Chapter VI Passive Information Collection

Passive Information Collection
• Publicly available information channels
• No direct interaction with the target system
• Try not to leave any traces
• OSINT:
• US military: http://www.fas.org/irp/doddir/army/atp2-22-9.pdf
• NATO: http://information-retrieval.info/docs/NATO-OSINT.html
 
Content of collected information
• IP addresses
• Domain information
• E-mail addresses
• Documents and image data
• Company address
• Organization structure
• Contact telephone / fax numbers
• Staff names / positions
• Technical architecture of the target system
• Public business information
 
Purpose of the information
• Describe the target
• Discovery
• Social engineering attacks
• Physical gaps
 
Information collection -- DNS
• Resolving domain names into IP addresses
• The difference between a domain name and an FQDN
• Domain records: A, CNAME, NS, MX, PTR
 
DNS information collection -- NSLOOKUP
• nslookup www.sina.com
• server (in interactive mode: switch the DNS server being queried)
• set type=a / mx / ns / any
• nslookup -type=ns example.com 156.154.70.22
 
DNS information collection -- DIG
• dig @8.8.8.8 www.sina.com mx
• dig www.sina.com any
• Reverse lookup: dig +noall +answer -x 8.8.8.8
• BIND version information: dig +noall +answer txt chaos VERSION.BIND @ns3.dnsv4.com
• DNS trace: dig +trace example.com
• Capture the traffic and compare the recursive and iterative query processes to see how they differ
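The recursive-versus-iterative comparison above comes down to a few header flag bits: a stub query to a recursive resolver sets RD and the resolver's reply sets RA, while `dig +trace` sends RD=0 queries and receives referrals (AA clear, NS records in the authority section) until an authoritative server answers with AA set. The following is an added example, not part of the original slides: it builds a DNS query header and classifies constructed sample responses offline, so nothing is sent on the network.

```python
import struct

RD, RA, AA, QR = 0x0100, 0x0080, 0x0400, 0x8000  # DNS header flag bits (RFC 1035)

def build_query(name, qtype=1, recursion_desired=True, txid=0x1234):
    """Build a DNS query. RD=1 is what a stub sends to a recursive resolver
    (dig @8.8.8.8 ...); RD=0 is what dig +trace sends to each server it walks."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(packet):
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "qd": qd, "an": an, "ns": ns, "ar": ar}

def classify(response):
    """Name the step of resolution a response belongs to, from its flags alone."""
    h = parse_header(response)
    if h["rd"] and h["ra"] and h["an"]:
        return "recursive answer"        # resolver resolved on the client's behalf
    if not h["rd"] and h["aa"] and h["an"]:
        return "authoritative answer"    # last hop of an iterative walk
    if not h["rd"] and not h["aa"] and h["ns"]:
        return "referral"                # follow the NS records in the authority section
    return "other"

# Constructed sample response headers (no real packets were captured):
RECURSIVE_ANSWER = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
ROOT_REFERRAL = struct.pack("!HHHHHH", 0x1234, QR, 1, 0, 13, 0)  # 13 root NS in authority
AUTH_ANSWER = struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 1, 0, 0)

if __name__ == "__main__":
    print(build_query("example.com").hex())
    for src, pkt in [("resolver", RECURSIVE_ANSWER), ("root", ROOT_REFERRAL), ("ns1", AUTH_ANSWER)]:
        print(src, classify(pkt))
```

A server that is meant to be authoritative only but replies with RA set is an open resolver; checking this flag on your own nameservers is the defensive use of the same comparison.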
 
DNS zone transfer
• dig @ns1.example.com example.com axfr
• host -T -l sina.com 8.8.8.8
 
DNS dictionary brute force
• fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt
• dnsdict6 -d4 -t 16 -x sina.com
• dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
• dnsmap sina.com -w dns.txt
• dnsrecon -d sina.com --lifetime 10 -t brt -D dnsbig.txt
• dnsrecon -t std -d sina.com
 
DNS registration information
• Whois
• whois -h whois.apnic.net 192.0.43.10
 
Search engines
• Company news
• Key employee information
• Confidential documents / network topology
• Usernames and passwords
• Target system hardware and software technical architecture
 
SHODAN
• Search for Internet-connected devices
• Banners: http, ftp, ssh, telnet
• https://www.shodan.io/
• http://1.179.177.109:81/index.htm
• Common filters:
• net (192.168.20.1)
• city
• country (CN, US)
• port (80, 21, 22, 23)
• os
• hostname (host or domain name)
 
GOOGLE search
• +recharge -pay
• E-commerce companies in Beijing: Beijing intitle:e-commerce intext:legal intext:phone
• Contacts of Beijing companies on Alibaba's site: Beijing site:alibaba.com inurl:contact
• PDF documents on the Sarbanes-Oxley Act: SOX filetype:pdf
• Payment-related pages in France: payment site:fr
 
GOOGLE search - examples
• inurl:"level/15/exec/-/show"
• intitle:"netbotz appliance" "ok"
• inurl:/admin/login.php
• inurl:qq.txt
• filetype:xls "username | password"
• inurl:ftp "password" filetype:xls site:baidu.com
• Service.pwd
• http://exploit-db.com/google-dorks
 
YANDEX
• The world's fourth largest search engine (Russia)
• https://www.yandex.com/
 
RECON-NG
• Full-featured web reconnaissance framework
• Python-based
 
User information
• E-mail
• theharvester -d sina.com -l 300 -b google
• Files
• metagoofil -d microsoft.com -t pdf -l 200 -o test -f 1.html
 
MALTEGO
• Register an account
• Log in and use it
 
Other ways
• Social networks
• Business registration records
• Newsgroups / forums
• Recruitment websites
• http://www.archive.org/web/web.php
 
Personalized password dictionary
• Generate a password dictionary from a person's own personal information
• CUPP: Common User Password Profiler
• git clone https://github.com/Mebus/cupp.git
• python cupp.py -i
 
METADATA
• Image EXIF data
• FOCA
 
RECON-NG
• Web information gathering framework
• Command format consistent with msf
• Python-based
• Usage:
• Modules
• Database
• Reports
 
RECON-NG
• Global options
• USER-AGENT
• Proxy
• Workspaces
• Snapshots
• Show schema
• Help
• Query the database
• select * from hosts where host like '%baidu.com%' order by ip_address
 
RECON-NG
• DNS queries
• Google
• Baidu
• Bing
• Yahoo
• Brute Force
• Resolve IP addresses (database queries)
• Contacts
• Report
• API
 
 


Source: www.cnblogs.com/zhubochang/p/11209059.html