Kali basic knowledge of Linux infiltration (a): Information collection

Write in front of the nonsense: recently to give some new training, sorting things, not what too high-end content, just a simple collation, I think for small white words also is dry. In the dark cloud water for a few years, not what big God level, the recent cost-of-living tense, now intends to mix points in Freebuf fb currency, subsidy overhead hhhhh the first time on the FB article, the level is limited, write the wrong place also hope to tell me, Daniel do not spray, thank you

What is information collection:

The most important phase is the gathering of information about penetration targets. If useful information is collected, the success of penetration testing can be greatly improved. The gathering of information on the penetration target is generally the analysis of the target system, scanning detection, service enumeration, scanning the other side of the loophole, to find the other system IP, and sometimes penetration testers will also use "social engineering." Penetration testers will do their best to collect the target system's configuration and security defenses, firewalls and so on.

Content Summary

Website and server information

Search engine

Google Hacking

Social networking Sites

Non-disclosure of data by third parties

Website and server information: Whois

WHOIS is a transport protocol used to query the IP of a domain name and the owner of such information. In short, WHOIS is a database (such as the domain owner, domain name registrar) that is used to inquire about whether a domain name has been registered and the details of registering a domain name. In WHOIS queries, registrant names and mailbox information are often useful for testing personal sites, as we can tap into search engines, social networks, and information about many domain owners. And for the station point, the domain owner is often the administrator.

For example, the following Whois www.sysorem.xyz view www.sysorem.xyz This domain name registration information

DNS Server queries

In addition to WHOIS queries, we can also query DNS servers through the host command.

Format:

Host command

[-ACDLRITWV]

[-C Class]

[-N Ndots]

[-T type]

[-W Time]

[-R Number]

[-M flag]

hostname [Server]

Querying a domain name server

You can see that there are 3 DNS servers, respectively:

dns1.hdu.edu.cn

dns2.hdu.edu.cn

dns2.hdu.edu.cn

DNS record type = In the background of IDC after buying the domain name, you can see it by adding a parse record.

For example, query a record, that is, IP,

Domain Name Enumeration

After getting the main domain information, if can get all sub-domain information through the main domain name, and then through the sub-domain name to query its corresponding host IP, so that we can get a more complete information.

With the Fierse tool, you can query the domain Name list: Fierce-dns domainName

In addition to Fierse, DNSDICT6, Dnsenum, and Dnsmap can perform domain name enumeration.

Reverse Address resolution

We often use the DNS server there are two areas, namely "Forward lookup zone" and "Reverse lookup zone", the forward lookup zone is what we commonly referred to as domain name resolution, reverse lookup zone is referred to as the IP reverse resolution, Its function is to obtain the domain name that the IP address points to by querying the PTR record of the IP address.

Because in the domain Name System, an IP address can correspond to multiple domain names, so from the IP to find the domain name, theoretically should traverse the entire domain name tree, but this is not realistic on the Internet. In order to complete the reverse Domain name resolution, the system provides a special domain called the inverse analytic domain in-addr.arpa. this resolves the IP address will be expressed as a domain name can be displayed as a string, the suffix to reverse the resolution domain domain name "in-addr.arpa" end. For example, an IP address: 222.211.233.244, whose reverse domain name is expressed as: 244.233.221.222.in-addr.arpa

Dig: The command format for reverse parsing using dig is:

Dig-x IP @dnsserver #用 dig View Reverse resolution

Online query is also a way http://dns.aizhan.com/

To get complete information, you can try different tools and integrate the results. Many tools are unable to do a reverse query because the domain owner has not added a reverse parsing record.

About DNS zone transfer vulnerabilities

A zone transfer operation refers to a backup server that uses data from the autonomous server to refresh its own zone database. In general, DNS zone transfer operations are only necessary when there is a DNS server for a backup domain in the network, but many DNS servers are incorrectly configured to provide a copy of the zone database to each other whenever a request is made. When a unit does not use the public/private DNS mechanism to split external public DNS information and internal private DNS information, the internal hostname and IP address are exposed to the attacker. It's like sending a unit's internal network complete blueprint or navigation map to someone else.

