34.12
aliyun.com.                              46       IN    A        140.205.172.21
aliyun.com.                              46       IN    A        140.205.32.8
aliyun.com.                              46       IN    A        140.205.230.3


Name Servers:
______________

ns3.aliyun.com.                          10799    IN    A        106.11.35.29
ns3.aliyun.com.                          10799    IN    A        106.11.35.30
ns4.aliyun.com.                          431981   IN    A        42.156.241.248
ns4.aliyun.com.                          431981   IN    A        140.205.71.248
ns5.aliyun.com.                          431999   IN    A        140.205.2.187
ns5.aliyun.com.                          431999   IN    A        198.11.138.248


Mail (MX) Servers:
___________________

mx2.mail.aliyun.com.                     429      IN    A        140.205.94.14


Trying Zone Transfers and getting Bind Versions:  # automatically tests for the zone transfer vulnerability
_________________________________________________


Trying Zone Transfer for aliyun.com on ns3.aliyun.com ... 
AXFR record query failed: no socket TCP[106.11.35.29] Connection timed out

Trying Zone Transfer for aliyun.com on ns4.aliyun.com ... 
AXFR record query failed: REFUSED

Brute forcing with subnames.txt:  # enumeration starts here
_________________________________

www.aliyun.com.                          12       IN    CNAME    www-jp-de-intl-adns.aliyun.com.
www-jp-de-intl-adns.aliyun.com.          12       IN    CNAME             (
www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com. 83       IN    CNAME             (
wagbridge.aliyun.com.                    270      IN    CNAME    sh.wagbridge.aliyun.com.
sh.wagbridge.aliyun.com.                 293      IN    CNAME             (
sh.wagbridge.aliyun.com.gds.alibabadns.com. 293      IN    A        140.205.32.13
blog.aliyun.com.                         1800     IN    A        120.55.251.28
cs.aliyun.com.                           300      IN    CNAME    sh.wagbridge.aliyun.com.
sh.wagbridge.aliyun.com.                 293      IN    CNAME             (
sh.wagbridge.aliyun.com.gds.alibabadns.com. 293      IN    A        140.205.32.13
my.aliyun.com.                           600      IN    CNAME    cname.yunos.com.
cname.yunos.com.                         571      IN    CNAME    cname.gds.yunos.com.
cname.gds.yunos.com.                     196      IN    A        140.205.172.1
search.aliyun.com.                       300      IN    A        100.67.76.19
cn.aliyun.com.                           58       IN    CNAME    wagbridge.aliyun.com.
wagbridge.aliyun.com.                    299      IN    CNAME    sh.wagbridge.aliyun.com.
sh.wagbridge.aliyun.com.                 299      IN    CNAME             (
sh.wagbridge.aliyun.com.gds.alibabadns.com. 299      IN    A        140.205.172.20
i.aliyun.com.                            147      IN    CNAME    sh.wagbridge.aliyun.com.
sh.wagbridge.aliyun.com.                 300      IN    CNAME             (
sh.wagbridge.aliyun.com.gds.alibabadns.com. 300      IN    A        140.205.172.20
club.aliyun.com.                         2        IN    CNAME    sh.wagbridge.aliyun.aliyun.com.
sh.wagbridge.aliyun.aliyun.com.          207      IN    CNAME    aliyun-adns.aliyun.com.
aliyun-adns.aliyun.com.                  207      IN    CNAME             (
aliyun-adns.aliyun.com.gds.alibabadns.com. 207      IN    A        140.205.135.3
app.aliyun.com.                          295      IN    CNAME    app.aliyun.com.danuoyi.alicdn.com.
app.aliyun.com.danuoyi.alicdn.com.       60       IN    A        122.228.250.235
app.aliyun.com.danuoyi.alicdn.com.       60       IN    A        122.228.250.95
app.aliyun.com.danuoyi.alicdn.com.       60       IN    A        122.228.250.92
app.aliyun.com.danuoyi.alicdn.com.       60       IN    A        122.228.250.234
app.aliyun.com.danuoyi.alicdn.com.       60       IN    A        122.228.95.81

**** <omitted> ****

Common options

  --subfile <file>	Write all valid subdomains to a file
  -t, --timeout <value>	Timeout, in seconds
  --threads <value>	Number of threads
  -f, --file <file>	Read the subdomain wordlist from a file
  -r, --recursion	Recurse into subdomains when NS records are found
  -o, --output <file>	Write an XML report

0x03 dnstracer

Sends non-recursive queries to the specified name server.

A non-recursive query means that if the name server knows the answer, it returns the requested data. If it does not, it returns the name servers of the authoritative zone, or the addresses of the root name servers.

	-c: Do not use the local cache (default: use it)
	-C: Enable negative caching (default: disabled)
	-o: Enable an overview of the answers received (default: disabled)
	-q <querytype>: DNS record type to query (default: A)
	-r <retries>: Number of retries per request (default: 3)
	-s <server>: DNS server to start from (default: the local resolver)
	-t <maximum timeout>: Timeout
	-v: Verbose output
	-S <ip address>: Use the given source address
	-4: Use IPv4 only

root@Kali:~/dict/dns# dnstracer zhenrongbao.com
Tracing to zhenrongbao.com[a] via 192.168.3.1, maximum of 3 retries
192.168.3.1 (192.168.3.1) 
 |\___ k.gtld-servers.net [com] (192.52.178.30) 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (47.88.44.152) Got authoritative answer 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (140.205.29.114) Got authoritative answer 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (140.205.228.54) Got authoritative answer 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (140.205.228.52) Got authoritative answer 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (14.1.112.14) Got authoritative answer 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (14.1.112.12) Got authoritative answer 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (121.29.51.154) Got authoritative answer 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (121.29.51.152) Got authoritative answer 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (116.211.173.154) Got authoritative answer 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (116.211.173.152) Got authoritative answer 
 |     |\___ vip2.alidns.com [zhenrongbao.com] (106.11.41.152) Got authoritative answer 
 **** <omitted> ****

0x04 dnsmap

Option reference

-w <wordlist-file>  Wordlist
-r <regular-results-file>  Save results as plain text
-c <csv-results-file>  Save results as a CSV file
-d <delay-millisecs>  Delay between requests, in milliseconds
-i <ips-to-ignore>  IPs to ignore (filters out false positives)

Example

root@Kali:~/dict/dns# dnsmap zhenrongbao.com -w subnames.txt -r ./zhengrongbaoDNSresult.data
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for zhenrongbao.com using subnames.txt
[+] using maximum random delay of 10 millisecond(s) between requests

www.zhenrongbao.com
IP address #1: 180.97.161.183

cs.zhenrongbao.com
IP address #1: 182.92.223.203

a.zhenrongbao.com
IP address #1: 101.201.175.160

bbs.zhenrongbao.com
IP address #1: 182.92.27.109

static.zhenrongbao.com
IP address #1: 101.200.31.82
**** <omitted> ****

0x05 Some tips

Summary to follow …