Basic website information gathering
- Domain and subdomain collection
- DNS lookup of the site's IP address
- Site owner (whois)
- Contact person responsible for the site
- The CMS the site is built on
1x01 Domain and subdomain collection
Here we take our own site's domain, bbskali.cn, as the example and take a brief look at collecting subdomain information. We introduce a few of the subdomain query tools that ship with Kali.
Use dnsmap to query subdomains (the tool takes the target domain as its argument and brute-forces a built-in or user-supplied wordlist against it):
dnsmap
Use fierce to query subdomains (it combines zone-transfer attempts with wordlist brute force):
fierce
Why collect subdomains:
Suppose the main site bbskali.cn passes our tests and offers no foothold at all. We may still be able to compromise the main site by way of a vulnerability in one of its subdomains, since they often share hosts, credentials or back-end services.
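To make the technique concrete, here is an added example (not code from the original post) that reproduces the core of what dnsmap and fierce do: resolve every word in a wordlist under the target domain. It also handles the case both tools have to deal with, wildcard DNS, where every name under the domain resolves and a naive scan reports the whole wordlist. The resolver is passed in as a function so the demo runs offline against a constructed zone; bbskali.cn is the post's example target and every record below is invented.

```python
"""Wordlist-driven subdomain discovery with wildcard-DNS handling.

Added example, not code from the original post. The resolver is injectable:
fake_resolver() serves a constructed zone for the offline demo, and
socket_resolver() does live lookups through the OS stub resolver.
"""
import secrets
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set

# A resolver maps a hostname to the set of IPv4 addresses it resolves to,
# or None when the name does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[Set[str]]]


def socket_resolver(name: str) -> Optional[Set[str]]:
    """Live resolver using the OS stub resolver (not used by the offline demo)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
        return set(addrs)
    except socket.gaierror:
        return None


def wildcard_ips(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Detect wildcard DNS (*.domain) by resolving random labels that cannot
    be in any wordlist. Any address they return is wildcard noise."""
    noise: Set[str] = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars, never in a wordlist
        found = resolve(f"{label}.{domain}")
        if found:
            noise |= found
    return noise


def brute_force_subdomains(domain: str, words: Iterable[str],
                           resolve: Resolver) -> Dict[str, List[str]]:
    """Return {fqdn: [ips]} for wordlist entries that resolve to something
    other than the wildcard answer. Caveat: a real host that shares the
    wildcard IP is indistinguishable from noise at the DNS layer."""
    noise = wildcard_ips(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in words:
        fqdn = f"{word}.{domain}"
        ips = resolve(fqdn)
        if not ips:
            continue
        real = set(ips) - noise
        if real:
            found[fqdn] = sorted(real)
    return found


# Constructed zone for the offline demo (TEST-NET addresses, not real records).
WILDCARD_IP = "203.0.113.99"
FAKE_ZONE: Dict[str, List[str]] = {
    "www.bbskali.cn": ["203.0.113.10"],
    "bbs.bbskali.cn": ["203.0.113.11"],
    "mail.bbskali.cn": ["203.0.113.12", WILDCARD_IP],  # wildcard IP stripped, host kept
    "cdn.bbskali.cn": [WILDCARD_IP],                   # only the wildcard IP: filtered out
}


def fake_resolver(name: str) -> Optional[Set[str]]:
    """Offline stand-in: explicit records first, then a *.bbskali.cn wildcard."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    if name.endswith(".bbskali.cn"):
        return {WILDCARD_IP}
    return None


if __name__ == "__main__":
    wordlist = ["www", "bbs", "mail", "cdn", "ftp", "dev"]
    for fqdn, ips in brute_force_subdomains("bbskali.cn", wordlist, fake_resolver).items():
        print(fqdn, ",".join(ips))
```

Against the constructed zone the scan reports www, bbs and mail and drops cdn, ftp and dev, which only ever return the wildcard address. For a live run pass socket_resolver and a real wordlist (the ones under /usr/share/wordlists on Kali work), and expect the wildcard check to hide any genuine host that happens to sit on the wildcard IP.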
IP address lookup
Why look up the IP:
From the IP address we can learn which ports the site currently has open and what operating system it runs on.
Method 1: ping
For example, to find out which IP address www.baidu.com resolves to, ping www.baidu.com and read the address from the first line of output.
Of course, this method fails for domains that block ICMP or sit behind a CDN: what you get back is the CDN edge node, not the origin server.
For a domain behind a CDN, ping it from a VPS outside the country instead. Most site owners only enable CDN acceleration for domestic traffic, so a foreign resolver is often handed the origin IP. Treat that address as a candidate and confirm it (for example by requesting the site from the IP with the correct Host header) before relying on it.
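The foreign-VPS trick above is really a comparison of DNS answers seen from different regions. The following added example (not code from the original post) makes that comparison explicit: it asks several recursive resolvers for the A records of a name, flags the domain as CDN-fronted when the resolvers disagree, and reports the addresses that only resolvers outside the CDN's service region returned as origin candidates. Live lookups use dnspython (pip install dnspython, optional); the offline demo feeds constructed answers straight into cdn_report(). The resolver labels, the split into domestic and foreign, and all addresses below are assumptions for the demo.

```python
"""Compare A-record answers across resolvers to spot CDN fronting and pick
candidate origin IPs.

Added example, not code from the original post. Encodes the post's
observation that a CDN enabled only for domestic traffic answers domestic
resolvers with edge IPs and foreign resolvers with the origin.
"""
from typing import Dict, Set

try:
    import dns.resolver    # optional: only needed for live queries
    import dns.exception
except ImportError:
    dns = None


def query_a(name: str, nameserver: str, timeout: float = 3.0) -> Set[str]:
    """Ask one specific recursive resolver for the A records of name."""
    if dns is None:
        raise RuntimeError("dnspython is required for live lookups")
    res = dns.resolver.Resolver(configure=False)  # ignore /etc/resolv.conf
    res.nameservers = [nameserver]
    res.lifetime = timeout
    try:
        return {rr.address for rr in res.resolve(name, "A")}
    except dns.exception.DNSException:
        return set()


def cdn_report(answers: Dict[str, Set[str]], foreign: Set[str]) -> Dict[str, object]:
    """answers: resolver label -> A records it returned.
    foreign:  labels of the resolvers outside the region the CDN serves.

    A CDN hands different resolvers different edge IPs, so disagreement
    between resolvers is the first signal. Addresses seen only from foreign
    resolvers are the origin candidates the foreign-VPS trick is after."""
    inside: Set[str] = set()
    outside: Set[str] = set()
    for label, ips in answers.items():
        (outside if label in foreign else inside).update(ips)
    distinct_answers = {frozenset(ips) for ips in answers.values()}
    return {
        "looks_like_cdn": len(distinct_answers) > 1,
        "all_ips": sorted(inside | outside),
        "candidate_origins": sorted(outside - inside),
    }


def live_report(name: str, resolvers: Dict[str, str], foreign: Set[str]) -> Dict[str, object]:
    """Query every resolver in {label: nameserver_ip} and summarise. Needs network."""
    return cdn_report({label: query_a(name, ns) for label, ns in resolvers.items()}, foreign)


# Constructed answers for the offline demo (TEST-NET addresses, invented).
CDN_CASE: Dict[str, Set[str]] = {
    "cn-resolver-1": {"198.51.100.20", "198.51.100.21"},  # domestic: CDN edges
    "cn-resolver-2": {"198.51.100.22"},
    "us-resolver-1": {"203.0.113.7"},                     # foreign: the origin
    "us-resolver-2": {"203.0.113.7"},
}
PLAIN_CASE: Dict[str, Set[str]] = {k: {"203.0.113.7"} for k in CDN_CASE}  # no CDN
FOREIGN = {"us-resolver-1", "us-resolver-2"}

if __name__ == "__main__":
    print(cdn_report(CDN_CASE, FOREIGN))
    print(cdn_report(PLAIN_CASE, FOREIGN))
```

Two caveats a practitioner should keep in mind: a candidate origin is only a candidate until you have connected to it with the site's Host header and seen the real application, and when the CDN serves every region the report will say looks_like_cdn with an empty candidate list, which tells you the DNS route is closed and another method (DNS history, mail headers, misconfigured subdomains) is needed.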
Once we have the IP address, run an Nmap scan against it to learn which ports are currently open (add -Pn if the host blocks ping, otherwise Nmap's host discovery will mark it down and skip it):
nmap
whois lookup
Here we can use an online webmaster tool to obtain information about the current site owner. You can also run the whois command directly from Kali:
whois
CMS identification
Method 1: use an online fingerprinting service (the original refers to Yunsee, 云悉).
Method 2: use the Kali tool whatweb to query the CMS information:
whatweb
Website directory crawling
By scanning the site's directories we can obtain some very important information, such as the admin login page.
Use dirsearch to scan the web directory and look for the admin back end. Execute the command:
Of course, you can also use Kali's own tool dirb to scan.
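Directory scanners such as dirsearch and dirb share one core loop, shown in this added example (not code from the original post, nor either tool's own logic): request every word in a list and report the paths that exist. The part worth seeing is how to avoid a false hit on every word, since many sites answer unknown paths with HTTP 200 and a "not found" page. The scanner first requests random paths that cannot exist, records that baseline, and reports only responses that differ from it. The HTTP client is injectable, so the demo runs offline against a constructed site; http_fetch() builds a live client from the standard library. Paths, bodies and the base URL are assumptions for the demo.

```python
"""Directory/file probing with a soft-404 baseline.

Added example, not code from the original post. The fetcher is injectable:
fake_fetch() serves a constructed site offline, http_fetch() is a live
client built on urllib that does not follow redirects, so a 301/302 to a
login page stays visible instead of being collapsed into its target.
"""
import hashlib
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Set, Tuple

# A fetcher returns (status, body) for a path under the target site.
Fetcher = Callable[[str], Tuple[int, bytes]]
Fingerprint = Tuple[int, str]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError for 3xx instead of following."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(base_url: str) -> Fetcher:
    """Build a live fetcher for base_url, e.g. "https://bbskali.cn" (assumed)."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(path: str) -> Tuple[int, bytes]:
        try:
            with opener.open(base_url.rstrip("/") + path, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as e:  # 3xx/4xx/5xx all arrive here
            return e.code, e.read()
    return fetch


def fingerprint(path: str, status: int, body: bytes) -> Fingerprint:
    """Status plus a hash of the body with the requested path removed, so a
    soft-404 page that echoes the path still matches the baseline."""
    digest = hashlib.sha256(body.replace(path.encode(), b"")).hexdigest()[:16]
    return status, digest


def baseline(fetch: Fetcher, probes: int = 2) -> Set[Fingerprint]:
    """Fingerprints of the responses to paths that cannot exist."""
    seen: Set[Fingerprint] = set()
    for _ in range(probes):
        path = "/" + secrets.token_hex(12)
        status, body = fetch(path)
        seen.add(fingerprint(path, status, body))
    return seen


def scan(fetch: Fetcher, words: Iterable[str],
         interesting: Tuple[int, ...] = (200, 301, 302, 401, 403)) -> Dict[str, int]:
    """Try each word with and without a trailing slash; report the first form
    whose status is interesting and whose response is not the soft-404 baseline."""
    noise = baseline(fetch)
    hits: Dict[str, int] = {}
    for word in words:
        path = "/" + word.strip("/")
        for candidate in (path, path + "/"):
            status, body = fetch(candidate)
            if status in interesting and fingerprint(candidate, status, body) not in noise:
                hits[candidate] = status
                break
    return hits


# Constructed site for the offline demo. Unknown paths get a soft 404:
# HTTP 200 with the requested path echoed into the page.
FAKE_SITE: Dict[str, Tuple[int, bytes]] = {
    "/": (200, b"<html>Welcome to bbskali.cn</html>"),
    "/admin": (301, b"Moved to /admin/"),
    "/admin/": (200, b"<html><form action='/admin/login'>Admin login</form></html>"),
    "/.git/": (403, b"Forbidden"),
    "/robots.txt": (200, b"User-agent: *\nDisallow: /admin/\n"),
}


def fake_fetch(path: str) -> Tuple[int, bytes]:
    if path in FAKE_SITE:
        return FAKE_SITE[path]
    return 200, b"<html><h1>Page not found</h1><p>" + path.encode() + b"</p></html>"


if __name__ == "__main__":
    for path, status in scan(fake_fetch, ["admin", "robots.txt", ".git", "backup", "login"]).items():
        print(status, path)
```

Against the constructed site the scan reports /admin (301), /robots.txt (200) and /.git/ (403) and stays quiet on backup and login even though the server answered them with 200, because those bodies match the soft-404 baseline. For a real run, pass http_fetch("https://target") and a wordlist such as /usr/share/wordlists/dirb/common.txt from Kali, and remember that every request lands in the target's access log.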