Information Gathering with Kali (Top Tools)

Info Gathering – Top Tools

  1. dmitry
  2. nmap
  3. dnmap-client
  4. dnmap-server
  5. ike-scan
  6. maltegoce
  7. netdiscover
  8. p0f
  9. recon-ng
  10. sparta
  11. zenmap

dmitry: gathering information from a domain name

First, dmitry, which collects information related to a domain name:

Using dmitry (the help text, with notes on the flags that matter):

```text
Deepmagic Information Gathering Tool
"There be some deep magic going on"

Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
  -o      Save output to %host.txt or to file specified by -o file
          # writes the collected data to %host.txt
  -i      Perform a whois lookup on the IP address of a host
          # whois: owner of the IP address
  -w      Perform a whois lookup on the domain name of a host
          # whois: owner of the domain name
  -n      Retrieve Netcraft.com information on a host
  -s      Perform a search for possible subdomains
          # subdomains
  -e      Perform a search for possible email addresses
          # e-mail addresses associated with the domain
  -p      Perform a TCP port scan on a host
          # which ports are open on the host
* -f      Perform a TCP port scan on a host showing output reporting filtered ports
* -b      Read in the banner received from the scanned port
* -t 0-9  Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
```

Typical invocations:

```shell
# collect everything
dmitry -winsepfb mydomain.com

# whois data only
dmitry -w mydomain.com

# collect everything and store it in textfile.txt
dmitry -winsepo textfile.txt mydomain.com

# collect everything, store it in 127.0.0.1.txt, and show banners and filtered ports
dmitry -winsepfbo 127.0.0.1
```

Some of the lookups performed by the commands above fail when run from mainland China, because Google cannot be reached from there.

nmap

nmap is short for Network Mapper. It is a very powerful tool for network scanning and probing: it sends raw packets to determine whether a host is online, which services it exposes, the operating system type and version, and whether a firewall or other filtering device sits in the path. It is commonly used to survey a network, i.e. to find which hosts are alive and which services are running.

nmap's output is a list of results for each target host, giving port, protocol, service and service state.

Service (port) states:

  1. Open: a service on the target is listening on the port and accepting connections.
  2. Filtered: a firewall or other filter blocks the probes, so nmap cannot tell whether the port is open or closed.
  3. Closed: no service is listening right now, although one could start at any time.
  4. Unfiltered: the port is reachable, but nmap cannot determine whether it is open or closed.
  5. Open|Filtered or Closed|Filtered: nmap could not decide between the two states.

Official site: https://nmap.org

How nmap is invoked:

```text
nmap <scan technique> <options> <target>
```

Target specification:

```text
Targets can be hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: read the targets from a file
-iR <num hosts>: pick <num hosts> random targets
--exclude <host1[,host2][,host3],...>: exclude the given hosts/networks
--excludefile <exclude_file>: exclude the hosts listed in a file
```
Options: host discovery

```text
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
```
Scan techniques

```text
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
```
Port specification and scan order

```text
-p <port ranges>: Only scan specified ports
  Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
```
Service and version detection

```text
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
```
Script scan

```text
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
         directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
         <Lua scripts> is a comma-separated list of script-files or
         script-categories.
```
OS detection

```text
-O: Enable OS detection (a capital letter O, not a zero)
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
```
Timing and performance

```text
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
    probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
```

Firewall/IDS evasion and spoofing

```text
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
```

Output

```text
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
   and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
```
Misc

```text
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
```
Examples

```shell
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
```

For full details see the reference guide: https://nmap.org/book/man.html
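As an added example (not part of the original post), the following Python parses the XML that `-oX` writes and tallies each host's ports into the states listed above; the XML sample is constructed rather than taken from a real scan, and the `reason` attribute it reads is the one `--reason` makes nmap record.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of nmap -oX output (not from a real scan), trimmed to the
# elements the parser reads; the UDP port shows the open|filtered state.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p T:22,80,443,8080,U:53 --reason -oX out.xml 192.0.2.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/><service name="http-proxy"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return {addr: [(port, proto, state, reason, service), ...]}; hosts that are down yield []."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            entries.append((int(port.get("portid")), port.get("protocol"),
                            state.get("state"), state.get("reason"),
                            service.get("name") if service is not None else ""))
        results[addr] = entries
    return results

def state_summary(results):
    """Per host, count ports in each state (open, filtered, closed, unfiltered, open|filtered ...)."""
    return {addr: dict(Counter(e[2] for e in entries)) for addr, entries in results.items()}

def open_ports(results, addr):
    """Ports reported strictly 'open'; open|filtered is deliberately not counted as open."""
    return sorted((p, proto) for p, proto, state, _, _ in results[addr] if state == "open")

if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    for addr, counts in state_summary(scan).items():
        print(addr, counts, "open:", open_ports(scan, addr))
```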

dnmap

dnmap is a distributed nmap framework: the server loads a file of nmap commands, and the clients execute those commands concurrently.

The framework has a client/server structure. The server hands out the commands to be executed to the clients. All logic and result analysis stay on the server, while the nmap output is kept on both the client and the server.

It is normally used when there is a large number of targets to scan, and it only speeds things up when several clients are connected to the server.

dnmap_server (the server)

dnmap_server options:

```text
usage: /usr/bin/dnmap_server -options
options:
  -f, --nmap-commands    file of nmap commands to hand out
  -p, --port             port the server listens on
  -L, --log-file         log file, default /var/log/dnmap_server.conf.
  -l, --log-level        log level, default info.
  -v, --verbose_level    verbosity level 1-5. Default 1. 0 means quiet.
  -t, --client-timeout   client timeout
  -s, --sort             sort clients by: Alias, Commands, UpTime, RunCmdXMin, AvrCmdXMin, Status
  -P, --pem-file         certificate for the TLS connection, default server.pem in the current directory
```

dnmap_server records the commands it has already handed out in the '.dnmaptrace' file so that an interrupted run can be resumed where it left off; delete that file to start again from the beginning.

dnmap_client (the client)

dnmap_client options:

```text
usage: /usr/bin/dnmap_client -options
options:
  -s, --server-ip     server IP.
  -p, --server-port   server port, default 46001
  -a, --alias         alias for this client, optional
  -d, --debug         debug mode.
  -m, --max-rate      maximum execution rate, used to slow the client down, e.g. --max-rate 20
```
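Added example, not code from the dnmap project: a small Python helper that writes the commands file `dnmap_server -f` loads for an inventory scan of your own address space. It assumes the documented format of one nmap command per line, and splits large networks into smaller chunks so that each connected client gets its own unit of work, which is the only situation in which dnmap speeds a scan up; the nmap option string and the /26 chunk size are assumptions.

```python
import ipaddress

def dnmap_command_lines(targets, nmap_opts="-sS -Pn -p 22,80,443", new_prefix=26):
    """Build the lines of the commands file that dnmap_server -f reads.

    Assumed file format (from the tool's documentation): one nmap command per
    line. Each line is one unit of work handed to a single dnmap_client, so a
    large network is split into /new_prefix chunks: more lines means more
    clients can run in parallel. Every chunk writes its own -oA file set so
    that results from different clients do not overwrite each other.
    """
    lines = []
    for target in targets:
        net = ipaddress.ip_network(target, strict=False)
        if net.prefixlen >= new_prefix:
            chunks = [net]                      # small network or single host: one line
        else:
            chunks = list(net.subnets(new_prefix=new_prefix))
        for chunk in chunks:
            tag = str(chunk).replace("/", "_")  # safe basename for -oA output files
            lines.append(f"nmap {nmap_opts} {chunk} -oA {tag}")
    return lines

def write_commands_file(path, targets, **kwargs):
    """Write the commands file and return the number of work units it contains."""
    lines = dnmap_command_lines(targets, **kwargs)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)

if __name__ == "__main__":
    # Documentation ranges used as constructed sample input.
    for line in dnmap_command_lines(["192.0.2.0/24", "198.51.100.7"]):
        print(line)
```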

ike-scan: scans for VPN servers (IKE)

maltegoce: a graphical tool that mines related information starting from what you already know

References:

http://wifibeta.com/2012-03/thread-675-1-1.html

http://blog.sina.com.cn/s/blog_a2a39c680102vxw0.html

netdiscover
