Domain name (subdomain name) collection method of Web penetration

• Personal website :【 Hai Yong 】【 Fishing games 】
• 🤟 Humorous front-end learning courses ：28 Cases interesting learning front end
• Want to find a little partner to learn and communicate together , Please click on 【 Full stack technology exchange group 】
• Free and practical computer related knowledge question bank ： Come in and hang out

Give you Amway a free and practical front-end brush question （ Daquan of facial scriptures ） Website , Click to jump to the website .

Jump straight to the end Participate in comments and send books

It's going on Web Infiltration time , We often need to collect sub domain names . Compared with the main station , The safety of the substation will be worse . Sub domain name collection can be done by hand 、 Tools or analysis of search engines and other methods to achieve . Next, let's see what we can do

1. Subdomain name guessing and test access

This is the simplest and stupid method , about Web Guess the subdomain name , Then go to the browser to check whether it really exists . such as baidu.com, Guess it may have fanyi/tieba/pay/bbs.baidu.com etc. ;csdn.net, Guess the possible subdomains are blog/download/mail/bbs.csdn.net etc. , This method works well for common subdomain names .

2. Search engine instruction query

Search through search engine “site:csdn.net” To search its main domain name csdn.net Subdomains under . There may be many duplicate pages and results when using search engines to find subdomains , We can use the following instructions to make a more accurate search ：

Before using instructions , Let's do some basic settings for the search engine first , Set the search results to display on one page 50 strip ,

• allintext: = Search text , But it does not include page titles and links .
• allinlinks: = Search for links , Text and title are not included .
• related:URL = List and objectives URL Address related web pages . This command is not applicable to some niche websites , Sometimes I can't find anything .
• link:URL = List the general situation of the external chain of a site .
• Use “-” Get rid of the results you don't want to see , Such as sitecsdn.net - blog.csdn.net

3. Inquire about DNS The parsing record of

Query its domain name mx、cname Record , Mainly through nslookup command , Such as ：

nslookup -qt=mx 163.com // Query mailbox server , Its  mx  You can change the following parameters to query 

• A： Address record （Ipv4）
• AAAA： Address record （Ipv6）
• AFSDB Andrew： File system database server records
• ATMA ATM： Address record .
• CNAME： Alias record .
• HINFO： Hardware configuration record , Include CPU、 Operating system information .
• ISDN： The domain name corresponds to ISDN number .
• MB： The server where the specified mailbox is stored .
• MG： Mail group records .
• MINFO： Information record of mail group and mailbox .
• MR： The email record of the change of name .
• MX： Mail server records .
• NS： Name server record .
• PTR： Reverse recording .
• RP：: The person in charge records .
• RT： Route penetration record .
• SRV TCP： Server information records .
• TXT： The text information corresponding to the domain name .
• X25： The domain name corresponds to X.25 Address record .

4. be based on DNS Brute force cracking of queries

At present, there are many open source tools to support sub domain name brute force cracking , By trying the dictionary +“.”+“ The main domain name ” To test , As in the dictionary bbs/admin/manager. Yes baidu.com Try , Will crawl bbs baidu.com、admin baidu.com. manager.baidu.com, By visiting its address , Determine whether it is opened and exists according to the corresponding status keywords .

5. Manual analysis

By looking at the main website home page and related pages , from html Code and links to the place to manually find , As its main domain name or under other domain names crossdomim.xml The file will contain some sub domain information .

Participate in comments and send books

In the future, at least three friends will be selected from the new article review area every week to send books , You can continue to pay attention to me ： Hai Yong

【 Content abstract 】

The enterprise network contains a lot of computing resources 、 Data resources and business system resources , It is the key target of malicious attackers . This book introduces the protocol principle of enterprise network group 、 Domain forest experimental environment and installation process ; Introduce how to efficiently collect effective domain information in the domain , Analyze the attack means against domain network 、 Typical vulnerabilities and corresponding detection and defense means ; This paper introduces the method of making a secure hidden back door in the domain , And introduce the detection methods based on metadata for these domain backdoors .
This book is highly professional , Suitable for having a certain network foundation 、 Programming based 、 Read by professionals on the basis of attack and defense , It can also be used as a teaching book for the major of network security .

JD self purchase link ： 《Kerberos Domain network security from entry to proficiency 》- Jingdong books