Preface
In this vast world, there is always a goal that makes your heart beat. When you accidentally meet a mature and steady handsome guy, needless to say, the deer in your heart will definitely start to bump around, and the iceberg that has been frozen for a long time will start to melt.
If you want to catch your little brother, you need to do it step by step. First of all, you need to collect information. You need to know his personal information, such as his name, contact information, preferences, where he works, what industry he is in, or his home address, etc.
Collect domain name information
Usually when we want to know the name of this sweetheart, we have to find a way to get his business card, which usually introduces his name, occupation, unit, and unit address.
Here, perform a whois query on the target to check whether the domain name is registered, the registrar, and DNS. It's like looking at the other person's business card. Here are several ways to get each other’s business cards.
whois query
1. Domain name whois query-Webmaster Home
Domain name Whois query - Webmaster's Home
2. IP138 website
3. Domain name information query-Tencent Cloud
Domain name information query-Tencent Cloud
4、ICANN LOOKUP
Filing information query
1. SEO comprehensive query
Webmaster SEO comprehensive query tool-AiZhan.com
2. ICP filing query-webmaster tools
ICP Filing Inquiry - Webmaster Tools
IP reverse check site
1、Dnslytics
Using Dnslytics to reversely check the IP, you can get the following information:
IP information
Network information
Hosting information
SPAM database lookup
Open TCP/UDP ports
Blocklist lookup
Whois information
Geo information
Country information
Update information
Using Dnslytics to reversely check the domain name, you can get the following information
Domain and Ranking Information
Hosting Information{
A / AAAA Record
NS Record
MX Record
SPF Record
}
Web Information
Whois Information
Related application information
1. Sky Eye Check
2. Qimai data
Find real IP
CDN (content distribution network) is used on some large websites, which can make content transmission faster and more stable. , the CDN system can redirect the user's request to the service node closest to the user in real time based on comprehensive information such as network traffic and the connection and load status of each node, as well as the distance to the user and response time. Generally, CDN hides the real IP of the target server, which also improves security.
Just like when you ask someone for his name, and he tells you a fake name or nickname, it seems that he is not very interested in you. At this time, you don’t even know the real name of your sweetheart, so how can you proceed to the next step? Isn’t that cool? It's cold. Here is how to identify whether the name given to you is real or fake, and how to get the real name if a fake name is given.
How to tell whether to use a CDN
1. Ping the target main domain
Determine whether to use CDN by pinging the target main domain and observing the domain name resolution.
Found that CDN was used.
2、Nslookup
If the resolution results of different DNS are different, it is likely that there is a CDN service.
3. Ping detection platform
Ping Test-Webmaster Tools
Address: Ping servers from multiple locations, website speed test-Webmaster Tools
Common ways to bypass CDN
1. Ping the main domain
Some websites only allow the www domain name to use CDN, and you can remove www under ping.
2. DNS history search
The CDN may have been online for a while after the website was online. You can find the real IP by looking for domain name resolution records. The following introduces several platforms
https://sitereport.netcraft.com/
Global CDN service provider query_Professional and accurate IP library service provider_IPIP
3. Query subdomain name method
Generally, the main site joins the CDN. Many subdomain sites do not join the CDN. They can be obtained through subdomain names. There is a detailed introduction to collecting subdomain names below. Here is an example.
Weibu Online X Intelligence Community-Threat Intelligence Query_Threat Analysis Platform_Open Community
4. Website email header information
For example, in functional scenarios such as email registration, email password retrieval, RSS email subscription, etc., you can send emails to yourself through the website, so that the target can actively expose their real IP, check the email header information, and obtain the real IP of the website.
Note: This must be the target's own mail server, third-party or public mail servers are not useful.
5. Cyberspace Search Engine Law
Through keywords or website domain names, you can find out the included IP. In many cases, what you get is the real IP of the website.
Zhong Kui's Eye: https://www.zoomeye.org
Shodan: https://www.shodan.io
Fofa: https://fofa.so
6. Website vulnerability search
Obtain the real IP through website information leakage such as phpinfo leakage, github information leakage, command execution and other vulnerabilities.
Collect subdomains
We have obtained the address and name before, so let us say our love out loud. If we fail to express our love to our sweetheart, we should not give up. After all, men who are not available are so attractive. If we know his work unit or home address before, we can start with his colleagues or neighbors. This is usually easier to get a man. information to help you understand him more deeply. Maybe you can win over this aloof man with some kind words from your colleagues or neighbors.
