Web - Information Collection
2022-07-03 04:18:00 【Stars return to the wild】
Information gathering
I. Domain name information
1. Whois lookup
Whois is the information left behind when a domain name is registered, such as the administrator's name, phone number and e-mail address. After learning the target's domain name, the first thing to do is retrieve its whois record: the registrant is often the website's administrator, so the record can be used for social-engineering attempts, and checking which other domain names the same registrant holds widens the scope of the attack.
1.1 Online lookup sites
Aizhan tools: https://whois.aizhan.com
Webmaster's Home (chinaz): http://whois.chinaz.com
VirusTotal: https://www.virustotal.com
These sites return the domain's registration details, such as the registrar, the domain owner, and the owner's e-mail address, phone number and postal address.
Taking secdriver.com as an example:
Querying it on the Aizhan tool site returns the website's registrar, creation time, update time, name servers and other details.
1.2 Kali tools
Query from Kali with the following command:
whois <domain name>
Example: whois secdriver.com
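As an added example (not code from the original post), the following Python script parses raw `whois` output into the fields the post says to look for (registrar, creation and update dates, name servers, contact e-mail addresses) and computes how many days remain until the registration expires, which is the check a domain owner should run on their own records. The record is constructed for example.com with placeholder values, not real registration data; `parse_whois`, `days_until_expiry` and `FIELD_MAP` are names chosen here.

```python
# Added example (not from the original post): parse raw `whois` output into the
# fields the post lists and flag how long the registration has left.
# SAMPLE_WHOIS is constructed for example.com with placeholder values.
from datetime import date, datetime

SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Creation Date: 2010-05-14T09:21:00Z
   Updated Date: 2021-11-02T13:08:45Z
   Registry Expiry Date: 2025-05-14T09:21:00Z
   Name Server: NS1.EXAMPLE-DNS.NET
   Name Server: NS2.EXAMPLE-DNS.NET
   Registrant Organization: Example Org
   Registrant Email: admin@example.com
   Tech Email: hostmaster@example.com
   DNSSEC: unsigned
>>> Last update of whois database: 2022-07-03T04:18:00Z <<<
"""

# whois "Key: Value" labels mapped to the field names exposed by parse_whois
FIELD_MAP = {
    "domain name": "domain",
    "registrar": "registrar",
    "creation date": "created",
    "updated date": "updated",
    "registry expiry date": "expires",
    "registrant organization": "registrant_org",
}


def parse_whois(text: str) -> dict:
    """Turn line-oriented whois text into a dict; repeated keys are collected into lists."""
    info = {"name_servers": [], "emails": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")      # split on the first colon only
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key == "name server":
            info["name_servers"].append(value.lower())
        elif key.endswith("email"):               # Registrant Email, Admin Email, Tech Email ...
            if value.lower() not in info["emails"]:
                info["emails"].append(value.lower())
        elif key in FIELD_MAP:
            info[FIELD_MAP[key]] = value.lower() if key == "domain name" else value
    return info


def days_until_expiry(info: dict, today_iso: str) -> int:
    """Days from today (ISO date string) to the registry expiry date; negative once lapsed."""
    expires = datetime.strptime(info["expires"], "%Y-%m-%dT%H:%M:%SZ").date()
    return (expires - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    for key, value in record.items():
        print(f"{key:15} {value}")
    print("days until expiry:", days_until_expiry(record, "2022-07-03"))
```

Registries format their output differently (some use "Registrar Name" or localized labels), so in practice `FIELD_MAP` has to be extended per registry; the e-mail addresses it collects are exactly the data the post says an attacker would use, which is why registrant privacy protection is worth keeping on for internal domains.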
2. ICP filing lookup
Website filing is required by national law: the owner of a website must register it with the relevant state departments. It is a website-management measure of the Ministry of Information Industry of the People's Republic of China, intended to prevent illegal business activity on the Internet. It applies mainly to domestic websites; a website set up in another country does not need to be filed.
Commonly used sites:
ICP filing lookup: http://www.beianbeian.com
Tianyancha: http://www.tianyancha.com
National Internet security management platform: http://www.beian.gov.cn/portal/recordQuery
Querying the national Internet security management platform gives the following result:
II. Subdomain information
Example: www.baidu.com
  Root (top-level) domain:   com
  Main domain:               baidu.com
  Subdomain (of baidu.com):  www.baidu.com
A subdomain, also called a second-level domain, is a domain name under the top-level domain. If the target network is fairly large, starting directly from the main domain is clearly unwise: for a target of that size the main domain is usually the most heavily protected area, so it is better to enter through one of the target's subdomains first and then find a way to work around towards the real target.
1. IP lookup
ping secdriver.com
nslookup secdriver.com
2. Online lookup sites
VirusTotal https://www.virustotal.com
fofa https://fofa.info/
Query with VirusTotal: enter the domain, click SEARCH, then open the RELATIONS tab to view the results.
Query with fofa:
Search statement: domain="secdriver.com"
3. Tool scan
Use the Layer Subdomain Excavator tool.
III. Port information
1. Browser plug-in detection
Install the fofa pro view and Shodan plug-ins in Firefox.
2. Tool scan
2.1 nmap
// Service and version detection on selected ports
nmap -sV 192.168.81.148 -p 3389,5985,6588,999,21,80 -A
// Scan common ports
nmap -sT 10.10.1.130 -p 80,89,8000,9090,1433,1521,3306,5432,445,135,443,873,5984,6379,7001,7002,9200,9300,11211,27017,27018,50000,50070,50030,21,22,23,2601,3389
// TCP connect scan of the first 3000 ports on 127.0.0.1
nmap -sT 127.0.0.1 -p 1-3000
// Faster SYN scan of the first 3000 ports
nmap -sS 127.0.0.1 -p 1-3000
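The commands above produce output that is tedious to read by hand across many hosts. As an added example (not from the original post or from nmap), this Python script parses nmap's grepable format (`-oG`) into host/port records and then compares the open ports against an allow-list of what the host is meant to expose, which is how a defender turns the same scan into an exposure finding. `SAMPLE_GNMAP` is constructed to follow the `-oG` layout and is not output from a real scan; `parse_gnmap`, `open_ports` and `unexpected_exposure` are names chosen here.

```python
# Added example (not from the original post or from nmap): parse nmap -oG output
# and report open ports that are not on the host's allow-list.
# SAMPLE_GNMAP is constructed in the -oG layout; it is not real scan output.
from dataclasses import dataclass

SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated Sun Jul  3 04:18:00 2022 as: nmap -sV -p 21,80,3389,5985 -oG - 192.168.81.148
Host: 192.168.81.148 ()\tStatus: Up
Host: 192.168.81.148 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.41/, 3389/closed/tcp//ms-wbt-server///, 5985/filtered/tcp//wsman///\tIgnored State: closed (0)
# Nmap done at Sun Jul  3 04:18:05 2022 -- 1 IP address (1 host up) scanned in 5.01 seconds
"""


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    state: str      # open / closed / filtered
    proto: str      # tcp / udp
    service: str    # nmap's service name, may be empty
    version: str    # -sV product/version string, may be empty


def parse_gnmap(text: str) -> list:
    """Each 'Ports:' entry has the layout port/state/proto/owner/service/rpc-info/version/."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # the Ports field runs up to the next tab-separated field (e.g. "Ignored State")
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
        for entry in ports_field.split(", "):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            records.append(PortRecord(host, int(fields[0]), fields[1], fields[2],
                                      fields[4], fields[6]))
    return records


def open_ports(records: list) -> set:
    return {(r.host, r.port) for r in records if r.state == "open"}


def unexpected_exposure(records: list, allowed_ports: set) -> list:
    """Open ports missing from the allow-list, as sorted (host, port, service) tuples."""
    return sorted((r.host, r.port, r.service) for r in records
                  if r.state == "open" and r.port not in allowed_ports)


if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    for r in recs:
        print(f"{r.host}:{r.port}/{r.proto} {r.state:8} {r.service:14} {r.version}")
    print("not on allow-list:", unexpected_exposure(recs, {80}))
```

Run the scan with `-oG scan.gnmap` (or `-oG -` to stream to stdout) and feed the file to `parse_gnmap`; for nmap's XML output (`-oX`) the same structure is easier to get from `xml.etree`, but the grepable form is what most quick scripts already have lying around.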
2.2 masscan
masscan 47.94.98.63 -p 1-3000 --rate=3000
2.3 Yujian port scanner
IV. C segment and side stations
1. Side station
A side station is another website hosted on the same server.
Side-station penetration means starting from another website on the same server, escalating privileges and taking over the server; once the server is taken, the target website falls with it.
Side station: attack path across different sites on the same server.
2. C segment
In an address such as 192.168.1.4, 192 is the A segment, 168 the B segment, 1 the C segment and 4 the D segment.
C-segment sniffing means going after the servers in the same C segment, that is, the hosts whose D segment ranges over 1-255.
C segment: attack path across different servers in the same network segment.
3. Online lookup
Same-IP website lookup, C-segment lookup, online C-segment and side-station tool: https://www.webscan.cc/
The Yujian port scanner can also be used to scan a C segment.
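As an added example (not code from the original post), the following Python snippet makes the C-segment idea concrete with the standard library's `ipaddress` module: it splits an address into the A/B/C/D segments described above, derives the C segment as a /24 network, lists the addresses in it, and groups a set of discovered hosts by C segment so that hosts sharing a segment with the target stand out. The address list is constructed; `segments`, `c_segment`, `c_segment_hosts` and `group_by_c_segment` are names chosen here.

```python
# Added example (not from the original post): A/B/C/D segments, the /24 "C segment"
# and grouping of hosts by C segment using the standard ipaddress module.
import ipaddress
from collections import defaultdict

# Constructed addresses standing in for hosts found through IP / side-station lookups.
SAMPLE_HOSTS = ["192.168.1.4", "192.168.1.20", "192.168.1.254", "192.168.2.7", "10.10.1.130"]


def segments(ip: str) -> tuple:
    """Return (A, B, C, D) for a dotted-quad IPv4 address: 192.168.1.4 -> (192, 168, 1, 4)."""
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on a malformed address
    return tuple(int(octet) for octet in str(addr).split("."))


def c_segment(ip: str) -> str:
    """The /24 network containing ip, i.e. every host sharing its A.B.C segments."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def c_segment_hosts(ip: str) -> list:
    """Assignable addresses in the C segment (.1 to .254; .0 and .255 are network and broadcast)."""
    return [str(h) for h in ipaddress.ip_network(f"{ip}/24", strict=False).hosts()]


def group_by_c_segment(ips: list) -> dict:
    """Map each /24 to the discovered hosts inside it, preserving input order."""
    groups = defaultdict(list)
    for ip in ips:
        groups[c_segment(ip)].append(ip)
    return dict(groups)


if __name__ == "__main__":
    print(segments("192.168.1.4"), c_segment("192.168.1.4"))
    for net, hosts in group_by_c_segment(SAMPLE_HOSTS).items():
        print(f"{net}: {len(hosts)} host(s) -> {hosts}")
```

`hosts()` deliberately leaves out .0 and .255, which is why it yields 254 addresses rather than the 255 the post mentions; pass `strict=False` so that a host address (rather than a network address) can be used to name its /24.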
V. Directory information
Directory scanning can find sensitive files, admin back-end files, database files and files that disclose information.
Common dirsearch parameters:
-u  target URL
-e  extensions to test (site type): php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak
-w  wordlist to scan with
-t  number of threads
--random-agent  use a random User-Agent for each request
Usage: python3 dirsearch.py -u http://<target site> -e <site type, e.g. php>
robots protocol
robots.txt
robots.txt is a convention, not an enforced rule. It is the first file a search engine should look at when visiting a website; it tells crawlers which files on the server may be viewed.
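As an added example (not code from the original post), here is a small robots.txt parser: it groups Allow/Disallow rules by User-agent, answers whether a given agent may fetch a path using longest-prefix matching, and lists the Disallow entries that hint at sensitive paths. Because robots.txt is public, the last check is the one a site owner should run before publishing the file: a Disallow line advertises the very path it is meant to keep crawlers away from. The file is constructed; `parse_robots`, `is_allowed`, `sensitive_hints` and `SENSITIVE_WORDS` are names chosen here.

```python
# Added example (not from the original post): parse robots.txt, evaluate a path
# for a crawler, and flag Disallow entries that leak sensitive path names.
# SAMPLE_ROBOTS is constructed, not a real site's file.
SAMPLE_ROBOTS = """\
# constructed robots.txt (not a real site's file)
User-agent: *
Disallow: /admin/
Disallow: /data/backup/
Allow: /public/

User-agent: Baiduspider
User-agent: Googlebot
Disallow: /

Sitemap: https://www.example.com/sitemap.xml
"""

# path fragments that suggest a Disallow line is hiding something worth protecting
SENSITIVE_WORDS = ("admin", "backup", "manage", "login", ".sql", ".bak", ".zip")


def parse_robots(text: str) -> tuple:
    """Return ({user_agent: {"allow": [...], "disallow": [...]}}, [sitemap urls])."""
    groups, sitemaps = {}, []
    agents, last_was_agent = [], False   # agents of the record currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not last_was_agent:            # a new record starts after a non-agent line
                agents = []
            agents.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
            last_was_agent = True
            continue
        last_was_agent = False
        if field == "sitemap":
            sitemaps.append(value)
        elif field in ("allow", "disallow") and value:   # empty Disallow means allow all
            for agent in agents:
                groups[agent][field].append(value)
    return groups, sitemaps


def is_allowed(groups: dict, agent: str, path: str) -> bool:
    """Longest matching prefix wins; on a tie Allow wins; unknown agents fall back to '*'."""
    rules = groups.get(agent) or groups.get("*") or {"allow": [], "disallow": []}
    best, allowed = -1, True
    for kind in ("allow", "disallow"):
        for prefix in rules[kind]:
            if path.startswith(prefix) and len(prefix) > best:
                best, allowed = len(prefix), kind == "allow"
    return allowed


def sensitive_hints(groups: dict, words=SENSITIVE_WORDS) -> list:
    """Disallow paths whose names suggest admin, backup or login areas."""
    hits = {path for rules in groups.values() for path in rules["disallow"]
            if any(w in path.lower() for w in words)}
    return sorted(hits)


if __name__ == "__main__":
    groups, sitemaps = parse_robots(SAMPLE_ROBOTS)
    print(groups, sitemaps)
    print("Bingbot /admin/x ->", is_allowed(groups, "Bingbot", "/admin/x"))
    print("sensitive hints:", sensitive_hints(groups))
```

If the hints list is non-empty, the better fix is usually to protect those paths with authentication (and, if they must stay out of search results, a noindex header) rather than naming them in a world-readable file.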
VI. Fingerprint identification
In web penetration, web fingerprint identification is an important step of information gathering. Using open-source tools, online platforms or manual inspection to determine whether the CMS is a public CMS program or a custom development is crucial: accurately obtaining the CMS type and the web service component types and versions helps security engineers quickly and effectively verify known vulnerabilities. During a penetration test the target's CMS is very important information; once the CMS is known, its related known bugs can be tested and a code audit performed.
1. Identification methods
Site-specific files, e.g. /templets/default/style/dedecms.css indicates DedeCMS
MD5 of site-specific files, e.g. favicon.ico (the file can be modified, so this is not always accurate)
File naming conventions of the site
Keywords in the response headers, e.g. header="rememberMe=deleteMe"
Page keywords, e.g. /data/sessions/index.html and /data/admin/ver.txt for DedeCMS
URL features
Meta tag features
Script features
robots.txt
Site path features
Site static resources
Crawling the site's directory structure
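As an added example (not code from the original post), the following Python snippet is a rule-based matcher for three of the signals listed above: a site-specific path in the page body, a keyword in a response header, and the MD5 of favicon.ico. The rules and the HTTP response are constructed; the rule names are illustrative labels, not a real fingerprint database, and `matches`, `fingerprint`, `RULES` and `SAMPLE_RESPONSE` are names chosen here.

```python
# Added example (not from the original post): match a fetched response against
# fingerprint rules built from the signals the post lists (path, header keyword,
# favicon MD5). Rules, favicon bytes and the response are all constructed.
import hashlib

FAVICON_BYTES = b"\x00\x00\x01\x00constructed-favicon"   # stands in for a fetched favicon.ico

RULES = [
    {"name": "DedeCMS (path from the post)",
     "body_contains": "/templets/default/style/dedecms.css"},
    {"name": "rememberMe=deleteMe cookie (header keyword from the post)",
     "header": ("set-cookie", "rememberMe=deleteMe")},
    {"name": "Constructed CMS (favicon hash)",
     "favicon_md5": hashlib.md5(FAVICON_BYTES).hexdigest()},
    {"name": "Nginx (Server header)",
     "header": ("server", "nginx")},
]

# Constructed response: what a fetch of the front page plus /favicon.ico might return.
SAMPLE_RESPONSE = {
    "headers": {"Server": "nginx/1.18.0", "Set-Cookie": "rememberMe=deleteMe; Path=/"},
    "body": '<link rel="stylesheet" href="/templets/default/style/dedecms.css">',
    "favicon": FAVICON_BYTES,
}


def matches(rule: dict, response: dict) -> bool:
    """A rule matches only if every condition it carries is satisfied."""
    if "body_contains" in rule and rule["body_contains"] not in response.get("body", ""):
        return False
    if "header" in rule:
        name, needle = rule["header"]
        headers = {k.lower(): v for k, v in response.get("headers", {}).items()}
        if needle.lower() not in headers.get(name, "").lower():    # header names are case-insensitive
            return False
    if "favicon_md5" in rule:
        favicon = response.get("favicon")
        if favicon is None or hashlib.md5(favicon).hexdigest() != rule["favicon_md5"]:
            return False
    return True


def fingerprint(response: dict, rules: list = RULES) -> list:
    """Names of all rules that match, in rule order."""
    return [rule["name"] for rule in rules if matches(rule, response)]


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
```

The favicon rule behaves exactly as the post warns: change one byte of the icon and it no longer matches, while the header and path rules keep firing. From the defender's side, the same matcher run against your own site shows which of these signals you are exposing (a default favicon, a framework cookie name, a version in the Server header) and therefore which ones are cheap to remove.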
2. What fingerprinting identifies
CMS information: e.g. Dahan CMS, DedeCMS, EmpireCMS, phpcms, ecshop;
Front-end technology: e.g. HTML5, jQuery, Bootstrap, pure, ace;
Web server: e.g. Apache, lighttpd, Nginx, IIS;
Application server: e.g. Tomcat, JBoss, WebLogic, WebSphere;
Development language: e.g. PHP, Java, Ruby, Python, C#;
Operating system: e.g. Linux, win2008, win7, Kali, CentOS;
CDN information: whether a CDN is used, e.g. Cloudflare, 360cdn, 365cyd, yunjiasu;
WAF information: whether a WAF is used, e.g. Topsec, SafeDog, Yundun;
IP and domain information: IP and domain registration details, service provider, etc.;
Port information: some tools and platforms also probe the common ports open on the server.
3. Identification tools
Tool: whatweb
whatweb <domain name>                          // identify a single domain
whatweb -i target.txt --log-brief=result.txt   // batch mode: targets read from a file, brief log written to result.txt
Online identification:
http://pentest.gdpcisa.org/whatcms
Browser plug-in: Wappalyzer
4. CDN identification
A CDN is a content delivery network: an intelligent virtual network built on top of the existing network that relies on edge servers deployed everywhere.
Through the central platform's load balancing, content distribution and scheduling modules, users obtain the content they need from a nearby node, which reduces network congestion and improves response time and hit rate.
The basic principle of a CDN is to deploy many cache servers in the regions or networks where user access is concentrated.
When a user visits the website, global load balancing directs the request to the nearest working cache server, which answers the request directly.
Identifying a CDN:
nslookup
Multi-location ping sites: https://ping.chinaz.com/ and https://tools.ipip.net/ping.php
Online identification: https://www.cdnplanet.com/tools/cdnfinder
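As an added example (not code from the original post), this Python script applies the multi-location lookup idea above offline: given the answers several vantage points returned for a hostname, plus its CNAME, it decides whether the host is probably served through a CDN. The answers use TEST-NET addresses and are constructed; the CDN CNAME suffix list is illustrative (Cloudflare and yunjiasu are named in the post), not an authoritative list; `detect_cdn`, `all_ips`, `CDN_CNAME_SUFFIXES` and `SAMPLE_LOOKUPS` are names chosen here.

```python
# Added example (not from the original post): decide from multi-location DNS answers
# and the CNAME chain whether a hostname is probably behind a CDN.
# All lookup data below is constructed; the suffix list is illustrative only.
CDN_CNAME_SUFFIXES = ("cloudflare.net", "yunjiasu-cdn.net", "cdn.example-cdn.test")

# Constructed answers such as a multi-location ping site would return (TEST-NET addresses).
SAMPLE_LOOKUPS = {
    "shop.example.com": {
        "cname": "shop.example.com.cdn.cloudflare.net",
        "answers": {"beijing": ["203.0.113.10"], "shanghai": ["203.0.113.11"],
                    "guangzhou": ["203.0.113.10", "203.0.113.12"],
                    "frankfurt": ["198.51.100.7"]},
    },
    "www.example.com": {
        "cname": None,
        "answers": {"beijing": ["198.51.100.20"], "shanghai": ["198.51.100.20"],
                    "guangzhou": ["198.51.100.20"], "frankfurt": ["198.51.100.20"]},
    },
}


def detect_cdn(answers: dict, cname: str = None, suffixes=CDN_CNAME_SUFFIXES) -> tuple:
    """Return (likely_cdn, reasons): differing answers per location or a CNAME into a CDN domain."""
    reasons = []
    distinct = {frozenset(ips) for ips in answers.values()}
    if len(distinct) > 1:
        reasons.append(f"{len(distinct)} different answer sets across {len(answers)} locations")
    if cname:
        host = cname.lower().rstrip(".")
        if any(host == s or host.endswith("." + s) for s in suffixes):
            reasons.append(f"CNAME {cname} points into a CDN domain")
    return bool(reasons), reasons


def all_ips(answers: dict) -> set:
    """Every address any location saw; with a CDN these are edge nodes, not the origin."""
    return {ip for ips in answers.values() for ip in ips}


if __name__ == "__main__":
    for name, data in SAMPLE_LOOKUPS.items():
        likely, reasons = detect_cdn(data["answers"], data["cname"])
        print(name, "-> CDN likely" if likely else "-> no CDN evidence", reasons)
```

Differing answers by location are a hint, not proof: plain DNS round-robin over several origin servers produces the same picture, so treat the CNAME check (or the CDN's own response headers) as the confirming signal. For the site owner the practical point is the converse: if the origin address is still reachable directly, the CDN's protection can be bypassed, so the origin should only accept traffic from the CDN's address ranges.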