1fy07h posted on 2024-8-22 19:55:29

Information Gathering: A Travelogue (Part 1)


    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Original: Qftm, Hetian Zhihui (合天智汇)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">"There are only hackers who don't try hard enough, never a system that cannot be broken."</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This article, "Information Gathering: A Travelogue", is a summary of several years of the author's experience. In SRC (Security Response Center, i.e. vendor bug bounty) hunting, information gathering is a large part of the work: if you can collect assets that others cannot, you can find the vulnerabilities that others miss.</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Collecting domain information</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Once the target domain is known, the first thing to do is retrieve the domain's registration information, including its DNS servers and the registrant's contact details.</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Whois lookup</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Whois is, put simply, a database used to look up whether a domain has been registered and the details of that registration (owner, registrar, registration and expiry dates, DNS servers, and so on). Querying the domain's Whois server gives you the owner's contact details plus the registration and expiry dates. Be aware that since GDPR most registrars redact the registrant contact fields, so the registrar, name servers, lock statuses and dates are usually the only reliably populated fields.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Whois lookup sources:</p>
    whois on Kali https://www.kali.org/downloads/

    Domain Whois lookup - Chinaz http://whois.chinaz.com/

    Whois - Aizhan http://whois.aizhan.com/

    ip138 https://site.ip138.com/

    Whois Lookup https://www.whois.net/

    ICANN Lookup https://lookup.icann.org/

    Domain information lookup - Tencent Cloud https://whois.cloud.tencent.com/domain?domain=

    nicolasbouliane http://nicolasbouliane.com/utils/whois/?url=http://baidu.com

    Xinnet whois lookup http://whois.xinnet.com/

    IP WHOIS lookup - Chinaz tools http://tool.chinaz.com/ipwhois/
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/7be85a18d5394dc587532cdfd4580564~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=YfRfINIgFGinfmYQVT0ieOMM4a8%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Whois network registration information probing</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Lab: http://www.hetianlab.com/expc.do?ec=66a18063-8287-4b7c-9dfd-97faf52282f1 (through this lab you learn what Whois is and the purpose and techniques of Whois network registration probing). Copy the link to do the lab.</p>
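    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Which fields still matter in a modern whois record, and how to pull them out of the raw text, as an added example (the editor's illustration, not code from the original article). It parses a constructed whois response for the placeholder target.com (every value in SAMPLE_WHOIS is invented and labelled as such in the code), tolerates the post-GDPR redaction lines, and reports registrar, name servers, whether DNS is outsourced, registry lock statuses, and days to expiry. In practice the text would come from running whois target.com on Kali or from one of the sites listed above.</p>

```python
import re
from datetime import datetime, timezone

# Constructed fixture: registrar-style whois output with invented values. The
# "REDACTED FOR PRIVACY" / "query the RDDS service" lines mirror what most
# registrars have returned for contact fields since GDPR.
SAMPLE_WHOIS = """\
   Domain Name: TARGET.COM
   Registrar WHOIS Server: whois.example-registrar.com
   Registrar URL: http://www.example-registrar.com
   Updated Date: 2023-05-02T09:12:45Z
   Creation Date: 2008-11-20T15:30:00Z
   Registry Expiry Date: 2025-11-20T15:30:00Z
   Registrar: Example Registrar, Inc.
   Registrar Abuse Contact Email: abuse@example-registrar.com
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Email: Please query the RDDS service of the Registrar of Record
   Name Server: NS1.TARGET.COM
   Name Server: NS2.TARGET.COM
   Name Server: ns-cloud-a1.example-dns.net.
   DNSSEC: unsigned
>>> Last update of whois database: 2024-01-10T00:00:00Z <<<
"""
# fixed "now" so the expiry arithmetic below is reproducible
FIXTURE_NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(.*?)\s*$")
MULTI_KEYS = {"name server", "domain status"}   # keys that legitimately repeat
REDACTION_MARKERS = ("redacted", "privacy", "query the rdds")

def parse_whois(text):
    """Turn 'Key: Value' lines into a dict with lower-cased keys. Repeating
    keys collect into lists; for any other key the first value wins."""
    record = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key in MULTI_KEYS:
            record.setdefault(key, []).append(value)
        else:
            record.setdefault(key, value)
    return record

def parse_date(value):
    """Registries use ISO 8601 with a Z suffix or a bare date; return an
    aware UTC datetime, or None when the field is missing or unparseable."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def registrable_parent(host):
    """Crude 'last two labels' approximation of a name server's operator,
    enough to tell ns1.target.com from ns-cloud-a1.example-dns.net."""
    return ".".join(host.split(".")[-2:])

def summarize(text, now=None):
    """Extract what still matters for recon once contacts are redacted:
    registrar, name servers (and whether DNS is outsourced), lock statuses, dates."""
    now = now or datetime.now(timezone.utc)
    rec = parse_whois(text)
    domain = rec.get("domain name", "").lower()
    name_servers = sorted(ns.lower().rstrip(".") for ns in rec.get("name server", []))
    created = parse_date(rec.get("creation date", ""))
    expires = parse_date(rec.get("registry expiry date", ""))
    registrant = (rec.get("registrant organization") or "").lower()
    return {
        "domain": domain,
        "registrar": rec.get("registrar"),
        "name_servers": name_servers,
        # name servers outside the domain itself point at the DNS provider
        "external_dns_providers": sorted({registrable_parent(ns) for ns in name_servers
                                          if not ns.endswith("." + domain)}),
        "statuses": [s.split()[0] for s in rec.get("domain status", [])],
        "created": created,
        "expires": expires,
        "days_to_expiry": (expires - now).days if expires else None,
        "contact_redacted": any(mark in registrant for mark in REDACTION_MARKERS),
    }

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_WHOIS, now=FIXTURE_NOW).items():
        print(f"{k:22} {v}")
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The external_dns_providers field is the one worth a second look during recon: a name server outside the target's own domain tells you which hosted DNS or cloud provider the target relies on, and a registrar lock status missing from the list (no clientTransferProhibited) is itself a finding.</p>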

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">ICP filing lookup</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Websites hosted in mainland China must apply for an ICP filing (备案) with the relevant government department, which is intended to deter illegal activity; sites hosted abroad need no filing.</p>
    ICP filing lookup http://www.beianbeian.com/

    ICP filing lookup - Chinaz tools http://icp.chinaz.com/

    SEO comprehensive lookup - Aizhan https://www.aizhan.com/seo/

    Batch lookup - Chinaz tools http://icp.chinaz.com/searchs

    MIIT ICP/IP/domain filing management system http://www.beian.miit.gov.cn/publish/query/indexFirst.action
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p26-sign.toutiaoimg.com/pgc-image/ff2542da75b84c9283f423ce854a0f0b~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=Wb0bhDwgtyJLLWzCzJXg7bj3cK8%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Credit information lookup</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">National Enterprise Credit Information Publicity System http://www.gsxt.gov.cn/index.html</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">National company information lookup http://company.xizhi.com/</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Credit China (personal credit, enterprise information and Unified Social Credit Code lookup) https://www.creditchina.gov.cn/</p>

    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p26-sign.toutiaoimg.com/pgc-image/6296fbbbf1a8453fbe24608a79331cb1~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=AODgnq8qwpx2sG%2Ba24yAXFNNaj8%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Reverse IP lookup sites</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Online sites</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Dnslytics</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Dnslytics address: https://dnslytics.com/</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A reverse lookup of an IP on Dnslytics gives the following:</p>
    IP information
    Network information
    Hosting information
    SPAM database lookup
    Open TCP/UDP ports
    Blocklist lookup
    Whois information
    Geo information
    Country information
    Update information
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A reverse lookup of a domain on Dnslytics gives the following:</p>
    Domain and Ranking Information
    Hosting Information { A/AAAA Record, NS Record, MX Record, SPF Record }
    Web Information
    Whois Information
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Browser extensions</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Domain information can also be collected with Chrome and Firefox extensions, for example:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">myip.ms</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/01f639420ba544fc891af5c2062e2809~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=4iJuOr4qW6%2FdlqOWKYjEKF2CGns%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/365c4c02e3d14ccd984fee856136b459~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=19r50Q93vwdA6pwhuq%2Fn8SVSSJ4%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/c588e986add34711b11746ff35d68172~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=fUlj%2FYQk%2F9uLO4eYDokPOYHCKw8%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Using browser extensions</strong>:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Lab: http://www.hetianlab.com/expc.do?ec=ECID9d6c0ca797abec2017042513322900001 (learn how to use common browser extensions).</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Collecting related application information</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Tianyancha https://www.tianyancha.com/</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Qichacha https://www.qichacha.com/</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">WeChat official accounts &amp; Weibo</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Tianyancha</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Using the company name obtained earlier, you can find the target company's WeChat official accounts, Weibo accounts, ICP-filed websites, software copyright registrations, and more.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Tianyancha - business security tool https://www.tianyancha.com/</p>

    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/889b344009a44ca3b0aeb0af66d02ab6~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=%2Bv1Rcca0sfQ0dKsVi68jXzQVqzg%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">WeChat official accounts</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/0145e1795d97418c855b9963dd8aea85~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=6I4bTfQf8xKBkKgnEmNejSpbtOk%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Weibo</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/6eefef09779e49838371cd6a837ae6fe~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=KYmSyrckREb4wigljohNwMPKIgA%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">APP</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Qimai Data</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://www.qimai.cn/</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Starting from the app you already know, search for other apps by the same developer to enumerate all of the target's apps.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/fccddc8c383146178480bbf530fc8c8c~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=27m90%2BeVraOEVMliwJCro4Kn19Q%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">App Store</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://apps.apple.com/</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Likewise, open the known app's listing and follow the developer link to see every app published under the same developer account.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/edc0a648c8954fcb86464f8a07aa5e52~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=tc6H%2BCwPm7k6naJHi%2F6KY%2FHbXzE%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Collecting subdomain information</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A subdomain (what Chinese usage calls a second-level domain) is a domain beneath the registered domain. If the target network is large, going straight at the main domain is rarely wise: for targets of that size the main domain is usually the most heavily defended area, so it is better to get in through one of the target's subdomains and then work your way toward the real objective. The question then is how to collect as many high-value subdomains as possible. The common methods are the following.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Online platforms</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Third-party platform lookups</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">These are mainly services offered by third-party sites and individual bloggers:</p>
    ip138 https://site.ip138.com/

    Chinaz tools http://tool.chinaz.com/subdomain/?domain=

    hackertarget https://hackertarget.com/find-dns-host-records/

    phpinfo https://phpinfo.me/domain/

    t1h2ua https://www.t1h2ua.cn/tools/

    dnsdumpster https://dnsdumpster.com/

    chinacycc https://d.chinacycc.com/

    zcjun http://z.zcjun.com/
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Comprehensive weight (SEO ranking) lookup</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Aizhan https://www.aizhan.com/seo/</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Chinaz tools http://rank.chinaz.com/all/</p>

    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/2320b6b364d14783aab7cfdde84f1422~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=RvLKoYLFkP446VagKN%2FZQHSilnE%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">National government website basic database</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">http://114.55.181.28/databaseInfo/index</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/9a47f1909d17423197c5fd6618d49666~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=TuNNLJa6q1ZsXl5n0aMzlFi%2BmUc%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Reverse IP lookup of bound domains</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Domains associated with an IP: most sites have several domains bound to a single IP, so a reverse lookup on the IP often reveals sibling sites.</p>
    http://s.tool.chinaz.com/same?s
    http://dns.aizhan.com/
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Asset search engines</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Google, Shodan, FOFA, ZoomEye</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Google search syntax</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Search for subdomains with "site:target.com"</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/255fe2724b184f2abc1c4597a14df006~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=ewAvNZAmYsYy2JIGUyhD5jdSuaE%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h3 style="color: black; text-align: left; margin-bottom: 10px;">FOFA search syntax</h3>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://fofa.so/</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Search for subdomains with the domain filter (FOFA uses = rather than :), for example:</p>
    domain="baidu.com"
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/e5ee4d45de044f2d935fc3b395be9d51~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=lRw7DeX2IWXaUfDPOySkOefkqFw%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Tool enumeration</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Commonly used subdomain tools (all findable on GitHub):</p>
    OneForAll
    Layer
    Sublist3r
    subDomainsBrute
    K8
    wydomain
    dnsmaper
    dnsbrute
    Findomain
    fierce, etc.
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Personal recommendations: OneForAll, Layer, Sublist3r, subDomainsBrute</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">OneForAll</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">OneForAll is a powerful subdomain collection tool with many modules and API integrations. Its output is comprehensive: subdomains, their IPs, common open ports, page titles, banners, HTTP status, and so on.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Project address: https://github.com/shmilylty/OneForAll</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Subdomain collection: python3 oneforall.py --target=target.com run</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/c6b137413a6145d6a54567b9fadfea9e~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=NTPZuVeTASmwcexHvxQVKu%2F1Xpo%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Layer</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Layer Subdomain Excavator (Layer子域名挖掘机) is simple to use: type the domain into the domain box and start the scan. Its results view is quite detailed, showing the domain, resolved IP, open ports, web server, and site status.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/62f63b96d30d41ec8b3b810aa059cb51~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=ApOPG6CF2vPoGJRkST320Wop8FQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">subDomainsBrute</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">subDomainsBrute's distinguishing feature is that it uses a small dictionary recursively to dig out third-, fourth- and even fifth-level domains that are otherwise hard to discover.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Project address: https://github.com/lijiejie/subDomainsBrute</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Subdomain collection: python subDomainsBrute.py target.com</p>
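    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">How the recursive dictionary brute force that subDomainsBrute performs actually works, together with the wildcard-DNS check any such tool needs, as an added example (the editor's code, not subDomainsBrute's). It runs against a constructed fake zone (FAKE_ZONE, FAKE_WILDCARDS and every hostname and address in them are invented) through an injectable resolver, so it works offline; live_resolve shows the real socket.gethostbyname call to swap in against a target you are authorised to test.</p>

```python
import random
import socket
import string

# Constructed fake zone so the example runs offline. Hostnames and IPs are
# invented (target.com is the placeholder the article uses throughout).
FAKE_ZONE = {
    "www.target.com": "203.0.113.10",
    "mail.target.com": "203.0.113.25",
    "dev.target.com": "203.0.113.40",
    "api.dev.target.com": "10.20.0.5",
    "staging.api.dev.target.com": "10.20.0.6",
    "cdn.target.com": "198.51.100.1",
}
# cdn.target.com has a wildcard record: *.cdn.target.com answers for any label
FAKE_WILDCARDS = {"cdn.target.com": "198.51.100.1"}

def fake_resolve(name):
    """Offline stand-in for live_resolve: an IP, or None for NXDOMAIN."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    for parent, ip in FAKE_WILDCARDS.items():
        if name.endswith("." + parent):
            return ip
    return None

def live_resolve(name):
    """Real resolver, for use only against a target you are authorised to test."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def wildcard_ip(parent, resolve):
    """Resolve a random label that cannot be in anyone's dictionary. If it
    answers, parent has a wildcard record and every dictionary word will
    'resolve' to that same IP, so such hits must be discarded as noise."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
    return resolve(f"{label}.{parent}")

def brute_force(parent, wordlist, resolve, max_depth=3, _depth=1):
    """Dictionary brute force that recurses into each confirmed host, which is
    how third- and fourth-level names such as staging.api.dev.target.com are
    found from a small wordlist. Returns {hostname: ip}."""
    found = {}
    wc = wildcard_ip(parent, resolve)
    for word in wordlist:
        name = f"{word}.{parent}"
        ip = resolve(name)
        if ip is None or ip == wc:   # NXDOMAIN, or indistinguishable from the wildcard
            continue
        found[name] = ip
        if _depth < max_depth:
            found.update(brute_force(name, wordlist, resolve, max_depth, _depth + 1))
    return found

WORDLIST = ["www", "mail", "dev", "api", "staging", "cdn", "vpn", "test"]

if __name__ == "__main__":
    for host, ip in sorted(brute_force("target.com", WORDLIST, fake_resolve).items()):
        print(f"{host:32} {ip}")
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Two things this shows that a tool's output hides: the wordlist is re-applied under every confirmed host (so cost grows with depth and hits, which is why the real tools cap depth and use thread pools), and without the wildcard probe a zone such as cdn.target.com would report every word in the dictionary as a "found" subdomain.</p>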
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Sublist3r</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Sublist3r is another commonly used tool. It enumerates subdomains from many sources: search engines such as Google, Yahoo, Bing, Baidu and Ask, plus Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, SSL certificates, and reverse DNS.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Project address: https://github.com/aboul3la/Sublist3r</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Subdomain collection: python sublist3r.py -d target.com -b -t 50 -p 80,443,21,22 (-b enables the brute-force module, -t sets the thread count, -p port-scans the discovered hosts)</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/2e6fc871cc3a442782583d29a35cf208~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=VDHsfGFd%2B6eej8xK1qyHt2EYZmk%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Enumerating public Certificate Transparency logs</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Certificate Transparency (CT) is a framework under which certificate authorities (CAs) publish every SSL/TLS certificate they issue to public, append-only logs. A certificate usually names the domain and its subdomains (in the Subject Alternative Name field) and sometimes email addresses, which is exactly the information an attacker wants. The simplest way to find the certificates issued for a domain is to search the public CT logs through a search engine such as crt.sh.</p>
    <h3 style="color: black; text-align: left; margin-bottom: 10px;">Online third-party platform lookup</h3>
    crt.sh: https://crt.sh
    censys: https://censys.io
    myssl: https://myssl.com
    crt.sh query example: https://crt.sh/?q=baidu.com
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/6caa109a24e04d76872749c11e7aefe4~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=H94PjSZjeVCKDOM9KSBsYIN9FPs%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/e845c07ae8ec423fb3591a768e07da3b~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=FWAETAmBxhd99f5a492hhDaJmFk%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/f94c82a006774e44a21595c5c1463d74~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=V%2BXaq0g4jJqRWx%2BPX3mGdCIFQCM%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Tool-based enumeration</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Tools can query the various certificate APIs to look up domains.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Common tools: Findomain, Sublist3r (its SSL Certificates source), etc.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Findomain</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Findomain does not use the conventional subdomain discovery methods; it queries Certificate Transparency logs, which makes it faster and more reliable. It uses several public APIs to perform the search:</p>
    Certspotter
    Crt.sh
    Virustotal
    Sublist3r
    Facebook **
    Spyse (CertDB) *
    Bufferover
    Threatcrowd
    Virustotal with apikey **
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Project address: https://github.com/Edu4rdSHL/findomain</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Subdomain collection: findomain -t target.com</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Search subdomains with all APIs and export the data to a CSV file: findomain -t target.com -a -o csv</p>
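    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Querying crt.sh and turning its JSON into a host list, as an added example that covers both the CT-log lookup above and what Findomain-style tools do under the hood (the editor's code, not Findomain's or crt.sh's). The crt.sh query URL is real; SAMPLE_CRTSH_JSON is constructed, with invented names, ids and dates for the placeholder target.com. It handles the three things a naive parse gets wrong: wildcard SANs, multi-line name_value fields, and out-of-scope suffix matches that the %. query also returns, and it separates hosts with a current certificate from ones whose certificates have all expired.</p>

```python
import json
import urllib.parse
from datetime import datetime

def crtsh_query_url(domain):
    """crt.sh's JSON endpoint. The leading %. is a SQL LIKE wildcard, so the
    query returns every certificate naming any subdomain of the target."""
    return "https://crt.sh/?" + urllib.parse.urlencode({"q": f"%.{domain}", "output": "json"})

# Constructed sample in the shape crt.sh returns: a JSON array in which
# name_value carries one identity per line (SANs, wildcards included).
# All names, ids and dates are invented.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.target.com",
     "name_value": "www.target.com\ntarget.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00"},
    {"id": 2, "common_name": "*.dev.target.com",
     "name_value": "*.dev.target.com\ndev.target.com",
     "not_before": "2024-01-15T00:00:00", "not_after": "2025-01-14T23:59:59"},
    {"id": 3, "common_name": "mail.target.com",
     "name_value": "MAIL.target.com\nautodiscover.target.com",
     "not_before": "2023-11-01T00:00:00", "not_after": "2024-10-31T00:00:00"},
    # out of scope: a suffix-match trap that the %. query happily returns
    {"id": 4, "common_name": "target.com.attacker.example",
     "name_value": "target.com.attacker.example",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T00:00:00"},
    # long expired: a host that once existed and may still have a DNS record
    {"id": 5, "common_name": "old-vpn.target.com",
     "name_value": "old-vpn.target.com",
     "not_before": "2017-06-01T00:00:00", "not_after": "2019-06-01T00:00:00"},
])
# fixed "now" so the live/stale split below is reproducible
FIXTURE_NOW = datetime(2024, 8, 1)

def in_scope(name, apex):
    return name == apex or name.endswith("." + apex)

def parse_crtsh(raw_json, domain):
    """Return (hosts, wildcards): hosts maps each in-scope hostname to the
    latest certificate expiry seen for it; wildcards is the sorted list of
    *.x entries, which reveal a naming pattern rather than a host."""
    apex = domain.lower()
    hosts, wildcards = {}, set()
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or not in_scope(name, apex):
                continue
            if name.startswith("*."):
                wildcards.add(name)
            elif name not in hosts or hosts[name] < expiry:
                hosts[name] = expiry
    return hosts, sorted(wildcards)

def live_hosts(hosts, now):
    """Names that hold a currently valid certificate."""
    return sorted(h for h, exp in hosts.items() if exp >= now)

def stale_hosts(hosts, now):
    """Names whose newest certificate has expired: often decommissioned
    services or forgotten DNS records, both worth probing directly."""
    return sorted(h for h, exp in hosts.items() if exp < now)

if __name__ == "__main__":
    hosts, wildcards = parse_crtsh(SAMPLE_CRTSH_JSON, "target.com")
    print("query:    ", crtsh_query_url("target.com"))
    print("live:     ", live_hosts(hosts, FIXTURE_NOW))
    print("stale:    ", stale_hosts(hosts, FIXTURE_NOW))
    print("wildcards:", wildcards)
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The stale list is the part tools usually discard and hunters usually want: a name that had a certificate years ago and none since frequently still resolves, and an unmaintained host is a better target than the www site.</p>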
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">DNS resolution history</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">dnsdb https://www.dnsdb.io</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">viewdns https://viewdns.info/</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">DNS域传送漏洞</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">日前</span>来看"DNS域传送漏洞"<span style="color: black;">已然</span>很少了。</p>
    <h3 style="color: black; text-align: left; margin-bottom: 10px;">DNS记录<span style="color: black;">归类</span></h3>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">平常</span>的DNS记录有以下几类:</p>A记录 IP<span style="color: black;">位置</span>记录,记录一个域名对应的IP<span style="color: black;">位置</span>
    AAAA记录 IPv6<span style="color: black;">位置</span>记录,记录一个域名对应的IPv6<span style="color: black;">位置</span><span style="color: black;">CNAME</span>记录 别名记录,记录一个主机的别名
    MX记录 电子邮件交换记录,记录一个邮件域名对应的IP<span style="color: black;">位置</span>
    NS记录 域名服务器记录 ,记录该域名由哪台域名服务器解析
    PTR记录 反向记录,<span style="color: black;">亦</span>即从IP<span style="color: black;">位置</span>到域名的一条记录
    TXT记录 记录域名的<span style="color: black;">关联</span>文本信息<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">DNS信息收集-dnsrecon、fierce和dnsmap:</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">http://www.hetianlab.com/expc.do?ec=</p>ECID172.19.104.182016012111000300001(<span style="color: black;">经过</span>该实验<span style="color: black;">认识</span>dnsrecon、fierce、dnsmap这三个工具的<span style="color: black;">运用</span><span style="color: black;">办法</span>,并<span style="color: black;">运用</span>该工具对DNS服务器进行信息收集整理,<span style="color: black;">认识</span>并<span style="color: black;">熟练</span><span style="color: black;">她们</span>的常用参数<span style="color: black;">道理</span>。)复制链接做实验。
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">DNS registration information</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Whois lookup</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">How the DNS zone transfer vulnerability works</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">DNS servers come in three roles: primary (master) servers, secondary (backup) servers and caching servers. To keep the database synchronised between primary and secondary servers, a "DNS zone transfer" is used: the secondary copies the zone data from the primary and updates its own database with it.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If a DNS server is misconfigured, an attacker may be able to obtain every record of a domain. That leaks the topology of the whole network to a potential attacker, including less well-secured internal hosts such as test servers. At the same time, an attacker can quickly enumerate every host in a given zone, collect domain information, pick targets, find unused IP addresses and bypass network-based access controls.</p>
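    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Added example, not part of the original article: the Python script below reviews a zone dump in the one-record-per-line format that dig axfr prints, the way a defender would review their own zone, and summarises what an open transfer would hand over: record counts per type (the record types listed above), names that resolve to RFC 1918 addresses, and names that look like test or development systems. The zone example.edu.cn, its host names and all addresses are constructed.</p>

```python
"""Review a zone dump (as `dig axfr` prints it) from the defender's side.

Added example, not from the original article: it summarises what an open zone
transfer would hand over, so the exposure can be judged and the zone cleaned up.
The sample zone below is constructed; example.edu.cn and its hosts are hypothetical.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample zone dump, one record per line as `dig axfr` prints them.
SAMPLE_ZONE = """\
example.edu.cn.          3600  IN  SOA   ns1.example.edu.cn. hostmaster.example.edu.cn. 2024082201 7200 3600 1209600 3600
example.edu.cn.          3600  IN  NS    ns1.example.edu.cn.
example.edu.cn.          3600  IN  NS    ns2.example.edu.cn.
example.edu.cn.          3600  IN  MX    10 mail.example.edu.cn.
example.edu.cn.          3600  IN  TXT   "v=spf1 mx -all"
www.example.edu.cn.      300   IN  A     203.0.113.10
mail.example.edu.cn.     3600  IN  A     203.0.113.25
ns1.example.edu.cn.      3600  IN  A     203.0.113.53
ns2.example.edu.cn.      3600  IN  A     203.0.113.54
test.example.edu.cn.     3600  IN  A     10.20.30.40
dev-api.example.edu.cn.  3600  IN  A     192.168.1.15
intranet.example.edu.cn. 3600  IN  CNAME portal.example.edu.cn.
portal.example.edu.cn.   3600  IN  A     172.16.5.8
ipv6.example.edu.cn.     3600  IN  AAAA  2001:db8::1
example.edu.cn.          3600  IN  SOA   ns1.example.edu.cn. hostmaster.example.edu.cn. 2024082201 7200 3600 1209600 3600
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")

# RFC 1918 ranges are checked explicitly: ipaddress' is_private also matches the
# documentation ranges (203.0.113.0/24, 2001:db8::/32) used in this sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Labels that usually mark the "less well-secured internal hosts" the text warns about.
DEV_HINTS = ("test", "dev", "staging", "uat", "intranet", "internal", "old", "backup")


def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples; blank and comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def is_rfc1918(address):
    addr = ipaddress.ip_address(address)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def summarize(records):
    """Record counts per type, hosts on private addresses, and test/dev-looking names."""
    by_type = Counter(rtype for _, _, rtype, _ in records)
    private_hosts = [(owner, rdata) for owner, _, rtype, rdata in records
                     if rtype == "A" and is_rfc1918(rdata)]
    dev_hosts = sorted({owner for owner, _, rtype, _ in records
                        if rtype in ("A", "AAAA", "CNAME")
                        and any(hint in owner.split(".")[0].lower() for hint in DEV_HINTS)})
    return {"by_type": dict(by_type), "private_hosts": private_hosts, "dev_hosts": dev_hosts}


def review_zone(text):
    return summarize(parse_zone(text))


if __name__ == "__main__":
    report = review_zone(SAMPLE_ZONE)
    print("records per type:       ", report["by_type"])
    print("hosts on RFC 1918 space:", report["private_hosts"])
    print("test/dev-looking names: ", report["dev_hosts"])
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Run against the constructed zone, the report flags three names on private address space and three names that look like internal or test systems: exactly the hosts the paragraph above says an open transfer exposes, and the first candidates to move into an internal-only view or remove from the public zone.</p>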
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Detecting the DNS zone transfer vulnerability</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">nslookup</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Basic procedure</p>
    <pre>
1) nslookup              # enter the interactive shell
2) server dns.xx.yy.zz   # set the DNS server the queries will use
3) ls xx.yy.zz           # list all names in the domain (requests a zone transfer)
4) exit                  # quit
    </pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Check: no vulnerability</p>
    <pre>
&gt; nslookup
Server:  lkwifi.cn
Address:  192.168.68.1

*** lkwifi.cn can't find nslookup: Non-existent domain
&gt; server ss2.bjfu.edu.cn
Default Server:  ss2.bjfu.edu.cn
Address:  202.204.112.67

&gt; ls bjfu.edu.cn
[ss2.bjfu.edu.cn]
*** Can't list domain bjfu.edu.cn: Query refused
The DNS server refused to transfer the zone bjfu.edu.cn to your computer. If this
is incorrect, check the zone transfer security settings for bjfu.edu.cn on the DNS
server at IP address 202.204.112.67.
&gt; exit
    </pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Check: vulnerable</p>
    <pre>
&gt; nslookup
&gt; server dns1.xxx.edu.cn
&gt; ls xxx.edu.cn
    </pre>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/7683bf94462a49b1835d707c1f09c4dc~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=1DU%2Fm%2Bc3%2Fq7o0rl68IoSN02y2eE%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">nmap</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Use the nmap script "dns-zone-transfer" to test for the vulnerability:</p>
    <pre>
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=xxx.edu.cn -p 53 -Pn dns.xxx.edu.cn
    </pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">--script dns-zone-transfer loads the nmap script dns-zone-transfer.nse (the .nse extension can be omitted). --script-args dns-zone-transfer.domain=xxx.edu.cn passes the script the domain whose records should be listed. -p 53 scans port 53 only. -Pn skips the ping-based host discovery step and treats the host as up.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/4715014f8e9248a5ba8fcf45ed0cf197~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=vYTpWYxMVbygWNtv6pe%2BkVdAw3I%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">dig</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Usage: dig -h</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Vulnerability test</p>
    <pre>
dig @dns.xxx.edu.cn axfr xxx.edu.cn
    </pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">axfr is one of the query types (q-type): AXFR stands for Authoritative Transfer and requests the transfer of all records of a zone.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/6ddf453e6dd24701bf12f4bf12f3faf4~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=dpoQ8%2BTrYxL0%2FPoOXl3pyWcTAug%3D" style="width: 50%; margin-bottom: 20px;"></div>
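    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The three tools above only confirm the symptom; the fix is on the server, in the zone transfer ACL. As an added example (not from the article and not BIND project code), the Python script below audits the allow-transfer settings in a BIND named.conf: it tracks the options-level setting and each zone's override, and reports zones that are open to any or that rely on the server default. The weak and corrected configurations, the zone names, the secondary's address and the key name are all constructed, and the parser covers only the subset of named.conf syntax they use.</p>

```python
"""Audit BIND `allow-transfer` settings for zones open to zone transfer.

Added example, not from the original article or the BIND project. The two
configurations are constructed; the parser covers only the named.conf subset
they use (nested `{}` blocks, `;`-terminated statements, //, # and /* */ comments).
"""
import re

# Constructed weak configuration: one zone explicitly open to `any`, one with no
# allow-transfer anywhere, so it falls back to the server default (older BIND
# releases default to allowing transfers to any host).
WEAK_CONF = """\
options {
    directory "/var/named";
    recursion no;
};
zone "example.edu.cn" IN {
    type master;
    file "example.edu.cn.zone";
    allow-transfer { any; };   // anyone can pull the whole zone
};
zone "internal.example.edu.cn" IN {
    type master;
    file "internal.zone";
};
"""

# Constructed corrected configuration: deny by default at the options level and
# allow only the secondary (by address and TSIG key) that has to replicate.
FIXED_CONF = """\
options {
    directory "/var/named";
    recursion no;
    allow-transfer { none; };
};
zone "example.edu.cn" IN {
    type master;
    file "example.edu.cn.zone";
    allow-transfer { 203.0.113.54; key "xfer-key"; };
};
zone "internal.example.edu.cn" IN {
    type master;
    file "internal.zone";
};
"""


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            return
        header = text[pos:start].strip().strip(";").strip()
        depth, end = 0, start
        while end < len(text):          # find the brace that closes this block
            if text[end] == "{":
                depth += 1
            elif text[end] == "}":
                depth -= 1
                if depth == 0:
                    break
            end += 1
        yield header, text[start + 1:end]
        pos = end + 1


def _allow_transfer(body):
    """ACL elements of allow-transfer { ... } in this block, or None if not set."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_transfers(conf_text):
    """Map each zone to 'open', 'default' or 'restricted' (a zone setting overrides options)."""
    text = _strip_comments(conf_text)
    global_acl, zone_acls = None, {}
    for header, body in _blocks(text):
        if header == "options":
            global_acl = _allow_transfer(body)
        elif header.startswith("zone"):
            name = re.search(r'zone\s+"([^"]+)"', header).group(1)
            zone_acls[name] = _allow_transfer(body)
    verdicts = {}
    for name, acl in zone_acls.items():
        effective = acl if acl is not None else global_acl
        if effective is None:
            verdicts[name] = "default"
        elif any(e.lower() == "any" for e in effective):
            verdicts[name] = "open"
        else:
            verdicts[name] = "restricted"
    return verdicts


def zones_needing_attention(conf_text):
    """Zones that are open or rely on the default; both should get an explicit ACL."""
    return sorted(z for z, v in audit_transfers(conf_text).items() if v != "restricted")


if __name__ == "__main__":
    print("weak config: ", audit_transfers(WEAK_CONF))
    print("fixed config:", audit_transfers(FIXED_CONF))
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A zone that merely inherits the server default is reported alongside the explicitly open one, because an ACL you did not write is an ACL you have not reviewed; the corrected configuration sets none at the options level so that every zone is closed unless it names its secondaries. After changing the configuration, rerun the dig or nmap check above against the server from an outside address to confirm the transfer is now refused.</p>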
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Finding the real IP</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If the target has bought a CDN service, we can ping the target's domain directly, but what we get is not the real target web server, only the CDN node closest to us. As a result we cannot directly obtain the target's real IP range.</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">CDN overview</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">CDN stands for Content Delivery Network. Its basic idea is to avoid, as far as possible, the bottlenecks and hops on the Internet that can affect the speed and stability of data transfer, so that content is delivered faster and more reliably. By placing node servers around the network, a CDN forms a layer of intelligent virtual network on top of the existing Internet; using real-time information such as network traffic, each node's connectivity and load, and the distance and response time to the user, it redirects the user's request to the service node closest to the user.</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">CDN providers at home and abroad</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Common domestic CDN providers</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Alibaba Cloud<br>
    Tencent Cloud<br>
    Baidu Cloud<br>
    网宿科技 (ChinaNet Center)<br>
    蓝汛 (ChinaCache)<br>
    Kingsoft Cloud<br>
    UCloud<br>
    NetEase Cloud<br>
    世纪互联 (21Vianet)<br>
    Qiniu Cloud<br>
    JD Cloud, and others</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Common overseas CDN providers</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Akamai<br>
    Limelight Networks (LLNW)<br>
    AWS Cloud (Amazon)<br>
    Google<br>
    Comcast</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Determining whether the target uses a CDN</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Because a CDN costs money, a small company is quite likely not to have one.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If a company does use a CDN, how do we find its real IP? Read on for several common techniques.</p>
    <h3 style="color: black; text-align: left; margin-bottom: 10px;">Ping the target's main domain</h3>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Usually we ping the target's main domain and look at how the name resolves to judge whether a CDN is in use.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Ping tests against JD, Alibaba and an electrical-appliance company show that JD and Alibaba both use their own CDNs, while the appliance company has no CDN service.</p>
    <pre>
C:\Users\Qftm&gt;ping www.jd.com
C:\Users\Qftm&gt;ping www.alibaba.com
C:\Users\Qftm&gt;ping www.dfle.com.cn
    </pre>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/327939f9e0ce42e89dc0c1f9c3b6b931~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=k9N4Mh6FqC%2FcI83JfXG1y2914ME%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Nslookup</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Resolution through different DNS servers</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Compare how different DNS servers resolve the name to judge whether a CDN is in use.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If the results from different DNS servers differ, a CDN is very likely.</p>
    <pre>
C:\Users\Qftm&gt;nslookup www.dfle.com.cn 8.8.8.8

C:\Users\Qftm&gt;nslookup www.dfle.com.cn 114.114.114.114
    </pre>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/58cd82741cab491a983f263f1b6929c9~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=R%2BeYk%2FcbkpEL2wYriNXITP6zN6A%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <pre>
λ Qftm &gt;&gt;&gt;: nslookup www.baidu.com 8.8.8.8
λ Qftm &gt;&gt;&gt;: nslookup www.baidu.com 114.114.114.114
    </pre>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/393758de6e744a12b772ad189de59217~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=yLfbErFO8LH0dXCR4hz7kSEfQ6U%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Default nslookup resolution</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If the answer contains several addresses, a CDN is very likely; conversely, a single address suggests there may be no CDN (this is not certain).</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/d098500f17194aa8a514b75254e82130~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=Y4fvMSiOo13Okrbi8MBnkAcq%2F2c%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Nationwide ping</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Run pings from servers in many regions across the country, then compare the IPs returned in each region and check whether they are consistent. If they are all the same, there is very likely no CDN. If the IPs mostly differ, or follow a strong pattern, look up the owners of those IPs to judge whether a CDN is involved.</p>
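    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The three checks above (answers from different resolvers, several addresses in one answer, pings from many regions) can be combined into a single decision rule, which a site owner can also run against their own name to see how the deployment looks from outside. Added example, not from the article: the observations below are constructed. The resolvers 8.8.8.8 and 114.114.114.114 are the ones used above; the regional ping nodes and every address are hypothetical. assess() returns the individual signals and a verdict, including the case the text describes where all addresses share one /24 and the range owner has to be looked up.</p>

```python
"""Combine the CDN signals from the checks above into one verdict.

Added example, not from the original article. Observations are constructed:
answers from the two resolvers used above (8.8.8.8, 114.114.114.114) plus ping
results from hypothetical regional nodes, with hypothetical addresses.
"""
import ipaddress

NO_CDN = "probably no CDN"
SAME_NET = "multiple addresses in one /24"
CDN = "likely CDN"

# Constructed observations: vantage point -> set of A records seen for the name.
SINGLE_ORIGIN = {
    "resolver 8.8.8.8": {"203.0.113.10"},
    "resolver 114.114.114.114": {"203.0.113.10"},
    "ping Beijing": {"203.0.113.10"},
    "ping Shanghai": {"203.0.113.10"},
    "ping Guangzhou": {"203.0.113.10"},
}
ROUND_ROBIN = {
    "resolver 8.8.8.8": {"203.0.113.10", "203.0.113.11"},
    "resolver 114.114.114.114": {"203.0.113.10", "203.0.113.11"},
    "ping Beijing": {"203.0.113.11"},
    "ping Shanghai": {"203.0.113.10"},
}
LIKELY_CDN = {
    "resolver 8.8.8.8": {"198.51.100.7", "198.51.100.8"},
    "resolver 114.114.114.114": {"192.0.2.21", "192.0.2.22", "192.0.2.23"},
    "ping Beijing": {"192.0.2.21"},
    "ping Shanghai": {"192.0.2.40"},
    "ping Guangzhou": {"198.51.100.99"},
}


def assess(observations):
    """Return the signals the checks above look at, plus a verdict."""
    all_ips = set().union(*observations.values())
    # The /24 ("C class") each address falls in; one network for everything
    # points at load balancing or a small deployment rather than a distributed CDN.
    nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in all_ips}
    same_everywhere = len({frozenset(ips) for ips in observations.values()}) == 1
    multiple_answers = any(len(ips) > 1 for ips in observations.values())
    if len(all_ips) == 1:
        verdict = NO_CDN          # one address from every vantage point
    elif len(nets) == 1:
        verdict = SAME_NET        # several addresses, but all in one /24: check the owner
    else:
        verdict = CDN             # addresses spread across several networks
    return {
        "distinct_ips": len(all_ips),
        "networks": sorted(str(n) for n in nets),
        "same_everywhere": same_everywhere,
        "multiple_answers": multiple_answers,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, obs in (("single origin", SINGLE_ORIGIN), ("round robin", ROUND_ROBIN), ("cdn", LIKELY_CDN)):
        print(label, "->", assess(obs))
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The verdict keeps the text's own caveat: a single address everywhere only makes a CDN unlikely, not impossible, and several addresses inside one /24 is where the ownership lookup the paragraph recommends decides the question.</p>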
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Online sites</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Ping check, Chinaz webmaster tools: http://ping.chinaz.com/<br>
    17CE: https://www.17ce.com/<br>
    ipip: https://tools.ipip.net/newping.php (domestic and overseas nodes)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Chinaz webmaster tools</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Test target: www.jd.com</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1a57c390bc9e4de4b2bb2470b9aa450d~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=%2Fi2kQ1agm2%2FEyzO7In%2FezwRuuw0%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">17CE</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Test target: www.baidu.com</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/f5c77a7650e04e6693d9f5f0c4cf760a~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=%2FXIWGbUgEsLkaxDBg5LIxbP%2BGUk%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">IPIP</strong></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/aa51923ecc6b445288c5ccbe17adae5f~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=nW6aex89sx6dFcfYCMGjc0YTBv8%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Tool lookup</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Tools here are only an aid; they have a certain false-positive rate and should be treated as a reference only.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Cdnplanet</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">cdnplanet: https://www.cdnplanet.com/tools/cdnfinder/ (lookups can be slow)</p>

    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/6d24bf749013499b8ebe482fbaa75cb2~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=iO9SPyoY91DEuRpvmb6Yeh118JU%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;">Bypassing the CDN to find the real IP</h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Once it is confirmed that the target really uses a CDN, the CDN has to be bypassed to find the target's real IP. Some routine methods follow.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Internal mail server</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Mail systems are usually hosted internally and are not resolved through the CDN. Using features of the target site such as mailbox registration, password recovery or RSS subscription, inspect the mail received and look in the mail headers for the mail server's domain name and IP; pinging that mail server's domain yields the target's real IP.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Note: it must be the target's own mail server; a third-party or public mail server is of no use.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p26-sign.toutiaoimg.com/pgc-image/dc597b673a65422b8607c9c1bdec974a~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=5zyfb2YpJFlxvry5W5YEBqhli24%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Requests from abroad</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A domestic CDN often does not cover overseas regions well, which can be used for probing. Accessing the site through an overseas proxy may show the real IP, or resolving the name through an overseas DNS server may return the real IP.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">International ping</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">International ping test sites</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">ipip: https://tools.ipip.net/newping.php<br>
    ASM: https://asm.ca.com/en/ping.php</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Test site: www.yeah.net</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/d22ae5d747534ddeac1fc8566892cfca~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=L7TGbao9Cxq1uOXnkQdChsKBVn4%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Overseas DNS resolution</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">List of DNS server addresses worldwide: http://www.ab173.com/dns/dns_world.php</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Test site: www.yeah.net</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Google's DNS server in Mountain View, California, USA: 8.8.4.4</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/e0c6849d4aaa4a838e4dca5f9e7ee4ad~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=GkyFjuJF4e4oyTOmE3GQuR5fCF0%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h3 style="color: black; text-align: left; margin-bottom: 10px;">Sub-site domains &amp; C-class (/24) lookup</h3>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Many sites' main domains receive heavy traffic, so the main site sits behind a CDN, but the sub-sites may not. By pinging second-level domains we can obtain the sub-sites' IPs; it may turn out that a sub-site and the main site have different IPs within the same C-class (/24) range, which reveals the target's real IP range.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Sub-site domains</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">See the <strong style="color: blue;">&lt;Collecting subdomain information&gt;</strong> section above for details.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/2e76e52473104409b0389a96d7dc73e7~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=wjCJ97s2EkzmYtl4vNZCXddABGQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">C-class lookup</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Online lookup</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p26-sign.toutiaoimg.com/pgc-image/cb90da0edb384d148b8df5e4b0af3866~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=jupIq4u7CgLnCstmmF074BlpwHY%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Tools</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">K8 C-class side-station tool 6.0, nmap, IISPutScanner, 小米范 WEB finder, and others</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">小米范 WEB finder: http://pan.baidu.com/s/1pLjaQKF</p>

    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/e528e3387aa7423fb76129506a186a30~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=5OINejUAd4ROoVBDMBDqYjK0sfA%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Network asset search engines</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Fofa, Shodan, ZoomEye</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Use these cyberspace asset search engines to find port information exposed to the Internet.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Use their query syntax to search for C-class (/24) information.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/b60060b148de4fbe9ddef7800881335e~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=jgPVHwGoe814syGGqRqU16Z0Uzs%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h3 style="color: black; text-align: left; margin-bottom: 10px;">Website vulnerabilities</h3>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Obtain the real IP through information-disclosure flaws on the site, such as a phpinfo leak, a GitHub leak or a command-execution vulnerability.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Leftover test files</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">phpinfo, test, and the like</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/fca37132f92d4ca887801bf152295ce0~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=FUEd8FfXhhXO%2B6vcAjpre9I8aIU%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">SSRF vulnerabilities</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The server itself initiates an outbound connection, which reveals its real IP address.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Look up historical DNS resolution records</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A site usually goes through a period between its initial deployment and its adoption of a CDN. If that period was long, the origin IP can be found through historical resolution records: check the history of IP-to-domain bindings for records from before the CDN was in use.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Online lookup sites</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">dnsdb: https://www.dnsdb.io<br>
    NETCRAFT: https://sitereport.netcraft.com/?url=<br>
    viewdns: https://viewdns.info<br>
    threatbook: https://x.threatbook.cn/<br>
    securitytrails: https://securitytrails.com/</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/cebf24dc96ca4f1a8f4d9dbad1fa9b49~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1724894838&amp;x-signature=JT%2F5JsQool43Uz2V8Vc6nEak8nE%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h3 style="color: black; text-align: left; margin-bottom: 10px;">The target site's mobile app</h3>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If the target site has its own app, try capturing the app's requests with Fiddler or Burp Suite and look for the target's real IP in them.</p>
    <h3 style="color: black; text-align: left; margin-bottom: 10px;">Cyberspace search engines</h3>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">shodan, FOFA, zoomeye</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Disclaimer: the author's intent is to share and popularise network knowledge. Readers who use it to commit any act harmful to network security bear the consequences themselves; neither 合天智汇 nor the original author is responsible.</p>



