[Domain name information collection - CDN bypass]


1. Collection of domain name information

1. Through a search engine. For example, first find a school website with inurl:edu.cn; the domain of Peking University is https://www.pku.edu.cn/. Then search inurl:pku.edu.cn to find its other domain names, which helps during an actual penetration test.


2. List some Baidu domain names with the Layer subdomain tool.

2. hosts file

The hosts file is stored at C:\Windows\System32\drivers\etc\hosts. Its main function is domain name redirection: the host first looks up the name-to-address mapping in the hosts file, and only then asks the DNS server to resolve it.
For example, visit Baidu now and check the IP:

The IP is 14.119.104.189.
Now modify the hosts file so that www.baidu.com resolves to 1.1.1.1 and ping again; the result has changed.

3. CDN

That is, a content delivery network. To serve resources faster, the main server is fronted by nodes in various locations, and the nearest node is chosen according to the visitor's location.
If we also change the DNS server we use, the CDN node that is resolved changes.
For example: this is the current DNS server and the address it resolves. After changing the DNS server, the resolved address changes.
This is a small experiment. To judge whether a server uses a CDN, you can use a multi-location ping ("super ping") or a third-party tool, or simply observe whether the address returned for the domain stays consistent across pings.

1. Determine whether there is a CDN

Multi-location ping ("super ping"): check whether the resolved IPs are consistent. The built-in ping and nslookup commands can be used in the same way.

2. Bypass the CDN to find the real IP

2.1 Subdomain query: some sites put the main domain behind a CDN but not the subdomains. For example, www.xueersi.com and xueersi.com do not resolve to the same address (compare the resolution of xueersi.com with that of www.xueersi.com).

2.2 Mail service query: we may reach the site through the CDN, but when the site's own services (such as mail) connect to us, they usually do not go through the CDN.

2.3 Request from a foreign address: if the CDN has no node abroad, a request from abroad may be served directly by the origin IP.

2.4 Leftover files, or scanning the whole network: fuckcdn, w8 fuckcdn, zmap, etc.

2.5 Shodan ("dark engine") search for specific files: https://www.shodan.io/

2.6 DNS history; measure by traffic volume: CDN nodes have a traffic quota, and once it is used up requests go directly to the origin machine, which is also a kind of traffic attack.
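As an added example that is not part of the original post, here are the subdomain and mail-server checks from 2.1 and 2.2 seen from the zone owner's side: given an exported zone and the CDN provider's address ranges (both constructed sample data here, not real assignments), report every A record, including the MX target, that points at an address outside the CDN.

```python
"""Audit a DNS zone for records that expose an origin IP outside the CDN.

Added example, not from the original post. The zone records and CDN
address ranges below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed CDN edge ranges; in a real audit take these from the
# provider's published IP list.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed zone export as (name, type, value). The apex is behind the
# CDN, but 'www' and the MX host point straight at the origin, which is
# exactly the leak the subdomain and mail checks above look for.
ZONE_RECORDS: List[Tuple[str, str, str]] = [
    ("example.com.", "A", "203.0.113.10"),
    ("www.example.com.", "A", "192.0.2.44"),
    ("example.com.", "MX", "mail.example.com."),
    ("mail.example.com.", "A", "192.0.2.44"),
    ("cdn.example.com.", "CNAME", "edge.cdn-provider.example."),
    ("static.example.com.", "A", "198.51.100.7"),
]

def behind_cdn(ip: str) -> bool:
    """True if the address falls inside one of the known CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)

def find_origin_leaks(records: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Return {name: [ip, ...]} for every A record that bypasses the CDN.

    MX targets are resolved against the zone's own A records, so a mail
    host sitting on the origin IP is also reported under the apex name.
    """
    a_records: Dict[str, List[str]] = {}
    for name, rtype, value in records:
        if rtype == "A":
            a_records.setdefault(name, []).append(value)
    leaks: Dict[str, List[str]] = {}
    for name, rtype, value in records:
        if rtype == "A" and not behind_cdn(value):
            leaks.setdefault(name, []).append(value)
        elif rtype == "MX":
            for ip in a_records.get(value, []):
                if not behind_cdn(ip):
                    leaks.setdefault(f"{name} (MX -> {value})", []).append(ip)
    return leaks

if __name__ == "__main__":
    for name, ips in find_origin_leaks(ZONE_RECORDS).items():
        print(f"origin exposed: {name} -> {', '.join(ips)}")
```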


Summary

Some study notes written for my own situation; I hope I can keep it up.


Origin blog.csdn.net/qq_61872115/article/details/129545890