banner
leaf

leaf

It is better to manage the army than to manage the people. And the enemy.
follow
substack
tg_channel
HomeArchives作品集情报公司研报钱的属性指南针计划友情链接

Ideas and Tools for Information Collection

#情报102
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The document discusses strategies and tools for information gathering in penetration testing. It outlines a systematic approach starting from subdomain enumeration to asset identification and fingerprinting, including methods for internal network information collection. Key tools mentioned for automation and asset monitoring include Water Margin, SRC, ARL, Goby, Xray, Nuclei, and fscan. It also highlights various platforms for company asset collection, subdomain enumeration techniques, and the use of certificate transparency for domain information gathering. Additionally, it provides methods to identify and bypass CDN to obtain real IP addresses, including querying subdomain IPs, checking historical DNS records, and leveraging email systems for IP discovery.

Ideas and Tools for Information Gathering#

==========

IMG_20250304_110756

  • Reference Links:

  • Overall Approach:

    • Subdomain -> IP -> Full Ports -> http, https -> Asset Acquisition -> Fingerprinting
    • Mini Programs, Official Accounts, Apps
    • Non-web assets identified through port scanning -> such as databases: first perform bulk weak password detection, then construct a dictionary based on the obtained information for brute-forcing

  • Internal Network Information Gathering Approach (Do not start with fscan scanning)

    • First, on the compromised machine, check the network card information, history command history, netstat port information, arp table, ps processes, configuration files, etc., to collect information about other internal network segments accessible from the compromised machine.
    • Check domain information in threat intelligence communities like Weibu Online.
      • If there is no resolved IP, it may be a domain accessible only from the internal network; try ping the domain on the compromised machine to get the internal network address.
      • If there is an internet-resolved IP, you can also try ping the domain on the compromised machine to get the internal network address.
    • Sometimes, on websites on the internet side, there may be redirects to internal systems, such as OA systems or unified identity authentication systems, which can redirect to the internal network, thereby obtaining internal network address information.
    • Through successful exploitation -> for example, Fanwei -> check the Fanwei configuration files, such as database configuration files; the database system may be on another internal network server, thus confirming the existence of the internal network.
    • More techniques can be found in this article: How to Determine the Existence of an Internal Network

Comprehensive Use of Tools#

Company Name Asset Collection#

Subdomain Collection#

CDN#

CDN Detection#

  • Use different hosts to ping the domain to determine if there is a CDN

image

  • Use nslookup to resolve the domain to determine
    • If the Name field points to something like cname.vercel-dns.com, it indicates that CDN technology is used.
    • 🌰 www.baidu.com, where the Address field points to two different IPs, indicates that www.baidu.com may be using CDN.

image

Bypassing CDN to Obtain Real IP#

  • Resolve subdomain IP

    • Using CDN incurs costs, so many websites only apply CDN acceleration to the main site, while subdomains may not. Subdomains may be on the same server or the same Class C network as the main site, so querying the IP information of subdomains can help determine the real IP information of the main site.

  • Query Historical DNS Records

  • Use foreign hosts to request the domain

    • Some domestic CDN acceleration service providers only apply CDN acceleration to domestic lines, but not to foreign lines, allowing real IP information to be detected through foreign hosts. You can use your own foreign host or select foreign detection nodes from Global Ping Test to determine real IP information.

  • Email Information

    • Email systems are generally internal and not resolved through CDN. By utilizing the target website's email registration, password recovery, or RSS subscription features to send emails, you can check the source of the reply email to obtain the target's real IP.
    • Image from mathwizard

image

  • Information Leakage

    • Utilize sensitive information and files exposed through information leakage (such as phpinfo pages, website source code (backup) files, information leaked on GitHub, etc.) to obtain real IP information.
      • The SERVER_ADDR field of the phpinfo page will display the real IP of the host.

  • Target Website APP Applications

    • If the target website has its own App, you can try to use traffic capture tools like Burp Suite to capture requests from the App, which may reveal the target's real IP.

IP Reverse Lookup for Domain (Side Station Query)#

Fingerprinting#

JS and Interface Information#

APP#

Email Collection#

WAF Detection#

Sensitive Information#

Cloud Storage Engine#

Google Hack Syntax#

  • Backend Address
    • site.com intitle: Management | Backend | Login | Administrator | System | Internal
    • site.com inurl|admin|system|guanli|denglu|manage|admin_login|auth|dev
  • Sensitive Files
    • site.com (filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR --filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype)
  • Test Environment
    • site.com inurl|ceshi
    • site.com intitle: Test
  • Email
    • site.com (intitle:"Outlook Web App" OR intitle:"Email" OR inurl:"email" OR inurl:"webmail")
  • Others
    • site.com inurl|uid=|id=|userid=|token|session
    • site.com intitle.of "server at"
  • Google Syntax Generator

Information Gathering for Penetration Testing#

*   Information Gathering for Penetration Testing
*    Open Source Intelligence Gathering (OSINT)
*    GitHub
*     Whois Query / Registrant Reverse Lookup / Email Reverse Lookup / Related Assets
*     Google Hacking
*     Create Company Password Dictionary
*       Subdomain Acquisition
*     Dictionary List
*     Email List Acquisition
*      Leaked Password Query
*    Collect external information related to the company Open Source Intelligence Gathering (OSINT)
*     GitHub
*    Github_Nuggests (automatically crawls sensitive information leaks on GitHub): https://github.com/az0ne/Github_Nuggests
*    GSIL (can achieve near real-time (within 15 minutes) discovery of leaked information on GitHub): https://github.com/FeeiCN/GSIL
*    x-patrol (Xiaomi team's): https://github.com/MiSecurity/x-patrol  Whois Query / Registrant Reverse Lookup / Email Reverse Lookup / Related Assets  
*   Webmaster Home: http://whois.chinaz.com/?DomainName=target.com&ws=
* Aizhan: https://whois.aizhan.com/target.com/
*   Weibu Online: https://x.threatbook.cn/
*  IP Reverse Lookup: https://dns.aizhan.com/
*  Tianyancha: https://www.tianyancha.com/
*   Huma Check: http://www.whomx.com/
*  Historical Vulnerability Query:
*   Online Query: http://wy.zone.ci/
*   Self-built: https://github.com/hanc00l/wooyun_publi/  Google Hacking
* Create Company Password Dictionary  Dictionary List   passwordlist: https://github.com/lavalamp-/password-lists

 Domain Transfer Vulnerability Linux dig @ns.example.com example=.com AXFR Windows nslookup -type=ns xxx.yyy.cn #Query the DNS server for a certain domain name nslookup #Enter nslookup interactive mode server dns.domian.com #Specify DNS server ls xxx.yyy.cn #List domain information

GitHub#

  • @xxx.com password/secret/credentials/token/config/pass/login/ftp/ssh/pwd
  • @xxx.com security_credentials/connetionstring/JDBC/ssh2_auth_password/send_keys
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.