Learn more about the portal, feel the great God wrote pretty clear, you can refer to the next

Service Fingerprint identification

Many sites, may not have custom error messages. Therefore, it is possible to return useful information by randomly entering a nonexistent address on the URL.

By, we know that the site's application was written by PHP, the Web server is apathe/2.2.22, the operating system is windows

Service is judged by port

By scanning the server open port to determine the existence of services on the server, nmap specifically used in the following

It can be seen that the server built HTTP (Web), MSRPC (file sharing), MSSQL database, etc.

Operating system fingerprint identification

Identifying the target host's operating system, first of all, can help us further detect operating system-level vulnerabilities to allow penetration testing from this level. Second, the operating system and the application of the building on the system are generally set up, such as lamp or LNMP. The version of the operating system also helps us to pinpoint the version of the service program or software, such as the general case that IIS on Windows Server 2003 6.0,windows server R2 is powered by IIS7.5.

Banner Crawl

Banner crawl is application fingerprinting rather than operating system fingerprint recognition. Banner information is not the behavior of the operating system itself, it is automatically returned by the application, such as Apathe, Exchange. And many times it does not directly return the operating system information, fortunately, you may see the service program itself version information, and to infer. You can see the FTP server Software for FileZilla and version information

Operating system detection using NMAP

The simplest way to identify the operating system using NMAP is to use the-o parameter

Format Nmap-o URI, you can see that the server operating system is Linux

Operating system probes using p0f

The p0f is a passive probing tool that analyzes network packets to determine the type of operating system. At the same time, P0F is powerful in network analysis, it can be used to analyze NAT, load balance, application agent and so on. The meaning of the following command is to listen for the NIC Eth0 and turn on promiscuous mode. This will listen to every network connection, some of the results are summarized as follows: P0f-i eth0–p

Operating system probes using Xprobe2

Xprobe2 is a software that uses ICMP messages for operating system probing, and the results can be referenced with Nmap. However, the software is currently available in version 2005, which is more accurate for older operating system detection results. Simple usage: xprobe2-v URI (this is usually used in my basic can not sweep anything 233333)

There are many tools for capturing operating system fingerprints, such as Miranda, but many examples.

WAF detection

WAFW00F is a Python script that is extremely useful for detecting whether a network service is in a network application firewall-protected state. Using WAFW00F to detect the presence of a network application firewall between the network server and the network transport can not only develop a test strategy, but also develop advanced technologies that bypass the network application firewall. Simple usage wafw00f URL

You can see that the site is in a WAF protected state

Search engine

Google search technology incorporates advanced search techniques for performing Google's detailed search. In the bottom right corner of Google home page, you can click "Settings", "Advanced Search" for detailed settings

On the Advanced Settings page, you can set the "All words", "exact word or phrase", "contains any of the following words", "does not contain any of the following words", "number range", "language", "Region", "Latest update", "website or domain name", "keyword appears", "Safe Search", "reading Level", "File type", " Use Permissions "and so on, more accurate search

For some well-known reasons, we can not be happy when the science of the Internet, we will use some domestic search engines. The same can be set, but relatively no Google strong.

Penetration testing also has some very useful search engines, such as Shodan (https://www.shodan.io/)

Here is the return result of search sogou.com

Click Details of the first result to view detailed information, including location, server-open ports, and more

In addition to Shodan, of course, but also have to mention that Chong-yu "Zhong Eye", zoomeye minutes of hanging fried days have wood?

Recommended cosine of "Zoomeye advanced Black"

Google hacking

Google is a powerful search engine for ordinary users, and it could be a great hack tool for hackers. Because of Google's powerful search capabilities, hackers can construct special keyword grammars that use Google to search for relevant private information on the Internet. With Google, hackers can even hack a website in a matter of seconds. The process of using Google to search for relevant information and invade is called Google Hack. Here are some commonly used so-called "Google Hacker Grammar."

For example, bulk find the background of the school site to enter the following keywords

site:hdu.edu.cn Intext: Management | backstage | login | user name | password | Authentication Code | system | account | Background Management | background login

Intext: A character in the body content of a Web page as a search condition.

