Kali system -- host, dig, dnsenum, dmitry for DNS collection and analysis

2022-06-13 00:32:00 P1n9

host tool

1> The host command provides simple DNS resolution. It is normally used to resolve names to IP addresses. When it is run without any arguments or options, it prints a short summary of its command-line arguments and options.

The name argument is the domain name to resolve. It can also be a dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which case host performs a reverse lookup by default. The optional server argument is either the name or the IP address of a DNS server; host queries that server instead of the servers listed in the /etc/resolv.conf file.

2> Usage:

-a  Show detailed DNS information;
-c <class>  Specify the query class; the default value is "IN";
-C  Query the complete SOA record;
-r  Do not use recursive queries when looking up domain names;
-t <type>  Specify the record type to query;
-v  Show the details of command execution;
-w  If the name server does not answer, wait indefinitely until it does;
-W <time>  Specify the maximum time to wait for a query; if the name server does not respond within that time, the command exits;
-4  Use IPv4;
-6  Use IPv6.

3> Examples:
The DNS servers in use are the ones listed in the /etc/resolv.conf file
Query Baidu
Use a custom DNS server
Show detailed records

dig

1> dig (domain information groper) is a flexible tool for querying DNS name servers. It performs DNS lookups and displays the replies returned by the name servers that were queried. Most DNS administrators use dig to troubleshoot DNS problems because it is flexible, easy to use and produces clear output.

Although dig is normally used with command-line arguments, it can also read lookup requests from a file in batch mode. Unlike earlier versions, the BIND 9 implementation of dig allows multiple queries to be issued from the command line. Unless it is told to query a specific name server, dig tries each of the servers listed in /etc/resolv.conf. When no command-line arguments or options are given, dig performs an NS query for "." (the root).

2> Command options
Details of the different DNS record types:
https://www.cnblogs.com/momenglin/p/8556079.html


dnsenum

1> dnsenum is a very powerful domain information gathering tool. It was designed by a programmer who took part in the BackTrack development project; the designer's name is Filip (barbsie) Waeytens. The developer is a security professional skilled in web penetration testing who also has extensive experience in DNS information gathering.

The goal of dnsenum is to collect as much information as possible about a domain. It can guess likely domain names through Google or a dictionary file, and run reverse lookups across a network range.

It can look up the host addresses of a domain, its name servers and its MX records (mail exchange records), issue axfr requests against the name servers, obtain additional names through Google scraping, extract subdomains and query them, calculate class C address ranges and run Whois queries on them, perform reverse lookups, and write the address ranges to a file.
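Seen from the DNS operator's side, the activity described above (axfr requests, dictionary-driven subdomain guesses, reverse lookups across a range) stands out in query logs. The following is an added example, not part of the original post: it flags such clients in log lines laid out like BIND 9 query logging; the zone example.test, the addresses, the thresholds and the helper names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the client address, queried name and record type of one query line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \(.*?\): "
    r"query: (?P<name>\S+) \S+ (?P<type>\S+)"
)

def _line(client, name, qtype, flags="+"):
    """Build one constructed log line in the BIND 9 query-log layout."""
    return (f"13-Jun-2022 00:32:01.000 client @0x7f00 {client}#40000 "
            f"({name}): query: {name} IN {qtype} {flags} (192.0.2.53)")

# Constructed sample: documentation addresses and a hypothetical zone.
SAMPLE_LOG = (
    [_line("198.51.100.7", "example.test", t) for t in ("NS", "MX")]
    + [_line("198.51.100.7", "example.test", "AXFR", "-T")]
    + [_line("198.51.100.7", f"{h}.example.test", "A")
       for h in ("ftp", "mail", "vpn", "dev", "admin", "test")]
    + [_line("198.51.100.7", f"{i}.2.0.192.in-addr.arpa", "PTR") for i in range(1, 7)]
    + [_line("203.0.113.20", "www.example.test", "A") for _ in range(3)]
)

def find_enumeration(lines, zone, name_threshold=5, ptr_threshold=5):
    """Return {client_ip: [reasons]} for clients showing enumeration patterns."""
    names, ptrs, axfr = defaultdict(set), defaultdict(set), set()
    suffix = "." + zone.lower().rstrip(".")
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip rather than guess
        ip, name, qtype = m["ip"], m["name"].lower().rstrip("."), m["type"].upper()
        if qtype in ("AXFR", "IXFR"):
            axfr.add(ip)            # zone transfer attempt
        elif qtype == "PTR":
            ptrs[ip].add(name)      # reverse lookup
        elif name.endswith(suffix):
            names[ip].add(name)     # name below the zone apex
    findings = defaultdict(list)
    for ip in sorted(axfr):
        findings[ip].append("zone transfer request")
    for ip, seen in names.items():
        if len(seen) >= name_threshold:
            findings[ip].append(f"{len(seen)} distinct subdomains queried")
    for ip, seen in ptrs.items():
        if len(seen) >= ptr_threshold:
            findings[ip].append(f"{len(seen)} distinct PTR lookups")
    return dict(findings)
```

Calling find_enumeration(SAMPLE_LOG, "example.test") reports only 198.51.100.7; the client that repeatedly resolves www.example.test stays below both thresholds.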

2> Command options

Usage: dnsenum [options] [domain]. Note on "-" versus "--": "-" introduces the short form of an option, "--" the long form.

Option	Description
General options
--dnsserver <server>	Specify the name server to query, for example: dnsenum --dnsserver 114.114.114.114 baidu.com
--enum	Shortcut option, equivalent to "--threads 5 -s 15 -w"; the individual options are described below
-h, --help	Display help information
--noreverse	Skip the reverse lookup operations
--nocolor	Disable colored output
--private	Show the private IPs and save them at the end of the file "domain_ips.txt"
--subfile <file>	Write all valid subdomains to the specified file
-t, --timeout <value>	TCP or UDP connection timeout; the default is 10s (unit: seconds)
--threads <value>	Number of query threads
-v, --verbose	Show all progress and error messages
Other common options
-o, --output <file>	Output option; save the output to the specified file
-e, --exclude <regexp>	Reverse lookup option; exclude PTR records that match the regular expression from the reverse lookup results, which is very useful for filtering out invalid hosts
-w, --whois	Run Whois queries on the class C network ranges
For options not described here, run dnsenum -h.


dmitry

1> Functions:
Look up Whois information for the target host by IP address (or domain name)
Retrieve host information from the Netcraft.com website
Find the subdomains used in the target domain
Find e-mail addresses in the target domain
Probe the target host for open, filtered and closed ports


Copyright notice
This article was written by [P1n9]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202280600251744.html