Side note, cross-database, CDN

CDN

1. The day before yesterday I read Anheng (安恒) interview notes that asked whether a CDN is used and how to bypass it (learning security is really hard; the whole Niuke.net penetration-testing interview set still has to be faced), so I learned it today;
2. I didn't update the notes yesterday because I was lazy. Yesterday I learned about the vulnerabilities commonly found in several editors; because the versions of those editors are a bit messy and the content is not very important, and the teacher said that in a real penetration test you only need to recognize these editors and recall this branch of knowledge, I decided to set it aside and fill it in when I actually work with them;
3. Several courses have also wrapped up recently; many assignments have to be written, so I need to pay attention to scheduling;
4. Playing with the captcha on the Alibaba Cloud login aroused my interest today. It is roughly like scratching a lottery ticket with the mouse: scrape out two chicks and it passes. Many sites, including Taobao, have used this captcha for a long time and it has not changed; I don't know the trick behind it.

What is CDN

CDN is explained by Baidu Encyclopedia as a content distribution network. We can understand it this way: the Internet is very large, and once my site is up, people from all over the world may visit it; but precisely because the Internet is so large, the latency between a distant user and our site is high, so the home page of the website opens very slowly. This directly hurts the user's access experience, and losing potential customers because of it is not worth it.

The above problem really existed in the history of the Internet's development and had to be solved, so the CDN appeared. We can think of a CDN as a mirror server of our web site. After the site is set up, we only need to point DNS at the CDN with one change, and all users' access is directed to the CDN. CDN nodes are generally spread across the whole country, which improves users' access speed; and because an attacker does not get the real IP address, even if the CDN is attacked it has no impact on our servers. So a CDN solves both the access speed problem and the security problem.

Determine if CDN is used

1. When we are doing penetration testing we often encounter CDNs. You can determine whether a CDN is in use by pinging the domain name.
2. Or use the k8 C-segment side-note tool: enter the domain name and it reports "acceleration" or "proxy".
3. You can also use nslookup <domain name> in cmd. The principle is the same as above: if the returned resolution corresponds to multiple IP addresses, a CDN is most likely in use. (But a returned name that differs from the queried domain name may also be caused by a WAF or a proxy.)

How to find the real IP address of the server

1. Apart from the www subdomain, large sites generally have second-level domains such as mail, oa, crm and so on. We can search site:xxx.com -www or site:xxx.com mail to find the other second-level domains, then resolve those domains to their IP addresses through DNS. Under normal circumstances www may be hosted elsewhere, but the mail server is generally operated and maintained by the enterprise itself.

After obtaining its IP address range, you can access the IP directly in the browser address bar or use nmap to scan the whole range to confirm its real IP address.

2. Confirm the real IP address by pinging from multiple locations. A web site is set up to be accessed by people, and sometimes, for the sake of access speed, a CDN is used to speed it up; pinging from multiple locations is one way to determine the true IP address of its web server.
Multiple ping tools:

http://ping.chinaz.com/
http://ping.aizhan.com/
http://ce.cloud.360.cn/

Bypass CDN mechanism

Domain name history analysis record

(1) View the history records of IP and domain name binding, there may be records before using CDN, related query websites are:
https://dnsdb.io/zh-cn/ ### DNS query
https://x.threatbook.cn/ ### ThreatBook (微步在线)
https://tools.ipip.net/cdn.php ### CDN query IP
http://toolbar.netcraft.com/site_report?url= ### Online domain name information query
http://viewdns.info/ ### DNS, IP and other queries

(2) Using the SecurityTrails platform, an attacker can accurately find the true origin IP.
Just enter the domain name of the website in the search field and press Enter; "Historical Data" can then be found in the menu on the left: https://securitytrails.com/domain/<domain name>/dns. Besides past DNS records, even the current records may leak the origin server IP. For example, MX records are a common way to find the IP: if the website hosts its own mail server on the same server and IP as the web site, the origin server IP will be in the MX record.
(3) Watch the IP change history:
http://toolbar.netcraft.com/site_report?url=www.xxx.com

Query subdomain

(1) ThreatBook (微步在线) (https://x.threatbook.cn/)

(2) Dnsdb query method (https://dnsdb.io/zh-cn/)

(3) Google search Google site: baidu.com -www to view subdomains except www

(4) Various subdomain scanners

(5) Cyberspace search engines. The commonly used ones are ZoomEye (钟馗之眼), Shodan and FOFA.
Take FOFA as an example: just enter title:"the title keyword of the website" or body:"a feature of the website body" to find the IPs and domain names that FOFA has indexed containing these keywords; many times this gives the real IP of the website.

(6) Use the SSL certificate to find the real origin IP
https://censys.io/certificates?q=parsed.names%3Aoldboyedu.com+and+tags.raw%3Atrusted
The query parameter for searching certificates of oldboyedu.com is parsed.names: oldboyedu.com; to show only valid certificates, the query parameter is tags.raw: trusted.
Censys will show all the standard certificates that match the above search criteria, i.e. the certificates found in its scans.
To examine these results one by one, an attacker can open the drop-down menu containing multiple tools by clicking "Explore" on the right: "What's using this certificate?" > "IPv4 Hosts".

(7) Resolve the domain name from a foreign host
For various reasons many domestic CDN vendors only build domestic lines and may have few lines abroad. In that case we can obtain the real IP by accessing the site directly from a foreign host.
(8) Search for web site vulnerabilities
1) Sensitive file leakage on the target, e.g. probes such as phpinfo, "info.php", "phpinfo.php", "test.php", "l.php", GitHub information leaks, etc.
2) Check the alert information from vulnerability scans, and manually trigger page errors.
3) Blind XSS, command execution with a reverse shell, SSRF, etc.
4) Whether through social engineering or other means, obtain the target website administrator's account at the CDN, so as to find the real IP of the website from the CDN configuration.
(9) Website email subscriptions
RSS email subscriptions: many websites come with sendmail and will send us an email; the source of that email will contain the real IP of the server.
(10) Scan the whole Internet with Zmap
Zmap is said to scan the entire Internet in 44 minutes. This tool is used more for penetrating sites whose real IP is not known (alternatively a pure-IP address database, DotNetscan).
For example, to find the real IP of the xiaix.me website, we first obtain the IP range from APNIC, then use Zmap's banner-grab to scan out the hosts with port 80 open and grab their banners, and finally write xiaix.me in the Host header of http-req.
Like a DDoS, exhausting the CDN's traffic will interfere with the normal operation of the website.
www.crimeflare.com/cfs.html#box
(11) F5 LTM decoding method
When the server uses F5 LTM for load balancing, the real IP can also be obtained by decoding the Set-Cookie value. For example, a captured packet contains Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000. First take the decimal number of the first field, 487098378, convert it to hexadecimal, 1d08880a, then read the four bytes from back to front, 0a.88.08.1d, and finally convert them to decimal, 10.136.8.29, which is the real IP.
(12) Trigger error messages or visit the relevant test pages
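The cookie arithmetic in method (11), as an added example that is not part of the original post: it decodes the classic unencrypted IPv4 form of the BIGipServer persistence cookie and flags whether the pool member address it exposes is a private (RFC 1918) address, which is the check to run against your own server's responses to see whether they leak backend topology. The Set-Cookie lines are constructed samples, the first reproducing the value from the post.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Classic (unencrypted, IPv4) BIGipServer cookie value: "<addr>.<port>.0000".
COOKIE_RE = re.compile(r"(BIGipServer[^=;\s]*)\s*=\s*(\d+\.\d+\.\d+)")


def decode_bigip_cookie(value: str) -> Tuple[str, int]:
    """Decode '<addr>.<port>.0000' into (ip, port).

    addr is the pool member's IPv4 address as a little-endian 32-bit decimal,
    port is the pool member's port as a byte-swapped 16-bit decimal.
    """
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("not a classic BIGipServer cookie value: %r" % value)
    addr, port = int(parts[0]), int(parts[1])
    if addr > 0xFFFFFFFF or port > 0xFFFF:
        raise ValueError("field out of range: %r" % value)
    # 487098378 -> 0x1d08880a -> little-endian bytes 0a 88 08 1d -> 10.136.8.29
    ip = ipaddress.IPv4Address(addr.to_bytes(4, "little"))
    # 24095 -> 0x5e1f -> swap the two bytes -> 0x1f5e -> 8030
    real_port = int.from_bytes(port.to_bytes(2, "little"), "big")
    return str(ip), real_port


def audit_set_cookie(headers: List[str]) -> List[Dict[str, object]]:
    """Report every decodable BIGipServer cookie found in response header
    lines, flagging whether the exposed pool member address is private
    (RFC 1918), i.e. whether the header leaks internal topology."""
    findings = []
    for line in headers:
        for name, value in COOKIE_RE.findall(line):
            try:
                ip, port = decode_bigip_cookie(value)
            except ValueError:
                continue  # encrypted or non-IPv4 cookie forms are not handled here
            findings.append({"cookie": name, "ip": ip, "port": port,
                             "private": ipaddress.ip_address(ip).is_private})
    return findings


# Constructed sample headers; the first reproduces the value quoted in the post.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000; path=/",
    "Set-Cookie: sessionid=3f9c2a; Path=/; HttpOnly; Secure",
    "Set-Cookie: BIGipServerweb_pool=!zz8QX0c1mZ9JhK4L; path=/",  # constructed non-classic value, skipped
]
```

If the audit reports an address, the remediation on the F5 side is to enable cookie encryption in the persistence profile (or use a persistence method that does not embed the member address), after which the value is no longer decodable this way.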

Tips

Some companies' IP addresses are registered contiguously when they apply for address space.


Origin blog.csdn.net/weixin_43079958/article/details/105568369