information gathering

Domain information collection

whois Inquire about

whois Is a standard Internet Protocol , It can be used to collect network registration information , Registered domain name ,IP Address, etc .

kali Under the whois Inquire about

online whois Inquire about

• Love station network https://whois.aizhan.com/
• Home of stationmaster https://whois.chinaz.com/

Record information inquiry

Website filing is the filing that the owner of the website needs to apply to the relevant national departments according to national laws and regulations ,

• Check the inner eye https://www.tianyancha.com/

• ICP Record query http://www.beianbeian.com/

• Home of stationmaster http://icp.chinaz.com/sina.com

Subdomain information collection

subdomain , That is, the secondary domain name , It is the domain name under the top-level domain name . The website is large , You can start with the sub station .

layer Subdomain excavator violence enumeration

Online tools

• Home of stationmaster http://tool.chinaz.com/subdomain/

• https://phpinfo.me/domain

• https://dns.aizhan.com/

• https://dnsdumpter.com/

Certificate transparency public log enumeration

Certificate transparency （Certificate Transparnecy , CT） It's a certificate authority （CA） A project for , The certificate authority will SSL/TLS Publish the certificate to the public log . One SSL/TLS Certificates usually contain domain names 、 Subdomain name and email address .

• crt.sh https://crt.sh/

• censys https://censys.io/

Search engine enumeration

utilize google Search search sites under specific domain names

“site: baidu.com”

Sensitive information collection

Google Haking

Common grammar

Such as searching the background management page

Port information collection

Port information collection is a very important process , The corresponding service can be identified by scanning the open port of the server , Then look for attack methods for services .

Commonly used tools Nmap, Massan, Royal sword high speed TCP Port scanning tools, etc .

Common ports and descriptions

File sharing service port

Remote connection service port

Web Application service port

Database service port

Mail service port

Network common protocol port

Special service port

fingerprint identification

Don't use fingerprints here to refer to websites CMS The fingerprint , Computer operating system or web The fingerprint of the container , These fingerprints are actually some feature codes or keywords , Such as WordPress in robots.txt Will contain wp-admin, index.php Will contain generator-wordpress 3.xx etc. . Identify the system used by the target , In order to find the vulnerability of the corresponding version to attack .

CMS（Content Managerment System）, Content management system , It's a kind of being in WEB front end （Web The server ） And back office systems or processes （ Content creation 、 edit ） Between the software systems . The creator of the content 、 Editors 、 Publishers use the content management system to submit 、 modify 、 The examination and approval 、 Publish content . I mean “ Content ” May include documents 、 form 、 picture 、 Data in the database or even videos and everything you want to publish to Internet、Intranet as well as Extranet Website information .

common CMS:

1. Enterprise station building system ：MetInfo( Mito )、 Cicada knowledge 、SiteServer CMS（.net platform ） etc. ;
   2.B2C Mall system ： Business school shopex、ecshop、hishop、xpshop etc. ;
   3. Portal station building system ：DedeCMS( DedeCms ,PHP+MYSQL)、 The empire CMS（PHP+mysql）、PHPCMS、 Move easily 、cmstop,dianCMS（ Change point CMS,.net platform ） etc. ;
   4. The blog system ：wordpress、Z-Blog etc. ;
   5. Forum Community ：discuz、phpwind、wecenter etc. ;
   6. Question answering system ：Tipask、whatsns etc. ;
   7. Encyclopedia system ：HDwiki;
   8.B2B Portal system ：destoon、B2Bbuilder、 A friendly neighbor B2B etc. ;
   9. Talent recruitment website system ： The knight CMS、PHP Cloud talent management system ;
   10. Real estate website system ：FangCms etc. ;
   11. Online Education station building system ：kesion( Kexun ,ASP)、EduSoho Online school ;
   12. Movie website system ： Apple cms、ctcms、movcms etc. ;
   13. The system of building novel literature station ：JIEQI CMS;

Tool recommendation : Mitsurugi Web fingerprint identification , Whatweb

Online fingerprint identification website ：

• BugScaner：http://whatweb.bugscaner.com/look/
• The cloud knows the fingerprint ：http://www.yunsee.cn/finger.html
• WhatWeb：https://whatweb.net/

real IP

Through domain name resolution , You can get the website IP, But sometimes it can be parsed IP Not the real server address IP. If the goal is done CDN, that The parsing result may be CDN Node IP Address .

CDN The full name is Content Delivery Network, The content distribution network .CDN It is an intelligent virtual network based on the existing network , Rely on edge servers deployed everywhere , Load balancing through the central platform 、 content distribution 、 Scheduling and other functional modules , Let users get the content they need nearby , Reduce network congestion , Improve user access response speed and hit rate .CDN The key technologies are content storage and distribution technology .

For websites , adopt CDN Acceleration can improve the speed of website access , Because this is a technology that distributes website content to different nodes through caching . When the website has CDN After acceleration , It can often be based on the user's request region , Choose a cache server on the network closest to the user , This can provide users with content services faster , It is no different from directly accessing the source site , This way to shorten the distance from the content network , Technology to achieve accelerated effect . Only when the user has actual data interaction, it will be from the remote Web Server response .

Check whether the target uses CDN

Obtained from different regions IP The address is different , Then it is possible to do CDN, It can be detected through online websites

https://www.17ce.com/

Bypass CDN

• Internal mailbox source . Register through website users or RSS Subscription function , Generally, it is not done here cdn
• Scan website test files . Such as phpinfo、test etc.
• Sub station domain name .
• Foreign agent visits .（http://asm.ca.com/en/ping.php）
• Query domain name resolution record .（https://www.netcraft.com）
• APP Grab the bag
• Bypass CloudFlare CDN Find the real IP.（http://www.crimeflare.us/cfs.html#box）

Sensitive directory information collection

Detecting the directory structure and hidden sensitive files of the target site is an essential content . It is possible to get the background page of the website , File upload page , Even the source code of the website .

Most tools are combined with dictionaries to detect

Commonly used tools ：DirBuster、 Background scan of Royal sword

Online tools ：https://www.webscan.cc/

Reference resources ：《Web Safe attack and defense Penetration test practice guide 》