Introduction: information gathering (translated and expanded notes compiled here)
What is subdomain enumeration?
Subdomain enumeration is the process of finding the subdomains of one or more domains. It is an important part of the reconnaissance and information-gathering phase of a security assessment or penetration test.
Why enumerate subdomains?
What is passive subdomain enumeration?
Further reading: https://blog.csdn.net/www_helloworld_com/article/details/90403233
Visit https://crt.sh/ and enter a domain, e.g. example.com
crt.sh also provides an RSS (Atom) feed for a query: https://crt.sh/atom?q={sub-domain}
The data can also be queried directly through the PostgreSQL interface with the following shell script:
```sh
#!/bin/sh
# Script by Hanno Böck - https://github.com/hannob/tlshelpers/blob/master/getsubdomain
# Usage: ./getsubdomain example.com
# Queries crt.sh's public PostgreSQL interface (user guest, database certwatch)
# for every dNSName ending in ".<domain>"; -t prints tuples only (no headers).
# The sed/sort stage trims leading spaces, drops wildcard prefixes ("*.") and
# blank lines, and de-duplicates the result.
[ -n "$1" ] || { echo "usage: $0 <domain>" >&2; exit 1; }
query="SELECT ci.NAME_VALUE NAME_VALUE FROM certificate_identity ci WHERE ci.NAME_TYPE = 'dNSName' AND reverse(lower(ci.NAME_VALUE)) LIKE reverse(lower('%.$1'));"
echo "$query" | \
psql -t -h crt.sh -p 5432 -U guest certwatch | \
sed -e 's:^ *::g' -e 's:^\*\.::g' -e '/^$/d' | \
sort -u | sed -e 's:\*\.::g'
```
If the psql command is missing, install the PostgreSQL client with
```sh
sudo apt-get install postgresql-client
```
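As an added example (not from the original notes and not crt.sh's own code), the following Python normalises the JSON that crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json into a clean subdomain list. The records below are constructed, but the `name_value` field is the one crt.sh actually emits, and it may hold several newline-separated names and wildcard entries, which is what the cleanup handles.

```python
"""Normalise crt.sh JSON output into a de-duplicated list of subdomains."""
import json

# Constructed sample in the shape crt.sh returns (only the fields used here).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com\nDEV.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "mail.example.com"},
    # Unrelated match that a LIKE '%example.com' query would also return.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "notexample.com"},
])


def subdomains_from_crtsh(raw_json: str, domain: str) -> list:
    """Return sorted, de-duplicated hostnames that are the apex or under it.

    Wildcard labels ("*.") are stripped so the underlying name can be
    resolved, names are lower-cased, and hosts that merely end in the same
    string but are not under `domain` (e.g. notexample.com) are discarded.
    """
    domain = domain.lower().strip(".")
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

To use it on live data, fetch the JSON with curl or `urllib` and pass the response body in place of the constructed sample; the filtering is what keeps a `%.example.com` query from also returning look-alike domains.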
https://search.censys.io/certificates?q={sub-domain}
Enumeration script: https://github.com/0xbharath/censys-enumeration
https://github.com/blechschmidt/massdns
Search engines like Google and Bing support various advanced search operators to refine search queries. These operators are often referred to as "Google dorks".
site:{sub-domain}
https://help.bing.microsoft.com/#apex/18/en-US/10001/-1
https://www.sogou.com/
https://www.so.com/
http://www.yahoo.com/
https://www.yandex.ru/
https://www.exalead.com/search
http://www.dogpile.com/
There are a lot of third-party services that will do DNS enumeration on your behalf, or that aggregate massive DNS datasets and search them for subdomains.
https://www.virustotal.com/gui/domain/{sub-domain}/relations
https://github.com/appsecco/the-art-of-subdomain-enumeration/blob/master/virustotal_subdomain_enum.py
Requests must include the X-VT-Anti-Abuse-Header header.
https://github.com/PaulSec/API-dnsdumpster.com
https://searchdns.netcraft.com/?host={sub-domain}
```sh
# Look up the ASN that announces an IP address (install jq: sudo apt-get install jq)
curl -s http://ip-api.com/json/220.181.32.148 | jq -r .as
# List the IPv4 prefixes originated by that ASN using the RADb whois service
whois -h whois.radb.net -- '-i origin AS36459' | grep -Eo "([0-9.]+){4}/[0-9]+" | sort -u
```
Finding an ASN's ranges with an nmap script: https://nmap.org/nsedoc/scripts/targets-asn.html
```sh
nmap --script targets-asn --script-args targets-asn.asn=xxxx
```
The Subject Alternative Name (SAN) is an extension to the X.509 specification that allows additional host names to be specified for a single SSL certificate.
```sh
# Requires bash (process substitution). Prints the Subject line (without its
# label) and then one SAN entry per line.
sed -ne 's/^\( *\)Subject:/\1/p;/X509v3 Subject Alternative Name/{
N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\1\2\n\1/;ta;p;q; }' < <(
openssl x509 -noout -text -in <(
openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' \
-connect baidu.com:443 ) )
```
The same can be done with a Python script.
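Added example, not the original notes' script: a Python parser for the `openssl x509 -noout -text` output that the sed one-liner above reads. The certificate dump is a constructed excerpt in the layout openssl prints, so the example runs offline; to use it live, feed it the output of the openssl pipeline above instead.

```python
"""Parse Subject and SAN DNS names out of `openssl x509 -noout -text` output."""
import re

# Constructed excerpt in the layout openssl prints; not a real certificate.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:1b:2c:3d:4e:5f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Example CA, CN = Example Issuing CA
        Subject: C = CN, ST = Beijing, O = Example Org, CN = example.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:api.example.com, IP Address:203.0.113.10, email:admin@example.com
            X509v3 Basic Constraints:
                CA:FALSE
"""


def parse_subject(x509_text: str) -> str:
    """Return the Subject line's value (everything after 'Subject:')."""
    m = re.search(r"^[ \t]*Subject:[ \t]*(.*)$", x509_text, re.MULTILINE)
    return m.group(1).strip() if m else ""


def parse_san_dns_names(x509_text: str) -> list:
    """Return the DNS: entries of the Subject Alternative Name extension.

    openssl prints the comma-separated value list on the line directly
    after the extension header, which is the line read here. Non-DNS
    entries (IP Address:, email:, URI:) are ignored.
    """
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]
    return []


def san_hostnames(x509_text: str) -> list:
    """SAN DNS names with wildcard labels stripped, lower-cased and de-duplicated."""
    names = {n[2:] if n.startswith("*.") else n for n in parse_san_dns_names(x509_text)}
    return sorted(n.lower() for n in names)


if __name__ == "__main__":
    print("Subject:", parse_subject(SAMPLE_X509_TEXT))
    for host in san_hostnames(SAMPLE_X509_TEXT):
        print(host)
```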
There are projects that gather Internet-wide scan data and make it available to researchers and the security community. The datasets published by these projects are a treasure trove of subdomain information. Although finding subdomains in these massive datasets is like finding a needle in a haystack, it is worth the effort.
The following are a few public datasets that aggregate information that could be of interest during subdomain enumeration:
Name | Description | Price |
---|---|---|
Sonar | FDNS, RDNS, UDP, TCP, TLS, HTTP, HTTPS scan data | FREE |
Censys.io | TCP, TLS, HTTP, HTTPS scan data | FREE |
CT | TLS | FREE |
CZDS | DNS zone files for "new" global TLDs | FREE |
ARIN | American IP registry information (ASN, Org, Net, Poc) | FREE |
CAIDA PFX2AS IPv4 | Daily snapshots of ASN to IPv4 mappings | FREE |
CAIDA PFX2AS IPv6 | Daily snapshots of ASN to IPv6 mappings | FREE |
US Gov | US government domain names | FREE |
UK Gov | UK government domain names | FREE |
RIR Delegations | Regional IP allocations | FREE |
PremiumDrops | DNS zone files for com/net/info/org/biz/xxx/sk/us TLDs | $24.95/mo |
WWWS.io | Domains across many TLDs (~198m) | $9/mo |
WhoisXMLAPI.com | New domain whois data | $109/mo |
Source: https://github.com/hdm/inetdata
See https://github.com/rapid7/sonar/wiki/Forward-DNS
```sh
# Stream the FDNS dump, decompress it on the fly and keep the records mentioning .baidu.com
curl -s https://scans.io/data/rapid7/sonar.fdns_v2/20170417-fdns.json.gz | pigz -dc | grep ".baidu.com" | jq .
```
The data file is very large!
What is active subdomain enumeration?
Install subbrute:
```sh
aptitude install python-dnspython
git clone https://github.com/TheRook/subbrute.git
cd subbrute
make
```
Install dnsrecon:
```sh
aptitude install dnsrecon # kali
# or, with python3.6+
git clone https://github.com/darkoperator/dnsrecon.git
cd dnsrecon
pip install -r requirements.txt
# brute force
python3.7 dnsrecon.py -d baidu.com -D wordlist.txt -t brt
# DNS cache snooping
python3.7 dnsrecon.py -t snoop -D wordlist.txt -n 1.1.1.1
# 1.1.1.1 is the address of the target's NS server
```
Other options:
```sh
--threads 8      # number of threads
-n nsserver.com  # use a custom resolver
--db             # SQLite 3 file
--xml            # XML file
--json           # JSON file
--csv            # CSV file
```
Permutation scanning is another interesting technique for identifying subdomains. In this technique, we identify new subdomains using permutations, alterations and mutations of already known domains/subdomains.
GitHub - infosec-au/altdns: Generates permutations, alterations and mutations of subdomains and then resolves them
Install
```sh
# Version: Python2
pip install py-altdns
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
```
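Added example of the permutation idea described above (my own code, not altdns's): it generates candidate names from already known subdomains and a word list. The inputs are constructed; resolving the candidates to see which exist is the separate step that altdns performs, and it is deliberately not part of this block.

```python
"""Generate permutations, alterations and mutations of known subdomains."""
import re

# Constructed inputs: names already discovered, and a small word list.
KNOWN_SUBDOMAINS = ["api.example.com", "web1.example.com"]
WORDS = ["dev", "staging"]


def permute_subdomains(known: list, words: list, domain: str, numbers: int = 3) -> list:
    """Return new candidate hostnames under `domain`, sorted.

    For each known host, the leftmost label is combined with every word as a
    prefix and as a suffix (with and without a hyphen), each word is also
    inserted as its own label on either side of that leftmost label, and a
    trailing number is added or re-counted from 1..numbers (web1 -> web2,
    web3). Names that are already known are excluded from the output.
    """
    domain = domain.lower().strip(".")
    known_set = {h.lower().rstrip(".") for h in known}
    candidates = set()
    for host in known_set:
        if not host.endswith("." + domain):
            continue  # hosts outside the target domain contribute nothing
        labels = host[: -len(domain) - 1].split(".")
        first, tail = labels[0], "".join("." + label for label in labels[1:])
        for word in (w.lower() for w in words):
            for new_first in (f"{word}-{first}", f"{first}-{word}",
                              f"{word}{first}", f"{first}{word}"):
                candidates.add(f"{new_first}{tail}.{domain}")
            candidates.add(f"{word}.{first}{tail}.{domain}")
            candidates.add(f"{first}.{word}{tail}.{domain}")
        stem = re.sub(r"\d+$", "", first)  # "web1" -> "web", "api" -> "api"
        for n in range(1, numbers + 1):
            candidates.add(f"{stem}{n}{tail}.{domain}")
    return sorted(candidates - known_set)


if __name__ == "__main__":
    for candidate in permute_subdomains(KNOWN_SUBDOMAINS, WORDS, "example.com"):
        print(candidate)
```

The candidate list grows multiplicatively with the word list, which is why tools in this class rely on a fast resolver such as massdns for the resolution step.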
A zone transfer is a DNS transaction in which a DNS server passes a copy of all or part of its zone file to another DNS server.
```sh
dig +multi AXFR @ns_server target.com
```
Further reference:
Record | Purpose |
---|---|
RRSIG | Contains a cryptographic signature. |
NSEC and NSEC3 | For explicit denial-of-existence of a DNS record |
DNSKEY | Contains a public signing key |
DS | Contains the hash of a DNSKEY record |
More details: https://appsecco.com/books/subdomain-enumeration/active_techniques/zone_walking.html
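Added illustration for the NSEC and NSEC3 rows in the table above (not code from the linked page): each NSEC record states that no name exists between its owner and the next owner, and the chain wraps back to the apex, so following it lists every name in the zone. NSEC3 publishes salted hashes of owner names instead, so a walker learns hashes rather than names. The NSEC records and the NSEC3 parameters below are constructed; the hash follows RFC 5155.

```python
"""Walk a constructed NSEC chain, and hash a name the NSEC3 way (RFC 5155)."""
import base64
import hashlib

# Constructed NSEC RRset: owner -> (next owner, RR types present at owner).
# Each record asserts that no name exists between owner and next owner.
NSEC_RECORDS = {
    "example.com.":      ("api.example.com.",  ["A", "NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"]),
    "api.example.com.":  ("mail.example.com.", ["A", "RRSIG", "NSEC"]),
    "mail.example.com.": ("vpn.example.com.",  ["A", "RRSIG", "NSEC"]),
    "vpn.example.com.":  ("example.com.",      ["A", "RRSIG", "NSEC"]),  # wraps to the apex
}


def walk_nsec_chain(records: dict, apex: str, limit: int = 100000) -> list:
    """Follow the 'next owner' pointers from the apex until the chain wraps.

    Returns every owner name in canonical order. Raises ValueError if a
    record is missing or the chain does not close on the apex.
    """
    names, current = [], apex
    while True:
        if current not in records:
            raise ValueError(f"chain broken at {current}: no NSEC record")
        names.append(current)
        current = records[current][0]
        if current == apex:
            return names
        if current in names or len(names) > limit:
            raise ValueError(f"chain loops without returning to the apex at {current}")


def owners_with_type(records: dict, rrtype: str) -> list:
    """Owner names whose NSEC type bitmap says the given RR type exists there."""
    return sorted(owner for owner, (_, types) in records.items() if rrtype in types)


def _wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire-format encoding of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


# base64.b32encode uses the RFC 4648 alphabet; NSEC3 wants the "extended hex" one.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 owner hash: SHA-1(name || salt), re-hashed `iterations` more times, base32hex.

    The zone's hashed names still form a chain, but walking it only yields
    these digests; recovering the names means guessing them offline.
    """
    salt = bytes.fromhex(salt_hex) if salt_hex and salt_hex != "-" else b""
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


if __name__ == "__main__":
    for owner in walk_nsec_chain(NSEC_RECORDS, "example.com."):
        print(owner)
    print(nsec3_hash("vpn.example.com.", "aabbccdd", 12))
```

From the defender's side, the walk is the reason to prefer NSEC3 (or NSEC3 with opt-out) over plain NSEC on zones whose names you do not want listed.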
CNAME stands for Canonical Name. A CNAME record can be used to alias one name to another; the record's value is a hostname. Sometimes a CNAME reveals an organisation's subdomains or information about the kind of service running on a domain.
Reference: OSINT Through Sender Policy Framework (SPF) Records | Rapid7 Blog
A few security headers expose subdomain information.
Content-Security-Policy (CSP) is an HTTP header that lets a site define a whitelist of trusted content sources and instructs the browser to execute or render only resources from those sources. So the Content-Security-Policy header will essentially list a number of sources (domains) that may be of interest to us as attackers. There are deprecated forms of the CSP header: X-Content-Security-Policy and X-Webkit-CSP.
Script: https://github.com/0xbharath/domains-from-csp
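Added example (not the domains-from-csp script and not Rapid7's code) covering both the SPF reference and the CSP section above: it extracts hostnames from an SPF record (include:, a:, mx:, exists:, ptr:, redirect= and exp=) and from a CSP policy, checking the current header name and the two deprecated ones just mentioned. The record and header values are constructed.

```python
"""Extract hostnames from SPF records and Content-Security-Policy headers."""
import re

# Constructed SPF record and response headers.
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.0/24 a:mail.example.com/24 mx "
              "include:_spf.google.com include:spf.protection.outlook.com "
              "redirect=_spf.example.net -all")

SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' https://cdn.example.com https://*.static.example.net 'unsafe-inline'; "
        "connect-src https://api.example.com:8443 wss://ws.example.com; "
        "img-src data: https: https://img.example.com/images/; "
        "report-uri https://csp-report.example.org/collect"
    ),
    "X-Webkit-CSP": "default-src 'self' https://legacy.example.com",
}

CSP_HEADER_NAMES = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")
SPF_HOST_MECHANISMS = ("include", "a", "mx", "exists", "ptr")


def spf_hosts(record: str) -> list:
    """Hostnames an SPF record delegates to or references, sorted."""
    hosts = set()
    for term in record.split():
        term = term.lstrip("+-~?")  # strip the qualifier (+, -, ~, ?)
        if term.lower().startswith(("redirect=", "exp=")):
            hosts.add(term.split("=", 1)[1].lower())
        elif ":" in term:
            mech, value = term.split(":", 1)
            if mech.lower() in SPF_HOST_MECHANISMS:
                hosts.add(value.split("/", 1)[0].lower())  # drop a CIDR suffix like a:host/24
    return sorted(hosts)


def csp_hosts(policy: str) -> list:
    """Hostnames named as sources anywhere in a CSP policy string, sorted."""
    hosts = set()
    for directive in policy.split(";"):
        tokens = directive.split()
        for src in tokens[1:]:  # tokens[0] is the directive name
            if src.startswith("'") or src.endswith(":"):
                continue  # keywords/nonces ('self', 'nonce-...') and bare schemes (data:, https:)
            host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", src, flags=re.IGNORECASE)
            host = host.split("/", 1)[0]            # drop any path
            host = re.sub(r":(\d+|\*)$", "", host)   # drop :port or :*
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


def csp_hosts_from_headers(headers: dict) -> list:
    """Union of csp_hosts() over the current and deprecated CSP header names."""
    hosts = set()
    for name, value in headers.items():
        if name.lower() in CSP_HEADER_NAMES:
            hosts.update(csp_hosts(value))
    return sorted(hosts)


if __name__ == "__main__":
    print("SPF:", spf_hosts(SAMPLE_SPF))
    print("CSP:", csp_hosts_from_headers(SAMPLE_HEADERS))
```

Both functions are also a quick hygiene check for your own zones: every host they return is one you are publicly advertising, and stale entries (a decommissioned CDN origin, an old mail relay) are worth pruning.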
https://github.com/shmilylty/OneForAll
Install
```sh
git clone https://github.com/shmilylty/OneForAll.git
cd OneForAll/
python3 -m pip install -U pip setuptools wheel -i https://mirrors.aliyun.com/pypi/simple/
pip3 install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
python3 oneforall.py --help
```
Usage
```sh
python3 oneforall.py --target example.com run
python3 oneforall.py --targets ./example.txt run
```
https://github.com/aboul3la/Sublist3r
Install
```sh
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip3 install -r requirements.txt
```
Usage
```sh
python3 sublist3r.py -d target.com -o $outfile
# brute force
python3 sublist3r.py -b -d target.com -o $outfile
```
Other options:
```sh
-p 80,443                  # only show domains with ports 80 and 443 open
-e google,yahoo,virustotal # only use the google, yahoo and virustotal engines
```
https://github.com/OJ/gobuster
Install
```sh
git clone https://github.com/OJ/gobuster.git
cd gobuster/
go get && go build
go install
```
Basic usage
```sh
gobuster -m dns -u target.com -w $wordlist
```
https://github.com/OWASP/Amass
Install
```sh
sudo snap install amass
```
Basic usage
```sh
amass enum -d example.com
```
https://github.com/subfinder/subfinder
Sources: VirusTotal, PassiveTotal, SecurityTrails, Censys, Riddler, Shodan, Bruteforce
Install: https://github.com/projectdiscovery/subfinder/releases/tag/v2.4.8
```sh
./subfinder -d target.com -o $outfile
```
https://github.com/laramies/theHarvester
Install
```sh
# kali
# or
git clone https://github.com/laramies/theHarvester
cd theHarvester
# If developing:
python3 -m pip install -r requirements/dev.txt
# Else:
python3 -m pip install -r requirements/base.txt
python3 theHarvester.py -h
```
Usage:
```sh
theharvester -d target.com -b all
```
https://github.com/Screetsec/Sudomy
```sh
./sudomy -d target.com -dP -eP -rS -cF -pS -tO -gW --httpx --dnsprobe -aI webanalyze -sS
```
https://github.com/guelfoweb/knock
```sh
apt-get install python-dnspython
git clone https://github.com/guelfoweb/knock.git
cd knock
nano knockpy/config.json # <- set your virustotal API_KEY
python setup.py install
knockpy target.com
knockpy target.com -w $wordlist
```
https://github.com/evilsocket/dnssearch
https://github.com/rbsec/dnscan
Integrates Sublist3r, Knock, Subbrute, Massdns, Recon-ng, Amass & SubFinder
https://github.com/cakinney/domained
https://github.com/lijiejie/subDomainsBrute
https://github.com/bit4woo/teemo