Web information collection

Web information collection

1. whois query

• whois.chinaz.com
• whois.aizhan.com
• whois.aliyun.com

2. Identification of the server operating system

• Preliminary judgment can be made by TTL value

• Via the nmap tool

  nmap -O xxx.xxx.xxx.xxx

• Is the file path case sensitive?

  windows server path case insensitive

  Linux server paths are case sensitive

3. Server reinforcement

• Modify the default TTL value

  Windows：cmd--->gredit--->HKEY_LOCAL_MACHINE--->SYSTEM--->CurrentControlSet--->Services--->Tcpip--->Parameters--->DefaultTTL

  Linux: /proc/sys/net/ipv4/ip_default_ttl (temporary modification, shutdown will restore the default TTL)

  ​ /etc/sysctl.conf can be verified with sysctl -p after adding net.ipv4.ip_default_ttl=xxx (permanent)

4. Service version identification

1. Keywords in traffic packets

2. servers-db

3. error display

   solution:

   Apache：conf--->extra--->httpd-default.conf--->ServerTokens Prod

   ​ServerSignature off

5. Common combinations:

• Linux+Apache+PHP+MySQL
• Linux+Nginx+PHP+MySQL
• Windows+IIS+ASP+SQL server
• Linux+Tomcat+JSP+MySQL
• Linux+Tomcat+JSP+Oracle

6. Fingerprint recognition

1. unique file
2. Unique MD5
3. file naming convention
4. return header keyword
5. web page keywords

Online tools:

List of cms that has been recognized, cms recognition, source code recognition, online tools --BugScaner

yunsee.cn-2.0

Other tools:

whatweb

cmseek

7. Sensitive path identification

.git, .svn files can restore the source code through GitHack

python .\GitHack.py http://xxxxx/.git/

8. Collection of historical vulnerability information

foreign:

Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers

Vulners - Vulnerability DataBase

domestic:

https://www.cnvd.org.cn

Alibaba Cloud Vulnerability Library

Vulnerability library:

Home- Baige Library

http://wiki.peiqi.tech

WooYun Knowledge Base