Chapter 6 (1): Information Collection (nslookup)

Passive information collection

  • Publicly available information
  • No direct interaction with the target system
  • Try to leave no traces

Information collection

  • IP address ranges
  • Domain information
  • E-mail addresses
    An e-mail address lets you locate the target's mail server and tell whether they run a mail server themselves or use a public mail service.
  • Documents and pictures
    Many companies turn their public information into promotional pages, pictures, etc.; these files often leak data.
  • Company address
  • Organization structure
  • Contact phone / fax numbers
  • Staff names / titles
  • Technical architecture used by the target system
  • Public business information

Use of the information:

  • Profiling the target: build a picture of the target system from the collected information
  • Discovery: find out which systems, open services, etc. belong to the target
  • Input for social engineering attacks
  • Input for physical intrusion

Information Collection: DNS

Generally speaking, the only information you start with is the domain name, and all subsequent collection has to build on that domain name.
The domain name must be resolved into an IP address.

The difference between a domain name and a fully qualified domain name (FQDN):
e.g. sina.com is a domain name, and www.sina.com is a fully qualified domain name.
www.sina.com is just a host record under sina.com.

Domain name records:
A: host record; maps a name to an IPv4 address.
CNAME: alias record; maps one name to another (canonical) name.
NS: every domain has one or more authoritative name servers that resolve names in that zone; their addresses are declared and registered in DNS through NS records.
MX: every domain that receives mail has its own mail server(s); the mail exchanger addresses are published through MX records.
PTR: reverse resolution record. Resolving an IP address back to a domain name also requires records, and these are the PTR records.
SPF record: published as a TXT record; its purpose is anti-spam. It lists the IP addresses and hosts that are authorized to send mail on behalf of the domain. (It is not a reverse record; reverse resolution of an IP to a name is done with PTR records.)
Setting up anti-spam checks is very important. When these checks are enabled and the receiving server gets an e-mail, it queries DNS for the domain in the sender address: with SPF it checks whether the connecting source IP is one of the senders authorized by that domain; with a reverse lookup it resolves the source IP back to a host name and checks that the name belongs to the sender's domain (and, ideally, resolves forward to the same IP). If the IP and the domain match, the mail was sent by a legitimate mail server for that domain. If they do not match, the sender domain is forged and the mail can be rejected outright as spam.
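The two checks just described, as an added example that is not code from the original post: a simplified SPF evaluator (ip4/ip6/a/mx/include/all with the four qualifiers; no macros or redirect=) and a forward-confirmed reverse DNS check. All DNS answers come from constructed in-memory tables so the code runs offline; the domains, addresses and records are placeholders, not real data.

```python
"""Simplified SPF and reverse-DNS (PTR) checks against constructed records.

Added example, not from the original post. DNS answers are a constructed
in-memory table so the code runs offline; a real implementation would
query DNS. Handles ip4, ip6, a, mx, include, all and the qualifiers
+ (pass), - (fail), ~ (softfail), ? (neutral). Macros and redirect= are
not implemented.
"""
import ipaddress

# Constructed DNS data (placeholders, not real records for these domains).
TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 a mx include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}
A = {"example.com": ["203.0.113.5"], "mail.example.com": ["203.0.113.25"]}
MX = {"example.com": ["mail.example.com"]}
PTR = {"203.0.113.25": "mail.example.com", "192.0.2.7": "dynamic-7.isp.example"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Return pass/fail/softfail/neutral/none for `ip` sending mail as `domain`."""
    if depth > 10:                      # include: loops are bounded (RFC 7208 limits lookups)
        return "permerror"
    record = TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                   # no SPF policy published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # evaluate mechanisms left to right, first match wins
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in A.get(arg or domain, [])
        elif mech == "mx":
            matched = any(ip in A.get(h, []) for h in MX.get(arg or domain, []))
        elif mech == "include":
            matched = check_spf(arg, ip, depth + 1) == "pass"
        else:
            continue                    # unsupported mechanism: skip it
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no 'all' term present


def reverse_matches(ip, claimed_domain):
    """Reverse check: does the source IP reverse-resolve (PTR) to a host under
    the claimed sending domain, and does that host resolve forward to the IP?"""
    name = PTR.get(ip)
    if not name:
        return False
    in_domain = name == claimed_domain or name.endswith("." + claimed_domain)
    return in_domain and ip in A.get(name, [])
```

With this data, 203.0.113.77 passes for example.com through the ip4 range, 198.51.100.10 passes only through the include, and 192.0.2.7 hits -all and fails; the same 192.0.2.7 also fails the reverse check because its PTR name is not under example.com.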
DNS resolution process:
The DNS server the client talks to is a caching (recursive) DNS server. Initially it holds no cached records, that is, it does not know the IP address of any domain name. When it receives a name it cannot answer, it performs further queries itself. Suppose a user visits "www.sina.com." and the caching server does not know it. It asks a root server. The root server does not know the answer either, but returns the next level down: the NS records (and addresses) of the name servers for the .com domain. The caching server then queries the .com name server, which does not know the answer either, but returns the name server for sina.com. The caching server queries that server, which is authoritative for sina.com, knows the result and returns it. The local caching server keeps a copy of the result along with its TTL (time to live); when the TTL expires it deletes the record. If another computer asks for the same name before then, the server answers directly from its cache. Once the client has the real IP of "www.sina.com", it sends its request to that web server through normal IP routing.
Note on the diagram in the original (not reproduced here): the recursive query, from the client to the caching server, belongs on the left, and the iterative queries, from the caching server to the root, TLD and authoritative servers, belong on the right.
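The process above as a runnable simulation, added here as an example and not code from the original post: a caching server answers the client recursively, walks root, .com and the authoritative server iteratively by following NS referrals, restarts the walk for a CNAME target, and serves repeated queries from its cache until the TTL expires. All zones, server addresses and records are constructed placeholders (the www.sina.com to us.sina.com.cn alias mirrors the text, but the data is invented).

```python
"""Simulation of the DNS resolution process. Added example, not code from
the original post: the client asks the caching server recursively, and the
caching server queries root -> TLD -> authoritative server iteratively,
follows NS referrals and CNAME records, and caches answers for their TTL.
All zones, names and addresses below are constructed placeholders.
"""
# Constructed authoritative data: (name, type, value, ttl). Each server holds
# its own records plus the NS (and glue A) records of the zones it delegates.
ROOT = [("com.", "NS", "a.gtld.example.", 3600), ("a.gtld.example.", "A", "192.0.2.1", 3600),
        ("cn.", "NS", "a.cn.example.", 3600), ("a.cn.example.", "A", "192.0.2.3", 3600)]
COM = [("sina.com.", "NS", "ns1.sina.com.", 3600), ("ns1.sina.com.", "A", "192.0.2.2", 3600)]
CN = [("sina.com.cn.", "NS", "ns1.sina.com.cn.", 3600), ("ns1.sina.com.cn.", "A", "192.0.2.4", 3600)]
SINA_COM = [("www.sina.com.", "CNAME", "us.sina.com.cn.", 60)]
SINA_CN = [("us.sina.com.cn.", "A", "198.51.100.8", 60)]
SERVERS = {"198.41.0.4": ROOT, "192.0.2.1": COM, "192.0.2.3": CN,
           "192.0.2.2": SINA_COM, "192.0.2.4": SINA_CN}
ROOT_HINT = "198.41.0.4"   # where the caching server starts every cold lookup


def ask(server_ip, qname, qtype):
    """One iterative query: the server answers if it holds the record,
    otherwise it returns a referral (glue A records of the NS for the
    closest delegation it knows), or nxdomain if it knows nothing."""
    zone = SERVERS[server_ip]
    answers = [r for r in zone if r[0] == qname and r[1] in (qtype, "CNAME")]
    if answers:
        return "answer", answers
    best = None
    for name, rtype, _, _ in zone:
        if rtype == "NS" and (qname == name or qname.endswith("." + name)):
            if best is None or len(name) > len(best):
                best = name          # longest matching delegation wins
    if best is None:
        return "nxdomain", []
    ns_names = [r[2] for r in zone if r[0] == best and r[1] == "NS"]
    glue = [r for r in zone if r[1] == "A" and r[0] in ns_names]
    return "referral", glue


class FakeClock:
    """Controllable time source so TTL expiry can be shown offline."""
    def __init__(self):
        self.t = 0

    def __call__(self):
        return self.t


class CachingResolver:
    def __init__(self, clock):
        self.cache = {}     # (name, type) -> (records, expiry time)
        self.clock = clock
        self.trace = []     # servers contacted; "cache" = answered locally

    def resolve(self, qname, qtype="A", hops=0):
        """Recursive service for the client; iterative queries upstream."""
        now = self.clock()
        key = (qname, qtype)
        if key in self.cache and self.cache[key][1] > now:
            self.trace.append("cache")
            return self.cache[key][0]
        server = ROOT_HINT
        while True:
            self.trace.append(server)
            status, records = ask(server, qname, qtype)
            if status == "referral":
                server = records[0][2]              # follow the delegation downward
            elif status == "answer":
                result = [r for r in records if r[1] == qtype]
                cname = [r for r in records if r[1] == "CNAME"]
                if cname and not result and hops < 8:   # alias: resolve the target
                    result = self.resolve(cname[0][2], qtype, hops + 1)
                ttl = min(r[3] for r in records)
                self.cache[key] = (result, now + ttl)   # keep a copy until the TTL runs out
                return result
            else:
                return []


def demo():
    """Three lookups of www.sina.com.: cold, cached, and after the 60 s TTL expires."""
    clock = FakeClock()
    resolver = CachingResolver(clock)
    paths = []
    for t in (0, 10, 61):
        clock.t = t
        resolver.trace.clear()
        answer = resolver.resolve("www.sina.com.")
        paths.append(list(resolver.trace))
    return answer, paths
```

The first lookup visits six servers (root, .com, sina.com, then root, .cn, sina.com.cn for the CNAME target); the second is answered from cache; the third, after the TTL has elapsed, repeats the whole walk.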

Information collection: the nslookup tool

nslookup <domain name>

Reading the output:
Server: the resolver currently in use, that is, the local caching DNS server.
The answer shows that www.sina.com is not an A (host) record: it is not resolved directly to an IP address but is a CNAME record, an alias that points www.sina.com to us.sina.com.cn, which is then resolved to the address. The figures in the original (not reproduced here) show the same resolution traced manually step by step.


In interactive mode, set type=a / mx / ns / any selects the record type to query; type can be abbreviated to q, i.e. set q=a / mx / ns / any.

By setting the query type you filter the answer to one record type, for example set q=mx to list only the MX records of a domain.


The server parameter:

You can switch to another DNS resolver with server <address>.
Depending on the end user's network environment, the results DNS returns for the same name may differ: the aim is to keep your traffic on the local network as far as possible and reduce the load on the backbone network.


The same queries can also be given on a single command line.
e.g.:

nslookup -q=any 163.com
nslookup -q=any 163.com 8.8.8.8
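What such a command puts on the wire, as an added example (not code from the original post): a builder for the DNS query packet that nslookup -q=<type> <name> <server> sends, with the numeric QTYPE codes behind a, ns, cname, ptr, mx, txt and any, and a parser for the reply that handles name compression pointers and the CNAME-followed-by-A answer shape seen earlier for www.sina.com. The reply bytes used for the test are constructed by hand so the example runs offline; send_query() is the only function that touches the network and the server address it defaults to is the one from the command above.

```python
"""Build the DNS query that `nslookup -q=<type> <name> <server>` sends and
parse the reply at wire level (RFC 1035 message format). Added example,
not code from the original post. constructed_response() is a hand-built
reply so parsing can be checked offline; send_query() does the real UDP
round trip and is the only network-touching function.
"""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    # 'www.example.com' -> 3 'www' 7 'example' 3 'com' 0 (length-prefixed labels)
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """Header: id, flags 0x0100 (RD=1, ask the server to recurse), 1 question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype.upper()], 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2            # the name occupies only the pointer bytes
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata), ...]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:                      # A: four raw bytes
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):           # NS / CNAME / PTR: a (compressible) name
            value, _ = decode_name(msg, offset)
        elif rtype == 15:                   # MX: preference + name
            pref = struct.unpack("!H", rdata[:2])[0]
            host, _ = decode_name(msg, offset + 2)
            value = f"{pref} {host}"
        else:
            value = rdata.hex()
        records.append((name, TYPE_NAME.get(rtype, str(rtype)), ttl, value))
        offset += rdlen
    return rcode, records


def send_query(name, qtype="A", server="8.8.8.8", timeout=3.0):
    """The UDP/53 round trip behind `nslookup -q=<qtype> <name> <server>`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def constructed_response():
    """Hand-built reply to 'www.example.com A' (constructed data): a CNAME then
    the A for its target, with pointers 0xC00C (to the question name at offset 12)
    and 0xC02D (to the CNAME target at offset 45) as real servers emit them."""
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR=1, RD=1, RA=1, rcode 0
    cname_rdata = encode_name("edge.example.net")
    cname_rr = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(cname_rdata)) + cname_rdata
    a_rr = b"\xc0\x2d" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([93, 184, 216, 34])
    return header + question + cname_rr + a_rr
```

Running send_query("163.com", "ANY", "8.8.8.8") against a live network is the equivalent of the last command above; offline, parse_response(constructed_response()) shows how an alias answer arrives as a CNAME record followed by the A record of its target.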



Origin blog.csdn.net/weixin_43876557/article/details/104613211