Information Gathering Summary (expanded gradually)

Information gathering

Horizontal information gathering

Domain information

whois

  1. What whois provides

    A whois query returns the domain registrant's key information: the registering company, the registrant email, the administrator's email and phone number, and so on, which is useful for later social-engineering work. The same tools can also look up other domains registered by the same registrant, the corresponding NS and MX records, and automatically recognise common domestic hosting providers (HiChina/Wanwang, Xinnet, etc.).

  2. Common tools

Subdomains

Google hacking
  • Common search operators
    • intext: keyword
      • Uses the keyword in the page body as the search condition
    • allintext: keyword
      • Same function, applied to all keywords
    • intitle: keyword
      • Uses the keyword in the page title as the search condition
    • allintitle: keyword
      • Same function, applied to all keywords
    • cache: url
      • Shows the search engine's cached copy of the page
    • define: keyword
      • Searches for definitions of the keyword
    • filetype: extension
      • Searches for files of a specific type
    • info: keyword
      • Shows some basic information about the site
    • inurl: keyword
      • Searches for URLs containing the keyword
    • allinurl: keyword
      • Same, but more precise
    • link: url
      • Finds pages that link to the given URL
    • site: domain
      • Restricts results to the given domain; listing its indexed pages also reveals the site's structure
    • related: url
      • Finds pages related to the given URL
    • stocks: keyword
      • Searches stock-market information for a company
    • author: name
      • Searches newsgroup postings by author
    • Multiple keywords separated by spaces are combined with logical AND
    • Logical NOT: A -C searches for A while excluding C
    • Double quotes force an exact-phrase match
    • Wildcards: * stands for a run of characters, ? for a single character
    • Prefix a keyword with + to force it to be included
Search engines
  • ZoomEye: https://www.zoomeye.org/

    ZoomEye is biased toward searches at the web-application level

    • Common ZoomEye search syntax found online
      • app: nginx           component name
      • ver: 1.0             version
      • os: windows          operating system
      • country: "China"     country
      • city: "hangzhou"     city
      • port: 80             port
      • hostname: google     host name
      • site: thief.one      domain
      • desc: nmask          description
      • keywords: nmask'blog keywords
      • service: ftp         service type
      • ip: 8.8.8.8          IP address
      • cidr: 8.8.8.8/24     IP range
  • FoFa: https://fofa.so/

    FoFa is biased toward asset searches

    • Common FoFa search syntax found online
      • title="abc"        search for "abc" in the page title. Example: sites whose title contains Beijing.
      • header="abc"       search for "abc" in the HTTP header. Example: JBoss servers.
      • body="abc"         search for "abc" in the HTML body. Example: bodies containing "Hacked by".
      • domain="qq.com"    search by root domain. Example: sites whose root domain is qq.com.
      • host=".gov.cn"     search for .gov.cn in the URL; note that host is matched against the host name.
      • port="443"         find assets with the given port. Example: assets with port 443.
      • ip="1.1.1.1"       search for sites at the given IP; note that ip is matched against the address.
      • protocol="https"   search by protocol (valid where port scanning is enabled). Example: HTTPS assets.
      • city="Beijing"     search assets in the given city.
      • region="Zhejiang"  search assets in the given administrative region.
      • country="CN"       search assets in the given country (country code).
      • cert="google.com"  search for assets whose certificate (HTTPS, IMAPS, etc.) contains google.com.
  • Shodan: https://www.shodan.io/

    Shodan is biased toward searches for network devices and servers

    • Common Shodan search syntax found online
      • hostname: search for a specific host or domain, e.g. hostname:"google"
      • port: search for a specific port or service, e.g. port:"21"
      • country: search a given country, e.g. country:"CN"
      • city: search a given city, e.g. city:"Hefei"
      • org: search a specific organisation or company, e.g. org:"google"
      • isp: search a given ISP, e.g. isp:"China Telecom"
      • product: search a given operating system / software / platform, e.g. product:"Apache httpd"
      • version: search a given software version, e.g. version:"1.6.2"
      • geo: search a given location, e.g. geo:"31.8639, 117.2808"
      • before / after: search data indexed before or after a date, in dd-mm-yy format, e.g. before:"11-11-15"
      • net: search a given IP address or subnet, e.g. net:"210.45.240.0/24"
DNS lookup

DNS (Domain Name System) is a distributed database that maps domain names and IP addresses to each other on the Internet, so that users can reach hosts without remembering IP address strings that only machines read conveniently. The process of obtaining the IP address that corresponds to a domain name is called domain name resolution (or host name resolution).

Query by SSL certificate
Brute-force enumeration
  • Online subdomain collection
  • Offline subdomain collection
    • Layer Subdomain Excavator
      • Used to dig up subdomains: enter the domain name and click Start to query
    • subDomainsBrute
      • Used to dig up subdomains: run it with Python 2 to get a text file of subdomains

Social engineering information gathering

Email addresses

  • Collect from published documents and site pages, and from account information posted on message boards
  • Collect with teemo, Metagoofil, Burp Suite, AWVS, Netsparker, or Google search syntax
  • Search related QQ groups to collect employees' social accounts

QQ number

Phone number

Various identity-related information

ID card

Side sites (other sites on the same server) and C-segment (/24) information

IP information gathering

Real IP

  • CDN introduction

    CDN stands for Content Delivery Network. It is generally used only by sites with a particularly large number of users, as a way to relieve the server performance bottleneck.

  • Determining whether a CDN is present
    • Judge from ping whether a CDN is in use.
    • Ping the target from different regions, by setting a proxy or by using an online multi-location ping site: http://ping.chinaz.com/
  • Bypassing the CDN

    If the target does not use a CDN, ping returns its IP address directly. Alternatively, use an online site: http://www.ip138.com/

  • If the target does use a CDN, the real IP address has to be obtained by bypassing it.
    • Internal mail: collect the internal mail server's IP address from email
    • The site's phpinfo file (phpinfo.php)
    • Subdomain IP addresses: putting every subdomain behind the CDN is expensive, so subdomains may well not use it
    • Access from abroad: https://asm.ca.com/en/ping.php
    • Query DNS records: https://viewdns.info/
  • Verification: visit the site by IP address; if it displays normally, the address is the real IP, otherwise it is not.

IP range

  • Usually, by the time subdomains have been collected, the target site's IP range is more or less known.
  • It can also be obtained with the whois command, i.e. queried through the China Internet Network Information Center (CNNIC).

Vertical information gathering

Port scanning

  • nmap scanning
    • Port states reported by nmap
      • open: the port is open.
      • closed: the port is closed.
      • filtered: the port is screened by a firewall or IDS/IPS and its state cannot be determined.
      • unfiltered: the port is not screened, but whether it is open needs further checking.
      • open|filtered: the port is either open or screened.
      • closed|filtered: the port is either closed or screened.
    • Commonly used nmap options
      • -A aggressive scan: OS detection, version detection, script scanning and more
        • Example: nmap -A 127.0.0.1
      • -e specifies the network interface to scan from
        • Example: nmap -e eth0 127.0.0.1
      • -iL scans the IPs listed in the given file
        • Example: nmap -iL 1.txt
      • -iR scans a given number of random hosts
        • Example: nmap -iR <number>
      • -O probes the host's operating system
        • Example: nmap -O 127.0.0.1
      • -oN writes the scan results in normal (standard-output) format to the given file
        • Example: nmap -oN F:\a\test.txt 127.0.0.1
      • -p specifies the ports to scan
        • Example: nmap -p80,3306 127.0.0.1
      • -P0 (zero; current nmap spells it -Pn): some hosts block ping, so this skips the ping probe and speeds up the scan
        • Example: nmap -P0 127.0.0.1
      • -PS probes whether target ports are open with a TCP SYN ping; ports are separated by commas
        • Example: nmap -PS80,3306,443 127.0.0.1
      • -PU probes whether target ports are open with a UDP ping; ports are separated by commas
        • Example: nmap -PU80,3306,443 127.0.0.1
      • -sA sends an ACK packet to the target port; receiving a RST means the port is not screened by a firewall. The only way to tell whether a firewall is blocking a port
        • Example: nmap -sA 127.0.0.1
      • -sF a TCP scan that sends packets with the FIN flag set
        • Example: nmap -sF 127.0.0.1
      • -sL list scan: only lists each host in the given range, sending no packets to the target hosts
        • Example: nmap -sL 127.0.0.1
      • -sn host discovery only: reports which hosts are online, with their IP and MAC addresses
        • Example: nmap -sn 127.0.0.1
      • -sO probes which IP protocols the host supports
        • Example: nmap -sO 127.0.0.1
      • -sP sends ICMP packets to the hosts to find out which are alive (ping scan)
        • Example: nmap -sP 127.0.0.1/24
      • -sS half-open SYN scan (stealth scan)
        • Example: nmap -sS 127.0.0.1
      • -sT TCP connect scan: scans the device's TCP ports with a full three-way handshake
        • Example: nmap -sT 127.0.0.1 (equivalent to nmap 127.0.0.1)
      • -sU scans for open UDP ports on the device
        • Example: nmap -sU 127.0.0.1
      • -sV version detection: identifies the software and version running on each open port
        • Example: nmap -sV 127.0.0.1
      • -sW TCP window scan; obtains some port information
        • Example: nmap -sW 127.0.0.1 -p80
      • -v verbose: shows details during the scan so the user can follow its current state
        • Example: nmap -v 127.0.0.1
  • Router Scan 2.53
    • Add an IP range and click Scan
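As an added defender-side example (not code from the original post): parse nmap's -oN normal output into the six port states listed above and report any open or open|filtered port that is not on an allowlist of expected exposure, which is how a scan of your own hosts turns into an actionable finding. The sample output and the allowlist are constructed; the addresses are TEST-NET placeholders.

```python
import re
from collections import defaultdict
# Constructed sample of nmap "-oN" (normal) output; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
PORT     STATE         SERVICE
22/tcp   open          ssh
80/tcp   open          http
443/tcp  open          https
3306/tcp open|filtered mysql
8080/tcp filtered      http-proxy
161/udp  open|filtered snmp
Nmap scan report for 192.0.2.11
All 2000 scanned ports on 192.0.2.11 are closed
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# A port line is "<port>/<proto> <state> <service>", state being one of the six above
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)")

def parse_nmap_normal(text):
    """Return {host: [(port, proto, state, service), ...]} from -oN output."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current]  # register the host even if no port lines follow
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return dict(hosts)

def unexpected_exposure(hosts, allowed):
    """Ports that are open or possibly open ("open|filtered") but absent from the
    per-host allowlist of (port, proto); plain "filtered" is not counted."""
    findings = {}
    for host, ports in hosts.items():
        permitted = allowed.get(host, set())
        exposed = [(p, proto, state) for p, proto, state, _ in ports
                   if state in ("open", "open|filtered") and (p, proto) not in permitted]
        if exposed:
            findings[host] = exposed
    return findings
```

Feed it a real file with `parse_nmap_normal(open("out.txt").read())`; open|filtered ports (typically UDP) are included deliberately, since they need manual confirmation rather than silent acceptance.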

Site architecture probing

System level and application level

  • System level: operating system, middleware, scripting language, database, server, web container
  • Application level: development language, CMS, editor
  • Query methods

WAF detection

A WAF (Web Application Firewall) is a class of product that protects web applications by enforcing a set of HTTP/HTTPS security policies.

  • Some methods
    • Manual (submit malicious data; crude but simple)
    • Kali tools (WAFW00F, Nmap)
      • Nmap has two WAF-probing scripts
        • http-waf-detect
          • Command: nmap -p80,443 --script=http-waf-detect ip
        • http-waf-fingerprint
          • Command: nmap -p80,443 --script=http-waf-fingerprint ip
      • WAFW00F probes the WAF
        • Command: wafw00f -a domain name

Sensitive files and directories

  • Sensitive files and directories mainly include the following:
    • Git
    • hg/Mercurial
    • svn/Subversion
    • bzr/Bazaar
    • CVS
    • WEB-INF leaks
    • Leaked backup files and configuration files
  • Digging for sensitive files and directories usually relies on scripts.
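An added example, not from the original post and not one of the scripts it alludes to: a pre-deployment audit that walks a web root for the version-control directories, WEB-INF, backup files and configuration leftovers listed above, so they are found and removed before the site is served. The directory tree and the file-name sets are constructed for illustration.

```python
import os
import tempfile

# Directory names that expose source history or deployment internals when served
SENSITIVE_DIRS = {".git", ".hg", ".svn", ".bzr", "CVS", "WEB-INF"}
# File names that leak configuration or environment details (illustrative set)
LEAKY_FILES = {".env", "phpinfo.php", "config.php.bak", "web.config.bak"}
# Suffixes of backup, editor and dump leftovers commonly found beside live files
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".zip", ".tar.gz", ".sql", "~")

def find_sensitive_paths(webroot):
    """Walk a web root and return sorted (relative_path, label) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        rel = "" if rel == "." else rel + "/"
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append((rel + d + "/", "vcs-or-internal-dir"))
                dirnames.remove(d)  # the directory itself is the finding; do not descend
        for f in filenames:
            if f in LEAKY_FILES:
                findings.append((rel + f, "config-or-info-leak"))
            elif f.endswith(BACKUP_SUFFIXES):
                findings.append((rel + f, "backup-file"))
    return sorted(findings)

def build_demo_webroot(base):
    """Create a constructed sample tree (not a real site) under base."""
    layout = ["index.php", "css/style.css", ".git/HEAD", "admin/WEB-INF/web.xml",
              "backup/db.sql", "config.php.bak", "phpinfo.php", "index.php~"]
    for p in layout:
        full = os.path.join(base, p)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return base

def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_sensitive_paths(build_demo_webroot(tmp))

if __name__ == "__main__":
    for path, label in demo():
        print(f"{label:22} {path}")
```

Point `find_sensitive_paths` at a real document root in a CI step and fail the build when it returns anything; the same lists double as deny rules for the web server.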


Source: www.cnblogs.com/demohou/p/12176584.html