Early-stage information gathering for web penetration testing

I am a beginner; the following is the content of my study notes. If there are any mistakes, I hope you will point them out.

1. Whois information

When we start gathering information, the first thing we need to know is the target site's domain name. We then use a whois query to find the owner of the domain and the registration email address. Here are a few online whois lookup sites: www.whois.com, whois.chinaz.com, whois.aizhan.com. Of course, some domain names have privacy protection, so the useful information is hidden when we look it up.

2. Subdomains

Subdomain enumeration finds out how many subdomains the target domain has. There are two ways to do it: 1) search-engine syntax, for example site:baidu.com; 2) an online query tool, for example tool.chinaz.com/subdomain/.

3. The target's real IP address

There are two situations when looking for the real IP address of the target website: 1) when the target website does not use a CDN, pinging the domain name directly from CMD gives the real IP address; 2) when the target website uses a CDN, a. look up the IP of one of the target's second-level domains and check whether it is the IP of the main site, since some websites share the same host; b. run the nslookup -d <domain name> command to query the historical resolution records. There is also a website that allows two free searches: x.threatbook.cn/

4. Side sites and the C segment

A side site is a different website hosted on the same server. When we don't know where to start with the target site, we can try another website on the same server. There are two methods for finding side sites: one is to use Nmap, the other is to use an online website: webscan.cc/

5. Email

If the site has a mail function and the mail server is not behind a CDN, we can find the real IP address of the target from the headers of an original email. We can also check whether the mail server has disabled the VRFY and EXPN commands.

6. CMS type (fingerprinting)

For example, WordPress is a commonly used CMS. There are several ways to identify the CMS: a. the robots.txt file; b. website path features; c. web page keywords; d. URL features.

7. Sensitive files

In the website's directories you can look for sensitive files such as .git, .svn and .DS_Store. These files are likely to leak source code, and a www.zip file is likely to be a backup or the source code of the whole site.
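As an added defender-side example (not part of the original notes), the script below reads web server access log lines in the common combined format, picks out requests for the sensitive paths listed above, and reports which of them the server actually answered with 200, meaning the file is really exposed and must be removed or blocked; the log lines and the extra backup filenames are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined/common log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths from section 7, plus a few common backup names (assumed, not from the notes).
SENSITIVE_PATTERNS = [
    (re.compile(r"^/\.git(/|$)"), "git repository"),
    (re.compile(r"^/\.svn(/|$)"), "svn repository"),
    (re.compile(r"/\.DS_Store$"), "DS_Store listing"),
    (re.compile(r"^/(www|web|site|backup)\.(zip|rar|tar\.gz|7z)$"), "site backup"),
]

def classify(path):
    """Return the kind of sensitive file a request path points at, or None."""
    for pattern, kind in SENSITIVE_PATTERNS:
        if pattern.search(path):
            return kind
    return None

def scan_log(lines):
    """Return (exposed, probes).
    exposed: list of (ip, path, kind) the server answered with 200 -> really reachable.
    probes:  dict ip -> how many sensitive paths that client asked for (recon signal)."""
    exposed = []
    probes = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        kind = classify(m.group("path"))
        if kind is None:
            continue
        probes[m.group("ip")] += 1
        if m.group("status") == "200":
            exposed.append((m.group("ip"), m.group("path"), kind))
    return exposed, dict(probes)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/HEAD HTTP/1.1" 200 23',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /.svn/entries HTTP/1.1" 404 162',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /www.zip HTTP/1.1" 403 153',
    '198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "GET /images/.DS_Store HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    exposed, probes = scan_log(SAMPLE_LOG)
    print("exposed:", exposed)   # the /.git/HEAD hit answered 200 is the real finding
    print("probes:", probes)     # 203.0.113.5 touched three sensitive paths in a row
```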

8. Port information

Here, nmap and masscan can be used to scan the target site's open ports; different ports correspond to different services.

9. Servers and middleware

Look for the server's middleware and web containers, such as Apache, Nginx and IIS, and find their version numbers to check whether they have known vulnerabilities.

10. Firewall

Check whether the target site has a firewall (WAF). It can generally be seen in the cookies returned by the server, for example: Safedog: Asdawasdwa; 360 host guard: Asdasdad; Hsw: DWadwadwa

Note: These notes are only for study and communication. Please do not use them for illegal activities; any consequences have nothing to do with the author.