[Share] Zone transfer vulnerability example 1
Posted on: 2019-5-7 14:21


Kali ships with the tool dnsrecon:

usage: dnsrecon.py [-h] [-d DOMAIN] [-n NS_SERVER] [-r RANGE] [-D DICTIONARY]
                   [-f] [-t TYPE] [-a] [-s] [-g] [-b] [-w] [-z]
                   [--threads THREADS] [--lifetime LIFETIME] [--db DB]
                   [-x XML] [-c CSV] [-j JSON] [--iw] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Target domain.
  -n NS_SERVER, --name_server NS_SERVER
                        Domain server to use. If none is given, the SOA of the
                        target will be used.
  -r RANGE, --range RANGE
                        IP range for reverse lookup brute force in formats
                        (first-last) or in (range/bitmask).
  -D DICTIONARY, --dictionary DICTIONARY
                        Dictionary file of subdomain and hostnames to use for
                        brute force. Filter out of brute force domain lookup,
                        records that resolve to the wildcard defined IP
                        address when saving records.
  -f                    Filter out of brute force domain lookup, records that
                        resolve to the wildcard defined IP address when saving
                        records.
  -t TYPE, --type TYPE  Type of enumeration to perform.
  -a                    Perform AXFR with standard enumeration.
  -s                    Perform a reverse lookup of IPv4 ranges in the SPF
                        record with standard enumeration.
  -g                    Perform Google enumeration with standard enumeration.
  -b                    Perform Bing enumeration with standard enumeration.
  -w                    Perform deep whois record analysis and reverse lookup
                        of IP ranges found through Whois when doing a standard
                        enumeration.
  -z                    Performs a DNSSEC zone walk with standard enumeration.
  --threads THREADS     Number of threads to use in reverse lookups, forward
                        lookups, brute force and SRV record enumeration.
  --lifetime LIFETIME   Time to wait for a server to response to a query.
  --db DB               SQLite 3 file to save found records.
  -x XML, --xml XML     XML file to save found records.
  -c CSV, --csv CSV     Comma separated value file.
  -j JSON, --json JSON  JSON file.
  --iw                  Continue brute forcing a domain even if a wildcard
                        records are discovered.
  -v                    Enable verbose

root@kali:~# dnsrecon -d ky-tech.com.cn -t axfr
[*] Testing NS Servers for Zone Transfer
[*] Checking for Zone Transfer for ky-tech.com.cn name servers
[*] Resolving SOA Record
[+]          SOA sztw-vwp-dc01.ky-tech.com.cn 10.31.16.2
[*] Resolving NS Records
[*] NS Servers found:
[*]         NS sztw-vwp-dc02.ky-tech.com.cn 10.31.16.3
[*]         NS szzb-vwp-dc02.ky-tech.com.cn 10.88.88.209
[*]         NS szzb-vwp-dc01.ky-tech.com.cn 10.88.88.208
[*]         NS sztw-vwp-dc01.ky-tech.com.cn 10.31.16.2
[*]         NS gzty-vwp-dc02.ky-tech.com.cn 10.20.246.13
[*]         NS gzty-vwp-dc01.ky-tech.com.cn 10.20.246.12
[*]         NS gztx-vwp-dc01.ky-tech.com.cn 10.124.26.2
[*]         NS gztx-vwp-dc02.ky-tech.com.cn 10.124.26.3
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 10.88.88.209
[+] 10.88.88.209 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] No answer or RRset not for qname
[*]
[*] Trying NS server 10.88.88.208
[+] 10.88.88.208 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] No answer or RRset not for qname
[*]
[*] Trying NS server 10.124.26.3
[+] 10.124.26.3 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] No answer or RRset not for qname
[*]
[*] Trying NS server 10.124.26.2
[+] 10.124.26.2 Has port 53 TCP Open
[+] Zone Transfer was successful!!
[*]          SOA gztx-vwp-dc0 10.124.26.2
[*]          NS szzb-vwp-dc02.ky-tech.com.cn 10.88.88.209
[*]          NS szzb-vwp-dc01.ky-tech.com.cn 10.88.88.208
[*]          NS sztw-vwp-dc01.ky-tech.com.cn 10.31.16.2
[*]          NS gzty-vwp-dc02.ky-tech.com.cn 10.20.246.13
[*]          NS gzty-vwp-dc01.ky-tech.com.cn 10.20.246.12
[*]          NS gztx-vwp-dc01.ky-tech.com.cn 10.124.26.2
[*]          NS gztx-vwp-dc02.ky-tech.com.cn 10.124.26.3
[*]          NS sztw-vwp-dc02.ky-tech.com.cn 10.31.16.3
[*]          NS gztx-vwp-dc01.ky-tech.com.cn 10.124.26.2
[*]          TXT v=spf1 ip4:119.29.126.36 include:spf.ky-tech.com.cn ~all
[*]          MX @.ky-tech.com.cn mail 10.124.26.67

(countless domain records omitted here)

[*]
[*] Trying NS server 10.20.246.12
[+] 10.20.246.12 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] No answer or RRset not for qname
[*]
[*] Trying NS server 10.20.246.13
[+] 10.20.246.13 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] No answer or RRset not for qname
[*]
[*] Trying NS server 10.31.16.2
[+] 10.31.16.2 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] No answer or RRset not for qname
[*]
[*] Trying NS server 10.31.16.3
[+] 10.31.16.3 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] No answer or RRset not for qname
root@kali:~#

============================ Manual verification method =============================================

The host command

root@kali:~# host -h
host: illegal option -- h
Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
            [-R number] [-m flag] hostname [server]
       -a is equivalent to -v -t ANY
       -c specifies query class for non-IN data
       -C compares SOA records on authoritative nameservers
       -d is equivalent to -v
       -i IP6.INT reverse lookups
       -l lists all hosts in a domain, using AXFR
       -m set memory debugging flag (trace|record|usage)
       -N changes the number of dots allowed before root lookup is done
       -r disables recursive processing
       -R specifies number of retries for UDP packets
       -s a SERVFAIL response should stop query
       -t specifies the query type
       -T enables TCP/IP mode
       -v enables verbose output
       -V print version number and exit
       -w specifies to wait forever for a reply
       -W specifies how long to wait for a reply
       -4 use IPv4 query transport only
       -6 use IPv6 query transport only

Step 1: find the name servers

host domain

root@kali:~# host ky-tech.com.cn
ky-tech.com.cn has address 10.31.16.2
ky-tech.com.cn has address 10.124.26.2
ky-tech.com.cn has address 10.88.88.208
ky-tech.com.cn has address 10.20.246.13
ky-tech.com.cn has address 10.31.16.3
ky-tech.com.cn has address 10.124.26.3
ky-tech.com.cn has address 10.20.246.12
ky-tech.com.cn has address 10.88.88.209
ky-tech.com.cn mail is handled by 10 mail.ky-tech.com.cn.

Step 2: host -l domain nameserver_domain

root@kali:~# host -l ky-tech.com.cn 10.31.16.2
Using domain server:
Name: 10.31.16.2
Address: 10.31.16.2#53
Aliases:

Host ky-tech.com.cn not found: 5(REFUSED)
; Transfer failed.

Because there are several name servers, and not every one of them permits a zone transfer, we can write a script to test them all in one batch.

Write the name servers into a txt file (here as host names rather than IPs; plain IPs work just as well, and the host name for an IP can be obtained with host <ip>):

root@kali:~# cat nchost.txt
sztw-vwp-dc02.ky-tech.com.cn
szzb-vwp-dc02.ky-tech.com.cn
szzb-vwp-dc01.ky-tech.com.cn
sztw-vwp-dc01.ky-tech.com.cn
gzty-vwp-dc02.ky-tech.com.cn
gzty-vwp-dc01.ky-tech.com.cn
gztx-vwp-dc01.ky-tech.com.cn
gztx-vwp-dc02.ky-tech.com.cn

root@kali:~# for host in $(cat nchost.txt);do host -l ky-tech.com.cn $host;done
Using domain server:
Name: sztw-vwp-dc02.ky-tech.com.cn
Address: 10.31.16.3#53
Aliases:

Host ky-tech.com.cn not found: 5(REFUSED)
; Transfer failed.
Using domain server:
Name: szzb-vwp-dc02.ky-tech.com.cn
Address: 10.88.88.209#53
Aliases:

Host ky-tech.com.cn not found: 5(REFUSED)
; Transfer failed.
Using domain server:
Name: szzb-vwp-dc01.ky-tech.com.cn
Address: 10.88.88.208#53
Aliases:

Host ky-tech.com.cn not found: 5(REFUSED)
; Transfer failed.
Using domain server:
Name: sztw-vwp-dc01.ky-tech.com.cn
Address: 10.31.16.2#53
Aliases:

Host ky-tech.com.cn not found: 5(REFUSED)
; Transfer failed.
Using domain server:
Name: gzty-vwp-dc02.ky-tech.com.cn
Address: 10.20.246.13#53
Aliases:

Host ky-tech.com.cn not found: 5(REFUSED)
; Transfer failed.
Using domain server:
Name: gzty-vwp-dc01.ky-tech.com.cn
Address: 10.20.246.12#53
Aliases:

Host ky-tech.com.cn not found: 5(REFUSED)
; Transfer failed.
Using domain server:
Name: gztx-vwp-dc01.ky-tech.com.cn
Address: 10.124.26.2#53
Aliases:

ky-tech.com.cn has address 10.31.16.3
ky-tech.com.cn has address 10.20.246.12
ky-tech.com.cn has address 10.88.88.209
ky-tech.com.cn has address 10.88.88.208
ky-tech.com.cn has address 10.124.26.3
ky-tech.com.cn has address 10.31.16.2
ky-tech.com.cn has address 10.124.26.2
ky-tech.com.cn has address 10.20.246.13
ky-tech.com.cn name server szzb-vwp-dc02.ky-tech.com.cn.
ky-tech.com.cn name server szzb-vwp-dc01.ky-tech.com.cn.
ky-tech.com.cn name server sztw-vwp-dc01.ky-tech.com.cn.
ky-tech.com.cn name server gzty-vwp-dc02.ky-tech.com.cn.
ky-tech.com.cn name server gzty-vwp-dc01.ky-tech.com.cn.
ky-tech.com.cn name server gztx-vwp-dc01.ky-tech.com.cn.
ky-tech.com.cn name server gztx-vwp-dc02.ky-tech.com.cn.
ky-tech.com.cn name server sztw-vwp-dc02.ky-tech.com.cn.

(countless domain records omitted here)

Using domain server:
Name: gztx-vwp-dc02.ky-tech.com.cn
Address: 10.124.26.3#53
Aliases:

Host ky-tech.com.cn not found: 5(REFUSED)
; Transfer failed.
root@kali:~#
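Reading a batch like the one above by eye is error-prone once there are many name servers, so here is an added audit helper (not from the original post) that parses the output of the `host -l` loop and reports which servers actually handed out the zone. The sample output it runs on is constructed, with placeholder names and RFC 5737 addresses standing in for the post's real hosts; a server that answers the AXFR is the one whose transfer ACL needs tightening.

```python
# Constructed sample output of `host -l example.test <ns>` for two name servers
# (placeholder names and RFC 5737 addresses, not the hosts from the post).
HOST_L_OUTPUT = """\
Using domain server:
Name: ns1.example.test
Address: 192.0.2.10#53
Aliases:

Host example.test not found: 5(REFUSED)
; Transfer failed.
Using domain server:
Name: ns2.example.test
Address: 192.0.2.11#53
Aliases:

example.test has address 192.0.2.10
example.test name server ns1.example.test.
example.test name server ns2.example.test.
example.test mail is handled by 10 mail.example.test.
"""

def parse_host_l(text):
    """One dict per name server: name, address, records returned, allowed."""
    results, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "Using domain server:":
            cur = {"name": "", "address": "", "records": 0, "failed": False}
            results.append(cur)
        elif cur is None or not line or line.startswith(("Aliases:", "Host ")):
            continue          # preamble, blank, or the REFUSED status line
        elif line.startswith("Name:"):
            cur["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Address:"):
            cur["address"] = line.split(":", 1)[1].strip().split("#")[0]
        elif line.startswith(";"):
            cur["failed"] = cur["failed"] or "Transfer failed" in line
        else:
            cur["records"] += 1   # a zone record the server handed out
    for r in results:              # allowed = data returned and no failure marker
        failed = r.pop("failed")
        r["allowed"] = r["records"] > 0 and not failed
    return results

def permissive_servers(text):
    """Addresses of name servers that answered the AXFR and need allow-transfer fixed."""
    return [r["address"] for r in parse_host_l(text) if r["allowed"]]

if __name__ == "__main__":
    print(permissive_servers(HOST_L_OUTPUT))
```

Pipe the real loop's output into it (`for ...; done | python3 audit.py`) and the list should be empty once every authoritative server refuses transfers.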


Last edited on 2019-5-7 14:22 by 云夕阁, reason: