In security testing, information gathering is a critical stage: what you learn here determines the likelihood of success later. The more information you have, the greater your chance of discovering vulnerabilities, in other words, of completing the testing task against the target. Put plainly, the penetration testing mindset begins with information gathering, and the gap between you and the experts also begins here!
Site Setup Analysis
Build Habits - Directory Sites
Put simply, the main site hosts another CMS program in one of its directories.
For example: a directory scan of a school website finds a bbs directory; opening it shows that it is a bbs forum site.
For example: c:/www/root and c:/www/root/bbs
But the two websites are two separate programs: a vulnerability in one program's source code says nothing about the other, so they amount to two separate sets of vulnerabilities.
Such directories can be found with a directory scanning tool. A directory-based site gives us two angles: the vulnerabilities of the main site, and the vulnerabilities of the bbs.
Build Habits - Port Sites
Separating websites by port on the same server means a security problem in one site can affect the other.
Some sites use a port other than the default port 80. Ports can be enumerated with a tool such as shodan.
Build Habits - Subdomain Sites
The two sites may not be on the same server.
Reference: if the IP addresses differ, the two sites are probably not on the same server.
Note: mainstream websites use this model now, so it is very likely that a subdomain and the main website are not on the same server.
Build Habits - Similar Domain Name Sites
Some companies abandon their original domain names and adopt new ones as their business grows, but the old domain names are often still reachable, whether the second-level domain or the top-level domain changed. These old domain names can give us a way in.
From another website of the same company
Changes to the domain name suffix
Changes to the domain name itself
For example: Jingdong's website is jd.com, so it may also use domain names such as jd.net or jd.cn. We use social-engineering (OSINT) methods to find information about its related domain names.
Build Habits - Side-Note and C-Segment Sites
Side note: there are multiple sites on the same server, but the site you are testing, site A, cannot be broken for various reasons. You get onto the server by testing site B and then reach site A from there for the final goal.
Server hosting multiple sites
Server hosting a single site
C segment: different websites sit on different servers in the same network segment. Scanning reveals the segment, one server in it is taken down first, and the target server is then reached through intranet penetration.
By querying hosts 1-254 of the segment, permissions are obtained on, say, the .101 host, and intranet security testing methods are then used from that host against the target server in the same segment to obtain permissions on the specified server.
A side-note query reveals two sites on the same server, so one can be used to break through to the other.
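The same-server and same-segment relationships described in the sections above, viewed from the defender's side as an asset inventory question. This is an added example, not code from the original notes; every hostname and IP in it is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed asset inventory for an imaginary company (every hostname and IP
# below is made up for this example): main site, a bbs directory under it,
# a bbs subdomain, an old abandoned domain on a non-default port, and a host
# in a different network segment.
ASSETS = [
    ("www.example-corp.com", "203.0.113.10", 80),
    ("www.example-corp.com/bbs", "203.0.113.10", 80),  # directory site, same server
    ("bbs.example-corp.com", "203.0.113.20", 80),      # subdomain, different server
    ("old.example-corp.net", "203.0.113.10", 8080),    # old domain, port site
    ("cdn.example-corp.com", "198.51.100.5", 443),     # different C segment
]

def group_by_server(assets):
    """Map each IP to the host:port entries served from it."""
    servers = defaultdict(list)
    for host, ip, port in assets:
        servers[ip].append(f"{host}:{port}")
    return dict(servers)

def shared_server_risks(assets):
    """Servers hosting more than one site: a hole in any one of them
    exposes the others (the side-note case)."""
    return {ip: hosts for ip, hosts in group_by_server(assets).items() if len(hosts) > 1}

def c_segment(ip):
    """The /24 network (C segment) an address belongs to."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def group_by_c_segment(assets):
    """Map each C segment to the company's distinct IPs inside it."""
    segments = defaultdict(set)
    for _, ip, _ in assets:
        segments[str(c_segment(ip))].add(ip)
    return {seg: sorted(ips) for seg, ips in segments.items()}

def c_segment_neighbors(ip, assets):
    """Other company IPs in the same /24 as ip: the hosts a 1-254 sweep of
    that segment would find next to it."""
    seg = c_segment(ip)
    return sorted({a for _, a, _ in assets if a != ip and ipaddress.ip_address(a) in seg})

if __name__ == "__main__":
    for ip, hosts in shared_server_risks(ASSETS).items():
        print(f"{ip} hosts {len(hosts)} sites: {', '.join(hosts)}")
    for seg, ips in group_by_c_segment(ASSETS).items():
        print(f"{seg}: {', '.join(ips)}")
```

Running it over a real inventory shows which sites would fall together if one of them is compromised, and which other company hosts sit in the same segment.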
Build Habits - Build Software Feature Sites
Some websites are built with third-party integrated build tools such as phpstudy or Pagoda. The harm of such an integrated environment is that it leaks detailed version information.
Common build software also ships with default database accounts and passwords; if the builder does not change them, they become a way in.
Apache/2.4.41(win32)OpenSSL/1.1.1c mod_fcgid/2.3.9a - Pagoda (this information mostly comes from the build software)
Apache/2.4.41(win32)OpenSSL/1.0.2j PHP/5.4.45 - default security settings (/phpmyadmin root/root)
After phpstudy is set up, phpmyadmin is installed on the default site. Some websites have not secured it, and you can log in directly with user name root and password root.
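A defender-side audit of the two banners quoted above, added as an example (not part of the original notes): it splits a Server banner into components, flags what it leaks, and marks end-of-life branches. The EOL table and the Windows-PHP heuristic are assumptions made for the example.

```python
import re

# The two banners quoted in this section, copied as they appear above.
BANNERS = [
    "Apache/2.4.41(win32)OpenSSL/1.1.1c mod_fcgid/2.3.9a",
    "Apache/2.4.41(win32)OpenSSL/1.0.2j PHP/5.4.45",
]

COMPONENT_RE = re.compile(r"([A-Za-z_][\w.-]*)/([\w.-]+)")   # name/version tokens
PLATFORM_RE = re.compile(r"\(([^)]+)\)")                      # e.g. (win32)

# Version branches that no longer receive security fixes. Assumption: this
# table is a small illustrative subset; keep your own copy current.
EOL_BRANCHES = {"PHP": ("5.", "7."), "OpenSSL": ("1.0.", "1.1."), "Apache": ("2.2.",)}

def parse_server_banner(banner):
    """Split a Server banner into {component: version} and the platform token."""
    components = dict(COMPONENT_RE.findall(banner))
    platform = PLATFORM_RE.search(banner)
    return {"components": components, "platform": platform.group(1) if platform else None}

def audit_server_banner(banner):
    """Findings a defender should act on for one banner (empty list = nothing leaked)."""
    parsed = parse_server_banner(banner)
    findings = []
    if parsed["components"]:
        versions = ", ".join(f"{n} {v}" for n, v in parsed["components"].items())
        findings.append(f"detailed component versions exposed: {versions}")
    if parsed["platform"]:
        findings.append(f"platform exposed: {parsed['platform']}")
    for name, version in parsed["components"].items():
        if any(version.startswith(p) for p in EOL_BRANCHES.get(name, ())):
            findings.append(f"{name} {version} is an end-of-life branch")
    # Heuristic (assumption): a Windows PHP stack is typical of phpstudy-style
    # installers, which ship phpmyadmin on the default site.
    if "PHP" in parsed["components"] and "win" in (parsed["platform"] or "").lower():
        findings.append("Windows PHP stack: verify /phpmyadmin is not reachable with root/root")
    return findings

if __name__ == "__main__":
    for banner in BANNERS:
        print(banner)
        for finding in audit_server_banner(banner):
            print("  -", finding)
```

An empty findings list is what a hardened banner such as a bare "Apache" or "nginx" produces.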
WAF Protection Analysis
What is a WAF?
Web application firewalls (also called website application-level intrusion prevention systems) come in hardware and software forms: the firewalls that companies buy from security vendors are hardware, while personal websites and small businesses use software. In security testing it is a wall standing in your way.
How to quickly identify WAF?
1. Use the tool wafw00f
Make sure a python environment is installed first, otherwise the tool cannot be installed.
# unzip wafw00f-master.zip
# python3.8 setup.py install
# ls -ld wafw00f
drwxr-xr-x 6 root root 4096 Jun 10 17:22 wafw00f
# cd wafw00f
# python main.py https://www.hlszsb.com/
[*] Checking https://www.hlszsb.com/
[+] Generic Detection results:
[-] No WAF detected by the generic detection
[~] Number of requests: 7
2. Some websites do not hide their security information and leave traces of the WAF in their responses.
3. Use nmap fingerprint detection
nmap --script=http-waf-fingerprint <target>
nmap --script=http-waf-detect <target>
Using identYwaf:
C:\Users\admin\Desktop\security\Software\identYwaf-master>python identYwaf.py https://www.manjaro.cn/
(identYwaf ASCII-art banner) (1.0.134)
[o] initializing handlers...
[i] checking hostname 'www.manjaro.cn'...
[i] running basic heuristic test...
[i] rejected summary: 200 ('<title>����ҳ��</title>')
[-] non-blind match: -
[i] running payload tests... (45/45)
[=] results: '.xx.xxxxx..xxxxxxxx.xxx.x...x.xxx......x..xxx'
[=] hardness: hard (60%)
[=] blocked categories: SQLi, XSS, XPATHi, XXE, PHPi, PT
[=] signature: '90fa:RVZXu261OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AA16FcPhJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD'
[+] blind match: 'Safedog' (100%)
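A simplified, offline version of what the "generic detection" and "blind match" steps in the tool output above look at, added here as an example (not the code of wafw00f or identYwaf): given the response to an ordinary request and the response to a request a WAF should reject, compare them and then try a fingerprint table. The responses and the two-entry fingerprint table are constructed for the example.

```python
# Constructed responses (status, headers, body) for one URL: NORMAL is an
# ordinary page request; BLOCKED is the reply to a request the WAF rejected;
# UNCHANGED is what an unprotected site returns to the same probe. Header
# values are made up for this example.
NORMAL = (200, {"Server": "Apache/2.4.41", "Content-Type": "text/html"}, "<html>welcome</html>")
BLOCKED = (403, {"Server": "Safedog", "Content-Type": "text/html"}, "<html>request blocked</html>")
UNCHANGED = (200, {"Server": "Apache/2.4.41", "Content-Type": "text/html"}, "<html>welcome</html>")

# Status codes a WAF typically answers with when it rejects a request.
BLOCK_STATUSES = {403, 406, 419, 429, 501, 503}

# Assumption: a minimal fingerprint table with only Safedog (named on this page)
# and Cloudflare's cf-ray header; real tools carry hundreds of signatures.
FINGERPRINTS = [
    ("Safedog", lambda h: "safedog" in h.get("server", "")),
    ("Cloudflare", lambda h: "cf-ray" in h or "cloudflare" in h.get("server", "")),
]

def _norm(headers):
    """Lower-case header names and values so matching is case-insensitive."""
    return {k.lower(): v.lower() for k, v in headers.items()}

def identify_waf(normal, probe):
    """Compare the benign and the probe response the way a generic check does,
    then try the fingerprint table. Returns {'detected', 'vendor', 'reasons'}."""
    n_status, n_headers, _ = normal
    p_status, p_headers, _ = probe
    n_h, p_h = _norm(n_headers), _norm(p_headers)
    reasons, vendor = [], None
    # Generic detection: the site behaves differently only when the probe is present.
    if n_status != p_status and p_status in BLOCK_STATUSES:
        reasons.append(f"status changed {n_status} -> {p_status} on probe")
    if n_h.get("server") != p_h.get("server"):
        reasons.append("Server header differs between normal and probe response")
    # Signature match on either response names the vendor.
    for name, match in FINGERPRINTS:
        if match(n_h) or match(p_h):
            vendor = name
            reasons.append(f"fingerprint matched: {name}")
            break
    return {"detected": bool(reasons), "vendor": vendor, "reasons": reasons}

if __name__ == "__main__":
    print(identify_waf(NORMAL, BLOCKED))
    print(identify_waf(NORMAL, UNCHANGED))
```

A result with reasons but no vendor corresponds to the tool's "generic detection" without a named match; a vendor with no status change means the WAF advertises itself in headers, which is the case described in point 2 above.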
What does identifying the WAF mean for security testing?
If a website uses a WAF and the penetration tester does not recognize it and runs a scanning tool directly, the WAF may blacklist the tester's IP address and block all further access. Identifying the WAF also matters because the specific bypass methods differ between WAF vendors.