Preface
Behind every successful penetration test is a very thorough round of information gathering.
As a master once put it: the breadth of information gathering determines the breadth of the attack, and the breadth of knowledge determines the depth of the attack.
Information gathering
Information gathering can be viewed from a number of angles:
the company, its subsidiaries, domain names, subdomains, IPv4, IPv6, mini programs, apps, desktop software, and so on.
I mainly work on EDUsrc, where universities count as the "company".
So what can we do once we have picked a university?
We can look at its ICP-registered websites, apps, mini programs, WeChat official accounts, even its Weibo and
Twitter accounts, and turn all of them into resources we can use.
I usually use Xiaolanben (小蓝本) for this.
One query pulls in the domain names, mini programs and WeChat official accounts in a single sweep. Quite convenient, isn't it?
(Screenshots are heavily redacted to avoid trouble.)
What do we do with the domain names?
Brute-force second- and third-level subdomains, of course. OneForAll can enumerate and validate subdomains, and Masscan can then validate the open ports, but I usually use a subdomain harvester (Layer Subdomain Excavator can do the same job).
Because that tool is not mine, it is not convenient to share it here.
It outputs IPv4 and IPv6 addresses plus some domain names, so let's start with the IPs.
What can we do with an IP?
We already know that one IP address belongs to the university's network segment, but how do we find the other addresses in it?
Run a WHOIS lookup.
WHOIS records list the registrant, contact mailboxes, and the network segments the organization purchased!
That's right, the purchased network segments! (A point that is often overlooked.)
With those, there is no need to worry about missing assets.
Once we have the network segments we can take the next step.
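WHOIS gives the purchased allocations as "start - end" ranges (APNIC/RIPE inetnum, ARIN NetRange) or as CIDRs (route, route6, inet6num, ARIN CIDR), while a port scanner wants CIDRs, and a range such as 192.0.2.16 - 192.0.2.47 is two CIDRs, not one. The script below is an added example (not the author's code) that turns a WHOIS record into a Masscan target list and pulls out the contact mailboxes; the WHOIS text is constructed from RFC 5737 / RFC 3849 documentation addresses, and the netnames and e-mail addresses are invented.

```python
"""Turn the network segments in a WHOIS record into CIDR targets for masscan.

Added example, not from the original post. SAMPLE_WHOIS is constructed in
APNIC style with documentation addresses; nothing in it is real registry data.
"""
import ipaddress
import re

SAMPLE_WHOIS = """\
% Constructed sample, not real registry data.
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-UNIV-NET
descr:          Example University, main campus
country:        CN
admin-c:        EU1-AP
mnt-by:         MAINT-EXAMPLE-UNIV
e-mail:         noc@example.edu.cn

inetnum:        192.0.2.16 - 192.0.2.47
netname:        EXAMPLE-UNIV-DMZ
e-mail:         webmaster@example.edu.cn

route:          198.51.100.0/25
origin:         AS64496

inet6num:       2001:db8:1::/48
netname:        EXAMPLE-UNIV-V6
"""

# "start - end" allocations (APNIC/RIPE inetnum, ARIN NetRange)
RANGE_RE = re.compile(r"^(?:inetnum|NetRange)\s*:\s*(\S+)\s*-\s*(\S+)", re.M | re.I)
# allocations already written as CIDR (route, route6, inet6num, ARIN CIDR)
CIDR_RE = re.compile(r"^(?:route6?|CIDR|inet6num)\s*:\s*(.+)$", re.M | re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def segments_from_whois(text):
    """Every allocation in the record as ip_network objects: ranges are split
    into the minimal set of CIDRs, duplicates dropped, IPv4 listed first."""
    nets = set()
    for start, end in RANGE_RE.findall(text):
        nets.update(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    for field in CIDR_RE.findall(text):
        for cidr in field.split(","):            # ARIN may list several per line
            nets.add(ipaddress.ip_network(cidr.strip(), strict=False))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def contacts_from_whois(text):
    """Mailboxes in the record: they give away the mail domain and naming scheme."""
    return sorted(set(EMAIL_RE.findall(text)))


def masscan_targets(nets):
    """One CIDR per line, the format masscan -iL reads."""
    return "\n".join(str(n) for n in nets) + "\n"


if __name__ == "__main__":
    nets = segments_from_whois(SAMPLE_WHOIS)
    print(masscan_targets(nets), end="")
    print("contacts:", contacts_from_whois(SAMPLE_WHOIS))
    # then, by hand: masscan -iL targets.txt -p80,443,8080-8090 --rate 10000
```

Note how 192.0.2.16 - 192.0.2.47 becomes 192.0.2.16/28 and 192.0.2.32/28; pasting the range into a scanner as if it were a single /27 would scan addresses the university never bought and miss nothing, but the reverse mistake (rounding down to one /28) silently drops half the segment.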
Active information gathering
For active information gathering we can use some powerful asset-mapping tools.
Goby (what I use at the moment) does asset mapping quite well: it picks up the web services on the hosts it scans. Don't worry when a host shows no banner; sometimes Goby can't identify it either, but the hosts without banners are often the ones with problems.
Passive information gathering
Passive information gathering relies on a number of online search engines that have already crawled the targets for you.
Their query syntaxes are widely documented, so I won't use a specific site as a demonstration.
Google dorks
Baidu syntax
FOFA syntax
Shodan syntax
ZoomEye (钟馗之眼)
ThreatBook (微步在线)
Let's start with Google. You are probably familiar with Google dork syntax:
```
site:"edu.cn"
```
The most basic query: everything under the edu suffix.
Some useful combinations (replace `domain` with the target's domain; the Chinese terms are management, login, username, password, back end, captcha, system, account):
```
# find back-end / admin panels
inurl:login|admin|manage|member|admin_login|login_admin|system|user|main|cms
# find pages by text content
site:domain intext:管理|登录|用户名|密码|后台|验证码|系统|帐号|admin|login|sys|managetem|password|username
# find candidate injection points
site:domain inurl:aspx|jsp|php|asp
# find upload points
site:domain inurl:file|load|editor|files
# find eWebEditor instances
site:domain inurl:ewebeditor|editor|uploadfile|eweb|edit
# find exposed database files
site:domain filetype:mdb|asp|#
# check which script type is in use
site:domain filetype:asp/aspx/php/jsp
# indirect approach: identify a CMS by its template and image paths
inurl:cms/data/templates/images/index/
```
Different combinations often turn up different results.
Baidu grammar
Not far from Google's.
Fofa grammar
How do you pin down a school in FOFA?
There are two ways:
org and icon_hash.
With these two, are you still afraid you can't find the assets?
A school usually has only a few fixed favicons, so searching by icon_hash turns up assets that other queries miss.
Here is the icon hash script (originally Python 2; the version below is updated to Python 3):
```python
import codecs
import mmh3
import requests

# FOFA and Shodan hash the base64 *text* of the favicon, including the line break
# that the legacy base64 codec inserts every 76 characters; base64.b64encode()
# produces no line breaks and therefore a different, useless value.
response = requests.get('https://<target>/favicon.ico', verify=False)
favicon = codecs.encode(response.content, 'base64')
icon_hash = mmh3.hash(favicon)
print(icon_hash)  # FOFA: icon_hash="<value>"   Shodan: http.favicon.hash:<value>
```
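To check such a value offline, and to see why the line breaks matter, here is an added example (not the author's script and not the mmh3 library) that re-implements MurmurHash3 x86 32-bit in pure Python, the algorithm behind `mmh3.hash()`, and computes the icon_hash of a favicon held in memory. The favicon bytes are constructed; a real run would read the downloaded `favicon.ico`. The function names are mine.

```python
"""Compute the FOFA/Shodan icon_hash of a favicon without network access or mmh3.

Added example, not from the original post. murmur3_32() is MurmurHash3_x86_32
and returns a signed 32-bit value exactly as mmh3.hash() does. FAKE_FAVICON is a
constructed byte string standing in for real ICO/PNG data.
"""
import base64

MASK32 = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def _fmix32(h):
    """Final avalanche of MurmurHash3."""
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def murmur3_32(data, seed=0):
    """MurmurHash3_x86_32 over bytes; signed 32-bit result like mmh3.hash()."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    n = len(data)
    full = n & ~3
    for i in range(0, full, 4):                      # 4-byte little-endian blocks
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail = data[full:]                               # 0 to 3 trailing bytes
    if tail:
        k1 = int.from_bytes(tail, "little")
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    h1 = _fmix32(h1 ^ n)
    return h1 - 0x100000000 if h1 & 0x80000000 else h1


def icon_hash(favicon):
    """The value FOFA's icon_hash="..." and Shodan's http.favicon.hash: expect:
    MurmurHash3 over the base64 text *with* a newline every 76 characters, which
    is what codecs.encode(data, "base64") and base64.encodebytes() produce."""
    return murmur3_32(base64.encodebytes(favicon))


# Constructed stand-in for favicon.ico bytes (not a real icon).
FAKE_FAVICON = bytes(range(256)) * 2

if __name__ == "__main__":
    h = icon_hash(FAKE_FAVICON)
    print(f'FOFA:   icon_hash="{h}"')
    print(f"Shodan: http.favicon.hash:{h}")
    # The common mistake: hashing b64encode() output (no line breaks) gives a
    # different number that matches nothing in either engine.
    print("hash over b64encode() output (do not use):",
          murmur3_32(base64.b64encode(FAKE_FAVICON)))
```

Because the engines hash the base64 text rather than the raw bytes, any change to the line-wrapping (or a trailing newline dropped by a helper function) changes the search key; if a hash you computed returns nothing, check that detail before concluding the school has no assets with that icon.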
So the question is, how do I find the org?
The org names differ slightly between search engines.
FOFA org search:
```
org="China Education and Research Network Center"
```
Of course, that matches the whole education network (some organizations also have an org entry of their own).
Shodan grammar
Shodan works roughly like FOFA; it also has org and favicon filters,
but the org value is a little different:
```
org:"China Education and Research Network"
org:"China Education and Research Network Center"
```
Shodan's org values are sometimes more fine-grained: a university or a company may have an org entry of its own (try it and see).
ZoomEye
The advantage of ZoomEye is that it lists the components with known vulnerabilities, which makes them easy to spot.
```
organization:"China Education and Research Network Center"
```
ThreatBook
That was forward lookup; what about reverse?
ThreatBook's reverse lookup from an IP to its domain names is very useful.
One university had hundreds of domain names bound to a single IP address.
Sort by discovery date to find the most recently bound domain names.
360 quake
It feels like the more convenient one to use.
First, it identifies assets directly in batches; second, it identifies favicons very conveniently.
It also makes it easy to look up historical vulnerabilities from the vendor it identifies.
```
China Education Network AND city:"Beijing"
```
The query language is also relatively simple.
Page JS interfaces
The JavaScript on a page often exposes API endpoints that lack authorization checks: upload, login, password change and so on.
The same JS can be traced in Chrome DevTools: set a breakpoint in the JS file, debug it dynamically, and bypass client-side checks at run time.
The console is the GOAT.
Kunyu
An information-gathering tool that wraps a number of search-engine APIs, including ZoomEye and 360 Quake.
Small program
All right, let's get back to mini programs.
The usual line is that mini programs are useless to an attacker. That is not so.
Remember the information gathering we did earlier?
Check the mini programs it found: they talk to back-end server interfaces!
Open up CrackMinApp,
import the WeChat mini program package and reverse it to source code (if needed, I'll write a separate post on how to find and capture mini program packages).
app.js usually holds the base URL of the API.
Then go through every page's JS, find how the parameters are constructed and which interfaces are called, and send the requests to see what they do.
Hey? Found something?
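The two JS steps above (the page-JS interfaces, and finding the base URL in app.js then the interfaces in each page's JS) are the same job: pull endpoints, methods and parameter names out of JavaScript so the requests can be replayed and checked for missing authorization. The script below is an added example, not the author's workflow and not part of CrackMinApp; the mini-program and web-bundle sources are constructed, and the hostnames, key names (`baseUrl`, `baseURL`) and the "sensitive" keyword list are assumptions.

```python
"""Extract API endpoints, methods and parameter names from JavaScript.

Added example, not from the original post. Sources below are constructed;
the hostnames and key names are assumptions.
"""
import re

MINIAPP_SOURCES = {
    "app.js": """
App({
  globalData: { baseUrl: "https://api.example.edu.cn/mp/v1", token: "" },
  onLaunch() { wx.login({ success: r => { this.globalData.code = r.code; } }); }
});
""",
    "pages/user/user.js": """
const app = getApp();
Page({
  changePwd(e) {
    wx.request({
      url: app.globalData.baseUrl + "/user/changePassword",
      method: "POST",
      data: { uid: e.detail.value.uid, pwd: e.detail.value.pwd },
      success: res => console.log(res.data)
    });
  },
  upload() {
    wx.uploadFile({ url: app.globalData.baseUrl + "/file/upload", filePath: this.data.path, name: "file" });
  },
  avatar() { return "/assets/avatar.png"; }
});
""",
}
WEB_SOURCES = {
    "bundle.js": """
const api = axios.create({ baseURL: "https://portal.example.edu.cn/api" });
function resetPwd(user) {
  return axios({ url: "/admin/resetPassword", method: "post", params: { username: user } });
}
""",
}

# Where the base API URL is usually assigned (key names are assumptions).
BASE_RE = re.compile(r"""\b(?:baseUrl|baseURL|BASE_URL|apiHost)\s*[:=]\s*["'`]([^"'`]+)["'`]""")
# Request calls that take an options object; body ends at the first "})".
# Heuristic: a "}" directly followed by ")" inside the options would cut it short.
CALL_RE = re.compile(r"""(?P<fn>wx\.(?:request|uploadFile|downloadFile)|axios|\$\.ajax)\(\s*\{(?P<body>.*?)\}\s*\)""", re.S)
URL_RE = re.compile(r"""\burl\s*:\s*(?P<expr>[^,\n]+)""")
LITERAL_RE = re.compile(r"""["'`]((?:https?://|/)[^"'`\s]*)["'`]""")
METHOD_RE = re.compile(r"""\bmethod\s*:\s*["'](\w+)["']""")
DATA_RE = re.compile(r"""\b(?:data|params|formData)\s*:\s*\{(.*?)\}""", re.S)
KEY_RE = re.compile(r"\b([A-Za-z_]\w*)\s*:")
STATIC = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".js", ".wxss", ".wxml", ".woff")
SENSITIVE = ("upload", "login", "passw", "pwd", "reset", "admin", "delete", "export", "token")


def absolutize(path, base):
    return path if path.startswith("http") else (base or "") + path


def analyze(sources):
    """sources: {filename: js_text}. Returns the base URL, every request call
    with method/URL/parameter names, and all URL-looking literals outside calls."""
    base = None
    for js in sources.values():
        m = BASE_RE.search(js)
        if m:
            base = m.group(1).rstrip("/")
            break
    calls, paths = [], set()
    for name, js in sources.items():
        for m in CALL_RE.finditer(js):
            body = m.group("body")
            um = URL_RE.search(body)
            lit = LITERAL_RE.search(um.group("expr")) if um else None
            if not lit:
                continue                    # URL built only from variables: review by hand
            url = absolutize(lit.group(1), base)
            mm = METHOD_RE.search(body)
            method = mm.group(1).upper() if mm else ("POST" if m.group("fn") == "wx.uploadFile" else "GET")
            dm = DATA_RE.search(body)
            calls.append({"file": name, "method": method, "url": url,
                          "params": KEY_RE.findall(dm.group(1)) if dm else [],
                          "sensitive": any(w in url.lower() for w in SENSITIVE)})
        for lit in LITERAL_RE.findall(js):  # endpoints referenced outside any call
            if not lit.lower().endswith(STATIC):
                paths.add(absolutize(lit, base))
    return {"base": base, "calls": calls, "paths": sorted(paths)}


if __name__ == "__main__":
    for label, src in (("mini program", MINIAPP_SOURCES), ("web", WEB_SOURCES)):
        r = analyze(src)
        print(f"[{label}] base: {r['base']}")
        for c in r["calls"]:
            flag = "  <-- replay without a session and check the response" if c["sensitive"] else ""
            print(f"  {c['method']:4} {c['url']} params={c['params']}{flag}")
```

The output is a list of full URLs with the parameter names the client sends, which is exactly what you need to replay each request with a proxy and no session cookie: an upload or password-change endpoint that answers 200 to that is the unauthorized interface the section above is talking about. Calls whose URL is assembled entirely from variables are skipped and should be read by hand in DevTools with a breakpoint on the request.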
App packet capture
There are many ways to capture app traffic these days; I usually use Charles.
Out of the box that only works on Android 7 and below (from Android 7 onward apps no longer trust user-installed CA certificates by default); for newer versions you will have to research it yourself (Baidu is your friend).
(If there is a setup you want covered, it depends on the situation; I will write it up.)
Information gathering summary
The breadth of information gathering determines the breadth of the attack, and the breadth of knowledge determines the depth of the attack.
All of these techniques can be combined for a more complete result, so don't stop learning.