《BT4 Linux 黑客手册》自学笔记（1）-DNSMap

aber02zzl

0 r( j& z( Q- \7 _# n

DNSmap的BT官方教程，简单翻译了下。

http://www.backtrack-linux.org/forums/old-tutorials-guides/9421-dnsmap-tutorial.html?langid=8

DNSMap Tutorial
8 Z9 S6 a7 [$ c( }0 H% DThis tutorial will show you how to use DNSMap

这个教程告诉你如何使用DNSmap。
7 b" c7 M) n2 D) S7 c8 |( KDisclaimer: This is for educational purposes only not for committing a crime you are  on your own!

声明：这篇文章仅用于教学，请不要用于犯罪啊！

All IP's have been changed.

所有的IP地址都更改过了。
3 k6 y% I# n3 i& _7 U' aBackground: Dnsmap is a small C based tool that perform brute-forcing of domains. The tool can use an internal wordlist, or work with an external dictionary file.

Info: http://ikwt.dyndns.org/ Thissite seems to be down.
6 T' L  a: ^  u' G) l/ O% t4 q# z6 S(Source http://backtrack.offensive-security....p/Tools#dnsmap )

背景知识：DNSmap是一个基于c的小工具，主要用于暴力获取域名。该工具可以使用内在字符串或者外在字典。
5 A' w  f# p- x; G" tOk now to acccess the tool go to  Menu | Backtrack | InformationGathering | DNS| DNSMap

按照上面的发放在BT4中打开
4 j; d1 ~2 _' L4 n! }Ok it will open a shell and show you

代码:

dnsmap - DNS Network Mapper by pagvac

(http://ikwt.com, http://foro.elhacker.net)

Usage: dnsmap <target-domain>[dictionary-file]

Examples:

dnsmap yourtarget.com

dnsmap yourtarget.com yourwordlist.txt

bt dnsmap #

Once you have it open you can check the readme by doing a nano README This will provide lotsmore info.
; B  }5 \2 J6 c" R! ^Be sure to read it there are some limitations when using this tool.

你可以使用nano来查看readme文件获取更多信息并了解相关限制。
: \" p. ?& y9 d9 G9 W: NNext we need to give dnsmap a target to search again we will use http://www.victimluser.com
% ?  p( T* u* f  v# B: s+ cso

下面以http://www.victimluser.com 示范软件用法

代码:

bt dnsmap # victimluser.com

7 ~7 c# |; g. l" R3 e) _

This will return us with:

结果如下：

代码:

dnsmap - DNS Network Mapper by pagvac

(http://ikwt.com, http://foro.elhacker.net)

Searching subhosts on domainvictimluser.com

forum.victimluser.com

IP Address #1:192.168.1.1

mail.victimluser.com

IP Address #1:192.168.1.2

ftp.victimluser.com

IP Address #1:192.168.1.3

pop.victimluser.org

IP Address #1:192.168.1.4

1 u4 w3 \( t! B2 X* ~

Also you can createa wordlist.txt that you can supply at the command line like this

你也可以使用字符串，用法如下：

代码:

bt dnsmap # dnsmap targetdomain.com wordlist.txt

$ P) G' L: G" v1 i' I4 A3 h1 Y- a

This will force dnsmap to use a supplied wordlist to bruteforce subdomains if you do not supply a wordlist then dnsmap
will use the built in one by default.

这回强制DNSmap使用你提供的字符串，否则则使用内置的字符串。
The readme also give links to a few wordlist you can download.
+ E2 k  r% Z6 K% i" P( AHave fun using this tool!

PS：附上DnSmap的官方介绍

dnsmap was originally released back in 2006 and was inspired by the fictional story "The Thief No One Saw" by Paul Craig, which can be found in the book "Stealing the Network - How to 0wn the Box".dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company's IP netblocks, domain names, phone numbers, etc ...Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it's especially useful when other domain enumeration techniques such as zone transfers don't work (I rarely see zone transfers being publicly allowed these days by the way).If you are interested in researching stealth computer intrusion techniques, I suggest reading this excellent (and fun) chapter which you can find for free on the web.I'm happy to say that dnsmap was included in Backtrack 2, 3 and 4 and has been reviewed by the community:

• Backtrack Forums
• Question Defense
• Network World
• Linux Haxor
• Darknet

DNSmap出现在2006年，是受《Stealing the Network - How to 0wn the Box》这本书的启发而成。DNSmap主要被渗透测试人员用于无线安全评估（infrastructure security assessments）过程中的信息收集和枚举。在信息收集过程中，安全咨询人员要探索目标公司的IP地址块，域名，电话号码等等。而亚域名暴力获取（Subdomain brute-forcing）是一个很有用的技术，特别是区域传输煤气作用的时候（顺便说下，现在区域传送几乎不起作用了）。下面是推荐的一本书Stealing the Network - How to 0wn the Box

PS2：DNSmap-bulk可以批量的获取一系列dns和ip
用法如下：
7 P* ~; q9 e# W4 t& Zdnsmap-bulk.sh domains.txt



