2025-02-21 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through how to approach information gathering for web penetration testing. The material is shared for anyone who needs it; read along with the editor.
Information gathering collects the server's configuration information and the website's sensitive information: domain name information, subdomain information, target website information, the target's real IP, directory files, open ports and services, middleware information, scripting language, and so on. Drawing on the collection experience of various experienced testers, this beginner has summarized eight ways of gathering information; it is incomplete, and advice and corrections are welcome. The personal focus is on handy tools, an IP proxy pool, a strong dictionary that is maintained day to day, a clear mind map, and a number of practical experiences.
I. Domain name information collection
1. whois query
Whois (pronounced "who is"; it is not an abbreviation) is a standard Internet query/response protocol used to look up the registration records of domain names and IP address blocks. Put simply, it is the database you consult to find out whether a domain has been registered and, if so, the details of the registration (such as the domain owner and the registrar).
Domain information is queried through whois. Early on, most whois queries were made from command-line clients; today there are online tools with a simple web interface that can query several registries at once. The web tools still send requests to the registry servers over the whois protocol, and the command-line client is still widely used by system administrators. Whois normally runs over TCP port 43. The whois records for each domain or IP block are held by the registry responsible for it.
In a whois result we mainly care about the registrant, the registrar, e-mail addresses, the name servers (DNS servers), and the registrant's contact phone number.
The common way to query today is through third-party platforms such as webmaster tools. You can also query a registrar directly, for example China Wanwang (Aliyun), West.cn (Western Digital), Xinnet, Nawang, ZZY (China Resources), 35.com, DNS.com.cn, cndns (American Orange), 22.cn (Aiming), eName, and so on, or go through your own registration agency.
The domain name WHOIS information query addresses of major registrars and third-party webmaster tools are as follows:
China Wanwang (Aliyun) domain WHOIS query address: https://whois.aliyun.com/
West.cn (Western Digital) domain WHOIS query address: https://whois.west.cn/
Xinnet domain WHOIS query address: http://whois.xinnet.com/domain/whois/index.jsp
Nawang domain WHOIS query address: http://whois.nawang.cn/
ZZY (China Resources) domain WHOIS query address: https://www.zzy.cn/domain/whois.html
35.com domain WHOIS query address: https://cp.35.com/chinese/whois.php
DNS.com.cn domain WHOIS query address: http://www.dns.com.cn/show/domain/whois/index.do
cndns (American Orange) domain WHOIS query address: https://whois.cndns.com/
22.cn (Aiming) domain WHOIS query address: https://www.22.cn/domain/
eName domain WHOIS query address: https://whois.ename.net/
The following are third-party webmaster-tool query sites (some of them hide registrant information or tell you to contact the registrar to obtain it; in that case try who.is):
From Kali: whois -h <whois server> <domain> (the -h option chooses which registry's server to ask)
Chinaz webmaster tools domain WHOIS query address: http://whois.chinaz.com/
Aizhan domain WHOIS query address: https://whois.aizhan.com/
Tencent Cloud domain WHOIS query address: https://whois.cloud.tencent.com/
who.is (overseas): https://who.is/
ThreatBook: https://x.threatbook.cn/
VirusTotal: https://www.virustotal.com
Kali also ships a whois client, and several of its integrated reconnaissance tools include whois lookups.
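The fields listed above (registrant, registrar, e-mail addresses, name servers, phone) have to be pulled out of free-form "Key: value" text that differs slightly from registry to registry. The script below is an added example, not code from the original article: it parses a constructed whois record (not a real registration) and also shows the raw TCP/43 exchange the text describes, for use when you want to bypass a web front end and ask a registry server directly.

```python
"""Extract the whois fields a pentester cares about.
SAMPLE_WHOIS is a constructed record for the example, not a real registration."""
import re
import socket

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, Inc.
Registrar WHOIS Server: whois.example-registrar.test
Registrant Organization: Example Target Ltd
Registrant Email: dnsadmin@example-target.com
Registrant Phone: +1.5555550100
Admin Email: IT-Ops@example-target.com
Name Server: NS1.EXAMPLE-TARGET.COM
Name Server: ns2.example-target.com.
Name Server: NS1.EXAMPLE-TARGET.COM
Updated Date: 2020-01-01T00:00:00Z
"""

# Registries differ in their exact labels, so match only the widely used ones
# and collect e-mail addresses from anywhere in the text.
SINGLE_FIELDS = {
    "registrar": re.compile(r"^Registrar:\s*(.+?)\s*$", re.I | re.M),
    "registrant_org": re.compile(r"^Registrant Organization:\s*(.+?)\s*$", re.I | re.M),
    "registrant_phone": re.compile(r"^Registrant Phone:\s*(.+?)\s*$", re.I | re.M),
}
NAME_SERVER_RE = re.compile(r"^Name Server:\s*(\S+)", re.I | re.M)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text):
    """Return a dict of the fields of interest extracted from raw whois text."""
    result = {}
    for key, pattern in SINGLE_FIELDS.items():
        match = pattern.search(text)
        result[key] = match.group(1) if match else None
    # lower-case and strip trailing dots so duplicates collapse; keep first-seen order
    name_servers = []
    for ns in NAME_SERVER_RE.findall(text):
        ns = ns.lower().rstrip(".")
        if ns not in name_servers:
            name_servers.append(ns)
    result["name_servers"] = name_servers
    result["emails"] = sorted({e.lower() for e in EMAIL_RE.findall(text)})
    return result


def whois_query(name, server, port=43, timeout=10):
    """Raw whois lookup as the protocol defines it (RFC 3912): open TCP/43,
    send the query followed by CRLF, read until the server closes.
    Needs network access; the offline sample above does not use it."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(f"{name}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    import json
    print(json.dumps(parse_whois(SAMPLE_WHOIS), indent=2))
```

For a live lookup, feed the domain to `whois_query(domain, server)` with the registrar's whois server (the "Registrar WHOIS Server" line of the registry's answer) and pass the text to `parse_whois`.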
2. ICP filing (beian) information query
Under Chinese law, a website's ICP filing is submitted by the website owner to the relevant state authorities; it is the Ministry of Industry and Information Technology's way of administering websites and preventing illegal online business. It applies mainly to websites hosted in mainland China.
In filing records we mainly care about the organization's name, the filing number, the person in charge of the website, the legal representative, e-mail address, contact phone number, and so on.
Common sites for querying filing information:
Tianyancha: https://www.tianyancha.com/
ICP filing query site (beianbeian): http://www.beianbeian.com/
National Enterprise Credit Information Publicity System: http://www.gsxt.gov.cn/index.html
Aizhan filing query: https://icp.aizhan.com
II. Subdomain collection
A subdomain is a domain beneath another domain, for example a second-level (or lower) name under the registered domain. The more subdomains we collect, the more targets we have to test and the greater the chance of getting into the target system; subdomains are a good way in when the main site is well hardened. Several methods are commonly used.
1. Enumeration tools
There are many enumeration tools, but what matters most is maintaining the dictionary day to day; a strong dictionary makes the difference. Common tools include
Layer subdomain miner, subDomainsBrute, K8, orangescan, DNSRecon, Sublist3r, dnsmaper, wydomain and so on. Recommended are Layer subdomain miner (easy to use, detailed interface), Sublist3r (collects names from many sources) and subDomainsBrute (recursively enumerates multi-level subdomains). Download links and usage for these tools are on GitHub.
Links are as follows:
SubDomainBrute: https://github.com/lijiejie/subDomainsBrute
Sublist3r: https://github.com/aboul3la/Sublist3r
Layer (enhanced version 5.0): https://pan.baidu.com/s/1Jja4QK5BsAXJ0i0Ax8Ve2Q password: aup5
https://d.chinacycc.com (recommended by an experienced tester; easy to use, but paid)
2. Search engines
Search engines such as Google, Bing, Shodan and Baidu can be queried with the site: operator, for example site:xxx.com -site:www.xxx.com to list hosts under the domain other than the main site.
Google search syntax: https://editor.csdn.net/md/?articleId=107244142
Bing search syntax: https://blog.csdn.net/hansel/article/details/53886828
Baidu search syntax: https://www.cnblogs.com/k0xx/p/12794452.html
3. Third-party aggregation services
Third-party services aggregate large DNS datasets, which can be searched for the subdomains of a given domain.
(1) VirusTotal: https://www.virustotal.com/#/home/search
(2) DNSdumpster: https://dnsdumpster.com/
4. SSL certificate query
SSL/TLS certificates usually contain domain names, subdomains and sometimes e-mail addresses, exactly the information we want. Certificate Transparency (CT) requires CAs to publish every SSL/TLS certificate they issue to public, append-only logs, so the easiest way to find the certificates issued for a domain is to search those public CT logs.
The main websites are as follows:
(1) https://crt.sh/
(2) https://censys.io/
(3) https://developers.facebook.com/tools/ct/
(4) https://google.com/transparencyreport/https/ct/
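crt.sh, the first site in the list above, returns JSON when queried with `output=json`; each entry carries the certificate's names in `name_value` (several per line, wildcards included) plus `not_after`. The script below is an added example rather than code from the original article: it turns that JSON into a deduplicated subdomain list, rejects look-alike names that merely contain the domain as a substring, and separates hosts whose last certificate has already expired (often the forgotten ones). The sample JSON is constructed data in crt.sh's field layout; the hostnames are invented.

```python
"""Subdomains from Certificate Transparency (crt.sh) JSON.
SAMPLE_CRTSH is constructed data in crt.sh's field layout; all hostnames are invented."""
import json
import urllib.request

DOMAIN = "example-target.com"

SAMPLE_CRTSH = json.dumps([
    {"common_name": "www.example-target.com",
     "name_value": "www.example-target.com\nexample-target.com",
     "not_after": "2025-06-01T00:00:00"},
    {"common_name": "*.example-target.com",
     "name_value": "*.example-target.com",
     "not_after": "2024-01-01T00:00:00"},
    {"common_name": "vpn.example-target.com",
     "name_value": "VPN.Example-Target.com\nmail.example-target.com",
     "not_after": "2025-01-01T00:00:00"},
    {"common_name": "dev-old.example-target.com",
     "name_value": "dev-old.example-target.com",
     "not_after": "2019-03-01T00:00:00"},
    # unrelated name that a naive substring match on the domain would accept
    {"common_name": "example-target.com.evil.test",
     "name_value": "example-target.com.evil.test",
     "not_after": "2025-01-01T00:00:00"},
])


def fetch_crtsh(domain):
    """Live query (needs network): every certificate whose name matches the domain."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()


def subdomains_from_crtsh(raw_json, domain):
    """Map each in-scope hostname to the latest not_after seen for it.
    Wildcard names are kept without the '*.' because the zone to the right
    of the wildcard is itself worth looking at."""
    domain = domain.lower()
    suffix = "." + domain
    latest = {}
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            # require an exact match or a proper suffix match, not a substring
            if name != domain and not name.endswith(suffix):
                continue
            not_after = entry.get("not_after", "")
            if not_after > latest.get(name, ""):
                latest[name] = not_after
    return latest


def split_by_expiry(latest, today):
    """Names with a current certificate vs. names whose last cert has expired.
    today is an ISO-8601 string, so plain string comparison orders correctly."""
    current = sorted(n for n, exp in latest.items() if exp >= today)
    expired = sorted(n for n, exp in latest.items() if exp < today)
    return current, expired


if __name__ == "__main__":
    names = subdomains_from_crtsh(SAMPLE_CRTSH, DOMAIN)
    current, expired = split_by_expiry(names, "2024-06-01T00:00:00")
    print("current:", current)
    print("expired (check for forgotten hosts):", expired)
```

Replace `SAMPLE_CRTSH` with `fetch_crtsh(DOMAIN)` for a live run; the expired list is worth resolving separately, because a host that still answers on an old name often runs an old build.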
5. Online query sites (used less often)
(1) https://phpinfo.me/domain/ (no longer accessible)
(2) http://i.links.cn/subdomain/ (no longer accessible)
(3) http://dns.aizhan.com
(4) http://z.zcjun.com/ (responds quickly, recommended)
(5) GitHub search for subdomains
III. Real IP collection
IP addresses are essential in information gathering. During domain collection we already gathered IP ranges; whois, ping tests and fingerprinting sites can all reveal IPs, but many target servers sit behind a CDN. What is a CDN, and how do we get past it to find the real IP?
CDN stands for Content Delivery Network. It is an intelligent virtual network built on top of the existing Internet: relying on edge servers deployed in many locations, and on the central platform's load balancing, content distribution and scheduling modules, it lets users fetch content from a nearby node. Only requests that need actual data exchange are answered by the origin web server, which reduces congestion and improves response time and hit rate. The key CDN technologies are content storage and content distribution.
Determining whether a CDN is in use
(1) The simplest check is to ping the domain from multiple locations and see whether the resolved IP is the same everywhere. If it is not, a CDN is probably in use. Multi-location ping sites:
http://ping.chinaz.com/
http://ping.aizhan.com/
(2) nslookup works on the same principle: if the domain resolves to multiple IP addresses, a CDN is probably in use. (The original article illustrates a CDN case and a non-CDN case with screenshots that are not included here.)
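The two checks above reduce to one comparison: do different vantage points get different answers for the same name? The script below is an added example, not code from the original article. It takes resolver answers collected from several locations (constructed here; in practice the output of a multi-location ping site or of hosts you control), optionally the CNAME the name points to, and returns a verdict. It deliberately does not treat several IPs from a single vantage point as proof, since plain DNS round-robin looks the same; the CDN CNAME suffix list is an assumed starting point, not an authoritative one.

```python
"""Is this domain behind a CDN? Compare answers across vantage points.
SAMPLE_* are constructed resolver answers; CDN_CNAME_SUFFIXES is an assumed starter list."""
import ipaddress
import socket

# vantage point -> IPs the domain resolved to there (constructed)
SAMPLE_CDN = {
    "beijing": ["203.0.113.10", "203.0.113.11"],
    "shanghai": ["203.0.113.12"],
    "frankfurt": ["198.51.100.7"],
    "virginia": ["198.51.100.8", "198.51.100.9"],
}
SAMPLE_NO_CDN = {
    "beijing": ["192.0.2.5"],
    "frankfurt": ["192.0.2.5"],
    "virginia": ["192.0.2.5"],
}

# CNAME targets that belong to well-known CDN providers (assumed list; extend as needed)
CDN_CNAME_SUFFIXES = (
    ".cloudfront.net",
    ".akamaiedge.net",
    ".edgekey.net",
    ".cdn.cloudflare.net",
)


def cdn_verdict(resolutions, cname=None):
    """likely_cdn is True when vantage points disagree or the CNAME points into a CDN."""
    answer_sets = {vp: frozenset(ips) for vp, ips in resolutions.items()}
    all_ips = sorted({ip for ips in answer_sets.values() for ip in ips},
                     key=ipaddress.ip_address)
    # a single origin rarely spans several /24 prefixes
    prefixes = sorted({str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in all_ips})
    disagreeing = len(set(answer_sets.values())) > 1
    cname_hit = bool(cname) and cname.lower().rstrip(".").endswith(CDN_CNAME_SUFFIXES)
    return {
        "unique_ips": all_ips,
        "prefixes": prefixes,
        "vantage_points_disagree": disagreeing,
        "cdn_cname": cname_hit,
        "likely_cdn": disagreeing or cname_hit,
    }


def resolve_here(hostname):
    """Live lookup from this machine only (needs network). Collect the same from
    other locations to build the `resolutions` dict."""
    _, _, addrs = socket.gethostbyname_ex(hostname)
    return addrs


if __name__ == "__main__":
    print("with CDN   :", cdn_verdict(SAMPLE_CDN))
    print("without CDN:", cdn_verdict(SAMPLE_NO_CDN))
```

A single consistent answer everywhere is not proof of no CDN either (some providers anycast one address), so treat `likely_cdn == False` as "worth port-scanning directly", not as certainty.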
There are several ways to bypass a CDN; reference: https://www.cnblogs.com/qiudabai/p/9763739.html
One thing worth mentioning for bypassing a cloud CDN: searching FOFA by the site's title (take the title from the page source) often turns up the IPs of many CDN cache servers. Some CDN cache servers are organized by region and synchronize their data; if you can reach one of them directly, you can bypass the cloud WAF and run scans, injection tests and other operations against it.
Some C-segment (same /24) and side-site (same IP) scanning sites and tools:
http://www.webscan.cc/
https://phpinfo.me/bing.php (may not be accessible)
masscan (excellent tool): https://github.com/robertdavidgraham/masscan
Yujian 1.5: https://download.csdn.net/download/peng119925/10722958
C-segment query: IIS PUT Scanner (fast, custom ports, banner information)
IV. Port scanning
Port scanning is run against the real IP behind the website's domain. Many protected sites cannot be mass-scanned and tested for vulnerabilities, but for sites hosted in the cloud, once you get past the CDN and find the real IP you can scan on a large scale.
Common tools are nmap (powerful), masscan, zmap and the Yujian TCP high-speed port scanner (faster), as well as online port scanners such as http://coolaf.com/tool/port and https://tool.lu/portscan/index.html
An experienced tester's approach: after collecting the IPs of the subdomains, write them to a text file and run nmap in batch for port scanning, service detection and vulnerability scripts. This assumes the IPs are not blocked; use a proxy pool if they are.
nmap -iL ip.txt --script=auth,vuln > finalscan.txt scans the common ports and runs the auth and vuln NSE script categories (add -oG finalscan.gnmap if you want output that is easy to parse afterwards).
Common ports, their services and attack directions are summarized on a personal blog, following the book "Web Attack and Defense": https://blog.csdn.net/qq_32434307/article/details/107248881
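Once the batch scan above has run, the question is which host has which service open and what to try next. The script below is an added example, not code from the original article: it reads nmap's grepable output (the `-oG` format, one `Host:` line per target with a `Ports:` field of `port/state/proto/owner/service/rpcinfo/version/` entries) and groups the open services per host, attaching a follow-up hint for ports that are common entry points. The sample output is constructed in nmap's layout; the hint table is a starter written for this example, not nmap's own data.

```python
"""Triage nmap -oG output. SAMPLE_GNMAP is constructed in nmap's grepable layout;
FOLLOW_UP is a starter table for this example."""

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -iL ip.txt -sV --script=auth,vuln -oG finalscan.gnmap
Host: 203.0.113.10 (www.example-target.com)\tStatus: Up
Host: 203.0.113.10 (www.example-target.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 6379/open/tcp//redis//Redis key-value store 5.0.7/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done at ...: 2 IP addresses (2 hosts up) scanned
"""

# port -> what to look at next (well-known starting points, not exhaustive)
FOLLOW_UP = {
    21: "FTP: anonymous login, weak passwords",
    22: "SSH: version check, careful credential testing",
    445: "SMB: null session, share enumeration, known SMB vulnerabilities",
    1433: "MSSQL: weak sa password",
    3306: "MySQL: weak root password, remote access allowed?",
    3389: "RDP: weak credentials",
    6379: "Redis: unauthenticated access, config write",
    27017: "MongoDB: unauthenticated access",
}


def parse_gnmap(text):
    """One dict per port entry: host, hostname, port, proto, state, service, version."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host_part, ports_part = line.split("\tPorts: ", 1)
        ports_part = ports_part.split("\tIgnored State:")[0]
        _, ip, hostname = host_part.split(None, 2)
        hostname = hostname.strip("()")
        for item in ports_part.split(", "):
            # port/state/protocol/owner/service/rpcinfo/version/
            fields = item.split("/")
            records.append({
                "host": ip,
                "hostname": hostname,
                "port": int(fields[0]),
                "state": fields[1],
                "proto": fields[2],
                "service": fields[4],
                "version": fields[6],
            })
    return records


def open_services(records):
    return [r for r in records if r["state"] == "open"]


def triage(records):
    """host -> list of (port, service, version, hint) for open ports only."""
    by_host = {}
    for r in open_services(records):
        hint = FOLLOW_UP.get(r["port"], "")
        by_host.setdefault(r["host"], []).append((r["port"], r["service"], r["version"], hint))
    return by_host


if __name__ == "__main__":
    for host, entries in triage(parse_gnmap(SAMPLE_GNMAP)).items():
        print(host)
        for port, service, version, hint in entries:
            print(f"  {port}/{service} {version} -> {hint}")
```

Pipe a real file in with `parse_gnmap(open("finalscan.gnmap").read())`; filtered ports (the 3306 entry in the sample) are kept in `parse_gnmap` but dropped by `triage`, since a filtered port is a hint about a firewall rule rather than a reachable service.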
V. Website information collection
Website information collection mainly covers: operating system, middleware, scripting language, database, server, web container, WAF, CDN, CMS, historical vulnerabilities, DNS zone transfer, and so on. The following methods can be used.
Common fingerprinting tools: Yujian web fingerprinting, a lightweight web fingerprinter, whatweb, etc.
(1) Common website fingerprinting sites:
TideSec fingerprint: http://finger.tidesec.net/ (recommended)
Yunsee (an invitation code is now required): http://www.yunsee.cn/info.html
CMS fingerprint recognition: http://whatweb.bugscaner.com/look/
Third-party historical vulnerabilities: WooYun, Seebug, CNVD, etc.
(2) WAF detection: https://github.com/EnableSecurity/wafw00f
Kali ships wafw00f, usable with a single command; using it under Kali is recommended, since setting it up on Windows is more trouble. nmap also has NSE scripts for WAF detection and fingerprinting (http-waf-detect and http-waf-fingerprint).
(3) DNS zone transfer. If a name server allows zone transfers (AXFR) to anyone, the whole zone can be pulled, which reveals:
1) the network topology and the IP address ranges of the server fleet
2) the IP address of the database server (the original article's example was nwpudb2.nwpu.edu.cn)
3) the IP address of the test server, such as test.nwpu.edu.cn
4) VPN server addresses
5) other sensitive servers
Reference links:
http://www.lijiejie.com/dns-zone-transfer-1
https://blog.csdn.net/c465869935/article/details/53444117
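The five categories above are what you sort a successful zone transfer into. The script below is an added example, not code from the original article: it parses the records that `dig axfr <zone> @<nameserver>` prints, flags hosts whose labels suggest database, test, VPN or source-control servers, and derives the internal (RFC 1918) and external /24 ranges the zone exposes. The dig output is constructed; the zone and hostnames are invented and the keyword lists are an assumed starting point.

```python
"""Sort DNS zone-transfer records into the categories worth a closer look.
SAMPLE_AXFR is constructed dig output; KEYWORDS is an assumed starter list."""
import ipaddress
import subprocess

SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr example-target.com @ns1.example-target.com
;; global options: +cmd
example-target.com.\t3600\tIN\tSOA\tns1.example-target.com. hostmaster.example-target.com. 2024010101 3600 900 604800 86400
example-target.com.\t3600\tIN\tNS\tns1.example-target.com.
example-target.com.\t300\tIN\tMX\t10 mail.example-target.com.
www.example-target.com.\t300\tIN\tA\t203.0.113.10
mail.example-target.com.\t300\tIN\tA\t203.0.113.25
vpn.example-target.com.\t300\tIN\tA\t203.0.113.50
nwpudb2.example-target.com.\t300\tIN\tA\t10.20.30.5
test.example-target.com.\t300\tIN\tA\t10.20.31.7
git.example-target.com.\t300\tIN\tCNAME\tgitlab-int.example-target.com.
gitlab-int.example-target.com.\t300\tIN\tA\t10.20.31.20
example-target.com.\t3600\tIN\tSOA\tns1.example-target.com. hostmaster.example-target.com. 2024010101 3600 900 604800 86400
;; Query time: 12 msec
"""

KEYWORDS = {
    "database": ("db", "sql", "mongo", "redis", "oracle"),
    "test_dev": ("test", "dev", "uat", "staging", "beta"),
    "vpn": ("vpn",),
    "source_ci": ("git", "svn", "jenkins"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def run_axfr(zone, nameserver):
    """Live attempt (needs network and dig installed). Returns dig's stdout."""
    out = subprocess.run(["dig", "axfr", zone, "@" + nameserver],
                         capture_output=True, text=True, check=False)
    return out.stdout


def parse_axfr(text):
    """Records as dicts (name, type, rdata); comments and failure lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # name ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.append({"name": parts[0].rstrip(".").lower(), "type": parts[3], "rdata": parts[4]})
    return records


def classify(records, zone):
    zone = zone.lower()
    result = {cat: [] for cat in KEYWORDS}
    internal, external = set(), set()
    for r in records:
        if r["type"] == "A":
            net = ipaddress.ip_network(r["rdata"] + "/24", strict=False)
            (internal if any(net.subnet_of(p) for p in RFC1918) else external).add(str(net))
        # only the labels to the left of the zone name carry the hint
        host = r["name"][: -len(zone)].rstrip(".") if r["name"].endswith(zone) else r["name"]
        if not host:
            continue
        for cat, words in KEYWORDS.items():
            if any(w in host for w in words) and r["name"] not in result[cat]:
                result[cat].append(r["name"])
    result["internal_ranges"] = sorted(internal)
    result["external_ranges"] = sorted(external)
    return result


if __name__ == "__main__":
    for cat, items in classify(parse_axfr(SAMPLE_AXFR), "example-target.com").items():
        print(f"{cat}: {items}")
```

If the name server refuses, dig prints "Transfer failed." with no record lines and `parse_axfr` returns an empty list, so check every NS the zone lists (the NS records from a normal query), since secondaries are often the ones left open.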
VI. Sensitive directory and file collection
Discovering web directories and hidden sensitive files is a very important step in attack-and-defense testing; it can reveal the admin back-end, file upload endpoints, backup files, WEB-INF, robots.txt, .svn directories and source code.
This is done mainly with scanning tools:
(1) Yujian (many enhanced dictionaries for it circulate online)
(2) 7kbstorm: https://github.com/7kbstorm/7kbscan-WebPathBrute
(3) search engines (Google, Baidu, Bing, etc.); searching for sensitive files this way is common, typically in the form site:xxx.xxx filetype:xls
(4) crawlers (AWVS, Burp Suite, Polar Bear scanner, etc.)
(5) BBScan (lijiejie's script: https://github.com/lijiejie/BBScan)
(6) Lingfengyun search: https://www.lingfengyun.com/ (cloud-drive shares that users uploaded and that have been crawled)
(7) GitHub search
VII. Social engineering
Social engineering and physical intrusion are also used for information gathering. Qi Anxin's recent "Attacking and Defending, Protecting Mountains and Rivers" mentions social engineering information collection and physical intrusion as one of their important attack methods.
Social engineering exploits the victim's psychological weaknesses, instinctive reactions, curiosity, trust and greed through deception and similar traps; as a hacking method it wins the other party's trust by deception to obtain confidential information, and it works by exploiting human vulnerability, greed and similar traits. We can start with social-engineering techniques and social-engineering databases: work a company's salespeople, business staff, doormen or front-desk staff to obtain personal information, e-mail addresses, phone numbers, internal network addresses and physical access; trick a salesperson into replying by e-mail to harvest internal IPs and server information from the headers; trick customer service into resetting a password or issuing a VPN account; and so on.
Key information can also be looked up in a social-engineering database (a collection of leaked credential dumps). For many such databases, terabytes of storage and hundreds of millions of rows are nothing unusual; the contents include account passwords, e-mail addresses, personal information and more.
How useful a social-engineering database is depends on the quantity and quality of the data it holds. Past a certain size a great deal can be found, especially because nearly every website requires a password: as long as one of the dumps it collected contains a person's account and password, that password can often be used directly to log in to the same person's accounts elsewhere.
VIII. Near-source information collection
(1) An external wireless network card is used together with Kali to crack wireless passwords. Today this is usually done by capturing the WPA handshake and then cracking it offline against a dictionary; it can also be done with a spoofed SSID for phishing, man-in-the-middle attacks and so on. The goal is the wireless password, network segment information and similar details.
(2) A WiFi Pineapple can capture the handshake and impersonate the target AP. It can fully imitate a preferred network, enabling a man-in-the-middle attack to obtain the wireless network information we want and collect information on the target systems.
(3) Electronic devices and circuits run at ever higher frequencies and ever lower voltages, so their sensitivity and vulnerability to electromagnetic pulses (EMP) keep increasing; the integrated circuits in electronic systems are especially sensitive, and a large enough pulse can make them misbehave or even fail or burn out. EMP interference can therefore be used to open some electronic access-control systems and electronic combination locks. If EMP does not open the access control, there is still a way, but it requires getting a little closer to the target: find the right moment to crack the IC card or clone the ID card, then pass the access control to carry out physical attacks and information collection.
(4) Fingerprint information can also be obtained through social engineering and used to print a fingerprint film identical to the original, to defeat physical access control, office PC fingerprint readers and so on.
(5) With access to the target host, a keylogger can be placed between the host and the keyboard and configured to connect to Wi-Fi and send keystroke data back to a remote server in real time.
(6) Once inside the office or the intranet, a Packet Squirrel can be quietly installed on the internal network. As a man-in-the-middle tool it captures packets from network endpoints and provides remote access through a VPN or reverse shell, collecting information on the target systems.
(7) BadUSB is an HID (human interface device) attack, also called a hot-plug attack. Picture walking up to a computer and plugging in a seemingly harmless USB stick that installs a back door, reads documents, steals passwords and collects information on the target system.
That is all on how to approach information gathering for web penetration testing; related content can be found in earlier articles on this site.