Online platform
1、IP138
2. Webmaster Tools
Subdomain name query - Webmaster Tools
3、hackertarget
Find DNS Host Records | Subdomain Finder | HackerTarget.com
4、phpinfo
5、dnsdumpster
DNSdumpster.com - dns recon and research, find and lookup dns records
6、zcjun
7、Censys
https://censys.io/certificates?q=
IP reverse check binding domain name website
1、something
Query websites with the same IP, query websites with the same server - Webmaster Tools
2. Love Station
3、webscan.cc
Asset search engine
Personally commonly used ones include Google and FOFA, but you can also use Shodan and zoomeye.
1. Google Grammar
Common grammar
site :指定搜索域名 例如:site:baidu.com
inurl : 指定url中是否存在某些关键字 例如: inurl:.php?id=
intext : 指定网页中是否存在某些关键字 例如:intext:网站管理
filetype : 指定搜索文件类型 例如:filetype:txt
intitle : 指定网页标题是否存在某些关键字 例如:intitle:后台管理
link : 指定网页链接 例如:link:baidu.com 指定与百度做了外链的站点
info : 指定搜索网页信息 info:baidu.com
2. FOFA syntax
You can click Query Syntax on the home page to view it.
Tool enumeration
Commonly used here are sublist3r, OneForAll, and subDomainsBrute.
1、sublist3r
下载地址:https://github.com/aboul3la/Sublist3r
2、OneForAll
下载地址:https://github.com/shmilylty/OneForAll
After the operation is completed, a csv file will be generated
3、subDomainsBrute
下载地址:https://github.com/lijiejie/subDomainsBrute
Use DNS collection
Common DNS records include the following categories:
A记录 IP地址记录,记录一个域名对应的IP地址
AAAA记录 IPv6地址记录,记录一个域名对应的IPv6地址
CNAME记录 别名记录,记录一个主机的别名
MX记录 电子邮件交换记录,记录一个邮件域名对应的IP地址
NS记录 域名服务器记录 ,记录该域名由哪台域名服务器解析
PTR记录 反向记录,也即从IP地址到域名的一条记录
TXT记录 记录域名的相关文本信息
MX记录: 建立电子邮箱服务,将指向邮件服务器地址,需要设置MX记录。建立邮箱时,一般会根据邮箱服务商提供的MX记录填写此记录。
NS record: Domain name resolution server record. If you want to specify a subdomain name server for resolution, you need to set an NS record.
SOA record: SOA is called the starting authority record, NS is used to identify multiple domain name resolution servers, and SOA record is used to determine which one of the many NS records is the main server.
TXT record: Can be filled in arbitrarily or left blank. This item is generally used when making some verification records, such as making SPF (anti-spam) records.
DNS domain transfer vulnerability
1. Principle: DNS servers are divided into: main server, backup server and cache server. To synchronize the database between the primary and secondary servers, you need to use "DNS domain transfer". Domain transfer means that the backup server copies data from the primary server and updates its own database with the obtained data.
If the DNS server is not configured properly, an attacker may obtain all records for a domain. Leaking the entire network topology to potential attackers, including some less secure internal hosts such as test servers. At the same time, hackers can quickly identify all hosts in a specific zone, collect domain information, select attack targets, find unused IP addresses, and bypass network-based access control.
2.
Basic process of DNS domain transfer vulnerability detection
-
nslookup #Enter interactive shell
-
server dns.xx.yy.zz #Set the DNS server to be used for query
-
ls xx.yy.zz #List all domain names in a certain domain
-
exit #Exit
vulnerability detection-no vulnerability exists
Site information collection
Darling, is it easy to flirt with a man now? Next, let’s find out about his hobbies, whether he likes to exercise, go to entertainment venues, or stay at home, where he goes when he goes out to play, what he likes to eat, etc. Be prepared for our next offensive. I don’t believe that we won’t be able to capture my little brother’s heart.
Determine whether the other party is win or Linux
1. TTL value
You can check it through ping, but it may not be very accurate and can be modified. The default Linux is 64 and win is 128
win:
Linux:
2、Nmap
Use command:
nmap -O IP
Port collection
nmap
nmap -sV -p 1-65535 IP # ping目标有回复时
nmap -sV -p 1-65535 -Pn IP # ping目标没有回复时
CMS fingerprint identification
CMS (Content Management System) is used for website content management. By identifying the CMS type, you can check the corresponding vulnerabilities and take down the site.
