Information Gathering
- Depending on whether you interact directly with the target host, information gathering is divided into passive and active information gathering. The former obtains information about the target host indirectly, for example through search engines or social media. In general, most information is obtained through passive gathering.
- The information of interest includes subdomains, IP addresses, sites hosted on the same server, C-class (/24) range lookups, user email addresses, CMS type, sensitive directories, port information, server versions, middleware, and so on.
- For example, the middleware nginx has had many vulnerabilities, such as parsing vulnerabilities and directory traversal vulnerabilities.
- Below, the Wappalyzer browser plugin is used to identify the nginx middleware and the web framework.
1. DNS Resolution
DNS (Domain Name System).
- Purpose: conversion between domain names and IP addresses in both directions
- Design rationale: to make it convenient for users to access the Internet.
1.1 IP Lookup
IP lookup: URL -> IP address
Example: look up the IP address corresponding to the domain www.baidu.com.
Method 1: call gethostbyname() from the socket library
The code is as follows:
import socket
# Resolve the hostname through the system resolver; returns a single IPv4 address
ip = socket.gethostbyname('www.baidu.com')
print(ip)
Output:
14.215.177.39
Method 2: nslookup www.baidu.com
When querying, add the -d parameter to look up the domain's cache.
Method 3: ping www.baidu.com
The IP address can be obtained indirectly by pinging the domain name.
1.2 Whois Lookup
Whois is a transfer protocol used to look up a domain's IP address and owner information. In other words, a Whois query retrieves the detailed registration information of a domain (whether the domain is registered, the domain owner, the registrar, and so on).
The Python module python-whois can be used for Whois queries.
- Installation
pip install python-whois
- Query the registration information of the domain www.baidu.com; the code is as follows:
from whois import whois
# Query the registrar's Whois server and parse the response into a dictionary
data = whois('www.baidu.com')
print(data)
- Output (returned as a dictionary):
{
"domain_name": [
"BAIDU.COM",
"baidu.com"
],
"registrar": "MarkMonitor, Inc.",
"whois_server": "whois.markmonitor.com",
"referral_url": null,
"updated_date": [
"2019-05-09 04:30:46",
"2019-05-08 20:59:33"
],
"creation_date": [
"1999-10-11 11:05:17",
"1999-10-11 04:05:17"
],
"expiration_date": [
"2026-10-11 11:05:17",
"2026-10-11 00:00:00"
],
"name_servers": [
"NS1.BAIDU.COM",
"NS2.BAIDU.COM",
"NS3.BAIDU.COM",
"NS4.BAIDU.COM",
"NS7.BAIDU.COM",
"ns7.baidu.com",
"ns2.baidu.com",
"ns1.baidu.com",
"ns3.baidu.com",
"ns4.baidu.com"
],
"status": [
"clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
"clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
"clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
"serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited",
"serverTransferProhibited https://icann.org/epp#serverTransferProhibited",
"serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited",
"clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
"clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
"clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
"serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)",
"serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)",
"serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)"
],
"emails": [
"[email protected]",
"[email protected]"
],
"dnssec": "unsigned",
"name": null,
"org": "Beijing Baidu Netcom Science Technology Co., Ltd.",
"address": null,
"city": null,
"state": "Beijing",
"zipcode": null,
"country": "CN"
}
- Print a specific field, for example creation_date.
print("creation_date:",data['creation_date'])
#creation_date: [datetime.datetime(1999, 10, 11, 11, 5, 17), datetime.datetime(1999, 10, 11, 4, 5, 17)]
print(data['creation_date'][0])
#1999-10-11 11:05:17
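The output above shows two quirks of python-whois records that matter when the data is reused: date fields may be a single datetime, a list of datetimes (as here) or missing, and name servers and status entries appear twice in different formats. The following added example (not part of the original post) normalises such a record and derives domain age and time to expiry, which are common signals for spotting newly registered or lapsing domains. The SAMPLE_RECORD is constructed from the output shown above; the field names are those of python-whois.

```python
from datetime import datetime

# Constructed sample, modelled on the python-whois output shown above
# (list-valued dates and mixed-case, duplicated entries come from that output).
SAMPLE_RECORD = {
    "domain_name": ["BAIDU.COM", "baidu.com"],
    "creation_date": [datetime(1999, 10, 11, 11, 5, 17), datetime(1999, 10, 11, 4, 5, 17)],
    "expiration_date": [datetime(2026, 10, 11, 11, 5, 17), datetime(2026, 10, 11, 0, 0, 0)],
    "name_servers": ["NS1.BAIDU.COM", "NS2.BAIDU.COM", "ns2.baidu.com", "ns1.baidu.com"],
    "status": [
        "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
        "clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
    ],
}


def earliest_date(value):
    """python-whois returns a datetime, a list of datetimes, or None depending on
    the registrar; reduce all three shapes to one datetime (or None)."""
    if value is None:
        return None
    candidates = value if isinstance(value, list) else [value]
    dates = [d for d in candidates if isinstance(d, datetime)]
    return min(dates) if dates else None


def name_servers(record):
    """Lower-case and deduplicate (the raw output lists NS1.BAIDU.COM and ns1.baidu.com)."""
    return sorted({ns.lower() for ns in record.get("name_servers") or []})


def status_codes(record):
    """Keep only the EPP status keyword; the trailing URL appears in two formats."""
    return sorted({s.split()[0] for s in record.get("status") or []})


def domain_age_days(record, today):
    """Whole days since the earliest creation date, or None if none was parsed.
    A very young domain is a common indicator for phishing or throwaway infrastructure."""
    created = earliest_date(record.get("creation_date"))
    return None if created is None else (today - created).days


def days_until_expiry(record, today):
    """Days until the earliest listed expiration date (negative if already past), or None."""
    expires = earliest_date(record.get("expiration_date"))
    return None if expires is None else (expires - today).days


def summarize(record, today):
    names = record.get("domain_name")  # a str or a list, depending on the registrar
    domain = (names[0] if isinstance(names, list) and names else names) or None
    return {"domain": domain.lower() if domain else None,
            "age_days": domain_age_days(record, today),
            "expires_in_days": days_until_expiry(record, today),
            "name_servers": name_servers(record), "status": status_codes(record)}
```

Replace SAMPLE_RECORD with the dictionary returned by whois() to run it against live data.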