kali 子域名搜集工具学习记录

# fierce

主要是对子域名进行扫描和收集信息，并且它还可以测试区域传送漏洞。

kali 2022.1 apt-get 安装的fierce并没有 -dns参数，需要手动下载,下载后有个fierce.pl 文件

下载地址

安装后，用perl fierce.pl -h 可以看到下面的信息，多出来了-dns

└─$ perl fierce.pl -h |more
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

    Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Overview:
    Fierce is a semi-lightweight scanner that helps locate non-contiguous
    IP space and hostnames against specified domains.  It's really meant
    as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
    of those require that you already know what IP space you are looking
    for.  This does not perform exploitation and does not scan the whole
    internet indiscriminately.  It is meant specifically to locate likely
    targets both inside and outside a corporate network.  Because it uses
    DNS primarily you will often find mis-configured networks that leak
    internal address space. That's especially useful in targeted malware.

Options:
    -connect    Attempt to make http connections to any non RFC1918
        (public) addresses.  This will output the return headers but
        be warned, this could take a long time against a company with
        many targets, depending on network/machine lag.  I wouldn't
        recommend doing this unless it's a small company or you have a
        lot of free time on your hands (could take hours-days).
        Inside the file specified the text "Host:\n" will be replaced
        by the host specified. Usage:

    perl fierce.pl -dns example.com -connect headers.txt

    -delay        The number of seconds to wait between lookups.
    -dns        The domain you would like scanned.
    -dnsfile      Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).
    -dnsserver    Use a particular DNS server for reverse lookups
        (probably should be the DNS server of the target).  Fierce
        uses your DNS server for the initial SOA query and then uses
        the target's DNS server for all additional queries by default.
    -file        A file you would like to output to be logged to.
    -fulloutput    When combined with -connect this will output everything
        the webserver sends back, not just the HTTP headers.
    -help        This screen.
    -nopattern    Don't use a search pattern when looking for nearby
        hosts.  Instead dump everything.  This is really noisy but
        is useful for finding other domains that spammers might be
        using.  It will also give you lots of false positives,
        especially on large domains.

但是，-domain 有没有了，所以最好两个版本都保留，为了方便使用可以做个软连接.

# dnsenum

dnsenum <域名>

-f <file>

主机地址信息、域名服务器、mx reccord(交换记录),在域名上执行axfr请求

# dnswalk <域名>

判断域名所对应的服务器是否存在DNS Zone transfers漏洞

# amass

amass -enum -d <域名> ## 枚举和网络映射

amass -enum -passive -d <域名> -src ## 枚举并显示来源

amass enum -share -d