Nowadays, some online websites query CMS fingerprint recognition, as follows: BugScaner
: http://whatweb.bugscaner.com/look/TideFinger TideFinger TideFinger TideFinger Yunxi: yunsee.cn-2.0 WhatWeb: https ://whatweb.net/Yunsee fingerprint: yunsee.cn-2.0 WhatWeb: https://whatweb.net/
directory scan
1. Yujian scan
2、working
First enter the URL to be scanned in the Target URL input box and set the request method during the scanning process to "Auto Switch (HEAD and GET)".
Set up the thread yourself (too large may cause the system to crash)
and select the scan type. If you use a personal dictionary to scan, select the "List based bruteforce" option.
Click "Browse" to load the dictionary.
Standalone "URL Fuzz", select URL fuzz testing (if you don't select this option, use standard mode) and
enter "/{dir}" in URL to fuzz. {dir} here is a variable used to represent each line in the dictionary. {dir} will be replaced by the directory in the dictionary at runtime.
Click "start" to start scanning
You can also use the one that comes with kali
3、dirscan
Download address: https://github.com/j3ers3/Dirscan
4、dirsearch
Download address: https://github.com/maurosoria/dirsearch
Google Hacking
Its basic syntax is introduced above, and its typical usage is introduced below:
Find the specified backend address
site:xx.com intext:管理 | 后台 | 后台管理 | 登陆 | 登录 | 用户名 | 密码 | 系统 | 账号 | login | system
site:xx.com inurl:login | inurl:admin | inurl:manage | inurl:manager | inurl:admin_login | inurl:system | inurl:backend
site:xx.com intitle:管理 | 后台 | 后台管理 | 登陆 | 登录
Check the file upload vulnerabilities of the specified website
site:xx.com inurl:file
site:xx.com inurl:load
site:xx.com inurl:upload
Inject page
site:xx.com inurl:php?id=
Directory traversal vulnerability
site:xx.com intitle:index.of
SQL error
site:xx.com intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:”Warning: mysql_query()" | intext:”Warning: pg_connect()"
phpinfo()
site:xx.com ext:php intitle:phpinfo "published by the PHP Group"
Configuration file leaked
site:xx.com ext:.xml | .conf | .cnf | .reg | .inf | .rdp | .cfg | .txt | .ora | .ini
Database file leak
site:xx.com ext:.sql | .dbf | .mdb | .db
Log file leak
site:xx.com ext:.log
Backup and historical file leaks
site:xx.com ext:.bkf | .bkp | .old | .backup | .bak | .swp | .rar | .txt | .zip | .7z | .sql | .tar.gz | .tgz | .tar
Public document leaks
site:xx.com filetype:.doc | .docx | .xls | .xlsx | .ppt | .pptx | .odt | .pdf | .rtf | .sxw | .psw | .csv
Email information
site:xx.com intext:@xx.com
site:xx.com 邮件
site:xx.com email
social work information
site:xx.com intitle:账号 | 密码 | 工号 | 学号
Use some of the user's information (Mail, Name, ID, Tel) to query which applications the user has registered for and
which websites you have registered for? Find out with just one search - REG007
Github information leak
Many websites and systems use pop3 and smtp to send emails. Many developers will also put relevant configuration file information on Github due to lack of security awareness. Therefore, if we use Google search syntax at this time, we can put these sensitive The information was found.
site:Github.com smtp
site:Github.com smtp @qq.com
site:Github.com smtp @126.com
site:Github.com smtp @163.com
site:Github.com smtp @sina.com.cn
Database information leakage:
site:Github.com sa password
site:Github.com root password
Summarize
Of course, if you want to win over the little brother, you have to do it step by step. The previous information collection work is very important. From choosing a target at the beginning, to obtaining simple personal information, how to see if the other party is cheating on you, and then if the refusal fails, start with the people around him. It can be said that the collection work plays a crucial role in pursuing success.
It is mainly used for novices to exchange experiences with each other, so that experienced drivers can continue driving.
=================================================================
Note: The technology is only for learning and exchange, and does not spread any malicious intent.
Source of the article: Freebuf-kn, Fr's Han Chapter (Part 1) - Information Collection on Web Penetration - FreeBuf Network Security Industry Portal