Information gathering (信息收集) refers to the various ways of obtaining the information a penetration test needs. It runs through the whole engagement and is its most important part: it can account for roughly 80% of the workload, and the more information is gathered, the easier the later stages become. This chapter records study notes on gathering information about a web site.
General information collection
Whois query: use this command to look up a domain's registration details; it is installed by default on Kali.
root@kali:~# whois baidu.com
Domain Name: BAIDU.COM
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-09T04:30:46Z
Creation Date: 1999-10-11T11:05:17Z
Registry Expiry Date: 2026-10-11T11:05:17Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
nslookup: use set type to choose the record type to query; the common types are A, NS and MX.
root@kali:~# nslookup
> set type=MX
> baidu.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
baidu.com mail exchanger = 20 mx50.baidu.com.
baidu.com mail exchanger = 20 mx1.baidu.com.
baidu.com mail exchanger = 20 jpmx.baidu.com.
baidu.com mail exchanger = 10 mx.maillb.baidu.com.
baidu.com mail exchanger = 15 mx.n.shifen.com.
dig for authoritative answers: nslookup results are non-authoritative; use dig when an authoritative answer is needed.
root@kali:~# dig baidu.com
; <<>> DiG 9.11.5-P1-1-Debian <<>> baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6638
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com. IN A
;; ANSWER SECTION:
baidu.com. 480 IN A 220.181.38.148
baidu.com. 480 IN A 39.156.69.79
;; Query time: 5 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: 六 8月 24 08:04:48 CST 2019
;; MSG SIZE rcvd: 70
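The whois and dig sessions above are easier to act on once parsed. The script below is an added example, not code from the original notes: it turns the whois output into a record and checks the registrar locks and days until expiry that a domain owner monitors, and it parses the dig output into its header flags and answer records. The "aa" flag in dig's flags line is what marks an answer as authoritative; the answer above lacks it because it came from the local resolver 192.168.1.1, so the parser reports it as non-authoritative. The sample text is copied from the sessions above; SAMPLE_NOW is constructed from the dig WHEN line.

```python
"""Parse whois and dig output into structured records and run owner-side checks."""
import re
from datetime import datetime, timezone

# Sample input copied from the whois session above (contact lines omitted).
WHOIS_SAMPLE = """\
Domain Name: BAIDU.COM
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Updated Date: 2019-05-09T04:30:46Z
Creation Date: 1999-10-11T11:05:17Z
Registry Expiry Date: 2026-10-11T11:05:17Z
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

# Sample input copied from the dig session above.
DIG_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6638
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;baidu.com. IN A

;; ANSWER SECTION:
baidu.com. 480 IN A 220.181.38.148
baidu.com. 480 IN A 39.156.69.79

;; Query time: 5 msec
"""

# Constructed "current time": the date on the dig WHEN line above.
SAMPLE_NOW = datetime(2019, 8, 24, tzinfo=timezone.utc)

# EPP status codes that stop a domain being transferred, deleted or changed
# without the registrant's involvement.
REGISTRAR_LOCKS = {"clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited"}


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated 'Domain Status' lines become a list."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Domain Status":
            # keep only the EPP status code, drop the explanatory ICANN URL
            record.setdefault("statuses", []).append(value.split()[0])
        else:
            record[key] = value
    return record


def whois_checks(record, now):
    """Expiry countdown and registrar-lock presence for a parsed whois record."""
    expiry = datetime.strptime(record["Registry Expiry Date"], "%Y-%m-%dT%H:%M:%SZ")
    expiry = expiry.replace(tzinfo=timezone.utc)
    statuses = set(record.get("statuses", []))
    return {
        "days_until_expiry": (expiry - now).days,
        "transfer_locked": "clientTransferProhibited" in statuses,
        "missing_locks": sorted(REGISTRAR_LOCKS - statuses),
    }


def parse_dig(text):
    """Extract the header flags and the ANSWER SECTION records from dig output."""
    flags, answers, section = [], [], None
    for line in text.splitlines():
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            flags = m.group(1).split()
            continue
        if line.startswith(";; "):
            section = line[3:].rstrip(":")  # e.g. "ANSWER SECTION"
            continue
        if section == "ANSWER SECTION" and line and not line.startswith(";"):
            name, ttl, klass, rtype, rdata = line.split(None, 4)
            answers.append({"name": name, "ttl": int(ttl), "class": klass, "type": rtype, "data": rdata})
    # "aa" is only set when the responding server is authoritative for the zone
    return {"flags": flags, "authoritative": "aa" in flags, "answers": answers}


if __name__ == "__main__":
    rec = parse_whois(WHOIS_SAMPLE)
    print(rec["Domain Name"], rec["Registrar"], whois_checks(rec, SAMPLE_NOW))
    dig = parse_dig(DIG_SAMPLE)
    print("authoritative:", dig["authoritative"], [a["data"] for a in dig["answers"]])
```

To get an answer that does carry the "aa" flag, dig must be pointed at one of the domain's own name servers (dig @<ns-host> <domain>) instead of the local resolver.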
Online lookups: the following sites can perform the same queries; within China, ip138.com is recommended.
https://site.ip138.com/
http://dns.bugscaner.com/
https://www.ipaddress.com
https://www.ip-adress.com/ip-address
https://tools.ipip.net/ipdomain.php
http://ip.tool.chinaz.com
http://www.yunsee.cn
Subdomain enumeration: discover the subdomains that exist; there are many tools for this, such as subdomain diggers and Baidu searches.
http://z.zcjun.com/
http://sbd.ximcx.cn/
http://tool.chinaz.com/subdomain
Certificate lookup: query the certificates that have been issued for the site.
https://crt.sh/
https://transparencyreport.google.com/https/certificates
https://censys.io/
https://asn.cymru.com/cgi-bin/whois.cgi
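Certificate transparency data ties the two previous items together: the names in issued certificates reveal subdomains, and the same data lets a domain owner spot certificates nobody requested. The script below is an added example, not code from the notes or from crt.sh. It takes JSON in the shape crt.sh returns (https://crt.sh/?q=example.com&output=json, whose records carry issuer_name, common_name, name_value, not_before and not_after), collects the unique host names under a domain, and flags certificates from issuers outside an allow-list or outside their validity window. The JSON records and the domain example.com are constructed for the example.

```python
"""Extract host names from crt.sh-style JSON and flag unexpected certificates."""
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output (a JSON array of
# records). name_value holds one SAN per line, as crt.sh returns it.
SAMPLE_JSON = r"""[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
   "name_value": "example.com\nwww.example.com",
   "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.example.com",
   "name_value": "*.example.com\nexample.com",
   "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
  {"issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown CA", "common_name": "vpn.example.com",
   "name_value": "vpn.example.com",
   "not_before": "2024-03-15T00:00:00", "not_after": "2025-03-15T23:59:59"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "dev.internal.example.com",
   "name_value": "dev.internal.example.com\nstaging.example.com\nexample.net",
   "not_before": "2023-06-01T00:00:00", "not_after": "2023-08-30T23:59:59"}
]"""

# Constructed "current time" for the validity check.
SAMPLE_NOW = datetime(2024, 3, 20, 12, 0, 0)


def load_crtsh(text):
    """Parse the JSON array returned by crt.sh into a list of record dicts."""
    return json.loads(text)


def hostnames(entries, domain):
    """Unique host names under `domain` seen in any certificate's SAN list."""
    names = set()
    for entry in entries:
        for name in entry["name_value"].splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard reveals the zone, not a host
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def issuer_org(issuer_name):
    """Pull the O= component out of an issuer distinguished name string."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return None


def unexpected_issuers(entries, allowed_orgs):
    """(common_name, issuer org) for certificates not issued by an allowed CA."""
    flagged = []
    for entry in entries:
        org = issuer_org(entry["issuer_name"])
        if org not in allowed_orgs:
            flagged.append((entry["common_name"], org))
    return flagged


def active_at(entries, now):
    """Common names of certificates whose validity window contains `now`."""
    active = []
    for entry in entries:
        start = datetime.fromisoformat(entry["not_before"])
        end = datetime.fromisoformat(entry["not_after"])
        if start <= now <= end:
            active.append(entry["common_name"])
    return active


if __name__ == "__main__":
    entries = load_crtsh(SAMPLE_JSON)
    print("hosts:", hostnames(entries, "example.com"))
    print("unexpected issuers:", unexpected_issuers(entries, {"Let's Encrypt"}))
    print("active now:", active_at(entries, SAMPLE_NOW))
```

Against live data the same functions run over the response body of the crt.sh URL above; keeping the allow-list of issuer organisations small is what turns a recon listing into an alert on certificates the organisation never ordered.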