I. Enumerating services
Enumeration lets the user gather all the information of a given kind from a network.
1. DNS enumeration tool DNSenum. Functions:
  1. Guess domain names that may exist, via Google or a wordlist
  2. Perform reverse lookups on a network range
  3. Look up a site's host addresses, name servers and mail exchange (MX) records
  4. Run an AXFR request against each name server, then obtain extended domain information through Google scraping, extract the subdomains and query them, and finally compute the class C ranges, run whois queries on them, perform reverse lookups and write the address ranges to a file.
Running dnsenum --enum benet.com gives the following output:
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
Warning: can't load Net::Whois::IP module, whois queries disabled.
Warning: can't load WWW::Mechanize module, Google scraping desabled.

----- benet.com -----

Host's addresses:
__________________

benet.com. 300 IN A 69.172.201.153

Wildcard detection using: axzajtibcbxx
_______________________________________

axzajtibcbxx.benet.com. 300 IN A 69.172.201.153

!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wildcards detected, all subdomains will point to the same IP address
Omitting results containing 69.172.201.153.
Maybe you are using OpenDNS servers.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Name Servers:
______________

ns2.uniregistrymarket.link. 60 IN A 176.74.176.175
ns2.uniregistrymarket.link. 60 IN A 176.74.176.176
ns1.uniregistrymarket.link. 60 IN A 64.96.240.54
ns1.uniregistrymarket.link. 60 IN A 64.96.241.73

Mail (MX) Servers:
___________________

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for benet.com on ns2.uniregistrymarket.link ...
AXFR record query failed: NOTAUTH
Trying Zone Transfer for benet.com on ns1.uniregistrymarket.link ...
AXFR record query failed: NOTAUTH

brute force file not specified, bay.
The output shows the details of the DNS service, including the host addresses, the name server addresses and the mail server addresses.
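As an added example (not part of the original notes), the following Python script parses the dnsenum output above into the facts a defender wants from it: the A records, whether wildcard DNS was detected (which makes subdomain guessing unreliable), and whether every name server refused the zone transfer. The sample input is the run above re-wrapped one message per line; the `not_refused` state assumes that dnsenum prints the transferred zone instead of a failure line when AXFR succeeds.

```python
import re

# Sample input: the dnsenum run shown above, re-wrapped one message per
# line (the page flattened it onto a few long lines).
DNSENUM_OUTPUT = """\
benet.com. 300 IN A 69.172.201.153
Wildcard detection using: axzajtibcbxx
axzajtibcbxx.benet.com. 300 IN A 69.172.201.153
Wildcards detected, all subdomains will point to the same IP address
ns2.uniregistrymarket.link. 60 IN A 176.74.176.175
ns1.uniregistrymarket.link. 60 IN A 64.96.240.54
Trying Zone Transfer for benet.com on ns2.uniregistrymarket.link ...
AXFR record query failed: NOTAUTH
Trying Zone Transfer for benet.com on ns1.uniregistrymarket.link ...
AXFR record query failed: NOTAUTH
"""

RR_RE = re.compile(r"^(\S+?)\.?\s+(\d+)\s+IN\s+(A|AAAA|NS|MX|CNAME)\s+(\S+)$")
AXFR_TRY_RE = re.compile(r"^Trying Zone Transfer for \S+ on (\S+) \.\.\.")
AXFR_FAIL_RE = re.compile(r"^AXFR record query failed: (\S+)")

def parse_dnsenum(text):
    """Extract the security-relevant facts from dnsenum's text output."""
    records, axfr = [], {}  # axfr: nameserver -> "refused:<RCODE>" | "not_refused"
    wildcard_probe, wildcard, pending = None, False, None
    for line in text.splitlines():
        line = line.strip()
        if m := RR_RE.match(line):  # a resource record line: name TTL IN TYPE rdata
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
        elif line.startswith("Wildcard detection using:"):
            wildcard_probe = line.split(":", 1)[1].strip()  # the random label probed
        elif line.startswith("Wildcards detected"):
            wildcard = True
        elif m := AXFR_TRY_RE.match(line):
            if pending:  # previous attempt printed no failure (assumed: zone followed)
                axfr[pending] = "not_refused"
            pending = m.group(1)
        elif (m := AXFR_FAIL_RE.match(line)) and pending:
            axfr[pending] = "refused:" + m.group(1)  # RCODE, e.g. NOTAUTH or REFUSED
            pending = None
    if pending:
        axfr[pending] = "not_refused"
    # axfr_refused_everywhere is the posture a defender wants: every NS refuses AXFR
    return {"records": records, "wildcard": wildcard, "wildcard_probe": wildcard_probe,
            "axfr": axfr, "axfr_refused_everywhere": bool(axfr)
            and all(v.startswith("refused") for v in axfr.values())}
```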
2. DNS enumeration tool fierce
Function:
Scans subdomains and collects information about them.
Use fierce to obtain all IP addresses and host information for a target. Run the following command:
root@kali:~#fierce -dns baidu.com
(output omitted)
The output lists all subdomains under baidu.com.
3. SNMP enumeration tool snmpwalk
snmpwalk is an SNMP application. It uses SNMP GETNEXT requests to walk the whole subtree under the specified OID (object identifier in the SNMP protocol) and displays the results to the user.
root@kali:~# snmpwalk -c public 192.168.41.138 -v 2c
Attempt failed...
4. SNMP enumeration tool snmpcheck
root@kali:~# snmpcheck -t 192.168.41.138
Attempt failed as well...
5. SMTP enumeration tool smtp-user-enum
root@kali:~# smtp-user-enum -M VRFY -U /tmp/users.txt -t 192.168.41.138
II. Testing the network range
1. Domain query tool DMitry
DMitry is used to look up IP or WHOIS information.
WHOIS is a database for checking whether a domain name is registered and for retrieving the details of registered domains.
root@kali:~# dmitry -wnpb rzchina.net
Subnet mask conversion:
root@kali:~# netmask -s rzchina.net
180.178.61.83/255.255.255.255
2. Route tracing tool Scapy. Functions:
Interactively build packets or sets of packets
Manipulate packets
Send packets
Sniff packets
Match replies to requests
root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> ans,unans=sr(IP(dst="www.rzchina.net/30",ttl=(1,6))/TCP())
Begin emission:
....................**.**.**.**.**..****..**..............Finished to send 24 packets.
....................................................................................................
.................................................................................................................................................................................................
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/scapy/sendrecv.py", line 337, in sr
    a,b=sndrcv(s,x,*args,**kargs)
  File "/usr/lib/python2.7/dist-packages/scapy/sendrecv.py", line 137, in sndrcv
    inp, out, err = select(inmask,[],[], remaintime)
error: (4, 'Interrupted system call')
>>>
To view the packets sent and received as a table, run the following command:
>>> ans.make_table(lambda (s,r): (s.dst,s.ttl,r.src))
Attempt failed...
Use scapy to view TCP traceroute information:
>>> res,unans=traceroute(["www.google.com","www.kali.org","www.rzchina.net"],dport=[80,443],maxttl=20,retry=-2)
Begin emission:
*.*.*.*.*.*.*.*.*.*.*.*.Finished to send 120 packets.
Begin emission:
Finished to send 108 packets.
Begin emission:
Finished to send 108 packets.
..
Received 26 packets, got 12 answers, remaining 108 packets
      180.178.61.83:tcp443  180.178.61.83:tcp80  192.124.249.10:tcp443  192.124.249.10:tcp80  31.13.84.1:tcp443  31.13.84.1:tcp80
1     192.168.1.1 11        192.168.1.1 11       192.168.1.1 11         192.168.1.1 11        192.168.1.1 11     192.168.1.1 11
2     42.198.120.1 11       42.198.120.1 11      42.198.120.1 11        42.198.120.1 11       42.198.120.1 11    42.198.120.1 11
>>>