: ]( ]" K; R2 {

5 m. Z$ a+ q6 n" i

91180

帮顶啊啊 呵呵  沙发

fsqsnk

学学，也了解一下下

aber02zzl

附上在网上搜索到得另一个教程，内容差不多：
Backtrack 4: Information Gathering: DNS: Dnsmap – Subdomain brute-forcing
- B  U6 ]( k7 [; J
Posted by purehate in Security at 9:40 AM
Today I will be reviewing Dnsmap from the Backtrack 4 Distribution. Dnsmap was originally released back in 2006 and has become a standard tool included is every backtrack release. There are other tools which preform the same tasks but I am a firm believer that a pentester/hacker should have the choice of as many tools as possible. My only small issue with this tool is speed, meaning it is not multi threaded however the author says in the readme.txt that he is addressing that issue. Dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target
+ ~7 x( B7 ]; @5 T% C7 g1 Lcompany’s IP netblocks, domain names, phone numbers, etc …

, z" A" z$ a) i
) a. L2 w7 |9 O' `0 \. t) N; RSubdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work.
" x$ c! x6 d" q3 G: I* n. {2 ]; g
Here are some things that Dnsmap can be used for:
0 C3 v. m( w5 M* j( a8 p, {
1. Finding interesting remote access servers (e.g.: https://extranet.example.com)

2. Finding badly configured and/or unpatched servers (e.g.: test.example.com)
3 l' Q2 r8 V- X2 b% N
3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks
; ?) y, {6 M3 o8 {- T2 c+ D1 `) y' D
4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses
(RFC 1918). This is great as sometimes they are real up-to-date “A” records which means
$ _0 B2 A1 |- Q2 w9 sthat it *is* possible to enumerate internal servers of a target organization from the
Internet by only using standard DNS resolving (as oppossed to zone transfers for instance).

5. Discover embedded devices configured using Dynamic DNS services (e.g.: linksys-cam.com).
* @- E1 z4 _' C2 k* sThis method is an alternative to finding devices via Google hacking techniques

8 z0 J. B# f6 W9 LBruteforcing can be done either with dnsmap’s built-in wordlist or a user-supplied wordlist. Results can be saved in CSV and human-readable format for further processing. dnsmap does NOT require root privileges to be run.
' Q! z; N8 B- ?5 q/ }
" T6 c& J( @# |0 H+ O7 oMost of the preceding information came from the README.txt that the author supplied with the tool, I didn’t think there was any reason to rewrite it all and reinvent the wheel. I will just be showing you a sample session of how I would use Dnsmap in a penetration test.
3 W  [: U- o! n5 r3 p8 P6 t, n
First lets check out the usage:
* M9 p$ T1 H$ t% _. |# S
root@666:/pentest/enumeration/dns/dnsmap# ./dnsmap
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
" ?8 z9 w# g/ t# J  O; l9 @* n- w$ Y, R
usage: dnsmap <target-domain> [options]
options:
-w <wordlist-file>
9 B0 Q+ R  @. l" N! T# A-r <regular-results-file>
4 ~! X0 ~- Q$ U0 N: U, ^8 }! d-c <csv-results-file>
-d <delay-millisecs>
0 a, f1 l- Z, }" s0 P' A-i <ips-to-ignore> (useful if you're obtaining false positives)
0 W9 `* O  @( {6 L4 m) {
  @6 x: C' m; k7 X: V* Ge.g.:
dnsmap target-domain.foo
5 B9 V- {* F" Q" A, @dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt
dnsmap target-fomain.foo -r /tmp/ -d 3000
' ]. @) |% y9 J4 L( adnsmap target-fomain.foo -r ./domainbf_results.txt
Pretty simple tool so lets show a example session:

  H  ]" I2 q3 h9 w* vroot@666:/pentest/enumeration/dns/dnsmap# ./dnsmap cnn.com -r results.txt
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

. j& u6 F$ T4 D  S; n9 H. l[+] searching (sub)domains for cnn.com using built-in wordlist
$ R) |* ^: F: g! s5 j- m* s5 f[+] using maximum random delay of 10 millisecond(s) between requests

a.cnn.com
' f/ j9 |( o; s3 JIP address #1: 8.15.7.123
IP address #2: 63.251.179.23
# A- \: a9 |9 D
aa.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

ab.cnn.com
: Q. R6 ~, p! L8 s( ~IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

ac.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

; C, ], H( U4 H6 M5 o% Xaccess.cnn.com
4 l; Z( M* N( t- RIP address #1: 64.20.247.69
6 K; H( K" @  a0 x6 ?5 _
  q+ J9 N; M# I1 e; {6 `8 @  V- Oaccounting.cnn.com
0 u) U. Y2 O/ U- qIP address #1: 8.15.7.123
# W8 j; X  y; ^) }% j) [9 A5 qIP address #2: 63.251.179.23

