Shulou(Shulou.com)05/31 Report--

Today, the editor will share with you the relevant knowledge about the method of collecting penetration test information. The content is detailed and the logic is clear. I believe most people still know too much about this knowledge, so share this article for your reference. I hope you can get something after reading this article, let's take a look at it.

1 collect subdomain information

The sub-domain name is the second-level domain name, which refers to the top-level domain name. Assuming that the scale of our target network is relatively large, it is obviously unwise to start directly from the main domain, because for a target of this scale, the main domain is generally an area of key protection, so it is better to choose to enter a subdomain of the target. and then find a way to get close to the real target, which is undoubtedly a better choice. So how can you collect as many high-value subdomains of the target as possible?

(1) Sub-domain name detection tool

Layer subdomain excavator, K8 CE wydomainforce Sublist3r dnsmaperrem subDomainsBrutepime

(2) search engine enumeration

You can take advantage of the previous google hacker syntax. For example, you can use "site:baidu.com" to search for Baidu's sub-domain names.

Site: http://baidu.com-www does not contain www

(3) third-party aggregation application enumeration

Many third-party services aggregate a large number of DNS datasets that can be used to retrieve subdomains of a given domain name. As long as you enter the domain name into its search bar, you can retrieve the relevant domain name information.

DNSdumpster website: http://dnsdumpster.com/

(4) Certificate transparency public log enumeration

Certificate Transparency (Certificate Transparency,CT) is a project of the Certificate Authority (CA), which publishes each SSL/TLS certificate to the public log. An SSL/TLS certificate usually contains domain names, subdomains, and e-mail addresses, which are often useful information that attackers want very much. The easiest way to find the certificate of a domain name is to use a search engine to search for some public CT logs.

Crt.sh: http://crt.sh

Censys: https://censys.io

(5) online subdomain blow-up

Subdomain name blasting website https://phpinfo.me/domain

Ip reverse check bound domain name website: http://dns.aizhan.com

2 fingerprint identification

Fingerprint has almost become a synonym for biological characteristics because of its lifelong invariance, uniqueness and convenience. This refers to the website CMS fingerprint identification, computer operating system and Web container fingerprint identification and so on.

In penetration testing, fingerprint identification of the target server is quite necessary, because only by identifying the corresponding Web container or CMS, can we find the vulnerabilities related to it, and then carry out the corresponding penetration operation.

CMS (Content Management System) is also called whole station system or article system. Before 2004, if you want to manage the content of a website, you basically rely on manual maintenance, but in the era of information explosion, it is very difficult to rely entirely on human maintenance. So there is CMS, as long as the opener gives the customer a software package, and the customer installs and configures it, he can update the data regularly to maintain the website, saving a lot of manpower and material resources.

Common CMS includes:

Dedecms (Weaving Dream), Discuz,PHPWEB,PHPWind,PHPCMS,ECShop,Dvbbs,SiteWeaver,ASPCMS, Empire, Zmuri Blogjol WordPress, etc.

Scanning tool:

Yujian web fingerprint identification, whatweb,WebRobo, coconut tree, lightweight web fingerprint identification, etc.

Online inquiry

[BugScaner] [http://whatweb.bugscaner.com/look/]

[Yunzhi fingerprint] [http://www.yunsee.cn/finger.html]

[whatweb] [https://whatweb.net/] [http://whatweb.bugscaner.com/]]

3 Real IP query

During penetration testing, the target server may have only one domain name, so how to determine the real IP of the target server through this domain name is very important for penetration testing. If the target server does not have a CDN

You can query it through the following address, or you can obtain IP and domain name information through nslookup and so on.

Http://www.ip138.com/

What if the target has a CDN server? We need to find the IP of the real server of the target.

1. What is CDN?

CDN is a content distribution network, which mainly solves the problem of low network speed performance caused by transmission distance and different operator nodes. To put it simply, a group of cache servers on the docking nodes between different operators cache the frequently accessed static data resources (html, css, js pictures, videos, sounds, etc.) directly to the node server. when the user requests again, it will be directly distributed to the node server close to the user to respond to the user, and will respond from the remote Web server only when the user has actual data interaction. This can greatly improve the response speed and user experience of the website.

If the target site has a CDN server, the ping domain name does not necessarily get the real Web server of the target, but only the CDN on the nearest node, which makes it impossible for us to get the real IP range of the target.

2.CDN judgment

Ping a URL:

C:\ Users\ 86135 > ping http://www.baidu.com

The Ping http://www.a.shifen.com [14.215.177.39] has 32 bytes of data:

Reply from 14.215.177.39: byte = 32 time = 32ms TTL=1

But obviously, the IP here is the IP of CDN.

