
Gathering Information Using DNS Servers

Category: Security / Information Gathering 2017. 11. 3. 20:55

- Representative commands that gather information from NS (Name Servers)

dnsenum CMD

dnsmap CMD

dnswalk CMD


- Exercise 1

( host operating system )

cmd > nslookup www.tistory.com

 

 서버:    pcns.bora.net

Address:  61.41.153.2


권한 없는 응답:

이름:    www.tistory.com

Address:  211.231.108.151

 


Go to https://whois.kisa.or.kr/kor/main.jsp and search for 211.231.108.151


> It appears to be allocated to KORNET, but this alone does not confirm that the IP address belongs to tistory.


- Exercise 2

dnsenum CMD


( kali ) 

# dnsenum google.com

 

dnsenum.pl VERSION:1.2.3


-----   google.com   -----



Host's addresses:

__________________


google.com.                              265      IN    A        216.58.200.14



Name Servers:

______________


ns1.google.com.                          132138   IN    A        216.239.32.10

ns2.google.com.                          132181   IN    A        216.239.34.10

ns3.google.com.                          327132   IN    A        216.239.36.10

ns4.google.com.                          132194   IN    A        216.239.38.10



Mail (MX) Servers:

___________________


ASPMX.l.google.com.                      84       IN    A        74.125.204.27

alt4.ASPMX.l.google.com.                 1        IN    A        74.125.192.27

ALT2.ASPMX.l.google.com.                 93       IN    A        74.125.202.26

alt3.aspmx.l.google.com.                 42       IN    A        173.194.219.26

alt1.ASPMX.l.google.com.                 220      IN    A        74.125.30.27



Trying Zone Transfers and getting Bind Versions:

_________________________________________________



Trying Zone Transfer for google.com on ns3.google.com ... 

AXFR record query failed: corrupt packet


Trying Zone Transfer for google.com on ns1.google.com ... 

AXFR record query failed: corrupt packet


Trying Zone Transfer for google.com on ns4.google.com ... 

AXFR record query failed: corrupt packet


Trying Zone Transfer for google.com on ns2.google.com ... 

AXFR record query failed: corrupt packet


brute force file not specified, bay.


 

> You can see the Name Server IPs and the Mail Server IPs.


# dnsenum --dnsserver 8.8.8.8 --enum --noreverse -f /usr/share/dnsenum/dns.txt google.com

--dnsserver <server>   Use this DNS server for A, NS and MX queries.
--enum                 Shortcut option equivalent to --threads 5 -s 15 -w.
--noreverse            Skip the reverse lookup operations.
-f, --file <file>      Read subdomains from this file to perform brute force.

 

.... (omitted) ....

Google Results:

________________


www.google.com.                          196      IN    A        216.58.197.100



Brute forcing with /usr/share/dnsenum/dns.txt:

_______________________________________________


accounts.google.com.                     299      IN    A        216.58.197.109

admin.google.com.                        299      IN    A        172.217.25.14

ads.google.com.                          299      IN    A        172.217.25.14

america.google.com.                      59       IN    CNAME    www3.l.google.com.

www3.l.google.com.                       299      IN    A        172.217.25.14

ap.google.com.                           21599    IN    CNAME    www2.l.google.com.

www2.l.google.com.                       299      IN    A        172.217.25.4

archive.google.com.                      299      IN    A        172.217.25.14

apps.google.com.                         21599    IN    CNAME    www3.l.google.com.

www3.l.google.com.                       299      IN    A        172.217.25.14

asia.google.com.                         299      IN    A        216.58.197.100

blog.google.com.                         59       IN    CNAME    www.blogger.com.

www.blogger.com.                         299      IN    CNAME    blogger.l.google.com.

blogger.l.google.com.                    299      IN    A        172.217.25.9

d.google.com.                            21599    IN    CNAME    www3.l.google.com.

www3.l.google.com.                       299      IN    A        172.217.25.14

directory.google.com.                    3599     IN    CNAME    www3.l.google.com.

www3.l.google.com.                       299      IN    A        172.217.25.14

dns.google.com.                          299      IN    A        172.217.25.14

environment.google.com.                  299      IN    A        172.217.25.14

..... (omitted) .....

 

> This prints far more information than the previous run.


[Reference] the dig command

# dig @8.8.8.8 google.com ANY

 

..... (omitted) .....

 ;; ANSWER SECTION:

google.com. 299 IN A 172.217.25.14

google.com. 299 IN AAAA 2404:6800:4005:809::200e

google.com. 599 IN MX 10 aspmx.l.google.com.

google.com. 599 IN MX 30 alt2.aspmx.l.google.com.

google.com. 599 IN MX 40 alt3.aspmx.l.google.com.

google.com. 21599 IN CAA 0 issue "pki.goog"

google.com. 59 IN SOA ns3.google.com. dns-admin.google.com. 174433365 900 900 1800 60

google.com. 599 IN MX 50 alt4.aspmx.l.google.com.

google.com. 21599 IN NS ns3.google.com.

google.com. 21599 IN NS ns2.google.com.

google.com. 599 IN MX 20 alt1.aspmx.l.google.com.

google.com. 3599 IN TXT "v=spf1 include:_spf.google.com ~all"

google.com. 21599 IN NS ns4.google.com.

google.com. 21599 IN NS ns1.google.com.

...... (omitted) .....

 

> This looks just like what you see when configuring a DNS server (a zone file).
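The dnsenum brute-force listing above and the dig ANSWER SECTION share the same zone-style "name TTL IN TYPE rdata" layout. The following Python script is added here as an example and is not part of the original post or of either tool: it parses that layout and follows CNAME chains (as with blog -> www.blogger -> blogger.l above) to the final addresses, which is how a defender turns such output into an inventory of what a domain exposes and which hosts share one front end. The hostnames and addresses in SAMPLE are constructed placeholders.

```python
"""Parse zone-style "name TTL IN TYPE rdata" lines (the layout dig and
dnsenum print) and follow CNAME chains to the final A/AAAA addresses.
SAMPLE is constructed for this example; hosts and addresses are placeholders."""
import re
from collections import defaultdict

SAMPLE = """
example.com.            299  IN A     198.51.100.14
example.com.            599  IN MX    10 aspmx.l.example.com.
blog.example.com.       59   IN CNAME www.blogger.example.
www.blogger.example.    299  IN CNAME blogger.l.example.com.
blogger.l.example.com.  299  IN A     203.0.113.9
apps.example.com.       3599 IN CNAME www3.l.example.com.
www3.l.example.com.     299  IN A     198.51.100.14
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

def parse_records(text):
    """Return (owner, ttl, type, rdata) tuples; owners lower-cased, trailing dot dropped."""
    recs = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            recs.append((owner.lower().rstrip("."), int(ttl), rtype, rdata.strip()))
    return recs

def resolve_cname_chain(recs, name, max_hops=8):
    """Follow CNAMEs from name; returns (chain of owners, addresses at the end).
    Stops on a loop or after max_hops so bad data cannot spin forever."""
    by_owner = defaultdict(list)
    for owner, _ttl, rtype, rdata in recs:
        by_owner[owner].append((rtype, rdata))
    chain = [name.lower().rstrip(".")]
    while len(chain) <= max_hops:
        targets = [r for t, r in by_owner[chain[-1]] if t == "CNAME"]
        if not targets:
            break
        nxt = targets[0].lower().rstrip(".")
        if nxt in chain:
            break  # CNAME loop: stop rather than follow it forever
        chain.append(nxt)
    addrs = [r for t, r in by_owner[chain[-1]] if t in ("A", "AAAA")]
    return chain, addrs

def footprint(recs):
    """Map each discovered hostname to its final addresses (shared front ends stand out)."""
    names = sorted({o for o, _t, ty, _r in recs if ty in ("A", "AAAA", "CNAME")})
    return {n: resolve_cname_chain(recs, n)[1] for n in names}
```

Feed it the saved output of dig or dnsenum for your own zone to see which names collapse onto the same address and which CNAME targets have no address behind them.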


- Exercise 3

dnsmap CMD

> Used to find subdomains.


# dnsmap google.com

 

 dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)


[+] searching (sub)domains for google.com using built-in wordlist

[+] using maximum random delay of 10 millisecond(s) between requests


accounts.google.com

IPv6 address #1: 2404:6800:4005:808::200d


accounts.google.com

IP address #1: 216.58.221.141


admin.google.com

IPv6 address #1: 2404:6800:4005:80b::200e


admin.google.com

IP address #1: 216.58.200.14


ai.google.com

IPv6 address #1: 2404:6800:4005:801::200e


ai.google.com

IP address #1: 216.58.200.14


ap.google.com

IPv6 address #1: 2404:6800:4005:806::2004


ap.google.com

IP address #1: 216.58.197.100


billing.google.com

IPv6 address #1: 2404:6800:4005:80b::200e


billing.google.com

IP address #1: 216.58.221.142


blog.google.com

IPv6 address #1: 2404:6800:4005:806::2009


...... (omitted) .....

 

> It compares the strings in the dictionary file against the domain.

> Depending on the domain being searched, this can take a long time.


[ Reference ] A tool that draws network topology

SolarWinds ( http://www.solarwinds.com/network-topology-mapper )


- Exercise 4

theharvester

> It can gather information about members of the target organization.

- Korean sites usually do not turn up many results.


# theharvester -d tistory.com -l 500 -b google

-d: Domain to search or company name

-b: data source: google, googleCSE, bing, bingapi, pgp

                        linkedin, google-profiles, people123, jigsaw, 

                        twitter, googleplus, all

-l: Limit the number of results to work with(bing goes from 50 to 50 results,

 

 *******************************************************************

*                                                                 *

* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *

* | __| '_ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *

* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *

*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *

*                                                                 *

* TheHarvester Ver. 2.7                                           *

* Coded by Christian Martorella                                   *

* Edge-Security Research                                          *

* cmartorella@edge-security.com                                   *

*******************************************************************



[-] Searching in Google:

Searching 0 results...

Searching 100 results...

Searching 200 results...

Searching 300 results...

Searching 400 results...

Searching 500 results...



[+] Emails found:

------------------

id@tistory.com


[+] Hosts found in search engines:

------------------------------------

[-] Resolving hostnames IPs... 

... (omitted) .....

 

> It seems it did not find any IDs.