Web information collection
1. whois query
- whois.chinaz.com
- whois.aizhan.com
- whois.aliyun.com
2. Identification of the server operating system
- Preliminary judgment can be made from the TTL value
- Via the nmap tool:
  nmap -O xxx.xxx.xxx.xxx
- Is the file path case sensitive?
  Windows server paths are case insensitive
  Linux server paths are case sensitive
3. Server hardening
- Modify the default TTL value
  Windows: cmd ---> regedit ---> HKEY_LOCAL_MACHINE ---> SYSTEM ---> CurrentControlSet ---> Services ---> Tcpip ---> Parameters ---> DefaultTTL
  Linux: /proc/sys/net/ipv4/ip_default_ttl (temporary; the value is lost on shutdown and the default TTL is restored)
  /etc/sysctl.conf: add net.ipv4.ip_default_ttl=xxx, then apply and verify with sysctl -p (permanent)
4. Service version identification
- Keywords in traffic packets
- servers-db
- Error page display
  Solution:
  Apache: conf ---> extra ---> httpd-default.conf ---> ServerTokens Prod
  ServerSignature Off
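To check whether the two Apache directives above actually took effect, the following added example (not part of the original notes, and not an Apache tool) parses a raw HTTP response and flags version disclosure in the Server / X-Powered-By style headers as well as the "Server at host Port n" footer that ServerSignature On appends to error pages. The two sample responses are constructed for the demonstration.

```python
import re

# Response headers that commonly carry software or version information.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Matches a dotted version number such as 2.4.41 or 7.4.3.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")

# Matches the footer Apache appends to error pages when ServerSignature is On.
SIGNATURE_RE = re.compile(r"Server at \S+ Port \d+")


def split_response(raw: str):
    """Split a raw HTTP response into (lowercase-keyed header dict, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # the first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def find_header_disclosures(headers: dict) -> list:
    """Return (header, value, kind) for each header that leaks product or version info."""
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append((name, value, "version"))
        elif name != "server":
            # A bare product name in Server is what 'ServerTokens Prod' produces and is
            # acceptable; any other disclosing header is unnecessary even without a version.
            findings.append((name, value, "product"))
    return findings


def has_server_signature(body: str) -> bool:
    """True if the body carries the 'Server at <host> Port <n>' footer (ServerSignature On)."""
    return SIGNATURE_RE.search(body) is not None


def audit_response(raw: str) -> dict:
    """Audit one raw response: header disclosures plus the error-page signature."""
    headers, body = split_response(raw)
    return {
        "headers": find_header_disclosures(headers),
        "signature": has_server_signature(body),
    }


# Constructed sample responses (not captured from any real host).
LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<address>Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80</address>"
    "</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw))
```

Feed it the raw output of a request against an error path on your own server (for example from curl -i) after applying the configuration; an empty "headers" list and "signature": False means both directives are in effect.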
5. Common combinations:
- Linux+Apache+PHP+MySQL
- Linux+Nginx+PHP+MySQL
- Windows+IIS+ASP+SQL server
- Linux+Tomcat+JSP+MySQL
- Linux+Tomcat+JSP+Oracle
6. Fingerprint recognition
- unique file
- Unique MD5
- file naming convention
- return header keyword
- web page keywords
Online tools:
Other tools:
- whatweb
- cmseek
7. Sensitive path identification
Exposed .git or .svn directories allow the source code to be restored with GitHack:
python .\GitHack.py http://xxxxx/.git/
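From the defender's side the fix is to make sure no version-control metadata sits under the web root in the first place. The following added example (not from the original notes and not related to GitHack) walks a document root, reports every .git, .svn or .hg directory it finds, and prints an Apache 2.4 rule that denies access to such directories as a second layer. The demo docroot it builds in a temporary directory is constructed for the demonstration.

```python
import os
import tempfile

# Version-control metadata directories that must never be reachable under a web root.
VCS_DIRS = (".git", ".svn", ".hg")


def find_exposed_vcs_dirs(docroot: str) -> list:
    """Return docroot-relative paths of every VCS metadata directory below docroot."""
    found = []
    for dirpath, dirnames, _files in os.walk(docroot):
        for name in list(dirnames):
            if name in VCS_DIRS:
                found.append(os.path.relpath(os.path.join(dirpath, name), docroot))
                dirnames.remove(name)  # no need to descend into the metadata itself
    return sorted(found)


def apache_deny_snippet() -> str:
    """Apache 2.4 rule that denies access to VCS directories wherever they appear."""
    return (
        '<DirectoryMatch "/\\.(git|svn|hg)">\n'
        "    Require all denied\n"
        "</DirectoryMatch>\n"
    )


def build_demo_docroot() -> str:
    """Create a constructed docroot with one exposed .git and one nested .svn."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, ".git", "objects"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")
    os.makedirs(os.path.join(root, "blog", ".svn"))
    os.makedirs(os.path.join(root, "assets"))
    return root


if __name__ == "__main__":
    docroot = build_demo_docroot()
    exposed = find_exposed_vcs_dirs(docroot)
    for path in exposed:
        print("exposed:", path)
    if exposed:
        print("suggested Apache rule:\n" + apache_deny_snippet())
```

Run find_exposed_vcs_dirs against the real document root (for example /var/www/html); anything it reports should be removed from the deployment, and the DirectoryMatch rule covers the case where a later deploy reintroduces such a directory.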
8. Collection of historical vulnerability information
foreign:
Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers
Vulners - Vulnerability DataBase
domestic:
Alibaba Cloud Vulnerability Library
Vulnerability library: