[kali study notes] Use third-party services to collect passive information on targets

1. Passive information collection

1. Concept:

Information can be collected in two ways: passively or actively. Passive information collection means using third-party services to learn about the target, for example a Google search. Active information collection means directly accessing and scanning the target, so that the collection traffic flows through the target's own systems, for example port scanning with nmap.

2. The purpose of passive information collection:

Obtain information about the target host through open channels, so that there is no direct interaction with the target system and no traces are left on it.

3. Scope of information collection:

1. IP address segment;
2. Domain name information;
3. Email addresses;
4. Documents and picture data;
5. Company address;
6. Company organizational structure;
7. Contact numbers, fax numbers, etc.;
9. The technical framework used by the target system;
10. Public business information;

2. Principle of DNS domain name resolution

1. DNS server overview:

DNS (Domain Name Server, i.e. domain name server) is the server that translates between a domain name and its corresponding IP address. DNS servers are divided into root-domain DNS servers and top-level-domain DNS servers. There are 13 root-domain DNS servers, all of which store the addresses of all top-level domain name servers.

2. Types of domain name records:

1. A record

The A record is the most common and most frequently used record type; it maps a hostname to an IPv4 address. By adding an A record, the website administrator binds the domain name to the website server's address.

2. AAAA record

In contrast to A records, AAAA records are the DNS record type used to resolve domain names to IPv6 addresses. Many resolution servers in China do not support setting AAAA records; if you want AAAA records resolved, you need to point the domain's NS records to a specialised domain name resolution vendor.

3. CNAME record

A CNAME record is also a commonly used record type, which is a mapping from a host name to a host name. If you need to point your domain name to another domain name instead of an IP address, you need to add a CNAME record. CNAME records are often used in business scenarios such as CDN, corporate mailboxes, and global traffic management.

4. NS records

NS records are used to delegate a subdomain to another DNS service provider for resolution. In a sense, setting NS records is equivalent to telling resolvers which servers (and, through those servers' A records, which IP addresses) answer requests for that subdomain. Most domain name registrars resolve users' domain names with their own NS records by default, but users can also point NS records at more specialised and secure domain name resolution vendors.

5. MX records

MX records are mail exchange records and are used mainly for routing mail. When sending mail, the mail server is located according to the domain part of the recipient's address. The weight (priority) of MX records matters a great deal to mail services: when mail is sent, the domain name is resolved first, the MX records are looked up, and delivery is attempted to the listed servers in order of weight from smallest to largest.

6. TXT record

TXT records are generally used for the identification and description of a certain host name. By setting TXT records, others can contact you more conveniently. In addition, TXT records are often used for SPF anti-spam and DNS verification of SSL certificates.

7. PTR record

The PTR record can be simply understood as the reverse record of the A record, which is used to point an IP address to the corresponding host name, so as to access the domain name through the IP address.

8. SOA records

The SOA record is also called the start of authority record. NS records mark several resolution servers, and the SOA record indicates which of those NS servers is the primary (master) server. When the domain name being queried has no cached resolution in any recursive resolver, the resolver goes back to the source to request the SOA record of the domain and obtains the address that provides authoritative resolution.

9. SRV record

The SRV record is the service location (SRV) resource record, which is used to define the location of the server that provides a specific service, such as the host (hostname), port (port number), and so on.

10. URL forwarding

URL forwarding is to point the currently visited domain name to another network address, which can be divided into explicit forwarding and implicit forwarding. Explicit URL: When pointing the domain name to another network address, the access domain name will automatically jump to the target URL, and the address bar will display the target website address. Hidden URL: The access domain name jumps to the target website, but the address bar displays the original website address.

3. DNS cache

A DNS cache is not responsible for resolving domain names; it only stores domain name resolution results.

In the actual resolution process, not every client request needs to be entrusted to a recursive server for iterative querying. The browser's own DNS cache is searched first; if it holds the record, resolution ends there. If not, the operating system's HOSTS file is read to look for a corresponding mapping; if one is present, resolution completes there. Only if neither has an entry is a recursive server asked to perform a full recursive query. So the DNS cache is the first place a domain name resolution record is obtained from.

4. DNS query process

A DNS query goes through the following 8-step resolution process before the client can access the domain name; in practice the whole process is usually very fast.

1) Browser cache: when a user accesses a domain name through a browser, the browser first checks whether its own cache holds an IP address for the domain name (it does if the domain name was visited before and the cache has not been cleared).
2) System cache: when the browser cache has no IP for the domain name, the DNS cache and the hosts file of the user's operating system are checked for a matching IP.
3) Router cache: when neither the browser nor the system cache has an IP for the domain name, the router cache is checked. These three steps make up the client-side DNS cache.
4) ISP (Internet Service Provider) DNS cache (usually the local DNS server): when the IP address cannot be found on the user's client, the query moves to the ISP's DNS cache. For example, if you are on the Telecom network, the Telecom DNS cache server is searched.
5) Root domain name server: when none of the above succeeds, the query goes to a root server. There are only 13 root domain name servers in the world: 1 primary root server and 12 secondary root servers. On receiving the request, the root server checks its zone file records and, if it has no record, tells the local DNS server the IP of the top-level domain (such as .com) server under its jurisdiction.
6) Top-level domain name server: on receiving the request, the top-level domain server checks its zone file and, if it has no record, tells the local DNS server the IP address of the primary domain name server under its jurisdiction.
7) Primary domain name server: on receiving the request, the primary domain name server queries its own cache; if the record is not there, it moves on to the next-level domain name server, repeating this step until the correct record is found.
8) Save the result to the cache: the local domain name server saves the returned result in its cache for next time and returns the result to the client, which uses this IP address to establish a connection with the web server.

5. DNS query method: recursive query and iterative query

(1) The query from the host to the local domain name server generally uses recursive querying.
(2) The query from the local domain name server to the root domain name server uses iterative querying.

Recursion: the client sends a single request and asks the other side to supply the final result.
Iteration: the client sends a request; if the server asked is not authoritative for the answer, it returns a list of other name servers that can answer the query, and the client keeps sending requests to the servers in the returned list until it reaches the name server that is finally responsible for the domain name being looked up, and obtains the final result from it.
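To make the 8-step process and the recursive/iterative split above concrete, here is an added example (not code from the original notes) that models the whole chain in memory: a stub client asks the local DNS server one recursive question, the local server walks root -> TLD -> authoritative server iteratively following NS referrals, follows a CNAME, and caches the answer by its shortest TTL. The zone data (root, com., example.com. with a CNAME and an A record) is constructed for the example, and the clock is injectable so the cache expiry can be exercised without waiting.

```python
"""Toy model of recursive vs. iterative resolution with a TTL cache.

Added example, not part of the original notes. The zone data below is
constructed: a three-level delegation tree (root -> com. -> example.com.)
held in memory, so nothing here touches the network.
"""
import time

# Constructed zone data: zone apex -> [(owner, type, ttl, rdata), ...]
ZONES = {
    ".": [("com.", "NS", 172800, "a.gtld-servers.net.")],
    "com.": [("example.com.", "NS", 172800, "ns1.example.com.")],
    "example.com.": [
        ("example.com.", "SOA", 3600, "ns1.example.com. hostmaster.example.com."),
        ("example.com.", "NS", 3600, "ns1.example.com."),
        ("www.example.com.", "CNAME", 300, "web.example.com."),
        ("web.example.com.", "A", 60, "192.0.2.10"),
    ],
}


def lookup(zone, name, rtype):
    """Records of one type for one owner name, taken from a single zone."""
    return [r for r in ZONES[zone] if r[0] == name and r[1] == rtype]


def answer_from_zone(zone, name, rtype):
    """Model one authoritative server's reply to a single question.

    Returns ("referral", child_zone) when the name lies in a delegated
    subzone (the iterative reply: "ask these servers instead"), otherwise
    ("answer", records), following a CNAME inside the same zone.
    """
    for owner, typ, _ttl, _rdata in ZONES[zone]:
        if typ == "NS" and owner != zone and (name == owner or name.endswith("." + owner)):
            return "referral", owner
    records = []
    cname = lookup(zone, name, "CNAME")
    if cname and rtype != "CNAME":
        records += cname          # the alias is part of the answer set
        name = cname[0][3]        # continue with the canonical name
    records += lookup(zone, name, rtype)
    return "answer", records


def iterative_resolve(name, rtype):
    """The local DNS server's iterative walk: root -> TLD -> authoritative.

    Returns (records, path) where path lists the zones consulted, i.e.
    steps 5-7 of the query process described above.
    """
    zone, path = ".", []
    while True:
        path.append(zone)
        kind, data = answer_from_zone(zone, name, rtype)
        if kind == "referral":
            zone = data               # follow the delegation downwards
        else:
            return data, path


class LocalDnsServer:
    """Recursive server as seen by a stub client: one question, final answer.

    Positive answers are cached until the shortest TTL in the answer set
    expires (step 8 of the query process). The clock is injectable so the
    cache can be exercised without waiting.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}  # (name, rtype) -> (expires_at, records)

    def recursive_query(self, name, rtype):
        key = (name, rtype)
        now = self.clock()
        cached = self.cache.get(key)
        if cached and cached[0] > now:
            return cached[1], ["cache"]
        records, path = iterative_resolve(name, rtype)
        if records:  # no negative caching in this toy model
            ttl = min(r[2] for r in records)
            self.cache[key] = (now + ttl, records)
        return records, path


if __name__ == "__main__":
    server = LocalDnsServer()
    for _ in range(2):  # the second pass is served from the cache
        records, path = server.recursive_query("www.example.com.", "A")
        print(" -> ".join(path), [f"{r[0]} {r[1]} {r[3]}" for r in records])
```

The returned path shows the difference between the two query styles directly: the stub client makes one call to `recursive_query`, while that call internally visits ".", "com." and "example.com." in turn. The cached answer expires with the A record's 60-second TTL, not the CNAME's 300 seconds, because the answer set is only valid as long as its shortest-lived member.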

3. DNS information collection method 

1. Resolve the domain name to an IP address

You can use the ping method directly, which is the most straightforward. For example, to find Baidu's IP address, the command is: ping www.baidu.com; the output shows that Baidu's IP address is 110.242.68.4. The ping command also supports specifying the number of packets: ping www.baidu.com -c 1 sends a single packet.


2. Use nslookup to view the domain name

nslookup (name server lookup) is a command-line network tool with two modes: interactive and non-interactive. Typing nslookup on its own and pressing Enter starts interactive mode; for non-interactive mode, nslookup is followed by the domain name or IP address to query, then Enter. Generally, non-interactive mode suits simple one-off queries, while interactive mode is better when several queries are needed.

Non-interactive mode: when an nslookup query specifies no parameters, the default query type is A. In non-interactive mode every query requires the complete command and parameters to be typed. For example, querying 12306.cn gives:

Server:   192.168.19.2              # local DNS setting
Address:  192.168.19.2#53

Non-authoritative answer:
12306.cn  canonical name = 12306.cn.wsglb0.com.   # alias (CNAME) of 12306.cn
Name:     12306.cn.wsglb0.com
Address:  101.28.249.31             # IPv4 address 12306.cn resolves to
Name:     12306.cn.wsglb0.com
Address:  2408:871a:a900:6::29      # IPv6 address 12306.cn resolves to

Query all record types: nslookup -query=any 12306.cn

-querytype and -type do the same thing and can be abbreviated to -q and -ty; if no type is specified, the default query type is A.

Interactive mode: enter nslookup at the command line and press Enter to enter interactive mode.

After entering interactive mode you can query without typing a complete command each time, and you can run queries one after another (friendly reminder: Ctrl+C or Cmd+C exits).

The Server and Address at the top are the DNS server used for this query. You can specify it yourself or leave the default.
By default the DNS server port is 53.
Non-authoritative answer means that the answer comes from another server's cache rather than from 12306's authoritative server. The cache is refreshed periodically according to the record's ttl (Time to Live) value.

3. DNS information collection: dig

Function: a tool for querying DNS information, including NS records, A records, MX records and other related data.

Syntax: dig [options] <domain name to query>

@<DNS server address>: specify the name server to use for resolution;
-b <IP address>: when the host has several IP addresses, specify which local address to send the query from;
-f <file name>: run dig in batch mode, reading the DNS queries to perform from the specified file;
-p <port>: specify the port number of the name server;
-t <type>: specify the DNS record type to query;
-x <IP address>: perform a reverse lookup;
-4: use IPv4 only;
-6: use IPv6 only;
-h: display command help.

Host: the domain name host to query;
Query Type: the type of DNS query;
Query Class: the class of the DNS query;
Query Option: query options.

  • The default output information of the dig command can be divided into 5 parts.
    • The first part shows the version of the dig command and the arguments entered.
    • The second part shows some technical details returned by the service, the more important one is status. If the value of status is NOERROR, it means that the query ends successfully.
    • The "QUESTION SECTION" in the third section shows the domain name we want to query.
    • The "ANSWER SECTION" in the fourth part is the result of the query.
    • The fifth part is some statistical information of this query, such as how long it took, which DNS server was queried, when the query was made, and so on.
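The five parts of dig's output are easy to read by eye but awkward to check at scale, for instance when auditing every record type of your own domains. The following added example (not code from the original notes) parses dig's default output into those parts, reads status and flags from the header, extracts the QUESTION and ANSWER sections, and then applies two checks that follow from the MX and nslookup discussion above: whether the answer is authoritative (dig's `aa` flag, the counterpart of nslookup's "Non-authoritative answer") and the order in which mail servers would be tried. SAMPLE_DIG_OUTPUT is constructed to mirror dig's layout; the hosts in it are invented.

```python
"""Parse dig's default output into its five parts and check what matters.

Added example, not the notes' own code. SAMPLE_DIG_OUTPUT is constructed
to mirror dig's layout for an MX query; the hosts are invented and the
server is the local resolver address shown in the nslookup output above.
"""
import re
from dataclasses import dataclass

SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18.12 <<>> example.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com.\t\t\tIN\tMX

;; ANSWER SECTION:
example.com.\t\t3600\tIN\tMX\t20 mx2.example.com.
example.com.\t\t3600\tIN\tMX\t10 mx1.example.com.
example.com.\t\t3600\tIN\tMX\t30 backup.example.com.

;; Query time: 23 msec
;; SERVER: 192.168.19.2#53(192.168.19.2) (UDP)
;; WHEN: Mon Jun 19 10:00:00 CST 2023
;; MSG SIZE  rcvd: 120
"""


@dataclass
class Record:
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def parse_dig(output):
    """Split dig output into header status/flags, question, answers and statistics."""
    result = {"status": None, "flags": [], "question": None,
              "answers": [], "server": None, "query_time_ms": None}
    section = None
    for line in output.splitlines():
        if not line.strip():
            section = None            # a blank line ends a section
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            result["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            result["flags"] = line[len(";; flags:"):].split(";")[0].split()
        elif line.startswith(";; QUESTION SECTION:"):
            section = "question"
        elif line.startswith(";; ANSWER SECTION:"):
            section = "answer"
        elif line.startswith(";; SERVER:"):
            result["server"] = line.split()[2]
        elif line.startswith(";; Query time:"):
            result["query_time_ms"] = int(line.split()[3])
        elif line.startswith(";"):
            if section == "question" and not line.startswith(";;"):
                parts = line[1:].split()   # ";name.   IN   TYPE"
                result["question"] = (parts[0], parts[-1])
        elif section == "answer":
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            result["answers"].append(Record(name, int(ttl), rclass, rtype, rdata))
    return result


def is_authoritative(result):
    """'aa' in the flags means the answer came from an authoritative server,
    not from a resolver's cache."""
    return "aa" in result["flags"]


def mail_servers_in_delivery_order(result):
    """MX rdata is '<preference> <host>'; senders try the lowest preference first."""
    mx = [r.rdata.split() for r in result["answers"] if r.rtype == "MX"]
    return [host for _pref, host in sorted((int(p), h) for p, h in mx)]


if __name__ == "__main__":
    parsed = parse_dig(SAMPLE_DIG_OUTPUT)
    print(parsed["status"], "authoritative" if is_authoritative(parsed) else "from cache")
    print(mail_servers_in_delivery_order(parsed))
```

In the sample the flags are `qr rd ra` with no `aa`, so the answer came from the 192.168.19.2 resolver's cache; the MX list comes back in the order the server returned it (20, 10, 30), and the helper reorders it to the order a sending mail server would actually try.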

Query type any: display all types of domain name records (by default only A records are displayed).

Use the -x parameter with an IP address to look up its domain name (reverse lookup):
root@xuegod53:~# dig -x 114.114.114.114
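What dig -x actually sends is a PTR query for a name derived from the address, and a PTR answer on its own should not be trusted, since the reverse zone is controlled by whoever holds the address block. The added example below (not code from the original notes) builds the reverse name for both IPv4 (in-addr.arpa) and IPv6 (ip6.arpa, nibble by nibble after expanding the address) and then performs a forward-confirmed reverse DNS check, the test log analysts and mail filters apply before relying on a PTR hostname. The PTR and A tables are constructed stand-ins for live responses, using RFC 5737 documentation addresses.

```python
"""Reverse-lookup names and forward-confirmed reverse DNS (FCrDNS).

Added example, not from the original notes. It builds the name that
`dig -x <address>` queries, then checks that the PTR hostname resolves
back to the same address, using constructed lookup tables in place of
live DNS responses.
"""
import ipaddress


def reverse_pointer_name(address):
    """Owner name of the PTR record for an address.

    IPv4: octets reversed under in-addr.arpa.
    IPv6: every hex nibble of the fully expanded address reversed under ip6.arpa.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")     # 32 hex digits, '::' expanded
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def forward_confirmed(address, ptr_lookup, a_lookup):
    """FCrDNS: the hostname named by the PTR must have an address record
    pointing back at the address. The reverse zone is controlled by whoever
    holds the address block, so the PTR alone proves nothing; the forward
    check is what makes the hostname usable in logs and mail filtering.
    ptr_lookup/a_lookup are callables so a real resolver can be substituted.
    """
    hostname = ptr_lookup(reverse_pointer_name(address))
    if hostname is None:
        return False
    return address in a_lookup(hostname)


# Constructed answers standing in for real PTR and A responses (RFC 5737
# documentation addresses; nothing here is real data).
SAMPLE_PTR = {
    "10.2.0.192.in-addr.arpa.": "host10.example.com.",
    "11.2.0.192.in-addr.arpa.": "mail.example.com.",   # PTR claims a name ...
}
SAMPLE_A = {
    "host10.example.com.": ["192.0.2.10"],
    "mail.example.com.": ["192.0.2.99"],                 # ... that points elsewhere
}


def check_with_samples(address):
    """Run the FCrDNS check against the constructed tables."""
    return forward_confirmed(address, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, []))


if __name__ == "__main__":
    print(reverse_pointer_name("114.114.114.114"))
    print(reverse_pointer_name("2408:871a:a900:6::29"))
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(addr, "forward-confirmed" if check_with_samples(addr) else "NOT confirmed")
```

Of the three constructed addresses, only 192.0.2.10 passes: 192.0.2.11 has a PTR whose hostname resolves to a different address, and 192.0.2.12 has no PTR at all. Both failures look identical in a plain dig -x transcript, which is why the forward step matters.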

4. Query the domain name registration information and filing information of the website


1. Whois query methods: web interface query and whois command query;
(1) Query through a web interface:
Here are just two examples; there are actually many.
Alibaba Cloud: https://whois.aliyun.com/
Webmaster's Home: http://whois.chinaz.com/

(2) Whois command query:
root@xuegod53:~# whois xuegod.cn



2. Filing (ICP) information query
(1) Web interface query:
http://icp.chinaz.com/

(2) Tianyancha:
https://www.tianyancha.com/

5. Use Maltego to collect subdomain information

 1. Subdomain introduction:

The top-level domain is the last part of a domain name, that is, the label after the last dot. For example, in the domain http://example.com the top-level domain is .com (or .COM; case does not matter).
Common top-level domains fall mainly into two categories:

2. Top-level domain name introduction:

Common generic top-level domains are: .com for industrial, commercial and financial enterprises; .edu for educational institutions; .gov for government departments; .net for Internet information centres and operation centres; .org for organisations.
Country and regional top-level domains, such as .cn for China and .uk for the United Kingdom, are generally managed by the respective country or region. Subdomain: any name formed by adding a prefix to a top-level domain is a subdomain of that top-level domain; subdomains are classed as second-level, third-level or multi-level according to the number of levels.

3. Discover the importance of subdomains

A subdomain is a second-level or multi-level domain name under a main domain. If the main domain cannot be taken directly because its defences are strict, a roundabout tactic is to take down a subdomain and then work ever closer to the main domain.
For example: the main domain www.xxxxx.com has no vulnerabilities and strict protection, while the second-level domain edu.xxxxx.com has vulnerabilities and loose protection.

4. Subdomain Mining Method

1. Subdomain mining tool: Maltego subdomain mining machine.

Register on the Maltego official website first, because the tool cannot be used without logging in. Students need a gmail or 163 address to register.
Account registration URL: https://www.paterva.com/web7/community/community.php

Account registration is successful:

Open maltego in Kali; the free version is sufficient.


2. Search engine mining, for example: enter site:qq.com in Google
3. Third-party website queries: http://tool.chinaz.com/subdomain, https://dnsdumpster.com/
4. Certificate transparency public logs, for example: https://crt.sh/, http://censys.io/
5. Other methods: https://phpinfo.me/domain, http://dns.aizhan.com
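Certificate transparency logs are the one source in this list that an organisation can, and should, run against its own zone: every TLS certificate ever issued for a subdomain is public, so the same data an outsider sees is also the cheapest inventory check a defender has. The added example below (not code from the original notes) takes search results in the JSON shape crt.sh returns (field names such as name_value are assumed from that service; every entry is invented), normalises and de-duplicates the hostnames, classifies them by subdomain level as defined in the introduction above, and flags hosts that the asset inventory does not know about, for instance a forgotten old-vpn host whose certificate expired long ago.

```python
"""Turn certificate-transparency search results into a subdomain inventory check.

Added example, not part of the original notes. SAMPLE_CT_JSON is constructed
to mirror the shape of https://crt.sh/?q=%25.example.com&output=json (field
names assumed from that service; every entry is invented). The defender's
use: compare what public CT logs reveal about your own zone with the asset
inventory and flag anything unaccounted for.
"""
import json

SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "issuer_name": "C=US, O=Example CA", "not_before": "2023-05-01T00:00:00", "not_after": "2023-07-30T00:00:00"},
    {"common_name": "*.example.com", "name_value": "*.example.com",
     "issuer_name": "C=US, O=Example CA", "not_before": "2023-01-01T00:00:00", "not_after": "2024-01-01T00:00:00"},
    {"common_name": "old-vpn.example.com", "name_value": "old-vpn.example.com",
     "issuer_name": "C=US, O=Example CA", "not_before": "2021-03-01T00:00:00", "not_after": "2022-03-01T00:00:00"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nautodiscover.example.com",
     "issuer_name": "C=US, O=Example CA", "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-02T00:00:00"},
    # Older certificate for the same host with different letter case and a trailing dot:
    # must collapse onto www.example.com rather than count as a new name.
    {"common_name": "WWW.Example.COM", "name_value": "WWW.Example.COM.",
     "issuer_name": "C=US, O=Example CA", "not_before": "2022-05-01T00:00:00", "not_after": "2022-07-30T00:00:00"},
])


def hostnames_in_zone(raw_json, zone):
    """Unique, normalised hostnames inside `zone` mentioned by any certificate."""
    zone = zone.lower().rstrip(".")
    names = set()
    for entry in json.loads(raw_json):
        # name_value carries one or more SAN entries separated by newlines
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name == zone or name.endswith("." + zone):   # never trust the upstream filter alone
                names.add(name)
    return sorted(names)


def subdomain_level(name, zone):
    """Depth below the zone apex: example.com -> 0, a.example.com -> 1, b.a.example.com -> 2."""
    if name == zone:
        return 0
    return name[: -(len(zone) + 1)].count(".") + 1


def unexpected_hosts(found, inventory):
    """Hostnames exposed in CT logs that the asset inventory does not list.
    Wildcards are left out here because they name no specific host."""
    return sorted(n for n in found if n not in inventory and not n.startswith("*."))


def wildcard_names(found):
    """Wildcard certificates deserve their own review: one key covers every label."""
    return [n for n in found if n.startswith("*.")]


if __name__ == "__main__":
    zone = "example.com"
    inventory = {"example.com", "www.example.com", "mail.example.com", "autodiscover.example.com"}
    found = hostnames_in_zone(SAMPLE_CT_JSON, zone)
    for host in found:
        print(f"level {subdomain_level(host, zone)}: {host}")
    print("not in inventory:", unexpected_hosts(found, inventory))
    print("wildcards:", wildcard_names(found))
```

The same functions work unchanged on the real JSON response saved from crt.sh for a zone you are responsible for; the only step this example leaves out is the HTTP fetch, so that it runs offline on the constructed sample.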


 


 


Origin blog.csdn.net/weixin_47401101/article/details/131289592