On collecting fingerprints of Web applications and their containers, and writing automation software for it

Ninety percent of a Web application penetration starts with information collection, so information collection is particularly important. Collecting the key information makes the later stages of the penetration much more comfortable. If a penetration is like walking through a dark maze, information collection lights up most of the maze's map for you.

There are many points involved in information collection. The software developed this time mainly targets three of them: the operating system and open ports of the host the Web application runs on, the Web Server and its approximate version, and the Web CMS used to build the site (some CMSes that are common in China).

To avoid reinventing the wheel, here are some of the software's features and the ideas behind its development.

1. Web operating system and open ports

The program uses the nmap interface to probe different systems, choosing an appropriate detection method to obtain the operating system version of the current host and its open ports, together with a service fingerprint to determine which service is listening on each port.

2. WebServer type and version

The type of WebServer is actually the top priority in a penetration. Different WebServers have different characteristics, and different versions of the same WebServer have different characteristics too. Sometimes, by combining these characteristics, major vulnerabilities that are easily overlooked can be discovered. There are two detection methods for the WebServer.

The first defines two fingerprints for the WebServer: one based on the order of the HTTP response header fields, and one based on the status codes returned for a set of probe requests. After collecting a large number of Nginx, Apache and IIS instances of different versions through ZoomEye and probing them, the following 7 types were identified. In the table below, the first column of each entry is the request method together with the HTTP protocol name and version, the second column is the HTTP status code returned for that request, and the last row of each entry is the order of the returned HTTP header fields. Using this table, built from a large number of tests, the program wraps an HTTP request class around Python's socket library to detect the specific type and approximate version of the WebServer.

(Notation: "XXX" stands for an arbitrary method name made up of the characters indicated; "0D9Y" is a deliberately invalid token sent in place of the method or protocol name; "no response" means the server closed the connection without replying.)

Apache/2.X
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        405 Method Not Allowed
  DELETE / HTTP/1.1     405 Method Not Allowed
  CONNECT / HTTP/1.1    400 Bad Request
  HEAD / 0D9Y/1.1       200 OK
  HEAD / HTTP/3.1       200 OK
  Header order: Date, Server, Content-Length, Connection, Content-Type

Apache/1.3.X
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        405 Method Not Allowed
  DELETE / HTTP/1.1     405 Method Not Allowed
  CONNECT / HTTP/1.1    400 Bad Request
  0D9Y / HTTP/1.1       200 OK
  HEAD / 0D9Y/1.1       400 Bad Request
  HEAD / HTTP/3.1       200 OK
  Header order: Date, Server, Content-Length, Connection, Content-Type

Nginx/0.7.69-1.3.9
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        411 Length Required
  DELETE / HTTP/1.1     200 OK / 405 Not Allowed / 502 Bad Gateway
  CONNECT / HTTP/1.1    200 OK / 405 Not Allowed / 502 Bad Gateway
  XXX / HTTP/1.1        lowercase letters or digits: 200 OK / 405 Not Allowed / 502 Bad Gateway
                        uppercase letters: no response
  HEAD / 0D9Y/1.1       no response
  HEAD / HTTP/3.1       200 OK
  Header order: Server, Date, Content-Type, Content-Length, Connection

Nginx/1.4.0-1.5.4
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        405 NOT ALLOWED
  DELETE / HTTP/1.1     405 NOT ALLOWED
  CONNECT / HTTP/1.1    405 NOT ALLOWED
  XXX / HTTP/1.1        lowercase letters or digits: no response
                        uppercase letters: 405 METHOD NOT ALLOWED
  HEAD / 0D9Y/1.1       no response
  HEAD / HTTP/3.1       200 OK
  Header order: Server, Date, Content-Type, Content-Length, Connection

Nginx/1.5.5-Now
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        405 Not Allowed
  DELETE / HTTP/1.1     405 Not Allowed
  CONNECT / HTTP/1.1    405 Not Allowed
  XXX / HTTP/1.1        lowercase letters or digits: 400 Bad Request
                        uppercase letters: 405 Not Allowed
  HEAD / 0D9Y/1.1       no response
  HEAD / HTTP/3.1       200 OK
  Header order: Server, Date, Content-Type, Content-Length, Connection

Microsoft-IIS/6.0
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        411 Length Required
  DELETE / HTTP/1.1     501 Not Implemented
  CONNECT / HTTP/1.1    501 Not Implemented
  XXX / HTTP/1.1        lowercase letters or digits: 501 Not Implemented
                        uppercase letters: 501 Not Implemented
  HEAD / 0D9Y/1.1       400 Bad Request
  HEAD / HTTP/3.1       505 HTTP Version Not Supported
  Header order: Connection, Date, Server, Content-Type, Content-Length

Microsoft-IIS/7.0-8.5
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        411 Length Required
  DELETE / HTTP/1.1     405 Method Not Allowed
  CONNECT / HTTP/1.1    405 Method Not Allowed
  XXX / HTTP/1.1        lowercase letters or digits: 405 Method Not Allowed
                        uppercase letters: 405 Method Not Allowed
  HEAD / 0D9Y/1.1       400 Bad Request
  HEAD / HTTP/3.1       505 HTTP Version Not Supported
  Header order (HEAD response): Content-Length, Content-Type, Server, Date, Connection

The second method is one you probably use often: check the Server field in the returned HTTP header. However, the Server field can be modified to mislead the scanner, so this method is used only as a supplement.
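The matching step of the first method, as an added example that is not the article's tool: raw probe responses are parsed for their status code and header order and scored against a transcribed subset of the table above (the three server types listed in FINGERPRINTS); the SAMPLE replies are constructed, not captured from a real host.

```python
# Added example (not the article's tool): match raw probe responses against the article's
# status-code and header-order table. FINGERPRINTS is a transcribed subset of that table;
# SAMPLE is a constructed set of responses, not captured from a real host.

# Probe keys: PUT/DELETE/CONNECT = "<METHOD> / HTTP/1.1", BADPROTO = "HEAD / 0D9Y/1.1",
# HTTP3 = "HEAD / HTTP/3.1". None = the server closed the connection without replying.
FINGERPRINTS = {
    "Apache/2.X": ({"PUT": "405", "DELETE": "405", "CONNECT": "400", "BADPROTO": "200", "HTTP3": "200"},
                   ["Date", "Server", "Content-Length", "Connection", "Content-Type"]),
    "Nginx/1.5.5-Now": ({"PUT": "405", "DELETE": "405", "CONNECT": "405", "BADPROTO": None, "HTTP3": "200"},
                        ["Server", "Date", "Content-Type", "Content-Length", "Connection"]),
    "Microsoft-IIS/7.0-8.5": ({"PUT": "411", "DELETE": "405", "CONNECT": "405", "BADPROTO": "400", "HTTP3": "505"},
                              ["Content-Length", "Content-Type", "Server", "Date", "Connection"]),
}

def parse_response(raw):
    """Return (status code, header names in order); (None, []) when nothing came back."""
    if not raw:
        return None, []
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    first = lines[0].split(" ", 2)
    status = first[1] if len(first) >= 2 and first[0].startswith("HTTP/") else None
    return status, [ln.split(":", 1)[0].strip() for ln in lines[1:] if ":" in ln]

def score(observed, fp_status, fp_headers):
    """One point per matching status code; two more if the GET / header order matches.
    Headers absent from the table (ETag, Last-Modified, ...) are ignored for the order check."""
    pts = sum(1 for k, v in fp_status.items() if parse_response(observed.get(k, b""))[0] == v)
    order = [h for h in parse_response(observed.get("GET", b""))[1] if h in fp_headers]
    return pts + (2 if order == fp_headers else 0)

def identify(observed):
    """Best-scoring entry for {probe key: raw response bytes}; returns (name, score)."""
    best = max(FINGERPRINTS.items(), key=lambda kv: score(observed, *kv[1]))
    return best[0], score(observed, *best[1])

SAMPLE = {  # constructed replies of a current nginx; ETag is noise the table does not list
    "GET": (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
            b"Content-Type: text/html\r\nContent-Length: 612\r\nETag: \"x\"\r\nConnection: keep-alive\r\n\r\n"),
    "PUT": b"HTTP/1.1 405 Not Allowed\r\nServer: nginx\r\n\r\n",
    "DELETE": b"HTTP/1.1 405 Not Allowed\r\nServer: nginx\r\n\r\n",
    "CONNECT": b"HTTP/1.1 405 Not Allowed\r\nServer: nginx\r\n\r\n",
    "BADPROTO": b"",  # no reply
    "HTTP3": b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}
```

Run against your own servers, the same scoring shows how much a hardened Server header actually hides: the status codes and header order still identify the product even when the banner is blank.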

3. CMS used to build the Web site

Currently, the CMSes that the program can quickly and accurately detect include 74CMS, ASPCMS, CMSEASY, DEDECMS, DISCUZ, DRUPAL, ECSHOP, JOOMLA, METINFO, PHPCMS, PHPWIND, WORDPRESS, XYCMS, Z-BLOG and other rapid site-building systems. To collect the CMS fingerprints, we first downloaded the latest versions and some older versions of these CMSes, walked their directories and the files in them, and recorded each file path together with the MD5 of the file. We then used ZoomEye to find Web sites running each CMS, requested each recorded file on those sites, and kept the entries whose MD5 matched; the entries with the highest match rate were selected to allow quick matching (as shown below). If quick matching fails, full matching can be tried: it is slower, but it tests every entry and therefore has a higher success rate. The program walks down through the directories layer by layer; for entries such as /js/index.js, /js/jq.js… it first checks whether the js directory returns 404, and only then proceeds to the files below it in sequence.

74cms.txt
/templates/default/css/wap.css 50c71ede9badf9417b15a3df09890a50
/templates/default/js/jquery.highlight-3.js 9b9f1ebc7411e9d9cec08031622a645a
/templates/default/js/jquery.KinSlideshow.min.js 376a6749c02e3d527cfce83a2e77d568
/templates/tpl_company/default/css/ui-dialog.css 4440728e29e7b41b79f33fb212845b9f
ASPCMS.txt
/images/qq/qqkf1/default.css 76cb116c87b88929c439a6104bfc9c0f
/plug/collect/style.css fa87014850b44b241b14ee993d7ed223
/plug/vote/style.css fa87014850b44b241b14ee993d7ed223
/images/qq/qqkf2/kefu.js 1cdeba13ea60605047e77ce38f2fa77c
CmsEasy.txt
/js/jquery.min.js 10092eee563dec2dca82b77d2cf5a1ae
/common/js/jquery/ui/themes/flora/flora.datepicker.css 670ec3ce24416b0c7a462e39bc39ca1d
/common/js/jquery/ui/themes/flora/flora.all.css 7f325a06e7ccf2222c0c4527449c0527
/common/js/jquery/ui/themes/flora/flora.tabs.css 28cddf861963342333a844bac80f2219
dedecms.txt
/images/swfupload/plugins/swfupload.swfobject.js 9cf88d567c218192eb26bf3b27763b83
/images/swfupload/plugins/swfupload.cookies.js f6940672b1ef27fccbe5a360d8382b72
/images/swfupload/plugins/swfupload.speed.js d840d5988a2b8b64350faed539041550
/images/swfupload/plugins/swfupload.queue.js 83b614f4e551d5c176833ee44c8f0e01
Discuz.txt
/static/image/common/extstyle_none.css 7215ee9c7d9dc229d2921a40e899ec5f
/source/admincp/robots.txt 96bbf89620d30c72c1dab0e8b8eca17d
/uc_server/robots.txt 15dde9868cbc402f19261bd376496d38
/template/default/common/wysiwyg.css a3ae9afbc98ac594a1ff90f8410b38f3
drupal.txt
/themes/seven/ie7.css d408f1a7cfd5ae23bd7817f036e94cea
/modules/profile/profile.js 80c518c28630fca61a98d46124210221
/modules/poll/poll-rtl.css 28f82f3171b115e9031c250abee951c0
/modules/dashboard/dashboard.css ac59df14268190ef0ea60e1d7a804fda
ECShop.txt
/includes/fckeditor/editor/filemanager/browser/default/js/common.js cf81ed7a0668e5eb3b9135bf7eb65b9a
/includes/fckeditor/fckeditor.js 5ec5a57d981113875d68d2daa3e01a0d
/includes/fckeditor/editor/dtd/fck_xhtml10transitional.js 2eaa9662e59360ed579aa2e422c7aa39
/includes/fckeditor/editor/dialog/common/fck_dialog_common.js 2341d0ae9d63666fbe01469582068419
Joomla.txt
/media/system/js/punycode-uncompressed.js 1b6d3b0e700c0a47cd91bbe2a75dcd12
/media/editors/codemirror/mode/jinja2/jinja2.js 7078315f8a3f9181c79d8b969cb10607
/media/editors/codemirror/addon/scroll/simplescrollbars.css 0352ba51fd6a422fe6cc44925e33ad88
/media/editors/codemirror/mode/crystal/crystal.js 37af5605299e885305a5a1f499288d3c
MetInfo.txt
/public/js/yao.js 858a08c6c59dfa72a33ab3d623e989a5
/public/js/metzoom.js 45af213d8f5dda4746ed101fe5a9dcb9
/public/js/imgdisplay5.js 1c2827d0e79de5bfc1337800c6522f04
/public/js/metzoomHTML.js 060a5e02653a9a34a3bcb24d9f5d38a6
phpcms.txt
/statics/js/calendar/calendar-blue.css c0c2286a4460f3b9a870be43923d4395
/robots.txt 7750f62fc14ea34527c09c7694a3d406
/statics/js/calendar/border-radius.css 888d3ead98ff921a09c0365a723339f5
/phpsso_server/statics/js/jquery.min.js 10092eee563dec2dca82b77d2cf5a1ae
phpwind.txt
/js/DeployInit.js ed1109ddea65852255c15b543a3ec161
/js/wind_editor.js e624e24a8de77dadff7c768ff7247fd6
/js/Deploy.js f1e394ddf8ae52faf4dc90fdfb5632e4
/js/credit_pop.js f80829a7eaf499dfb4dd3dd145f9ca07
wordpress.txt
/wp-includes/js/admin-bar.min.js 5bd4dfd347e0592a6bc8a5b9d6b070fc
/wp-includes/js/comment-reply.js d30ad028653d4eac285a1d4d06567bbd
/wp-includes/js/tinymce/skins/lightgray/content.inline.min.css 35b20a1298ab637a58ac70fa73df335c
/wp-includes/js/media-models.min.js bc01c1de1fdb0176783247e8a754a60b
xycms.txt
/system/images/Deepeach_colorPicker.js b2096cbcab653ad132350ef455f10e95
/system/images/menu.js 6b22b5913da498c9194205930fb95922
/system/images/style.css 6bfbaf7c3e740b19e1af6c4b6bb3ffa2
/system/images/common.js 49ed0d60b73129aebf93de5bbc4fd76e
Z-Blog.txt
/zb_users/plugin/AppCentre/images/style.css b8e0b269520535b3daf15e7fcc5bd9f9
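The fingerprint file format and the matching walk described above, as an added example that is not the article's program: the CMS names, their files and the target site are constructed stand-ins, and fetch_offline replaces the HTTP GET so the code runs without a network.

```python
import hashlib
# Added example (not the article's program): build and match fingerprint files in the
# article's "<path> <md5>" format. The two CMS names, their files and the target site are
# constructed stand-ins, and fetch_offline replaces the HTTP GET so it runs without a network.

def build_fingerprint_text(files):
    """Emit '<path> <md5>' lines from {path: bytes} taken from a reference copy of a CMS."""
    return "\n".join(f"{p} {hashlib.md5(b).hexdigest()}" for p, b in files.items())

def load_fingerprints(text):
    """Parse '<path> <md5>' lines into {path: md5}; blank or malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[1]) == 32:
            entries[parts[0]] = parts[1].lower()
    return entries

def score_cms(fetch, fingerprints):
    """Count, per CMS, the fingerprint files that exist with the expected MD5.
    fetch(path) returns body bytes, or None on 404. As in the article's layer-by-layer walk,
    a top-level directory is requested first and all its entries are skipped when it 404s."""
    scores = {}
    for cms, entries in fingerprints.items():
        hits, alive, dead = 0, set(), set()
        for path, digest in entries.items():
            parts = path.split("/")
            top = "/" + parts[1] + "/" if len(parts) > 2 else None  # None for root files
            if top and top not in alive:
                if top in dead or fetch(top) is None:
                    dead.add(top)
                    continue
                alive.add(top)
            body = fetch(path)
            if body is not None and hashlib.md5(body).hexdigest() == digest:
                hits += 1
        scores[cms] = hits
    return scores

REFERENCE = {  # constructed reference copies of two hypothetical CMSes
    "alphacms": {"/js/alpha.js": b"var alpha=1;", "/css/alpha.css": b"body{margin:0}"},
    "betacms": {"/static/beta.js": b"var beta=1;", "/static/beta.css": b"h1{color:red}"},
}
FINGERPRINTS = {cms: load_fingerprints(build_fingerprint_text(f)) for cms, f in REFERENCE.items()}
TARGET_SITE = {"/js/": b"", "/css/": b"", "/js/alpha.js": b"var alpha=1;",   # constructed target:
               "/css/alpha.css": b"body{margin:0;padding:0}"}                  # alphacms, newer css
REQUEST_LOG = []

def fetch_offline(path):
    """Stand-in for the HTTP GET: logs the request; missing path = 404 -> None."""
    REQUEST_LOG.append(path)
    return TARGET_SITE.get(path)
```

The request log shows the pruning: /static/ is requested once and its two entries are never fetched, while the changed stylesheet simply fails to match rather than breaking detection.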

In fact, there are many tricks to information collection. Writing the collection tricks you use every day into your own program is a kind of liberation, and it greatly improves efficiency. If you have any tips, let me know privately; I will write them up in a while and add them to my program.

You can download the software by clicking here

As long as you like my article today, my private network security learning materials will be shared with you for free. Come and see what is available.

Network security learning resource sharing:

Finally, I would like to share with you a complete set of network security learning materials that I have studied myself. I hope it will be helpful to friends who want to learn network security!

Getting Started with Zero Basics

For students who have never been exposed to network security, we have prepared a detailed learning and growth roadmap for you. It can be said to be the most scientific and systematic learning route. It will be no problem for everyone to follow this general direction.

[Click to receive] CSDN gift package: “Hacker & Network Security Introduction & Advanced Learning Resource Package” free sharing

1. Learning roadmap

There are a lot of things to learn about attack and defense. I have written down the specific things you need to learn in the road map above. If you can finish them, you will have no problem taking on private work.

2. Video tutorial

Although there are many learning resources on the Internet, they are basically incomplete. This is an Internet security video tutorial I recorded myself. I have accompanying video explanations for every knowledge point in the roadmap above. [Click to get the video tutorial]

(They are all packaged into one piece and cannot be expanded one by one. There are more than 300 episodes in total)

3. Technical documents and e-books

I also compiled the technical documents myself, including my experience and technical points in participating in large-scale network security operations, CTF and digging SRC vulnerabilities. There are also more than 200 e-books [click to receive the book]

4. Toolkit, interview questions and source code

“If you want to do your job well, you must first sharpen your tools.” I have summarized dozens of the most popular hacking tools for everyone. The scope of coverage mainly focuses on information collection, Android hacking tools, automation tools, phishing, etc. Interested students should not miss it.

Finally, here are the interview questions about network security that I have compiled over the past few years. If you are looking for a job in network security, they will definitely help you a lot.

These questions are often encountered when interviewing Sangfor, Qi Anxin, Tencent or other major companies. If you have good questions or good insights, please share them.

Reference analysis: Sangfor official website, Qi’anxin official website, Freebuf, csdn, etc.

Content features: Clear organization and graphical representation to make it easier to understand.

Summary of content: Including intranet, operating system, protocol, penetration testing, security service, vulnerability, injection, XSS, CSRF, SSRF, file upload, file download, file inclusion, XXE, logical vulnerability, tools, SQLmap, NMAP, BP, MSF…

Due to limited space, only part of the information is displayed. You need to click on the link below to obtain it.
CSDN gift package: “Hacker & Network Security Introduction & Advanced Learning Resource Package” free sharing