Basic Process of web penetration testing and information collection

Source: Internet
Author: User
Tags: server, website

An attack must have a purpose. Before starting, settle the basic questions: why attack? How to attack? What to do once it succeeds? What to do if you are discovered? What to do in unusual circumstances? And so on.
 
Preliminary steps:
 
In a penetration test, reconnaissance (footprinting) comes first and the attack comes afterwards (well, nobody attacks without doing reconnaissance first). So let us talk about reconnaissance first.
 
Reconnaissance methods and tools fall into two kinds, active and passive:
 
1. Active reconnaissance uses scanning tools to probe the website for vulnerabilities and to gather information about it.
 
2. Passive reconnaissance collects information about the website through ordinary access. Naturally, what passive methods yield cannot compare with what active scanning yields.
 
Among passive reconnaissance tools there is P0f, mentioned in the Gray Hat book (the "omnipotent" passive operating-system fingerprinting tool; see the introduction below). Simply by accessing the website normally you can learn which operating system it runs.
 
P0f, a passive remote OS fingerprinting tool:
 
P0f identifies the operating system of a host by capturing and analysing the packets that host sends, even when the host sits behind a well-configured firewall.
 
P0f adds no direct or indirect network load: no name lookups, no probes, no ARIN queries, nothing at all. Experienced users can also use P0f to tell whether a host sits behind a firewall, whether NAT is in use, and whether a load balancer is present.
 
P0f is a passive remote operating-system identification tool that came after Nmap and Xprobe2. It supports four modes:
 
1. SYN mode (fingerprints incoming connections)
2. SYN+ACK mode (fingerprints the replies to outgoing connections)
3. RST+ mode (fingerprints refused connections)
4. Stray ACK mode (fingerprints established connections)
 
P0f can additionally report:
 
A. whether the host is behind a firewall
B. whether the host is behind NAT
C. whether a load balancer is in use
D. the uptime of the remote system (time since boot)
E. DSL and ISP (link type) information about the remote system
 
A sample report looks like this:
 
192.165.38.73:20908 - OpenBSD 3.0-3.4 (up: 836 hrs)
  -> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN)
 
192.165.38.73:21154 - Linux 2.4/2.6 (NAT!) (up: 173 hrs)
  -> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN)
 
192.165.38.73:22003 - Windows XP Pro SP1, 2000 SP3 (NAT!)
  -> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN)
 
 
 
Download (several versions are available):
http://lcamtuf.coredump.cx/p0f.shtml
Mirror: http://freshmeat.net/projects/p0f/
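As an added example that is not part of the original article, here is a small Python parser for the report layout shown above. The sample report is constructed in that layout, and the NAT heuristic (one source address seen with several different OS fingerprints) makes the author's point about NAT detection concrete; it is a useful check to run against your own edress space too, since it shows what an outsider can infer from your traffic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the layout of the p0f report quoted above; not captured from a live host.
SAMPLE_REPORT = """\
192.165.38.73:20908 - OpenBSD 3.0-3.4 (up: 836 hrs)
  -> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN)
192.165.38.73:21154 - Linux 2.4/2.6 (NAT!) (up: 173 hrs)
  -> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN)
192.165.38.73:22003 - Windows XP Pro SP1, 2000 SP3 (NAT!)
  -> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN)
"""

# First line of a record: source, OS guess, optional NAT flag, optional uptime.
HEAD_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) - (?P<os>.+?)"
    r"(?P<nat> \(NAT!\))?(?: \(up: (?P<up>\d+) hrs\))?$", re.IGNORECASE)
# Second line: destination, hop distance and the inferred link type.
ARROW_RE = re.compile(
    r"^\s*-> (?P<dst>[\d.]+):(?P<dport>\d+) \(distance (?P<dist>\d+), link: (?P<link>.+)\)$")

@dataclass
class P0fRecord:
    src: str
    sport: int
    os: str
    nat: bool
    uptime_hrs: Optional[int]
    dst: str
    dport: int
    distance: int
    link: str

def parse_p0f_report(text: str) -> List[P0fRecord]:
    """Pair each fingerprint line with the '->' line that follows it."""
    records: List[P0fRecord] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for head, arrow in zip(lines[0::2], lines[1::2]):
        h, a = HEAD_RE.match(head), ARROW_RE.match(arrow)
        if not (h and a):
            raise ValueError(f"unrecognised p0f lines: {head!r} / {arrow!r}")
        records.append(P0fRecord(
            h["src"], int(h["sport"]), h["os"], h["nat"] is not None,
            int(h["up"]) if h["up"] else None,
            a["dst"], int(a["dport"]), int(a["dist"]), a["link"]))
    return records

def suspected_nat(records: List[P0fRecord]) -> Dict[str, Set[str]]:
    """Source addresses seen with more than one OS fingerprint: a sign of NAT or a shared proxy."""
    seen: Dict[str, Set[str]] = {}
    for r in records:
        seen.setdefault(r.src, set()).add(r.os)
    return {src: oses for src, oses in seen.items() if len(oses) > 1}
```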
 
 
 
Many scanning tools, such as Nmap, are available for active reconnaissance. Nmap has stealth scanning modes; I forgot the specific parameters and seldom pay attention to my own security.
 
If necessary, you can download a mirror of the whole website (I know this is not the site's source code). Unexpected things may be hidden in the comments of some files on the site, CSS files included: some people like to write their own names at the top of their CSS. You can also identify the site-building system this way, check whether it has known vulnerabilities, and attack accordingly. You can look up the website's IP address and then its physical location. Some websites list mobile or landline numbers or a physical address. You can also look up the domain's Whois record, which also contains a physical address, contact number, email address, and so on.
 
From this you can tell whether the server is bought, rented, or hosted on the company's own premises. If no vulnerability is found on the main site, you can start from another website on the same server (the so-called "bypass" technique). However, some medium and large companies run dedicated servers, sometimes an entire class C range. Such sensitive information must not be overlooked. Even the site's designers and producers, anyone involved in building the site, may become an entry point (those with 0-day overflows are not discussed in this article).
 
 
Obtain the banner:
 
(The banner reveals the version of the software the website runs.)
 
To obtain the banner of the web server software, submit malformed data to the website, or request a nonexistent address and read the error page to determine the version in use.
 
You can also capture packets and read the HTTP response headers. Of course, many tools do this automatically.
 
To obtain the FTP version, connect directly and read the default welcome message, which states the server version.
 
You can use "nc -nvv ip port" or "telnet ip port" to read the echoed greeting and determine the remote system and software version.
 
Telnet is a good way to obtain system information from the target host; from the telnet banner you can tell whether you have reached a router or a host. This does not apply, of course, where the banner has been modified. On Linux, however, telnet is rarely found, because telnet is an insecure protocol.
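The banner checks above are just as useful from the defender's side: run them against your own servers to see what version strings they leak. As an added example that is not part of the original article, this Python code parses a constructed HTTP error response and a constructed FTP greeting and lists every product/version string found; the hardened response assumes ServerTokens Prod, ServerSignature Off and expose_php = Off on an Apache/PHP host.

```python
import re
from typing import Dict, List, Tuple

# Constructed responses, not captured from any real host.
CHATTY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1>\n"
    "<address>Apache/2.2.15 (CentOS) Server at www.example.com Port 80</address>\n"
)
# The same server after ServerTokens Prod / ServerSignature Off / expose_php=Off (assumed hardening).
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1>\n"
)
FTP_GREETING = "220 (vsFTPd 3.0.2)\r\n"

# A product name followed by '/' or a space and a dotted version, e.g. Apache/2.2.15 or vsFTPd 3.0.2.
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)[ /](\d+(?:\.\d+)+)\b")

def parse_http_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP response into status line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def version_disclosures(raw: str) -> List[Tuple[str, str, str]]:
    """(where, product, version) for every version string the response leaks."""
    _, headers, body = parse_http_response(raw)
    found = []
    for name in ("server", "x-powered-by"):      # headers that commonly carry versions
        for m in VERSION_RE.finditer(headers.get(name, "")):
            found.append((name, m.group(1), m.group(2)))
    for m in VERSION_RE.finditer(body):          # error pages with ServerSignature On
        found.append(("body", m.group(1), m.group(2)))
    return found

def banner_versions(greeting: str) -> List[Tuple[str, str]]:
    """Product/version pairs in a service greeting such as an FTP 220 line."""
    return [(m.group(1), m.group(2)) for m in VERSION_RE.finditer(greeting)]
```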
 
 
Collect information:
 
Information collection was already touched on above.
 
We can also query the whois record of the target domain to obtain some registration information, although it may not belong to the website administrator. At least we learn the DNS servers, so that we can try to hijack the DNS if needed.
 
(I usually use WVS to scan website vulnerabilities. I forgot what to use on Linux. It is very slow, but what I got was really good.)
 
If you know the physical address of the server, or the physical address behind the management phone number, you can look at the surrounding area in Google Earth; knowing the area raises the chance that telephone social engineering succeeds when people recognise it.
 
There is also the page source I mentioned at the beginning, where unexpected things may be found.
 
You can also use Google hacking to obtain more information. If you cannot find the site's admin backend or its error messages, try Google hacking.
 
When injecting MySQL on a website I had write permission but no absolute path. I searched Google for "site:domain error" and similar error prompts, found the absolute path, and successfully wrote a one-line webshell.
 
Google can also be used to search for the website's phone numbers or email addresses and to collect sensitive information about the site administrators or company employees, which is of great benefit to social engineering.
 
There are many more ways to collect information, which I will not describe here.
 
 
Organize information:
 
The collected information needs to be organized, or at least categorized. When penetrating alone you may not see the benefit.
 
For a large website, or when working as a team, however, organizing the information is essential.
 
Penetrating a large website is not a matter of a day or two. After a long time you may not remember what you recorded in which file; now you need it, but it cannot be found.
 
That must not happen, so organizing the information is necessary. Team penetration involves division of labour, and the information you obtain must at least be readable by others. If it is not organized, it is inconvenient to explain to others, and during the key steps not a single second of delay can be afforded.
 
Attack:
 
Now, having made all these preparations, we launch the attack.
 
We have prepared for the attack on the website. Does that mean we are sure to take the target? Not at all!
 
The attack is launched using the information obtained in the three preceding reconnaissance steps.
 
Once you know the other side's weak points, choose the attack method that fits them; if it is clearly an injection vulnerability, there is no sense insisting on producing XSS.
 
Once you know the other side's site-building system, you can look for its known vulnerabilities and attack through them. You can also look for vulnerabilities in the application software the other side runs and attack through those......
 
The attack methods available depend on the information you have collected. That is why reconnaissance is so important.