For example, in Google Input: intext: Hangzhou Electric. Will return all pages containing "Hangzhou electric" in the body part of the page

Allintext: The use method is similar to Intext.

Intitle: Search the page title for the character we are looking for.

For example, search: intitle: Hangzhou Electric. The page that contains "hang electric" in all page headings will be returned. Similarly allintitle: similar to intitle.

Cache: Search Google for some content caching, sometimes you can find some good things.

Define: Search for the definition of a word, such as search: define: Hangzhou Electric, will return the definition of "Hangzhou electric".

filetype: Search for a file of the developed type, for example: Filetype:doc. All file URLs ending in doc will be returned.

Info: Find some basic information about the specified site.

Inurl: Searches for the characters we specify are present in the URL.

For example, input: Inurl:admin, will return n a connection similar to this: Http://xxx/admin,

Commonly used to find URLs for common vulnerabilities, injection points, administrator logins

Allinurl: Also similar to Inurl, you can specify multiple characters.

Linkurl: For example, search: inurl:hdu.edu.cn can return all and hdu.edu.cn URLs that have been linked.

Site: Searches for the specified domain name, such as site:hdu.edu.cn. All URLs related to hdu.edu.cn will be returned.

There are also some * characters

+ Google may ignore the list of words such as query scope

-Ignore a word

~ Word of consent

. A single wildcard character

* wildcard character, which can represent multiple letters

"" Exact query

The actual operation needs to be combined according to the situation, the following list of commonly used:

Intext:to Parent Directory

inurl:upload.php

Intitle:powered by xxx

Index Of/upload

Filetype:txt

Inurl:robots.txt

Index OF/PASSWD

Site:xxx.com filetype:mdb|ini|php|asp|jsp

.... ....

Social networking Sites

Social networking sites are often the place where we have the most public information, such as QQ, QQ space, Circle of friends, Weibo, etc. Information can be obtained by name, age, birthdays, constellations, hobbies, photos, interpersonal relationships, even mailboxes, cell phones, residential addresses, identity cards and other privacy, sensitive information. There are also job search sites that are often the worst places to leak information. The use of this information can always be a surprise.

For example, look at a sister, see her space is very friend circle, basically can know her life law can touch very clear, what she looks like, what she likes, what the girlfriends have, where to play, and sometimes can figure out what she is doing at this moment. The type of the input name of the circle of friends, most of the girls will enter their own name birthday and so on.

Since there is a fancy sister, then spend half a day to understand the sister.

Supplemented by some of the necessary social work tools,

Finally, you get the following carelessly:

Recommend a book "The Art of Deception", in the infiltration of actual combat, we can get information from the administrator through the means of social engineering, such as QQ number, mailbox, commonly used passwords and so on. For example, you can try to login to a website domain name registration platform, directly modify the domain name resolution (personal experience), may be able to achieve the effect of paralysis of the entire network services ...

Maltego: Social worker artifact: Maltego is a tool for collecting, organizing, and visualizing information from the Internet. It collects information about an individual's online data – including email addresses, blogs, friends on Facebook, hobbies, locations, job descriptions, and can be presented in a more useful and comprehensive form.

But this might be a little better for foreign countries.

Non-disclosure of data by third parties

"Social Work Pool" is a structured database of all aspects of data accumulated during attacks using social engineering. There's a lot of information in this database, and you can even find a record of each person's behavior, such as hotel room records, personal ID, name and phone number.

For example, query a QQ number old password. Findmima.com (to climb the wall)

The group relationship of a QQ number

The following data can be queried by a Social Work library website

Through these databases may be able to find the QQ password, email password and so on information, so in some cases can help to guess the information of the administrator. The first part is written here, and the back will bring new content, please pay attention.

Reference

Https://github.com/sysorem/Kali-Linux-Pentest-Basic

* Original SYSOREM, reprint please indicate from Freebuf hack with geek (freebuf.com)

Kali basic knowledge of Linux infiltration (i): Information collection