Summary of Red Team Information Collection Ideas

Foreword:

The essence of penetration testing is information collection. The breadth of information collection determines the breadth of the attack, and the breadth of knowledge determines its depth.
Information collection matters at every stage. First identify the assets: domain names, subdomains, C-class ranges, side stations, systems, WeChat mini programs and official accounts. Once a site or target system is fixed, do the conventional fingerprinting (middleware, website framework, directory scanning, admin backend), work out what each function does, and then analyze what vulnerabilities each function point may have. A login page, for example, suggests account and password brute forcing, social engineering of credentials, SQL injection, XSS, logic flaws and so on.
In a short engagement you cannot improve your technique or discover a new idea; what shows at that point is your ability to collect assets. Information collection is the hardest, most tedious and most time-consuming part, and it has to be kept up continuously.
The most important thing for the red team is to do information collection well, and the premise of information collection is determining the target. During the HW period the targets may include finance, government, schools, enterprises, public security and other industries. Relatively speaking, enterprises are the easiest to attack; government, finance and similar sectors have better protection and more security devices, so the first choice is enterprises, then schools, then government units, and so on.

Some commonly used websites

Take company xxx as an example, with root domain xxx.cn.

Information collection can be approached from many angles: companies, subsidiaries, domain names, subdomains, IPv4, IPv6, mini programs, apps, PC software, etc. You can focus on ICP-filed websites, apps, mini programs, WeChat official accounts, and even Weibo.
One small idea: first find the official website and ping it from cmd to get its IP address, then run a whois lookup on that IP, which gives the registrant, e-mail address and the purchased network segment.
With the network segment you can start some active information collection with an asset-mapping tool; Goby's asset mapping is quite good. You will find some web services; do not worry about the ones with no banner, since services without a banner often have problems too.
Check the bottom of the website for labels such as "Technical support: xxxx" or "Website built by: xxxx". Some website builders hang a technical-support credit on the sites they build, for intellectual-property protection or to advertise their company, and many of them reuse the same source code across a whole category of sites, so the sites differ only in appearance.

1. Organizational ownership structure

After getting the company name, do not rush to check its filing records and find domain names; first look at the company's equity structure, because a subsidiary can generally also be used as a target, although sometimes a 50% or 100% shareholding is required, depending on the actual rules of the engagement. Common websites for querying a company's ownership structure include Tianyancha, Qichacha, Aiqicha, Xiaolanben, etc.
If the target does not hold many companies, you can look directly at the equity penetration chart, which is more intuitive. Besides equity penetration, you can also view the company's outward investment information; both places show the companies the target holds.

Aiqicha, Tianyancha 

https://www.qcc.com/
https://aiqicha.baidu.com/
https://www.tianyancha.com

2. Subdomain query

First choices: OneForAll and the Layer subdomain excavator.

If you know the target in advance, collect a round of subdomains early, then collect another round when the project is about to start, compare the two results, and give priority to the new subdomains.

Collect as many API keys as possible; for FOFA you can borrow API keys from others. The more the better.

Online subdomain lookup 

http://z.zcjun.com/
http://tool.chinaz.com/subdomain
https://dnsdumpster.com
https://phpinfo.me/domain (recommended)

OneForAll

https://github.com/shmilylty/OneForAll

Running it:

There are two commonly used options for subdomain collection: --target specifies a single domain name, and --targets specifies a file of domain names.

python3 oneforall.py --target example.com run
python3 oneforall.py --targets ./domains.txt run
python3 oneforall.py --target xxx.cn run
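To do the comparison of two collection rounds described above, here is an added example (not code from the post or from OneForAll) that normalizes two subdomain lists, drops names outside the root domain, and reports the new, vanished and unchanged names; a defender can run the same diff on successive inventory exports to spot assets that appeared without being registered. ROUND1 and ROUND2 are constructed sample data.

```python
# Added example: diff two rounds of subdomain collection (e.g. two OneForAll
# runs) and list what appeared or disappeared between them. Not from the post.

def normalize(name: str) -> str:
    """Lower-case, strip whitespace, a trailing dot and a leading wildcard."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def load_subdomains(lines, root: str) -> set:
    """Keep non-empty, non-comment names that belong to the root domain."""
    root = normalize(root)
    out = set()
    for line in lines:
        name = normalize(line.split("#", 1)[0])
        if name and (name == root or name.endswith("." + root)):
            out.add(name)
    return out

def diff_rounds(old_lines, new_lines, root: str) -> dict:
    """Return new / gone / unchanged names; 'new' is what to look at first."""
    old = load_subdomains(old_lines, root)
    new = load_subdomains(new_lines, root)
    return {
        "new": sorted(new - old),        # appeared since the last round
        "gone": sorted(old - new),       # possibly decommissioned
        "unchanged": sorted(old & new),
    }

# Constructed sample data standing in for two collection runs against xxx.cn
ROUND1 = ["www.xxx.cn", "Mail.xxx.cn.", "*.dev.xxx.cn", "evil.example.com"]
ROUND2 = ["www.xxx.cn", "dev.xxx.cn", "vpn-test.xxx.cn", "# comment", "oa.xxx.cn"]

if __name__ == "__main__":
    for bucket, names in diff_rounds(ROUND1, ROUND2, "xxx.cn").items():
        print(f"{bucket}: {names}")
```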

3. Google syntax (Google hacking)

Google hacking syntax quickly turns up information leaks, exposed admin backends and similar issues, for example:

Google hacking in practice: searching for sensitive files
filetype:txt 登录
filetype:xls 登录
filetype:doc 登录
site:xxx.com filetype:doc intext:pass
site:xxx.com filetype:xsl intext:pass
site:xxx.com filetype:conf
site:xxx.com filetype:inc
filetype:log iserror.log

Google hacking in practice: searching for login/admin backends
intitle:后台管理
intitle:login
intitle: 后台管理 inurl:admin
intitle:index of /
site:example.com filetype:txt 登录
site:example.com intitle: 后台管理
site:example.com admin
site:example.com login
site:example.com system
site:example.com 管理
site:example.com 登录
site:example.com 内部
site:example.com 系统
site:xxx.com admin
site:xxx.com login
site:xxx.com 管理
inurl:login|admin|manage|member|admin_login|login_admin|system|login|user|main|cms
site:example.com intext:管理|后台|登录|用户名|密码|验证码|系统|账号|admin|login|sys|management|password|username

Google hacking in practice: searching for middleware consoles
Weblogic

inurl:/console/login/LoginForm.jsp site:domain
inurl:/console/login/LoginForm.jsp intitle:Oracle WebLogic Server site:domain
inurl:/console/login/ intitle:"Oracle WebLogic Server 管理控制台" site:domain

Jboss

inurl:/jmx-console/htmladaptor site:domain

Websphere

inurl:/ibm/console/login.jsp site:domain

4. FOFA syntax

FOFA is a search engine, so you need to be familiar with its query syntax, which resembles Google's. FOFA syntax consists of search fields and operators, and every query is built from these two elements. Currently supported search fields include domain, host, ip, title, server, header, body, port, cert, country, city, os, appserver, middleware, language, tags, user_tag, etc.; supported logical operators are =, ==, !=, && and ||.
To find websites with 后台 (admin backend) in the title field, just enter title="后台" in the search box; the result is every site on the Internet with "后台" in its title, and you can use the information obtained to continue the penetration. Attacks such as password brute forcing and password recovery against the site's backend can easily start a simple penetration journey, and enterprise users can use the same information to investigate internal weak passwords and prevent problems before they happen.

Search all subdomains of QQ: domain="qq.com"
Search all domains whose host contains qq.com: host="qq.com"
Search for information about a single IP: ip="58.63.236.248"
Search for Apache servers worldwide: server="Apache"
Search for the very popular Hikvision devices: header="Hikvsion"
Search for Weibo's admin backend, domain weibo.com with "后台" in the page body: body="后台" && domain="weibo.com"

Some common FOFA syntax:

host=".xxx.edu.cn" && status_code="200"
icon_hash="1574010831"
(body="大学" || body="学院") && title="OA"
host=".edu.cn" && title="OA"
host=".edu.cn" && port=7001
region="Jilin" && title="用友nc"
server=weblogic && port=7001
title="目标名称" && region="xx省"
cert="目标域名或者证书关键字" && region="xx省"
((title="目标名称" || host="目标域名") && country="CN") && region!="HK"

(Placeholders: 目标名称 = target name, 目标域名 = target domain, 证书关键字 = certificate keyword, xx省 = xx province.)
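As an added example (not FOFA's code, and not from the post), the evaluator below applies FOFA-style queries like the ones above to an inline asset inventory, implementing the semantics the section describes: = contains, == exact match, != excludes, with && and || and parentheses. Case-insensitive matching and the ASSETS records are assumptions; a defender can run the same queries against an exported inventory to see exactly what a given search would surface.

```python
# Added example (not FOFA's code): evaluate FOFA-style queries over an inline
# asset inventory, with = contains, == exact match, != excludes, && and ||.
import re
TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||==|!=|=|"[^"]*"|[^\s()&|"=!]+)')

def tokenize(query):
    toks, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m: raise ValueError(f"bad token at {pos}: {query[pos:]!r}")
        toks.append(m.group(1)); pos = m.end()
    return toks

class Parser:  # recursive descent: expr := term ('||' term)*; term := factor ('&&' factor)*
    def __init__(self, query): self.t, self.i = tokenize(query), 0
    def peek(self): return self.t[self.i] if self.i < len(self.t) else None
    def take(self): tok = self.peek(); self.i += 1; return tok
    def expr(self):
        left = self.term()
        while self.peek() == "||":
            self.take(); l, r = left, self.term()
            left = lambda rec, l=l, r=r: l(rec) or r(rec)
        return left
    def term(self):
        left = self.factor()
        while self.peek() == "&&":
            self.take(); l, r = left, self.factor()
            left = lambda rec, l=l, r=r: l(rec) and r(rec)
        return left
    def factor(self):  # '(' expr ')' | field op value; case-insensitive (assumption)
        if self.peek() == "(":
            self.take(); node = self.expr()
            if self.take() != ")": raise ValueError("missing ')'")
            return node
        field, op, val = self.take(), self.take(), self.take()
        if op not in ("=", "==", "!=") or val is None: raise ValueError(f"bad clause near {field!r}")
        val = val.strip('"').lower()
        def test(rec):
            have = str(rec.get(field, "")).lower()
            return have == val if op == "==" else (val in have) != (op == "!=")
        return test

def search(query, records):
    p = Parser(query); match = p.expr()
    if p.peek() is not None: raise ValueError(f"unexpected {p.peek()!r}")
    return [r for r in records if match(r)]

ASSETS = [  # constructed inventory records, not real hosts
    {"host": "oa.xxx.edu.cn", "title": "OA办公系统", "port": "7001", "server": "WebLogic", "region": "Jilin"},
    {"host": "www.xxx.edu.cn", "title": "首页", "port": "443", "server": "nginx", "region": "Jilin"},
    {"host": "oa.example.com", "title": "OA", "port": "80", "server": "Apache", "region": "HK"},
]
```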

5. Side station query

Side stations are other websites hosted on the same server, sharing the same IP address. When the target website cannot be attacked successfully, but a side station can be compromised and its system privileges obtained, the target website is inevitably affected, because privileges on the shared server have already been obtained.

Online sites:

https://chapangzhan.com/
https://ipchaxun.com/
http://stool.chinaz.com/same?s=host

6. Collection of official accounts and service accounts

1. Sogou search engine

Sogou WeChat Search (搜狗微信搜索): one-stop search of subscription accounts and their article content.

2. Qichacha (企查查)

7. Fingerprint identification

EHole
https://github.com/EdgeSecurityTeam/EHole

Usage:

./Ehole-darwin -l url.txt                      // URLs must include the scheme, one per line
./Ehole-darwin -f 192.168.1.1/24               // a single IP or an IP range; FOFA identification needs a FOFA key and e-mail configured
./Ehole-darwin -l url.txt -json export.json    // write results to export.json

Online sites

http://www.yunsee.cn/info.html Yunsee

http://finger.tidesec.com tide

CMS Type Identification - WhatWeb

http://whatweb.bugscaner.com/look/

Kali command:

whatweb --no-errors http://bbs.looyuoms.com/

WAF identification

Tool: https://github.com/ekultek/whatwaf

./whatwaf -u host

WAF identification-online tool

https://scan.top15.cn/web/

8. Collection of sensitive information

For example, if the target is a school, use Baidu and Google hacking syntax, plus Zero Zero Security (for collecting mailboxes). If you want to brute force a school's VPN, student IDs can be obtained from channels such as the school's Tieba forum, the school confession wall and lost-student-card notices; with Google syntax, searching for keywords such as commendation, scholarship, change of major and notice may also turn up student IDs.

Search engines, GitHub and other code-hosting platforms, combined with some Google syntax, turn up a lot of information.

Be familiar with Google hacking, Baidu, Git, network-disk leaks and so on.

Sensitive information needs to be collected in the following aspects:

google hack

github

baidu

Zero Zero Security

Disclosure of the target person's name/mobile phone/email

The password may be the last six digits of the ID card number. Scripts that generate the last six digits of an ID number can be found online; generate a dictionary with one, let it run all night and check the result the next morning. This is pure luck.

9. Port scanning

The more common tools are nmap and masscan. Here is an nmap command for quickly scanning all ports:

nmap -sS -Pn -n --open --min-hostgroup 4 --min-parallelism 1024 --host-timeout 30 -T4 -v -p 1-65535 -iL ip.txt -oX output.xml
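As an added example (not from the post), here is a parser for the output.xml file that the -oX option of the command above writes: it lists the open ports per host and flags anything outside an expected per-host baseline, which is the check a defender runs on their own external scan. The XML below is a constructed minimal sample, not a real scan.

```python
# Added example (not from the post): parse nmap -oX output, list open ports per
# host and flag ports outside a per-host baseline. SAMPLE_XML is constructed.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="7001"><state state="open"/><service name="afs3-callback"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>"""

def open_ports(xml_text):
    """Map each host's IPv4 address to its sorted open (port, proto, service) tuples."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                ports.append((int(port.get("portid")), port.get("protocol"),
                              svc.get("name") if svc is not None else ""))
        result[addr.get("addr")] = sorted(ports)
    return result

def unexpected(xml_text, allowed):
    """Open ports not in the per-host allow-list: the exposure a defender wants to see."""
    found = {}
    for ip, ports in open_ports(xml_text).items():
        extra = [p for p in ports if p[0] not in allowed.get(ip, set())]
        if extra:
            found[ip] = extra
    return found

if __name__ == "__main__":
    print(unexpected(SAMPLE_XML, {"10.0.0.5": {22}, "10.0.0.9": {443}}))
```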

Besides these, fscan can also be used to scan ports on the external network, and it is faster.

For example, to use fscan only for port scanning, without vulnerability checks:

fscan -hf hosts.txt --nopoc -t 100

fscan's default thread count is 600, which is rather large for external-network scanning, so it is set to 100 here; if the scan results are not ideal, lower the thread count further.

10. Directory acquisition

The more commonly used directory-scanning tools are dirsearch and dirmap.

dirmap focuses more on fuzzing, but whether it is directory scanning or fuzzing, the quality of the result lies in the dictionary. A dictionary with more than 4k stars on GitHub:

https://github.com/TheKingOfDuck/fuzzDicts

11. Email address acquisition

http://www.skymem.info/
https://github.com/laramies/theHarvester
https://github.com/bit4woo/teemo

12. JSFinder

The JS files of a website contain all kinds of content that helps with testing.

Address: https://github.com/Threezh1/JSFinder

JSFinder is a tool for quickly extracting URLs and subdomains from a website's JS files.

How JSFinder obtains URLs and subdomains:
python JSFinder.py -u http://www.xx.com

Crawling one level deeper for JS files takes longer but yields more information. It is recommended to use -ou and -os to specify the file names for saving URLs and subdomains.
python JSFinder.py -u https://baidu.com -d
python JSFinder.py -u https://baidu.com -d -ou url.txt -os sub.txt

13. Social engineering

Social engineering is a non-technical penetration method that obtains information through interpersonal communication. Unfortunately this approach is very effective and is applied with great efficiency; in fact, social engineering is already one of the biggest threats to corporate security. The most obvious difference between social engineering in the narrow and in the broad sense is whether it interacts with the victim. In the broad sense it is a targeted attack on one or more targets.

Common social engineering
The three magic weapons of social engineering: phishing, phone phishing, and impersonation.
Three magic weapons in the narrow sense: Google, social engineering databases (社工库), QQ.
Classification of social engineers: hackers, penetration testers, JD, GOV, internal employees of the company, scammers, headhunters, salespeople, ordinary people.
Ways information leaks
Registering on junk websites that later get hacked (server or database attacked), after which hackers obtain the information.
Insiders at the website sell the information.
Communications are intercepted.
Credential stuffing: for example, you registered on website A with a password and also use that password on website B; whoever knows your website A password can log in to website B with it. This is the social engineering of credential stuffing.
Four stages of an attack
Research: information collection (web, media, trash cans, physical); determine and study the target.
Hook: establish the first conversation with the target (hook, set off).
Act: establish trust with the target and obtain information.
Exit: leave the attack scene without arousing the target's suspicion.
Common information that can be obtained
Real name, gender, date of birth, ID number, ID home address, public security bureau that issued the ID card, express delivery address, general range of activity, QQ number, mobile phone number, e-mail address, bank card number (and issuing bank), mutual friends, Alipay, Tieba, Baidu, Weibo, Liepin, 58, Tongcheng, network disk, WeChat, commonly used ID, education (primary/junior/high/university/resume), detailed analysis of the target's personality, commonly used passwords, photo EXIF information.
Common information systems that can be obtained
TravelSky system, Spring Airlines system, 12306 system, the websites of the three major operators, the national basic population information database, the national motor vehicle/driver information database, major express delivery systems (via unauthorized access, 越权), the national entry and exit personnel database, enterprise-related systems, information resource databases, etc.

14. Collection of device information

Getting hold of a firewall or router on which VPN can be configured is equivalent to getting the key to the intranet: you only need to reach the intranet, and intranet penetration follows. So before HW starts, many teams collect these devices, and if a password is weak they change it outright.
Getting the VPN of some government units is even more comfortable, because there is a high chance of entering the government affairs outer-ring network. This network uses public IP addresses but cannot be reached from the Internet; it is a layer between the government affairs intranet and the Internet, and there are many good things inside, but attacks have increased in recent years and the assets inside are better and better protected.
So you need to collect search syntax for such devices, for example:

app="HUAWEI-Home-Gateway-HG659"
title="Web user login"
app="Ruijie-EG易网关"

For the account passwords of these devices, you can search Baidu directly, or search the device names on this website; most of them are there.

https://www.shentoushi.top/av/


Origin blog.csdn.net/Hacker0830/article/details/130199948