Article directory
- Information gathering
- Domain name and IP
- OSINT
- CDN
- CDN bypass
- Search engine syntax
- WHOIS
- Port opening status
- Three deployment modes for websites
- Website architecture / server fingerprint / CMS identification
- Collection of registered information assets
- Websites on the same IP
- Subdomains
- Websites with the same architecture or source code
- C-segment collection
- Web cache
- Social media
- Registered websites
- Default passwords
- Registration (disposable email)
- Historical DNS resolution records
- Directory brute-forcing
Information gathering
IP addresses are easier to penetration-test than domain names.
Domain name and IP
Get IP by domain name
ping testfire.net
OSINT
OSINT (open source intelligence) is the process of collecting public data from the media, the Internet and official channels and organising it into systematic intelligence.
There are two collection methods, active and passive. Passive collection uses third-party platforms such as Shodan, FOFA and Censys; its advantages are low query cost and relatively stealthy behaviour. Active scanning interacts with the target directly, which carries some risk of being noticed, but yields newer and more varied data.
CDN
CDN (Content Delivery Network) is a distributed network system designed to provide efficient and reliable content transmission and distribution services by caching content to multiple servers located around the world.
A CDN works by replicating a website, application, or other online content to server nodes located in various geographical locations. These server nodes are called edge nodes, and they are located at the edge of the network, close to the user's geographical location. When a user requests a piece of content, the CDN automatically selects the nearest edge node to serve it, based on the user's geographical location, to reduce latency and increase loading speed.
The role of CDN
1. Improve user access rate and optimize user experience.
2. Hide the IP of the real server.
3. Defence. Requests are first filtered by the CDN node, which can detect and block attacks such as SQL injection, XSS, webshell upload and command injection, as well as other malicious requests. The CDN node forwards only the traffic it considers harmless to the real origin server.
How to detect whether a CDN exists
Ping from multiple locations and check whether more than one IP comes back:
nslookup www.baidu.com
CDN bypass
https://tools.ipip.net/cdn.php
Ping from multiple locations
If the IPs returned from different locations differ, a CDN is in use.
Webmaster tools:
- https://ping.chinaz.com/
- https://www.itdog.cn/ping/
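The multi-location check above, written out as an added example (not from the original notes): given the answers several resolvers returned for one name, decide whether the pattern suggests a CDN. The lookup data and the list of CDN CNAME suffixes are constructed/assumed for illustration.

```python
"""Decide whether a host is probably behind a CDN from multi-vantage DNS answers.

Added example, not from the original notes. It applies the notes' rule (resolve
the same name from several places and compare) plus a second signal, because a
CDN that uses anycast returns the same IP everywhere and would otherwise be missed:
  1. the A records differ between vantage points (geo-steered edge nodes);
  2. a CNAME in the chain belongs to a known CDN provider.
The lookups below are constructed, not real; feed it your own nslookup results.
"""

# Assumption: short illustrative list of CDN provider CNAME suffixes, not exhaustive.
CDN_CNAME_SUFFIXES = (".cloudfront.net", ".akamaiedge.net", ".edgesuite.net",
                      ".cdn.cloudflare.net", ".fastly.net")


def looks_like_cdn(answers, cname_chain=(), min_distinct=3):
    """answers: {vantage: [ip, ...]} -> (verdict, reasons)."""
    reasons = []
    for name in cname_chain:
        if name.lower().rstrip(".").endswith(CDN_CNAME_SUFFIXES):
            reasons.append(f"CNAME {name} points at a known CDN provider")
    answer_sets = {frozenset(ips) for ips in answers.values()}
    if len(answers) > 1 and len(answer_sets) > 1:
        reasons.append("A records differ between vantage points")
    distinct = {ip for ips in answers.values() for ip in ips}
    if len(distinct) >= min_distinct:
        # Plain DNS round-robin rarely spreads over this many addresses.
        reasons.append(f"{len(distinct)} distinct IPs across {len(answers)} vantage points")
    return bool(reasons), reasons


# Constructed sample lookups (RFC 5737 documentation ranges, not real hosts).
SAMPLE_CDN = {"beijing": ["203.0.113.10", "203.0.113.11"],
              "frankfurt": ["198.51.100.20"],
              "virginia": ["198.51.100.21", "198.51.100.22"]}
SAMPLE_SINGLE_ORIGIN = {"beijing": ["192.0.2.5"], "frankfurt": ["192.0.2.5"],
                        "virginia": ["192.0.2.5"]}

if __name__ == "__main__":
    for label, data in (("cdn-like", SAMPLE_CDN), ("single origin", SAMPLE_SINGLE_ORIGIN)):
        verdict, why = looks_like_cdn(data)
        print(label, "->", verdict, why)
    # Same IP everywhere, but the CNAME gives the CDN away (anycast case).
    print(looks_like_cdn(SAMPLE_SINGLE_ORIGIN, cname_chain=["www.example.com.cdn.cloudflare.net."]))
```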
Mail server
Email test: mail systems are usually internal and are not resolved through the CDN. Trigger an email from the target (user registration, RSS subscription, etc.), look in the mail headers for the mail server's domain name and IP, and ping that domain to obtain the target's real IP. This only works if it is the target's own mail server; third-party or public mail servers are useless. In general, obtaining the mail server's IP is equivalent to obtaining the target server's IP.
In many cases the mail server and the web server run on the same host.
Foxmail client (Foxmail for Windows)
Subdomains
Why collect subdomains? The first asset we get is usually a main website, which is too narrow a scope and rarely yields vulnerabilities. Many subdomains belong to the same vendor, and subdomains generally have weaker security precautions, so collecting subdomains expands the breadth of the hunt.
The main website usually sits behind a CDN, while subdomains often do not, so the real IP can be found through a subdomain that is:
- on the same server as the main domain, or
- in the same network segment as the main domain.
Subdomain brute-forcing; then look up each subdomain's IP address.
Subdomain lookup site:
https://site.ip138.com/
Real IP search
Domain name to IP lookup:
- https://get-site-ip.com/
- http://crimeflare.org:82/cfs.html
Historical DNS: the IP a domain resolved to before the CDN was put in front of it remains in DNS history databases, unless the server has since changed. The domain-to-IP mapping is also kept in the DNS cache on the local computer.
Requests from a foreign address
Many companies do not deploy a CDN abroad, so requesting the site from a foreign address can easily reveal the real address.
Find old domain names
The website has moved to a new domain name, but the old domain name's resolution record has not been removed.
Find associated domain names
- .com
- .cn
- .org
Information leakage / configuration files
- phpinfo.php executed on the origin server.
Web page source code
- The code may contain a link address.
Front-end code
- The code may contain a link address.
Shodan / FOFA / ZoomEye
Website vulnerabilities
- SSRF
- Command execution
- SQL injection
DNS records, certificates
- The certificate shown next to the https URL can reveal related subdomains.
- https://crt.sh/
- Censys: query SSL certificates to find the real IP
https://search.censys.io/
Censys is an Internet search engine and security analysis platform that helps users discover and understand devices, services and vulnerabilities on the Internet. It actively scans and collects Internet data worldwide and makes it available for search and analysis.
Domain name history
m.baidu.com: the m. prefix marks the mobile site, which is a different domain name from the main site.
Search engine syntax
Google hacking: finds special pages
site: # restrict the search to one site, e.g. site:baidu.com "admin" finds pages on baidu.com that contain the keyword "admin".
inurl: # require the keyword in part of the URL, e.g. inurl:php?id= finds pages whose URL contains php?id=.
intitle: # require the keyword in the page title, e.g. intitle:index of / locates directory index pages.
filetype: # restrict the search to a file type, e.g. filetype:pdf site:example.com finds PDF files on example.com.
cache: # view Google's cached snapshot of a page, e.g. cache:example.com shows Google's snapshot of example.com.
site
- Find subdomains, for example: site:baidu.com
- Restrict by location: site:.tw site:.jp
More info:
- https://ght.se7ensec.cn/#
- https://github.com/KOrz3n/GoogleHacking-Page
WHOIS
Domain name Whois query: Webmaster's Home (chinaz.com)
The Whois information of a domain name provides the following:
- Basic information such as the domain's owner, registrar, registration date and expiration date.
- The registration history of a domain, which helps in judging its credibility and reputation.
- Whether a domain is in use, how it is used, and whether it is involved in abuse, fraud, etc.
You can also look up your own domain's whois information and check in good time whether it is about to expire, to avoid the consequences of an expired domain.
https://viewdns.info/
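The "check whether your domain is about to expire" advice above, as an added example that is not part of the original notes: a small parser that pulls the expiry date out of raw WHOIS text and classifies how close it is. The field names and date formats it tries are assumptions drawn from common registry output, and the WHOIS record is constructed.

```python
"""Flag domains whose WHOIS expiry date is near. Added example, not part of the
original notes; it implements the "check whether your domain is about to expire"
advice above. WHOIS output is not standardised (field names and date formats
differ by registry), so several common spellings are tried. The record below is
constructed, not real."""
import re
from datetime import datetime, timezone

# Assumed field names from common registry/registrar output; not exhaustive.
EXPIRY_FIELDS = ("Registry Expiry Date", "Registrar Registration Expiration Date",
                 "Expiration Date", "Expiry Date", "paid-till")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")

def parse_expiry(whois_text):
    """Return the expiry as an aware UTC datetime, or None if no field parses."""
    for field in EXPIRY_FIELDS:
        m = re.search(rf"^\s*{re.escape(field)}\s*:\s*(\S+)", whois_text, re.I | re.M)
        if not m:
            continue
        for fmt in DATE_FORMATS:
            try:
                dt = datetime.strptime(m.group(1), fmt)
            except ValueError:
                continue
            return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)
    return None

def days_until_expiry(whois_text, now):
    """Whole days left (negative once expired); None if no expiry field was found."""
    expiry = parse_expiry(whois_text)
    return None if expiry is None else (expiry - now).days

def expiry_status(whois_text, now, warn_days=30):
    """'ok', 'warning' (within warn_days), 'expired' or 'unknown'."""
    days = days_until_expiry(whois_text, now)
    if days is None:
        return "unknown"
    if days < 0:
        return "expired"
    return "warning" if days <= warn_days else "ok"

# Constructed sample record (example.com is a reserved name; the dates are made up).
SAMPLE_WHOIS = """Domain Name: EXAMPLE.COM
Creation Date: 2015-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
"""
REFERENCE_NOW = datetime(2025, 7, 20, tzinfo=timezone.utc)  # fixed "today" for reproducible output

if __name__ == "__main__":
    print(days_until_expiry(SAMPLE_WHOIS, REFERENCE_NOW), expiry_status(SAMPLE_WHOIS, REFERENCE_NOW))
```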
Port opening status
Nmap
Nmap is a network port scanner used to find open ports on Internet hosts, determine which services run on which ports, and infer which operating system the host is running.
-sS: # TCP SYN (half-open) scan. The most common mode: sends a TCP SYN packet and judges from the reply whether the port is open.
-sT: # TCP connect scan. Also TCP-based, but completes a full TCP connection to decide whether the port is open.
-sU: # UDP scan. UDP is connectionless, so no connection can be established as with TCP; UDP packets are sent and the port state is judged from the responses.
-O: # operating system detection. Fingerprints the target host with different probes to determine its operating system.
-p: # port range to scan. Accepts a range, a single port or several discrete ports.
-A: # enables the advanced options "OS fingerprinting", "version detection" and "script scanning".
-sV: # service version detection. Identifies the specific services running on the target and their version numbers.
-T: # timing template. Levels 0 to 5 suit different environments; the higher the level, the faster the scan, but the more likely it is to be blocked by a firewall.
Three deployment modes for websites
Main domain name and subdomains
a.com, 1.a.com: different domain names serve different websites
Directory
a.com/admin/: different directories serve different websites
Port
a.com:8080: the domain name plus a different port number serves a different page
Website architecture / server fingerprint / CMS identification
Web page source code
Request headers and response headers
Bottom, top, upper-left and upper-right corners of the website
Website error messages
Domain name install
CMS vulnerabilities
CMS website templates
- https://github.com/s7ckTeam/Glass
- https://github.com/EdgeSecurityTeam/EHole
Pin down the version and check it against known vulnerabilities
Mining unknown CMS vulnerabilities
Showing the technologies used by a website:
- Firefox plugin Wappalyzer
- https://whatcms.org/
- https://builtwith.com/
Collection of registered information assets
- Webmaster's Home: https://icp.chinaz.com
- Tianyancha: https://www.tianyancha.com/
- Qichacha
- Aiqicha
- ICP registration inquiry website: http://www.beianbeian.com/
- Aizhan registration inquiry: https://icp.aizhan.com/
- Domain name assistant registration information query: http://cha.fute.com/index
Websites on the same IP
IP reverse lookup
During a penetration test it may turn out that several websites are bound to the same IP. If the asset list provided by the customer is that IP, all of the domain names on it are within the scope of the test.
If the asset given by the customer is a domain name, other websites hosted on the IP that domain resolves to are not within the scope of the test.
Subdomains
gobuster
FOFA: the FOFA cyberspace mapping system
The certificate shown next to the https URL can reveal related subdomains.
Websites with the same architecture or source code
If Company A's website is hard to break into, but it turns out that Company A's website was built by Company B, whose business is writing website templates for other companies, then we can approach from Company B's side: find Company B's template and audit it.
C-segment collection
Side site: another website on the same server as the target website.
Side-site attack (旁注): by compromising a side site with poor security, one can later obtain permissions on the target server through cross-directory privilege escalation and other means.
Tools: K8_C segment annotation tool, WebRobot, Yujian, Mingxiaozi, ...
C segment: an IP address has four segments A.B.C.D; the C segment is the set of servers whose D segment ranges over 1-255, and tools are then used to sniff and capture their services. For example, all devices in 192.168.3.0-255 are in the same C segment.
C-segment intrusion: if the target IP is 192.168.1.128, any machine in 192.168.1.* can be compromised and then used with hacking tools to sniff the various information transmitted on the network.
Tools: Cain, Sniffit, Snoop, Tcpdump, Dsniff, ...
http://www.cz88.net/
WebFinder
WebFinder is a tool or service used to find websites, domain names, and related information on the Internet. It provides a simple interface that allows users to enter keywords, domain names, or other query criteria to quickly search and discover related websites.
Through WebFinder, you can do the following:
- Domain name search: Enter a domain name, and WebFinder will return information related to the domain name, including DNS records, IP addresses, WHOIS information, etc. This is very helpful for understanding the basic situation of a website.
- Keyword search: Enter a keyword or phrase, and WebFinder will search the Internet for websites related to that keyword. It helps you discover websites related to a specific topic or area for further research and information gathering.
- Website classification: WebFinder can organize and display websites according to different categories. You can select specific website categories such as News, Business, Technology, Arts, etc. to find the types of websites that interest you.
- Similar website recommendations: When you visit a specific website, WebFinder can recommend other websites that are similar or related to that website. This can help you expand your browsing scope and discover more similar resources and content.
Web cache
http://www.cachedpages.com/
Social media
QQ, Weibo, Alipay, Maimai, Xianyu, short-video apps, Renren, Tieba, forums
Foreign sites: Twitter, Instagram, Facebook, etc.
Registered websites
https://www.reg007.com/
Default passwords
https://default-password.info/
http://routerpasswords.com
Registration (disposable email)
http://24mail.chacuo.net/enus
Historical DNS resolution records
- https://x.threatbook.cn/ ThreatBook (Weibu Online)
- https://tools.ipip.net/cdn.php
- https://dnsdb.io/zh-cn/
Directory brute-forcing
The customer's consent must be obtained first, because it affects the business.
dirsearch -u <target url>
dirsearch -e php,html,js -u url
dirsearch -e php,html,js -u url -w <wordlist file>
dirsearch -e php,html,js -u url -r # recursive scan
dirsearch -e php,html,js -u url -r -R 3 # set the maximum recursion depth
dirsearch -e php,html,js,bak,zip,tgz,txt -u url -t 30 # set the thread count
dirsearch -e asp,aspx,htm,js -u url -X php,jsp,jspx # exclude extensions
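The defender's counterpart of the scans above, as an added example that is not from the original notes: a wordlist scan like the ones listed shows up in the web server's access log as one client requesting many distinct paths that mostly return 404 within a short window, and this detector finds such clients. The log lines, IPs and thresholds are constructed/assumed.

```python
"""Detect directory brute-forcing in web server access logs.

Added example, not from the original notes: the defender's counterpart of the
dirsearch commands above. The log lines below are constructed samples in the
common "combined" format; thresholds are assumptions to tune per site."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """(ip, timestamp, path, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_bruteforcers(lines, window_s=60, min_requests=20, min_404_ratio=0.8):
    """{ip: (requests, distinct_paths, n404)} for clients that, within any
    window_s-second span, hit >= min_requests distinct paths, mostly answered 404."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec[0]].append(rec[1:])          # (ts, path, status)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):            # sliding window over time
            while (recs[end][0] - recs[start][0]).total_seconds() > window_s:
                start += 1
            span = recs[start:end + 1]
            paths = {p for _, p, _ in span}
            n404 = sum(1 for *_, s in span if s == 404)
            if len(paths) >= min_requests and n404 / len(span) >= min_404_ratio:
                flagged[ip] = (len(span), len(paths), n404)
                break
    return flagged

# Constructed sample: a scanner at 198.51.100.7 and a normal visitor at 192.0.2.9.
SAMPLE_LOG = [f'198.51.100.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /probe{i}.php HTTP/1.1" 404 153 "-" "-"'
              for i in range(25)]
SAMPLE_LOG += [f'192.0.2.9 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /{p} HTTP/1.1" 200 5120 "-" "-"'
               for i, p in enumerate(["index.html", "about.html", "contact.html"])]

if __name__ == "__main__":
    print(find_bruteforcers(SAMPLE_LOG))   # {'198.51.100.7': (20, 20, 20)}
```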