Information collection at the early stage of Penetration Testing

Information collection at the early stage of Penetration Testing

Information collection at the early stage of Penetration Testing

Everything starts with a URL.

Use Google Hacking to view the target website, such as site: www.baidu.com. You can view the main site information, site: baidu.com, and view information about some sub-sites. Get started with a website.

Get website ip information: http://tool.chinaz.com/Same/, query the ip address of the website, you can also get the site information with the same ip address.

Determine whether the ip address is the CDN ip address or the real ip address. If it is a real ip address, you can scan the port to view the open port. If CDN is protected, you need to find the real ip address of the website.

View whois information, http://whois.chinaz.com/, get website registration mailbox, can be used for social engineering or login account.

Obtain the website directory information. Search for Google Hacking, such as site: baidu.com inurl: admin. Use similar syntaxes to obtain sensitive information about the website, including background information, uploading and downloading. For example, inurl: admin, inurl: upload, inurl: download, inurl: login, intitle: "login ". For example, directory traversal, intitle: index.. Here, inurl: login obtains the logon interface of the website. If there is no verification code, there is a threat of brute-force cracking or credential stuffing.

Actively collect information. 1) Use crawlers to obtain the website directory structure. For example, the wvs crawler function obtains the website directory structure. 2) use the directory guessing tool to perform brute force cracking.

Collect passive information and use the burp proxy to perform normal functions on the website, and obtain the website directory and hidden interfaces.

Obtain Server information, view the Server header of Response information, and obtain Server information. For example, Microsoft-IIS/6.0.

Obtain the script information. 1) view the Response header, for example, X-Powered-By: ASP. NET, X-Powered-By: PHP. 2) view Cookie information, such as PHPSESSID, JSESSIONID, and ASPSESSIONID. 3) view file suffixes, such as. asp, aspx,. php,. jsp,. do, and. action.

Obtain the framework information. Obtain the framework information used by the website through the error message or URL structure. Such as ThinkPHP and Struts.

Obtain Application information. For websites built using the open-source website construction system, obtain the used programs and versions