DNSRecon: domain information lookup

A hands-on DNSRecon tutorial

The Domain Name System (DNS) is an Internet service. It is a distributed database that maps domain names to IP addresses and back, which makes the Internet easier for people to use. DNS uses UDP port 53. At present each label of a domain name is limited to 63 characters, and the whole name may not exceed 253 characters. DNSRecon, written in Python, performs a range of domain-related information queries.

Finding subdomains

  • baidu.com
┌──(***㉿kali)-[~]
└─$ dnsrecon -d baidu.com
[*] std: Performing General Enumeration against: baidu.com...
[-] DNSSEC is not configured for baidu.com
[*] 	 SOA dns.baidu.com 110.242.68.134
[*] 	 NS dns.baidu.com 110.242.68.134
[*] 	 NS ns3.baidu.com 112.80.248.64
[*] 	 NS ns3.baidu.com 36.152.45.193
[*] 	 NS ns4.baidu.com 14.215.178.80
[*] 	 NS ns4.baidu.com 111.45.3.226
[*] 	 NS ns2.baidu.com 220.181.33.31
[*] 	 NS ns7.baidu.com 180.76.76.92
[*] 	 NS ns7.baidu.com 240e:bf:b801:1002:0:ff:b024:26de
[*] 	 NS ns7.baidu.com 240e:940:603:4:0:ff:b01b:589a
[*] 	 MX mx.maillb.baidu.com 111.202.115.85
[*] 	 MX usmx01.baidu.com 12.0.243.41
[*] 	 MX mx1.baidu.com 111.202.115.85
[*] 	 MX mx1.baidu.com 220.181.3.85
[*] 	 MX mx.n.shifen.com 111.202.115.85
[*] 	 MX mx.n.shifen.com 111.206.215.185
[*] 	 MX mx50.baidu.com 12.0.243.41
[*] 	 MX jpmx.baidu.com 119.63.196.201
[*] 	 A baidu.com 39.156.66.10
[*] 	 A baidu.com 110.242.68.66
[*] 	 TXT baidu.com v=spf1 include:spf1.baidu.com include:spf2.baidu.com include:spf3.baidu.com include:spf4.baidu.com a mx ptr -all
[*] 	 TXT baidu.com _globalsign-domain-verification=qjb28W2jJSrWj04NHpB0CvgK9tle5JkOq-EcyWBgnE
[*] 	 TXT baidu.com google-site-verification=GHb98-6msqyx_qqjGl5eRatD3QTHyVB6-xQ3gJB5UwM
[*] Enumerating SRV Records
[+] 	 SRV _sip._tls.baidu.com sip.baidu.com 111.202.115.68 443
[+] 	 SRV _sipfederationtls._tcp.baidu.com sip.n.shifen.com 111.202.115.68 5061
[+] 	 SRV _sip._tcp.baidu.com vcs.wshifen.com 61.135.165.170 5060
[+] 	 SRV _xmpp-server._tcp.baidu.com xmpp.wshifen.com 61.135.165.169 5269
[+] 	 SRV _h323ls._udp.baidu.com vcs.wshifen.com 61.135.165.170 1719
[+] 	 SRV _sips._tcp.baidu.com vcs.wshifen.com 61.135.165.170 5061
[+] 	 SRV _h323cs._tcp.baidu.com vcs.wshifen.com 61.135.165.170 1720
[+] 	 SRV _xmpp-client._tcp.baidu.com xmpp.wshifen.com 61.135.165.169 5222
[+] 	 SRV _autodiscover._tcp.baidu.com email.baidu.com 111.202.115.87 443
[+] 9 Records Found

Finding domain names within an IP range (rvl: Reverse lookup of a given CIDR or IP range.)

┌──(***㉿kali)-[~]
└─$ dnsrecon -r 211.103.171.80-211.103.172.90 -t rvl
[*] Performing Reverse Lookup from 211.103.171.80 to 211.103.172.90
[+] 	 PTR mail.cncard.com 211.103.171.83
[+] 	 PTR mail.fumu.com 211.103.171.92
[+] 2 Records Found
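The reverse lookup above works by turning every address in the range into a PTR query. The following added example (not part of the original post and not DNSRecon's own code) shows what the two range syntaxes accepted by `-r`, `first-last` and `network/bitmask`, expand to: the individual addresses and the `in-addr.arpa` or `ip6.arpa` owner names that get queried. It relies only on Python's standard `ipaddress` module; the `max_addresses` guard is an assumption of this example, not a dnsrecon option, and the range used in the demonstration is the one from the command above.

```python
import ipaddress
from typing import Dict, List, Union

# Added example: expand the range syntaxes accepted by dnsrecon -r
# ("first-last" or "network/bitmask") into the addresses a reverse lookup
# would query. Not dnsrecon's own code; the max_addresses guard is an
# assumption of this example rather than a dnsrecon feature.

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def expand_range(spec: str, max_addresses: int = 65536) -> List[Address]:
    """Return every address covered by spec.

    Accepts "a.b.c.d-w.x.y.z", "a.b.c.d/n" or a single address. Raises
    ValueError for malformed input, a reversed range, mixed IP versions, or a
    range larger than max_addresses (a guard against queuing millions of PTR
    queries by typo, e.g. writing /8 instead of /28).
    """
    spec = spec.strip()
    if "-" in spec:
        first_s, last_s = (part.strip() for part in spec.split("-", 1))
        first, last = ipaddress.ip_address(first_s), ipaddress.ip_address(last_s)
        if first.version != last.version:
            raise ValueError("range endpoints must use the same IP version")
        if last < first:
            raise ValueError(f"range end {last} precedes start {first}")
        # summarize_address_range yields the minimal set of CIDR blocks that
        # exactly covers first..last, so iterating them visits each address once.
        networks = list(ipaddress.summarize_address_range(first, last))
    else:
        # ip_network handles both "a.b.c.d/n" and a bare address (/32 or /128);
        # strict=False tolerates host bits set in the network part.
        networks = [ipaddress.ip_network(spec, strict=False)]

    total = sum(net.num_addresses for net in networks)
    if total > max_addresses:
        raise ValueError(f"{total} addresses exceeds the limit of {max_addresses}")
    return [addr for net in networks for addr in net]


def ptr_names(spec: str) -> Dict[str, str]:
    """Map each address in spec to the PTR owner name a reverse lookup asks for."""
    return {str(addr): addr.reverse_pointer for addr in expand_range(spec)}


if __name__ == "__main__":
    names = ptr_names("211.103.171.80-211.103.172.90")
    print(f"{len(names)} addresses to query, for example:")
    for ip, owner in list(names.items())[:3]:
        print(f"  {ip:>16}  -> {owner}")
```

The range from the command above covers 267 addresses, so `dnsrecon -t rvl` sends 267 PTR queries and the two `[+] PTR` lines are the only ones that answered. The size guard matters on the defensive side too: a reverse sweep of a large block is the kind of burst a resolver's query logs will show, so keeping ranges tight is both polite and less noisy.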

Searching Bing for subdomains

┌──(***㉿kali)-[~]
└─$ dnsrecon -d baidu.com -t bing                          
[*] bing: baidu.com...
[*] 	 CNAME www.baidu.com www.a.shifen.com
[*] 	 A www.a.shifen.com 110.242.68.3
[*] 	 A www.a.shifen.com 110.242.68.4
[*] 	 CNAME ww.baidu.com ps_other.a.shifen.com
[*] 	 A ps_other.a.shifen.com 110.242.68.66
[*] 	 A home.baidu.com 183.232.232.54
[*] 	 A home.baidu.com 111.206.209.69
[*] 	 A home.baidu.com 180.101.49.156
[*] 	 CNAME hcl.baidu.com hao123.n.shifen.com
[*] 	 A hao123.n.shifen.com 110.242.68.247
[*] 	 CNAME hcl.baidu.com hao123.n.shifen.com
[*] 	 CNAME baike.baidu.com bk.baidu.com
[*] 	 CNAME bk.baidu.com bk.n.shifen.com
[*] 	 A bk.n.shifen.com 111.206.208.228
[*] 	 A bk.n.shifen.com 111.206.208.229
[*] 	 CNAME baike.baidu.com bk.baidu.com
[*] 	 CNAME bk.baidu.com bk.n.shifen.com
[*] 	 CNAME xueshu.baidu.com www.a.shifen.com
[*] 	 A www.a.shifen.com 110.242.68.4
[*] 	 A www.a.shifen.com 110.242.68.3
[*] 	 CNAME ziyuan.baidu.com ziyuan.n.shifen.com
[*] 	 A ziyuan.n.shifen.com 153.3.236.79
[*] 	 A ziyuan.n.shifen.com 112.80.255.152
[*] 	 CNAME star.baidu.com astar.baidu.com
[*] 	 CNAME astar.baidu.com astar.n.shifen.com
[*] 	 A astar.n.shifen.com 110.242.69.223
[*] 	 A bsb.baidu.com 180.101.49.171
[*] 	 A bsb.baidu.com 124.237.176.84
[*] 	 CNAME baijiahao.baidu.com baijiahao.n.shifen.com
[*] 	 A baijiahao.n.shifen.com 111.206.209.3
[*] 	 CNAME cloud.baidu.com bce.baidu.n.shifen.com
[*] 	 A bce.baidu.n.shifen.com 112.80.255.170
[*] 	 A bce.baidu.n.shifen.com 163.177.151.200
[*] 	 CNAME pan.baidu.com yiyun.n.shifen.com
[*] 	 A yiyun.n.shifen.com 110.242.69.43
[*] 	 CNAME pan.baidu.com yiyun.n.shifen.com
[*] 	 CNAME top.baidu.com top.n.shifen.com
[*] 	 A top.n.shifen.com 111.206.209.60
[*] 	 CNAME mobile.baidu.com appc.n.shifen.com
[*] 	 A appc.n.shifen.com 112.80.255.227
[*] 	 A appc.n.shifen.com 110.242.69.12
[*] 	 CNAME mobile.baidu.com appc.n.shifen.com
[*] 	 CNAME union.baidu.com union.e.shifen.com
[*] 	 A union.e.shifen.com 111.206.208.169
[*] 	 CNAME wenku.baidu.com wenku.n.shifen.com
[*] 	 A wenku.n.shifen.com 111.206.210.110
[*] 	 A wenku.n.shifen.com 111.206.210.11
[*] 	 CNAME image.baidu.com image.n.shifen.com
[*] 	 A image.n.shifen.com 110.242.69.132
[*] 	 CNAME fanyi.baidu.com ipv46.fanyi-bfe.n.shifen.com
[*] 	 A ipv46.fanyi-bfe.n.shifen.com 110.242.68.186
[*] 	 CNAME passport.baidu.com passport.n.shifen.com
[*] 	 A passport.n.shifen.com 111.206.208.243
[*] 	 A passport.n.shifen.com 111.206.208.245
[*] 	 CNAME passport.baidu.com passport.n.shifen.com
[*] 	 CNAME mr.baidu.com mbdown.n.shifen.com
[*] 	 A mbdown.n.shifen.com 111.206.209.136
[*] 	 A mbdown.n.shifen.com 110.242.68.155
[*] 	 CNAME zhongbao.baidu.com crowdtestatmp.n.shifen.com
[*] 	 A crowdtestatmp.n.shifen.com 110.242.69.167
[*] 	 CNAME yun.baidu.com yiyun.n.shifen.com
[*] 	 A yiyun.n.shifen.com 110.242.69.43
[*] 	 CNAME yun.baidu.com yiyun.n.shifen.com
[*] 	 CNAME ai.baidu.com ai.n.shifen.com
[*] 	 A ai.n.shifen.com 110.242.69.34
[*] 	 CNAME www2.baidu.com www2.e.shifen.com
[*] 	 A www2.e.shifen.com 153.3.236.108
[*] 	 CNAME map.baidu.com map.n.shifen.com
[*] 	 A map.n.shifen.com 111.206.208.32
[*] 	 CNAME map.baidu.com map.n.shifen.com
[*] 	 CNAME zhidao.baidu.com iknow.baidu.com
[*] 	 CNAME iknow.baidu.com iknow.n.shifen.com
[*] 	 A iknow.n.shifen.com 111.206.209.78
[*] 	 A iknow.n.shifen.com 111.206.209.79
[*] 	 CNAME maps.baidu.com map.baidu.com
[*] 	 CNAME map.baidu.com map.n.shifen.com
[*] 	 A map.n.shifen.com 111.206.208.32
[*] 	 CNAME maps.baidu.com map.baidu.com
[*] 	 CNAME map.baidu.com map.n.shifen.com
[*] 	 CNAME b2b.baidu.com b2b.e.shifen.com
[*] 	 A b2b.e.shifen.com 111.206.209.93
[*] 	 CNAME b2b.baidu.com b2b.e.shifen.com
[*] 	 CNAME yuedu.baidu.com reading.n.shifen.com
[*] 	 A reading.n.shifen.com 110.242.69.248
[*] 	 CNAME lbsyun.baidu.com lbsyun.map.n.shifen.com
[*] 	 A lbsyun.map.n.shifen.com 111.206.208.72
[*] 	 CNAME lbsyun.baidu.com lbsyun.map.n.shifen.com
[*] 	 CNAME jingyan.baidu.com jingyan.n.shifen.com
[*] 	 A jingyan.n.shifen.com 110.242.69.184
[*] 	 A jingyan.n.shifen.com 111.206.209.109
[*] 	 A jingyan.n.shifen.com 111.206.209.111
[*] 	 CNAME jingyan.baidu.com jingyan.n.shifen.com
[*] 	 CNAME test.baidu.com crowdtestatmp.n.shifen.com
[*] 	 A crowdtestatmp.n.shifen.com 110.242.69.167
[*] 	 CNAME haokan.baidu.com nvideo.n.shifen.com
[*] 	 A nvideo.n.shifen.com 111.206.209.29
[*] 	 CNAME shouji.baidu.com appc.n.shifen.com
[*] 	 A appc.n.shifen.com 110.242.69.12
[*] 	 A appc.n.shifen.com 112.80.255.227
[*] 	 CNAME shouji.baidu.com appc.n.shifen.com
[*] 	 CNAME wan.baidu.com gamenew.n.shifen.com
[*] 	 A gamenew.n.shifen.com 110.242.69.7
[*] 	 A gamenew.n.shifen.com 110.242.69.67
[*] 	 A index.baidu.com 111.206.208.193
[*] 	 A index.baidu.com 220.181.107.164
[*] 	 CNAME cas.baidu.com cas.e.shifen.com
[*] 	 A cas.e.shifen.com 153.3.236.108
[*] 	 CNAME shurufa.baidu.com shurufa.n.shifen.com
[*] 	 A shurufa.n.shifen.com 111.206.209.92
[*] 	 A shurufa.n.shifen.com 112.80.248.251
[*] 	 A shurufa.n.shifen.com 157.255.77.167
[*] 	 CNAME haoma.baidu.com mobsec.n.shifen.com
[*] 	 A mobsec.n.shifen.com 112.80.248.171
[*] 	 CNAME haoma.baidu.com mobsec.n.shifen.com
[*] 	 CNAME naotu.baidu.com sugar.n.shifen.com
[*] 	 A sugar.n.shifen.com 112.80.248.37
[*] 	 CNAME jiameng.baidu.com jiameng.e.shifen.com
[*] 	 A jiameng.e.shifen.com 110.242.68.246
[*] 	 CNAME jiameng.baidu.com jiameng.e.shifen.com
[*] 	 CNAME aiqicha.baidu.com cs.e.shifen.com
[*] 	 A cs.e.shifen.com 110.242.68.102
[*] 	 CNAME hanyu.baidu.com hanyu.a.shifen.com
[*] 	 A hanyu.a.shifen.com 110.242.68.153
[*] 	 CNAME hanyu.baidu.com hanyu.a.shifen.com
[*] 	 CNAME kaifa.baidu.com kaifa.n.shifen.com
[*] 	 A kaifa.n.shifen.com 111.206.208.45
[*] 	 A kaifa.n.shifen.com 157.255.71.62
[*] 	 CNAME p.qiao.baidu.com p.qiao.e.shifen.com
[*] 	 A p.qiao.e.shifen.com 111.206.210.57
[*] 	 A p.qiao.e.shifen.com 111.206.210.56
[+] 130 Records Found
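Both listings above share one line format, `[*] <TYPE> <name> <value>`, and the Bing listing repeats the same CNAME chain once for every search hit, which is why "130 Records Found" is far more than the number of distinct hosts. The following added example (not the original post's code and not part of DNSRecon) parses that output into unique records, counts them by type, and follows CNAME chains such as `maps.baidu.com -> map.baidu.com -> map.n.shifen.com` to the addresses they end at. The sample input is a constructed handful of lines copied from the output above; the `max_hops` loop guard and the helper names are assumptions of this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Added example, not dnsrecon's own code: parse the record lines dnsrecon
# prints ("[*] <TYPE> <name> <value...>"), drop exact duplicates (the bing
# module reports a CNAME chain once per search hit), and follow CNAME chains
# to the addresses they end at.

Record = Tuple[str, str, str]  # (type, owner name, value as printed)

# "[*]" prefixes std/bing records, "[+]" prefixes SRV/PTR findings; the gap
# between the marker and the type is a space plus a tab in real output.
LINE_RE = re.compile(r"^\[[*+]\]\s+(?P<type>[A-Z]+)\s+(?P<name>\S+)\s+(?P<value>.+?)\s*$")


def parse_records(output: str) -> List[Record]:
    """Parse dnsrecon text output into unique (type, name, value) records, in order."""
    seen: Set[Record] = set()
    records: List[Record] = []
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if not match:  # status lines such as "[*] bing: ..." or "[+] 9 Records Found"
            continue
        record = (match["type"], match["name"].lower(), match["value"])
        if record not in seen:
            seen.add(record)
            records.append(record)
    return records


def count_by_type(records: List[Record]) -> Dict[str, int]:
    """Count unique records per type, e.g. {"CNAME": 2, "A": 2, "SRV": 1}."""
    counts: Dict[str, int] = defaultdict(int)
    for rtype, _, _ in records:
        counts[rtype] += 1
    return dict(counts)


def build_index(records: List[Record]) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Return (CNAME target by owner, A/AAAA addresses by owner)."""
    cnames: Dict[str, str] = {}
    addresses: Dict[str, Set[str]] = defaultdict(set)
    for rtype, name, value in records:
        if rtype == "CNAME":
            cnames[name] = value.lower()
        elif rtype in ("A", "AAAA"):
            addresses[name].add(value)
    return cnames, dict(addresses)


def resolve_chain(name: str, cnames: Dict[str, str], addresses: Dict[str, Set[str]],
                  max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Follow CNAMEs from name; return (chain of names, sorted terminal addresses).

    Stops on a CNAME loop or after max_hops so malformed data cannot spin forever.
    """
    chain = [name.lower()]
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = cnames[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain, sorted(addresses.get(chain[-1], ()))


# Constructed sample: a few lines copied from the bing output above, including
# the duplicated maps.baidu.com chain and one SRV line from the std run.
SAMPLE_OUTPUT = "\n".join([
    "[*] bing: baidu.com...",
    "[*] \t CNAME maps.baidu.com map.baidu.com",
    "[*] \t CNAME map.baidu.com map.n.shifen.com",
    "[*] \t A map.n.shifen.com 111.206.208.32",
    "[*] \t CNAME maps.baidu.com map.baidu.com",
    "[*] \t CNAME map.baidu.com map.n.shifen.com",
    "[*] \t A home.baidu.com 183.232.232.54",
    "[+] \t SRV _sip._tls.baidu.com sip.baidu.com 111.202.115.68 443",
    "[+] 130 Records Found",
])


def chains_for_sample() -> Dict[str, Tuple[List[str], List[str]]]:
    """Resolve every owner name in the sample to its chain and final addresses."""
    records = parse_records(SAMPLE_OUTPUT)
    cnames, addresses = build_index(records)
    owners = sorted({name for rtype, name, _ in records if rtype in ("CNAME", "A", "AAAA")})
    return {owner: resolve_chain(owner, cnames, addresses) for owner in owners}


if __name__ == "__main__":
    print(count_by_type(parse_records(SAMPLE_OUTPUT)))
    for owner, (chain, addrs) in chains_for_sample().items():
        print(f"{' -> '.join(chain)}  =>  {', '.join(addrs) or '(no address)'}")
```

Deduplicating and collapsing chains turns the noisy listing into an inventory of which public names land on which addresses, which is the view a defender wants when checking for forgotten hostnames or CNAMEs that point at infrastructure the organisation no longer controls.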

References and more

usage: dnsrecon.py [-h] [-d DOMAIN] [-n NS_SERVER] [-r RANGE] [-D DICTIONARY]
                   [-f] [-a] [-s] [-b] [-y] [-k] [-w] [-z] [--threads THREADS]
                   [--lifetime LIFETIME] [--tcp] [--db DB] [-x XML] [-c CSV]
                   [-j JSON] [--iw] [--disable_check_recursion]
                   [--disable_check_bindversion] [-V] [-v] [-t TYPE]

options:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Target domain.
  -n NS_SERVER, --name_server NS_SERVER
                        Domain server to use. If none is given, the SOA of the target will be used. Multiple servers can be specified using a comma separated list.
  -r RANGE, --range RANGE
                        IP range for reverse lookup brute force in formats   (first-last) or in (range/bitmask).
  -D DICTIONARY, --dictionary DICTIONARY
                        Dictionary file of subdomain and hostnames to use for brute force. Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records.
  -f                    Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records.
  -a                    Perform AXFR with standard enumeration.
  -s                    Perform a reverse lookup of IPv4 ranges in the SPF record with standard enumeration.
  -b                    Perform Bing enumeration with standard enumeration.
  -y                    Perform Yandex enumeration with standard enumeration.
  -k                    Perform crt.sh enumeration with standard enumeration.
  -w                    Perform deep whois record analysis and reverse lookup of IP ranges found through Whois when doing a standard enumeration.
  -z                    Performs a DNSSEC zone walk with standard enumeration.
  --threads THREADS     Number of threads to use in reverse lookups, forward lookups, brute force and SRV record enumeration.
  --lifetime LIFETIME   Time to wait for a server to respond to a query. default is 3
  --tcp                 Use TCP protocol to make queries.
  --db DB               SQLite 3 file to save found records.
  -x XML, --xml XML     XML file to save found records.
  -c CSV, --csv CSV     Save output to a comma separated value file.
  -j JSON, --json JSON  save output to a JSON file.
  --iw                  Continue brute forcing a domain even if a wildcard record is discovered.
  --disable_check_recursion
                        Disables check for recursion on name servers
  --disable_check_bindversion
                        Disables check for BIND version on name servers
  -V, --version         Show DNSrecon version
  -v, --verbose         Enable verbose
  -t TYPE, --type TYPE  Type of enumeration to perform.
                        Possible types:
                            std:      SOA, NS, A, AAAA, MX and SRV.
                            rvl:      Reverse lookup of a given CIDR or IP range.
                            brt:      Brute force domains and hosts using a given dictionary.
                            srv:      SRV records.
                            axfr:     Test all NS servers for a zone transfer.
                            bing:     Perform Bing search for subdomains and hosts.
                            yand:     Perform Yandex search for subdomains and hosts.
                            crt:      Perform crt.sh search for subdomains and hosts.
                            snoop:    Perform cache snooping against all NS servers for a given domain, testing
                                      all with file containing the domains, file given with -D option.
                        
                            tld:      Remove the TLD of given domain and test against all TLDs registered in IANA.
                            zonewalk: Perform a DNSSEC zone walk using NSEC records.
### Techniques for finding a site's hidden domain names or DNS records

To find a site's hidden domain names or DNS records, the following techniques can be used:

#### 1. Use DNS query tools

Running `dig ANY` requests every record the DNS server is willing to return for a name. For example:

```bash
dig ANY example.com @8.8.8.8
```

This command attempts to retrieve all DNS records for `example.com` from Google's public DNS server (8.8.8.8)[^1].

#### 2. Use automated tools for subdomain enumeration

Tools such as `dnsenum` and `dnsrecon` help testers discover hidden subdomains. Two example commands:

- Use `dnsenum` to enumerate subdomains and save the results to a file:

```bash
dnsenum --dnsserver 8.8.8.8 --enum -p 0 -s 0 -o output.txt example.com
```

- Use `dnsrecon` to run its standard enumeration (SOA, NS, A, AAAA, MX and SRV records) against a chosen name server. The enumeration type must be one listed in the help output above; there is no `any` type, so `std` is used here:

```bash
dnsrecon -d example.com -t std -n 8.8.8.8
```

These tools discover candidate subdomains through dictionary attacks and recursive queries[^1].

#### 3. Analyse DNS cache poisoning and hijacking risk

Understanding how DNS cache poisoning and DNS hijacking work helps to identify DNS records that may have been tampered with. For example, a home router with a weak password or a known vulnerability can have its DNS settings changed by an attacker, sending users to malicious sites[^4]. Checking the security of the DNS configuration is therefore an important step.

#### 4. Use online services and public data sources

Some online services scan for the subdomains of a given domain, for example:

- **crt.sh**: query subdomain names that appear in SSL certificates.
- **SecurityTrails**: historical DNS data and related subdomains.
- **VirusTotal**: submit the target domain to obtain its DNS resolution history.

#### 5. Consider NAT and the DNS resolution mechanism

NAT can affect what DNS resolution shows in some situations. For example, NAT in an enterprise network can mean that internal services are not directly reachable from outside. Understanding NAT's role helps in judging whether DNS records are affected by the network environment[^3].

### Example code

The following Python script uses the `dnspython` library to brute-force subdomains:

```python
import dns.exception
import dns.resolver


def resolve_domain(domain):
    """Return the A record addresses for domain, or [] if it does not resolve."""
    try:
        answers = dns.resolver.resolve(domain, "A")
        return [answer.address for answer in answers]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
            dns.resolver.NoNameservers, dns.exception.Timeout):
        return []


subdomains = ["www", "mail", "ftp", "admin"]
base_domain = "example.com"

for subdomain in subdomains:
    full_domain = f"{subdomain}.{base_domain}"
    ips = resolve_domain(full_domain)
    if ips:
        print(f"{full_domain}: {ips}")
```
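The script above reports every dictionary word that resolves, which is misleading on a zone with a wildcard record: every name resolves, to the same address. That is the situation dnsrecon's `-f` and `--iw` options deal with. The following added example (not the original post's code and not part of DNSRecon) is the same dictionary approach made wildcard-aware. The resolver is injected as a callable so the logic can be exercised offline against a constructed zone in the documentation range 192.0.2.0/24; `dnspython_resolver` is the live equivalent, and the helper names, the probe count and the fake zone are assumptions of this example.

```python
import secrets
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Added example, not part of the original post and not dnsrecon's code: a
# wildcard-aware dictionary lookup, which is what dnsrecon's -f / --iw options
# are about. The resolver is a callable so the logic runs offline against a
# constructed zone; dnspython_resolver() is the live equivalent.

Resolver = Callable[[str], List[str]]  # hostname -> A record addresses, [] if none


def detect_wildcard(base_domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random, certainly unregistered labels.

    Any address that comes back is a wildcard answer: the zone returns it for
    every name, so it says nothing about a dictionary word being a real host.
    """
    wildcard: Set[str] = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars; not a real host name
        wildcard.update(resolve(f"{label}.{base_domain}"))
    return wildcard


def brute_force(base_domain: str, words: Iterable[str], resolve: Resolver,
                filter_wildcard: bool = True) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Return ({hostname: non-wildcard addresses}, wildcard addresses seen)."""
    wildcard = detect_wildcard(base_domain, resolve) if filter_wildcard else set()
    found: Dict[str, List[str]] = {}
    for word in words:
        host = f"{word}.{base_domain}"
        addresses = [ip for ip in resolve(host) if ip not in wildcard]
        if addresses:
            found[host] = addresses
    return found, wildcard


def make_fake_resolver(zone: Dict[str, List[str]], base_domain: str,
                       wildcard_ip: str = "") -> Resolver:
    """Constructed resolver for offline use: explicit zone entries plus an
    optional wildcard that answers for any other name under base_domain."""
    def resolve(host: str) -> List[str]:
        if host in zone:
            return list(zone[host])
        if wildcard_ip and host.endswith("." + base_domain):
            return [wildcard_ip]
        return []
    return resolve


def dnspython_resolver(host: str) -> List[str]:
    """Live resolver using dnspython (the library the script above also uses)."""
    import dns.exception
    import dns.resolver
    try:
        return [r.address for r in dns.resolver.resolve(host, "A")]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
            dns.resolver.NoNameservers, dns.exception.Timeout):
        return []


# Constructed zone (documentation range 192.0.2.0/24). mail.example.com
# deliberately shares the wildcard address to show the cost of filtering.
FAKE_ZONE = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.20", "192.0.2.99"],
}
WORDS = ["www", "mail", "ftp", "admin"]


def demo(filter_wildcard: bool = True) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Run the dictionary against the fake zone, with or without wildcard filtering."""
    resolve = make_fake_resolver(FAKE_ZONE, "example.com", wildcard_ip="192.0.2.99")
    return brute_force("example.com", WORDS, resolve, filter_wildcard)


if __name__ == "__main__":
    found, wildcard = demo()
    print(f"wildcard addresses: {sorted(wildcard)}")
    for host, ips in found.items():
        print(f"{host}: {ips}")
```

With filtering on, `ftp` and `admin` disappear because they only ever resolved to the wildcard address; with it off they show up as false positives. Note the trade-off the filter brings, which applies to dnsrecon's `-f` as well: `mail.example.com` genuinely has the wildcard address among its records and that address is dropped, so a host that happens to live on the wildcard IP can be under-reported.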