Web penetration testing: information gathering

Information gathering

Topics covered:
Whole-site analysis
Domain information
Sensitive directories
Google hacking
Port scanning
URL collection
Information analysis
Neighbouring sites and the C-class segment

Domain information

IP collection: find the IP address(es) the domain name resolves to. Tool: nslookup
Subdomain collection. Tools: Layer, subDomainsBrute
WHOIS (registrant) information query
Reverse lookup from a known domain: analyse the registrant of the domain, their e-mail address and telephone number.
Tools: Aizhan (爱站网), Webmaster Tools (站长工具), ThreatBook Online (微步在线)

Sensitive directories

Where to look: robots.txt (often reveals which CMS the site runs), admin/backend directories, installation packages (may contain packaged source code), upload directories, MySQL management interfaces, installation pages, phpinfo, editors, IIS short filenames
Common tools
Dictionary brute-forcing: Yujian (御剑), DirBuster, wwwscan, iis_shortname_scanner, etc.
Spider crawling: Caidao crawler (爬行菜刀), webrobot, Burp, etc.
Port scanning: nmap, portscan, ntscan, telnet

Neighbouring sites and the C-class segment

Neighbouring site (旁站): another website hosted on the same server
C-class segment: the other servers in the same /24 network segment
Commonly used tools
Web: K8 neighbouring-site tool, Yujian 1.5
Ports: portscan

Whole-site analysis

Server type: server platform, version, etc.
Web container: the component serving the site, e.g. IIS, Apache, nginx, Tomcat
Script type: ASP, PHP, JSP, ASPX, etc.
Database type: Access, SQL Server, MySQL, Oracle, PostgreSQL, etc.
CMS type
WAF: web application firewall

Google hacking

intext: find pages whose body text contains the keyword xx
intitle: search page titles
filetype: search for a given file type
inurl: find pages whose URL contains a given string
site: restrict results to a given domain name

Finding the admin backend

1. Default backend paths and weak passwords: admin, admin/login.asp, manage, login.asp, etc.
2. Check the links on the site: the home page usually carries a management login link, though some administrators remove it
3. View the properties of the site's images
4. Identify the website management system (CMS) in use and infer its backend path from it
5. Use tools: wwwscan, Yujian
6. With the help of robots.txt: the robots.txt file tells spiders which documents on the server may be crawled
7. Google hacking
8. Check whether the site's editor is still at its default backend path
9. Use IIS short filenames
10. sqlmap --sql-shell, then load_file('d:/wwroot/index.php');

CDN workaround

CDN: effectively a middleman; the proxy server nearest to you shares the load of the server you actually want to reach.
How to determine whether a site uses a CDN: super ping (enter the URL into the Webmaster Tools ping page). If the ping resolves to a single IP address, there is no CDN.
If there is a CDN:
1. Find a second-level domain (subdomain) that is not behind it (with Layer)
2. Make the server actively connect to you (e.g. via e-mail)
3. Look for leaked sensitive files
4. Query historical IP resolution records
Accessing the origin while bypassing the CDN: modify the hosts file

Common vulnerability analysis tools

nmap, AWVS, AppScan, Burp Suite, Netsparker, JSky, Safe3WVS, Coconut (椰树), M7lrv
nmap: host discovery, port scanning, service version detection, OS fingerprinting, password cracking, vulnerability detection, custom scan scripts
Host discovery:
Scan a single host: nmap 192.168.1.2
Scan an entire subnet: nmap 192.168.1.1/24
Scan multiple targets: nmap 192.168.1.2 192.168.1.5
Scan a range of targets: nmap 192.168.1.1-100
If you have a list of IP addresses saved in a text file in the current directory, scan all hosts in that file with: nmap -iL target.txt
To list all the hosts that would be scanned without scanning them: nmap -sL 192.168.1.1/24
Scan the whole subnet except one IP: nmap 192.168.1.1/24 --exclude 192.168.1.1
Scan the subnet except the IPs listed in a file: nmap 192.168.1.1/24 --excludefile xxx.txt (hosts listed in xxx.txt are excluded from the scan)

nmap port scanning

nmap -F -v -sT nmap.org
-F: scan the 100 ports most likely to be open
-v: verbose scan output
-sT: TCP connect scan; it can be omitted, since a TCP scan is used by default
-p: specify the ports to scan
Port states in scan results
open: the port is open; packets reach the host and a program is listening on the port
closed: the port is closed; packets reach the host but no program is listening on the port
filtered: packets do not reach the host and no response comes back; a firewall or IDS is filtering them
unfiltered: packets reach the host, but the current state of the port cannot be determined
open|filtered: the port returns nothing; seen mainly in UDP, IP protocol, FIN, NULL and Xmas scans
closed|filtered: occurs only in IP ID idle scans

TCP connect scan (-sT)
Characteristics: very fast, highly accurate and requires no special privileges, but easily detected by firewalls and IDS (intrusion detection systems)
Operating principle: exchanges information by completing a full TCP three-way handshake
1. The client sends SYN
2. The server replies SYN/ACK, indicating the port is open
3. The client replies ACK, indicating the connection is established
4. The client actively disconnects

SYN scan (-sS)
This is a stealthier way to scan: the client and server never complete the three-way handshake, so no normal TCP connection is established. It is therefore less likely to be recorded in firewall logs and generally leaves no trace on the target host, but it requires root privileges.
Host discovery with UDP ping: nmap -PU 192.168.1.0/24
Service version detection: nmap -sV 192.168.1.1
Accurately confirm the service running on a port: nmap -sV --script unusual-port 192.168.1.1
Detect the target host's operating system:
nmap -O 192.168.1.19
nmap -A 192.168.1.19
-oN: export the scan results in normal format
-oX: export the scan results in XML format
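As an added example (not part of the original notes), a small Python parser for the XML report that -oX produces, grouping ports by the states listed above so a defender can review what a scan of their own host found. The XML is a constructed sample in nmap's output format, not a real scan.

```python
# Added example (not from the original notes): parse an nmap -oX XML report and
# group ports by state (open, closed, filtered, open|filtered, ...).
# SAMPLE_XML is a constructed sample in nmap's real output format, not a real scan.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.2">
  <host><status state="up"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="closed" reason="reset"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {state: [(host, proto, port, service, reason), ...]}. The reason
    field lets a defender tell a firewall drop (no-response) from an explicit reset."""
    root = ET.fromstring(xml_text)
    by_state = defaultdict(list)
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue  # skip hosts nmap reported as down
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            if svc is not None and svc.get("product"):
                detail = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
                name += " (" + detail + ")"
            by_state[state.get("state")].append(
                (addr, port.get("protocol"), int(port.get("portid")), name, state.get("reason")))
    return dict(by_state)

def exposed_services(xml_text):
    """Ports a defender must account for: confirmed open plus unconfirmed open|filtered."""
    r = parse_nmap_xml(xml_text)
    return sorted(r.get("open", []) + r.get("open|filtered", []), key=lambda p: (p[1], p[2]))
```

Call parse_nmap_xml(SAMPLE_XML) or exposed_services(SAMPLE_XML) to see the grouping; any real -oX file can be read and passed in the same way.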

Firewall evasion
-f: fragment packets to evade filtering
-D: use decoy addresses to hide the real scan source
nmap -D 1.1.1.1,222.222.222.222 www.cracer.com
--source-port: source port spoofing


Source: blog.csdn.net/qq_43499389/article/details/104970899