The importance of information gathering (in hindsight)

Information gathering

I only realized the importance of information gathering in penetration testing when I was listening to a lesson and sorting out my own ideas; it also let me find important steps I had been missing. Every time I learn something new about information gathering I will add it here.

Classification:

* Active information gathering
* Passive information gathering

Vulnerability mining

When we do web penetration testing, the first thing is to determine the target. What do we get first? Its domain name.
Find the IP corresponding to the domain name: if there is a CDN in front, how do we get around it to find the real IP?
For example, you can start from the subdomains; three ways:
1. Google search syntax;
2. Layer subdomain tool crawling;
3. Python command-line tools;

Whois information of the domain name: Aizhan (爱站) and Zhanzhang Zhijia (站长之家), including sub-domain information gathering.

Sensitive information collection:
sensitive directories and files such as:
robots.txt, backup directories, installation packages (packaged website, backups, install files), upload directories,
MySQL management interfaces, installation pages, phpinfo(), editors, IIS file security pages: install.php and so on;

Whole-site analysis:
server type (platform version): operating system Windows / Linux (this determines the methods and tools)
script type: PHP / ASP / ASPX / JSP
1. directly from the page
2. DirBuster
3. search engine syntax (filetype:)
database type: MySQL / Access / SQL Server / Oracle / DB2 / PostgreSQL
website container: IIS, Apache, Nginx, Tomcat, etc.; tools: whatweb, nmap
CMS type (keywords, readme.txt, footer information): DedeCMS (织梦), EmpireCMS (帝国), Discuz, WordPress, ASPCMS and others
tools: Yujian (御剑) web fingerprinting, whatweb and others
protection: WAF, web application level firewall (how to bypass?)
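As an added example (not from the original post), the following Python script turns the whole-site analysis above into a self-audit: it applies the same kind of header and page-body fingerprinting that whatweb would, so a site owner can see what an external pass learns (OS, container, script type, CMS, version strings) and compare a chatty configuration with a hardened one. The rule set, the sample headers and the page bodies are constructed for this example; they are not whatweb's signatures or any real site's responses.

```python
import re

# Fingerprint rules: (header, regex, category, label). Constructed for this
# example from the technology list in the note, not a scanner's signature set.
HEADER_RULES = [
    ("Server", r"Microsoft-IIS", "container", "IIS"),
    ("Server", r"Apache", "container", "Apache"),
    ("Server", r"nginx", "container", "Nginx"),
    ("Server", r"Apache-Coyote|Tomcat", "container", "Tomcat"),
    ("Server", r"WebLogic", "container", "WebLogic"),
    ("Server", r"\(Ubuntu\)|\(Debian\)|\(CentOS\)|\(Red Hat", "os", "Linux"),
    ("Server", r"Microsoft-IIS|Win32|Win64", "os", "Windows"),
    ("X-Powered-By", r"PHP", "script", "PHP"),
    ("X-Powered-By", r"ASP\.NET", "script", "ASPX"),
    ("X-AspNet-Version", r".", "script", "ASPX"),
    ("X-Powered-By", r"Servlet|JSP", "script", "JSP"),
    ("Set-Cookie", r"PHPSESSID", "script", "PHP"),
    ("Set-Cookie", r"ASP\.NET_SessionId", "script", "ASPX"),
    ("Set-Cookie", r"JSESSIONID", "script", "JSP"),
    ("Set-Cookie", r"ASPSESSIONID", "script", "ASP"),
]

# Body rules: generator tags, CMS-specific paths and "Powered by" footers.
BODY_RULES = [
    (r'<meta name="generator" content="WordPress', "cms", "WordPress"),
    (r'<meta name="generator" content="Discuz', "cms", "Discuz"),
    (r"/wp-content/|/wp-includes/", "cms", "WordPress"),
    (r"Powered by (DedeCMS|织梦)", "cms", "DedeCMS"),
    (r"Powered by EmpireCMS", "cms", "EmpireCMS"),
]

VERSION_RE = re.compile(r"\d+(\.\d+)+")


def fingerprint(headers, body=""):
    """Return ({category: set(labels)}, [disclosed version strings])."""
    findings = {"os": set(), "container": set(), "script": set(), "cms": set()}
    versions = []
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name, pattern, category, label in HEADER_RULES:
        value = lower.get(name.lower())
        if value and re.search(pattern, value, re.IGNORECASE):
            findings[category].add(label)
    # Version numbers in these headers are the most useful thing an attacker learns.
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        value = lower.get(name)
        if value:
            versions += [f"{name}: {m.group(0)}" for m in VERSION_RE.finditer(value)]
    for pattern, category, label in BODY_RULES:
        if re.search(pattern, body, re.IGNORECASE):
            findings[category].add(label)
    return findings, versions


# Constructed responses: a default LAMP/WordPress install versus a hardened one.
CHATTY_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
}
CHATTY_BODY = '<html><head><meta name="generator" content="WordPress 5.3.2"></head></html>'

HARDENED_HEADERS = {
    "Server": "Apache",  # ServerTokens Prod: product only, no version or OS
    "Set-Cookie": "sid=abc123; Path=/; HttpOnly; Secure",  # renamed session cookie
}
HARDENED_BODY = "<html><head></head></html>"  # generator tag removed


def disclosure_count(headers, body=""):
    """Number of distinct technology labels plus version strings a scan would collect."""
    findings, versions = fingerprint(headers, body)
    return sum(len(v) for v in findings.values()) + len(versions)


if __name__ == "__main__":
    for title, h, b in (("chatty", CHATTY_HEADERS, CHATTY_BODY),
                        ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        f, v = fingerprint(h, b)
        print(title, {k: sorted(s) for k, s in f.items()}, v)
```

The hardened variant still shows the container (Apache) but no OS, script engine, CMS or version; the matching settings on a real stack are `ServerTokens Prod` (Apache), `server_tokens off` (nginx) and `expose_php = Off` (php.ini).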

Site background (admin) directory:
dictionary brute-forcing (Kali): dirb http://target-ip
Yujian background scanner and other tools;
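The sensitive-directory list and the dictionary brute-forcing above are very visible from the server side: a scanner like dirb or DirBuster produces a burst of 4xx responses from one address and hits exactly the paths listed (robots.txt, install.php, phpinfo.php, backups, upload and admin directories). As an added example (not from the original post), this Python script runs that detection logic over combined-format access log lines. The log lines, addresses and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths the sensitive-directory list singles out: robots.txt, backup and install
# files, phpinfo(), upload directories and database admin panels. These patterns
# are constructed for this example, not a scanner's wordlist.
SENSITIVE_RE = re.compile(
    r"^/robots\.txt$"
    r"|\.(bak|zip|rar|tar\.gz|sql|old)$"
    r"|/install(\.php)?/?$"
    r"|/phpinfo\.php$"
    r"|/uploads?/?$"
    r"|/phpmyadmin/?$"
    r"|^/admin/?$",
    re.IGNORECASE,
)

# Apache/Nginx combined log format:
# ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample: a normal visitor followed by a directory brute-force burst.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:10:00:01 +0800] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:10:00:02 +0800] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2020:10:05:00 +0800] "GET /robots.txt HTTP/1.1" 200 60 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [10/Mar/2020:10:05:00 +0800] "GET /phpinfo.php HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [10/Mar/2020:10:05:01 +0800] "GET /install.php HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [10/Mar/2020:10:05:01 +0800] "GET /backup.zip HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [10/Mar/2020:10:05:02 +0800] "GET /admin/ HTTP/1.1" 403 199 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [10/Mar/2020:10:05:02 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [10/Mar/2020:10:05:03 +0800] "GET /upload/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [10/Mar/2020:10:05:03 +0800] "GET /wp-login.php HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def max_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > timedelta(seconds=window_seconds):
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_probing(entries, window_seconds=60, miss_threshold=5, sensitive_threshold=3):
    """Per source IP: 4xx burst size, sensitive paths requested, and an alert flag."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        misses = [e["time"] for e in evs if 400 <= e["status"] < 500]
        sensitive = sorted({e["path"] for e in evs if SENSITIVE_RE.search(e["path"])})
        burst = max_in_window(misses, window_seconds)
        report[ip] = {
            "requests": len(evs),
            "max_4xx_per_window": burst,
            "sensitive_paths": sensitive,
            "alert": burst >= miss_threshold or len(sensitive) >= sensitive_threshold,
        }
    return report


if __name__ == "__main__":
    for ip, summary in detect_probing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Two signals are combined on purpose: a burst of misses alone catches generic wordlist scans, while the sensitive-path list catches a slow, targeted pass that stays under the rate threshold; either one raises the alert.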

Neighbouring sites and the C segment
If the main target cannot be broken into: find another website on the same server, get a webshell on it, take control of the server, and then obtain a webshell on the main target.
neighbouring site: other sites on the same server
C segment: other servers in the same network segment

Common tools:
Web >> K8 neighbouring-site tool, Yujian 1.5
Port >> portscan

Vulnerability mining
system hosts: Nessus / OpenVAS / X-Scan
Web vulnerabilities: AWVS / OWASP ZAP / WPScan

Common tools
dictionary brute-forcing >> Yujian, DirBuster, wwwscan, IIS_shortname_scanner and the like
spider crawling >> Caidao, webrobot, Burp and others
port scanning >> Metasploit, nmap
nmap -O target IP: detect the operating system type
nmap -sV target IP: detect the service types; -sT, -sU and others
port states: open; closed; filtered: shielded by a firewall / IDS / IPS etc., so the state cannot be determined; unfiltered: not shielded
commonly used ports
21/22/29 file sharing ports
22/23/3389 remote access ports
80/443/8080 web application ports
7001/7002 WebLogic container
3306 MySQL
1443 MSSQL
1521 Oracle
6379 Redis
25/110/143 mail (IMAP and so on)
53 DNS
67/68 DHCP (spoofing, hijacking)
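As an added example (not from the original post), this Python script reads the grepable output of `nmap -sV -oG` and reviews it against the port list above from the owner's side: which remote-access, database and application-container ports answer as open from outside, and which are filtered (shielded by a firewall / IDS / IPS, so their state is undetermined). The scan output, hosts and addresses are constructed for this example; the port-to-service groups are taken from the list above.

```python
# Service groups from the port list above. Ports whose role the list states
# clearly are used; the names in brackets are the usual services on them.
REMOTE_ADMIN = {22: "SSH", 23: "Telnet", 3389: "RDP"}
DATABASE = {3306: "MySQL", 1521: "Oracle", 6379: "Redis"}
APP_CONTAINER = {7001: "WebLogic", 7002: "WebLogic"}
WEB = {80, 443, 8080}

# Each "Ports:" entry in -oG output is port/state/proto/owner/service/rpc/version/
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")

# Constructed sample of `nmap -sV -oG` output; fields are tab-separated.
SAMPLE_GREPABLE = (
    "# Nmap 7.80 scan initiated Tue Mar 10 10:00:00 2020 as: nmap -sV -oG scan.gnmap 192.0.2.0/29\n"
    "Host: 192.0.2.10 (web01.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, "
    "3306/open/tcp//mysql//MySQL 5.7.29/\tIgnored State: closed (996)\n"
    "Host: 192.0.2.11 (cache01.example.test)\tStatus: Up\n"
    "Host: 192.0.2.11 (cache01.example.test)\tPorts: 6379/open/tcp//redis//Redis key-value store 5.0.7/, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)\n"
    "# Nmap done at Tue Mar 10 10:00:30 2020 -- 8 IP addresses (2 hosts up) scanned in 30.12 seconds\n"
)


def parse_grepable(text):
    """Parse nmap -oG output into {host_ip: [port dicts]}; comment and Status-only lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        for raw in ports_field[len("Ports:"):].strip().split(", "):
            rec = dict(zip(PORT_FIELDS, raw.split("/")))
            rec["port"] = int(rec["port"])
            hosts.setdefault(host, []).append(rec)
    return hosts


def review_exposure(hosts):
    """Flag open remote-admin, database and app-container ports per host.

    Filtered ports are listed separately: nmap could not determine their state,
    which usually means a firewall or IPS is in the path, not that they are closed.
    """
    groups = (("remote-admin", REMOTE_ADMIN), ("database", DATABASE), ("app-container", APP_CONTAINER))
    report = {}
    for host, ports in hosts.items():
        exposed, filtered, web = [], [], []
        for p in ports:
            if p["state"] == "open":
                if p["port"] in WEB:
                    web.append(p["port"])
                for name, table in groups:
                    if p["port"] in table:
                        exposed.append((p["port"], name, table[p["port"]]))
            elif p["state"] == "filtered":
                filtered.append(p["port"])
        report[host] = {"exposed": exposed, "filtered": filtered, "web": web}
    return report


if __name__ == "__main__":
    for host, r in review_exposure(parse_grepable(SAMPLE_GREPABLE)).items():
        print(host, "exposed:", r["exposed"], "filtered:", r["filtered"], "web:", r["web"])
```

Run against a scan taken from outside the perimeter, anything in `exposed` is a port that the list above marks as a database or management service and that should normally be reachable only from an internal network or through a VPN.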


Origin blog.csdn.net/qq_43571759/article/details/104718987