# CDN principle
To find the real IP of a website that sits behind a CDN you first have to understand how a CDN works, so here is a short description of the CDN working model.
CDN stands for Content Delivery Network. A CDN spreads acceleration nodes across the network; they absorb malicious traffic aimed at the website and forward only normal traffic to it. Put simply, a CDN usually has three functions:
Cross-carrier acceleration: a website is often hosted with a single carrier (such as China Telecom), while the acceleration nodes are present on every carrier, so users of another carrier (such as China Unicom) no longer experience slow access.
Cache acceleration: many static resources, and some pages that change slowly (such as the home page), are cached by the CDN according to the max-age and Last-Modified values the browser sees and the values the administrator presets. Most requests therefore never reach the website at all; the CDN node returns the cached content itself.
Malicious traffic filtering: this is a very important function and the reason many websites use a CDN. The CDN absorbs high-volume attacks and, where a WAF is bundled, blocks common application attacks (such as injection), so only traffic judged normal is forwarded to the website. This is also why the origin IP matters to an attacker: whoever can reach the origin directly bypasses all of this.
# How to judge whether a website uses a CDN
Combine the principles above with the CDN's proximity principle (every user is served by a nearby node) and the check is easy: ping or resolve the domain from several locations. If the returned IPs differ by location, the site is behind a CDN (or at least behind GeoDNS or anycast). The converse does not hold: the same IP from every location only means this check found no evidence. A CNAME that points into a known CDN provider's domain, or response headers such as Via, X-Cache or a CDN vendor's Server value, are further hints.
# Get the website's real IP
## Method 1: Subdomain exclusion
Not every subdomain is put behind the CDN. Usually only the main site is, while names such as mail., ftp., dev. or test. often resolve straight to the origin network. So enumerate the subdomains, resolve them, and exclude the addresses that belong to the CDN; what remains points at the origin. Here are some ways to collect subdomains.
Knock Subdomain Scan
https://github.com/guelfoweb/knock
Installation
Environment: Python 2.7.6
Dependency: dnspython
$ sudo apt-get install python-dnspython
$ git clone https://github.com/guelfoweb/knock.git
$ cd knock
$ nano knockpy/config.json <- set your VirusTotal API_KEY
$ sudo python setup.py install
Note: I recommend using Google DNS (8.8.8.8 and 8.8.4.4) as the resolver for the scan.
Knockpy parameters
$ knockpy -h
usage: knockpy [-h] [-v] [-w WORDLIST] [-r] [-c] [-j] domain
positional arguments:
domain           target domain name, e.g. domain.com
optional arguments:
-h, --help       show this help message and exit
-v, --version    show the program version and exit
-w WORDLIST      path of the wordlist file
-r, --resolve    resolve an IP or domain name
-c, --csv        save the output in CSV format
-j, --json       export the full report in JSON format
Examples:
knockpy domain.com
knockpy domain.com -w wordlist.txt
knockpy -r domain.com (or an IP)
knockpy -c domain.com
knockpy -j domain.com
BlackWidow (a crawler; the pages it spiders also yield subdomains, URLs and parameters)
Linux installation:
cp blackwidow /usr/bin/blackwidow
cp injectx.py /usr/bin/injectx.py
pip install -r requirements.txt
Usage:
blackwidow -u https://target.com                crawl target.com to a depth of 3
blackwidow -d target.com -l 5                    crawl target.com to a depth of 5
blackwidow -d target.com -l 5 -c 'test=test'     crawl target.com to a depth of 5 using the cookie 'test=test'
blackwidow -d target.com -l 5 -s y               crawl target.com to a depth of 5 and fuzz all common OWASP vulnerability parameters
injectx.py https://test.com/uers.php?user=1&admin=true   fuzz the GET parameters for common OWASP vulnerabilities
VirusTotal: search the target domain and VirusTotal lists the subdomains it has observed for it (this is what the VirusTotal API key in the knockpy config above is for).
Subdomain enumeration from the Autonomous System Number
Finding the organization's Autonomous System Number (ASN) also gives you the network ranges it announces, and those ranges may hold further valid hostnames of the organization. The same ranges are what this method excludes or keeps: an address inside the CDN provider's ASN is not the origin, while one inside the organization's own ASN very probably is.
Use dig or host to resolve the IP address of a given domain name.
Look up the ASN for an IP here: https://asn.cymru.com/cgi-bin/whois.cgi
Look up the ASN for a domain name here: http://bgp.he.net/
With nmap, turn the prefixes announced by an ASN into scan targets: nmap --script targets-asn --script-args targets-asn.asn=37963
Sublist3r
https://github.com/aboul3la/Sublist3r

| Short form | Long form | Description |
| --- | --- | --- |
| -d | --domain | Domain name to enumerate subdomains of |
| -b | --bruteforce | Enable the subbrute bruteforce module |
| -p | --ports | Scan the found subdomains against specific TCP ports |
| -v | --verbose | Enable verbose mode and display results in real time |
| -t | --threads | Number of threads to use for subbrute bruteforce |
| -e | --engines | Specify a comma-separated list of search engines |
| -o | --output | Save the results to a text file |
| -h | --help | Show the help message and exit |
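The exclusion step itself, once the subdomains collected with the tools above have been resolved: keep every name whose address lies outside the CDN's prefixes and rank the survivors. This is an added example for this page, not code from the original author or from knock, Sublist3r or BlackWidow. The hostnames, addresses and prefixes are constructed (RFC 5737 documentation ranges); the CDN prefix list stands in for what you would pull from the CDN's ASN via the lookups above or from the provider's published address list.

```python
"""Subdomain exclusion: keep the hostnames whose addresses fall outside the
CDN's prefixes.  Added example for this page, not code from the original
author or from knock/Sublist3r/BlackWidow.  Every hostname, address and
prefix here is constructed (RFC 5737 ranges) to illustrate the method."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network

# Constructed: prefixes the CDN announces, e.g. gathered from its ASN via
# whois.cymru.com / bgp.he.net or from the provider's published address list.
CDN_PREFIXES: List[Net] = [
    ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")
]

# Constructed: the result of resolving the subdomains a scanner found.
RESOLVED: Dict[str, set] = {
    "www.example.com": {"203.0.113.10", "203.0.113.11"},
    "static.example.com": {"198.51.100.5"},
    "mail.example.com": {"192.0.2.25"},
    "dev.example.com": {"192.0.2.30"},
    "ftp.example.com": {"192.0.2.30"},
}


def in_prefixes(ip: str, prefixes: Iterable[Net]) -> bool:
    """True if ip lies inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def prefixes_from_main(resolved: Dict[str, set], main: str, width: int = 24) -> List[Net]:
    """Fallback when no CDN range list is at hand: treat the /width blocks
    around the main site's own answers as the CDN's ranges.  Coarse, so
    confirm any candidate afterwards."""
    nets = {ipaddress.ip_network(f"{ip}/{width}", strict=False) for ip in resolved[main]}
    return sorted(nets)


def exclude_cdn(resolved: Dict[str, set], prefixes: Iterable[Net]) -> Dict[str, List[str]]:
    """Hostnames with at least one address outside the CDN, with those addresses."""
    prefixes = list(prefixes)
    leaks: Dict[str, List[str]] = {}
    for host, ips in resolved.items():
        outside = sorted(ip for ip in ips if not in_prefixes(ip, prefixes))
        if outside:
            leaks[host] = outside
    return leaks


def rank_by_ip(leaks: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """Group leaked addresses by IP.  An address shared by several non-CDN
    hosts (here dev. and ftp.) is the strongest origin candidate."""
    by_ip: Dict[str, List[str]] = {}
    for host, ips in leaks.items():
        for ip in ips:
            by_ip.setdefault(ip, []).append(host)
    return sorted(
        ((ip, sorted(hosts)) for ip, hosts in by_ip.items()),
        key=lambda item: (-len(item[1]), item[0]),
    )


if __name__ == "__main__":
    # Use the real range list when you have one, else the coarse fallback.
    prefixes = CDN_PREFIXES or prefixes_from_main(RESOLVED, "www.example.com")
    for ip, hosts in rank_by_ip(exclude_cdn(RESOLVED, prefixes)):
        print(f"{ip:15} {', '.join(hosts)}")
```

A candidate is only a candidate until you confirm it serves the site: request the main hostname from that address with the right Host header, e.g. `curl -sk --resolve www.example.com:443:192.0.2.30 https://www.example.com/`, and compare the body and headers with what the CDN serves. A mail server's address is often in the origin network but is not necessarily the web origin itself.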
nslookup
Most Chinese CDN providers serve only the domestic market and have few or no nodes abroad, so a query sent to a resolver outside China has a good chance of returning the real IP directly:
nslookup www.xxxx.com 8.8.8.8
Better not to rely on Google DNS for this, though: many CDN providers treat Google DNS as part of the domestic market and hand it the CDN's answer as well. Use resolvers the CDN is less likely to special-case, such as the following:
Comodo Secure DNS:
8.26.56.26
8.20.247.20
DNS.WATCH:
84.200.69.80
84.200.70.40
Norton ConnectSafe offered not only DNS resolution but also filtering, in three policies: A blocks malware, phishing and scam sites; B adds adult sites on top of A; C adds gambling, crime and similar sites on top of A and B. (Norton ConnectSafe was discontinued in November 2018, so these addresses no longer answer queries.)
Norton ConnectSafe policy A:
199.85.126.10
199.85.127.10
Norton ConnectSafe policy B:
199.85.126.20
199.85.127.20
Norton ConnectSafe policy C:
199.85.126.30
199.85.127.30
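The multi-location check from the section on judging whether a site uses a CDN, and the lookup through resolvers outside the CDN's home market described here, are the same procedure: ask several resolvers for one name and compare what comes back. The script below does that and then separates addresses that arrived behind a CNAME into a known CDN domain from those that did not. It is an added example for this page, not code from the original author. The analysis works offline on captured answers; live_lookup() needs dnspython 2.x (pip install dnspython) and network access. The resolvers 1.1.1.1 and 9.9.9.9 and the CDN CNAME suffix list are assumptions not taken from the page, and the suffix list is deliberately partial.

```python
"""Query one hostname through several resolvers and compare the answers.
Added example for this page, not code from the original author.  The
analysis functions run offline on captured answers; live_lookup() needs
dnspython 2.x and network access.  1.1.1.1, 9.9.9.9 and the CDN suffix
list are assumptions, not taken from the page."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

RESOLVERS = {
    "google": "8.8.8.8",
    "comodo": "8.26.56.26",
    "dns.watch": "84.200.69.80",
    "cloudflare": "1.1.1.1",  # assumption: not on the page
    "quad9": "9.9.9.9",       # assumption: not on the page
}

# Partial, hand-maintained list of CNAME suffixes used by well-known CDNs
# (assumption: extend it for the providers your targets actually use).
CDN_CNAME_SUFFIXES = (
    ".cloudfront.net.", ".akamaiedge.net.", ".edgekey.net.", ".edgesuite.net.",
    ".cdn.cloudflare.net.", ".fastly.net.", ".incapdns.net.",
    ".cdn.dnsv1.com.", ".alikunlun.com.", ".kunlunca.com.", ".cdngslb.com.",
)

# One resolver's answer: the CNAME chain in order, then the set of A records.
Answer = Tuple[List[str], Set[str]]


def cdn_suffix(chain: List[str]) -> Optional[str]:
    """First known CDN suffix found anywhere in the CNAME chain, else None."""
    for name in chain:
        n = name.lower()
        if not n.endswith("."):
            n += "."
        for suf in CDN_CNAME_SUFFIXES:
            if n.endswith(suf):
                return suf
    return None


def analyse(answers: Dict[str, Answer]) -> dict:
    """Differing A sets across resolvers, or a CNAME into a known CDN, is
    evidence of a CDN (or GeoDNS/anycast).  Addresses handed out without a
    CDN CNAME, and never seen behind one, are the origin candidates."""
    a_sets = Counter(frozenset(ips) for _, ips in answers.values())
    suffixes: Set[str] = set()
    behind_cdn: Set[str] = set()
    direct: Set[str] = set()
    for chain, ips in answers.values():
        suf = cdn_suffix(chain)
        if suf:
            suffixes.add(suf)
            behind_cdn.update(ips)
        else:
            direct.update(ips)
    evidence = bool(suffixes) or len(a_sets) > 1
    return {
        "distinct_sets": len(a_sets),
        "cdn_suffixes": sorted(suffixes),
        "verdict": "cdn" if evidence else "no-cdn-evidence",
        # With no CNAME evidence every differing address is a candidate.
        "origin_candidates": sorted(direct - behind_cdn) if evidence else [],
    }


def live_lookup(name: str, resolvers: Dict[str, str] = RESOLVERS,
                timeout: float = 3.0) -> Dict[str, Answer]:
    """Ask each resolver directly (dnspython 2.x, network required)."""
    import dns.exception
    import dns.rdatatype
    import dns.resolver

    results: Dict[str, Answer] = {}
    for label, ip in resolvers.items():
        r = dns.resolver.Resolver(configure=False)
        r.nameservers = [ip]
        r.timeout = r.lifetime = timeout
        try:
            resp = r.resolve(name, "A").response
        except dns.exception.DNSException as exc:
            print(f"{label} ({ip}): lookup failed: {exc}")
            continue
        chain: List[str] = [name if name.endswith(".") else name + "."]
        ips: Set[str] = set()
        for rrset in resp.answer:  # CNAMEs come first, then the A rrset
            for rd in rrset:
                if rrset.rdtype == dns.rdatatype.CNAME:
                    chain.append(rd.target.to_text())
                elif rrset.rdtype == dns.rdatatype.A:
                    ips.add(rd.address)
        results[label] = (chain, ips)
    return results


# Constructed answers in the shape live_lookup() returns: two resolvers follow
# the CDN CNAME, the third hands out a different address with no CNAME.
SAMPLE: Dict[str, Answer] = {
    "google": (["www.example.com.", "www.example.com.cdn.dnsv1.com."], {"203.0.113.10"}),
    "comodo": (["www.example.com.", "www.example.com.cdn.dnsv1.com."], {"203.0.113.11"}),
    "dns.watch": (["www.example.com."], {"192.0.2.30"}),
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(analyse(live_lookup(target) if target else SAMPLE))
```

Run it with a hostname to query the listed resolvers, or without arguments to see the analysis of the constructed sample. A resolver timing out is reported and skipped rather than treated as evidence of anything; and "no-cdn-evidence" is exactly that, not proof that the address returned is the origin.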
## RSS subscription
## Get the real IP by mail