
What is the site information in the WEB security penetration test

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces the site information gathered during WEB security penetration testing. The editor walks through the process with a practical case; the methods are simple, fast and practical, and I hope this article helps you understand what "site information" covers in WEB security penetration testing.

Site information

● Determine the website's operating system

Linux file paths are case sensitive

Windows file paths are case insensitive

● Look for sensitive files

robots.txt

crossdomain.xml

sitemap.xml

xx.tar.gz

xx.bak

● Determine the language the website is written in

Such as PHP / Java / Python, etc.

Look at file suffixes, such as php / asp / jsp

● Front-end framework

Such as jQuery / Bootstrap / Vue / React / Angular, etc.

View the page source code

● Intermediate (web) server

Such as Apache / Nginx / IIS, etc.

View the information in the response headers

Judge from error messages

Judge from default pages

● Web container server

Such as Tomcat / JBoss / WebLogic, etc.

● Back-end framework

Judge from cookies

Judge from the hash values of resources such as CSS files and images

Judge from URL routing (e.g. wp-admin)

Judge from keywords in the web page

Judge from the X-Powered-By response header

● CDN information

Common ones are Cloudflare and Yunjiasu

● Detect whether there is a WAF, and if so, what type

If there is a WAF, find a way to bypass it.

If not, move on to the next step.

● Scan sensitive directories for information leaks

Before scanning, try several URLs by hand and observe the reaction.

● Use a crawler to collect website information

● After obtaining some information, use the directory names, file names and file extensions to understand the developer's naming habits, determine the naming rules, and infer more directory and file names.
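Most of the "site information" above is read straight out of response headers, cookie names and the files that happen to be reachable under the document root. The following script is an added example (not from the original article) that a site owner can run against their own site to see what those sources give away before a tester does: it parses a captured HTTP response, maps `Server`, `X-Powered-By` and well-known session cookie names to the components they disclose, and flags backup and telltale files in a web-root listing. The response headers, the file listing and the cookie-to-technology table are all constructed for the example.

```python
"""Self-audit of what HTTP response headers and the web root disclose.

Added example, not from the original article. All inputs below are
constructed samples, not captures from a real site.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: raw response headers as captured from one request.
SAMPLE_RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=abc123; path=/
Set-Cookie: wordpress_logged_in_x=1; path=/
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: a listing of files under the document root.
SAMPLE_WEBROOT = [
    "index.php",
    "robots.txt",
    "crossdomain.xml",
    "sitemap.xml",
    "backup/site.tar.gz",
    "config.php.bak",
    "js/jquery-3.6.0.min.js",
    "wp-admin/index.php",
]

# Cookie-name prefixes that identify a runtime or framework (assumed table).
COOKIE_FINGERPRINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "wordpress_": "WordPress",
    "csrftoken": "Django",
}

# Headers that name a server component outright.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Backup/archive suffixes that should never be served, and files whose mere
# presence tells a visitor which platform is behind the site.
SENSITIVE_FILE_RE = re.compile(r"\.(bak|tar\.gz|zip|sql|old|swp)$", re.IGNORECASE)
TELLTALE_PATHS = ("robots.txt", "crossdomain.xml", "sitemap.xml", "wp-admin/")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs; repeated headers such as Set-Cookie are kept."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_leaks(raw: str) -> Dict[str, str]:
    """Map each disclosed component to the header (or cookie) that disclosed it."""
    leaks: Dict[str, str] = {}
    for name, value in parse_headers(raw):
        if name in DISCLOSING_HEADERS:
            leaks[value] = name
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            for prefix, tech in COOKIE_FINGERPRINTS.items():
                if cookie_name.startswith(prefix):
                    leaks[tech] = f"set-cookie:{cookie_name}"
    return leaks


def exposed_files(paths: List[str]) -> Dict[str, List[str]]:
    """Split a web-root listing into backup files and platform-telltale files."""
    sensitive = [p for p in paths if SENSITIVE_FILE_RE.search(p)]
    telltale = [
        p for p in paths
        if any(p == t or (t.endswith("/") and p.startswith(t)) for t in TELLTALE_PATHS)
    ]
    return {"sensitive": sensitive, "telltale": telltale}


def report(raw_headers: str, webroot: List[str]) -> str:
    """Human-readable summary for the site owner."""
    lines = ["Components disclosed by headers/cookies:"]
    for component, source in header_leaks(raw_headers).items():
        lines.append(f"  {component:<28} via {source}")
    files = exposed_files(webroot)
    lines.append("Backup/archive files reachable under the web root (remove or deny):")
    lines.extend(f"  {p}" for p in files["sensitive"])
    lines.append("Files that reveal the platform (review what they expose):")
    lines.extend(f"  {p}" for p in files["telltale"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RESPONSE_HEADERS, SAMPLE_WEBROOT))
```

The usual fixes follow directly from the report: strip or neutralise `Server` and `X-Powered-By` (for example `ServerTokens Prod` in Apache or `server_tokens off` in Nginx), rename framework default session cookies where the framework allows it, and keep backups outside the document root.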

2.3 Port information

2.3.1. Common ports and their vulnerabilities

● FTP 21

Default username password anonymous:anonymous

Brute force to crack the password

Backdoor in a certain version of vsftpd

● SSH 22

Brute force to crack the password

● Telnet 23

Brute force to crack the password

● SMTP 25

The sender can be forged without authentication.

● DNS 53 UDP

Test for zone transfer vulnerabilities

SPF / DMARC Check

DDoS (DNS query flood / DNS reflection)

● SMB 137/139/445

Unauthorized access

Weak password

● SNMP 161

Public weak password

● LDAP 389

Anonymous access

Injection

● Rsync 873

Arbitrary file read and write

● RPC 1025

NFS anonymous access

● MSSQL 1433

Weak password

● Java RMI 1099

RCE

● Oracle 1521

Weak password

● NFS 2049

Improper permission setting

● ZooKeeper 2181

No identity authentication

● MySQL 3306

Weak password

● RDP 3389

Weak password

● Postgres 5432

Weak password

● CouchDB 5984

Unauthorized access

● Redis 6379

No password or weak password

● Elasticsearch 9200

Code execution

● Memcached 11211

Unauthorized access

● MongoDB 27017

No password or weak password

● Hadoop 50070

In addition to the possible problems listed above, if the services exposed on the public network are not the latest version, there may be public loopholes.

2.3.2. Common port scanning methods

2.3.2.1. Full scan

The scanning host attempts to establish a normal connection to a port on the target host using the full three-way handshake. If the connection is established, the port is open; otherwise it is closed. A full scan is easy to implement and can be done with low privileges, but it leaves a large number of obvious records in the traffic logs.

2.3.2.2. Half scan

In a half-open scan, only a SYN segment is sent. If the reply is RST, the port is closed; if the reply is SYN/ACK, the port is listening. This approach requires higher privileges, and some firewalls have begun to handle this scanning method.

2.3.2.3. FIN scanning

A FIN scan sends a FIN packet to the target. According to the article, an open port returns a RST packet while a closed port returns nothing, and this is how you judge whether the port is open. This method never completes the TCP three-way handshake, so it is not recorded as a connection and is stealthier than the SYN scan.
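The three scan types differ only in which flags the target sees from a single source across many ports, which is exactly what a host or firewall log can be checked for. The detector below is an added example (not from the original article): it groups inbound packets by source address and destination port, classifies each probe as a completed handshake, a SYN with no follow-up ACK, or a bare FIN, and flags a source that probes at least `SCAN_THRESHOLD` ports the same way. The log lines are constructed in a simplified iptables-like format (`SRC`, `DST`, `DPT`, `FLAGS`), and the threshold is an assumption to tune. One caveat for the FIN case: under RFC 793 it is the closed port that answers a bare FIN with RST and the open port that stays silent, so the detector keys on the bare-FIN probe itself rather than on any reply.

```python
"""Detect connect, SYN and FIN port scans from simplified firewall log lines.

Added example, not from the original article. The log below is constructed,
and the format (SRC=/DST=/DPT=/FLAGS=) is a simplified iptables-style layout.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Set

# Constructed sample: inbound packets as seen by the target's host firewall.
SAMPLE_LOG = """\
2025-01-15T10:00:01 SRC=203.0.113.5 DST=198.51.100.10 DPT=21 FLAGS=S
2025-01-15T10:00:01 SRC=203.0.113.5 DST=198.51.100.10 DPT=22 FLAGS=S
2025-01-15T10:00:01 SRC=203.0.113.5 DST=198.51.100.10 DPT=22 FLAGS=R
2025-01-15T10:00:01 SRC=203.0.113.5 DST=198.51.100.10 DPT=23 FLAGS=S
2025-01-15T10:00:02 SRC=203.0.113.5 DST=198.51.100.10 DPT=25 FLAGS=S
2025-01-15T10:00:02 SRC=203.0.113.5 DST=198.51.100.10 DPT=80 FLAGS=S
2025-01-15T10:00:02 SRC=203.0.113.5 DST=198.51.100.10 DPT=443 FLAGS=S
2025-01-15T10:00:05 SRC=203.0.113.9 DST=198.51.100.10 DPT=22 FLAGS=F
2025-01-15T10:00:05 SRC=203.0.113.9 DST=198.51.100.10 DPT=80 FLAGS=F
2025-01-15T10:00:05 SRC=203.0.113.9 DST=198.51.100.10 DPT=443 FLAGS=F
2025-01-15T10:00:06 SRC=203.0.113.9 DST=198.51.100.10 DPT=3306 FLAGS=F
2025-01-15T10:00:06 SRC=203.0.113.9 DST=198.51.100.10 DPT=8080 FLAGS=F
2025-01-15T10:00:09 SRC=198.51.100.77 DST=198.51.100.10 DPT=443 FLAGS=S
2025-01-15T10:00:09 SRC=198.51.100.77 DST=198.51.100.10 DPT=443 FLAGS=A
2025-01-15T10:00:09 SRC=198.51.100.77 DST=198.51.100.10 DPT=443 FLAGS=P
2025-01-15T10:00:10 SRC=198.51.100.77 DST=198.51.100.10 DPT=80 FLAGS=S
2025-01-15T10:00:10 SRC=198.51.100.77 DST=198.51.100.10 DPT=80 FLAGS=A
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=[\d.]+ DPT=(?P<dpt>\d+) FLAGS=(?P<flags>[A-Z]+)")
SCAN_THRESHOLD = 5  # assumed: distinct ports probed the same way before we alert


def parse_log(text: str) -> Dict[str, Dict[int, Set[str]]]:
    """source -> destination port -> set of TCP flag strings seen from that source."""
    probes: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # malformed or non-TCP line
        probes[match["src"]][int(match["dpt"])].add(match["flags"])
    return probes


def classify_probe(flags: Set[str]) -> str:
    """Name the probe pattern from the flags the target saw on one port."""
    if "S" in flags and "A" in flags:
        return "connect"   # handshake completed: full (connect) scan or real client
    if "S" in flags:
        return "syn_only"  # SYN never followed by ACK: half-open scan
    if flags and flags <= {"F"}:
        return "fin_only"  # bare FIN with no handshake at all: FIN scan
    return "other"


def detect_scans(text: str, threshold: int = SCAN_THRESHOLD) -> Dict[str, dict]:
    """Per source: probe-class counts, ports touched and a verdict."""
    results = {}
    for src, ports in parse_log(text).items():
        classes = Counter(classify_probe(flags) for flags in ports.values())
        verdict = "normal"
        for cls, name in (("syn_only", "syn_scan"), ("fin_only", "fin_scan"), ("connect", "connect_scan")):
            if classes[cls] >= threshold:
                verdict = name
                break
        results[src] = {"verdict": verdict, "ports": sorted(ports), "classes": classes}
    return results


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"{src:<15} {info['verdict']:<13} ports={info['ports']}")
```

A real deployment would add a time window and a per-source rate so that a slow scan spread over hours is not missed, and would count a source that completes handshakes on many ports in a short burst (the "connect_scan" verdict) separately from the long-lived clients the article notes a full scan is hard to distinguish from in raw counts.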

2.3.3. Web service

● Jenkins

Unauthorized access

● Gitlab

CVEs for the corresponding version

● Zabbix

Improper permission setting

2.3.4. Batch search

● Censys

● Shodan

● ZoomEye

2.4 Search information collection

2.4.1. Search engine utilization

Proper use of search engines (Google / Bing / Yahoo / Baidu, etc.) can reveal more information about the target site.

Common search techniques are:

● site:www.agesec.com

Returns all content of the target site that the search engine has crawled.

● site:www.agesec.com keyword

Returns all crawled pages of the target site that contain this keyword.

Here the keyword can be set to terms such as website background, management background, password change, password recovery and so on.

● site:www.agesec.com inurl:admin.php

Returns all pages of the target site whose address contains admin.php; you can use admin.php, manage.php or other keywords to find key functional pages.

● link:www.agesec.com

Returns all pages that contain links to the target site, including the developers' personal blogs, development logs, or the third-party companies and partners that built the site.

● related:www.agesec.com

Returns all pages that are "similar" to the target site, which may reveal information about the common program it is built on.

● intitle:"500 Internal Server Error" "server at"

Searches for pages that returned an error.

● inurl:"nph-proxy.cgi" "Start browsing"

Finds proxy servers.

In addition to the above keywords, there are allintitle, allinurl, allintext, inanchor, cache and so on.

There are some other tips:

● Queries are not case sensitive

● * is a wildcard standing for a single word

● Multiple terms are combined with AND by default

● OR or | represents logical OR

● A + before a word forces that word to be included in the query

● Quotation marks prevent common words from being ignored

● Parentheses are ignored
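The operators listed above are easier to reason about when you see how they combine: `site:` restricts the host, `inurl:` and `intitle:` restrict one field, quoted text is a phrase match in which `*` stands for one word, adjacent terms are ANDed, and `OR` joins the two terms it sits between. The script below is an added example (not from the original article and not a client for any real search engine): a small matcher that applies those semantics to a constructed index of pages, so a site owner can run it over an export of their own pages and see which would surface for the queries this section lists, before anyone else does. The page records and their contents are constructed; the example domain is the one the article uses.

```python
"""Apply search-operator semantics (site:, inurl:, intitle:, phrases, *, OR)
to a local page index.

Added example, not from the original article. It does not contact any search
engine; PAGES is a constructed index standing in for an export of your own site.
"""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

Term = Tuple[str, str]  # (kind, lower-cased value)

# Constructed index: what a crawler would have recorded for each page.
PAGES: List[Dict[str, str]] = [
    {"url": "https://www.agesec.com/admin.php", "title": "Admin Login",
     "text": "Management background login for site administrators"},
    {"url": "https://www.agesec.com/about.html", "title": "About us",
     "text": "Contact the developers at dev@agesec.com"},
    {"url": "https://blog.agesec.com/post/1", "title": "500 Internal Server Error",
     "text": "Apache Server at blog.agesec.com Port 80"},
    {"url": "https://www.example.net/", "title": "Unrelated site",
     "text": "Nothing to see here"},
]

# A token is either something ending in a quoted phrase (intitle:"a b", "a b")
# or a run of non-space characters.
TOKEN_RE = re.compile(r'\S*"[^"]*"|\S+')
FIELD_OPS = ("site:", "inurl:", "intitle:", "intext:")


def parse_term(tok: str) -> Term:
    """Turn one token into (kind, value); a leading + just means 'required'."""
    tok = tok.lstrip("+")
    lowered = tok.lower()
    for op in FIELD_OPS:
        if lowered.startswith(op):
            return (op[:-1], lowered[len(op):].strip('"'))
    if tok.startswith('"') and tok.endswith('"') and len(tok) >= 2:
        return ("phrase", lowered[1:-1])
    return ("word", lowered)


def parse_query(query: str) -> List[List[Term]]:
    """Return AND-groups, each a list of OR-alternatives. Parentheses are ignored."""
    groups: List[List[Term]] = []
    pending_or = False
    for raw in TOKEN_RE.findall(query):
        tok = raw.strip("()")
        if not tok:
            continue
        if tok.upper() == "OR" or tok == "|":
            pending_or = True
            continue
        term = parse_term(tok)
        if pending_or and groups:
            groups[-1].append(term)   # "a OR b": b joins a's group
        else:
            groups.append([term])
        pending_or = False
    return groups


def phrase_regex(phrase: str) -> "re.Pattern[str]":
    """Quoted phrase: words in order, with * matching exactly one word."""
    parts = [r"\S+" if w == "*" else re.escape(w) for w in phrase.split()]
    return re.compile(r"\s+".join(parts))


def term_matches(term: Term, page: Dict[str, str]) -> bool:
    kind, value = term
    url, title, text = (page[k].lower() for k in ("url", "title", "text"))
    host = urlparse(page["url"]).netloc.lower()
    checks: Dict[str, Callable[[], bool]] = {
        "site": lambda: host == value or host.endswith("." + value),
        "inurl": lambda: value in url,
        "intitle": lambda: value in title,
        "intext": lambda: value in text,
        "phrase": lambda: phrase_regex(value).search(title + " " + text) is not None,
        "word": lambda: value == "*" or value in url or value in title or value in text,
    }
    return checks[kind]()


def search(query: str, pages: List[Dict[str, str]]) -> List[str]:
    """URLs of pages matching every AND-group via at least one alternative."""
    groups = parse_query(query)
    return [
        page["url"] for page in pages
        if all(any(term_matches(t, page) for t in group) for group in groups)
    ]


if __name__ == "__main__":
    for q in ("site:www.agesec.com", "site:agesec.com inurl:admin.php",
              'intitle:"500 Internal Server Error" "server at"'):
        print(f"{q!r}: {search(q, PAGES)}")
```

If an admin page or an error page shows up for these queries on your own export, that is the cue to put it behind authentication, return a generic error page, and add a `noindex` directive or a `robots.txt` disallow so it stops being indexed.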

Search engine snapshots (cached copies) often contain key information. For example, program error messages may reveal the website's file system path, and test content used during development may be preserved in a snapshot. A typical case: a website develops a back-office module and has not yet added permission checks to all pages, the search engine takes a snapshot, and even though the website later adds the checks, the information remains in the engine's cached copy.

There are also dedicated snapshot services, such as the Wayback Machine (archive.org).

2.5 Information collection on target personnel

Information collection on people covers the gathering and analysis of the target's key personnel, organizational structure and social relationships. "Key personnel" here mainly refers to senior executives, system administrators, operations and maintenance staff, finance, HR and business staff, together with their personal computers.

The easiest entry point is the website itself, which may contain information about who develops, manages and maintains it. The names, email addresses and other contact details of developers and maintainers may be obtained from the site's contact pages and from comments in the code.

After obtaining this information, we can look for everything these people have posted about the target site on sites such as GitHub and LinkedIn, and analyze it for useful details.

In addition, the collected email addresses can be used in password-guessing attempts to obtain the corresponding passwords.

This concludes the content on "what is the site information in the WEB security penetration test". Thank you for reading. If you want to learn more about the industry, you can follow the industry information channel, where the editor publishes different knowledge points every day.

© 2024 shulou.com SLNews company. All rights reserved.

12
Report