Information gathering is one of the important stages of penetration testing, and it is the stage in which an attacker spends most of their effort. For enterprise penetration testers, ensuring that the test is accurate and valid means collecting information on every aspect of the target host: the more information they obtain, the greater the probability that the penetration test succeeds.
Reconnaissance is divided into two types:
Passive reconnaissance: generally refers to analysing the large amount of public information, which includes information published by the target itself and public online information resources. Gathering this information involves no interaction between the tester (or attacker) and the target, so the requests and activities are not logged and the tester cannot be located directly. An example is collecting significant information about the target from the Internet.
Active reconnaissance: direct queries or other interactive activities against the target, such as port scanning. These activities can trigger the target's alarm systems, and the target can obtain the attacker's IP address and activity information. Therefore, testers doing active reconnaissance need additional technical measures to avoid being detected. Of course, these activities are normally used to test one's own business servers.
Penetration testers or attackers generally follow a structured process, moving from gathering a wide range of general information to gathering specific information about the target.
Modify the static IP address in a Kali Linux system:
root@kali:~# vim /etc/network/interfaces
# Slightly different from other Linux systems: edit this configuration file
root@kali:~# vim /etc/resolv.conf
# Edit the DNS configuration file
root@kali:~# service networking restart
# Restart the networking service
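The commands above edit the two files by hand but do not show what goes into them. The following shell script is an added example, not from the original post, that writes a static ifupdown stanza and a resolv.conf into files given as arguments. The interface name eth0, the Kali address 192.168.248.130, the netmask, the gateway and the resolver 192.168.248.2 are assumed lab values chosen to sit on the same 192.168.248.0/24 network as the post's target host; the stand-alone run writes into a scratch directory rather than /etc.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the contents of
# /etc/network/interfaces (Debian ifupdown format, used by Kali) and
# /etc/resolv.conf for a static address. All addresses below are assumed
# lab values; the real files are written only when you pass their paths.

IFACE="eth0"               # assumed interface name
ADDR="192.168.248.130"     # assumed Kali address (the post's target is .129)
MASK="255.255.255.0"
GW="192.168.248.2"         # assumed gateway
DNS="192.168.248.2"        # assumed resolver

# is_ipv4 ADDR: succeed only for four dotted decimal octets in 0-255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# write_static_net IFACES_FILE RESOLV_FILE: validate the values, then write
# both files. Returns 1 without writing anything if an address is malformed.
write_static_net() {
    for ip in "$ADDR" "$MASK" "$GW" "$DNS"; do
        is_ipv4 "$ip" || { echo "malformed address: $ip" >&2; return 1; }
    done
    cat > "$1" <<EOF
# Loopback stays as shipped
auto lo
iface lo inet loopback

# Static configuration replaces the default "iface $IFACE inet dhcp"
auto $IFACE
iface $IFACE inet static
    address $ADDR
    netmask $MASK
    gateway $GW
EOF
    cat > "$2" <<EOF
nameserver $DNS
EOF
}

# Stand-alone run: write into a scratch directory and show the result.
# On the real system the paths are /etc/network/interfaces and
# /etc/resolv.conf, followed by: service networking restart
scratch="${TMPDIR:-/tmp}/netcfg.$$"
mkdir -p "$scratch"
write_static_net "$scratch/interfaces" "$scratch/resolv.conf" && cat "$scratch/interfaces" "$scratch/resolv.conf"
rm -rf "$scratch"
```

The validation step matters because ifupdown does not check the stanza until `service networking restart`, and a typo in the address or gateway leaves the machine without connectivity, which is easy to mistake for a problem with the tools used later in the post.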
DNS enumeration collects the local DNS service and all of its related entries, and can also help the user gather key information about the target organization, such as user names, computer names and IP addresses.
DNSenum is a very powerful domain information-gathering tool. It can guess domain names that may exist via Google or a dictionary file, and perform reverse lookups on a network segment. It can query not only the host's address records, but also its name servers and mail exchange (MX) records.
root@kali:~# dnsenum --enum baidu.com
Some options that can be added when using the DNSenum tool for DNS enumeration:
The Fierce tool is similar in nature to DNSenum; fierce is mainly used to scan sub-domains and collect information.
root@kali:~# fierce -dns baidu.com
SNMP enumeration
Snmpwalk is an SNMP application that uses the SNMP GETNEXT request to query all the information in the subtree of the specified OID (object identifier), and displays it to the user.
First, install the SNMP service on the server:
Next, use the Snmpwalk tool for SNMP enumeration:
root@kali:~# snmpwalk -v2c -c public 192.168.248.129
# -v2c selects version 2c of SNMP, public is the community name, and then comes the IP address of the SNMP server
The output is very long, cumbersome and hard to read, so a few commonly used commands are recommended:
root@kali:~# snmpwalk -v 1 -c public 192.168.248.129 .1.3.6.1.2.1.25.1.5
# Get the number of users on this Windows operating system
root@kali:~# snmpwalk -v 1 -c public 192.168.248.129 .1.3.6.1.2.1.25.2.2
# Get the total memory size of this Windows system
root@kali:~# snmpwalk -v 1 -c public 192.168.248.129 .1.3.6.1.2.1.4.20.1.1
# Get all IP addresses of this Windows operating system
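The three OIDs above are hrSystemNumUsers, hrMemorySize and ipAdEntAddr from HOST-RESOURCES-MIB and IP-MIB, and the raw walk output is the "cumbersome" part. The following shell script is an added example, not from the original post, that reduces snmpwalk lines to those three facts. The walk output embedded in it is constructed to mirror net-snmp's format when no MIB files are loaded (root printed as "iso."), so it runs without a live SNMP agent; the user count, memory size and addresses in the sample are invented.

```shell
#!/bin/sh
# Added example, not from the original post. Reduces raw snmpwalk output to the
# three facts the post's commands fetch. The OIDs are the post's own; the walk
# output below is constructed to mirror net-snmp's format when no MIB files are
# loaded (root printed as "iso."), so it runs without a live SNMP agent.

SAMPLE_WALK='iso.3.6.1.2.1.25.1.5.0 = Gauge32: 2
iso.3.6.1.2.1.25.2.2.0 = INTEGER: 2097152
iso.3.6.1.2.1.4.20.1.1.127.0.0.1 = IpAddress: 127.0.0.1
iso.3.6.1.2.1.4.20.1.1.192.168.248.129 = IpAddress: 192.168.248.129'

# walk_values OID_PREFIX WALK_OUTPUT: print the value of every line whose OID
# lies under OID_PREFIX. Normalises "iso." and bare "1." roots to ".1." first so
# the same prefix works regardless of how net-snmp printed the root.
walk_values() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            oid = $1
            sub(/^iso\./, ".1.", oid)
            if (oid !~ /^\./) oid = "." oid
            if (oid == p || index(oid, p ".") == 1) {
                sub(/^[^:]*: ?/, "")   # drop "OID = TYPE: ", keep the value
                print
            }
        }'
}

# One helper per OID in the post (names from HOST-RESOURCES-MIB and IP-MIB).
snmp_user_count() { walk_values ".1.3.6.1.2.1.25.1.5" "$1"; }   # hrSystemNumUsers
snmp_memory_kb()  { walk_values ".1.3.6.1.2.1.25.2.2" "$1"; }   # hrMemorySize, in KBytes
snmp_ip_addrs()   { walk_values ".1.3.6.1.2.1.4.20.1.1" "$1"; } # ipAdEntAddr, one per address

# snmp_summary WALK_OUTPUT: one line a reviewer can read at a glance.
snmp_summary() {
    users=$(snmp_user_count "$1")
    mem_kb=$(snmp_memory_kb "$1")
    mem_kb=${mem_kb%% *}                    # with MIBs loaded the value reads "N KBytes"
    mem_mb=$(( ${mem_kb:-0} / 1024 ))
    ips=$(snmp_ip_addrs "$1" | tr '\n' ',' | sed 's/,$//')
    printf 'users=%s mem_mb=%s ips=%s\n' "$users" "$mem_mb" "$ips"
}

# Stand-alone run on the constructed sample. Against a real host, replace
# SAMPLE_WALK with the output of: snmpwalk -v 1 -c public 192.168.248.129 .1.3.6.1.2.1
snmp_summary "$SAMPLE_WALK"
```

The walk only answers because the agent accepts the default read-only community "public" over SNMPv1/v2c, which carries the community name in clear text. Running the same walk from your own monitoring host is the quickest way to see whether an agent is exposed; the usual fix is a non-default community restricted to the monitoring host's address, or SNMPv3 with authentication.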
We also know another SNMP enumeration tool:
The snmp-check tool lets users enumerate SNMP devices and at the same time outputs the results in a more understandable way.
root@kali:~# snmp-check 192.168.248.129 -c public
It is more practical.
Use the DMitry tool in Kali Linux to query the WHOIS information of an IP address or domain name. WHOIS is used to query a registration repository for information about whether a domain name has been registered and who registered it.
root@kali:~# dmitry -wnpb accp.com
Since the experiment environment is not connected to the Internet, not all of the details can be seen.
To view open ports, use the Nmap tool:
root@kali:~# nmap 192.168.248.129
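A scan of your own host is only useful once its result is compared with what the host is supposed to expose. The following shell script is an added example, not from the original post, that pulls the open ports out of a normal-format Nmap report and flags any that are not on an expected-services baseline. The report embedded in it is constructed (the host is the post's 192.168.248.129; the services, timings and MAC address are invented placeholders), so the script runs without scanning anything.

```shell
#!/bin/sh
# Added example, not from the original post. Pulls the open ports out of a
# normal-format Nmap report and flags any that are not on an expected-services
# baseline, which is how a defender reads a scan of their own host. The report
# below is constructed (host taken from the post; services, timings and MAC
# address are invented placeholders), so the script runs without scanning.

SAMPLE_NMAP='Nmap scan report for 192.168.248.129
Host is up (0.00045s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:00:00:00:00:01 (placeholder)

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds'

# open_ports REPORT: print one "port/proto" per open port, in report order.
# Only lines of the port table match: first field "N/tcp" or "N/udp", second
# field exactly "open" (so "filtered" and "open|filtered" are left out).
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }'
}

# unexpected_ports REPORT BASELINE: print open ports absent from BASELINE, a
# space-separated list of "port/proto" entries the host is supposed to expose.
unexpected_ports() {
    for p in $(open_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;          # on the baseline, nothing to report
            *) echo "$p" ;;
        esac
    done
}

# Stand-alone run: a Windows file server expected to expose only RPC and SMB.
# Against a live host, replace SAMPLE_NMAP with the output of: nmap 192.168.248.129
BASELINE="135/tcp 139/tcp 445/tcp"
echo "open: $(open_ports "$SAMPLE_NMAP" | tr '\n' ' ')"
echo "unexpected: $(unexpected_ports "$SAMPLE_NMAP" "$BASELINE" | tr '\n' ' ')"
```

In the sample the baseline covers RPC and SMB, so 3389/tcp (Remote Desktop) is reported as unexpected; whether that is a misconfiguration or a forgotten service is exactly the question a defender wants raised by a scan of their own server.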
The advantage of the Zenmap tool is that it uses a graphical user interface,