3. Use third-party services to collect information about the target passively and avoid discovery

3.1 Passive information collection

3.1.1 Overview and purpose of passive information collection

· Information collection methods can be divided into two types: passive and active.

· Passive information collection uses third-party services to access and learn about the target (for example, a Baidu search); it is not easily discovered by the target.

· Active information collection directly accesses and scans the target website, so your traffic passes through the target (for example, an nmap port scan); it is easily discovered by the target.

· The purpose of passive information collection: obtain information about the target host through public channels, without interacting directly with the target system, so as to leave no traces.

3.2 Information collection: DNS

3.2.1 Principle of domain name resolution

1. DNS server overview

· A DNS server is a computer running DNS server software that stores the DNS database. DNS servers are divided into root DNS servers and top-level domain (TLD) DNS servers. There are 13 root DNS servers, each of which stores the addresses of all top-level domain name servers; the top-level domain name servers store the host addresses registered by each customer.

2. Domain name records

· A, CNAME, NS, MX, PTR

A record (Address), forward resolution:

· An A record associates a host name (fully qualified domain name, FQDN) with an IP address. (This is the default query type for most client programs.)

PTR record (Pointer), reverse resolution:

· A PTR record maps an IP address to a host name (FQDN). These records are kept in the in-addr.arpa domain.

CNAME record (Canonical Name), alias:

· An alias record, also called a canonical name record. This record type allows multiple names to be mapped to the same computer.

MX record (Mail eXchange):

· An MX record is a mail exchange record that points to a mail server. When the mail system sends a message, it locates the mail server from the domain suffix of the recipient address.

· When there are multiple MX records (that is, multiple mail servers), a priority value determines which one is preferred: lower numbers mean higher priority.

NS record (Name Server):

· An NS record is a name server record, also called an authoritative server record; it defines which DNS server is responsible for resolving the domain name.

3. DNS caching server (does not resolve domain names itself; it only caches resolution results)

DNS query process:

· 1) Browser cache: when a user visits a domain name through a browser, the browser first searches its own cache for an IP address corresponding to the domain name (present if the domain was visited before and the cache has not been cleared);

· 2) System cache: when the browser cache has no IP for the domain name, the system checks whether the operating system's DNS cache or Hosts file has an IP for the domain name;

· 3) Router cache: when neither the browser cache nor the system cache has an IP for the domain name, the router cache is checked. These three steps are all client-side DNS caches;

· 4) ISP (Internet Service Provider) DNS cache (usually the local DNS server): when the IP address for the domain name cannot be found on the client, the query goes to the ISP's DNS cache. For example, if you are on Telecom's network, the query goes to Telecom's DNS cache server;

· 5) Root domain name server: when none of the above succeeds, the query goes to the root server. There are only 13 root domain name servers in the world (1 primary root server and 12 auxiliary root servers). After receiving the request, the root server checks its zone file records. If there is no record, it tells the local DNS server the IP of the top-level domain server (such as .com) within its jurisdiction;

· 6) Top-level domain name server: after receiving the request, the top-level domain server checks its zone file records. If there is no record, it tells the local DNS server the IP address of the primary domain name server within its jurisdiction;

· 7) Primary domain name server: after receiving the request, the primary domain name server queries its own cache. If there is no cache entry, it goes to the next-level domain name server, repeating this step until the correct record is found;

· 8) Save the result to the cache: the local domain name server saves the returned result in its cache for next time and returns the result to the client. The client then connects to the web server using this IP address.
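The records and query process described above, worked through in an added Python example that is not part of these notes: it builds a DNS query message in the wire format of RFC 1035, constructs the reverse-lookup name a PTR query asks for, and parses a response containing A and MX answers, including name compression pointers and the MX preference rule (lower number wins). The response bytes are constructed inside the example, not captured from any server, so it runs offline; the query bytes it builds are what you would send over UDP to port 53 of a resolver to get a real answer.

```python
import ipaddress
import struct

# Record types and classes from RFC 1035 used in these notes; CH (CHAOS) is the
# class dig queries for VERSION.BIND.
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "ANY": 255}
QCLASS = {"IN": 1, "CH": 3}


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name, qtype="A", qclass="IN", txid=0x1234):
    """12-byte header (RD=1 so a caching server recurses for us) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS[qclass])


def reverse_name(ip):
    """Name a PTR query asks for: the address reversed under in-addr.arpa (or ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def decode_name(msg, offset):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_response(msg):
    """Return the answer section as (owner, type, ttl, data) tuples."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                   # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE["A"]:
            data = str(ipaddress.IPv4Address(rdata))
        elif rtype == QTYPE["MX"]:             # preference, then the exchange host name
            data = (struct.unpack("!H", rdata[:2])[0], decode_name(msg, offset + 2)[0])
        elif rtype in (QTYPE["NS"], QTYPE["CNAME"], QTYPE["PTR"]):
            data = decode_name(msg, offset)[0]
        elif rtype == QTYPE["TXT"]:
            data = rdata[1:1 + rdata[0]].decode("ascii")
        else:
            data = rdata
        answers.append((owner, rtype, ttl, data))
        offset += rdlen
    return answers


def preferred_mx(answers):
    """The mail server a sender tries first: the MX with the lowest preference number."""
    mx = [a[3] for a in answers if a[1] == QTYPE["MX"]]
    return min(mx)[1] if mx else None


def build_sample_response():
    """Constructed response (not captured from a real server): one A and two MX
    answers for example.com, with 0xC00C pointers back to the question name."""
    question = build_query("example.com", "ANY")[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)   # QR=1 RD=1 RA=1
    ptr = b"\xC0\x0C"
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    mx1 = struct.pack("!H", 10) + b"\x04mail" + ptr
    mx2 = struct.pack("!H", 20) + b"\x06backup" + ptr
    mx_rrs = b"".join(ptr + struct.pack("!HHIH", 15, 1, 300, len(r)) + r for r in (mx1, mx2))
    return header + question + a_rr + mx_rrs


if __name__ == "__main__":
    answers = parse_response(build_sample_response())
    for rr in answers:
        print(rr)
    print("preferred MX:", preferred_mx(answers))
    print("PTR name for 203.0.113.10:", reverse_name("203.0.113.10"))
```

The parser deliberately handles the compression pointer case, because real answers almost always use it for the owner name and for MX/NS targets; a parser that only understands plain labels breaks on the first response from a live resolver.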

3.2.2 DNS information collection: NSLOOKUP

1. Resolve a domain name to an IP

-- ping command
Example: # ping baidu.com
[-c] specifies the number of packets to send

-- nslookup command
Example: # nslookup baidu.com
[Note] Edit the configuration file with vim /etc/resolv.conf (configure the DNS server as nameserver 114.114.114.114)
Server: DNS server    Address: DNS server address
Name: resolved domain name    Address: resolved IP address

3.2.3 DNS information collection: DIG

-- Syntax 1
# dig [options] domain name
[-x] performs a reverse lookup of the domain name corresponding to an IP
-- Syntax 2 (specify the DNS server that performs the resolution)
# dig @DNS server address domain name

-- Syntax 3 (query all types of domain name records; only A records are shown by default)
# dig domain name any

Query the DNS server's BIND version information
Purpose: use the version information to find out how to exploit vulnerabilities related to that version
# dig txt chaos VERSION.BIND @DNS server
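An added Python example (not from the original notes) that turns the text dig prints into structured records, so the output of the dig commands above can be processed instead of read by eye: it keeps only the ANSWER SECTION, orders MX targets by preference, and extracts the BIND version from a CHAOS-class version.bind TXT answer. The three sample outputs are constructed to look like dig output; the hostnames and addresses in them are made up. A server whose operator has hidden the version with the `version "...";` statement in the BIND options block gives no usable TXT answer, which the parser reports as None.

```python
import re

# One resource record line in dig's ANSWER SECTION: owner, TTL, class, type, rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH)\s+([A-Z0-9]+)\s+(.+)$")

# Constructed sample of `dig example.com any` output (values made up for this example).
SAMPLE_ANY = """\
;; QUESTION SECTION:
;example.com.\t\t\tIN\tANY

;; ANSWER SECTION:
example.com.\t\t300\tIN\tA\t203.0.113.10
example.com.\t\t300\tIN\tMX\t20 backup.example.com.
example.com.\t\t300\tIN\tMX\t10 mail.example.com.
example.com.\t\t3600\tIN\tNS\tns1.example.com.

;; AUTHORITY SECTION:
example.com.\t\t3600\tIN\tNS\tns2.example.com.

;; Query time: 23 msec
"""

# Constructed sample of `dig txt chaos VERSION.BIND @server` when the version is disclosed.
SAMPLE_VERSION = """\
;; ANSWER SECTION:
version.bind.\t\t0\tCH\tTXT\t"9.16.1"
"""

# Constructed sample of the same query against a server that hides its version:
# no ANSWER SECTION at all.
SAMPLE_HIDDEN = """\
;; QUESTION SECTION:
;version.bind.\t\t\tCH\tTXT

;; AUTHORITY SECTION:
version.bind.\t\t86400\tCH\tNS\tversion.bind.
"""


def parse_dig_answers(dig_output):
    """Return the records in dig's ANSWER SECTION as dicts; every other section
    and the ';;' status lines are ignored, so only what the server answered is kept."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        if not in_answer or not line.strip():
            continue
        m = RR_LINE.match(line)
        if m:
            records.append({"name": m.group(1), "ttl": int(m.group(2)),
                            "class": m.group(3), "type": m.group(4), "data": m.group(5)})
    return records


def mail_servers(records):
    """MX targets ordered by preference (lowest number first), as the MX notes describe."""
    mx = []
    for r in records:
        if r["type"] == "MX":
            pref, host = r["data"].split(None, 1)
            mx.append((int(pref), host))
    return [host for _, host in sorted(mx)]


def bind_version(records):
    """Version string from a CHAOS TXT answer for version.bind, or None when hidden."""
    for r in records:
        if r["class"] == "CH" and r["type"] == "TXT" and r["name"].lower() == "version.bind.":
            return r["data"].strip('"')
    return None


if __name__ == "__main__":
    recs = parse_dig_answers(SAMPLE_ANY)
    print("records:", len(recs), "mail servers:", mail_servers(recs))
    print("disclosed version:", bind_version(parse_dig_answers(SAMPLE_VERSION)))
    print("hidden version:", bind_version(parse_dig_answers(SAMPLE_HIDDEN)))
```

Feed it real output with `subprocess.run(["dig", ...], capture_output=True, text=True).stdout`; the record dicts are what you would store per target when comparing your own zones against what the public resolvers actually return.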

3.2.4 Query the website's domain name registration information and ICP filing information

-- Registration information
# whois domain name

-- Filing (ICP record) information
http://www.beianbeian.com/
http://icp.beian.miit.gov.cn/
https://www.tianyancha.com/

[Extended] Webmaster's Home (Chinaz) http://whois.chinaz.com/

3.3 Use Maltego to collect subdomain information

· The primary focus of this tool is analyzing the real-world relationships between data reachable over the Internet, which includes footprinting Internet infrastructure and collecting data about the people and organizations that own the network. Using OSINT (Open Source Intelligence) techniques, it finds connections between these data by querying whois records, social networks, DNS records and various online APIs, extracting metadata, and using search engines. The tool presents the results in a rich graphical layout that clusters the data so relationships are accurate and immediately visible.

3.3.1 Introduction to subdomain names

· The top-level domain is the last part of a domain name, that is, the letters after the last dot (such as .com).

Common top-level domains are mainly divided into two categories:

· 1. Generic top-level domains, of which there are 6 in total: .ac for scientific research institutions; .com for industrial, commercial and financial enterprises; .edu for educational institutions; .gov for government departments; .net for Internet information centers and network operation centers; .org for nonprofit organizations.

· 2. Country-code top-level domains, such as ".cn" for China and ".uk" for the United Kingdom.

· Subdomain name (Subdomain Name): any domain name formed by adding a prefix under a top-level domain is a subdomain of that top-level domain. By level, subdomains are divided into second-level, third-level and multi-level subdomains.

3.3.2 Mining subdomain names

1. Subdomain mining tools: Maltego, Subdomain Excavator (子域名挖掘机)

2. Search engine mining: for example, enter site:qq.com in Google

3. Third-party website queries: http://tool.chinaz.com/subdomain
   https://dnsdumpster.com/

4. Certificate transparency public log enumeration: https://crt.sh/ http://censys.io/

5. Other sources: https://phpinfo.me/domain
   http://dns.aizhan.com
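An added Python example, not part of the original notes, for item 4 in the list above: it takes a crt.sh JSON result (the real service returns one object per certificate with `common_name` and `name_value` fields; the sample here is constructed and its values are made up) and extracts the hostnames that actually belong to the domain. It splits multi-name entries, normalizes case, rejects lookalike names such as notexample.com, and reports wildcard names separately, since a wildcard certificate proves the zone exists but does not reveal which hosts sit under it.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json). The field names are the real
# ones; every value below is made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nmail.example.com"},
    {"common_name": "VPN.example.com", "name_value": "VPN.example.com"},
    {"common_name": "notexample.com", "name_value": "notexample.com"},
    {"common_name": "example.com.other-zone.test", "name_value": "example.com.other-zone.test"},
])


def in_zone(name, domain):
    """True only when `name` is the domain itself or a label under it; a plain
    endswith(domain) check would also accept lookalikes such as notexample.com."""
    return name == domain or name.endswith("." + domain)


def extract_subdomains(crtsh_json, domain):
    """Hostnames for `domain` from crt.sh JSON: split multi-name entries, normalize
    case, keep wildcard names apart, de-duplicate and sort."""
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(crtsh_json):
        for field in ("common_name", "name_value"):
            for raw in entry.get(field, "").split("\n"):
                name = raw.strip().lower().rstrip(".")
                if not in_zone(name, domain):
                    continue
                if name.startswith("*."):
                    wildcards.add(name)
                    name = name[2:]          # the zone a wildcard covers is itself a real name
                hosts.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


if __name__ == "__main__":
    result = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    print("hosts:", result["hosts"])
    print("wildcards:", result["wildcards"])
```

The names that come out are candidates, not live hosts: certificates outlive the servers they were issued for, so each name still has to be resolved (for example with the dig commands in 3.2.3) before it counts as an asset.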

3.3.3 Using Maltego CE for subdomain mining

Maltego CE official website:

https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php

Account registration URL:

https://www.paterva.com/web7/community/community.php

Search for Maltego CE in the desktop menu to launch it

3.4 Use the FOFA asset search engine to collect information

3.4.1 Introduction to FOFA

· FOFA (a cyberspace asset search system) is the world's most complete IT device search engine, with broader data coverage and more complete "DNA" information on networked IT devices worldwide. It explores global Internet asset information and supports analysis of the scope of assets affected by a vulnerability, application distribution statistics, application popularity situational awareness, and so on. Compared with its equivalent Shodan, FOFA's advantages are better localization, more domain name data, the world's largest asset rule set, and a newly added honeypot identification feature.

3.4.2 FOFA basic syntax

· For detailed syntax rules, refer to the FOFA official website https://FOFA.so/

-- 1. title: website title
title="...."  // search by page title

-- 2. body: web page content
body="...."  // search by page content

-- 3. Search by region
country="..."  // assets in the specified country (country code)
region="..."  // assets in the specified administrative region
city="..."  // assets in the specified city
[Note] 1. "!=" can be used to exclude a region
2. Filters can be combined with the logical operators (&& AND, || OR, NOT)

3.4.3 Search for assets by icon

Open the web page –> view the page source –> find the <link rel="icon" href=…> tag in the head –> right-click and copy the link address, open it in a new window –> save the icon locally –> open FOFA and click the icon button in the search box –> drag and drop the downloaded icon image to upload it –> an icon_hash value is generated

· Searching by icon finds every site that uses the same icon. But the same icon can be used on any website, so unofficial assets are collected too; and when a company updates its icon, some assets are not updated immediately, so the search results are incomplete.
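An added Python example, not from the original notes, showing what the icon_hash value is computed from, so you can calculate it for your own favicon and search for assets carrying it without uploading the file. It assumes FOFA uses the same scheme Shodan documents for http.favicon.hash: MurmurHash3 (x86, 32-bit) over the base64 text of the icon file, with the 76-character line breaks and trailing newline that Python's base64.encodebytes emits, returned as a signed 32-bit integer. The MurmurHash3 implementation is a pure-Python transcription of the reference algorithm, and the favicon bytes below are a constructed placeholder, not a real image.

```python
import base64

MASK32 = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data, seed=0):
    """MurmurHash3 x86_32 (Austin Appleby's reference algorithm), unsigned result."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed
    n = len(data)
    body_end = n - (n % 4)
    for i in range(0, body_end, 4):            # 4-byte little-endian blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = _rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[body_end:]                     # remaining 0..3 bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = _rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= n                                     # finalization mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def to_signed32(h):
    """Reinterpret an unsigned 32-bit value as the signed int the search engines show."""
    return h - (1 << 32) if h & 0x80000000 else h


def icon_hash(favicon_bytes):
    """Assumed FOFA icon_hash scheme (same as Shodan's): mmh3 over the base64 text of
    the icon, wrapped at 76 columns with a trailing newline as base64.encodebytes does."""
    return to_signed32(murmur3_32(base64.encodebytes(favicon_bytes)))


def fofa_icon_filter(favicon_bytes):
    """The FOFA search filter that matches every asset serving this favicon."""
    return f'icon_hash="{icon_hash(favicon_bytes)}"'


# Constructed placeholder standing in for a downloaded favicon.ico; not a real image.
SAMPLE_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(256)) * 2

if __name__ == "__main__":
    print(fofa_icon_filter(SAMPLE_FAVICON))
```

Because the hash covers the exact bytes of the file, the incompleteness noted above follows directly: an asset still serving last year's icon, or a re-encoded copy of the same image, gets a different icon_hash and is missed unless you also search for the old file's value.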

3.4.4 Query through JavaScript files

Open the web page –> view the page source –> find the