accounts.cnn.com
6 _/ f) W+ }% E) g! GIP address #1: 8.15.7.123
" E# \% ~0 m2 ^6 v* V/ @! g3 WIP address #2: 63.251.179.23
! Q5 V6 ~7 L! H. u0 ^6 Q0 ?2 e* RWhat we are doing here is attempting to bruteforce all of the subdomains of cnn.com and saving them to a file called results.txt. I have truncated the output since its very long.
9 r0 a0 S) m0 L+ r3 y0 {
If you have a custom wordlist of subdomains you can use that as well simply by specifying the -w argument and then the path to the wordlist.
' i" R% [" J5 H  G9 O6 t, ]% L
Once Dnsmap has completed its run we can look in the file and see all the subdomains and IPs in the list:
8 V7 `5 D7 q, K; W5 D
8 z+ k/ o" |( w* f4 x- `3 l5 t  r. groot@666:/pentest/enumeration/dns/dnsmap# head results.txt
/ ?; ]- x8 C: Y$ _6 M! g! c9 ]) ja.cnn.com
IP address #1: 8.15.7.123
5 f, }9 G1 Y2 YIP address #2: 63.251.179.23
& ^% N% V/ ^/ [' T
$ f9 J* l. _( ~' m( q* }aa.cnn.com
IP address #1: 8.15.7.123
9 Z  `. K* _0 `2 P+ b% b4 kIP address #2: 63.251.179.23
) p- z# s: @9 r9 c( ~
7 ^2 q1 h( J- c0 p4 Kab.cnn.com
IP address #1: 8.15.7.123
Now, for you this may be a good format but what I want is a list of IPs to add to my list of possible targets when I move on to a more active scanning phase of the pentest.
8 e; |+ e8 C7 ~2 }/ X# R, r
So lets apply a little bashfoo to clean up this list:
$ x! f+ d9 k! a
root@666:/pentest/enumeration/dns/dnsmap# cat results.txt | sed '/^$/d' | sed '/cnn.com/d' | cut -d ':' -f 2 | sort -u | sed '$d' > ips.txt
And now we have a nice tidy list of IP addresses for the next phase of our attack:

root@666:/pentest/enumeration/dns/dnsmap# cat ips.txt
2 \6 I' v8 y: W7 M4 k1 B 1.1.1.1
127.0.0.1
! }. J, s3 M* ?2 b6 L$ b& g 157.166.173.183
& `5 Z" z5 Z: l, }" G 157.166.217.28
157.166.224.104
157.166.224.105
, B# ^% Z2 X8 ]6 x 157.166.224.111
4 |& h2 n) u# e! G2 O3 }3 y* A4 \ 157.166.224.164
157.166.224.172
$ l& K7 b+ e  ? 157.166.224.184
157.166.224.186
157.166.224.25
157.166.224.26
& }2 B5 E3 }! Z* H5 K 157.166.226.104
157.166.226.105
157.166.226.111
; M! Y5 k% w. z) A0 D0 R# E2 j% I 157.166.226.164
157.166.226.184
( S8 P* B, @: c' i 157.166.226.186
157.166.226.25
3 P) o4 p4 d1 G: w' i2 M5 X4 H; G  ^' _ 157.166.226.26
6 ?& T  Y; |$ f) E9 @ 157.166.236.106
157.166.255.172
157.166.255.18
) Z4 V! J- {! C% V! ^ 157.166.255.19
157.166.255.22
157.166.255.23
4 ^7 k" I+ G" L5 A 205.188.146.88
207.25.71.114
/ ]" z' J7 j5 n7 e7 e2 m 207.25.71.230
9 E) h6 V, x$ w" g 207.25.71.91
) E: U. U# X2 }/ r+ S; ?% k1 l 207.25.71.97
207.25.79.134
% Y8 Y# b" s4 Y8 ` 207.25.79.135
6.9.6.9
63.251.179.23
7 U9 J4 o" _6 Z# T/ {8 ^: n 64.20.247.69
64.236.16.20
0 s; [1 u- Z5 b" h# x0 C3 p 64.236.17.108
64.236.18.7
7 U7 T$ W$ _2 O; a- u7 f/ {) I 64.236.22.11
' |; s8 O7 A7 s" W9 `, { 64.236.22.12
+ e9 m( \! R$ P6 _, O' h+ j 64.236.24.12
0 x; ~" m$ F$ W) z" y. G0 K 64.236.24.4
4 `+ |) {& B- _/ Y" y, x# p 64.236.26.21
64.236.29.11
0 M1 Q$ ~4 l2 K6 A 64.236.29.12
66.9.53.137
* P7 n' e, U7 p/ m( y 8.15.7.123
) E/ Y, H/ r4 ?; A2 OThere is also a script to bruteforce a list of domains if you are looking at a very large attack surface:

2 u+ N3 k. `, o# P# Q# `0 j3 A; @; rusage: dnsmap-bulk.sh <domains-file> [results-path]
e.g.:
1 q, ?" N5 a5 \0 j) b$ X8 Z$ s1 rdnsmap-bulk.sh domains.txt
dnsmap-bulk.sh domains.txt /tmp/
! p- F8 d8 b" ~$ l! S8 Y9 lI hope this review of dnsmap is helpful and I would like to give a big thanks to GNUCitizen for Dnsmap and all the rest of the stuff they do for the opensource community.

285858363

楼主很给力啊！！强大，嘿嘿我这里还有更强大的来看看吧！

lin227768

学习学习

非洲黑人tel

看不懂哦.......