WEB Security-Penetration Testing Technical Manual

Source: Anjie.com-WEB Security-Penetration Testing Technology


Preface

This chapter was studied and organized from the course resources provided by Boss Zhou and Thermue Technology, in order to lay a solid foundation.


1. Overview of Penetration Testing

  • What is penetration testing?

Penetration testing is an assessment method that evaluates the security of a computer network system by simulating the attack methods of malicious hackers. The process includes actively analysing the system for weaknesses, technical flaws and vulnerabilities from the position an attacker would occupy, and, within agreed conditions, actively exploiting the security vulnerabilities found.

The difference between testing and hacking lies in the extent of the attack: a tester does not, for example, take down the server of the site under test. Secondly, always keep in mind Articles 285 and 286 of the Criminal Law of the People's Republic of China, and do not cross the legal red line.

  • Penetration testing process

  • Information collection (DNS information, routing relationships, e-mails, phone numbers, website owners)
  • Target identification (which connected devices are in the network, and their communication addresses)
  • Service enumeration (finding open ports and the services provided on those ports)
  • Vulnerability mapping (vulnerabilities discovered manually or with tools)
  • Vulnerability exploitation (using vulnerabilities to perform some operations within an acceptable range)
  • Privilege escalation (obtaining higher privileges to attempt further attacks and vulnerability discovery)
  • Permission maintenance (planting backdoors, retaining administrator accounts, and keeping the testers' access)
  • Documentation and reporting (submitting the report to the client)

2. Scanning and information collection

  • DNS information collection

DNS (Domain Name System) here means domain name resolution. Generally a website is accessed through its domain name. A domain name can be purchased, but it cannot be used as-is after purchase: if you want others to reach it on the public network, the domain name must be resolved on the public network. When resolution is set up, some information about the owner is registered, and that information is what we want to collect.

First, open the Webmaster Tools site (tool.chinaz.com), which can query various kinds of information about a website. This time we start with a Whois query, looking up the Whois information of testfire.net, as shown in the following figure:

There is more information further down the page; you can check it out yourself.

In addition, you can use dedicated tools: the Kali virtual machine integrates many penetration-testing tools.

Download address: www.kali.org

After a successful installation, run the whois command in the terminal (whois followed by the domain name).


  • Subdomain name query

When a website is built it may use more than one domain name. Taking Baidu as an example, different modules correspond to different subdomains.

baidu.com: www.baidu.com, image.baidu.com, zhidao.baidu.com, etc.

To ensure the completeness of the test results, we should query subdomains as thoroughly as the customer's requirements allow. Proceed through the following methods:

URL query tool: searchdns.netcraft.com

PS: Do not enter the www prefix when searching, because www is itself a subdomain prefix.

For example: testfire.net and similar names are the main domain names.

Subdomain digger

Layer Subdomain Excavator: download it from the following address, unzip it and use it directly.

Link: https://pan.baidu.com/s/19jz0vpeR7D2h2kOr7OQccw Extraction code: xnnj

Enter the domain name to query in the domain-name box on the left and click Start on the right; the query runs by brute-force enumeration.

The principle is to look up common prefixes from a dictionary. The dictionary file, stored as dic.txt in the tool's folder, needs to be enriched by yourself to get better enumeration results.

If the dictionary is not complete enough, some subdomains may be missed.


  • DNS2IP

After finding the domain name we also need the IP address corresponding to it, because the IP address determines the location and access path of the website.

Query methods:

Method 1: Through the cmd window

First press Ctrl+R, type cmd and press Enter, then enter the command to ping the domain name:

This command not only tests whether the computer you are using can communicate with the target, but also displays the IP address that the pinged domain name resolves to.

Method 2: Webmaster Tools

(Webmaster Tools - Webmaster Home) Click "Ping detection" among the popular tools on the site, or go directly to "Ping the server from multiple locations - Website Speed Test - Webmaster Tools".

The ping on Webmaster Tools is run over different network lines, and the response speed from each can also be queried.

Method 3: Query the kali virtual machine :

Similar to method one:

And the nslookup method (nslookup followed by the domain name):

In addition there is dig (dig followed by the domain name): not only is the IP address corresponding to the domain name displayed, but the subdomain names are shown as well.

The dig command can also specify which server resolves the domain name. When a website is relatively large, the same content is usually deployed to different servers as mirrors. This ensures that if one server fails the others can still serve, and it also lets servers in different geographical locations give the users in those regions faster access.

Therefore, during testing, different addresses can be obtained by specifying different resolving servers.

The specific method is:

dig @<server address> <domain name>
dig @8.8.8.8 www.testfire.net

In addition there is the dnsenum command, which obtains the IP address corresponding to the domain name and displays all the servers passed through during the whole resolution process.
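To make concrete what "dig @server domain" does on the wire, here is an added Python example; it is not code from the original article or from the dig, nslookup or Kali projects. It builds a DNS A query, sends it to a resolver you name, and parses the answers, checking that the reply carries the random transaction ID we sent. The embedded response bytes and the 192.0.2.x addresses are constructed sample data (192.0.2.0/24 is reserved for documentation, not the real testfire.net address). From a defender's side, comparing the answers of several resolvers with compare_resolvers is a quick way to confirm that every resolver returns the addresses you expect for your own domain.

```python
import random
import socket
import struct


def build_query(name, txid, qtype=1):
    """Build a DNS query for `name` (qtype 1 = A record) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg):
    """Return (txid, flags, [(name, rtype, ttl, value), ...]) from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):             # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                    # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:       # A record: four raw octets
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:                    # CNAME: another compressible name
            value, _ = _read_name(msg, off)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return txid, flags, answers


def resolve(name, server, timeout=3.0):
    """Equivalent of `dig @server name`: query one resolver over UDP port 53."""
    txid = random.randrange(1, 0xFFFF)      # random ID, checked on the reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        reply, _ = s.recvfrom(4096)
    got_id, flags, answers = parse_answers(reply)
    if got_id != txid or flags & 0x000F:    # ID mismatch or non-zero RCODE
        raise ValueError("unexpected or failed response from %s" % server)
    return [a[3] for a in answers if a[1] == 1]


def compare_resolvers(name, servers):
    """Ask several resolvers and report which A records each one returns."""
    return {server: resolve(name, server) for server in servers}


# Constructed sample response: www.testfire.net -> two A records in 192.0.2.0/24
# (documentation range; not the real address). Answer names use pointer 0xC00C
# back to the question name at offset 12, as real resolvers do.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x08testfire\x03net\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 11])
)

if __name__ == "__main__":
    print(parse_answers(SAMPLE_RESPONSE))
    # With network access, the same as `dig @8.8.8.8 www.testfire.net`:
    # print(compare_resolvers("www.testfire.net", ["8.8.8.8", "1.1.1.1"]))
```

Only parse_answers and build_query are exercised offline; resolve and compare_resolvers need network access to the named resolvers.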


  • nmap scan

Nmap is integrated in the Kali virtual machine. Enter nmap -sP followed by the IP address in the terminal:

nmap -sP 192.168.9.179
# this is the address of my own physical machine

Compared with the ping command, both show whether the host responds and some basic information, but nmap is not limited to one machine: it can scan an entire LAN. During a penetration test we may find a server with a vulnerability and gain control of it, and that server is usually in a LAN with other devices. Devices in a LAN communicate with each other more easily than over the public network, so once one server in the LAN is compromised, an attacker may attack the other devices through it, and a single server can take down the whole LAN.

So, as penetration testers, we should discover this potential threat in advance, which means knowing beforehand what devices exist on the LAN where the server under test is located. For this we use a variant of the nmap command.

# query the devices on the LAN
nmap -sP 192.168.9.0/24
# /24 is the subnet mask: the first three octets 192.168.9 are fixed, and the last octet varies and is tested in turn

This command finds the devices on the network. The security risks of a device are generally tied to the services it runs, and services are tied to ports, so we can use nmap to scan the open ports of those devices.

# scan the open ports of the devices on the LAN
nmap 192.168.9.0/24

Different devices will show different open ports. For example, port 445 has a mixed reputation: through it we can easily access shared folders and shared printers in the LAN, but precisely because of it hackers get an opportunity. They can secretly share your hard drive through this port, and even wipe your hard drive silently.

And port 3389 is used for Remote Desktop, which may let the desktop be taken over without your knowledge.
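The two scans above (host discovery across the /24, then a port scan) produce a list of devices and their open ports; what a defender does with it is check that list against the asset inventory and flag the exposures the text warns about. The following Python example is added here and is not code from the original article or from the Nmap project. It expands the /24 the way nmap will test it, parses nmap's normal text output, flags hosts exposing TCP 445 (SMB) and 3389 (RDP), and reports hosts that answered but are not in the inventory. The scan report text and the 192.168.9.x inventory are constructed sample data.

```python
import ipaddress
import re

# The two ports the text singles out, with the defensive action for each.
RISKY_TCP_PORTS = {
    445: "SMB file/printer sharing exposed: restrict to trusted hosts or disable",
    3389: "Remote Desktop exposed: restrict source addresses and require NLA/MFA",
}

REPORT_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def hosts_in(cidr):
    """Expand a CIDR such as 192.168.9.0/24 into the host addresses nmap tests."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def parse_nmap_report(text):
    """Map each scanned host to its open (port, proto, service) tuples."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, [])
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            if state == "open":          # closed/filtered ports are not exposures
                hosts[current].append((int(port), proto, service))
    return hosts


def flag_exposures(hosts):
    """(host, port, service, advice) for every risky TCP port found open."""
    findings = []
    for host, ports in hosts.items():
        for port, proto, service in ports:
            if proto == "tcp" and port in RISKY_TCP_PORTS:
                findings.append((host, port, service, RISKY_TCP_PORTS[port]))
    return findings


def unknown_hosts(hosts, inventory):
    """Hosts that answered the scan but are not in the asset inventory."""
    return sorted(set(hosts) - set(inventory))


# Constructed sample of nmap's normal output for a small LAN.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.9.1
Host is up (0.0012s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http

Nmap scan report for 192.168.9.50
Host is up (0.0030s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 192.168.9.179
Host is up (0.00050s latency).
PORT    STATE  SERVICE
135/tcp open   msrpc
445/tcp open   microsoft-ds
139/tcp closed netbios-ssn
"""

# Constructed inventory: the hosts the administrator expects on 192.168.9.0/24.
KNOWN_HOSTS = ["192.168.9.1", "192.168.9.179"]

if __name__ == "__main__":
    print("addresses tested by -sP on the /24:", len(hosts_in("192.168.9.0/24")))
    found = parse_nmap_report(SAMPLE_REPORT)
    for host, port, service, advice in flag_exposures(found):
        print("%s tcp/%d (%s): %s" % (host, port, service, advice))
    print("not in inventory:", unknown_hosts(found, KNOWN_HOSTS))
```

Feed it a real report with nmap's -oN output file in place of SAMPLE_REPORT; the parser only looks at the "Nmap scan report for" and "port/proto state service" lines, so extra lines from -sV or -O are ignored.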

For the other options, I found a very comprehensive and detailed article by an expert, which I add here: nmap scan port command explains network security of Linux network detection in detail_Courageous Steak's Blog-CSDN Blog_nmap Scan port command


  • Web vulnerability scanning

Using the tool Acunetix Web Vulnerability Scanner (AWVS)

Link: https://pan.baidu.com/s/1mH0SOaDeElZ_NTuK2NSArw Extraction code: zgqq

After unzipping on Windows, copy the AWVS installation package to the root directory of the Kali system.

3. SQL injection

  • The principles of SQL injection and universal password


Origin blog.csdn.net/m0_61409069/article/details/127145222