0x01 Information Collection
1. Google Hack
Search-engine syntax quickly turns up information leaks, exposed management backends and similar weaknesses, for example:
filetype:txt login
filetype:xls login
filetype:doc login
intitle:"backend management"
intitle:login
inurl:admin
intitle:"index of /"
To restrict the search to a given site, add site:example.com, for example:
site:example.com filetype:txt login
site:example.com intitle:"backend management"
site:example.com admin
site:example.com login
site:example.com system
site:example.com management
site:example.com internal
Adjust the keywords to the actual target. Google and Bing are recommended. If the indexed content has since been deleted, the search engine's cached copy (web page snapshot) usually still holds a record of it.
2. Shodan and Fofa network asset search engines
Search engines such as Shodan, Fofa, ZoomEye and 360 Quake index internet-facing devices and services; they are the security engineer's equivalent of Google.
In particular, they now support searching by favicon (site icon or logo), which is very convenient:
For example, look up an IP in Shodan and click View Raw Data.
Find the data.0.http.favicon.data field:
Searching for the hash of that value returns every asset that serves the same enterprise logo:
http.favicon.hash:-1507567067
The Shodan Chrome extension is recommended for viewing this data:
https://chrome.google.com/webstore/detail/shodan/jjalcfnidlmpjhdfepjhjbhnhkbgleap
Fofa is a Chinese cyberspace asset search engine similar to Shodan. Its common search syntax:
title="ABC"      search for ABC in the page title. Example: sites with Beijing in the title
header="ABC"     search for ABC in the HTTP response headers. Example: JBoss servers
body="ABC"       search for ABC in the HTML body. Example: a body containing "Hacked by"
domain="qq.com"  sites whose root domain is qq.com
host=".gov.cn"   search for .gov.cn in the URL (note that host is used here). Example: government and education sites
port="443"       find assets with port 443 open
...
A practical query:
body="keyword 1" && country="CN" && title="keyword 2"
This quickly narrows the results to the domestic sites you are looking for.
3. Subdomain collection
A few useful tools:
JSFinder
A site's JavaScript files often contain material that helps testing. JSFinder extracts URLs and subdomains from them, expanding the scope of the test. It supports a normal crawl and a deep crawl; the deep crawl also follows the pages it discovers and fetches their JS, which takes longer. The process is as follows:
Sublist3r
Sublist3r is a Python tool that enumerates the subdomains of a website using search engines. It currently supports Google, Yahoo, Bing, Baidu and Ask, with more planned, and it also collects subdomains from Netcraft and DNSdumpster.
Yunxi (云悉)
Yunxi collects subdomains, IP ranges, CMS fingerprints and other information online.
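What JSFinder does at its core is pull quoted URLs and paths out of script text and keep the hosts that belong to the target's root domain. The following added example, not JSFinder's own code, shows that extraction on a constructed JavaScript fragment; the regular expression is a simplified one written for this example, the hosts in SAMPLE_JS are made up, and relative paths are resolved against an assumed base host.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the kind of strings found in a site's front-end bundle.
SAMPLE_JS = r"""
var api = "https://api.example.com/v1/users";
fetch('//static.example.com/js/app.js');
const upload = "/upload/file";
window.open("https://admin-test.example.com/login?next=/dashboard");
var other = "https://cdn.othersite.net/lib.js";
"""

# Quoted absolute URLs, protocol-relative URLs, or root-relative paths.
# Simplified pattern for this example; JSFinder's own regex is more elaborate.
URL_RE = re.compile(r"""["']((?:https?:)?//[^\s"'<>]+|/[A-Za-z0-9_./?=&%-]+)["']""")


def to_absolute(found: str, base_host: str) -> str:
    """Turn a protocol-relative URL or a root-relative path into an absolute URL."""
    if found.startswith("http"):
        return found
    if found.startswith("//"):
        return "https:" + found
    return f"https://{base_host}{found}"


def extract_urls(js: str, base_host: str) -> list:
    """All distinct URLs referenced in the script, in order of first appearance."""
    seen, out = set(), []
    for found in URL_RE.findall(js):
        url = to_absolute(found, base_host)
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def extract_subdomains(urls: list, root_domain: str) -> set:
    """Hosts that are the root domain or lie beneath it; third-party hosts are dropped."""
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host and (host == root_domain or host.endswith("." + root_domain)):
            hosts.add(host)
    return hosts


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_JS, "www.example.com")
    for u in urls:
        print(u)
    print(sorted(extract_subdomains(urls, "example.com")))
```

Third-party hosts such as the CDN in the sample are deliberately excluded from the subdomain list: they are out of scope for most SRC programs, and reporting them is the fastest way to have a submission rejected.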
0x02 Packet capture for WeChat official accounts
An enterprise's WeChat official account can greatly expand the scope of a test. Some of the account's links can be copied straight into a browser and then tested in the usual way. Other links, however, show the following page when opened in a browser:
In that case you can capture WeChat traffic from an Android emulator or from a real device, but both are fairly inconvenient. Here is a way to capture the traffic of the WeChat PC client directly through SocksCap64.
SocksCap64 is a capable proxy client that supports HTTP/HTTPS, SOCKS4/5, TCP, UDP and other protocols. It is often used in intranet penetration, and it can also proxy the traffic of the WeChat PC client and forward it to Burp for capture and analysis.
First, set up the listener in Burp:
Then, in SocksCap64, add a proxy server pointing at Burp's address and port, with the type set to HTTP:
Test the proxy to see whether it works:
Then launch WeChat through SocksCap64:
The traffic of the WeChat PC client is now captured successfully:
0x03 Login testing ideas
0x04 SMS and mail bombing, and bypassing its protection
When testing a website, the registration and login functions often take a mobile phone number or e-mail address, and this is where SMS and mail bombing vulnerabilities appear. They are easy to test; some sites do add protection, but there are also ways around it.
Here are some popular sites for temporarily receiving SMS messages during testing (a mix of domestic and overseas services):
https://www.pdflibr.com/
http://www.z-sms.com/
https://www.receive-sms-online.info/
http://www.smszk.com/
https://smsnumbersonline.com/
http://receive-sms-online.com/
https://www.freeonlinephone.org/
https://sms-online.co/receive-free-sms
In applications where a phone number or e-mail address plus a verification code serves as the login credential, the function points involved mainly include:
Account registration
Verify user identity when the password is set for the first time
To login
To reset your password
Bind mobile phones and email addresses
Modify the binding of mobile phone or email
Free trial / event sign-up / feedback
...
Common tests and bypasses:
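From the defender's side, what stops SMS bombing is a server-side throttle applied at every function point listed above, keyed on a normalised recipient (so that "+86 138 0000 0000" and "13800000000" share one counter) and on the sending client. The following is an added example, not code from the original article: a minimal throttle with an injectable clock so its behaviour can be checked deterministically; the limits, the CN country-code handling and the phone numbers are assumptions made for the example.

```python
import re
import time
from collections import defaultdict, deque


class SmsCodeThrottle:
    """Per-recipient and per-source limits for a 'send verification code' endpoint."""

    def __init__(self, min_interval=60, per_recipient=(5, 3600), per_ip=(20, 3600), now=time.time):
        self.min_interval = min_interval        # seconds between two codes to one number
        self.per_recipient = per_recipient      # (max sends, window in seconds)
        self.per_ip = per_ip
        self.now = now                          # injectable clock for testing
        self.sent_to = defaultdict(deque)       # normalised phone -> send timestamps
        self.sent_from = defaultdict(deque)     # client IP -> send timestamps

    @staticmethod
    def normalize_phone(raw: str) -> str:
        """Collapse different spellings of the same number onto one counter."""
        digits = re.sub(r"\D", "", raw)         # drop '+', spaces, dashes, brackets
        if len(digits) == 13 and digits.startswith("86"):   # assumption: CN numbers with country code
            digits = digits[2:]
        return digits

    @staticmethod
    def _prune(q: deque, window: int, now: float) -> None:
        while q and q[0] <= now - window:
            q.popleft()

    def allow(self, raw_phone: str, client_ip: str):
        """Return (allowed, reason). client_ip must be the socket peer address, or an
        X-Forwarded-For value only when it was set by a proxy you control; otherwise
        the per-IP counter is trivially reset by the client."""
        now = self.now()
        phone = self.normalize_phone(raw_phone)
        rq, iq = self.sent_to[phone], self.sent_from[client_ip]
        self._prune(rq, self.per_recipient[1], now)
        self._prune(iq, self.per_ip[1], now)
        if rq and now - rq[-1] < self.min_interval:
            return False, "min_interval"
        if len(rq) >= self.per_recipient[0]:
            return False, "recipient_cap"
        if len(iq) >= self.per_ip[0]:
            return False, "ip_cap"
        rq.append(now)                          # only successful sends are counted
        iq.append(now)
        return True, "ok"


if __name__ == "__main__":
    throttle = SmsCodeThrottle()
    for attempt in ["13800000000", "+86 138 0000 0000", "138-0000-0000"]:
        print(attempt, throttle.allow(attempt, "203.0.113.10"))
```

The throttle must sit behind every code-sending endpoint (registration, login, password reset, binding change, event sign-up), since a limit on one path is bypassed by simply using another path that sends to the same number.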
0x05 Logical Vulnerability
As developers' security awareness grows and protective devices such as IPS/IDS, WAFs and full-traffic monitoring are deployed everywhere, traditional SQL injection and command execution vulnerabilities are becoming rarer and harder to exploit, since the defences have to be bypassed first. Business logic vulnerabilities, by contrast, pass straight through all of that equipment, and there is no effective generic defence against them. Business logic is also complicated, and even senior programmers leave holes in it. So with solid fundamentals, clear logical thinking, patience and care, and without skipping any step, such vulnerabilities are comparatively easy to find.
1. Bypass by modifying the response packet
Scenario 1: Changing the mobile phone number
The modification flow is: verify the original phone number > fill in the new phone number > submit the change.
If a later step does not check that the earlier step actually succeeded, the logic can be bypassed. For example, in step 1 enter any verification code, then edit the relevant fields in the response packet, such as changing 0 to 1 or false to true, so that step 1 appears to pass and the page for entering the new number is shown. If the final submission in step 3 does not verify the real result of step 1, the number can be changed without ever knowing the code.
Scenario 2: Login bypass
Some websites perform authentication in the front end. Modifying the relevant fields in the response packet, such as changing 0 to 1 or false to true, is then enough to log in as any user.
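The defect in both scenarios is the same: the server lets the client carry the result of an earlier check forward. The following added example, not code from the original article, models the three-step phone-change flow with a defective final step beside a fixed one; the user, phone numbers and six-digit code are constructed sample data.

```python
import hmac
import secrets


class PhoneChangeService:
    """Three-step flow: verify the old number, enter the new one, submit the change."""

    def __init__(self):
        self.users = {"alice": {"phone": "13800000000"}}   # constructed sample data
        self.pending_codes = {}     # user -> code sent to the old phone
        self.step1_passed = {}      # user -> True once step 1 really succeeded (server-side)

    def send_code(self, user: str) -> str:
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.pending_codes[user] = code
        return code                 # delivered by SMS in reality, never returned to the client

    def verify_old_phone(self, user: str, code: str) -> dict:
        """Step 1. The JSON result goes back to the browser, where a proxy can rewrite it."""
        ok = hmac.compare_digest(self.pending_codes.get(user, ""), code)
        if ok:
            self.step1_passed[user] = True
            del self.pending_codes[user]
        return {"success": ok}

    def submit_vulnerable(self, user: str, new_phone: str, client_says_verified: bool) -> bool:
        """Step 3, defective: trusts a flag the client carried over from step 1.
        An attacker who flipped {"success": false} to true in the proxy simply sends True here."""
        if not client_says_verified:
            return False
        self.users[user]["phone"] = new_phone
        return True

    def submit_fixed(self, user: str, new_phone: str) -> bool:
        """Step 3, fixed: only the server's own record of step 1 counts, and it is used once."""
        if not self.step1_passed.pop(user, False):
            return False
        self.users[user]["phone"] = new_phone
        return True


if __name__ == "__main__":
    svc = PhoneChangeService()
    svc.send_code("alice")
    print(svc.verify_old_phone("alice", "0000000"))            # wrong code: success false
    print(svc.submit_vulnerable("alice", "13900000000", True))  # accepted anyway
    print(svc.submit_fixed("alice", "13900000000"))             # rejected
```

The fixed version also consumes the step-1 record, so a single verified code cannot be replayed to change the number repeatedly. The same rule covers the login scenario: the server must derive the session from its own check, never from a "logged in" field echoed by the client.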
2. Horizontal privilege escalation
Scenario 1: ID traversal. Some GET or POST requests carry an obvious numeric ID parameter (phone number, employee number, bill number, bank card number, order number and so on), and you can try iterating over it. If the program does not check the caller's permissions, horizontal privilege escalation results.
Scenario 2: ID swapping. If the application hashes or encrypts the user ID and the encoding cannot be broken, the IDs cannot be iterated to pull other users' data. In that case, register two accounts and swap the encoded ID values between them. If the data of the other account comes back, the program is not verifying permissions and the same escalation exists.
3. Vertical privilege escalation
Look at the session-related fields in the cookie and try guessing and modifying them. For example, the following might be found: level=1: admin, level=2: VIP user, level=3: normal user.
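Both forms of escalation come down to one missing server-side check: who the session belongs to, and what that user is allowed to see. The following added example, not code from the original article, shows an order-lookup handler and an admin-panel check in a defective and a fixed form, plus the two-account swap test from scenario 2 written as a function. The sessions, roles and opaque order IDs are constructed sample data.

```python
# Constructed sample data. Order IDs are opaque tokens rather than sequential numbers,
# as in scenario 2, so the check cannot hide behind "unguessable" IDs.
ORDERS = {
    "o_7f3a9c": {"owner": "alice", "total": 99},
    "o_b21e04": {"owner": "bob", "total": 120},
}
SESSIONS = {"sess_alice": "alice", "sess_bob": "bob", "sess_carol": "carol"}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}   # authoritative, server-side


def get_order_vulnerable(session_id: str, order_id: str):
    """Authenticates the caller but never checks who owns the order."""
    if session_id not in SESSIONS:
        return None
    return ORDERS.get(order_id)


def get_order_fixed(session_id: str, order_id: str):
    """Ownership check: the order's owner must be the session user, or the user must be admin."""
    user = SESSIONS.get(session_id)
    order = ORDERS.get(order_id)
    if user is None or order is None:
        return None
    if order["owner"] != user and ROLES.get(user) != "admin":
        return None             # same answer as "not found": do not confirm the ID exists
    return order


def admin_panel_vulnerable(cookie: dict) -> bool:
    """Trusts a role claim stored client-side (the level=1 cookie field from the text)."""
    return cookie.get("session") in SESSIONS and cookie.get("level") == "1"


def admin_panel_fixed(session_id: str) -> bool:
    """The role comes from the server-side store, keyed by the session, never from the cookie."""
    return ROLES.get(SESSIONS.get(session_id)) == "admin"


def idor_swap_test(fetch) -> bool:
    """Scenario 2 as a test: each account requests the other's order with its own session.
    Returns True if either request succeeds, i.e. the handler is vulnerable."""
    cross = [("sess_alice", "o_b21e04"), ("sess_bob", "o_7f3a9c")]
    return any(fetch(sess, oid) is not None for sess, oid in cross)


if __name__ == "__main__":
    print("vulnerable handler leaks:", idor_swap_test(get_order_vulnerable))
    print("fixed handler leaks:", idor_swap_test(get_order_fixed))
    print("cookie level=1 grants admin:", admin_panel_vulnerable({"session": "sess_alice", "level": "1"}))
    print("server-side role grants admin:", admin_panel_fixed("sess_alice"))
```

Keeping the "not yours" and "does not exist" responses identical matters for the scenario 1 case too: a distinct 403 tells the tester which IDs are valid even when the data itself is withheld.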
Note: this article is for study and research only. Do not use it for illegal purposes, and follow the rules of the relevant SRC when hunting for vulnerabilities.
Safety suggestions:
One. Guarding against viruses and Trojans:
1. Install anti-virus software, scan the system regularly and remove any viruses found;
2. Update the virus database and system patches promptly;
3. Download software from the official site or a large, reputable download site whenever possible, and scan unknown software or documents before installing or opening them;
4. Do not open unknown web links, especially links to dubious sites or links sent by strangers over QQ;
5. When using instant-messaging tools, do not accept files from strangers at random. If you do receive a file, turn off "Hide extensions for known file types" so the real file type is visible;
6. Tighten permission management on shared disk space and scan it for viruses regularly;
7. Scan removable storage with anti-virus software before opening it. Creating a folder named autorun.inf on the removable drive prevents a USB-drive virus from planting its own autorun.inf there;
8. When data downloaded from the Internet or another public network must be moved to an intranet computer, burn it to a CD rather than using rewritable media;
9. Set a password for every account on the system, and delete or disable expired accounts promptly;
10. Back up regularly, so that a system badly damaged by a virus can be restored quickly.
Two. Preventing theft of QQ, WeChat, Weibo and other social platform accounts
1. The account name and password should not be the same. Change the password periodically and make it complex; do not use your birthday, phone number, ID number or other personal information as the password.
2. The password should mix upper- and lower-case letters, digits and other characters. Lengthen it where appropriate and change it regularly.
3. Use different user names and passwords for different online services.
4. Restart the machine before using a computer in an Internet cafe, and watch for shoulder-surfing when entering credentials. To defeat keyloggers, enter part of the account name and password, then go back and fill in the rest.
5. For online transactions, confirm with the other party by phone.
Three. Precautions for safe use of e-mail
1. Do not click links, pictures or attachments in e-mails you do not recognise.
2. If an e-mail address is used as the user name for a website, set a website password different from the mailbox password.
3. If an initial password was issued, change it.
4. Set appropriate password-recovery questions;
5. Be vigilant with e-mails about personal information or money (prize wins, fundraising and so on).
Four. Preventing phishing sites
1. Verify a website's authenticity by querying its ICP filing record;
2. Install security protection software;
3. Be wary of prize-win notices and "change your online banking password" e-mails or SMS; do not click unknown links without verification;
4. Do not log in to personal accounts or carry out financial transactions on public computers such as those in Internet cafes and hotels.
Five. Preventing information leakage on social networking sites
1. Use the security and privacy settings of social networking sites to protect sensitive information;
2. Do not click unverified links;
3. Post personal information cautiously;
4. Register only on the sites you actually need.
Six. Preventing personal information leakage
1. Process sensitive personal information in a physical or logical area with a high security level;
2. Store sensitive personal information encrypted;
3. Do not use USB flash drives to carry sensitive personal information;
4. Avoid saving or processing sensitive personal information on Internet-connected devices;
5. Transfer personal information only to legitimate recipients;
6. Guard against theft or loss when taking sensitive personal information out of the company;
7. Encrypt e-mails and take care not to send them to the wrong recipient;
8. Use a reliable courier for parcels and ask for a receipt;
9. Avoid sending faxes to the wrong number;
10. Destroy paper materials with a shredder;
11. Discarded discs, USB drives, computers and so on should be degaussed or physically destroyed.
Seven. Guarding against fake websites
1. Type the URL of the site you want directly instead of following links from elsewhere;
2. After logging in, check that the site you reached is the official one;
3. Log in to the relevant official site to check authenticity;
4. Install protection software and apply system patches promptly;
5. Be vigilant when an e-mail, SMS or phone call asks you to change your password on a designated page, or announces a prize that requires paying tax or postage before you can receive it.
Eight. Safe online shopping
1. Verify the site's qualifications and contact information, and prefer well-known, reputable shopping malls;
2. Pay through a third-party online payment platform; avoid direct private transactions with sellers;
3. Pay attention to the merchant's reputation, reviews and contact information;
4. Keep the order and other transaction records after the transaction completes;
5. Check that the payment site is genuine before entering payment information;
6. Protect personal privacy; be cautious wherever sensitive information such as bank account numbers, passwords and ID numbers is used directly;
7. Do not trust cheap online advertisements or click unverified strange links.
Nine. Preventing online pyramid selling
1. Study the business model of start-up and investment projects carefully. Whatever the name, be wary of companies that create no wealth but promise "rewards" for recruiting members who pay to join.
2. Overcome greed and do not dream of getting rich overnight. Those who take the gamble usually lose everything and may even end up on the path to crime.
Ten. Using Wi-Fi safely
1. Do not connect to every free Wi-Fi you find; use a trustworthy access point, and turn Wi-Fi on phones and tablets on only when needed, with automatic connection disabled;
2. Beware of free Wi-Fi in public places, especially networks with the same name as one already in use there. Avoid bank transfers and payments on unfamiliar public wireless networks;
3. Change the default administrator user name and password of the wireless router. Use a strong, complex password for the home router, preferably a mix of letters, digits and special symbols;
4. Power off the wireless router when nobody is using it.
Eleven. Using smartphones safely
1. Setting an access password is the first line of defence: if the phone is lost, criminals may otherwise obtain contacts, documents and other important information and misuse them;
2. Do not casually open links and files sent by strangers;
3. Set a screen-lock password and keep the phone with you;
4. Turn off location sharing in QQ, WeChat and similar apps, and enable Bluetooth only when needed;
5. Back up phone data regularly;
6. Install security software and scan the phone regularly;
7. Download apps from authoritative sites and review the permissions requested during installation carefully;
8. Do not jailbreak or root your own phone; it weakens the protection of every app on it.
Twelve. Protecting mobile payments
1. Bind the mobile payment client to the phone, use a digital certificate and enable real-name authentication;
2. Download mobile payment clients and online mall apps from the official site;
3. Install the security plug-ins the payment service requires before using it;
4. Do not enable the "remember password" (auto-login) option when logging in to mobile payment apps or online malls;
5. Check the phone's task manager regularly for malicious programs running in the background, and scan the system with security software regularly;
6. Anyone asking you to transfer money into a stranger's account or a "safe account" for any reason is committing fraud. Do not be fooled!
Thirteen. Recognising types of online fraud
1. QQ account theft and online-game trading fraud, such as impersonating a friend to borrow money;
2. Online shopping fraud, collecting a deposit and disappearing;
3. Online lottery fraud: criminals use software to push fake prize-win notices to QQ users, e-mail users, online-game players, Taobao users and others;
4. "Phishing" scams, which use fraudulent e-mails and fake websites to obtain financial information and steal money.
Fourteen. Preventing false and harmful information online
1. Report rumours promptly;
2. Do not believe or spread rumours;
3. Identify the source and reliability of information, and obtain it through trusted, certified third-party websites;
4. Be alert to information dressed up as "getting rich", "popular science" or "teaching new technology".
Finally, China is investing heavily in network security, and small and medium-sized enterprises in particular need security talent. Why? Black-hat hackers hesitate to attack large enterprises and go after small and medium-sized ones instead, so those companies need people in this field to defend them.