preface

For every successful penetration, there is a very complete collection of information.

Master said good ah: the breadth of information collection determines the breadth of the attack, the breadth of knowledge determines the depth of the attack.

Information gathering

Information gathering can be viewed in a number of areas:

Companies, subsidiaries, domain names, subdomains, IPV4, IPV6, applets, APPS, PC software, and so on

I mainly work in EDUsrc, and the universities are also counted in the company.

For example, what can we do after we find a university?

Then we can focus on record websites, APPS, small programs, wechat public accounts, and even Weibo,

Twitter sites, turn them into resources we can use.

I usually use small blueprints

In this way, domain name, small program, wechat public number, all in one net, does not feel quite easy?

(Worry about problems, heavy code)

What do we do with domain names?

That is of course blasting level 2 domain, level 3 domain, we can choose OneforALL, validate subdomain, and then use Masscan validate port, but I usually use subdomain harvester (of course layer can also do that)

Here because the tool is not my own, it is not convenient to provide.

He’s going to provide IPV4,IPV6, some domain names, so let’s start with IP

What can we do with IP?

We already know that one IP address belongs to the education network segment. How do we know other IP addresses specifically?

We can locate WHOIS

Whois contains users, mailboxes, and purchased network segments!

That’s right, buy the segment! (A point that is often overlooked)

With this, mom doesn’t have to worry about me missing.

With network segments, we can take the next step

Active information gathering

In active information gathering, we can use some powerful asset mapping tools,

Goby (currently using), asset mapping is quite good, he will have some web services, you can pick up, don’t worry about no banner, sometimes Goby also don’t know! But often the ones that don’t have banners have problems.

Passive information gathering

Passive information gathering is the use of a number of online crawling sites.

Because these grammars are quite many on the net, (individual) do not take specific website to show.

Google hack grammar

Baidu grammar

Fofa grammar

Shodan grammar

The eye of the doors

Micro step online

Google

Let’s start with Google. Google Syntax is something you’re probably familiar with

site:"edu.cn"

Copy the code

The most basic edu suffix.

Inurl: login | admin | manage | member | admin_login | login_admin | system | login | user | main | CMS find text content: Site: domain name intext: management | login user name password | | | | the background verification code | | | system account admin | login | sys | managetem | password | username to find injection points: Site: domain name inurl: aspx | | | JSP PHP asp find upload: site: domain name inurl: file | load | editor | Files to find eweb editor: Site: domain name inurl: ewebeditor | editor | uploadfile | eweb | edit existing database: site: domain name filetype: asp MDB | | # check script type: Site: domain name filetype: asp/aspx/PHP/JSP circuitous strategy invasion: inurl: CMS/data/templates/images/index /Copy the code

A variety of combinations can often send out different charm

Baidu grammar

Not too far from Google Grammar

Fofa grammar

How do you position a school in FOFA?

There are two ways

One is org, one is icon_hash

With all this and still afraid to find assets?

Because a school’s icon_hash is usually several fixed, the search for icon_hash will have different effects.

Here is the icon script (python2)

import mmh3
import requests

response = requests.get('url/favicon.ico',verify=False)
favicon = response.content.encode('base64')
hash = mmh3.hash(favicon)
print hash

Copy the code

So the question is, how do I find org

Different search engines org are slightly different

Fofa org search

org="China Education and Research Network Center"

Copy the code

Of course, it’s all educational, (some companies also have their own organizations).

Shodan grammar

Shodan and Fofa are roughly the same, there’s org and icon,

But org is a little different

org:"China Education and Research Network"
org:"China Education and Research Network Center"

Copy the code

Sometimes the Shodan side will be more segmentalized, a university will have its own organization, a company will have its own organization (see what happens)

The eye of the doors

The advantage of Zhong Kui’s eye is that he will list all the components of the vulnerability, easy to detect

organization:"China Education and Research Network Center"

Copy the code

Micro step online

So forward lookup, what about reverse?

Microstep’s reverse IP lookup domain name is very useful

One university even bound hundreds of domain names to an IP address

It’s time to find the latest domain name discovery date.

360 quake

It feels like a more convenient one to use

First, it can be directly identified in batches, and second, it can be very convenient to identify ICO

It is also convenient to query historical vulnerabilities in vendor identification

China Education Network AND City: "Beijing City"Copy the code

At the same time, the statement is relatively simple

Page JS interface

In JS, there may be a large degree of unauthorized JS interface, causing upload/login/password change etc

At the same time, the use of JS can be traced back to Chrome DevTools in THE JS file to lay a breakpoint, dynamic debugging and dynamic bypass

console yyds

Kunyu

An information gathering tool that includes a number of interfaces, including Zoomeyes, 360Quake

Small program

All right, all right, let’s get back to this

Again, grandpa said, mini program has a P, and that can’t happen

Remember that information gathering we were talking about?

Just check the small program found, there are related server interface to communicate!

Let’s open our Crackminapp

Guide the wechat small program package, reverse the source code, (if necessary, will be dedicated to a how to find/capture the package small program)

There is usually a master URL in app.js

We need to go to each JS page, find the appropriate parameter construction, interface, send packages to see the specific situation

Hey? Did you find it?

App caught

App grab bag is a lot of tricks now, I usually use Charles

Of course, only android 7 below, high version of the words need to learn by yourself ~ Baidu

(If there is one you want to use, it is also to see the situation, I will issue an issue)

Information collection summary

The breadth of information collection determines the breadth of the attack, and the breadth of knowledge determines the depth of the attack.

All of these things can be mixed together to achieve a more perfect result so don’t stop learning