Information collection
This article records the main knowledge points of information collection (reconnaissance).
Main methods of information collection
- Active information collection: gathering information by directly accessing the website, operating on it, scanning it, and so on. All of these methods send network traffic through the target server.
- Passive information collection: obtaining information from public channels such as search engines, without interacting with the target system directly, so as to avoid leaving traces.
What information to collect
Including but not limited to:
- Server information: port, service, IP
- Website information: server operating system, middleware, database, programming language, sensitive directories and files, side-site query (other sites hosted on the same server), C-segment query (other hosts in the same /24 subnet)
- Domain name information: whois, ICP filing (record) information, subdomain collection
- Website administrator information: name, title, birthday, contact number, email address
Domain information collection
whois
Whois is a query protocol used to look up the IP and owner of a domain name. Simply put, whois is a database used to check whether a domain name has been registered and to retrieve the details of a registered domain (such as the domain owner and the registrar).
Whois query methods:
Web interface query: Webmaster's Home (chinaz.com)
ICP filing (record) information
Commonly used query site: Webmaster's Home (chinaz.com)
Subdomain information collection
Common methods:
- Search engines (Google hacking)
- Third-party website queries:
  https://dnsdumpster.com/
  http://tool.chinaz.com/subdomain
- Cyberspace search engines; commonly used ones are fofa, zoomeye and shodan
- SSL certificate (certificate transparency) queries:
  http://crt.sh/
  http://developers.facebook.com/tools/ct/search/
- Subdomain brute-forcing tool: Layer (subdomain excavator)
- OneForAll, a powerful subdomain collection tool
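As an added example (not from the original notes), here is a small Python parser for the JSON that crt.sh returns; a defender can run it over an export for their own domain to inventory which hostnames appear in public certificate logs. The records below are constructed sample data, not a real query result, and the `example.com` names are placeholders.

```python
import json

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json (made-up records, not a real query).
SAMPLE_CRTSH_JSON = r"""[
 {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
  "not_before": "2023-01-10T00:00:00", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
 {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
  "not_before": "2022-05-01T00:00:00", "issuer_name": "C=US, O=DigiCert Inc"},
 {"common_name": "mail.example.com", "name_value": "MAIL.example.com\nwebmail.example.com",
  "not_before": "2023-03-04T00:00:00", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
 {"common_name": "dev.example.com.evil.test", "name_value": "dev.example.com.evil.test",
  "not_before": "2023-03-04T00:00:00", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"}
]"""


def in_scope(name: str, domain: str) -> bool:
    """True if `name` is the apex domain or a subdomain of it (match on a label boundary)."""
    domain = domain.lower()
    return name == domain or name.endswith("." + domain)


def extract_subdomains(crtsh_json: str, domain: str) -> dict:
    """Map each in-scope hostname to the earliest not_before date seen in the CT data.

    crt.sh quirks handled here: one record lists several SANs separated by newlines,
    names vary in case, wildcards ("*.x") are collapsed to "x", and lookalike names
    that merely contain the domain as a substring (example.com.evil.test) are dropped.
    """
    first_seen = {}
    for rec in json.loads(crtsh_json):
        for raw in rec.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if not name or not in_scope(name, domain):
                continue
            date = rec.get("not_before", "")[:10]  # keep YYYY-MM-DD; ISO dates sort lexically
            if name not in first_seen or date < first_seen[name]:
                first_seen[name] = date
    return first_seen


if __name__ == "__main__":
    for host, seen in sorted(extract_subdomains(SAMPLE_CRTSH_JSON, "example.com").items()):
        print(f"{seen}  {host}")
```

Hostnames that show up here but are absent from your own asset inventory are the ones worth chasing first, since they are exactly what the third-party tools listed above will surface.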
IP collection
- Reverse lookup of domain names by IP address:
  https://tools.ipip.net/ipdomain.php
  http://stool.chinaz.com/same
  If the penetration target is a virtual host, the domain names found by reverse IP lookup are very valuable, because one physical server may run multiple virtual hosts. These virtual hosts have different domain names but usually share the same IP address. If you know which websites share the server, it may be possible to gain control of the server through a vulnerability in another website on it, and then reach the penetration target indirectly. This technique is also called a "side-site" (旁注) attack.
- CDN (Content Delivery Network)
  Bypassing the CDN (finding the origin IP):
  - Access from abroad: CDN service is expensive, so it may not be used for overseas traffic
  - Query the IPs of subdomains: traffic is expensive, so secondary business sites may not be placed behind the CDN
  - MX records / mail service: query the IP address of the mail server
  - Historical DNS records: look up the IP address the domain resolved to earliest
Port information collection
- NMAP
Here are some nmap usages I have recorded: Usage of nmap