We can use multiple ping tools to determine:

Use the online website 17CE to operate ping servers in multiple regions of the country, and then compare the ip results of ping in each region to see if these ip are consistent. If they are all the same, it is very likely that there is no CDN. If most of the ip are different or regular, you can try to query the belonging place of these ip to determine whether there is a CDN.

Using nslookup for detection, the principle is the same as above. If the returned domain name resolution corresponds to multiple IP addresses, it is likely to use CDN.

Experience: if there are two or three, and these addresses are different operators in the same region, it is very likely that these addresses are the egress addresses of the server. In the internal network, the server is mapped for Internet access through the NAT of different operators, and several different operators can be used for load balancing and hot backup at the same time. If there are multiple ip addresses, and these ip addresses are distributed in different regions, it is almost certain that CDN has been adopted. )

1. There are examples of CDN:

Nslookup http://www.163.com

Name: http://163.xdwscache.ourglb0.com

Addresses: 58.223.164.86

125.75.32.252

two。 Example of no CDN:

Nslookup http://xiaix.me

Address: 192.3.168.172

0.0.0.0 255.255.255.255

Use a variety of online tools to help detect whether the target site uses CDN

Http://www.cdnplanet.com/tools/cdnfinder/

Http://www.ipip.net/ip.html

3. Bypass CDN

Query subdomains:

In many cases, only the primary station uses the CDN, and the secondary site does not, so we can directly query the IP of the sub-station. For the search method of the sub-station, see below. We can also use the search engine to enter site: http://baidu.com or inurl: http://baidu.com to search the subdomain name of http://baidu.com

Foreign visit

1. Some domestic CDN services are only for domestic use, and CDN is rarely used for foreign visits. So we can query the domain name through the unpopular DNS abroad. For example, nslookup http://xxx.com 199.89.126.10

C:\ Users\ asus\ Desktop > nslookup http://hi-ourlife.com 199.89.126.10

Name: http://hi-ourlife.com

Address: 45.64.65.85

two。 Foreign agency website App Synthetic Monitor (https://asm.ca.com/en/ping.php)

Historical analytical record

The IP used before the IP address of CDN is the real IP.

Https://toolbar.netcraft.com/site_report?url=www.baidu.com

Query email

Many servers come with mail-sending capabilities that can be used to get real IP. Let the site take the initiative to send mail, and then right-click to query the source code, you can get the real IP.

Request to grab App

If the target network station has its own App, you can try to grab the App request using fiddler or Burp Suite, and find the real ip of the target from it.

4 verify IP

After we find the real IP of the target, how can we verify its authenticity?

1. Access the IP address directly to see if the response page is the same as the domain name returned.

two。 When the target segment is relatively large, batch scan all the open ports 80,443,8080 IP in the corresponding IP segment with the help of Masscan-like tools, and then try ip access one by one to see if the corresponding site is the target site.

5 whole station analysis

Server type (Linux/Windows)

The server information includes the operating system used by the server: Linux or Windows. Now more than 90% of the operating systems of enterprise website servers use the Linux operating system. Once you know the operating system of the server, you also need to know the specific version of the operating system used. Because many lower versions of the operating system have known vulnerabilities.

1. The easiest way to determine whether it is Linux or Windows is to detect it through ping. The TTL value of Windows is generally 128 and 64 for Linux. So those greater than 100 must be Windows, and dozens of them must be Linux.

2.Windows is case-insensitive and Linux is case-sensitive.

If http://www.xxxx.com/index.php and http://www.xxxx.com/index.phP open it, it means it's Windows.

To determine the specific version of the target website server, you can use nmap to scan,-O and-A parameters can be scanned.

Website Container (Apache/Nginx/Tomcat/IIS)

Once we know this information, we need to know what type of web server the site uses: Apache, Nginx, Tomcat, or IIS. Once we know what type of web server it is, we also need to explore the specific version of the web server. For example, Ngnix version > K8 side Station, Royal Sword 1.5

Port > > portscan

11 Host scan and port information (please refer to:)

In the penetration test, the collection of port information is a very important process. By scanning the open port of the server and judging the service that exists on the server from that port, we can prescribe the right remedy to the case and facilitate us to infiltrate the target server.

So in the process of collecting port penetration information, we need to pay attention to the default port of common applications and the services running on the port. The most common scanning tools are NMAP, stateless port scanning tool Masscan, ZMap and Yujian high-speed TCP port scanning tool.

Common ports and their descriptions, as well as a summary of attack methods:

File sharing service port

Remote connection service port

Web Application Service Port

Database service port

Mail service port

Common network protocol ports

Special service port number

These are all the contents of this article entitled "what is the method of collecting Penetration Test Information?" Thank you for reading! I believe you will gain a lot after reading this article. The editor will update different knowledge for you every day. If you want to learn more knowledge, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.