(7) Web security | penetration testing | how does network security determine whether CND exists, and how to bypass CND to find the real IP

CDN The full name is Content Delivery Network, The content distribution network .CDN It is an intelligent virtual network based on the existing network , Rely on edge servers deployed everywhere , Load balancing through the central platform 、 content distribution 、 Scheduling and other functional modules , Let users get the content they need nearby , Reduce network congestion , Improve user access response speed and hit rate .

The above comes from ：CDN_ Baidu Encyclopedia (baidu.com)

Personally feel cdn In short ： Through the nearby temporary storage of information CDN Node sends information to users

cdn Will hide the server's real ip Address , Unable to penetrate the operating system of the target website ,cdn The site is virtual , Have the same website architecture , And cdn The server can interact with the site server , therefore sql The mining of injection and other vulnerabilities is not greatly affected .

Through the tool ping, Look at the display ip Is the address unique , If it's not the only one , Then these ip The address is CDN The address of

Using tools ：

IP/IPv6 Inquire about , Server address query - Webmaster Tools (chinaz.com)

baidu.com Of ping testing _ Website speed measurement tool _ Multi location ping testing - Love station network (aizhan.com)

( Take Baidu for example )

You can see it in many places ip Address , It can be determined that this is its CDN node

There is also a tool to check authenticity ip：

Get Site Ip (get-site-ip.com) 

But you can't determine this with tools ip Is it true

If you are not at ease, you can also use manual search , Combined with practice , Analyze the location of the company and ip Continue to analyze the location  

When some websites register , Will pass email authentication , Or send an email message , At this time, analyze the... In the email data ip Address , The first ip It was sent by Tencent as a transit

Subdomain query ：
Because some main stations do CDN Service and the sub station didn't do CDN service

Subdomain excavator ：

link ：https://pan.baidu.com/s/1otbSIrRVIYotbB3VVeCSlw 
Extraction code ：hj12

Mail service query ：
Most mailboxes are accessed by insiders , And the number of visits is generally not very large , So I don't usually do CDN.

Foreign address request ：
CDN Generally, it is arranged nearby according to the user group

example ： The users of a website are all in China , For economic reasons , Then the website administrator will not be deployed abroad CDN node , Visiting abroad may directly access the truth IP. Choose more unpopular countries to visit , If IP All the same , It's probably true ip.

（ This will use related tools ）

Legacy documents ：
example ：php Of phpinfo.php, You may see the truth IP

Scan the whole network ：
May get all IP, And then analyze it
Dark engine search ： May get google Specific search for
fofa、shodan、 To listen attentively 、zoomeye、censys

（ We should conduct an artificial analysis by ourselves ）

Specific documents dns Historical record ：
The website may not have CDN, So through the search of the new website CDN Historical record , You may find what was resolved at that time IP, This IP It may be the reality of the current website IP.

Look at ：
One CDN Node traffic, such as 1G, So many people visit , Run out of wandering , After that, it may be true IP 了 .（ Also known as traffic exhaustion attack ）.
real IP After obtaining the address, the binding points to the address change local HOSTS Parse point to file