Network Security Information Collection/Management Technology

1: Introduction to Information Collection

2: Specific content of information collection

(1) Collection of WEB information

1: Domain name information collection

2: whois query

3: Real IP information collection

4: Information collection of side stations

5: Collect host information in segment C

6: Port information collection

7: APP information collection

8: Small program information collection

9: Official account information collection

(2) Collection of server information

1: Server operating system information collection

2: Collect server middleware version information

3: Fingerprint identification

4: Sensitive Information Collection

1: Introduction to Information Collection

"Sun Tzu's Art of War" says: know yourself and know your enemy, and you will not be imperiled in a hundred battles. Information gathering is the first and most critical stage of a cyber attack or penetration test, and usually the most time-consuming one. In other words, penetration testing is, to a large extent, information gathering.
Information collection is also called footprinting. By how it interacts with the target, it is divided into active and passive collection; by the means used, it is divided into technical and non-technical methods.
Active information collection: collecting information by interacting directly with the target, for example by visiting the site or scanning it. Its advantages are: ① the information obtained is highly targeted; ② the information is current; ③ undisclosed or sensitive data can be collected. Its disadvantages are: ① the collector's own identity (source IP, tooling) is easily exposed, so the risk is high; ② the coverage is relatively small, since only what the target exposes directly can be seen. Note: go through a proxy before any active collection. This both hides the tester and avoids the situation where the tester's IP is blocked mid-engagement and further testing becomes impossible.
Passive information collection: collecting information about the target (domain names, subdomains, C segments, IPs, and so on) from third-party services or tools, without sending traffic to the target itself.
Technical methods: using third-party platforms (search engines, cyberspace search engines, scanners and other detection tools) to collect information.
Non-technical methods: social engineering, such as phishing or contacting the target's staff to obtain the required information.

2: Specific content of information collection

(1) Collection of WEB information

1: Collecting domain name information
In practice, the customer may hand the tester a detailed list of target assets, but the tester may equally be given only the main domain or even just the company name. In that case the penetration tester must collect domain name information starting from the main domain or the enterprise name.
(1) Conduct target enterprise information inquiry through the enterprise filing system.
①ICP filing query network: https://www.beianx.cn
②Ministry of Industry and Information Technology filing information query system: https://beian.miit.gov.cn
③ Internet site information filing platform of the public security organs: https://www.beian.gov.cn/portal/registerSystemInfo
(2) Query target enterprise assets through business information query software (including main domain, subdomain, web site, applet, APP, official account, etc.)
① Xiaolanben: https://www.xiaolanben.com
② Qichacha: https://www.qcc.com
③ Aiqicha: https://www.aiqicha.baidu.com
(3) Subdomain information collection: collecting subdomains expands the attack surface and raises the chance of finding an exploitable entry point.
① Enumeration: brute-force subdomains from a wordlist. Related tools: Layer subdomain excavator (Layer子域名挖掘机).
② Use search engines to collect subdomain information, for example the query: site:baidu.com
③ Use a cyberspace search engine to collect subdomain information, for example the query: domain="baidu.com" (cyberspace search engines include Fofa, ZoomEye, Shodan, 360 Quake, Hunter (鹰图), etc.).
④ Use certificate transparency logs to collect subdomain information: https://crt.sh/
⑤ Use aggregation tools: OneForAll, subDomainsBrute, etc.
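The subdomain brute force in ① has one pitfall a practitioner must handle: zones with a wildcard record (*.example.org) answer every label, so a naive wordlist run reports thousands of "subdomains" that all point at the same catch-all IP. The following added example (mine, not from the original article or from any of the tools it names) first probes random labels to learn the wildcard answer set, then keeps only names whose answer differs from it. The resolver is injected so the logic runs offline against a constructed zone; `system_resolver` shows the real-DNS swap-in. The zones, names and IPs are constructed sample data.

```python
"""Wildcard-aware subdomain brute force (added example, constructed data)."""
import random
import socket
import string
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a name to its set of IPs, or None when the name does not exist.
Resolver = Callable[[str], Optional[Set[str]]]

# Constructed sample zone (assumption, not real DNS data).
SAMPLE_ZONE: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.25"},
    "dev.example.com": {"203.0.113.10"},
}

# Constructed zone with a wildcard record: every unknown label resolves.
WILDCARD_ZONE: Dict[str, Set[str]] = {
    "www.example.org": {"198.51.100.5"},
    "*.example.org": {"198.51.100.99"},
}


def make_resolver(zone: Dict[str, Set[str]]) -> Resolver:
    """Build an offline resolver that honours explicit records and one-level wildcards."""
    def resolve(name: str) -> Optional[Set[str]]:
        if name in zone:
            return set(zone[name])
        parent = name.split(".", 1)[1] if "." in name else ""
        wildcard = "*." + parent
        if wildcard in zone:
            return set(zone[wildcard])
        return None
    return resolve


def system_resolver(name: str) -> Optional[Set[str]]:
    """Real lookup through the OS resolver; NXDOMAIN/SERVFAIL come back as None."""
    try:
        _, _, ips = socket.gethostbyname_ex(name)
        return set(ips)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels under the domain.

    If every random label resolves, the zone has a wildcard; return the union of
    the answers so callers can filter them out. An empty set means no wildcard.
    """
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        answer = resolve(f"{label}.{domain}")
        if not answer:
            return set()
        wildcard_ips |= answer
    return wildcard_ips


def brute_force(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Return {fqdn: sorted IPs} for wordlist entries that resolve to non-wildcard answers."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        answer = resolve(fqdn)
        if not answer:
            continue
        # Drop names whose answers are entirely explained by the wildcard record.
        if wildcard_ips and answer <= wildcard_ips:
            continue
        found[fqdn] = sorted(answer)
    return found


if __name__ == "__main__":
    words = ["www", "mail", "dev", "ftp", "admin"]
    print(brute_force("example.com", words, make_resolver(SAMPLE_ZONE)))
    print(brute_force("example.org", words, make_resolver(WILDCARD_ZONE)))
```

A name that resolves to the wildcard IP plus an extra address is still kept, because the extra address is real information; only answers fully contained in the wildcard set are discarded.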

2: whois query
whois is a query protocol used to look up the registrant of a domain name or IP address block. Put simply, a whois query shows whether a domain is registered and what the registrant supplied at registration: e-mail address, phone number, name, organisation, and so on. From this information you can build a social-engineering password list, discover more assets, or run reverse lookups (by registrant, e-mail, phone number or organisation) to find other domains owned by the same party. Note that many registrars now apply privacy protection, so the visible contact may be a proxy rather than the real owner.
①Ministry of Industry and Information Technology’s filing information query: https://beian.miit.gov.cn/#/Integrated/recordQuery
②Public Security Recording Network: https://www.beian.gov.cn/portal/registerSystemInfo
③ Webmaster's Home (Chinaz) whois query
④Aizhan.com: https://whois.aizhan.com/
⑤China Internet Network Information Center: https://webwhois.cnnic.cn/WelcomeServlet
⑥Tencent Cloud: https://whois.cloud.tencent.com/
⑦ Aliyun: https://whois.aliyun.com/

3: Real IP information collection
The real IP is the public IP address of the target's own server (the origin). Once the real IP is known, its C segment and ports can be examined for further penetration. Many sites, however, sit behind a CDN, so the CDN must be bypassed to obtain the real IP. (Note: a site that is not behind a CDN can generally be reached by requesting its IP address directly; a CDN edge, by contrast, will typically answer a bare-IP request with an error or a default page.)
(1) Step 1: First determine whether the site uses CDN technology
1): Ping or resolve the domain from hosts in different locations
① Webmaster Tools: http://ping.chinaz.com
② Aizhan.com: https://ping.aizhan.com
③ https://asm.ca.com/en/ping.php
2): Use the nslookup command, for example: nslookup baidu.com
Note: if nslookup returns several IP addresses, or different locations resolve to different addresses, the domain is most likely behind a CDN; if only one address appears everywhere, there is probably no CDN. This is a heuristic, not proof: several A records can also be plain load balancing, and an anycast CDN can show a single address. A CNAME pointing at a known CDN provider's domain is a stronger indicator.
(2) The second step: Bypassing the CDN
① Query subdomains. Reason: CDN acceleration costs money, so many organisations put only the main site behind the CDN and leave subdomains uncovered. The subdomains may be hosted on the same server or in the same C segment as the main site, so resolving them gives IP addresses that help infer the main site's real IP.
② Query historical DNS resolution records. The real IP may be found in the A records the domain had before it was moved behind the CDN.
I: DNSdb: https://dnsdb.io/zh-cn/
II: Weibu Online: https://x.threatbook.cn
III: 360 Threat Intelligence Center: https://ti.360.net/#/homepage
IV: Query Network: https://site.ip138.com
V: https://tools.ipip.net/cdn.php
③ Resolve the domain from hosts overseas. Reason: some domestic CDN providers only accelerate domestic lines and not overseas ones, so a resolver outside the country may return the real IP.
④ Bypass via site vulnerabilities, for example an SSRF or an error page that leaks the server's own address.
⑤ Obtain the IP from e-mail headers. Reason: the Received headers of mail sent by the target (registration confirmations, password resets) record the sending server's IP, which is often in the same segment as, or identical to, the web server.

4: Information collection of side stations
Side stations are other websites hosted on the same server (virtual hosts) as the target. If the target site itself has no exploitable vulnerability, a vulnerability in a neighbouring site can be used to gain a foothold on the shared server, escalate to the highest privilege, and from there reach the target.
(1) Ways to find side stations
① Webmaster tool: https://stool.chinaz.com/same
② Query through search engines
③ Query using spatial search engines

5: Collection of host information in segment C
The C segment refers to the other hosts in the same /24 network as the target IP, that is, the 256 addresses that share the first three octets. An IPv4 address has four octets A.B.C.D; for 192.168.0.1 the A octet is 192, B is 168, C is 0 and D is 1, so the addresses in the same C segment run from 192.168.0.0 to 192.168.0.255. On the public Internet, hosts in the same /24 as the target are often the same organisation's (or the same hosting provider's) servers.
(1) Ways to query segment C
①Use Nmap tool to scan
②Use search engine to search segment C information
③Use spatial search engine to query segment C information
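Before scanning a C segment with Nmap it helps to know which /24 is actually worth the noise. The following added example (mine, not from the article) uses the standard `ipaddress` module to compute the C segment of an IP, list its host addresses for a sweep, and group the IPs already collected from subdomain resolution by /24 so the segment with the most known target assets is scanned first. The IP-to-hostname mapping is constructed sample data.

```python
"""C segment (/24) helpers for a collected asset list (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Constructed: IPs obtained by resolving the target's subdomains.
RESOLVED_ASSETS: Dict[str, Set[str]] = {
    "203.0.113.10": {"www.example.com", "dev.example.com"},
    "203.0.113.25": {"mail.example.com"},
    "203.0.113.77": {"vpn.example.com"},
    "198.51.100.7": {"api.example.com"},
}


def c_segment(ip: str) -> str:
    """Return the /24 network containing ip, e.g. '203.0.113.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def hosts_in_c_segment(ip: str) -> List[str]:
    """All 254 host addresses of the /24 (network and broadcast addresses excluded)."""
    return [str(host) for host in ipaddress.ip_network(f"{ip}/24", strict=False).hosts()]


def group_by_c_segment(assets: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each /24 to the hostnames already known to live in it."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for ip, names in assets.items():
        groups[c_segment(ip)].update(names)
    return dict(groups)


def segments_by_priority(assets: Dict[str, Set[str]]) -> List[str]:
    """Segments ordered by how many known target hosts they contain (most first)."""
    groups = group_by_c_segment(assets)
    return sorted(groups, key=lambda net: (-len(groups[net]), net))


if __name__ == "__main__":
    for net in segments_by_priority(RESOLVED_ASSETS):
        print(net, sorted(group_by_c_segment(RESOLVED_ASSETS)[net]))
```

With the segment chosen, a host discovery sweep is `nmap -sn 203.0.113.0/24`, and the hosts that answer go on to port scanning.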

6: Port information collection
A port can be thought of as a doorway through which a device communicates with the outside world; different ports correspond to different services. TCP and UDP each have ports 0 to 65535. When the usual web ports 80 and 443 offer no way in, scanning the remaining ports can reveal other services (databases, remote administration, management consoles) that provide a path to penetration.
(1) Port information collection method
① use Nmap tool
② use Yujian port scanning tool
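To show what a port scan actually does, here is an added example (mine, not from the article or from Nmap) of a concurrent TCP connect scan with banner grabbing, plus a small helper that starts a throwaway local service so the scanner can be exercised offline. The banner text and port list are constructed; in a real test you would point `scan` at the target host.

```python
"""Threaded TCP connect scan with banner grabbing (added example)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple

# Ports that most often give a foothold when 80/443 do not (assumption: adjust per target).
COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445,
                1433, 1521, 3306, 3389, 5432, 6379, 8080, 8443]


def probe(host: str, port: int, timeout: float = 1.0) -> Tuple[int, bool, str]:
    """Full TCP handshake to one port; returns (port, is_open, banner).

    The banner is whatever the service volunteers in the first half second;
    many services (HTTP, for instance) say nothing until they receive a request.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(0.5)
            try:
                banner = sock.recv(256).decode("utf-8", "replace").strip()
            except (socket.timeout, OSError):
                banner = ""
            return port, True, banner
    except OSError:  # refused, timed out, unreachable
        return port, False, ""


def scan(host: str, ports: Iterable[int] = COMMON_PORTS, workers: int = 50,
         timeout: float = 1.0) -> Dict[int, str]:
    """Scan the ports concurrently; return {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: banner for port, is_open, banner in results if is_open}


def start_fake_service(banner: bytes) -> Tuple[int, socket.socket]:
    """Listen on an ephemeral loopback port and send `banner` to the first client.

    Exists only so the scanner can be demonstrated without a target; returns
    (port, listening_socket) so the caller can close the socket afterwards.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    server.settimeout(5.0)

    def serve() -> None:
        try:
            conn, _ = server.accept()
            with conn:
                conn.sendall(banner)
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1], server


def free_closed_port() -> int:
    """Reserve then release a loopback port, leaving it closed for a negative test."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    port, server = start_fake_service(b"SSH-2.0-OpenSSH_constructed\r\n")
    print(scan("127.0.0.1", [port, free_closed_port()]))
    server.close()
```

A connect scan completes the handshake and is therefore logged by the service; Nmap's default SYN scan (`nmap -sS -p- -sV <target>`, which needs raw-socket privileges) is quieter and adds version detection, which is why the article recommends it for real work.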

7: Collection of APP information
In the era of the explosion of mobile applications, APP is an important asset of the enterprise, and its information collection is also crucial in the penetration testing work.
① Use commercial information search platforms such as Xiaolanben, Aiqicha, and Qichacha to collect information.
②Mobile commercial product analysis platform through Qimai Data: https://www.qimai.cn

8: Small program information collection
① Use commercial information search platforms such as Xiaolanben, Aiqicha, and Qichacha to collect information.

9: Collect information from public accounts
① Sogou WeChat public account search platform: https://weixin.sogou.com/

(2): Server information collection
1: Server operating system information collection
① Ping the target and look at the TTL value, for example: ping baidu.com or ping <IP address>. Reason: by default Linux uses an initial TTL of 64, Windows NT/2000/XP and later use 128, Windows 98 used 32, and some UNIX systems and network devices use 255. The observed value is the initial TTL minus the number of hops, so round up to the nearest default. (Note: TTL ranges from 0 to 255 and can be changed by the administrator, so it is a hint rather than a certainty; a host behind a CDN or load balancer shows the intermediary's TTL, not the origin's.)
② Test case sensitivity of the URL path (domain names themselves are case-insensitive in DNS). Reason: on Windows the file system is case-insensitive, so /Index.php and /index.php return the same page; on Linux the file system is case-sensitive, so the changed-case path typically returns 404.
③ Port judgement: an open port 22 (SSH) suggests a Linux/UNIX host, while 3389 (RDP) and 445 (SMB) suggest Windows. This is only indicative: Windows now ships OpenSSH, and Linux hosts can run Samba.
④ Use the Nmap tool

2: Collect server middleware version information
① Trigger an error page and read the error message. Reason: default error pages of many middleware products (Apache, Tomcat, IIS and others) print the product name and version, even on sites that have suppressed it elsewhere.
② Grab the site response packet and check the server field information.

3: Fingerprint recognition
A site fingerprint can be understood by analogy with a human fingerprint: everyone's is unique, it is recorded when an ID card is issued, and afterwards it quickly matches a person to their record. WEB applications likewise have fingerprints, chiefly: files specific to a product, MD5 hashes of particular static files (the favicon is a common one), file naming conventions, keywords in response headers (Server, X-Powered-By, session cookie names), and keywords in page content.
①Yunsee: http://www.yunsee.cn/finger.html
②Weibu Online: https://x.threatbook.cn/
③Tools: Webfinger, whatweb, cmseek, etc.
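The server-information and fingerprinting steps above (TTL from ping, the Server and X-Powered-By headers, session cookie names, page keywords, favicon MD5) can be mechanised. The following added example (mine, not from the article or from any of the tools it lists) parses a constructed raw HTTP response, pulls the version-bearing headers, matches cookie names and body keywords against a small signature table, hashes a favicon, and maps an observed TTL to the nearest default. The sample response, the signature table and the favicon bytes are constructed; a real fingerprinting tool ships far larger signature sets.

```python
"""Header, cookie, body keyword, favicon and TTL fingerprinting (added example, constructed data)."""
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed raw response standing in for a captured packet.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><link rel='stylesheet' href='/wp-content/themes/x/style.css'>"
    "</head><body>hello</body></html>"
)

# Session cookie names that identify the server-side platform.
COOKIE_SIGNATURES: Dict[str, str] = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
}

# Body keywords that identify common applications (assumption: extend as needed).
BODY_SIGNATURES: Dict[str, str] = {
    r"/wp-content/": "WordPress",
    r"Powered by Discuz!": "Discuz!",
    r"/sites/default/files/": "Drupal",
}


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into (status line, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def fingerprint(raw: str) -> Dict[str, object]:
    """Extract middleware/runtime versions and matched technologies from one response."""
    _, headers, body = parse_response(raw)
    technologies: Set[str] = set()
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name in COOKIE_SIGNATURES:
            technologies.add(COOKIE_SIGNATURES[cookie_name])
    for pattern, tech in BODY_SIGNATURES.items():
        if re.search(pattern, body):
            technologies.add(tech)
    return {
        "server": headers.get("server", [None])[0],          # middleware and version
        "powered_by": headers.get("x-powered-by", [None])[0],  # runtime and version
        "technologies": technologies,
    }


def favicon_md5(data: bytes) -> str:
    """MD5 of the favicon bytes, the key used by favicon-hash fingerprint databases."""
    return hashlib.md5(data).hexdigest()


def guess_os_from_ttl(observed_ttl: int) -> Optional[str]:
    """Round the observed TTL up to the nearest common initial value (64/128/255)."""
    defaults = (
        (64, "Linux/Unix (initial TTL 64)"),
        (128, "Windows (initial TTL 128)"),
        (255, "network device or some UNIX (initial TTL 255)"),
    )
    for initial, label in defaults:
        if 0 <= observed_ttl <= initial:
            return label
    return None


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
    print(guess_os_from_ttl(52), guess_os_from_ttl(117))
    print(favicon_md5(b"constructed-favicon-bytes"))
```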

4: Sensitive information collection
(1) Site vulnerability information collection
Scan the site with a vulnerability scanner, or look up its historical vulnerabilities in a vulnerability database (by product and version identified during fingerprinting).
(2) Site directory scanning
Directory scanning reveals which directories and pages exist on the target and thus the overall structure of the site. It can also turn up sensitive material: hidden directories and APIs, exposed code repositories (.git, .svn), backup files (.zip, .bak, .sql), admin back ends, database files, and so on.
(3) Site JS code information collection
JavaScript source files may contain a great deal of sensitive information: API endpoints and parameter names, business logic that exposes authorisation flaws, hard-coded credentials and tokens, and so on.
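Reading JavaScript bundles by hand does not scale, so the usual approach is a regex sweep for endpoints and secret-shaped strings. The following added example (mine, not from the article) runs a small pattern set over a constructed JavaScript sample and reports API paths, absolute URLs, AWS-style access key IDs, JWT-shaped tokens and hard-coded passwords. The sample source is constructed (the AWS key ID is Amazon's published documentation example, not a live key), and the pattern set is a starting point that a real engagement would extend.

```python
"""Regex sweep of JavaScript for endpoints and secrets (added example, constructed data)."""
import re
from typing import Dict, List, Pattern

# Constructed JavaScript standing in for a downloaded bundle.
SAMPLE_JS = r"""
const API_BASE = "https://api.example.com/v2";
fetch(API_BASE + "/orders");
axios.get('/api/v1/users?page=1');
axios.post('/admin/export', { format: 'csv' });
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl";
const dbConfig = { host: "db.internal", password: "SuperSecret123" };
"""

PATTERNS: Dict[str, Pattern[str]] = {
    # Quoted relative paths under common API/admin prefixes.
    "url_path": re.compile(r"""["'](/(?:api|v\d|admin|internal)[A-Za-z0-9_\-/.?=&]*)["']"""),
    # Quoted absolute http(s) URLs.
    "absolute_url": re.compile(r"""["'](https?://[^"'\s]+)["']"""),
    # AWS access key ID shape: AKIA followed by 16 upper-case alphanumerics.
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # JWT shape: three base64url segments, header starting with {"alg" -> eyJ.
    "jwt": re.compile(r"\b(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)\b"),
    # password/passwd/pwd assigned a quoted literal.
    "hardcoded_password": re.compile(
        r"""(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*["']([^"']{4,})["']"""
    ),
}


def scan_js(source: str) -> Dict[str, List[str]]:
    """Return {pattern_name: sorted unique matches} for every pattern that hit."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        found = sorted(set(pattern.findall(source)))
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    for name, matches in scan_js(SAMPLE_JS).items():
        print(name)
        for match in matches:
            print("   ", match)
```

Treat every hit as a lead, not a finding: a key ID or token is only a vulnerability once it has been confirmed valid against the service it belongs to, and endpoints found this way still need to be requested to see whether they enforce authentication.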

Origin blog.csdn.net/weixin_49769267/article/details/131621045