1. Penetration Process
Refer to http://www.pentest-standard.org/index.php/Main_Page
The penetration testing execution standard consists of seven (7) main sections
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
2. Basic Tools
nc & ncat
netcat
tcpdump
- advanced filter
tcpdump -i eth0 -w http.pcap
2.3. Information Collection
Passive information collection: gather information about the target without being detected by it.
The information includes:
- ip address
- domain name
- email address (private or public email server)
- document and image data
- company address
- enterprise organization structure
- phone number
- staff’s name and position
- technical structure
- open enterprise information
uses of the collected information
- describe the target
- detection
- social engineering attack
- physical gap
detailed information collection
3.1 DNS
converts a domain name to an IP address
URL vs URI
URL
A typical URL could have the form http://www.example.com/index.html, which indicates a protocol (http), a hostname (www.example.com), and a file name (index.html).
A URL usually consists of the following five components:
- Protocol
- domain(subdomain, domain name)
- path (or pathname)
- hash
- query string.
Protocol is the technology that will be used to transfer the data, usually http or https
Domain is the domain name, tealium.com for example.
Path relates to the section and page on the site
Hash relates to a section within the page
Query string contains data that is being passed to the page
So if we look at a URL, you can see how it gets broken up:
top-level domain (TLD) google.co.uk
second-level domain (SLD) video.google.co.uk
URI
Every HTTP URL conforms to the syntax of a generic URI. The URI generic syntax consists of a hierarchical sequence of five components:
URI = scheme:[//authority]path[?query][#fragment]
where the authority component divides into three subcomponents:
authority = [userinfo@]host[:port]
Domain Name vs FQDN
A fully qualified domain name (FQDN), sometimes also referred to as an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS).
Example
A device with the hostname myhost in the parent domain example.com has the fully qualified domain name myhost.example.com. The FQDN uniquely distinguishes the device from any other hosts called myhost in other domains.
Example FQDN (the trailing dot stands for the root): hosting.ionos.ca.
[Host name].[Domain].[TLD].[Root]
www.sina.com vs sina.com: FQDN vs domain name
.com => top level domain
DNS Domain Records
Record Name | Description |
---|---|
A and AAAA | These are also called Address Records or sometimes Host Records. A record only resolves to IP addresses. These records point your domain to the IP address of your website or hosting. Let’s say that you own the domain name name.com which is hosted with us and the IP address of your hosting server is 127.0.0.1. Usually you would have two DNS records to point your domain to the hosting that look like this: name.com 127.0.0.1 and *.name.com 127.0.0.1. AAAA Records operate in the exact same way as A records, except they point to an IPv6 address, which look similar to FE80::0202:B3FF:FE1E:8329. |
CAA | A CAA record is a special type of DNS record (think TXT or CERT) that allows domain owners to authorize specific third party vendors to issue SSL certificates on behalf of their domains. This requires CAs to check for the presence of a CAA record and, if one is found, verify that they are authorized prior to issuing certificates for this domain. If a CAA record is not present, the CA can issue a certificate for the domain. |
CERT | CERT resource records are used for storing certificates in DNS. Part of encrypting sensitive content involves verifying the authenticity of the sending and receiving parties. CERT records store and provide that information. |
CNAME | CNAME stands for Canonical Name Record. CNAME records only resolve to domains and subdomains. A CNAME record points one of your subdomains to a different domain name. A CNAME cannot be set up on your bare domain! You could set up a CNAME record on www.name.com but not on simply name.com. One thing that CNAME records are commonly used for is to direct a part of your site to a site you have set up elsewhere, such as an eCommerce shop or something similar. |
NS | NS records are usually set with your registrar, and are used to delegate a domain or subdomain to a set of name servers. Name servers, such as NS1, hold all the other DNS records for your domain and tell all the other computers connected to the internet what records your domain holds. Setting the NS record is therefore a very important part of getting your domains and servers online. |
MX | MX stands for Mail Exchange. An MX record resolves to a hostname (text), not to an IP address. These records are used to direct emails sent to your domain name to the correct server to then send it to your specific email address. Your email provider will provide you with the necessary MX records for your email. If you have email with Name.com, you can use our DNS Templates to automatically add the right records. Keep in mind that you can only have one set of MX records on your domain. All of your mail needs to be directed to the same place, and will then get sorted from there. This means that you cannot have two separate email providers on one domain. It also means that any email forwarding you set up has to be set up with your email provider, and not on the domain itself. |
PTR | PTR, or Pointer records are usually described as the opposite of an A record. While A records point the domain to an IP address, a PTR record points an IP to a domain. This is commonly used as spam verification with certain email programs to confirm a mailserver is really authorized to use the domain the email is coming from. PTR records usually have to be defined by the owner of the IP address for your server, usually your server hosts. Many hosting companies will set this up for you when you set up a server. |
TXT | TXT just stands for Text. These records do not change anything on your domain, but they can be searched for your domain. These records are commonly used by services such as Google, which will ask you to add a string of characters to a TXT record, so that they can search for the record and verify that you are the domain’s owner/have access to the domain’s DNS records. |
SPF | SPF records are used for email verification, to prevent your domain name from being used by spammers or malicious users. Simply creating an SPF record on your main domain with the content: v=spf1 ip4:11.11.11.11 a -all (replacing 11.11.11.11 with your mailserver’s IP address) will tell email receivers that your mailserver is the only server allowed to send emails from your domain, and all emails received from another server are to be rejected or marked as spam. If you have multiple mailservers, you can add another ip4:x.x.x.x after the previous one to allow another IP address. |
root@kali:~# dig +noall +answer google.com NS
google.com. 5 IN NS ns3.google.com.
google.com. 5 IN NS ns2.google.com.
google.com. 5 IN NS ns1.google.com.
google.com. 5 IN NS ns4.google.com.
root@kali:~# dig +noall +answer google.com MX
google.com. 5 IN MX 40 alt3.aspmx.l.google.com.
google.com. 5 IN MX 20 alt1.aspmx.l.google.com.
google.com. 5 IN MX 30 alt2.aspmx.l.google.com.
google.com. 5 IN MX 10 aspmx.l.google.com.
google.com. 5 IN MX 50 alt4.aspmx.l.google.com.
root@kali:~# dig +noall +answer google.com PTR
root@kali:~# dig +noall +answer google.com A
google.com. 5 IN A 172.217.169.78
root@kali:~# dig +noall +answer google.com TXT
google.com. 5 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 5 IN TXT "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
google.com. 5 IN TXT "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
google.com. 5 IN TXT "docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
google.com. 5 IN TXT "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
root@kali:~# dig +noall +answer google.com CAA
google.com. 5 IN CAA 0 issue "pki.goog"
root@kali:~# dig +noall +answer google.com AAAA
google.com. 5 IN AAAA 2a00:1450:4009:819::200e
root@kali:~# dig +noall +answer google.com CERT
root@kali:~# dig +noall +answer google.com CNAME
root@kali:~# dig +noall +answer google.com any
google.com. 148 IN TXT "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
google.com. 148 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 148 IN TXT "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
google.com. 148 IN TXT "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
google.com. 148 IN TXT "docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
google.com. 65 IN AAAA 2a00:1450:4009:819::200e
google.com. 289323 IN NS ns3.google.com.
google.com. 289323 IN NS ns1.google.com.
google.com. 289323 IN NS ns2.google.com.
google.com. 289323 IN NS ns4.google.com.
google.com. 17 IN SOA ns1.google.com. dns-admin.google.com. 287168862 900 900 1800 60
google.com. 135 IN A 172.217.169.78
google.com. 86257 IN CAA 0 issue "pki.goog"
google.com. 306 IN MX 20 alt1.aspmx.l.google.com.
google.com. 306 IN MX 30 alt2.aspmx.l.google.com.
google.com. 306 IN MX 10 aspmx.l.google.com.
google.com. 306 IN MX 50 alt4.aspmx.l.google.com.
google.com. 306 IN MX 40 alt3.aspmx.l.google.com.
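Added example (not code from the original notes): a parser for `dig +noall +answer` lines like the ones above, an MX ordering by preference, and an SPF evaluator for the record shape shown in the SPF row of the table (`v=spf1 ip4:... a -all`, plus `include:`). `DIG_ANSWER` is constructed sample output using documentation names (example.net, example.org) and addresses; no network lookups are made, the parsed lines stand in for the zone. Only the ip4, ip6, a, include and all mechanisms are handled; mx, ptr, exists and redirect= yield "permerror" here.

```python
import ipaddress
import re

# Constructed answer lines in the shape `dig +noall +answer` prints.
DIG_ANSWER = """\
example.net. 300 IN A 192.0.2.10
example.net. 300 IN MX 20 alt1.mail.example.net.
example.net. 300 IN MX 10 mail.example.net.
example.net. 300 IN TXT "docusign=00000000-0000-0000-0000-000000000000"
example.net. 300 IN TXT "v=spf1 ip4:11.11.11.11 a -all"
mail.example.org. 300 IN TXT "v=spf1 include:example.net ~all"
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dig_answers(text):
    """Parse `owner TTL class type rdata` lines into a dict keyed by (owner, type).
    Owners are lower-cased without the trailing dot; TXT strings are unquoted and
    concatenated, since a long TXT record is printed as several quoted strings."""
    zone = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype == "TXT":
            rdata = "".join(re.findall(r'"([^"]*)"', rdata))
        zone.setdefault((owner.lower().rstrip("."), rtype), []).append(rdata)
    return zone


ZONE = parse_dig_answers(DIG_ANSWER)


def mx_by_preference(zone, domain):
    """MX hosts in the order a sender tries them (lowest preference first)."""
    entries = (r.split() for r in zone.get((domain, "MX"), []))
    return [host.rstrip(".") for _, host in sorted((int(p), h) for p, h in entries)]


def spf_record(zone, domain):
    """The domain's SPF TXT record, or None (a domain should publish at most one)."""
    spf = [t for t in zone.get((domain, "TXT"), []) if t.lower().startswith("v=spf1")]
    return spf[0] if spf else None


def evaluate_spf(domain, sender_ip, zone, depth=0):
    """Check one sender IP against the domain's SPF policy (subset of RFC 7208)."""
    if depth > 10:
        return "permerror"          # include: chains are capped, like the RFC's lookup limit
    spf = spf_record(zone, domain)
    if spf is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in spf.split()[1:]:    # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # `in` is False when the address family differs, so ip4: never matches an IPv6 sender
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            target = arg or domain  # bare `a` means the domain's own A/AAAA records
            addrs = zone.get((target, "A"), []) + zone.get((target, "AAAA"), [])
            matched = any(ipaddress.ip_address(a) == ip for a in addrs)
        elif mech == "include":
            matched = evaluate_spf(arg, sender_ip, zone, depth + 1) == "pass"
        else:
            return "permerror"      # mx, ptr, exists and redirect= are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # nothing matched and no `all` term


if __name__ == "__main__":
    print(mx_by_preference(ZONE, "example.net"))
    for ip in ("11.11.11.11", "192.0.2.10", "198.51.100.5"):
        print(ip, evaluate_spf("example.net", ip, ZONE))
```

The first matching mechanism decides, which is why `-all` at the end turns every unlisted sender into "fail" while `~all` (the google.com record above) only produces "softfail"; receivers treat the two differently.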
How does DNS work?
DNS Hierarchy
DNS Lookup
The 8 steps in a DNS lookup:
- A user types ‘example.com’ into a web browser and the query travels into the Internet and is received by a DNS recursive resolver.
- The resolver then queries a DNS root nameserver (.).
- The root server then responds to the resolver with the address of a Top Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD.
- The resolver then makes a request to the .com TLD.
- The TLD server then responds with the IP address of the domain’s nameserver, example.com.
- Lastly, the recursive resolver sends a query to the domain’s nameserver.
- The IP address for example.com is then returned to the resolver from the nameserver.
- The DNS resolver then responds to the web browser with the IP address of the domain requested initially.
Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser is able to make the request for the web page:
- The browser makes a HTTP request to the IP address.
- The server at that IP returns the webpage to be rendered in the browser (step 10).
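Added example (not part of the original notes): a small iterative resolver over constructed zone data that walks the steps above: start at the root, follow NS referrals down to the authoritative zone, and follow CNAME chains like the www.sina.com one shown later in these notes. `ZONES` is constructed (server names, the 192.0.2.x addresses and the delegation layout are assumptions, not real DNS data); names carry the trailing root dot. Unlike the textbook 8 steps, the resolver remembers delegations it has already seen and restarts from the closest known zone, which is what real resolvers do.

```python
# Constructed zone data: each zone holds the records it is authoritative for plus the
# NS records that delegate its child zones. Addresses are documentation-range placeholders.
ZONES = {
    ".": {
        ("com.", "NS"): ["a.gtld-servers.net."],
        ("cn.", "NS"): ["a.dns.cn."],
    },
    "com.": {
        ("example.com.", "NS"): ["ns1.example.com."],
        ("sina.com.", "NS"): ["ns1.sina.com.cn.", "ns3.sina.com.cn."],
        ("alikunlun.com.", "NS"): ["ns1.alikunlun.com."],
    },
    "cn.": {("sina.com.cn.", "NS"): ["ns1.sina.com.cn."]},
    "example.com.": {("example.com.", "A"): ["192.0.2.10"]},
    "sina.com.": {
        ("www.sina.com.", "CNAME"): ["us.sina.com.cn."],
        ("wwwus.sina.com.", "CNAME"): ["ww1.sinaimg.cn.w.alikunlun.com."],
    },
    "sina.com.cn.": {("us.sina.com.cn.", "CNAME"): ["wwwus.sina.com."]},
    "alikunlun.com.": {("ww1.sinaimg.cn.w.alikunlun.com.", "A"): ["192.0.2.44"]},
}


def is_parent(zone, name):
    """True if `name` lies inside `zone` (the root contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def closest_known_zone(name, known):
    """A resolver only goes to the root when it has no closer delegation cached
    (RFC 1034's 'closest known name server')."""
    return max((z for z in known if is_parent(z, name)), key=len)


def resolve(name, rtype, zones=ZONES, max_cnames=8):
    """Iteratively resolve `name`/`rtype`. Returns (answers, trace); the trace lists
    every referral and answer, in the spirit of `dig +trace`."""
    known = {"."}
    trace = []
    for _ in range(max_cnames):
        zone = closest_known_zone(name, known)
        while True:
            data = zones[zone]
            if (name, rtype) in data:                       # authoritative answer
                answers = data[(name, rtype)]
                trace.append(f"answer from {zone}: {name} {rtype} {answers}")
                return answers, trace
            if (name, "CNAME") in data:                     # alias: restart for the target
                target = data[(name, "CNAME")][0]
                trace.append(f"answer from {zone}: {name} CNAME {target}")
                name = target
                break
            children = [o for (o, t) in data if t == "NS" and o != zone and is_parent(o, name)]
            if not children:                                # no delegation and no record
                trace.append(f"{zone} has no data for {name}")
                return [], trace
            child = max(children, key=len)                  # most specific delegation
            known.add(child)
            trace.append(f"referral from {zone} to {child} via {data[(child, 'NS')]}")
            zone = child
    trace.append("CNAME chain too long")
    return [], trace


if __name__ == "__main__":
    for step in resolve("www.sina.com.", "A")[1]:
        print(step)
```

Running it for `example.com.` produces exactly the root -> .com -> example.com walk of the 8 steps; running it for `www.sina.com.` shows three CNAME hops and five referrals, with the `.com` delegation fetched only once because it is already known by the time the later aliases are chased.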
Collect DNS Information
nslookup
> www.sina.com
Server: 192.168.42.2
Address: 192.168.42.2#53
Non-authoritative answer:
www.sina.com canonical name = us.sina.com.cn.
us.sina.com.cn canonical name = wwwus.sina.com.
wwwus.sina.com canonical name = ww1.sinaimg.cn.w.alikunlun.com.
Name: ww1.sinaimg.cn.w.alikunlun.com
Address: 47.246.47.230
Name: ww1.sinaimg.cn.w.alikunlun.com
Address: 47.246.47.224
Name: ww1.sinaimg.cn.w.alikunlun.com
Address: 47.246.47.226
Name: ww1.sinaimg.cn.w.alikunlun.com
Address: 47.246.47.227
Name: ww1.sinaimg.cn.w.alikunlun.com
Address: 47.246.47.231
Name: ww1.sinaimg.cn.w.alikunlun.com
Address: 47.246.47.228
Name: ww1.sinaimg.cn.w.alikunlun.com
Address: 47.246.47.225
Name: ww1.sinaimg.cn.w.alikunlun.com
Address: 47.246.47.229
> set type=ns
> sina.com
Server: 192.168.42.2
Address: 192.168.42.2#53
Non-authoritative answer:
sina.com nameserver = ns3.sina.com.
sina.com nameserver = ns3.sina.com.cn.
sina.com nameserver = ns1.sina.com.
sina.com nameserver = ns4.sina.com.cn.
sina.com nameserver = ns2.sina.com.
sina.com nameserver = ns1.sina.com.cn.
sina.com nameserver = ns4.sina.com.
sina.com nameserver = ns2.sina.com.cn.
Authoritative answers can be found from:
ns4.sina.com.cn internet address = 121.14.1.22
ns1.sina.com.cn internet address = 36.51.252.8
ns2.sina.com.cn internet address = 180.149.138.199
ns3.sina.com.cn internet address = 123.125.29.99
set type=a/ns/ptr/any
set q=a/ns/ptr/any
server 8.8.8.8 // set the DNS server that nslookup queries
Intelligent DNS servers: the IP returned differs between DNS servers because the servers are in different regions.
if you are in Beijing, the IP is possibly 1.1.1.1
if you are in Tokyo, the IP is possibly 1.1.1.2
one command:
nslookup -q=ns sina.com 8.8.4.4
dig
root@kali:~# dig 163.com mx
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> 163.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35521
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 512
;; QUESTION SECTION:
;163.com. IN MX
;; ANSWER SECTION:
163.com. 5 IN MX 50 163mx00.mxmail.netease.com.
163.com. 5 IN MX 10 163mx03.mxmail.netease.com.
163.com. 5 IN MX 10 163mx01.mxmail.netease.com.
163.com. 5 IN MX 10 163mx02.mxmail.netease.com.
;; Query time: 22 msec
;; SERVER: 192.168.42.2#53(192.168.42.2)
;; WHEN: Fri Dec 27 21:19:42 GMT 2019
;; MSG SIZE rcvd: 147
## filter
root@kali:~# dig +noall +answer mail.163.com any
mail.163.com. 316 IN CNAME ntes53.mail.163.com.
## query the name server's BIND version (TXT record version.bind in the CHAOS class)
root@kali:~# dig +noall +answer txt chaos VERSION.BIND @ns2.sina.com
dig +trace
root@kali:~# dig +noall +answer +trace www.sina.com
. 5 IN NS f.root-servers.net.
. 5 IN NS g.root-servers.net.
. 5 IN NS h.root-servers.net.
. 5 IN NS i.root-servers.net.
. 5 IN NS a.root-servers.net.
. 5 IN NS j.root-servers.net.
. 5 IN NS k.root-servers.net.
. 5 IN NS l.root-servers.net.
. 5 IN NS m.root-servers.net.
. 5 IN NS b.root-servers.net.
. 5 IN NS c.root-servers.net.
. 5 IN NS d.root-servers.net.
. 5 IN NS e.root-servers.net.
;; Received 508 bytes from 192.168.42.2#53(192.168.42.2) in 64 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20200109210000 20191227200000 22545 . abwGQ2NBDaO/Nwjkavto5ozw2s35kV/7sTv7v0SXmfRYcmQJzoNCNffJ vE5d1P/OccJkWeRUX8qdwzuUysXn21iJrjb3EY68PvS7UIsXUzotLMJP LbQF/p5KhM2yfAATak6AqYKH1Mf5S3hiIo23T4dhEldd5gxF8oDG9o7A WKdADQZwXKgo81D5lMMO7pJVua0kdq9Cxzu0etkugstyIsBNUJjf0KFS IH8f6EtEorxiYV3eb6g3ItshCNs6NEdqs1ZkV/iy5j/8PTCd/53Mb/AJ iHgdfAIyrBo2goE+TYQmiAJ90Nk1DIpo8BfrGO1RWRsfJbDO4f5k41i+ x7k0IQ==
;; Received 1172 bytes from 193.0.14.129#53(k.root-servers.net) in 48 ms
sina.com. 172800 IN NS ns1.sina.com.cn.
sina.com. 172800 IN NS ns2.sina.com.cn.
sina.com. 172800 IN NS ns3.sina.com.cn.
sina.com. 172800 IN NS ns1.sina.com.
sina.com. 172800 IN NS ns2.sina.com.
sina.com. 172800 IN NS ns4.sina.com.
sina.com. 172800 IN NS ns3.sina.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200102054825 20191226043825 12163 com. J8V3FpilA7JdIt7GBym3CCORYjgGlHAazZlLNBiJ0bFa92n4PrX0hPYo oUHtAA4lEaw9eSJjOIVXhnKq9AR7EgQFfMxcT8OvbBVJ4eErF1vBjd1B x4EkZM2IHIVPPv8XlziufAhiSVMnYHcZnuO8BpDaXrasvlW3U9vv/VQU dCs79XwjQR/XkFvJKvldj2EZd3FXLlRDdnwESxhlpLZmIg==
TGAG8VMC6NS5VVK68CIGRJ6Q414N2KB2.com. 86400 IN NSEC3 1 1 0 - TGAH0AN60S9QV48SKDRISMO7ABOHP6BO NS DS RRSIG
TGAG8VMC6NS5VVK68CIGRJ6Q414N2KB2.com. 86400 IN RRSIG NSEC3 8 2 86400 20200103121814 20191227110814 12163 com. h8KaSny+ZmpJ1Lh09PLueCySV6PmxyGprXSMDxx6U3Mi4J9J4b8lGPqu mGRId1+tyYmkr6SCvZ0r2evlznGw08/996IK0KpNu04qtd31Ro2LPsXb xTEU4UJ286MWl9OEwjjDOuuTrduJr1o3d9xPbpVrxoNc9qmBpk+IYsvM ipek0e3lkoTWAROkGKQwkqIoaQeJjxiKABDc23rbI9uYdQ==
;; Received 791 bytes from 192.48.79.30#53(j.gtld-servers.net) in 34 ms
www.sina.com. 60 IN CNAME us.sina.com.cn.
us.sina.com.cn. 60 IN CNAME wwwus.sina.com.
wwwus.sina.com. 60 IN CNAME ww1.sinaimg.cn.w.alikunlun.com.
;; Received 130 bytes from 123.125.29.99#53(ns3.sina.com.cn) in 241 ms
dig axfr: full zone transfer (dig @server domain axfr)
root@kali:~# dig @ns4.sina.com axfr
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> @ns4.sina.com axfr
; (1 server found)
;; global options: +cmd
;; Query time: 243 msec
;; SERVER: 123.125.29.99#53(123.125.29.99)
;; WHEN: Fri Dec 27 23:38:44 GMT 2019
;; MSG SIZE rcvd: 28
host
- -l lists all hosts in a domain, using AXFR
- -T enables TCP/IP mode
root@kali:~# host -T -l sina.com
Host sina.com not found: 4(NOTIMP)
; Transfer failed.
host dictionary brute force (subdomain wordlists)
root@kali:~# dpkg -L dnsrecon
/.
/usr
/usr/bin
/usr/bin/dnsrecon
/usr/share
/usr/share/dnsrecon
/usr/share/dnsrecon/dnsrecon.py
/usr/share/dnsrecon/lib
/usr/share/dnsrecon/lib/__init__.py
/usr/share/dnsrecon/lib/bingenum.py
/usr/share/dnsrecon/lib/crtenum.py
/usr/share/dnsrecon/lib/dnshelper.py
/usr/share/dnsrecon/lib/gooenum.py
/usr/share/dnsrecon/lib/mdnsenum.py
/usr/share/dnsrecon/lib/msf_print.py
/usr/share/dnsrecon/lib/whois.py
/usr/share/dnsrecon/msf_plugin
/usr/share/dnsrecon/msf_plugin/dnsr_import.rb
/usr/share/dnsrecon/namelist.txt
/usr/share/dnsrecon/tools
/usr/share/dnsrecon/tools/parser.py
/usr/share/doc
/usr/share/doc/dnsrecon
/usr/share/doc/dnsrecon/README.md
/usr/share/doc/dnsrecon/changelog.Debian.gz
/usr/share/doc/dnsrecon/changelog.gz
/usr/share/doc/dnsrecon/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/dnsrecon.1.gz
/usr/share/python
/usr/share/python/runtime.d
/usr/share/python/runtime.d/dnsrecon.rtupdate
root@kali:~# find / -name dns.txt
/usr/share/dnsenum/dns.txt
fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist /usr/share/fierce/hosts.txt
dnsdict6 -d4 -t 16 -x sina.com
dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 sina.com -o sina.xml
dnsmap sina.com -w dns.txt
dnsrecon -d sina.com --lifetime 10 -t brt -D dnsbig.txt
dnsrecon -t std -d sina.com
root@kali:~# dnsrecon -d sina.com -t brt -D /usr/share/dnsrecon/namelist.txt
[*] Performing host and subdomain brute force against sina.com
[*] CNAME ads.sina.com ww1.sinaimg.cn.w.alikunlun.com
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.228
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.229
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.230
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.231
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.224
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.225
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.226
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.227
[*] A apple.sina.com 71.5.7.45
[*] CNAME auto.sina.com ww1.sinaimg.cn.w.alikunlun.com
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.225
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.226
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.227
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.228
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.229
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.230
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.231
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.224
[*] CNAME auth.sina.com thad-test.sina.com
[*] A thad-test.sina.com 71.5.7.247
[*] A bbs.sina.com 66.102.251.33
^C[-] You have pressed Ctrl-C. Saving found records.
[*] CNAME blog.sina.com blog.sina.com.cn
[*] Waiting for 9 remaining threads to finish.
[*] CNAME blog.sina.com.cn blogx.sina.com.cn
[*] A blogx.sina.com.cn 49.7.37.126
[+] 25 Records Found
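Added example (not part of the original notes): the brute-force output above repeats the same CDN addresses for every CNAME it follows, so the useful result is each discovered host mapped to its final IPs and, the other way round, each IP to the hosts that share it. `DNSRECON_OUTPUT` is a shortened copy of the run shown above; the parser only reads the `[*] A/AAAA/CNAME name value` lines and follows CNAME chains (with a loop guard).

```python
import re
from collections import defaultdict

# Lines taken from the dnsrecon run above (shortened); progress messages are left in
# on purpose so the parser has to skip them.
DNSRECON_OUTPUT = """\
[*] Performing host and subdomain brute force against sina.com
[*] CNAME ads.sina.com ww1.sinaimg.cn.w.alikunlun.com
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.228
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.224
[*] A apple.sina.com 71.5.7.45
[*] CNAME auto.sina.com ww1.sinaimg.cn.w.alikunlun.com
[*] A ww1.sinaimg.cn.w.alikunlun.com 47.246.47.228
[*] CNAME auth.sina.com thad-test.sina.com
[*] A thad-test.sina.com 71.5.7.247
[*] A bbs.sina.com 66.102.251.33
^C[-] You have pressed Ctrl-C. Saving found records.
[*] CNAME blog.sina.com blog.sina.com.cn
[*] Waiting for 9 remaining threads to finish.
[*] CNAME blog.sina.com.cn blogx.sina.com.cn
[*] A blogx.sina.com.cn 49.7.37.126
[+] 25 Records Found
"""

RECORD = re.compile(r"^\[\*\]\s+(A|AAAA|CNAME)\s+(\S+)\s+(\S+)\s*$")


def parse_records(text):
    """Collect A/AAAA addresses per name and CNAME pointers; everything else is noise."""
    addresses, cnames = defaultdict(set), {}
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, name, value = m.groups()
        name, value = name.lower().rstrip("."), value.lower().rstrip(".")
        if rtype == "CNAME":
            cnames[name] = value
        else:
            addresses[name].add(value)
    return addresses, cnames


def final_addresses(name, addresses, cnames):
    """Follow the CNAME chain from `name` to the addresses it ends at (loop-safe)."""
    seen = set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return sorted(addresses.get(name, ()))


def summarize(text):
    """Return (host -> final IPs, IP -> hosts). Many hosts on one IP usually means a
    shared front end or CDN rather than separate servers."""
    addresses, cnames = parse_records(text)
    hosts = {h: final_addresses(h, addresses, cnames) for h in set(addresses) | set(cnames)}
    shared = defaultdict(set)
    for host, ips in hosts.items():
        for ip in ips:
            shared[ip].add(host)
    return hosts, {ip: sorted(h) for ip, h in shared.items()}


if __name__ == "__main__":
    hosts, shared = summarize(DNSRECON_OUTPUT)
    for host in sorted(hosts):
        print(host, hosts[host])
    for ip in sorted(shared):
        print(ip, shared[ip])
```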
collect domain registration information using whois
whois
root@kali:~# whois wooyun.org
Domain Name: WOOYUN.ORG
Registry Domain ID: D159099935-LROR
Registrar WHOIS Server: whois.pir.org
Registrar URL: http://whois.pir.org/
Updated Date: 2019-12-13T09:14:59Z
Creation Date: 2010-05-06T08:50:48Z
Registry Expiry Date: 2025-05-06T08:50:48Z
Registrar Registration Expiration Date:
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
Registrar IANA ID: 420
Registrar Abuse Contact Email: DomainAbuse@service.aliyun.com
Registrar Abuse Contact Phone: +86.95187
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Fang Xiao Dun
Registrant State/Province: Beijing
Registrant Country: CN
Name Server: NS1.DNSV2.COM
Name Server: NS2.DNSV2.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)
>>> Last update of WHOIS database: 2019-12-28T00:05:40Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.
the domain is registered through a registrar (provider)
Search Engine
- google (https://www.google.com)
shodan
- country: filters results by two letter country code
- hostname: filters results by specified text in the hostname or domain
- net: filter results by a specific IP range or subnet
- os: search for specific operating systems
- port: narrow the search for specific services
banners that include the Last-modified line do not require any authentication (at least not initially)
The “default password” search locates servers that have those words in the banner
search examples
200 OK Apache os:"windows" port:80 country:CN city:beijing
cisco last-modified www-authenticate
cisco net:"216.219.143.0/24"
Apache city:"San Francisco" port:"8080" product:"Apache Tomcat/Coyote JSP engine"
google search examples (refer to https://www.exploit-db.com/google-hacking-database)
- inurl:"level/15/exec/-/show"
- intitle:"netbotz appliance" "ok"
- inurl:/admin/login.php
- inurl:qq.txt
- filetype:xls "username | password"
- inurl:ftp "password" filetype:xls site:baidu.com
- Service.pwd
theHarvester
Download
git clone https://github.com/laramies/theHarvester.git
root@kali:~/Downloads/theHarvester# ./theHarvester.py -d apple.com -b google -l 200
*******************************************************************
* _ _ _ *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| _ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* theHarvester 3.1.1dev3 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
* *
*******************************************************************
[*] Target: apple.com
[*] Searching Google.
Searching 0 results.
Searching 100 results.
Searching 200 results.
[*] No IPs found.
[*] No emails found.
[*] Hosts found: 3
---------------------
itunes.apple.com:104.127.28.49
support.apple.com:104.127.43.217
www.apple.com:23.63.86.162
ProxyChains
- redirect connections through proxy servers
proxychains ./theHarvester.py -d apple.com -b google -l 200
metagoofil
metagoofil -d microsoft.com -t pdf -l 200 -o test -f 1.html
root@kali:~# metagoofil -d microsoft.com -t pdf -l 200
[+] Adding -w for you
[*] Downloaded files will be saved here: /root
[*] Searching for 200 .pdf files and waiting 30.0 seconds between searches
[+] Downloading file - [1184410 bytes] https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE36wcE
[+] Downloading file - [1640606 bytes] https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IVVh
[+] Downloading file - [1602516 bytes] http://nds1.webapps.microsoft.com/phones/files/guides/Nokia_6500_classic_UG_en.pdf
[+] Downloading file - [1211189 bytes] http://nds1.webapps.microsoft.com/phones/files/guides/Nokia_6060_UG_ro.pdf
[+] Downloading file - [2374403 bytes] http://nds1.webapps.microsoft.com/phones/files/guides/Nokia_N72-5_UG_sv.pdf
[+] Downloading file - [4819020 bytes] https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IO4V
[+] Downloading file - [1071276 bytes] http://nds1.webapps.microsoft.com/phones/files/guides/Nokia_6070_UG_es.pdf
[+] Downloading file - [254781 bytes] http://nds1.webapps.microsoft.com/phones/files/guides/Nokia_1662_UG_es.pdf
[+] Downloading file - [11486417 bytes] http://research.microsoft.com/~hoppe/apptexsyn.pdf
[+] Downloading file - [2485320 bytes] http://research.microsoft.com/~hoppe/pm.pdf
[+] Downloading file - [5803049 bytes] http://research.microsoft.com/~hoppe/edgetrav.pdf
KeyboardInterrupt
Maltego
Archive
search historical snapshots of websites at www.archive.org/web/web.php
Common User Passwords Profiler (CUPP)
generates password wordlists from a person's personal information
- https://github.com/Mebus/cupp
git clone https://github.com/Mebus/cupp.git
python cupp.py -i
exif or Foca
search the EXIF information of images
RECON-NG
Python-based, full-featured web reconnaissance framework; it can collect DNS records, email addresses, hosts, …
similar to msf (Metasploit) in terms of command style
main concepts:
- module
- database
- report
[recon-ng][sina] > marketplace search google
[recon-ng][sina] > marketplace install google_site_web
[recon-ng][sina][google_site_web] > modules load google_site_web
[recon-ng][sina][google_site_web] > options list

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  sina.com       yes       source of input (see 'show info' for details)

[recon-ng][sina][google_site_web] > options set SOURCE sina.com
[recon-ng][sina][google_site_web] > run
[recon-ng][sina] > show hosts

  +-------+---------------------------+------------+--------+---------+----------+-----------+-----------------+
  | rowid | host                      | ip_address | region | country | latitude | longitude | module          |
  +-------+---------------------------+------------+--------+---------+----------+-----------+-----------------+
  | 1     | blog.sina.com             |            |        |         |          |           | google_site_web |
  | 2     | exmail.sina.com           |            |        |         |          |           | google_site_web |
  | 3     | fj.sina.com               |            |        |         |          |           | google_site_web |
  | 4     | www.sina.com              |            |        |         |          |           | google_site_web |
  | 5     | ent.sina.com              |            |        |         |          |           | google_site_web |
  | 6     | auto.sina.com             |            |        |         |          |           | google_site_web |
  | 7     | ir.sina.com               |            |        |         |          |           | google_site_web |
  | 8     | english.sina.com          |            |        |         |          |           | google_site_web |
  | 9     | mail.sina.com             |            |        |         |          |           | google_site_web |
  | 10    | yuqing.sina.com           |            |        |         |          |           | google_site_web |
  | 11    | news.sina.com             |            |        |         |          |           | google_site_web |
  | 12    | m.us.sina.com             |            |        |         |          |           | google_site_web |
  | 13    | home.sina.com             |            |        |         |          |           | google_site_web |
  | 14    | mall.sina.com             |            |        |         |          |           | google_site_web |
  | 15    | sh.sina.com               |            |        |         |          |           | google_site_web |
  | 16    | weibo.sina.com            |            |        |         |          |           | google_site_web |
  | 17    | hb.sina.com               |            |        |         |          |           | google_site_web |
  | 18    | travel.sina.com           |            |        |         |          |           | google_site_web |
  | 19    | match.sina.com            |            |        |         |          |           | google_site_web |
  | 20    | 3g.sina.com               |            |        |         |          |           | google_site_web |
  | 21    | t.sina.com                |            |        |         |          |           | google_site_web |
  | 22    | ipop.sina.com             |            |        |         |          |           | google_site_web |
  | 23    | wyq.sina.com              |            |        |         |          |           | google_site_web |
  | 24    | deals.sina.com            |            |        |         |          |           | google_site_web |
  | 25    | echineselearning.sina.com |            |        |         |          |           | google_site_web |
  | 26    | med.sina.com              |            |        |         |          |           | google_site_web |
  | 27    | dailynews.sina.com        |            |        |         |          |           | google_site_web |
  | 28    | caitong.sina.com          |            |        |         |          |           | google_site_web |
  | 29    | finance.sina.com          |            |        |         |          |           | google_site_web |
  | 30    | chinanews.sina.com        |            |        |         |          |           | google_site_web |
  | 31    | eva.sina.com              |            |        |         |          |           | google_site_web |
  | 32    | henan.sina.com            |            |        |         |          |           | google_site_web |
  | 33    | magazine.sina.com         |            |        |         |          |           | google_site_web |
  | 34    | wanwan.sina.com           |            |        |         |          |           | google_site_web |
  | 35    | zt.sina.com               |            |        |         |          |           | google_site_web |
  | 36    | mil.firefox.sina.com      |            |        |         |          |           | google_site_web |
  | 37    | yn.house.sina.com         |            |        |         |          |           | google_site_web |
  | 38    | t.us.sina.com             |            |        |         |          |           | google_site_web |
  | 39    | vip.sina.com              |            |        |         |          |           | google_site_web |
  | 40    | house.sina.com            |            |        |         |          |           | google_site_web |
  | 41    | mt.sina.com               |            |        |         |          |           | google_site_web |
  | 42    | mediakit.sina.com         |            |        |         |          |           | google_site_web |
  | 43    | books.sina.com            |            |        |         |          |           | google_site_web |
  | 44    | redirect.sina.com         |            |        |         |          |           | google_site_web |
  | 45    | financenews.sina.com      |            |        |         |          |           | google_site_web |
  | 46    | sichuan.sina.com          |            |        |         |          |           | google_site_web |
  | 47    | immigration.sina.com      |            |        |         |          |           | google_site_web |
  | 48    | guahao.health.sina.com    |            |        |         |          |           | google_site_web |
  | 49    | fujian.sina.com           |            |        |         |          |           | google_site_web |
  | 50    | sc.sina.com               |            |        |         |          |           | google_site_web |
  | 51    | slide.sports.sina.com     |            |        |         |          |           | google_site_web |
  +-------+---------------------------+------------+--------+---------+----------+-----------+-----------------+

[*] 51 rows returned