Information gathering for web penetration testing, part 2

Hello everyone~

Let's pick up where the previous article left off. Today we look at the CDN-related problems you run into during information gathering.

You may have seen this before: the simplest way to get a target's IP address is to resolve its domain name, for example by pinging it, and then the address in the replies suddenly changes between runs. That confuses people who are just starting out. The cause is that the website sits behind a CDN, so the address we get back is a CDN edge node rather than the real server. So let's cover the basics first.

CDN stands for Content Delivery Network. In short, its job is to make a website load fast no matter where the visitor is. Take a visitor in Beijing opening a site hosted at Tencent's headquarters in Shenzhen: without a CDN, every request has to travel thousands of kilometres across the Internet to the Shenzhen server and back, passing through a long chain of network devices, any of which can add delay and spoil the user experience. If a copy of the Shenzhen server's content is placed on an edge node in Beijing instead, both the distance and the number of intermediate devices shrink, and the site loads faster. That, simply put, is what a CDN is.

So the question becomes: when we gather information for a penetration test, how do we get around the CDN?

Let's take it step by step. The first issue is CDN acceleration itself: before hunting for a real IP, confirm that a CDN is actually in the way.

0x01 Verify whether a CDN exists

Method 1

This is the simplest one. Use a multi-location ping service and check whether every probe location gets the same IP address. If different regions receive different addresses, a CDN is most likely in use. Multi-location ping sites include:

http://ping.chinaz.com/

http://ping.aizhan.com/

http://ce.cloud.360.cn/

Method 2

Use nslookup. The principle is the same: if the domain resolves to several IP addresses, or the name is a CNAME that points at a CDN provider's domain, a CDN is most likely in use. Note that several A records from a single resolver can also be plain DNS round-robin on one origin, so the CNAME target and the comparison across locations (Method 1) are the stronger signals. Example with a CDN:

> nslookup www.163.com
Server:  public1.114dns.com
Address:  114.114.114.114

Non-authoritative answer:
Name:    163.xdwscache.ourglb0.com
Addresses:  58.223.164.86
            125.75.32.252
Aliases:  www.163.com
          www.163.com.lxdns.com

Example without a CDN:

> nslookup xiaix.me
Server:  public1.114dns.com
Address:  114.114.114.114

Non-authoritative answer:
Name:    xiaix.me
Address:  192.3.168.172
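To make Method 1 and Method 2 concrete, here is an added Python example (not code from the original post) that applies both checks to lookup results embedded as constructed data: the 163.com addresses and CNAMEs are taken from the nslookup output above, the addresses for the other probe locations are made up, and the CDN suffix list is a small hand-picked set of vendor domains, not an exhaustive one. A domain is flagged as CDN-fronted when its CNAME chain ends in a known CDN domain or when different probe locations receive different address sets; several A records from a single resolver are deliberately not treated as proof, because that can be plain round-robin on one origin.

```python
# CDN checks over constructed lookup results; nothing here touches the network.

# Constructed data: the addresses a multi-location ping might return. The
# 163.com "beijing" entry reuses the addresses from the nslookup output above;
# the other locations' addresses and the xiaix.me repetition are made up.
MULTI_PING_RESULTS = {
    "www.163.com": {
        "beijing":   {"58.223.164.86", "125.75.32.252"},
        "shanghai":  {"198.51.100.20"},
        "guangzhou": {"198.51.100.40", "198.51.100.41"},
    },
    "xiaix.me": {
        "beijing":   {"192.3.168.172"},
        "shanghai":  {"192.3.168.172"},
        "guangzhou": {"192.3.168.172"},
    },
}

# Constructed data: CNAME chain for each domain (taken from the nslookup
# output above; xiaix.me has no CNAME).
CNAME_RESULTS = {
    "www.163.com": ["www.163.com.lxdns.com", "163.xdwscache.ourglb0.com"],
    "xiaix.me": [],
}

# CNAME suffixes that identify a CDN. The first two appear in the nslookup
# output above; the rest are well-known vendor domains. Not exhaustive.
CDN_CNAME_SUFFIXES = (
    ".lxdns.com", ".ourglb0.com",
    ".cloudfront.net", ".akamaiedge.net", ".edgesuite.net",
    ".fastly.net", ".cdn.cloudflare.net", ".alikunlun.com",
)


def cname_says_cdn(cnames):
    """Return the first CNAME that points at a known CDN domain, else None."""
    for name in cnames:
        if name.lower().rstrip(".").endswith(CDN_CNAME_SUFFIXES):
            return name
    return None


def vantage_points_disagree(per_location):
    """True if at least two probe locations resolved the name to different
    address sets. Several A records from ONE location is not enough on its
    own: that can be plain DNS round-robin in front of a single origin."""
    distinct = {frozenset(ips) for ips in per_location.values()}
    return len(distinct) > 1


def detect_cdn(domain):
    """Collect the evidence that `domain` sits behind a CDN (empty list = none)."""
    evidence = []
    hit = cname_says_cdn(CNAME_RESULTS.get(domain, []))
    if hit:
        evidence.append(f"CNAME points at CDN host {hit}")
    if vantage_points_disagree(MULTI_PING_RESULTS.get(domain, {})):
        evidence.append("different probe locations resolve to different IPs")
    return evidence


if __name__ == "__main__":
    for domain in MULTI_PING_RESULTS:
        found = detect_cdn(domain)
        verdict = "CDN likely: " + "; ".join(found) if found else "no CDN evidence"
        print(domain, "->", verdict)
```

In practice you would fill the two dictionaries from live lookups (the multi-location ping sites above for MULTI_PING_RESULTS, nslookup or dig for CNAME_RESULTS); the decision logic stays the same.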

Method 3

Use one of the tools that detect whether a site is served through a CDN, for example:

http://www.cdnplanet.com/tools/cdnfinder/

http://www.ipip.net/ip.html

0x02 Bypass the CDN to find the website's real IP

2.1 Query historical DNS records

Look up the history of the domain's IP bindings: records from before the CDN was introduced may still point at the origin server. Sites that offer such lookups:

https://dnsdb.io/zh-cn/

https://x.threatbook.cn/

http://toolbar.netcraft.com/site_report?url=

http://viewdns.info/

2.2 Query subdomains

CDN service is not cheap, so many webmasters only put the main site, or sub-sites with heavy traffic, behind the CDN, while many small sub-sites sit on the same server as the main site or in the same class C network. Resolving the subdomains and looking at their IPs can therefore lead you to the real IP of the main site.
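The following Python example is added here to show the subdomain approach worked through; it is not code from the original post. The hostnames and addresses are constructed (documentation address ranges): the main site and a busy shop sub-site resolve to CDN edges, the small sub-sites do not. The code drops every address already known to be a CDN edge, groups what is left by /24, and ranks the ranges by how many subdomains live in them; the busiest range is where the origin most often hides, and its addresses are the natural input for a Host-header scan.

```python
import ipaddress
from collections import defaultdict

# Constructed resolution results for a hypothetical target.
RESOLVED = {
    "www.example-target.com":  ["198.51.100.10", "198.51.100.11"],  # CDN edge
    "shop.example-target.com": ["198.51.100.10"],                   # CDN edge
    "mail.example-target.com": ["203.0.113.25"],
    "dev.example-target.com":  ["203.0.113.40"],
    "oa.example-target.com":   ["203.0.113.41"],
    "old.example-target.com":  ["192.0.2.77"],
}

# Addresses the CDN-fronted names resolve to (what the main site's nslookup
# returned); anything resolving here is an edge node, not a candidate origin.
CDN_EDGE_IPS = {"198.51.100.10", "198.51.100.11"}


def candidate_networks(resolved, cdn_edge_ips, prefix=24):
    """Group the non-CDN subdomain IPs by /prefix network.
    Returns [(network, {hostnames})], the network with the most hosts first:
    the main site's origin most often lives in the busiest of these ranges."""
    groups = defaultdict(set)
    for host, ips in resolved.items():
        for ip in ips:
            if ip in cdn_edge_ips:
                continue                       # edge node, skip
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            groups[net].add(host)
    return sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def hosts_to_probe(resolved, cdn_edge_ips, prefix=24):
    """Every address of the top-ranked candidate range, as strings, ready to
    be probed with the target's Host header (see 2.8 below)."""
    ranked = candidate_networks(resolved, cdn_edge_ips, prefix)
    if not ranked:
        return []
    return [str(ip) for ip in ranked[0][0].hosts()]


if __name__ == "__main__":
    for net, hosts in candidate_networks(RESOLVED, CDN_EDGE_IPS):
        print(f"{net}: {len(hosts)} subdomain(s): {', '.join(sorted(hosts))}")
    print(len(hosts_to_probe(RESOLVED, CDN_EDGE_IPS)), "addresses to probe")
```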

2.3 Exploit website vulnerabilities

Not much to explain here: the goal is to make the target server connect out to us, which reveals its real IP. Useful vulnerabilities include blind XSS (a payload that calls back to a server we control), command execution with a reverse shell, SSRF, and so on.

2.4 Let the server's legitimate services connect to us

Same idea as above, getting the server to connect to us and tell us its IP, but through a legitimate feature such as an RSS or mail subscription. Many websites run their own sendmail and send mail straight to subscribers; open the raw source of such a mail, because the Received headers record the real IP of the server that sent it.
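As an added illustration of reading that mail source (this is example code, not from the original post), the Python below parses a constructed subscription-confirmation message and pulls the sending addresses out of the Received chain. The headers, hostnames and addresses are made up (documentation address ranges). Received headers are prepended by each relay, so the last one in the message is the oldest hop: its "from" clause names the host that handed the mail to the first relay, which is the target's own server when it runs its own sendmail. Private and loopback addresses are skipped, since those are relay-internal hops.

```python
import email
import ipaddress
import re

# Constructed raw message: what a confirmation mail sent by the target's own
# mail server might look like once it lands in our mailbox.
RAW_MAIL = b"""Received: from mx.our-mail.example ([198.51.100.7])
\tby inbox.our-mail.example with ESMTP id abc123;
\tMon, 1 Jan 2024 10:00:02 +0000
Received: from web01.example-target.com (web01.example-target.com [203.0.113.40])
\tby mx.our-mail.example with ESMTP id xyz789;
\tMon, 1 Jan 2024 10:00:01 +0000
From: noreply@example-target.com
To: tester@our-mail.example
Subject: Subscription confirmation
Message-ID: <20240101100000.1234@web01.example-target.com>

Thanks for subscribing.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """Private or loopback addresses are relay-internal hops, not an origin."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in RFC1918)


def received_chain(raw):
    """Received: headers in the order they were added, oldest hop first."""
    msg = email.message_from_bytes(raw)
    return list(reversed(msg.get_all("Received", [])))


def sending_ips(raw):
    """Public IPs from the 'from ... by' clause of each Received header,
    oldest hop first. The first entry is the host that handed the mail to the
    first relay, i.e. the target's server when it sends its own mail."""
    ips = []
    for hdr in received_chain(raw):
        # folded headers keep their "\n\t" continuation, hence re.S
        m = re.search(r"\bfrom\s+(.*?)\s*\bby\b", hdr, re.S)
        found = IPV4_RE.findall(m.group(1) if m else hdr)
        ips.extend(ip for ip in found if not is_internal(ip))
    return ips


def message_id_host(raw):
    """The host part of Message-ID often names the web server as well."""
    msg = email.message_from_bytes(raw)
    mid = (msg.get("Message-ID") or "").strip().strip("<>")
    return mid.rpartition("@")[2]


if __name__ == "__main__":
    print("sending hosts, oldest first:", sending_ips(RAW_MAIL))
    print("Message-ID host:", message_id_host(RAW_MAIL))
```

Before trusting the first address, check it the same way as any other candidate: a request to that IP carrying the target's Host header should return the target's page.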

2.5 Resolve the domain from a foreign host

For various reasons, many domestic CDN vendors only serve domestic traffic and have few or no overseas nodes. Resolving the domain from a host outside the country may then return the origin IP directly; compare the answer with what a domestic resolver gives you.

2.6 Sensitive files leaked by the target

The target server may expose files that reveal its own IP address, for example a leftover phpinfo probe page or other leaked configuration.

2.7 Start from the CDN itself

Whether through social engineering or other means, if you obtain the website administrator's account at the CDN provider, the real IP is right there in the CDN configuration as the origin server.

2.8 Scan the whole Internet with Zmap

Scan the Internet, or at least the ranges the methods above point to, for web servers, and check which hosts return the target's page when the request carries the target's Host header. Geolocation services help narrow down the ranges worth scanning:

IP2Location / MaxMind: query the latitude and longitude of an IP address

https://www.maxmind.com/zh/home

Query the physical location from GPS coordinates

http://www.gpsspg.com/maps.htm
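Whatever produced the candidate addresses (a Zmap scan, the subdomain ranges, historical DNS, mail headers), the final step is the same: ask each candidate for the target's site by name and see whether it answers with the target's page. The Python below is an added example of that check, not code from the original post. It connects to the candidate IP directly, so the CDN and DNS are bypassed, sends the target's name in the Host header (and in SNI for HTTPS), and compares what comes back with the page fetched the normal way through the CDN. The hostnames and addresses in the usage line are placeholders. An identical body hash is a near-certain hit; the same title and status with a different body is a likely hit, because CDNs often rewrite or minify pages in transit.

```python
import hashlib
import http.client
import re
import socket
import ssl
import sys

TITLE_RE = re.compile(rb"<title[^>]*>(.*?)</title>", re.I | re.S)


def fingerprint(body):
    """(title, sha256) of a response body: enough to tell the target's page
    apart from a default vhost page such as 'Welcome to nginx!'."""
    m = TITLE_RE.search(body)
    title = m.group(1).strip().decode("utf-8", "replace") if m else ""
    return title, hashlib.sha256(body).hexdigest()


def open_connection(ip, host, https, timeout):
    """Connect to the candidate IP, not the name, so DNS (and the CDN) is
    bypassed; for HTTPS still present the target's name in SNI."""
    if not https:
        return http.client.HTTPConnection(ip, 80, timeout=timeout)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # the origin's cert rarely matches a bare IP
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    raw = socket.create_connection((ip, 443), timeout=timeout)
    conn.sock = ctx.wrap_socket(raw, server_hostname=host)  # pre-connected, connect() is skipped
    return conn


def probe(ip, host, path="/", https=False, timeout=5):
    """GET `path` from `ip` with 'Host: host'. Returns (status, fingerprint),
    or None when the candidate does not answer."""
    conn = None
    try:
        conn = open_connection(ip, host, https, timeout)
        conn.request("GET", path, headers={"Host": host,
                                           "User-Agent": "Mozilla/5.0 (origin-check)"})
        resp = conn.getresponse()
        return resp.status, fingerprint(resp.read())
    except (OSError, http.client.HTTPException):
        return None
    finally:
        if conn is not None:
            conn.close()


def classify(reference, probes):
    """Split probed candidates into exact matches (same body hash as the page
    fetched through the CDN) and likely matches (same title and status, body
    differs, as happens when the CDN rewrites or minifies the page)."""
    ref_status, (ref_title, ref_hash) = reference
    exact, likely = [], []
    for ip, result in probes.items():
        if result is None:
            continue                         # no web server or timed out
        status, (title, digest) = result
        if digest == ref_hash:
            exact.append(ip)
        elif ref_title and title == ref_title and status == ref_status:
            likely.append(ip)
    return exact, likely


if __name__ == "__main__":
    # usage: python origin_check.py target.example 203.0.113.40 203.0.113.41 ...
    host, candidates = sys.argv[1], sys.argv[2:]
    # reference = the page as the public sees it: resolve normally, i.e. via the CDN
    reference = probe(socket.gethostbyname(host), host)
    if reference is None:
        sys.exit("could not fetch the reference page")
    results = {ip: probe(ip, host) for ip in candidates}
    exact, likely = classify(reference, results)
    print("exact:", exact, "likely:", likely)
```

Run it against the addresses a Zmap scan of port 80/443 turned up in the candidate ranges; anything in `exact` is the origin, anything in `likely` deserves a second look (fetch a few more paths and compare).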

 

That is what I wanted to share about CDNs. I hope it helps; see you next time~


Source: blog.csdn.net/GUDUzhongliang/article/details/108731022