Linux教程網

Kali Linux Penetration Testing Tutorial: The Recon-NG Framework

Information Gathering

Information gathering is one of the most important phases of a network attack. Before a penetration attack can be carried out, all kinds of information about the target must be collected; the more information is collected, the higher the probability that the attack succeeds. This chapter introduces the tools used for information gathering.

The Recon-NG Framework

Recon-NG is an open-source web reconnaissance (information gathering) framework written in Python. It is a powerful tool that automates information collection and network reconnaissance. The following section shows how to use the Recon-NG reconnaissance tool.

Start the Recon-NG framework with the following command:

root@kali:~# recon-ng

[recon-ng ASCII-art banner omitted: not recoverable from the extracted page]

+---------------------------------------------------------------------------+
|                                                                           |
|           Consulting | Research | Development | Training                  |
|                   http://www.blackhillsinfosec.com                        |
+---------------------------------------------------------------------------+

[recon-ng v4.1.4, Tim Tomes (@LaNMaSteR53)]

[56] Recon modules
[5]  Reporting modules
[2]  Exploitation modules
[2]  Discovery modules
[1]  Import modules

[recon-ng][default] >

The output above shows the basic information about the Recon-NG framework: it contains 56 reconnaissance modules, 5 reporting modules, 2 exploitation modules, 2 discovery modules and 1 import module. The [recon-ng][default] > prompt indicates that the framework has started successfully, and commands can now be entered at that prompt.

Before using Recon-NG for the first time, run the help command to list all available commands:

[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add         Adds records to the database
back        Exits current prompt level
del         Deletes records from the database
exit        Exits current prompt level
help        Displays this menu
keys        Manages framework API keys
load        Loads specified module
pdb         Starts a Python Debugger session
query       Queries the database
record      Records commands to a resource file
reload      Reloads all modules
resource    Executes commands from a resource file
search      Searches available modules
set         Sets module options
shell       Executes shell commands
show        Shows various framework items
spool       Spools output to a file
unset       Unsets module options
use         Loads specified module
workspaces  Manages workspaces

The output above lists the commands that can be run inside the Recon-NG framework. The framework is similar to Metasploit and likewise supports many modules. Use the show modules command to list all available modules:

[recon-ng][default] > show modules

  Discovery
  ---------
    discovery/info_disclosure/cache_snoop
    discovery/info_disclosure/interesting_files

  Exploitation
  ------------
    exploitation/injection/command_injector
    exploitation/injection/xpath_bruter

  Import
  ------
    import/csv_file

  Recon
  -----
    recon/companies-contacts/facebook
    recon/companies-contacts/jigsaw
    recon/companies-contacts/jigsaw/point_usage
    recon/companies-contacts/jigsaw/purchase_contact
    recon/companies-contacts/jigsaw/search_contacts
    recon/companies-contacts/linkedin_auth
    recon/contacts-contacts/mangle
    recon/contacts-contacts/namechk
    recon/contacts-contacts/rapportive
    recon/contacts-creds/haveibeenpwned
    ……
    recon/hosts-hosts/bing_ip
    recon/hosts-hosts/ip_neighbor
    recon/hosts-hosts/ipinfodb
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/locations-locations/geocode
    recon/locations-locations/reverse_geocode
    recon/locations-pushpins/flickr
    recon/locations-pushpins/picasa
    recon/locations-pushpins/shodan
    recon/locations-pushpins/twitter
    recon/locations-pushpins/youtube
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/list
    reporting/pushpin
    reporting/xml

[recon-ng][default] >

The output is divided into five sections, matching the module counts shown when Recon-NG starts. Different modules are used for different kinds of information gathering.

[Example 3-1] Use the recon/domains-hosts/baidu_site module to enumerate the subdomains of the baidu website. The steps are as follows:

(1) Load the recon/domains-hosts/baidu_site module:

[recon-ng][default] > use recon/domains-hosts/baidu_site

(2) Show the configurable options of the module:

[recon-ng][default][baidu_site] > show options

  Name    Current Value  Req  Description
  ------  -------------  ---  ---------------------------------------------
  SOURCE  default        yes  source of input (see 'show info' for details)

[recon-ng][default][baidu_site] >

The output shows one option that must be configured.

(3) Set the SOURCE option:

[recon-ng][default][baidu_site] > set SOURCE baidu.com
SOURCE => baidu.com

The output confirms that the SOURCE option is now set to baidu.com.

(4) Start the information gathering:

[recon-ng][default][baidu_site] > run

---------
BAIDU.COM
---------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Abaidu.com
[*] map.baidu.com
[*] 123.baidu.com
[*] jingyan.baidu.com
[*] top.baidu.com
[*] www.baidu.com
[*] hi.baidu.com
[*] video.baidu.com
[*] pan.baidu.com
[*] zhidao.baidu.com
[*] Sleeping to avoid lockout...

-------
SUMMARY
-------
[*] 9 total (2 new) items found.

The output shows that 9 subdomains were found. Everything that is enumerated is stored in Recon-NG's own database, so the user can then generate a report to view the stored data.

[Example 3-2] View the collected data. The steps are as follows:

(1) Load the reporting/csv module:

[recon-ng][default] > use reporting/csv

(2) Generate the report:

[recon-ng][default][csv] > run
[*] 9 records added to '/root/.recon-ng/workspaces/default/results.csv'.

The output shows that the 9 enumerated records have been written to the file /root/.recon-ng/workspaces/default/results.csv. Open the file, as shown in Figure 3.1.

[Figure 3.1: the results.csv file (image not included in this copy of the page)]

(3) The file lists all the enumerated subdomains.
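A site: search such as the baidu_site module above returns every hostname the search engine associates with the term, so the exported results.csv should be checked against the engagement scope before anything is done with it. The following added example (not code from the page or from the Recon-NG project) reads such an export, deduplicates the hostnames, and separates those that really belong to the SOURCE domain from look-alikes. It assumes the reporting/csv export is a header-less CSV whose first column is the hostname; the sample rows are constructed, and the point of in_scope() is that a naive endswith("baidu.com") check would wrongly accept notbaidu.com.

```python
import csv
import io

# Constructed sample of a reporting/csv export (assumption: recon-ng v4's
# reporting/csv writes the hosts table as header-less rows whose first column
# is the hostname; the rows below are made up for this example).
SAMPLE_RESULTS_CSV = """map.baidu.com,,,,,
www.baidu.com,,,,,
pan.baidu.com,,,,,
www.baidu.com,,,,,
notbaidu.com,,,,,
baidu.com.example.net,,,,,
"""


def in_scope(host, domain):
    """True if host is the engaged domain itself or one of its subdomains.

    A bare endswith(domain) test would accept notbaidu.com for baidu.com,
    so the comparison is made on the label boundary (".baidu.com").
    """
    host = host.strip().lower().rstrip(".")
    domain = domain.strip().lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage_hosts(csv_text, domain):
    """Split a reporting/csv export into deduplicated in-scope and
    out-of-scope hostnames; both lists are returned sorted."""
    seen = set()
    inside, outside = [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue  # skip blank lines
        host = row[0].strip().lower()
        if host in seen:
            continue  # duplicate hit, already classified
        seen.add(host)
        (inside if in_scope(host, domain) else outside).append(host)
    return sorted(inside), sorted(outside)


if __name__ == "__main__":
    inside, outside = triage_hosts(SAMPLE_RESULTS_CSV, "baidu.com")
    print("in scope:    ", inside)
    print("out of scope:", outside)
```

To use it on a real export, replace SAMPLE_RESULTS_CSV with the contents of /root/.recon-ng/workspaces/default/results.csv and pass the same value that was given to SOURCE.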

The Dmitry command can also be used to query information about a website. Its usage is described below.

Display the help for the dmitry command:

root@kali:~# dmitry -h
Deepmagic Information Gathering Tool
"There be some deep magic going on"

dmitry: invalid option -- 'h'
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
  -o     Save output to %host.txt or to file specified by -o file
  -i     Perform a whois lookup on the IP address of a host
  -w     Perform a whois lookup on the domain name of a host
  -n     Retrieve Netcraft.com information on a host
  -s     Perform a search for possible subdomains
  -e     Perform a search for possible email addresses
  -p     Perform a TCP port scan on a host
* -f     Perform a TCP port scan on a host showing output reporting filtered ports
* -b     Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed

The output above shows the syntax of the dmitry command and all of its options. Next, the -s option is used to search for possible subdomains:

root@kali:~# dmitry -s google.com
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:173.194.127.71
HostName:google.com

Gathered Subdomain information for google.com
---------------------------------
Searching Google.com:80...
HostName:www.google.com
HostIP:173.194.127.51
Searching Altavista.com:80...
Found 1 possible subdomain(s) for host google.com, Searched 0 pages containing 0 results

All scans completed, exiting

The output shows that one subdomain was found: www.google.com, with the IP address 173.194.127.51. By default the command searches through google.com; if google.com cannot be reached, running the command above produces the error message Unable to connect: Socket Connect Error.
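dmitry prints its findings as plain text, and the "Unable to connect" case above is easy to overlook when the output is only skimmed, because the run still ends with "All scans completed". The following added example (not code from the page or from the dmitry project) parses the -s output into a structured record and flags a run whose reported count does not match the parsed pairs or that hit a connection error. The success transcript re-uses the hosts and addresses printed on the page as sample input; the failure transcript is constructed, with only the error line taken from the text; no network access is made.

```python
import re

# Constructed transcript in the shape of the `dmitry -s google.com` output
# shown above (hosts and addresses copied from the page as sample input).
SAMPLE_DMITRY_OUTPUT = """Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:173.194.127.71
HostName:google.com
Gathered Subdomain information for google.com
---------------------------------
Searching Google.com:80...
HostName:www.google.com
HostIP:173.194.127.51
Searching Altavista.com:80...
Found 1 possible subdomain(s) for host google.com, Searched 0 pages containing 0 results
All scans completed, exiting
"""

# Constructed transcript for the failure mode the text mentions (assumption
# about the surrounding lines; only the error line itself comes from the text).
SAMPLE_DMITRY_FAILURE = """Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:173.194.127.71
HostName:google.com
Gathered Subdomain information for google.com
---------------------------------
Searching Google.com:80...
Unable to connect: Socket Connect Error
All scans completed, exiting
"""

FOUND_RE = re.compile(r"Found (\d+) possible subdomain\(s\)")


def parse_dmitry_subdomains(text):
    """Parse `dmitry -s` output into the target host/IP, the (subdomain, ip)
    pairs found, the count dmitry itself reports, and any error lines."""
    result = {"target": None, "target_ip": None, "subdomains": [],
              "reported_count": None, "errors": []}
    in_subdomain_section = False
    pending_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Gathered Subdomain information for "):
            in_subdomain_section = True
            continue
        if line.startswith("Unable to connect"):
            result["errors"].append(line)
            continue
        if not in_subdomain_section:
            # Header block: dmitry prints the target's IP and then its name.
            if line.startswith("HostIP:"):
                result["target_ip"] = line[len("HostIP:"):].strip()
            elif line.startswith("HostName:"):
                result["target"] = line[len("HostName:"):].strip()
            continue
        # Subdomain block: each hit is a HostName: line followed by HostIP:.
        if line.startswith("HostName:"):
            pending_name = line[len("HostName:"):].strip()
        elif line.startswith("HostIP:") and pending_name is not None:
            result["subdomains"].append((pending_name, line[len("HostIP:"):].strip()))
            pending_name = None
        else:
            m = FOUND_RE.search(line)
            if m:
                result["reported_count"] = int(m.group(1))
    return result


def consistent(result):
    """True when no search backend failed and the count dmitry reports matches
    the pairs actually parsed; False means the result set is incomplete."""
    return (not result["errors"]
            and result["reported_count"] == len(result["subdomains"]))


if __name__ == "__main__":
    for sample in (SAMPLE_DMITRY_OUTPUT, SAMPLE_DMITRY_FAILURE):
        parsed = parse_dmitry_subdomains(sample)
        print(parsed, "consistent" if consistent(parsed) else "INCOMPLETE")
```

In practice the text would come from running `dmitry -s <host>` and capturing its standard output; the parser deliberately keeps the "Found N possible subdomain(s)" count separate from the parsed pairs so a discrepancy between the two is visible rather than silently lost.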

Copyright © Linux教程網 All Rights Reserved