White Hat Learning Record 3 - Information Collection

This article records the main knowledge points of information collection (reconnaissance).

Main methods of information collection

  • Active information collection: directly accessing the website, operating on it, scanning it, and so on. With all of these methods, network traffic passes through the target server.
  • Passive information collection: obtaining information from public channels such as search engines, without interacting directly with the target system, so as to leave as few traces as possible.

What information to collect

Including, but not limited to:

  • Server information: ports, services, IP addresses
  • Website information: server operating system, middleware, database, programming language, sensitive directories and files, side-site query (other sites on the same server), C-class subnet (C segment) query
  • Domain name information: whois, ICP record (filing) information, subdomain collection
  • Website administrator information: name, title, birthday, contact number, email address

Domain information collection

whois

Whois is a query protocol used to look up the owner and related information of a domain name or IP address. Simply put, whois is a database that tells you whether a domain name has already been registered and, if so, its registration details (such as the domain owner and the registrar).

Whois query method:

Web interface query, e.g. Webmaster's Home (站长之家, chinaz.com)

ICP record (filing) information

Commonly used query site: Webmaster's Home (站长之家)

Subdomain information collection

Common methods:

  • Search engines: Google hacking

  • Third-party website query

    https://dnsdumpster.com/
    http://tool.chinaz.com/subdomain

  • Cyberspace search engines

    Commonly used ones are: fofa, zoomeye, shodan

  • SSL certificate query

    http://crt.sh/

    http://developers.facebook.com/tools/ct/search/

  • Layer Subdomain Miner (Layer 子域名挖掘机)

  • OneForAll: a powerful subdomain collection tool
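The SSL certificate query method above works because Certificate Transparency logs are public: every certificate issued for a domain, including ones for forgotten or unofficial subdomains, is recorded there. The following example, added here and not part of the original post, parses the JSON format that crt.sh returns and diffs the hostnames against an asset inventory, which is how a defender would turn this recon source into a check for shadow-IT hosts. The certificate records and the inventory are constructed sample data; example.com is used as the domain.

```python
import json
from typing import Set

# Constructed sample of the JSON array that https://crt.sh/?q=%25.example.com&output=json
# returns (same field names; the records themselves are made up for this example).
CRT_SH_SAMPLE = json.dumps([
    {"id": 1, "issuer_name": "O=Sample CA 1", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "O=Sample CA 1", "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
    {"id": 3, "issuer_name": "O=Sample CA 2", "common_name": "old-staging.example.com",
     "name_value": "old-staging.example.com\nJenkins.Example.com\nother-corp.test",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-30T23:59:59"},
])


def hostnames_from_crt_sh(raw_json: str, apex: str) -> Set[str]:
    """Return the unique, lowercased hostnames under `apex` named in the records.

    `name_value` holds the certificate's SAN entries separated by newlines.
    Wildcard entries are kept as-is: a *.apex certificate can front any label.
    Names outside the apex (shared certificates) are dropped.
    """
    hosts: Set[str] = set()
    suffix = "." + apex.lower()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name == apex.lower() or name.endswith(suffix):
                hosts.add(name)
    return hosts


def unexpected_hostnames(raw_json: str, apex: str, inventory: Set[str]) -> Set[str]:
    """Hostnames with a publicly logged certificate that are missing from the
    asset inventory: candidates for forgotten or unofficial services."""
    known = {h.strip().lower() for h in inventory}
    return hostnames_from_crt_sh(raw_json, apex) - known


if __name__ == "__main__":
    inventory = {"example.com", "www.example.com", "*.example.com"}  # constructed
    for host in sorted(unexpected_hostnames(CRT_SH_SAMPLE, "example.com", inventory)):
        print("certificate logged but host not in inventory:", host)
```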

IP collection

  • Reverse IP lookup (IP address to domain names)

    https://tools.ipip.net/ipdomain.php

    http://stool.chinaz.com/same

    If the penetration target is a virtual host, the domain names found by reverse IP lookup are very valuable, because one physical server may run many virtual hosts. These virtual hosts have different domain names but usually share the same IP address. If you know which websites share the server, it may be possible to gain control of the server through a vulnerability in one of the other websites on it, and thereby reach the actual target in a roundabout way. This technique is also called a "side-site" (旁注) attack.

  • CDN (Content Delivery Network)

    Bypassing the CDN to find the origin IP:

    • Access from abroad: CDN service is expensive, so it may not be deployed for overseas access
    • Query the IP of subdomains: CDN traffic is expensive, so peripheral business sites often do not use it
    • MX record / mail service: query the IP address of the mail service
    • Historical DNS records: query the IP address the domain name resolved to before the CDN was put in front of it

Port information collection

  • Nmap

Here is some nmap usage I have recorded before: Usage of nmap

Origin blog.csdn.net/yghlqgt/article/details/113001656