滲透測試之全方位信息收集神器 instarecon

功能介紹

instarecon將從如下幾個方面展開滲透測試前的信息收集工做

1. DNS (direct, PTR, MX, NS) lookups

包括域名的dns解析結果；

PTR記錄：是電子郵件系統中的郵件交換記錄的一種；另外一種郵件交換記錄是A記錄（在IPv4協議中）或AAAA記錄（在IPv6協議中）。PTR記錄常被用於反向地址解析。

MX記錄：是郵件交換記錄，它指向一個郵件服務器，用於電子郵件系統發郵件時根據 收信人的地址後綴來定位郵件服務器。MX記錄也叫作郵件路由記錄，用戶能夠將該域名下的郵件服務器指向到本身的mail server上，而後便可自行操控全部的郵箱設置。

NS記錄：NS（Name Server）記錄是域名服務器記錄，用來指定該域名由哪一個DNS服務器來進行解析。

2. Whois (domains and IP) lookups

whois是用來查詢域名的IP以及全部者等信息的傳輸協議。簡單說，whois就是一個用來查詢域名是否已經被註冊，以及註冊域名的詳細信息的數據庫（如域名全部人、域名註冊商）。

3. Google dorks in search of subdomains

google搜索引擎記錄的二級域名相關信息

4. Shodan lookups

經過shodan獲取域名相關信息；Shodan真正值得注意的能力就是能找到幾乎全部和互聯網相關聯的東西。而Shodan真正的可怕之處就是這些設備幾乎都沒有安裝安全防護措施，其能夠隨意進入。

5. Reverse DNS lookups on entire CIDRs

dns的方向查詢，即經過指向的ip反查ip相關的域名信息

惟一可能有點缺憾的是沒有加入dns暴力遍歷。

下載

bash➜  tools git:(master) ✗ git clone https://github.com/vergl4s/instarecon.git

接下來須要安裝python的擴展,若是已經安裝的pip則直接安裝：

bashsudo pip install pythonwhois ipwhois ipaddress shodan

若是沒有安裝pip，能夠這樣安裝

shsudo easy_install pip

使用

使用很簡單，給個示例：

$ ./instarecon.py -s <shodan_key> -o ~/Desktop/github.com.csv github.com

跑一下烏雲的信息看看：

[root@localhost instarecon]# python instarecon.py wooyun.org
# InstaRecon v0.1 - by Luis Teixeira (teix.co)
# Scanning 1/1 hosts
# No Shodan key provided

# ____________________ Scanning wooyun.org ____________________ #

# DNS lookups
[*] Domain: wooyun.org

[*] IPs & reverse DNS: 
162.159.208.53
162.159.209.53

# Whois lookups

[*] Whois domain:
Domain Name:WOOYUN.ORG
Domain ID: D159099935-LROR
Creation Date: 2010-05-06T08:50:48Z
Updated Date: 2015-01-07T03:37:41Z
Registry Expiry Date: 2024-05-06T08:50:48Z
Sponsoring Registrar:Hichina Zhicheng Technology Limited (R1373-LROR)
Sponsoring Registrar IANA ID: 420
WHOIS Server: 
Referral URL: 
Domain Status: clientDeleteProhibited -- http://www.icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited -- http://www.icann.org/epp#clientTransferProhibited
Registrant ID:hc556860480-cn
Registrant Name:Fang Xiao Dun
Registrant Organization:Fang Xiao Dun
Registrant Street: Haidian District JuYuan Road 6# 502
Registrant City:Beijing
Registrant State/Province:Beijing
Registrant Postal Code:100080
Registrant Country:CN
Registrant Phone:+86.18610137578
Registrant Phone Ext: 
Registrant Fax: +86.18610137578
Registrant Fax Ext: 
Registrant Email:xssshell@gmail.com
Admin ID:HC-009652962-CN
Admin Name:Fang Xiaodun
Admin Organization:Beijing Bigfish Technology
Admin Street: Haidian District JuYuan Road 6# 502
Admin City:Beijing
Admin State/Province:Beijing
Admin Postal Code:100080
Admin Country:CN
Admin Phone:+86.18610137578
Admin Phone Ext: 
Admin Fax: +86.18610137578
Admin Fax Ext: 
Admin Email:xssshell@gmail.com
Tech ID:HC-844637505-CN
Tech Name:Fang Xiaodun
Tech Organization:Beijing Bigfish Technology
Tech Street: Haidian District JuYuan Road 6# 502
Tech City:Beijing
Tech State/Province:Beijing
Tech Postal Code:100080
Tech Country:CN
Tech Phone:+86.18610137578
Tech Phone Ext: 
Tech Fax: +86.18610137578
Tech Fax Ext: 
Tech Email:xssshell@gmail.com
Name Server:NS1.DNSV2.COM
Name Server:NS2.DNSV2.COM
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
DNSSEC:Unsigned

Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.

[*] Whois IP:
asn: 13335
asn_cidr: 162.159.208.0/24
asn_country_code: US
asn_date: 2013-05-23
asn_registry: arin
net 0:
    cidr: 162.158.0.0/15
    range: 162.158.0.0 - 162.159.255.255
    name: CLOUDFLARENET
    description: CloudFlare, Inc.
    handle: NET-162-158-0-0-1

    address: 665 Third Street #207
    city: San Francisco
    state: CA
    postal_code: 94107
    country: US

    abuse_emails: abuse@cloudflare.com
    tech_emails: admin@cloudflare.com

    created: 2013-05-23 00:00:00
    updated: 2013-05-23 00:00:00

# Querying Google for subdomains and Linkedin pages, this might take a while
[-] Error: No subdomains found in Google. If you are scanning a lot, Google might be blocking your requests.

# Reverse DNS lookup on range 162.158.0.0/15
162.159.8.133 - cf-162-159-8-133.cloudflare.com
162.159.9.204 - cf-162-159-9-204.cloudflare.com
162.159.24.5 - dns1.namecheaphosting.com
162.159.24.6 - a.ns.zerigo.net
162.159.24.7 - e.ns.zerigo.net
162.159.24.204 - ns1.proisp.no
162.159.25.5 - dns2.namecheaphosting.com
162.159.25.6 - b.ns.zerigo.net
162.159.25.7 - f.ns.zerigo.net
162.159.25.138 - ns2.proisp.no
162.159.26.6 - c.ns.zerigo.net
162.159.27.6 - d.ns.zerigo.net
# Done

能夠看到烏雲使用的是cloudflare；負責人是fangxiaodun；郵箱是xssshell@gmail.com

來自http://www.codefrom.com/paper/%20%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%...