[Principles and Technologies of Network Attack and Defense] Chapter 3: Network Reconnaissance Technology

2022-07-07 18:01:00 Godams

3.1 Overview

Network reconnaissance needs to collect basic information about the target

  • Static information
    All kinds of contact information, including names, e-mail addresses, phone numbers, etc.
    DNS and Web servers
    The network the host is on, IP addresses
    Network topology
  • Dynamic information
    Whether the target host is powered on
    Whether the target host has the software of interest installed
    The type of operating system installed on the target host
    Whether the target host has security vulnerabilities that can be used for an attack
  • Any other information that is useful for a network attack.

Network information collection methods

  • Footprinting: the attacker gathers information about the target to understand the target's network environment and information security posture, in preparation for the attack. For details, see the common means and methods of network reconnaissance.
  • Network scanning: probe the target network and find as many connected targets as possible, then probe further to obtain their type, existing security weaknesses and other information.
  • Enumeration: based on known weaknesses, probe the identified services in a more targeted way to find entry points that can really be attacked, and the key data that may be needed during the attack. Compared with network scanning, it is more detailed and narrower in scope.

3.2 Network reconnaissance methods

  • Search engine information collection
  • Whois queries
  • DNS information service
  • Network topology discovery
  • Using social networks to obtain information
  • Other methods
    • Social engineering
    • Garbage retrieval (dumpster diving)
    • Examining the web site

3.2.1 Search engine information collection

Commonly used Baidu advanced search syntax

  • site:[domain] – site:zhihu.com
    Returns search results related to a specific domain.
  • link:[web page] – link:www.csdn.net
    Lists the sites that link to the specified web page. May reveal the business relationships of the target site.
  • intitle:[condition]
    Searches for pages whose title contains specific search text.
  • intext:[condition]
    Searches for pages whose body text contains specific search text.
  • related:[site]
    Displays web pages related (similar) to a specific page.
  • filetype:[suffix]
    Finds files of a specific type.
  • cache:[page] – cache:www.csdn.net
    Looks up the csdn.net page most recently crawled by the Baidu bot and shows the page content from Baidu Snapshot. Very useful for finding pages that were recently removed or are currently unavailable.
  • Not
    Filters out web pages that contain specific conditions.
  • Plus
    Tells Baidu that this keyword should not be filtered out.

Basic characteristics of Shodan and ZoomEye
They can search for networked hosts, servers, cameras, printers, routers and similar devices
Search targets: network devices, network services, network systems, banner information
Search format: A B C filter:value filter:value filter:value

The difference between ZoomEye and Shodan:
Shodan mainly targets device fingerprints, that is, it collects and indexes the banner information returned after communicating with certain specific ports.
ZoomEye, in addition to detecting device fingerprints, also has enhanced detection for some services, such as detailed analysis of Web services.

ping, nslookup, tracert (traceroute)

traceroute: a tool for diagnosing network faults and obtaining the network topology.
nslookup: queries DNS records and checks whether domain name resolution is working; used to diagnose network problems when the network fails. Queries the IP address of a domain name.
ping: tests network connectivity.

3.4 Defending against network reconnaissance

  • Defending against search engine reconnaissance
    • Establish a strict information disclosure policy for your own web site content. Determine which sensitive data and information should not appear on the web site. Also train staff and ask them not to post sensitive information on newsgroups or BBSes.
    • Ask search engines to remove the indexes of web pages that are not meant to be public.
  • Defending against Whois queries
    • Ensure that Whois records contain no additional information an attacker can use, such as the administrator's account name.
    • Also train staff to keep them from falling into social engineering traps.
  • Defending against DNS reconnaissance
    • Background: zone transfer: DNS servers replicate their database files to stay synchronized. For DNS servers that have this function enabled, attackers can use the DNS server as a springboard to obtain information about target hosts.
    • Avoid leaking additional information through DNS. For example, domain names should not disclose a computer's operating system, purpose or similar information.
    • Use split DNS: distribute DNS information across several DNS servers so that internal and external users use different DNS services.
    • Restrict DNS zone transfers. Use firewall filter rules so that only a few known secondary DNS servers are allowed to perform zone transfers.
  • Defending against social engineering attacks and garbage retrieval
    • Train staff in security awareness. For phone inquiries about sensitive information such as computer configuration and passwords, do not disclose the information without confirming the caller's identity. When the IT department receives requests to modify permissions, reset passwords and the like, it must perform secondary identity authentication of the requester. Pay special attention to caller ID technology: caller ID alone cannot be relied on to confirm the other party's identity.
    • Use paper shredders, CD shredders and similar equipment. Discarded equipment and paper carrying sensitive information must be shredded or incinerated.
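To check that the zone-transfer restriction described under DNS reconnaissance defense is holding, the following added example (not part of the original notes) scans name-server log lines and reports transfers that involve hosts outside the list of known secondaries. The allowlist addresses, the sample lines and the BIND-9-style message format the regex expects are assumptions; adjust them to your server's logging configuration.

```python
import ipaddress
import re

# Assumption: addresses of the secondary servers that may pull the zone.
ALLOWED_SECONDARIES = [ipaddress.ip_network("192.0.2.53/32"),
                       ipaddress.ip_network("198.51.100.0/29")]

# Client address, zone and outcome in BIND-9-style transfer messages (assumed format).
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+.*?"
    r"(?:transfer of '(?P<z1>[^'/]+)/IN': (?:AXFR|IXFR) (?P<ok>started)"
    r"|zone transfer '(?P<z2>[^'/]+)/(?:AXFR|IXFR)/IN' (?P<no>denied))")

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    "07-Jul-2022 18:01:00.101 client @0x7f10 192.0.2.53#40112 (example.com): "
    "transfer of 'example.com/IN': AXFR started (serial 2022070701)",
    "07-Jul-2022 18:03:12.554 client @0x7f11 203.0.113.9#51544 (example.com): "
    "zone transfer 'example.com/AXFR/IN' denied",
    "07-Jul-2022 18:04:40.002 client @0x7f12 203.0.113.77#39001 (example.com): "
    "transfer of 'example.com/IN': AXFR started (serial 2022070701)",
    "07-Jul-2022 18:05:00.000 client @0x7f13 198.51.100.10#5353 (example.com): "
    "query: example.com IN A +",
]

def audit_transfers(lines, allowed=ALLOWED_SECONDARIES):
    """Return (severity, client, zone, reason) for transfers that need attention."""
    findings = []
    for line in lines:
        m = XFER_RE.search(line)
        if not m:
            continue  # not a zone-transfer message
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field
        zone = m["z1"] or m["z2"]
        listed = any(ip in net for net in allowed)
        if m["ok"] and not listed:
            findings.append(("ALERT", str(ip), zone, "transfer served to unlisted host"))
        elif m["no"] and not listed:
            findings.append(("WARN", str(ip), zone, "attempt from unlisted host denied"))
        elif m["no"]:
            findings.append(("INFO", str(ip), zone, "listed secondary denied; check ACLs"))
    return findings

if __name__ == "__main__":
    for finding in audit_transfers(SAMPLE_LOG):
        print(*finding, sep="  ")
```

An ALERT means the restriction is not in effect for that client; a WARN shows the filter working against a probe from outside the allowlist.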
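For the advice that DNS should not disclose a computer's operating system or purpose, this added example (not from the original notes) audits zone data for host names that embed such hints and for HINFO records, which publish CPU and OS directly. The token list and the constructed sample zone are assumptions, and the parser expects one record per line with an explicit owner name.

```python
import re

# Assumption: label fragments that reveal an operating system, product or role.
LEAKY_TOKENS = {"win", "windows", "linux", "ubuntu", "centos", "solaris",
                "oracle", "sql", "backup", "vpn", "firewall", "test", "dev"}

# Constructed sample zone data for illustration only.
SAMPLE_ZONE = """\
$ORIGIN example.com.
www            3600 IN A     192.0.2.10
win2012-sql01  3600 IN A     192.0.2.21   ; database host
win2012-sql01  3600 IN HINFO "INTEL-X64" "WINDOWS"
ns2            3600 IN A     192.0.2.53
centos7-backup 3600 IN CNAME files.example.com.
"""

def audit_zone(text, tokens=LEAKY_TOKENS):
    """Return (owner_name, reason) for records that disclose OS or purpose."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments, tokenize
        if "IN" not in fields[1:]:
            continue                               # directive, blank or unsupported line
        idx = fields.index("IN", 1)
        if idx + 1 >= len(fields):
            continue                               # class without a record type
        name = fields[0].lower()
        rtype = fields[idx + 1].upper()
        rdata = " ".join(fields[idx + 2:])
        if rtype == "HINFO":
            findings.append((name, "HINFO record publishes CPU/OS: " + rdata))
        elif rtype in {"A", "AAAA", "CNAME"}:
            # Split the first label into alphabetic runs: win2012-sql01 -> win, sql
            words = set(re.findall(r"[a-z]+", name.split(".")[0]))
            hits = sorted(words & tokens)
            if hits:
                findings.append((name, "name reveals: " + ", ".join(hits)))
    return findings

if __name__ == "__main__":
    for owner, reason in audit_zone(SAMPLE_ZONE):
        print(f"{owner}: {reason}")
```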