Bypassing a CDN to find the real IP

During a penetration test, the target may give you nothing but a domain name. If the target server is not behind a CDN, you can get its IP directly from an IP/domain lookup site such as www.ip138.com.

If there is a CDN, how do you get around it and find the real IP of the target server?

1, the target server is behind a CDN

  A CDN (content delivery network) mainly solves the slowness caused by long transmission distances on the underlying network and by nodes sitting on different carriers. Simply put, it is a set of cache servers placed at the points where different carriers interconnect. Static resources that users request frequently (static HTML, CSS, JS, images and similar files) are cached on these node servers; when a user requests them again, the nearest node answers directly, while dynamic interaction is still answered by the real Web server far away. This greatly improves the site's response time and user experience.

  If the target has bought a CDN service, pinging the target domain does not reach the real Web server but the CDN node closest to us, so we cannot obtain the target's real IP segment directly.

2, determining whether the target uses a CDN

  Usually you ping the target's main domain and observe how the name resolves to judge whether a CDN is in use.

  You can also (TK Leader raised this topic on Weibo a few days ago) use an online service such as 17CE (https://www.17ce.com) to ping the server from many regions across the country and compare the IP returned in each region. If they are all the same, there is most likely no CDN. If most of them differ, or the IPs show a strong pattern, query the IP ownership to decide whether a CDN is present.

3, bypassing the CDN to find the real IP

  Once we have confirmed that the target does use a CDN, we need to bypass it to find the target's real IP:

  • Internal mail source. Mail systems are generally run in-house and are not resolved through the CDN. Register as a user on the target site or subscribe to its RSS feed, look at the mail you receive, and find the mail server's domain name or IP in the message headers; pinging the mail server's domain name can give you the target's real IP. (Note: this only works when the target runs its own mail server; it does not work with third-party or public mail services.)
  • Scan the site for test files, such as phpinfo, test and the like, to find the target's real IP.
  • Sub-station domains. Many sites' main stations get heavy traffic, so the main station is put behind a CDN while the sub-stations may not be. Pinging a secondary domain can give you the sub-station's IP. The main and sub-stations may not be in the same C segment, but they usually are, which lets us determine the target's real IP segment.
  • Ping from abroad. Domestic CDNs often accelerate access only for domestic users, not necessarily for foreign ones. Pinging from a foreign online service such as https://asm.ca.com/en/ping.php may therefore return the real IP.
  • Query the domain's historical resolution records. Perhaps the target did not use a CDN a long time ago.
  • If the target site has its own app, try capturing the app's requests with Fiddler or Burp Suite and look for the target's real IP in that traffic.
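As an added example that is not part of the original post, the checks from sections 2 and 3 turned around to the defender's side: given how your own hostnames resolve and the address ranges of the CDN that fronts you, flag the hostnames (mail, sub-stations) that hand out the origin segment, and apply the multi-region comparison heuristic. All addresses and prefixes below are constructed TEST-NET values, not any real CDN's ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: address ranges of the CDN provider the site is fronted by.
# These are documentation (TEST-NET) prefixes, not any real CDN's ranges.
CDN_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed: how our own hostnames currently resolve (the "mail" and
# "sub-station" cases from section 3 are the ones that tend to leak).
RESOLVED = {
    "www.example.com":  ["203.0.113.10", "203.0.113.11"],  # fronted by the CDN
    "cdn.example.com":  ["198.51.100.7"],                  # fronted by the CDN
    "mail.example.com": ["192.0.2.25"],                    # internal mail, no CDN
    "dev.example.com":  ["192.0.2.10"],                    # sub-station, no CDN
}

# Constructed: IP answered when pinging www.example.com from several regions
# (the 17CE-style comparison from section 2).
PING_BY_REGION = {"Beijing": "203.0.113.10",
                  "Shanghai": "203.0.113.11",
                  "Guangzhou": "203.0.113.10"}

def behind_cdn(ip):
    """True if the address lies inside one of the CDN provider's ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CDN_RANGES)

def looks_like_cdn(ping_by_region):
    """Section 2 heuristic: different answers from different regions suggest a CDN.
    (Identical answers everywhere do not prove the absence of one.)"""
    return len(set(ping_by_region.values())) > 1

def exposed_hosts(resolved, origin_segment):
    """Hostnames answering with an address that is not on the CDN and that sits
    inside our origin segment: each one hands out the real IP range.
    Returns {hostname: [leaking addresses]}."""
    segment = ip_network(origin_segment)
    leaks = {}
    for host, ips in resolved.items():
        bad = [ip for ip in ips if not behind_cdn(ip) and ip_address(ip) in segment]
        if bad:
            leaks[host] = bad
    return leaks

if __name__ == "__main__":
    print("multi-region ping suggests CDN:", looks_like_cdn(PING_BY_REGION))
    for host, ips in exposed_hosts(RESOLVED, "192.0.2.0/24").items():
        print(f"{host} exposes the origin segment via {', '.join(ips)}")
```

Feed it your own zone's A records and your CDN's published ranges; anything it reports is a hostname an outsider can use exactly as sections 2 and 3 describe.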

4, verifying the acquired IP

  For a Web target, the simplest check is to open the IP directly in the browser and see whether the page returned is the same as when you access the domain name. If the target segment is fairly large, use a tool like Masscan to scan the whole segment in batch for IPs with ports 80, 443 and 8080 open, then try each IP one by one and observe whether the response matches the target site.


Origin www.cnblogs.com/R1card0/p/11222500.html