BackTrack 5 study notes
2012-09-20 10:55:38
I. Information gathering
1. DNS enumeration
a. The dnsenum tool
Not going after anyone; baidu is simply used as the demonstration target, purely as an example...
Command: root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl /doc/571594440.html,
----- /doc/571594440.html, -----
Host's address:
__________________
/doc/571594440.html, 600 IN A 220.181.111.86
/doc/571594440.html, 600 IN A 123.125.114.144
/doc/571594440.html, 600 IN A 220.181.111.85
Name Servers:
______________
/doc/571594440.html, 37423 IN A 202.108.22.220
/doc/571594440.html, 85599 IN A 220.181.37.10
/doc/571594440.html, 86400 IN A 220.181.38.10
/doc/571594440.html, 26299 IN A 61.135.165.235
Command: root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl - --dnsserver /doc/571594440.html, /doc/571594440.html, -
Brute forcing :
____________________________
/doc/571594440.html, 7200 IN CNAME
/doc/571594440.html, 7200 IN CNAME
/doc/571594440.html, 600 IN CNAME
/doc/571594440.html, 7200 IN A 10.11.252.74
/doc/571594440.html, 7200 IN CNAME
/doc/571594440.html, 7200 IN CNAME
/doc/571594440.html, 7200 IN A 10.26.137.29
...
/doc/571594440.html, class C netranges:
_____________________________
61.135.162.0/24
61.135.163.0/24
61.135.165.0/24
61.208.132.0/24
123.125.114.0/24
202.108.22.0/24
220.181.18.0/24
220.181.27.0/24
220.181.37.0/24
220.181.38.0/24
220.181.50.0/24
220.181.111.0/24
b. dnsmap
Command: root@bt:/pentest/enumeration/dns/dnsmap# ./dnsmap /doc/571594440.html, -w -c dongye-baidu.csv
/doc/571594440.html,
IP address #1: 61.135.169.105
IP address #2: 61.135.169.125
/doc/571594440.html,
IP address #1: 172.22.1.96
[+] warning: internal IP address disclosed (warning: an internal IP was exposed)
[+] 165 (sub)domains and 193 IP address(es) found
[+] 75 internal IP address(es) disclosed
[+] csv-format results can be found on dongye-baidu.csv
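The "internal IP address disclosed" warning above is the point a zone owner should act on: a public record that resolves to an RFC 1918 address leaks internal addressing for free. The following is an added example, not part of the original notes and not dnsmap's or dnsenum's own code; it re-implements that check so you can run it over your own DNS records. The sample output is constructed in dnsmap's layout, and the hostnames in it are placeholders.

```python
"""
Flag DNS A records that point at internal (RFC 1918, loopback, link-local)
addresses, the same condition behind dnsmap's "internal IP address
disclosed" warning. Added example for auditing one's own zone; not code
from the original notes or from dnsmap.
"""
import ipaddress
import re

# Constructed sample in dnsmap's output layout; hostnames are made up.
SAMPLE_DNSMAP_OUTPUT = """\
www.example.com
IP address #1: 61.135.169.105
IP address #2: 61.135.169.125
intranet.example.com
IP address #1: 172.22.1.96
vpn.example.com
IP address #1: 10.11.252.74
IP address #2: 61.135.169.130
[+] 3 (sub)domains and 5 IP address(es) found
"""

# Checked explicitly rather than via ipaddress.is_private, which would also
# flag documentation ranges such as 203.0.113.0/24 and give false positives.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
)]

_IP_LINE = re.compile(r"^IP address #\d+:\s*(\S+)$")


def parse_dnsmap(text):
    """Turn dnsmap-style output into a list of (hostname, ip_string) pairs.

    A hostname line is followed by one or more "IP address #n:" lines;
    "[+] ..." status lines are skipped.
    """
    records = []
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        m = _IP_LINE.match(line)
        if m and host is not None:
            records.append((host, m.group(1)))
        elif not m:
            host = line
    return records


def is_internal(ip_string):
    """True if the address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip_string)
    except ValueError:
        return False  # not an address at all; nothing to flag
    # 'in' returns False for a version mismatch (e.g. IPv6 vs IPv4 net).
    return any(addr in net for net in INTERNAL_NETS)


def find_internal_disclosures(records):
    """Return the (hostname, ip) pairs whose address is internal."""
    return [(host, ip) for host, ip in records if is_internal(ip)]


def summarize(text):
    """Parse dnsmap-style output and report what a zone audit wants to know."""
    records = parse_dnsmap(text)
    return {
        "hosts": len({host for host, _ in records}),
        "addresses": len(records),
        "internal": find_internal_disclosures(records),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_DNSMAP_OUTPUT)
    print(f"{report['hosts']} hosts, {report['addresses']} addresses")
    for host, ip in report["internal"]:
        print(f"internal address exposed: {host} -> {ip}")
```

Feed it saved dnsmap output (or any "hostname / IP address #n:" listing exported from your own zone) and every flagged pair is a record to remove from the public view or move to an internal-only zone.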
2. Routing information
a. tcptraceroute
root@bt:/# tcptraceroute /doc/571594440.html,
Selected device eth2, address 10.255.253.200, port 34840 for outgoing packets
Tracing the path to /doc/571594440.html, (61.135.169.105) on TCP port 80 (www), 30 hops max
1 10.255.253.1 2.117 ms 1.793 ms 1.867 ms
2 192.168.3.21 24.175 ms 19.071 ms 20.692 ms
3 192.168.99.25 1.656 ms 1.327 ms 1.199 ms
4 192.168.99.33 1.282 ms 0.662 ms 2.943 ms
5 221.212.120.253 1.555 ms 1.488 ms 1.528 ms
6 221.212.26.173 7.441 ms 6.794 ms 6.590 ms
7 221.212.1.221 2.242 ms 2.097 ms 2.574 ms
8 113.4.128.161 4.239 ms 4.384 ms 4.196 ms
9 219.158.21.89 23.750 ms 23.656 ms 23.924 ms
10 124.65.194.30 23.225 ms 23.251 ms 23.037 ms
11 61.148.155.230 23.686 ms 23.858 ms 23.876 ms
12 202.106.43.30 23.886 ms 24.292 ms 23.983 ms
13 * * *
14 61.135.169.105 [open] 26.470 ms 26.066 ms 25.703 ms
Traditional traceroute has a hard time getting through firewalls, whereas tcptraceroute passes through them easily. With tcptraceroute, receiving a SYN/ACK means the port is open; receiving a RST means it is closed.
b. tctrace (first cd into its directory)
root@bt:/pentest/enumeration/irpas# ./tctrace -i eth2 -d /doc/571594440.html,
1(1) [10.255.253.1]
2(1) [192.168.3.21]
3(1) [192.168.99.25]
4(1) [192.168.99.33]
5(1) [221.212.120.253]
6(1) [221.212.26.169]
7(1) [221.212.1.213]
8(1) [113.4.128.161]
9(1) [219.158.21.89]
10(1) [124.65.194.26]
11(1) [61.148.155.226]
12(1) [202.106.48.18]
13(all) Timeout
14(1) [61.135.169.125] (reached; open)
The result is the same...
3. Maltego
II. Scanning
Command: ifconfig
ifconfig eth0 10.255.253.200 netmask 255.0.0.0
route add default gw 10.255.253.1
View the routing table: netstat -r
1. arping: arping -c 3 10.255.253.26
2. fping: sends ICMP ECHO requests to many hosts in one go; fast.
fping -s -r 1 -g 10.255.253.1 10.255.253.100
3. genlist
genlist -s 10.255.253.*
4. hping3 -c 2 10.255.253.26 (fully customizable; extremely powerful!!)
hping3 send {ip(daddr=10.255.253.26)+icmp(type=8,code=0)}
5. /doc/571594440.html,scan 10.255.253.26 (only scans Microsoft machines; very fast)
6. nping: nping -c 1 --tcp -p 80 --flags syn 10.255.253.26
nping -c 1 --tcp -p 80 --flags ack 10.255.253.26
nping -c 1 --udp -p 80 ack 10.255.253.26
7. onesixtyone is an SNMP scanning tool; fast.
root@bt:/pentest/enumeration/snmp/onesixtyone/# ./onesixtyone - 10.255.253.1
8. protos: probes which protocols a host, and in particular a router, has enabled.
root@bt:/pentest/enumeration/irpas# ./protos -i eth2 -d 10.255.253.26 -v