Website Information Collection

Software Security

1.1.1 related knowledge

1. IP Address

An IP address is the identifier of a computer on the Internet. Each computer on the Internet must have its own IP address. A computer can have multiple IP addresses, however, the same IP address cannot be assigned to more than one computer. Whether these addresses are automatically assigned by the Windows system, dynamically allocated through the DHCP service, or static addresses (using the obtained IP addresses ). These rules are stipulated by the IP protocol. Currently, the widely used IP address specification is defined in IPv4 (version 4th of the IP protocol.

2. Some website knowledge

The website mentioned here refers to a Web server, or an HTTP server. It provides services through Hypertext Transfer protocol, and forms webpages Based on hypertext markup language (HTML. Hyper Text transfer protocol is a way of organizing information according to human habits. It uses "hot links" to put different media, films, music, and movies are organized together. Website services include web browsing, Software downloading, online videos, search engines, and e-commerce platforms.

Tip: the website development process is as follows.

First, the webpage designer needs to use the relevant software to compile the webpage, such as using Dreamweaver, FrontPage and other Webpage Design Software. Then, the website, such as IIS and Apache Server, is created by the specialized Web Server software. After all preparations are ready, the website administrator can apply for a domain name from the relevant institution to publish the website.

3. IP Address Allocation

As mentioned above, each computer on the network must have its own IP address. How can we "Conflict" the IP address with other computers? This requires the IP address management organization to manage the IP address in a unified manner and allocate the IP address layer by layer. For example, if the global IP address management organization assigns an IP address segment 1.0.0.0 to China, then the China IP address management organization can divide the IP address segment into lower-level IP address management organizations, such as 1.1.0.0. The IP address is divided layer by layer until the IP address is assigned to each terminal computer.

It should be noted that the following IP addresses do not need to be applied to the relevant IP management organization, but they can only be used by the Intranet, and the same IP address cannot be allocated to different hosts in the same intranet.

10. x
172.16.x.x ~ 172.31.x.x
192.168.x.x

4. Common doscommands

(1) query the local IP address command

Step 1: Enable MS-DOS.

For Windows 9x systems, Select Start> Run and enter the command, as shown in Figure 1-1.

Figure 1-1 For Windows 2000/XP/2003, Select Start> Run and enter the cmd Command, as shown in figure 1-2. Figure 1-2

Step 2: query the local IP address.

For Windows 9x systems, enter the "winipcfg" command and then open window 1-3, as shown in.

Figure 1-3

For Windows 2000/XP/2003, run the ipconfig Command, as shown in figure 1-4.

Figure 1-4

(2) ping command Overview

The ping Command is a commonly used network command by intruders. It applies a management method of the Simple Network Management Protocol ICMP. The purpose is to send a specific form of ICMP packet to request the host's response, then obtain some host attributes. It has some taste of "throwing stones and asking for directions. Although the principle is simple, this command is widely used. With this command, intruders can test whether the target host is active and query the host name of the target host, you can also use ARP commands to query the MAC address of the target host, or even infer the operating system of the target host, or conduct DDoS attacks.

The format of ping command:

Ping [-t] [-a] [-n count] [-l size] [-f] [-I TTL] [-v TOS]
[-R count] [-s count] [[-j host-list] | [-k host-list]
[-W timeout] destination-list

Common parameters:

-T: Continue to ping. use Ctrl? C.
-When ping a, the IP address is converted to the host name.
-N count: the number of ping times.
-I TTL: sets the ICMP packet survival time (the ICMP packet can be uploaded to the nearest node ).

The following are two examples.

Test whether the target host is active.

Command Format: ping the Host IP Address

C:> ping 192.168.245.130
Pinging 192.168.245.130 with 32 bytes of data:
Reply from 192.168.245.130: bytes = 32 time = 10 ms TTL = 1
Reply from 192.168.245.130: bytes = 32 time <10 ms TTL = 1
Reply from 192.168.245.130: bytes = 32 time <10 ms TTL = 1
Reply from 192.168.245.130: bytes = 32 time <10 ms TTL = 1
Ping statistics for 192.168.245.130:
Packets: Sent = 4, stored ED = 4, Lost = 0 <0% lo ss>,
Approximate round trip times in milli-seconds:
Minimum = 0 ms, Maximum = 10 ms, Average = 2 ms

From the returned result "Reply from 192.168.245.130: bytes = 32 time = 10 ms TTL = 1", the target host has a response, indicating that 192.168.245.130 is active. The following result is the opposite:

C:> ping 192.168.245.130
Pinging 192.168.245.130 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.245.130:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss ),
Approximate round trip times in milli-seconds:
Minimum = 0 ms, Maximum = 0 ms, Average = 0 ms

From the returned result "Request timed out.", the target host is not active, that is, the target host is not online or has a network firewall installed. Such a host is not prone to intrusion.

Use the ping command to test the operating system.

Different operating systems have different TTL return values for ping. See table 1-1.

Table 1-1 TTL returned values of different operating systems for ping

Operation System	Default TTL Return Value
UNIX	255
Windows 95	32
For Windows NT/2000/2003	128
Compaq trusted 64 5.0	64

Therefore, intruders can determine the operating system of the Target Based on the TTL return values. For information collection methods of intruders, the network administrator can modify the Registry to change the default TTL return value.

1.1.2 collect basic information

1. Obtain the website IP address from the domain name

For the sake of memory convenience, there is a way to replace the IP address of a website with a domain name. How can an attacker obtain the target IP address when a domain name is known? They can be implemented through the following methods.

(1) Method 1: ping Command Test

Command: ping the domain name.

For example, intruders want to know the IP address of the 163 server, you can type the ping www.163.com command in the MS-DOS, as shown in 1-5.

Figure 1-5

As shown in figure 1-5, the IP address of www.163.com is 202.108.36.153.

(2) Method 2: nslookup command

Take the 163 server as an example and type the nslookup command in the MS-DOS, as shown in 1-6.

Figure 1-6

202 in Figure 1-6. □. □. 6 is the DNS server of the domain in which the local machine is located. After ">" is prompted, type the "www.163.com" command and press enter to obtain the domain name query result, as shown in 1-7.

Figure 1-7

From the analysis of the results returned in Figure 1-7, the IP addresses of the Web server group used by www.163.com are listed below.
The above describes the two basic methods that intruders often use. In addition, some software comes with the IP address translation function, which is simpler and more powerful. From the two methods, we can see that ping