Eight Steps to a Cyber Security Penetration Test

1. Clear goals

1. Determine the scope: what is being tested (IP addresses, website domain names, internal and external networks) and which test accounts are provided.

2. Determine the standards: how deep the test may go, how long it may take, whether data may be modified or content submitted, whether vulnerabilities may actually be exploited, etc.

3. Determine the requirements: web application vulnerabilities, business logic vulnerabilities, personnel management and privilege management weaknesses, etc.
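One way to make the agreed scope from step 1 enforceable before any testing starts, as an added example that is not part of the original post: candidate targets (IPs, hostnames or URLs) are checked against the agreed address ranges, domains and exclusions. The scope document and all addresses and names below are constructed for illustration.

```python
"""Check candidate targets against the scope agreed with the customer.
Scope values, hosts and domains here are constructed, not real targets."""
import ipaddress
from urllib.parse import urlsplit

# Constructed scope agreement: in-scope ranges, domains, explicit exclusions
# and the test accounts the customer handed over.
SCOPE = {
    "networks": ["203.0.113.0/24", "10.10.0.0/16"],   # external + internal ranges
    "domains": ["example.com"],                       # subdomains are in scope too
    "excluded_hosts": ["203.0.113.5"],                # explicitly out of scope
    "test_accounts": ["pentest_user"],
}


def _domain_in_scope(host: str, domains) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def in_scope(target: str, scope=SCOPE) -> bool:
    """True only if target (IP, hostname or URL) lies inside the agreed scope."""
    # urlsplit only extracts a host when a scheme or '//' prefix is present.
    parsed = urlsplit(target if "://" in target else "//" + target)
    host = parsed.hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: match by domain suffix.
        return _domain_in_scope(host, scope["domains"])
    if str(addr) in scope["excluded_hosts"]:
        return False
    return any(addr in ipaddress.ip_network(n) for n in scope["networks"])


def partition_targets(targets, scope=SCOPE):
    """Split a candidate list into (allowed, rejected) so nothing out of scope is touched."""
    allowed = [t for t in targets if in_scope(t, scope)]
    rejected = [t for t in targets if not in_scope(t, scope)]
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["203.0.113.10", "203.0.113.5", "https://admin.example.com/login",
                  "10.10.4.20", "examplecorp.com", "198.51.100.7"]
    ok, bad = partition_targets(candidates)
    print("in scope:", ok)
    print("out of scope:", bad)
```

Note that a look-alike domain such as examplecorp.com is rejected even though it starts with the in-scope name, which is exactly the kind of mistake a suffix check prevents.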

2. Information collection

1. Methods: active scanning, open-source search, etc.

2. Open-source search: use a search engine such as Baidu to find admin back-ends, pages reachable without authorization, sensitive URLs, etc.

3. Basic information: IP addresses, subnets, website domain names, port numbers.

4. Application information: the application behind each port, such as web applications, e-mail applications, and so on.

5. System information: OS version.

6. Version information: the versions of everything detected.

7. Service information: details of message middleware and other software in use.

8. Personnel information: the domain name registrant, the IDs of people who have posted in the web application, the administrator's name, etc.

9. Security protection information: try to detect whether protective devices are present.

3. Vulnerability detection

1. System vulnerabilities: system software that has not been patched in time.

2. Web server vulnerabilities: web server configuration problems.

3. Web application vulnerabilities: defects in web application development and design.

4. Other port service vulnerabilities: e.g. 21 / 8080 (Struts2) / 7001 / 22 / 3389.

5. Communication security: clear-text transmission, tokens transmitted in cookies, etc.
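A small check for the communication security item above, as an added example that is not part of the original post: given a captured request URL and the server's Set-Cookie headers, it flags clear-text transport, tokens carried in the URL, and session cookies missing the Secure, HttpOnly or SameSite attributes. The capture below is constructed; the cookie names treated as session tokens are an assumption.

```python
"""Flag clear-text transport and weak session-cookie attributes in a capture.
The URL and headers used below are constructed sample data."""
from urllib.parse import urlsplit, parse_qs

# Assumed names that identify a session/auth token; extend per application.
SESSION_NAMES = ("sessionid", "jsessionid", "phpsessid", "token", "auth")


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, {attribute: value}); attribute keys lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_transport(url: str, set_cookie_headers):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    parsed = urlsplit(url)
    if parsed.scheme == "http":
        findings.append("clear-text HTTP: credentials and cookies cross the wire unencrypted")
    # Tokens in the query string end up in server, proxy and browser history logs.
    for key in parse_qs(parsed.query):
        if key.lower() in SESSION_NAMES:
            findings.append(f"token passed in URL query parameter '{key}'")
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_NAMES:
            continue  # only session-bearing cookies matter here
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure: may be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks HttpOnly: readable by page scripts")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie '{name}' has no SameSite=Lax/Strict: CSRF exposure")
    return findings


if __name__ == "__main__":
    sample_url = "http://shop.example.test/account?token=abc123"
    sample_headers = ["sessionid=9f2c; Path=/; HttpOnly", "theme=dark; Path=/"]
    for finding in check_transport(sample_url, sample_headers):
        print("-", finding)
```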

4. Vulnerability verification

1. Automated verification: consolidate the results reported by automated vulnerability scanning tools.

2. Manual verification, and verification against published data.

3. Experimental verification: build your own simulation environment to verify the finding.

4. Login guessing: sometimes you can try to guess account passwords and related information for login interfaces.

5. Business vulnerability verification: if a business logic vulnerability is found, it must be verified.

5. Information analysis

1. Refinement: prepare the exploits for the system vulnerabilities detected in the previous step;

2. Bypassing defences: whether network firewalls and similar devices are present, and how to bypass them;

3. Customized attack path: the best path, based on what access is missing, the high-privilege parts of the internal network, and the ultimate goal;

4. Bypassing detection systems: whether there is a detection system, traffic monitoring, host anti-virus software, malicious program inspection, etc.;

5. Attack code: code obtained through experiments, including but not limited to XSS payloads, SQL injection statements, etc.;

6. Obtaining what is needed

1. Obtain internal information: infrastructure (database connections, VPN, routers, topology, etc.);

2. Further penetration: intranet intrusion, sensitive targets;

3. Persistence: generally not required in a customer engagement. Rootkits, backdoors, added accounts, persistence techniques, etc.;

4. Clearing traces: clearing relevant logs (browsing, operations), uploaded files, etc.;

7. Information collation

1. Penetration tools: sort out the code, PoCs, exploits, etc. used during the penetration;

2. Collected information: sort out all the information gathered during the penetration;

3. Vulnerability information: sort out the system vulnerabilities and sensitive location information found during the penetration.

8. Writing the report

1. Organize by requirement: organize the data according to the scope and conditions confirmed with the customer in step 1, and assemble the material into a report;

2. Fill in the details: analyze the cause of each vulnerability, the verification process, and the damage it could cause;

3. Remediation proposals: clearly propose an effective and efficient security fix for each problem found.

Origin blog.csdn.net/Arvin_FH/article/details/132453983