Information gathering for web penetration testing, flirting-with-girls edition (Part 1)

Preface

In this vast world there is always someone who makes your heart beat faster. When you happen to meet a beautiful woman who captures your heart, needless to say, the little deer inside starts bumping around and the iceberg that has been frozen for so long begins to melt.
If you want to win the young lady, you have to do it step by step, and the first step is to gather information. You need to know her personal details: her name, contact information, preferences, where she works, what industry she is in, perhaps her home address, and so on.

Collect domain name information

Usually, when we want to learn this sweetheart's name, we try to get hold of her business card, which typically gives her name, occupation, employer and the employer's address.

Here that means running a whois query on the target to check whether the domain name is registered, who the registrar is, and which DNS servers it uses. It is like reading the other person's business card. Below are several ways to get that card.

whois query

1. Domain name whois query (Webmaster Home / chinaz)

http://whois.chinaz.com/

2. IP138

https://site.ip138.com/

3. Domain name information query (Tencent Cloud)

https://whois.cloud.tencent.com/

4. ICANN Lookup

https://lookup.icann.org/

Filing information query

1. SEO comprehensive query (Aizhan)

https://www.aizhan.com/cha/

2. ICP registration query (Webmaster Tools)

http://icp.chinaz.com/

IP reverse check site

1. Dnslytics

A reverse lookup of an IP on Dnslytics yields the following information:

IP information
Network information
Hosting information
SPAM database lookup
Open TCP/UDP ports
Blocklist lookup
Whois information
Geo information
Country information
Update information

A reverse lookup of a domain name on Dnslytics yields the following information:

Domain and ranking information
Hosting information (A/AAAA, NS, MX and SPF records)
Web information
Whois information

https://dnslytics.com/

Related application information

1. Tianyancha

https://www.tianyancha.com/

2. Qimai Data

https://www.qimai.cn/

Find real IP

A CDN (content delivery network) is used by some large websites to make content delivery faster and more stable. Based on network traffic, the connection and load status of each node, the distance to the user and response times, the CDN redirects the user's request in real time to the service node closest to the user. As a side effect, a CDN usually hides the real IP of the origin server, which also improves security.
It is like asking someone her name and being given a fake name or a nickname: it suggests she is not very interested in you. At this point you do not even know your sweetheart's real name, so how can you take the next step? Isn't that hopeless? Below is how to tell whether the name you were given is real or fake, and how to find the real name when it is fake.

How to tell whether to use a CDN

1. Ping the target main domain

Ping the target's main domain and observe what name and address it resolves to; that tells you whether a CDN is in use.
In the screenshot, a CDN was in use.

2. Nslookup

Query the domain against several different DNS servers. If the resolution results differ from server to server, a CDN is very likely in use.

3. Ping detection platform

Ping Detection (Webmaster Tools)
Address: http://ping.chinaz.com/
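The nslookup comparison above, done programmatically, as an added example that is not part of the original post: given the answers several resolvers returned for a name (constructed sample data; the resolver addresses are real public resolvers, the hostnames and answers are made up), it flags a likely CDN when the answers fall in unrelated address blocks or when the CNAME chain ends in a well-known CDN suffix.

```python
from ipaddress import ip_network

# A few well-known CDN CNAME suffixes (not exhaustive; extend as needed).
CDN_CNAME_SUFFIXES = (
    ".cloudfront.net", ".akamaiedge.net", ".edgekey.net",
    ".edgesuite.net", ".fastly.net", ".cdn.cloudflare.net",
)

def cname_hint(cname_chain):
    """True if any name in the CNAME chain ends in a known CDN suffix."""
    return any(name.lower().rstrip(".").endswith(s)
               for name in cname_chain for s in CDN_CNAME_SUFFIXES)

def distinct_blocks(per_resolver):
    """Number of unrelated /24 blocks across all resolvers' A answers."""
    addrs = set().union(*per_resolver.values())
    return len({ip_network(f"{a}/24", strict=False) for a in addrs})

def classify(record):
    """Return (verdict, reason) for one hostname's lookup results."""
    if cname_hint(record["cname"]):
        return "cdn", "CNAME points at a known CDN"
    blocks = distinct_blocks(record["answers"])
    if blocks >= 2:
        return "likely-cdn", f"{blocks} unrelated /24 blocks across resolvers"
    return "direct", "all resolvers agree on one address block"

# Constructed sample data: what three public resolvers returned for three names.
SAMPLE = {
    "www.example.test": {          # a different edge node per resolver
        "cname": ["www.example.test.some-edge.test"],
        "answers": {"8.8.8.8": {"203.0.113.10", "203.0.113.11"},
                    "1.1.1.1": {"198.51.100.7"},
                    "114.114.114.114": {"192.0.2.55"}},
    },
    "cdn.example.test": {          # the CNAME alone gives it away
        "cname": ["dexample123.cloudfront.net."],
        "answers": {"8.8.8.8": {"203.0.113.80"}, "1.1.1.1": {"203.0.113.81"}},
    },
    "mail.example.test": {         # one origin address everywhere
        "cname": [],
        "answers": {"8.8.8.8": {"203.0.113.40"}, "1.1.1.1": {"203.0.113.40"},
                    "114.114.114.114": {"203.0.113.40"}},
    },
}

if __name__ == "__main__":
    for host, rec in SAMPLE.items():
        print(host, *classify(rec))
```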

Common ways to bypass CDN

1. Ping the main domain

Some sites only put the www host behind the CDN, so ping the bare domain without the www prefix.

2. DNS history search

The CDN may have been added only some time after the site went live, so historical domain-resolution records may still show the real IP. Several platforms that keep such records:
https://sitereport.netcraft.com/
https://viewdns.info/
https://tools.ipip.net/cdn.php
3. Query subdomain names

Usually only the main site is behind the CDN, while many subdomain sites are not, so the real IP can be obtained through them. Subdomain collection is covered in detail below; one example platform:
https://x.threatbook.cn/

4. Website email header information

In features such as email registration, password retrieval by email or RSS email subscription, you can have the website send an email to yourself. The target then exposes its real IP in the email headers; inspect the header information to obtain the real IP of the site.
Note: This only works when the mail is sent from the target's own mail server; third-party or public mail services are of no use.
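The header walk described above, as an added example that is not part of the original post: it parses a constructed password-reset mail with the standard library, walks the Received headers from the originating hop outward, skips internal addresses (RFC 1918, loopback, link-local), and reports the first routable address, which is the server that handed the mail to the outside world. Hostnames and addresses are made up; TEST-NET ranges stand in for public addresses.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Address ranges that never identify an Internet-facing host (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                         "127.0.0.0/8", "169.254.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def received_hops(raw_mail):
    """Received headers ordered from the originating hop outward (bottom of the block first)."""
    msg = message_from_string(raw_mail)
    return list(reversed(msg.get_all("Received", [])))

def external_ips(received_header):
    """Routable IPv4 addresses mentioned in one Received header, in order of appearance."""
    found = []
    for cand in IPV4.findall(received_header):
        try:
            if not is_internal(cand):
                found.append(cand)
        except ValueError:  # e.g. 999.1.1.1 matched by the regex but not an address
            continue
    return found

def probable_origin(raw_mail):
    """First routable address walking from the origin outward: the sending server's public IP."""
    for hop in received_hops(raw_mail):
        ips = external_ips(hop)
        if ips:
            return ips[0]
    return None

# Constructed sample: headers of a password-reset mail as it arrives in the tester's inbox.
SAMPLE_MAIL = """\
Received: from mx.provider.test (mx.provider.test [198.51.100.9])
\tby inbox.recipient.test with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.target.test (mail.target.test [203.0.113.25])
\tby mx.provider.test with ESMTPS id def456; Mon, 1 Jan 2024 10:00:01 +0000
Received: from webapp.internal (webapp.internal [10.0.0.5])
\tby mail.target.test (Postfix) with ESMTP id 7890; Mon, 1 Jan 2024 10:00:00 +0000
From: noreply@target.test
To: me@recipient.test
Subject: Password reset

Your reset link is ...
"""
```

The innermost hop only shows the internal web application (10.0.0.5), which is why the walk continues outward to the target's own mail server.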

5. Cyberspace search engines

Searching by keyword or by the site's domain name returns the IPs that have been indexed; in many cases one of them is the site's real IP.

ZoomEye: https://www.zoomeye.org
Shodan: https://www.shodan.io
FOFA: https://fofa.so

6. Website vulnerabilities

Obtain the real IP through information disclosure such as a phpinfo leak, a GitHub leak, a command-execution vulnerability or similar.

Collect subdomains

We now have her address and name, so let's declare our love out loud. If the confession to our sweetheart fails, we should not give up; after all, a woman this hard to get is all the more appealing. Knowing her workplace or home address, we can start with her colleagues or neighbours, who are usually an easier source of information to help us understand her more deeply. Perhaps a few kind words from colleagues or neighbours will win over this aloof woman.

Online platform

1. IP138

https://site.ip138.com/

2. Webmaster Tools

http://tool.chinaz.com/subdomain/?domain=

3. hackertarget

https://hackertarget.com/find-dns-host-records/

4. phpinfo

https://phpinfo.me/domain/

5. dnsdumpster

https://dnsdumpster.com/

6. zcjun

http://z.zcjun.com/

7. Censys

https://censys.io/certificates?q=

Reverse IP lookup (sites bound to the same IP)

1. Same-IP site lookup (Webmaster Tools)

http://s.tool.chinaz.com/same?s=

2. Aizhan

https://dns.aizhan.com/

3. webscan.cc

https://www.webscan.cc/

Asset search engine

Personally I mostly use Google and FOFA, but Shodan and ZoomEye work as well.

1. Google syntax

Common syntax

site: restrict results to a domain, e.g. site:baidu.com
inurl: require certain keywords in the URL, e.g. inurl:.php?id=
intext: require certain keywords in the page body, e.g. intext:网站管理 (site management)
filetype: restrict results to a file type, e.g. filetype:txt
intitle: require certain keywords in the page title, e.g. intitle:后台管理 (backend management)
link: find pages linking to a URL, e.g. link:baidu.com returns sites that link to Baidu
info: show Google's information about a page, e.g. info:baidu.com

2. FOFA syntax

You can click Query Syntax on the home page to view it.

Tool-based enumeration

Commonly used tools are sublist3r, OneForAll and subDomainsBrute.

1. sublist3r

Download address: https://github.com/aboul3la/Sublist3r

2. OneForAll

Download address: https://github.com/shmilylty/OneForAll
After the run completes, a CSV file is generated.

3. subDomainsBrute

Download address: https://github.com/lijiejie/subDomainsBrute

Collecting via DNS

Common DNS record types:

A record      IPv4 address record, maps a domain name to an IPv4 address
AAAA record   IPv6 address record, maps a domain name to an IPv6 address
CNAME record  Alias record, records an alias for a host
MX record     Mail exchange record, records the mail server address for a mail domain
NS record     Name server record, records which name server resolves the domain
PTR record    Reverse record, maps an IP address back to a domain name
TXT record    Arbitrary text information associated with the domain

MX record: to run an email service the domain must point at the mail server, which requires an MX record. When setting up a mailbox, this record is usually filled in with the MX values supplied by the mail provider.

NS record: name server record. To delegate a subdomain to a specific name server, set an NS record.

SOA record: SOA stands for Start of Authority. NS records identify the (possibly several) name servers for a zone, while the SOA record identifies which of those is the primary server.

TXT record: can be filled in arbitrarily or left blank. It is typically used for verification records, such as SPF (anti-spam) records.
DNS zone transfer vulnerability

1. Principle: DNS servers are divided into primary servers, secondary (backup) servers and caching servers. To synchronise the zone database between primary and secondary servers, a "DNS zone transfer" is used: the secondary server copies the zone data from the primary server and updates its own database with it.

If the DNS server is misconfigured, an attacker can request such a transfer and obtain all records of the zone. This leaks the entire network topology, including less secure internal hosts such as test servers. At the same time an attacker can quickly enumerate all hosts in a zone, collect domain information, pick targets, find unused IP addresses and bypass network-based access controls.

2. Basic procedure for detecting a zone transfer vulnerability

  1. nslookup             # enter the interactive shell
  2. server dns.xx.yy.zz  # set the DNS server to query
  3. ls xx.yy.zz          # list all records in the zone
  4. exit                 # leave the shell

Detection result in the screenshot: no vulnerability present (the server refused the transfer).

Site information collection

So, is flirting with girls easy now? Next, let's find out about her hobbies: whether she likes sport, entertainment venues or staying at home, where she goes when she goes out, what she likes to eat, and so on, to prepare our next move. I refuse to believe we can't win the young lady's heart.

Determine whether the target is Windows or Linux

1. TTL value

You can check it via ping, though it is not entirely reliable since the TTL can be changed. The default value is 64 for Linux and 128 for Windows.
Windows:
Linux:
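The TTL rule above, worked through in code as an added example that is not part of the original post: it pulls TTL values out of raw ping output (Linux and Windows formats), maps the observed TTL to the nearest initial value at or above it (64, 128, or 255 for many network devices), and reports the implied hop count, which is why a Linux host typically shows up as something like 52 rather than exactly 64. The ping transcripts are constructed samples.

```python
import re

# Initial TTL values as shipped by common stacks: the post's 64 (Linux) / 128 (Windows)
# rule, plus 255 for many network devices and BSD-derived systems.
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "network device or BSD-derived"}
TTL_RE = re.compile(r"\bttl[=:\s]*(\d{1,3})", re.IGNORECASE)

def extract_ttls(ping_output):
    """All TTL values found in ping output (Linux 'ttl=52' or Windows 'TTL=116')."""
    return [int(t) for t in TTL_RE.findall(ping_output)]

def guess_os(ttl):
    """Map an observed TTL to the nearest initial value at or above it.
    Returns (os_guess, hop_count); each router on the path decrements the TTL by one."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    return "unknown", None

def guess_from_ping(ping_output):
    """Guess OS and path length from raw ping output; None if no TTL is present."""
    ttls = extract_ttls(ping_output)
    if not ttls:
        return None
    ttl = max(set(ttls), key=ttls.count)  # most frequent value, ignoring odd replies
    os_guess, hops = guess_os(ttl)
    return {"ttl": ttl, "os": os_guess, "hops": hops}

# Constructed sample output: one Linux-style and one Windows-style ping transcript.
LINUX_PING = """\
PING host.example.test (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=52 time=12.3 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=52 time=12.1 ms
"""
WINDOWS_PING = """\
Pinging host.example.test [192.0.2.20] with 32 bytes of data:
Reply from 192.0.2.20: bytes=32 time=15ms TTL=116
Reply from 192.0.2.20: bytes=32 time=14ms TTL=116
"""

if __name__ == "__main__":
    print(guess_from_ping(LINUX_PING))
    print(guess_from_ping(WINDOWS_PING))
```

Because the rule only looks at which initial value the TTL sits under, a host whose administrator has changed the default TTL will be misclassified, which is the caveat the post makes.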
2. Nmap

Command:
nmap -O IP

Port collection

nmap

nmap -sV -p 1-65535 IP      # when the target responds to ping
nmap -sV -p 1-65535 -Pn IP  # when the target does not respond to ping

CMS fingerprint identification

A CMS (content management system) manages a website's content. By identifying the CMS type you can look up its known vulnerabilities and take down the site.
Several online sites offer CMS fingerprint identification:
BugScaner: http://whatweb.bugscaner.com/look/
Tide Fingerprint: http://finger.tidesec.net/
Yunsee: http://www.yunsee.cn/info.html
Yunsee Fingerprint: http://www.yunsee.cn/finger.html
WhatWeb: https://whatweb.net/

Directory scanning

1. Yujian scan

2. DirBuster

First enter the URL to scan in the Target URL box and set the request method used during the scan to "Auto Switch (HEAD and GET)".
Set the thread count yourself (too many may crash the system).
Select the scan type; to scan with your own dictionary, choose "List based brute force" and click "Browse" to load it.
Tick "URL Fuzz" to select URL fuzzing (without it, standard mode is used) and enter "/{dir}" in "URL to fuzz". Here {dir} is a variable standing for each line of the dictionary; at runtime it is replaced by each directory name in the dictionary.
Click "Start" to begin scanning.
You can also use the copy that ships with Kali.

3. Dirscan

Download address: https://github.com/j3ers3/Dirscan

4. dirsearch

Download address: https://github.com/maurosoria/dirsearch

Google Hacking

Its basic syntax was introduced above; typical uses follow:

Find the specified backend address

site:xx.com intext:管理 | 后台 | 后台管理 | 登陆 | 登录 | 用户名 | 密码 | 系统 | 账号 | login | system

site:xx.com inurl:login | inurl:admin | inurl:manage | inurl:manager | inurl:admin_login | inurl:system | inurl:backend

site:xx.com intitle:管理 | 后台 | 后台管理 | 登陆 | 登录

Check the file upload vulnerabilities of the specified website

site:xx.com inurl:file

site:xx.com inurl:load

site:xx.com inurl:upload

Inject page

site:xx.com inurl:php?id=

Directory traversal vulnerability

site:xx.com intitle:index.of

SQL error

site:xx.com intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()"

phpinfo()

site:xx.com ext:php intitle:phpinfo "published by the PHP Group"

Configuration file leaked

site:xx.com ext:.xml | .conf | .cnf | .reg | .inf | .rdp | .cfg | .txt | .ora | .ini

Database file leak

site:xx.com ext:.sql | .dbf | .mdb | .db

Log file leak

site:xx.com ext:.log

Backup and historical file leaks

site:xx.com ext:.bkf | .bkp | .old | .backup | .bak | .swp | .rar | .txt | .zip | .7z | .sql | .tar.gz | .tgz | .tar

Public document leaks

site:xx.com filetype:.doc | .docx | .xls | .xlsx | .ppt | .pptx | .odt | .pdf | .rtf | .sxw | .psw | .csv

Email information

site:xx.com intext:@xx.com
site:xx.com 邮件
site:xx.com email

Social engineering information

site:xx.com intitle:账号 | 密码 | 工号 | 学号

Look up which applications a user has registered with from some of their details (mail, name, ID, phone):
https://www.reg007.com/

Github information leak

Many websites and systems use POP3 and SMTP to send email, and many developers, through lack of security awareness, push the related configuration files to GitHub. Using Google search syntax, this sensitive information can therefore be found.

site:Github.com smtp
site:Github.com smtp @qq.com
site:Github.com smtp @126.com
site:Github.com smtp @163.com
site:Github.com smtp @sina.com.cn

Database information leakage:

site:Github.com sa password
site:Github.com root password

Summary

Of course, winning over the young lady has to be done step by step, and the preliminary information gathering is very important: from choosing a target at the start, to obtaining basic personal information, to checking whether the other party is deceiving you, and then, if the direct approach is refused, starting with the people around her. Information gathering plays a crucial role in a successful pursuit.
This post is mainly for beginners to exchange experience; experienced drivers, please keep driving.

Source: blog.csdn.net/qq_32277727/article/details/131883456