Notes on commonly used Kali tools


1. DNS enumeration tool DNSenum

root@kali:~# dnsenum --enum www.cisco.com
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
Warning: can't load Net::Whois::IP module, whois queries disabled.
Warning: can't load WWW::Mechanize module, Google scraping desabled.

----- www.cisco.com -----


Host's addresses:
__________________

e2867.ca2.s.tl88.net. 19 IN A 221.194.155.132


Name Servers:
______________

Error: can't continue no NS record for www.cisco.com
root@kali:~#

2. DNS enumeration tool fierce

root@kali:~# fierce -dns baidu.com
DNS Servers for baidu.com:
dns.baidu.com
ns2.baidu.com
ns7.baidu.com
ns4.baidu.com
ns3.baidu.com

Trying zone transfer first...
Testing dns.baidu.com
Request timed out or transfer not allowed.
Testing ns2.baidu.com
Request timed out or transfer not allowed.
Testing ns7.baidu.com
Request timed out or transfer not allowed.
Testing ns4.baidu.com
Request timed out or transfer not allowed.
Testing ns3.baidu.com
Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
10.94.49.39 access.baidu.com
182.61.62.50 ad.baidu.com
10.26.109.19 admin.baidu.com
10.42.4.225 ads.baidu.com
157.255.77.113 af.baidu.com
123.125.114.87 af.baidu.com
10.99.87.18 asm.baidu.com
10.143.145.28 backup.baidu.com
10.42.4.177 bugs.baidu.com
10.23.250.58 build.baidu.com
10.180.113.175 cc.baidu.com
10.16.80.154 cc.baidu.com
220.181.107.211 cert.baidu.com
111.206.37.138 cf.baidu.com
10.46.11.136 check.baidu.com
106.120.159.243 ck.baidu.com
10.242.112.16 client.baidu.com
10.26.137.29 com.baidu.com
10.114.40.21 con.baidu.com
39.156.66.150 crm.baidu.com
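
The brute-force results above include names that resolve to 10.x addresses, which means internal addressing is being published in public DNS. The following Python script is an added example, not part of the original page: it audits fierce-style output from your own zone for RFC 1918 leaks. The sample lines and the example.test names are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges: addresses that should not appear in a publicly served zone.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the same "IP hostname" layout as the fierce output above.
SAMPLE = """\
Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
10.94.49.39 access.example.test
203.0.113.50 ad.example.test
10.26.109.19 admin.example.test
198.51.100.113 af.example.test
198.51.100.87 af.example.test
192.168.4.177 bugs.example.test
172.20.1.9 build.example.test
"""

LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")

def parse_fierce(text):
    """Yield (ip, hostname) pairs; banner and status lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m.group(1)), m.group(2).rstrip(".").lower()
        except ValueError:  # looks like an IP but is not one, e.g. 999.1.1.1
            continue

def internal_leaks(text):
    """Map hostname -> sorted list of RFC 1918 addresses it resolves to."""
    leaks = defaultdict(set)
    for ip, host in parse_fierce(text):
        if any(ip in net for net in RFC1918):
            leaks[host].add(ip)
    return {h: [str(i) for i in sorted(ips)] for h, ips in sorted(leaks.items())}

if __name__ == "__main__":
    for host, ips in internal_leaks(SAMPLE).items():
        print(f"{host}: {', '.join(ips)}")
```

Records flagged this way are candidates for moving to a split-horizon (internal-only) view of the zone.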

3. snmpwalk: querying specified OID values

root@kali:~/kali# snmpwalk -c public 10.10.1.254 -v 1

4. snmpcheck query

root@kali:~/kali# snmpcheck -t 10.10.1.254

5. Using scapy

scapy is an interactive tool, used here for route tracing.

root@kali:~/kali# scapy

>>> ans,unans=sr(IP(dst="www.baidu.com/30",ttl=(1,6))/TCP())

Begin emission:
..................................................Finished sending 24 packets.
............................**..............*.*.*..*.*..............................*....***..*..*....*....*...........................*.**.*.*
Received 193 packets, got 20 answers, remaining 0 packets
>>>

>>> ans.make_table(lambda sr: (sr[0].dst, sr[0].ttl, sr[1].src))
  61.135.169.120 61.135.169.121 61.135.169.122 61.135.169.123
1 10.10.1.254    10.10.1.254    10.10.1.254    10.10.1.254
2 192.168.1.1    192.168.1.1    192.168.1.1    192.168.1.1
3 10.70.0.1      10.70.0.1      10.70.0.1      10.70.0.1
4 123.126.26.49  125.33.187.41  61.148.158.53  124.65.59.49
5 124.65.56.133  123.126.9.138  124.65.63.210  -
6 202.106.227.30 -              -              -
>>>

6. nmap: probing for live hosts

root@kali:~/kali# nmap -sP 123.103.15.129
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 23:38 CST
Nmap scan report for 123.103.15.129-BJ-CNC (123.103.15.129)
Host is up (0.0033s latency).
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds
root@kali:~/kali#

7. Using nping

nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
nping --icmp --icmp-type time --delay 500ms 192.168.254.254
nping --echo-server "public" -e wlan0 -vvv
nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack

8. p0f

A passive fingerprinting tool.

9. netdiscover

Scans the local network for hosts using ARP.


42 Captured ARP Req/Rep packets, from 4 hosts. Total size: 2520
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.10.1.254 0c:4b:54:71:88:b9 11 660 TP-LINK TECHNOLOGIES CO.,LTD.
10.10.1.1 18:31:bf:cc:66:59 24 1440 ASUSTek COMPUTER INC.
0.0.0.0 5c:c3:07:d9:ac:fa 4 240 HUAWEI TECHNOLOGIES CO.,LTD
10.10.1.4 5c:c3:07:d9:ac:fa 3 180 HUAWEI TECHNOLOGIES CO.,LTD

10. The shodan tool

www.shodanhq.com

