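Kali Linux Penetration Testing: Passive Information Gathering 3 (the Recon-NG Framework)
The Recon-NG Framework
(1) Introduction to the Recon-NG framework
- Recon-NG is an open-source web reconnaissance (information gathering) framework written in Python; its command syntax matches that of msf;
- Recon-NG is a full-featured tool that automates information gathering and network reconnaissance. It stores query results in a structured database and has reporting modules that export those results as reports. The sections below show how to use it.
(2) Starting the Recon-NG framework
2.1> Start the Recon-NG framework
# recon-ng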
[recon-ng v4.9.2, Tim Tomes (@LaNMaSteR53)]
[77] Recon modules # 77 recon modules
[8] Reporting modules # 8 reporting modules
[2] Import modules # 2 import modules
[2] Exploitation modules # 2 exploitation modules
[2] Discovery modules # 2 discovery modules
[recon-ng][default] > # this prompt shows the framework started successfully
2.2> Once inside the Recon-NG framework, use help to list all available commands;
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
add Adds records to the database # add records to the database
back Exits the current context # exit the current context
delete Deletes records from the database # delete records from the database
exit Exits the framework # exit the framework
help Displays this menu # show the help menu
keys Manages framework API keys # manage the framework's API keys
load Loads specified module # load the specified module
pdb Starts a Python Debugger session # start a Python debugger session
query Queries the database # query the database
record Records commands to a resource file # record commands to a resource file
reload Reloads all modules # reload all modules
resource Executes commands from a resource file # execute commands from a resource file
search Searches available modules # search for modules
set Sets module options # set module options
shell Executes shell commands # execute shell commands
show Shows various framework items # show various framework items
snapshots Manages workspace snapshots # manage workspace snapshots
spool Spools output to a file # write output to a file
unset Unsets module options # unset module options
use Loads specified module # use a module
workspaces Manages workspaces # manage workspaces
2.3> Help for the Recon-NG framework's command-line arguments;
[recon-ng][default] > recon-ng -h
[*] Command: recon-ng -h
usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check]
[--no-analytics]
recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com
optional arguments:
-h, --help show this help message and exit # show the help message and exit
-v, --version show program's version number and exit # show the version number and exit
-w workspace load/create a workspace # load or create a workspace
-r filename load commands from a resource file # load commands from a resource file
--no-check disable version check # skip the recon-ng version check at startup
--no-analytics disable analytics reporting # disable analytics reporting at startup
2.4> Recon-NG has its own database for storing the information it collects; show schema displays the structure of that database (the hosts table is used later).
[recon-ng][sina] > show schema
+---------------+
| domains |
+---------------+
| domain | TEXT |
| module | TEXT |
+---------------+
......
+-------------------+
| hosts |
+-------------------+ # the hosts table is used later
| host | TEXT |
| ip_address | TEXT |
| region | TEXT |
| country | TEXT |
| latitude | TEXT |
| longitude | TEXT |
| module | TEXT |
+-------------------+
+--------------------+
| contacts |
+--------------------+
| first_name | TEXT |
| middle_name | TEXT |
| last_name | TEXT |
| email | TEXT |
| title | TEXT |
| region | TEXT |
| country | TEXT |
| module | TEXT |
+--------------------+
+-----------------+
| credentials |
+-----------------+
| username | TEXT |
| password | TEXT |
| hash | TEXT |
| type | TEXT |
| leak | TEXT |
| module | TEXT |
+-----------------+
+-----------------------------+
| leaks |
+-----------------------------+
| leak_id | TEXT |
| description | TEXT |
| source_refs | TEXT |
| leak_type | TEXT |
| title | TEXT |
| import_date | TEXT |
| leak_date | TEXT |
| attackers | TEXT |
| num_entries | TEXT |
| score | TEXT |
| num_domains_affected | TEXT |
| attack_method | TEXT |
| target_industries | TEXT |
| password_hash | TEXT |
| password_type | TEXT |
| targets | TEXT |
| media_refs | TEXT |
| module | TEXT |
+-----------------------------+
+---------------------+
| pushpins |
+---------------------+
| source | TEXT |
| screen_name | TEXT |
| profile_name | TEXT |
| profile_url | TEXT |
| media_url | TEXT |
| thumb_url | TEXT |
| message | TEXT |
| latitude | TEXT |
| longitude | TEXT |
| time | TEXT |
| module | TEXT |
+---------------------+
+-----------------+
| profiles |
+-----------------+
| username | TEXT |
| resource | TEXT |
| url | TEXT |
| category | TEXT |
| notes | TEXT |
| module | TEXT |
+-----------------+
+--------------------+
| repositories |
+--------------------+
| name | TEXT |
| owner | TEXT |
| description | TEXT |
| resource | TEXT |
| category | TEXT |
| url | TEXT |
| module | TEXT |
+--------------------+
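(3) Using modules
Recon-NG works mainly by running modules from its command line to search for web-based information;
The steps below use a concrete example (finding host and IP address records for the sina.com domain) to get familiar with the modules;
3.1> Create a workspace
Recon-NG has a default workspace (default), but for easier management and querying it is better to create a workspace for each exercise;
# recon-ng -w sina # create the workspace
......
[recon-ng][sina] > # the prompt is already inside the new workspace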
[recon-ng][sina] > workspaces list
+------------+
| Workspaces |
+------------+
| sina |
| default |
+------------+
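3.2> Use modules to enumerate hostnames for the domain
Many modules can enumerate hostnames for a domain, and each may return different results; the steps below combine the bing_domain_web module with the brute-force module.
bing_domain_web module: during the query, Recon-NG sends a large number of hostname queries to bing.com;
[recon-ng][sina] > search bing # find modules related to bing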
[*] Searching for 'bing'...
Recon
-----
recon/companies-contacts/bing_linkedin_cache
recon/domains-hosts/bing_domain_api
recon/domains-hosts/bing_domain_web
recon/hosts-hosts/bing_ip
[recon-ng][sina] > use recon/domains-hosts/bing_domain_web # use this module for the hostname query
[recon-ng][sina][bing_domain_web] > show options # show the options the module needs
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
[recon-ng][sina][bing_domain_web] > set SOURCE sina.com # set the option: the domain to query
SOURCE => sina.com
[recon-ng][sina][bing_domain_web] > show info # after setting it, check the module info
Name: Bing Hostname Enumerator
Path: modules/recon/domains-hosts/bing_domain_web.py
Author: Tim Tomes (@LaNMaSteR53)
Description:
Harvests hosts from Bing.com by using the 'site' search operator. Updates the 'hosts' table with the
results.
Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE sina.com yes source of input (see 'show info' for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
With the option set, run the query; the results are saved to the hosts table in the database;
[recon-ng][sina][bing_domain_web] > run # run the module to start the query
--------
SINA.COM
--------
[*] URL: https://www.bing.com/search?first=0&q=domain%3Asina.com
[*] [host] gold.sina.com (<blank>)
[*] [host] ued.sina.com (<blank>)
[*] [host] exmail.sina.com (<blank>)
[*] [host] slide.sports.sina.com (<blank>)
[*] [host] video.sina.com (<blank>)
[*] [host] zt.sina.com (<blank>)
[*] [host] maiche.sina.com (<blank>)
[*] [host] ads.sina.com (<blank>)
[*] [host] travel.sina.com (<blank>)
[*] [host] lymf.sina.com (<blank>)
[*] [host] med.sina.com (<blank>)
[*] [host] hainan.sina.com (<blank>)
[*] [host] finance.sina.com (<blank>)
[*] [host] sifa.sina.com (<blank>)
[*] [host] immigration.sina.com (<blank>)
[*] [host] game.sina.com (<blank>)
[*] [host] slide.fashion.sina.com (<blank>)
[*] [host] slide.ent.sina.com (<blank>)
[*] [host] v*nmail.sina.com (<blank>)
[*] [host] yuqing.sina.com (<blank>)
[*] [host] xwz.sina.com (<blank>)
[*] [host] eva.sina.com (<blank>)
[*] [host] home.games.sina.com (<blank>)
[*] [host] mt.sina.com (<blank>)
[*] [host] mgame.sina.com (<blank>)
[*] Sleeping to avoid lockout... # the module pauses periodically to avoid being locked out
[*] URL: https://www.bing.com/search?first=0&q=domain%3Asina.com+-domain%3Agold.sina.com+-domain%3Aued.sina.com+-domain%3Aexmail.sina.com+-domain%3Aslide.sports.sina.com+-domain%3Avideo.sina.com+-domain%3Azt.sina.com+-domain%3Amaiche.sina.com+-domain%3Aads.sina.com+-domain%3Atravel.sina.com+-domain%3Alymf.sina.com+-domain%3Amed.sina.com+-domain%3Ahainan.sina.com+-domain%3Afinance.sina.com+-domain%3Asifa.sina.com+-domain%3Aimmigration.sina.com+-domain%3Agame.sina.com+-domain%3Aslide.fashion.sina.com+-domain%3Aslide.ent.sina.com+-domain%3Av*nmail.sina.com+-domain%3Ayuqing.sina.com+-domain%3Axwz.sina.com+-domain%3Aeva.sina.com+-domain%3Ahome.games.sina.com+-domain%3Amt.sina.com+-domain%3Amgame.sina.com
[*] [host] yn.house.sina.com (<blank>)
[*] [host] auto.sina.com (<blank>)
[*] [host] gb.nba.sina.com (<blank>)
.......
-------
SUMMARY
-------
[*] 43 total (43 new) hosts found.
3.3> Query the hosts table to view the results above;
[recon-ng][sina][bing_domain_web] > show hosts
+---------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+---------------------------------------------------------------------------------------------------------+
| 1 | gold.sina.com | | | | | | bing_domain_web |
| 2 | ued.sina.com | | | | | | bing_domain_web |
| 3 | exmail.sina.com | | | | | | bing_domain_web |
| 4 | slide.sports.sina.com | | | | | | bing_domain_web |
| 5 | video.sina.com | | | | | | bing_domain_web |
| 6 | zt.sina.com | | | | | | bing_domain_web |
| 7 | maiche.sina.com | | | | | | bing_domain_web |
| 8 | ads.sina.com | | | | | | bing_domain_web |
| 9 | travel.sina.com | | | | | | bing_domain_web |
| 10 | lymf.sina.com | | | | | | bing_domain_web |
| 11 | med.sina.com | | | | | | bing_domain_web |
| 12 | hainan.sina.com | | | | | | bing_domain_web |
| 13 | finance.sina.com | | | | | | bing_domain_web |
| 14 | sifa.sina.com | | | | | | bing_domain_web |
| 15 | immigration.sina.com | | | | | | bing_domain_web |
| 16 | game.sina.com | | | | | | bing_domain_web |
| 17 | slide.fashion.sina.com | | | | | | bing_domain_web |
| 18 | slide.ent.sina.com | | | | | | bing_domain_web |
| 19 | v*nmail.sina.com | | | | | | bing_domain_web |
| 20 | yuqing.sina.com | | | | | | bing_domain_web |
| 21 | xwz.sina.com | | | | | | bing_domain_web |
| 22 | eva.sina.com | | | | | | bing_domain_web |
| 23 | home.games.sina.com | | | | | | bing_domain_web |
| 24 | mt.sina.com | | | | | | bing_domain_web |
| 25 | mgame.sina.com | | | | | | bing_domain_web |
| 26 | yn.house.sina.com | | | | | | bing_domain_web |
| 27 | auto.sina.com | | | | | | bing_domain_web |
| 28 | gb.nba.sina.com | | | | | | bing_domain_web |
| 29 | eds.mail.sina.com | | | | | | bing_domain_web |
| 30 | zb.sina.com | | | | | | bing_domain_web |
| 31 | dwj.sina.com | | | | | | bing_domain_web |
| 32 | sc.sina.com | | | | | | bing_domain_web |
| 33 | weekly.games.sina.com | | | | | | bing_domain_web |
| 34 | opay.sina.com | | | | | | bing_domain_web |
| 35 | m.us.sina.com | | | | | | bing_domain_web |
| 36 | weibous.sina.com | | | | | | bing_domain_web |
| 37 | food.sina.com | | | | | | bing_domain_web |
| 38 | books.sina.com | | | | | | bing_domain_web |
| 39 | dhl.sina.com | | | | | | bing_domain_web |
| 40 | it.mn.sina.com | | | | | | bing_domain_web |
| 41 | english.sina.com | | | | | | bing_domain_web |
| 42 | henan.sina.com | | | | | | bing_domain_web |
| 43 | v.game.sina.com | | | | | | bing_domain_web |
+---------------------------------------------------------------------------------------------------------+
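3.4> Next, use the brute-force module to fill in hostnames that the search engine did not return, making the results more complete;
brute_hosts module: it ships with a wordlist, which can be replaced with your own;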
[recon-ng][sina][bing_domain_web] > search brute
[*] Searching for 'brute'...
Exploitation
------------
exploitation/injection/xpath_bruter
Recon
-----
recon/domains-domains/brute_suffix
recon/domains-hosts/brute_hosts
[recon-ng][sina][bing_domain_web] > userecon/domains-hosts/brute_hosts
[*] Command: userecon/domains-hosts/brute_hosts
/bin/sh: 1: userecon/domains-hosts/brute_hosts: not found
[recon-ng][sina][bing_domain_web] > use recon/domains-hosts/brute_hosts
[recon-ng][sina][brute_hosts] > show options
Name Current Value Required Description
-------- ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
WORDLIST /usr/share/recon-ng/data/hostnames.txt yes path to hostname wordlist
[recon-ng][sina][brute_hosts] > set SOURCE sina.com
SOURCE => sina.com
[recon-ng][sina][brute_hosts] > run
--------
SINA.COM
--------
[*] No Wildcard DNS entry found.
[*] 0.sina.com => No record found.
[*] 11.sina.com => No record found.
[*] 1.sina.com => No record found.
[*] 13.sina.com => No record found.
[*] 17.sina.com => No record found.
[*] 03.sina.com => No record found.
[*] 14.sina.com => No record found.
[*] 16.sina.com => No record found.
[*] 15.sina.com => No record found.
[*] 10.sina.com => No record found.
[*] 19.sina.com => No record found.
[*] 20.sina.com => No record found.
[*] 3com.sina.com => No record found.
[*] 12.sina.com => No record found.
[*] 6.sina.com => No record found.
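....... # the wordlist is large, so most of the output is omitted
[*] cust22.sina.com => Request timed out.
^C[*] cust22.sina.com => No record found. # the wordlist had only reached entries starting with 'c'; much more remained
-------
SUMMARY
-------
[*] 54 total (49 new) hosts found. # 49 new host records found on top of the earlier search
3.5> Query the hosts table again to view the results above;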
[recon-ng][sina][brute_hosts] > show hosts
+---------------------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+---------------------------------------------------------------------------------------------------------------------+
| 1 | gold.sina.com | | | | | | bing_domain_web |
| 2 | ued.sina.com | | | | | | bing_domain_web |
| 3 | exmail.sina.com | | | | | | bing_domain_web |
| 4 | slide.sports.sina.com | | | | | | bing_domain_web |
| 5 | video.sina.com | | | | | | bing_domain_web |
| 6 | zt.sina.com | | | | | | bing_domain_web |
| 7 | maiche.sina.com | | | | | | bing_domain_web |
| 8 | ads.sina.com | | | | | | bing_domain_web |
| 9 | travel.sina.com | | | | | | bing_domain_web |
| 10 | lymf.sina.com | | | | | | bing_domain_web |
| 11 | med.sina.com | | | | | | bing_domain_web |
| 12 | hainan.sina.com | | | | | | bing_domain_web |
| 13 | finance.sina.com | | | | | | bing_domain_web |
| 14 | sifa.sina.com | | | | | | bing_domain_web |
| 15 | immigration.sina.com | | | | | | bing_domain_web |
| 16 | game.sina.com | | | | | | bing_domain_web |
| 17 | slide.fashion.sina.com | | | | | | bing_domain_web |
| 18 | slide.ent.sina.com | | | | | | bing_domain_web |
| 19 | v*nmail.sina.com | | | | | | bing_domain_web |
| 20 | yuqing.sina.com | | | | | | bing_domain_web |
| 21 | xwz.sina.com | | | | | | bing_domain_web |
| 22 | eva.sina.com | | | | | | bing_domain_web |
| 23 | home.games.sina.com | | | | | | bing_domain_web |
| 24 | mt.sina.com | | | | | | bing_domain_web |
| 25 | mgame.sina.com | | | | | | bing_domain_web |
| 26 | yn.house.sina.com | | | | | | bing_domain_web |
| 27 | auto.sina.com | | | | | | bing_domain_web |
| 28 | gb.nba.sina.com | | | | | | bing_domain_web |
| 29 | eds.mail.sina.com | | | | | | bing_domain_web |
| 30 | zb.sina.com | | | | | | bing_domain_web |
| 31 | dwj.sina.com | | | | | | bing_domain_web |
| 32 | sc.sina.com | | | | | | bing_domain_web |
| 33 | weekly.games.sina.com | | | | | | bing_domain_web |
| 34 | opay.sina.com | | | | | | bing_domain_web |
| 35 | m.us.sina.com | | | | | | bing_domain_web |
| 36 | weibous.sina.com | | | | | | bing_domain_web |
| 37 | food.sina.com | | | | | | bing_domain_web |
| 38 | books.sina.com | | | | | | bing_domain_web |
| 39 | dhl.sina.com | | | | | | bing_domain_web |
| 40 | it.mn.sina.com | | | | | | bing_domain_web |
| 41 | english.sina.com | | | | | | bing_domain_web |
| 42 | henan.sina.com | | | | | | bing_domain_web |
| 43 | v.game.sina.com | | | | | | bing_domain_web |
| 44 | ww1.sinaimg.cn.w.alikunlun.com | | | | | | brute_hosts |
| 45 | ads.sina.com | 111.7.187.234 | | | | | brute_hosts |
| 46 | ads.sina.com | 111.6.92.168 | | | | | brute_hosts |
| 47 | ads.sina.com | 111.6.92.165 | | | | | brute_hosts |
| 48 | ads.sina.com | 111.6.92.163 | | | | | brute_hosts |
| 49 | ads.sina.com | 111.6.92.167 | | | | | brute_hosts |
| 50 | ads.sina.com | 111.7.187.219 | | | | | brute_hosts |
| 51 | ads.sina.com | 111.7.187.235 | | | | | brute_hosts |
| 52 | ads.sina.com | 111.6.92.166 | | | | | brute_hosts |
| 53 | ads.sina.com | 111.7.187.216 | | | | | brute_hosts |
| 54 | ads.sina.com | 111.6.92.164 | | | | | brute_hosts |
| 55 | ads.sina.com | 111.7.187.217 | | | | | brute_hosts |
| 56 | ads.sina.com | 111.6.92.129 | | | | | brute_hosts |
| 57 | ads.sina.com | 111.7.187.218 | | | | | brute_hosts |
| 58 | ads.sina.com | 111.7.187.220 | | | | | brute_hosts |
| 59 | ads.sina.com | 111.7.187.215 | | | | | brute_hosts |
| 60 | ads.sina.com | 111.6.92.169 | | | | | brute_hosts |
| 61 | apple.sina.com | 71.5.7.45 | | | | | brute_hosts |
| 62 | xczspool.grid.sinaedge.com | | | | | | brute_hosts |
| 63 | auto.sina.com | 183.232.24.222 | | | | | brute_hosts |
| 64 | auto.sina.com | 112.25.53.229 | | | | | brute_hosts |
| 65 | thad-test.sina.com | | | | | | brute_hosts |
| 66 | auth.sina.com | | | | | | brute_hosts |
| 67 | auth.sina.com | 71.5.7.247 | | | | | brute_hosts |
| 68 | bbs.sina.com | 10.10.10.10 | | | | | brute_hosts |
| 69 | blog.sina.com.cn | | | | | | brute_hosts |
| 70 | blog.sina.com | | | | | | brute_hosts |
| 71 | blogx.sina.com.cn | | | | | | brute_hosts |
| 72 | blog.sina.com | 49.7.37.126 | | | | | brute_hosts |
| 73 | calendar.sina.com | 71.5.7.99 | | | | | brute_hosts |
| 74 | careers.sina.com | 71.5.7.240 | | | | | brute_hosts |
| 75 | spit.sina.com | | | | | | brute_hosts |
| 76 | chat.sina.com | | | | | | brute_hosts |
| 77 | chat.sina.com | 71.5.7.171 | | | | | brute_hosts |
| 78 | checkpoint.sina.com | 71.5.7.98 | | | | | brute_hosts |
| 79 | classifieds.sina.com | | | | | | brute_hosts |
| 80 | classifieds.sina.com | 71.5.7.171 | | | | | brute_hosts |
| 81 | client.sina.com | 66.102.251.24 | | | | | brute_hosts |
| 82 | ww7.sina.com | | | | | | brute_hosts |
| 83 | club.sina.com | | | | | | brute_hosts |
| 84 | club.sina.com | 71.5.7.191 | | | | | brute_hosts |
| 85 | cn.sina.com | 209.66.98.24 | | | | | brute_hosts |
| 86 | commerce.sina.com | 71.5.7.170 | | | | | brute_hosts |
| 87 | theone.sina.com.cn | | | | | | brute_hosts |
| 88 | corp.sina.com | | | | | | brute_hosts |
| 89 | corp.sina.com | 123.126.53.69 | | | | | brute_hosts |
| 90 | cs.sina.com | | | | | | brute_hosts |
| 91 | cs.sina.com | 71.5.7.171 | | | | | brute_hosts |
| 92 | content.sina.com | 71.5.7.194 | | | | | brute_hosts |
+---------------------------------------------------------------------------------------------------------------------+
[*] 92 rows returned
3.6> Resolve the hostnames to their IP addresses
[recon-ng][sina][brute_hosts] > search resolve
[*] Searching for 'resolve'...
Recon
-----
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/netblocks-hosts/reverse_resolve
[recon-ng][sina][brute_hosts] > use recon/hosts-hosts/resolve
[recon-ng][sina][resolve] > show options
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
[recon-ng][sina][resolve] > set SOURCE query select host from hosts
SOURCE => query select host from hosts
[recon-ng][sina][resolve] > run
[*] gold.sina.com => 121.40.176.71
[*] ued.sina.com => 220.181.136.144
[*] exmail.sina.com => 202.108.35.23
[*] slide.sports.sina.com => 66.102.251.24
[*] video.sina.com => 10.10.10.10
[*] zt.sina.com => 123.125.29.117
[*] maiche.sina.com => 39.156.6.98
[*] ads.sina.com => 111.7.187.235
[*] ads.sina.com => 117.157.232.165
[*] ads.sina.com => 111.7.187.220
[*] ads.sina.com => 111.7.187.216
[*] ads.sina.com => 111.6.92.163
[*] ads.sina.com => 111.7.187.219
[*] ads.sina.com => 111.7.187.217
[*] ads.sina.com => 111.7.187.234
[*] ads.sina.com => 111.6.92.129
......
-------
SUMMARY
-------
[*] 223 total (223 new) hosts found.
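# 223 records are returned because one host record can map to multiple IP addresses, which provides load balancing
3.7> Export the resolved results as a report;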
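Added example (not part of the original post): the hosts table holds one row per host/address pair, so `select host from hosts` hands the same hostname to a module more than once, while a DISTINCT query does not. The Python code below rebuilds the hosts schema from `show schema` in an in-memory SQLite database, loads a few rows copied from the output above, compares the two SOURCE queries, and flags hosts with several addresses or with non-public addresses such as 10.10.10.10; the function names are hypothetical.

```python
import ipaddress
import sqlite3
from collections import defaultdict

# Constructed sample: (host, ip_address, module) rows copied from the
# 'show hosts' output on this page; not a full export of the workspace.
SAMPLE_ROWS = [
    ("gold.sina.com", None, "bing_domain_web"),
    ("ads.sina.com", None, "bing_domain_web"),
    ("ads.sina.com", "111.7.187.234", "brute_hosts"),
    ("ads.sina.com", "111.6.92.168", "brute_hosts"),
    ("auto.sina.com", None, "bing_domain_web"),
    ("auto.sina.com", "183.232.24.222", "brute_hosts"),
    ("auto.sina.com", "112.25.53.229", "brute_hosts"),
    ("bbs.sina.com", "10.10.10.10", "brute_hosts"),
    ("apple.sina.com", "71.5.7.45", "brute_hosts"),
]


def build_db(rows):
    """Create an in-memory database with the hosts columns shown by 'show schema'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, "
        "country TEXT, latitude TEXT, longitude TEXT, module TEXT)"
    )
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", rows
    )
    return conn


def source_inputs(conn, distinct):
    """Hostnames a SOURCE query would feed to a module, with or without DISTINCT."""
    sql = ("SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL"
           if distinct else "SELECT host FROM hosts")
    return [row[0] for row in conn.execute(sql)]


def summarize(conn):
    """Group addresses per host; return multi-address hosts and non-public addresses."""
    ips = defaultdict(set)
    for host, ip in conn.execute(
        "SELECT host, ip_address FROM hosts WHERE ip_address IS NOT NULL"
    ):
        ips[host].add(ip)
    multi = sorted(h for h, addrs in ips.items() if len(addrs) > 1)
    private = sorted(
        (h, ip) for h, addrs in ips.items() for ip in addrs
        if ipaddress.ip_address(ip).is_private  # RFC 1918 and other non-public ranges
    )
    return multi, private


if __name__ == "__main__":
    db = build_db(SAMPLE_ROWS)
    print("plain query inputs:   ", len(source_inputs(db, distinct=False)))
    print("DISTINCT query inputs:", len(source_inputs(db, distinct=True)))
    multi_hosts, private_hits = summarize(db)
    print("hosts with several addresses:", multi_hosts)
    print("non-public addresses in DNS: ", private_hits)
```

A non-public address in a public DNS answer, like the 10.10.10.10 entries above, is worth reviewing on your own zones because it can reveal internal addressing.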
[recon-ng][sina][resolve] > search report
[*] Searching for 'report'...
Reporting
---------
reporting/csv
reporting/html
reporting/json
reporting/list
reporting/proxifier
reporting/pushpin
reporting/xlsx
reporting/xml
[recon-ng][sina][resolve] > use reporting/html
[recon-ng][sina][html] > show options
Name Current Value Required Description
-------- ------------- -------- -----------
CREATOR yes creator name for the report footer
CUSTOMER yes customer name for the report header
FILENAME /root/.recon-ng/workspaces/sina/results.html yes path and filename for report output
SANITIZE True yes mask sensitive data in the report
[recon-ng][sina][html] > set CREATOR sina...
CREATOR => sina...
[recon-ng][sina][html] > set CUSTOMER scan_sina.com
CUSTOMER => scan_sina.com
[recon-ng][sina][html] > set FILENAME /root/sina.com
FILENAME => /root/sina.com
[recon-ng][sina][html] > run
[*] Report generated at '/root/sina.com'.
3.8> View the exported report;