Information collection (1) Domain name information collection
What are CDNs?
Content delivery (distribution) network (CDN): a traffic distribution platform that an operator builds from groups of node servers deployed in different regions, providing users with distributed content storage and caching.
In penetration testing you often find that the target website sits behind a CDN. A CDN mainly solves the latency and performance problems caused by transmission distance and by the boundaries between different carriers' networks. Put simply, it is a set of cache servers placed at the interconnection points between carriers: static resources that users request frequently are cached on these node servers, and later requests are answered by the node closest to the user. The origin web server is only contacted when the user actually needs dynamic data, which greatly improves the site's response time and user experience.
Advantages of CDNs
- Improve user access rate and optimize user experience
- Hide the IP of the real server
- Provides WAF functionality. Many CDNs now also offer a WAF. Requests pass through the CDN node first, where they are filtered; this filtering can detect and block attacks such as SQL injection, XSS, webshell upload, command injection and malicious scanning. The CDN node forwards only the cleaned traffic to the real origin server.
Different access methods of CDN
- Traditional access: user requests the domain name –> resolves the server IP –> reaches the target host directly
- Ordinary CDN: user requests the domain name –> CDN node –> real server IP –> target host
- CDN with WAF: user requests the domain name –> CDN node (cloud WAF) –> real server IP –> target host
No CDN:
Use CDN service:
So in a penetration test, to learn the real IP of the web server we must get past the CDN and find the server's true address.
How to judge whether the target website uses CDN
1. We can use nslookup to check whether the target website uses a CDN
nslookup www.baidu.com
As shown in the figure above, if the answer contains two or more addresses, the target website is probably using a CDN. Treat this as a hint rather than proof: a domain can also return several A records for plain round-robin load balancing, while a CNAME that points to another provider's domain is stronger evidence of a CDN.
2. Use SearchMap to determine whether the target uses a CDN
SearchMap is a comprehensive pre-penetration information-gathering tool that integrates domain name resolution, reverse IP lookup, WHOIS queries, CDN detection, port scanning, directory scanning and subdomain enumeration.
Download address: SearchMap download
After downloading SearchMap, use the following command to install dependencies
python3 -m pip install -r requirements.txt
1. Obtain basic website information
python3 searchmap.py -u https://www.baidu.com
python3 searchmap.py -u 106.53.143.192
2. Implicit port scanning with nmap
python3 searchmap.py -u https://www.baidu.com -p
3. Scan the basic information of the website in batches
python3 searchmap.py -r myurl.txt
4. Use multi-region ping to determine whether the target uses CDN acceleration
python3 searchmap.py -u https://www.baidu.com -n
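The following is an added example, not code from the original article or from SearchMap. It shows the two judgments described above in code: reading a domain's DNS answer section (the `dig +noall +answer` format is assumed here instead of nslookup's, because it is easier to parse) and deciding how strong the CDN evidence is, plus the multi-region comparison that the `-n` option automates. All sample answers, the region results and the list of CDN CNAME fragments are constructed for the example; the IPs are documentation ranges.

```python
# Added example (not from the original article or from SearchMap): judge whether a
# domain sits behind a CDN from its DNS answer section, plus the multi-region check.
# All sample data below is constructed; the IPs are documentation ranges.

# Constructed: what `dig +noall +answer www.example-shop.com` could print for a
# site behind a CDN (CNAME chain ending at a provider domain, then several A records).
SAMPLE_CDN = """\
www.example-shop.com.               300 IN CNAME www.example-shop.com.cdn.dnsv1.com.
www.example-shop.com.cdn.dnsv1.com.  60 IN CNAME abc123.cdn.provider-edge.net.
abc123.cdn.provider-edge.net.        60 IN A     203.0.113.10
abc123.cdn.provider-edge.net.        60 IN A     203.0.113.11
abc123.cdn.provider-edge.net.        60 IN A     203.0.113.12
"""

# Constructed: a site served directly by one host.
SAMPLE_DIRECT = "origin.example-shop.com. 3600 IN A 198.51.100.7\n"

# Constructed: plain round-robin DNS, two A records but no CNAME and no CDN.
SAMPLE_RR = """\
www.example-shop.com. 300 IN A 198.51.100.7
www.example-shop.com. 300 IN A 198.51.100.8
"""

# Partial, illustrative list of CNAME fragments that commonly belong to CDN or
# cloud-WAF providers (assumption: extend it from your own engagements).
CDN_CNAME_HINTS = ("cdn.dnsv1.com", "cloudfront.net", "akamaiedge.net", "edgekey.net",
                   "fastly.net", "cdn.cloudflare.net", "cdngslb.com", "kunlun", "yunjiasu")


def parse_dig_answer(text):
    """Parse `dig +noall +answer` lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.append((parts[0].rstrip("."), parts[3], parts[4].rstrip(".")))
    return records


def base_domain(name):
    """Crude registrable-domain guess (last two labels); enough for a hint."""
    return ".".join(name.lower().split(".")[-2:])


def cdn_verdict(text):
    """Return (likely_cdn, reasons). A CNAME to another provider is strong evidence;
    several A records on their own are weak (could be round-robin load balancing)."""
    records = parse_dig_answer(text)
    if not records:
        return False, []
    queried = records[0][0]
    reasons = []
    for name, rtype, rdata in records:
        if rtype != "CNAME":
            continue
        target = rdata.lower()
        if any(h in target for h in CDN_CNAME_HINTS):
            reasons.append(f"CNAME to known CDN/WAF domain: {rdata}")
        elif base_domain(target) != base_domain(queried):
            reasons.append(f"CNAME leaves the site's own domain: {rdata}")
    a_count = sum(1 for _, rtype, _ in records if rtype == "A")
    if a_count >= 2:
        reasons.append(f"{a_count} A records (CDN or plain round-robin)")
    strong = any(r.startswith("CNAME") for r in reasons)
    return strong, reasons


# Constructed: per-region resolution results, as a multi-region ping would gather.
SAMPLE_REGIONS = {"Beijing": {"203.0.113.10"}, "Guangzhou": {"203.0.113.11"},
                  "Frankfurt": {"203.0.113.12"}}


def regions_disagree(results):
    """Multi-region check (the idea behind SearchMap's -n option): if different
    vantage points reach different addresses, the domain is almost certainly on a CDN."""
    return len({frozenset(ips) for ips in results.values()}) > 1
```

`cdn_verdict(SAMPLE_CDN)` returns a strong verdict with three reasons, `cdn_verdict(SAMPLE_RR)` reports only the two A records and stays weak, and `regions_disagree(SAMPLE_REGIONS)` is true because each region reached a different edge address. In practice, feed the functions the output of your own `dig` run and of pings from several vantage points.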
How to bypass CDN to find real IP
So how do we bypass the CDN to find the real IP during the penetration test?
1. Through domain name resolution records
Historical DNS resolution records show which servers the domain pointed to in the past. Many websites did not use a CDN when they launched and only adopted one in recent years; if you review all historical resolution records, you may find entries from before the CDN was introduced, and the address found there is likely to be the real IP. Do not trust it blindly, because the host may have moved since: check that the candidate IP still serves the site, for example by requesting it directly with the site's Host header or by comparing the TLS certificate it presents with the one seen through the CDN.
IP History - ViewDNS.info
Website address:https://viewdns.info/iphistory/
Here, for example, we look up Baidu's historical resolution records
Baidu's resolution records are shown below
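The following is an added example, not code from the original article or from ViewDNS.info. It takes a domain's historical resolution records in the form an IP-history lookup returns them (date seen, IP, owner), discards addresses that fall inside the CDN provider's published prefixes, and ranks what is left as origin-IP candidates, most recently seen first, together with the date the domain first moved onto the CDN. The history and the CDN prefix list are constructed and use documentation IP ranges only.

```python
import ipaddress
from datetime import date

# Added example (not from the original article or ViewDNS.info): pick origin-IP
# candidates out of a domain's historical resolution records. The history and the
# CDN prefixes below are constructed, using documentation IP ranges only.
HISTORY = [
    # (date the record was seen, IP, owner as reported by the lookup service)
    (date(2024, 3, 1), "203.0.113.10", "ExampleCDN Ltd"),
    (date(2023, 9, 15), "203.0.113.11", "ExampleCDN Ltd"),
    (date(2022, 6, 2), "198.51.100.7", "Example Hosting Co"),
    (date(2021, 1, 20), "198.51.100.7", "Example Hosting Co"),
    (date(2020, 5, 5), "192.0.2.44", "Example Hosting Co"),
]

# Constructed: address blocks the CDN provider publishes for its edge nodes.
CDN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def is_cdn_ip(ip):
    """True if ip falls in one of the known CDN edge prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_PREFIXES)


def cdn_switch_date(history):
    """Earliest date at which the domain resolved to a CDN address, or None."""
    dates = [when for when, ip, _ in history if is_cdn_ip(ip)]
    return min(dates) if dates else None


def origin_candidates(history):
    """Non-CDN IPs from the history, most recently seen first:
    [(ip, first_seen, last_seen, owner)]. The most recent pre-CDN address is the
    best guess, but every candidate still has to be verified against the live site."""
    seen = {}
    for when, ip, owner in history:
        if is_cdn_ip(ip):
            continue
        first, last, _ = seen.get(ip, (when, when, owner))
        seen[ip] = (min(first, when), max(last, when), owner)
    ranked = [(ip, first, last, owner) for ip, (first, last, owner) in seen.items()]
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked
```

On the constructed history the domain moved to the CDN on 2023-09-15, and `origin_candidates(HISTORY)` lists 198.51.100.7 (seen 2021-01-20 to 2022-06-02) ahead of 192.0.2.44. A candidate is only confirmed once a direct request to it, with the site's Host header, returns the same site.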
2. Through cyberspace search engines
What is a cyberspace search engine? Switches, routers, webcams, network-attached storage, printers, ATMs, IoT appliances and more: all these systems and devices are nodes on the network and together form cyberspace. A search engine that lets you look up these networked devices directly is a cyberspace search engine.
fofa cyberspace search engine
Website address:https://fofa.info/
A Chinese cyberspace search engine launched by Baimaohui
For example, to find the real IP with a cyberspace search engine we can search by the serial number of the site's TLS certificate: a host that presents the same certificate as the one seen through the CDN is very likely the origin server, or at least another host of the same operator
A demonstration:
First look up the serial number of the Baidu certificate
Copy it and convert it to decimal
Hexadecimal conversion website:https://tool.lu/hexconvert/
Then search for the decimal serial number in fofa; the hosts returned are likely to include the real IP. Note that the CDN's own edge nodes also present the site's certificate, so exclude addresses that belong to the CDN provider and confirm each remaining candidate by connecting to it directly and checking that it serves the same certificate and the same site content.
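The following is an added example, not code from the original article or from FOFA. It automates the steps above: it turns a serial number as copied from a browser or from `openssl x509 -noout -serial` into the decimal form used in the search term, reads the serial straight out of a DER certificate with a minimal ASN.1 walk, and, for verifying a candidate, connects to an IP with the site's name as SNI and returns the serial that host presents. `SAMPLE_DER` is a constructed, truncated certificate prefix (version and serialNumber only), not a real certificate; the query format `cert="<decimal>"` is assumed to be the one the page means by searching the serial number in fofa.

```python
import re
import socket
import ssl

# Added example (not from the original article or from FOFA): certificate-serial
# handling for the real-IP search. SAMPLE_DER below is a constructed, truncated
# certificate prefix (only version + serialNumber), not a real certificate.


def normalize_serial(text):
    """'0a:1b:..', 'serial=0A1B..', 'Serial Number: 0a:1b', '0x0a1b..' -> int."""
    s = text.strip().lower()
    s = re.sub(r"^(serial\s*number\s*[:=]?\s*|serial=\s*|0x)", "", s)
    digits = "".join(ch for ch in s if ch in "0123456789abcdef")
    if not digits:
        raise ValueError("no hex digits in serial")
    return int(digits, 16)


def fofa_cert_query(serial_text):
    """Search term in the form the page uses: the serial in decimal (assumed syntax)."""
    return f'cert="{normalize_serial(serial_text)}"'


def _der_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_from_der(der):
    """serialNumber from a DER X.509 certificate:
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, pos, _ = _der_tlv(der, 0)          # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _der_tlv(der, pos)        # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, start, end = _der_tlv(der, pos)
    if tag == 0xA0:                         # explicit version present, skip it
        tag, start, end = _der_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    # DER INTEGER; a positive serial with its top bit set carries a leading 0x00,
    # which the unsigned conversion tolerates.
    return int.from_bytes(der[start:end], "big")


def serial_at(ip, host, port=443, timeout=5):
    """Connect to a candidate origin IP with SNI=host (the certificate is not
    validated, we only want to read it) and return the serial it presents, so it
    can be compared with the serial seen through the CDN. Needs network; not run offline."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return serial_from_der(tls.getpeercert(binary_form=True))


# Constructed sample serial (as a browser shows it) and a matching DER prefix.
SERIAL_HEX = "0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9"
_serial = bytes.fromhex(SERIAL_HEX.replace(":", ""))
_tbs = b"\xa0\x03\x02\x01\x02" + b"\x02" + bytes([len(_serial)]) + _serial
SAMPLE_DER = b"\x30" + bytes([len(_tbs) + 2]) + b"\x30" + bytes([len(_tbs)]) + _tbs
```

To check a candidate returned by the search, compare `serial_at(candidate_ip, "www.target.example")` with `normalize_serial(copied_serial)`. An equal serial means the host holds the same certificate, which the CDN's edge nodes do as well, so a match is necessary but not sufficient: also make sure the address is outside the CDN's prefixes and that a direct request with the site's Host header returns the site.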
shodan cyberspace search engine
Website address:https://www.shodan.io/
Hunter (Qi An Xin) cyberspace search engine
Website address:https://hunter.qianxin.com/
censys cyberspace search engine
Website address:https://search.censys.io/
ZoomEye cyberspace search engine
Website address:https://www.zoomeye.org/
360quake cyberspace search engine
Website address:https://quake.360.cn/quake/