Penetration testing information collection

1.5 Fingerprint recognition

Characteristics of fingerprint identification: lifelong immutability, uniqueness, and convenience.

The fingerprints discussed in this section are those of the website CMS, the server operating system, and the web container.

Applications generally leave characteristic strings in their HTML, CSS, and JavaScript. For example, WordPress exposes wp-admin in robots.txt and a generator=WordPress 3.x.x meta tag on the index.php home page. Such features are the fingerprint of the CMS: when the same markers appear on another website, its CMS can be identified quickly, which is why this is called fingerprint recognition.
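The following Python example, added here and not part of the original post, shows how these markers are pulled out of a captured HTTP response and robots.txt so that a site owner can see which CMS, server and language fingerprints the site leaks. The response and robots.txt are constructed samples, and the path-marker table is an assumption that covers only WordPress.

```python
import re

# Constructed sample HTTP response (status line, headers, blank line, body);
# not captured from a real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 3.9.1" />\n'
    '<link rel="stylesheet" href="/wp-content/themes/x/style.css">\n'
    "</head><body></body></html>\n"
)

# Constructed sample robots.txt for the same site.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /wp-admin/\nDisallow: /backup/\n"

# Path markers per CMS (assumption: only WordPress listed here; extend as needed).
CMS_PATH_MARKERS = {"WordPress": ["/wp-content/", "/wp-includes/", "/wp-admin/"]}

def parse_response(raw):
    """Split a raw HTTP response into a lowercase-keyed header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers, body

def fingerprint(raw_response, robots_txt):
    """Collect the fingerprint signals described in the text."""
    headers, body = parse_response(raw_response)
    fp = {"web_server": headers.get("server"), "language": headers.get("x-powered-by"),
          "cms": None, "cms_version": None, "evidence": []}
    # Generator meta tag, e.g. <meta name="generator" content="WordPress 3.9.1" />
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    if m:
        name, _, version = m.group(1).partition(" ")
        fp["cms"], fp["cms_version"] = name, version or None
        fp["evidence"].append("generator meta tag")
    # CMS-specific paths in the HTML or in robots.txt (wp-admin for WordPress)
    for cms, paths in CMS_PATH_MARKERS.items():
        hits = [p for p in paths if p in body or p in robots_txt]
        if hits:
            fp["cms"] = fp["cms"] or cms
            fp["evidence"].extend("path " + p for p in hits)
    return fp
```

Removing the generator tag and the Server / X-Powered-By headers from your own site makes the report come back empty for those fields, which is the point of running it.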

Common fingerprint identification objects

CMS information

Dahan CMS, DedeCMS, Empire CMS, phpcms, ecshop, etc.

Front-end technology

HTML5, jQuery, Bootstrap, Pure, Ace

Web server

Apache, lighttpd, Nginx, IIS, etc. (to be expanded later)

Application server

Tomcat, JBoss, WebLogic, WebSphere, etc.

Development language

PHP, Java, Ruby, Python, C#, etc.

Operating system information

Linux, win2k8, win7, Kali, CentOS, etc.

CDN information

Whether a CDN is used: Cloudflare, 360cdn, 365cyd, Yunjiasu, etc. (to be expanded later)

WAF information

Whether a WAF is used, such as Topscc, Jiasule, Yundun, etc.

IP and domain name information

IP and domain name registration information, service provider information, etc.

Port information

Some tools and platforms also probe the common ports open on the server.

CMS (Content Management System) is also called a whole-site system or article system.

Content management systems are a new favorite in enterprise informatization and e-government, and a relatively new market; the industry does not yet have a unified definition of content management.

We consider a content management system to be a software system that sits between the web front end (the web server) and the back-end office systems or processes (content creation and editing).

CMS scanning tools

BugScaner: http://whatweb.bugscaner.com/look

Yunsee fingerprint: http://www.yunsee.cn/finger.html

WhatWeb: http://whatweb.net/

Common web servers

Apache (Apache HTTP Server) is open source web server software from the Apache Software Foundation. It runs on most operating systems and, thanks to its cross-platform support and security, is widely used and one of the most popular web servers.

Nginx (pronounced "engine x") is a web server that can also reverse proxy HTTP, HTTPS, SMTP, POP3 and IMAP connections, and act as a load balancer and HTTP cache. Nginx is a performance-oriented server; compared with Apache and lighttpd it has the advantages of lower memory use and high

IIS (Internet Information Server) is the web server promoted by Microsoft.

Lighttpd is German-led open source web server software with very low memory overhead, low CPU usage, good performance and rich modules.

Tomcat is a core project of the Apache Software Foundation's Jakarta project, developed jointly by Apache, Sun and a number of companies and individuals. Tomcat is technically advanced, stable and free, so it is popular with Java enthusiasts and recognized by software vendors; it has become a widely used web application server.

1.6 Find the real IP

During a penetration test the target may be known only by a domain name, so determining the real IP of the target server from that domain name is important. If the target does not use a CDN, you can look up its IP and domain name information directly through www.ip138.com. Here we mainly explain how to bypass a CDN and find the target server's real IP in the following situations.

1.6.1. The target server has a CDN

A CDN (content delivery network) mainly solves the problem of slow access and poor performance caused by transmission distance and differing operator nodes.

If the target has purchased a CDN service, you can still ping the target's domain name, but what you get is not the real web server but the CDN node closest to you. This means we cannot directly obtain the target's real IP or its IP range.

1.6.2. Determine whether the target uses CDN

We usually ping the target's main domain and look at how the domain name resolves to judge whether it uses a CDN.

You can also use the online service 17CE ( https://www.17ce.com ) to ping the server from multiple regions across the country and compare the IPs returned from each region. If they are all the same, it is very likely that no CDN is in use. If the IPs differ widely or show a clear regional pattern, look up where those IPs are located to decide whether a CDN is in use.

Method 1. Use the ping command

Ping the domain from multiple locations using various ping services and check whether the returned IP address is unique. If it is not, a CDN is probably in use.

Ping servers from multiple locations, website speed test (Webmaster Tools)

Website speed test tool, Super Ping, multi-location ping detection (AiZhan.com)

Method 2. Use the nslookup command

Test with nslookup. The principle is the same as above: if the domain name resolves to multiple IP addresses, a CDN is probably in use.
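To make the two checks above (ping from several locations, nslookup returning several records) repeatable, here is an added Python example that is not part of the original post. It takes the A-record answers observed from several vantage points (constructed sample data), applies both heuristics, and additionally matches the addresses against a few published Cloudflare prefixes; that prefix list is a snapshot and is assumed to be refreshed from the vendor before use.

```python
import ipaddress

# Constructed A-record answers for one hostname as seen from several resolver
# vantage points (what multi-location ping or nslookup would show); not real lookups.
RESOLVED_BY_REGION = {
    "beijing": {"104.16.10.5", "104.16.11.5"},
    "shanghai": {"104.16.10.5", "104.16.11.5"},
    "frankfurt": {"172.64.100.7"},
}
# A host with one stable address everywhere (constructed, TEST-NET-3 range).
SINGLE_ORIGIN = {r: {"203.0.113.10"} for r in ("beijing", "shanghai", "frankfurt")}

# Snapshot of a few Cloudflare IPv4 prefixes. Assumption: refresh from the
# vendor's published list before relying on it, since the ranges change.
CDN_PREFIXES = {
    "Cloudflare": [ipaddress.ip_network(p) for p in (
        "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
        "162.158.0.0/15", "141.101.64.0/18", "198.41.128.0/17")],
}

def cdn_owner(ip):
    """Return the CDN whose known prefix contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CDN_PREFIXES.items():
        if any(addr in net for net in nets):
            return name
    return None

def assess_cdn(resolved_by_region):
    """Apply the page's two heuristics plus a known-CDN range check."""
    all_ips = set().union(*resolved_by_region.values())
    # Method 1: answers differ between vantage points
    differs_by_region = len({frozenset(v) for v in resolved_by_region.values()}) > 1
    # Method 2: nslookup returns more than one address
    multiple_records = any(len(v) > 1 for v in resolved_by_region.values())
    owners = set()
    for ip in all_ips:
        owner = cdn_owner(ip)
        if owner:
            owners.add(owner)
    return {
        "likely_cdn": differs_by_region or multiple_records or bool(owners),
        "differs_by_region": differs_by_region,
        "multiple_records": multiple_records,
        "known_cdn": sorted(owners),
        "unique_ips": sorted(all_ips),
    }
```

A site owner can run the same assessment against their own domain to confirm that every public answer really lands in the CDN's ranges and no origin address leaks through.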

1.6.3. Bypass CDN to find real IP

Once you have determined that the target uses a CDN, you need to bypass the CDN to find the target's real IP.

Some common methods

Internal mail server. Mail servers are usually internal and not fronted by the CDN. Trigger an email through the target website's user registration or RSS subscription function, find the mail server's domain name or IP in the mail headers, and ping that domain name to obtain the target's real IP.

Leftover test files on the site. Pages such as phpinfo or test files may disclose the real IP.

Sub-domains. A site's home page receives most of the traffic, so the main site is put behind a CDN while sub-sites may not be. Pinging a second-level domain can give the sub-site's IP; even when the sub-site and main site are not on the same IP, they are often in the same class C segment, which narrows down the target host's real IP range.

Access from abroad. Domestic CDNs often accelerate only domestic users, while access from abroad may not go through the CDN, so you may obtain the real IP by using a foreign online ping service such as APP Synthetic Monitor ( https://as,.ca.com/en/ping.png ).

Domain resolution history. The target host may not have used a CDN in the past, so checking the domain's IP history on NETCRAFT ( https://www.netcraft.com ) can roughly reveal the target's real IP segment.

Mobile app traffic. If the target website has its own app, try capturing the app's requests with Fiddler or Burp Suite and look for the target's real IP in them.

Bypass the Cloudflare CDN. Many websites now use Cloudflare's CDN service. After determining that the target uses it, you can first try the online Cloudflare customer-site IP lookup ( http://www.crimeflare.us/cfs.html#box ).

1.7 Collect sensitive directory files

In a penetration test, probing the web directory structure and hidden sensitive files is an essential step; from them you can find the site's back-end management page and file upload page, and sometimes even the website's source code.

Website directory scanning tools

dirb and wwwscan; DirBuster in Kali (written in Java, requires the Java runtime environment JRE); Spinder.py (lightweight, fast, single-file directory and back-end scanner); Sensitivefilescan and Weakfilescan (likewise lightweight single-file scanners)

Dictionaries: DirB URL list, Dirl URL dictionary, Yujian back-end scanner collector's edition

Set the thread count; 20-30 is recommended. Too large a value may crash the system.

Select the scan type; when scanning with your own dictionary, select the "List based brute force" option.

Click "Browse" to select a dictionary: either the one bundled with the tool or your own.

Under Select starting options choose "URL Fuzz" mode. When setting up fuzzing, enter "{dir}" in the URL to fuzz; {dir} is a variable standing for each line of the dictionary.

If the target of your scan is http://wwwxxx.com/admin/, fill in "/admin/{dir}" as the URL to fuzz. Any directory or suffix can be spliced before or after "{dir}"; for example, "/admin/{dir}.php" scans for all PHP files in the admin directory.

Readers can also use the many online tool sites, which give quite good results; one recommendation is WebScan ( http://www.webscan.ce/ ).

Common sensitive files

robots.txt

Stored in the website's root directory, it tells search engines which pages may be crawled and which may not.


Origin blog.csdn.net/m0_64118193/article/details/123538204