Ideas and Tools for Information Gathering#
==========
- Reference Links:
- Overall Approach:
  - Subdomain -> IP -> Full Ports -> http, https -> Asset Acquisition -> Fingerprinting
  - Mini Programs, Official Accounts, APPs
  - Non-web assets identified through port recognition, such as databases: first run bulk weak-password detection, then build a brute-force dictionary from the information obtained
- Internal Network Information Gathering Approach (do not start with fscan scanning)
  - First, check the network card information, history (command history), netstat (port information), the arp table, ps (processes), configuration files, etc., on the compromised machine to gather information about other internal network segments connected to the controlled machine.
  - Check domain information in threat intelligence communities like Weibu Online.
    - If there is no resolved IP, it may be a domain accessible only from the internal network; try ping on the controlled machine to get the internal network address of the domain.
    - If there is an internet-resolved IP, you can also try ping on the controlled machine to get the internal network address of the domain.
  - Sometimes websites on the internet redirect to internal systems, such as OA systems or unified identity authentication systems; clicking may redirect to the internal network, thus revealing internal address information.
  - After successful exploitation of certain vulnerabilities, for example Fanwei, check the Fanwei configuration files, such as the database configuration file; the database system may be on another internal network server, which confirms the existence of the internal network.
  - More techniques can be found in this article: How to Determine the Existence of an Internal Network
Comprehensive Use of Tools#
- ShuiZe - Information Gathering Automation Tool
- SRC Subdomain Asset Monitoring
- ARL (Asset Reconnaissance Lighthouse) Asset Reconnaissance System
- Goby
- Xray
- Nuclei
- fscan
Company Name Asset Collection#
- Tianyancha
- Xiaolanben
- Aiqicha
- Qichacha
- Yingtu
- 360 Threat Intelligence Center
- ENScan_GO
  - Can query company assets with specified shareholding ratios
Subdomain Collection#
- Enumeration, Third-party Aggregation Services
- Search Engines
  - Google or Baidu: site:xxx.com
  - fofa: domain="xxx.com"
- Certificate Transparency Information
  - Certificate Transparency (CT) is a public project by Google that aims to mitigate certificate-based threats by allowing domain owners, CAs, and domain users to audit the issuance and existence of SSL certificates. Because it is an open public framework, anyone can build or access the basic components that drive certificate transparency. Certificates contain sensitive information such as domain names, subdomains, and email addresses, which poses a certain security risk.
  - To gather domain information using certificate transparency, CT log search engines are generally used, such as the online sites:
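The same CT data is what a defender uses to inventory which names under their own domain have ever been issued certificates. The following is an added example, not code from the original notes; it assumes the JSON shape crt.sh returns (records with common_name and name_value fields) and uses a constructed sample rather than a live query.

```python
import json
from typing import Iterable

# Constructed sample in the shape crt.sh returns for a query such as
# https://crt.sh/?q=%25.example.com&output=json (not real log data).
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nmail.example.com"},
    {"common_name": "API.Example.com", "name_value": "API.Example.com\ndev.api.example.com"},
    {"common_name": "vpn.example.com.evil.test", "name_value": "vpn.example.com.evil.test"},
    {"common_name": "www.example.com", "name_value": "www.example.com"},
])


def _names(record: dict) -> Iterable[str]:
    """Yield every host name carried by one CT record: the CN plus all SAN entries."""
    yield record.get("common_name", "")
    # crt.sh packs the SAN list into one newline-separated name_value string.
    yield from record.get("name_value", "").split("\n")


def extract_subdomains(ct_json: str, domain: str) -> list[str]:
    """Sorted, de-duplicated host names under `domain` found in crt.sh JSON output.

    Wildcards (*.example.com) are reduced to their base name, names are lower-cased,
    and look-alikes such as example.com.evil.test are dropped because they do not end
    with ".example.com".
    """
    domain = domain.lower().strip(".")
    found: set[str] = set()
    for record in json.loads(ct_json):
        for name in _names(record):
            name = name.strip().lower().lstrip("*.")
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)
```

Names that appear here but not in your DNS zone or asset register are the ones to investigate: forgotten hosts, or certificates somebody else obtained for your domain.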
CDN#
CDN Judgment#
- Use different hosts to ping the domain to determine if there is a CDN
  - Ping from Multiple Locations - Webmaster Home
  - ipip
  - Global Ping Test
  - Aizhan Ping Detection
- Use ping domain to determine if there is a CDN
  - Directly ping the domain and check the echoed address; an echo such as cname.vercel-dns.com clearly indicates the use of CDN technology.
  - Image from mathwizard
- Use nslookup to resolve the domain to determine
  - If the Name field points to something like cname.vercel-dns.com, it indicates the use of CDN technology.
  - 🌰 www.baidu.com: the Address field points to two different IPs, indicating that www.baidu.com may be using a CDN.
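The two nslookup signs described above (a Name field that differs from the queried host, and more than one address) can be checked mechanically across an asset list, which is useful when verifying that every public host you expect to sit behind the CDN actually does. Added example, not from the original notes; the transcript is constructed, the provider suffix list holds only the vercel-dns.com value the notes mention, and the IPs are documentation addresses.

```python
import re
from dataclasses import dataclass, field

# Constructed nslookup transcript (Windows layout) for a host behind a CDN; not real output.
SAMPLE_CDN = """\
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    cname.vercel-dns.com
Addresses:  203.0.113.10
          203.0.113.11
Aliases:  www.example.com
"""

# CNAME suffixes treated as CDN providers. The notes above name vercel-dns.com;
# extend the tuple with your own provider list (assumption, not a complete list).
CDN_CNAME_SUFFIXES = ("vercel-dns.com",)


@dataclass
class Lookup:
    queried: str                    # host name that was looked up
    name: str = ""                  # Name field of the answer (the CNAME target when aliased)
    addresses: list[str] = field(default_factory=list)

    def cdn_indicators(self) -> list[str]:
        """The checks from the notes above; an empty list means no CDN sign was seen."""
        reasons = []
        if self.name and self.name.lower() != self.queried.lower():
            reasons.append(f"Name field points to {self.name}, not the queried host")
        if self.name.lower().endswith(CDN_CNAME_SUFFIXES):
            reasons.append("CNAME target belongs to a known CDN provider")
        if len(set(self.addresses)) > 1:
            reasons.append(f"{len(set(self.addresses))} distinct A records returned")
        return reasons


def parse_nslookup(output: str, queried: str) -> Lookup:
    """Parse the answer section of an nslookup transcript (Windows or Linux layout)."""
    result = Lookup(queried=queried)
    answer = output.split("answer:", 1)[-1]   # text before the marker is the resolver
    for line in answer.splitlines():
        if m := re.match(r"\s*Name:\s*(\S+)", line):
            result.name = m.group(1).rstrip(".")
        elif m := re.match(r"\s*\S+\s+canonical name = (\S+)", line):   # Linux layout
            result.name = m.group(1).rstrip(".")
        elif m := re.match(r"\s*(?:Address(?:es)?:)?\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$", line):
            result.addresses.append(m.group(1))
    return result
```

Multiple A records alone are also produced by plain round-robin DNS, so treat that indicator as weaker than a CNAME into a provider's domain.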
Bypassing CDN to Obtain Real IP#
- Resolve subdomain IPs
  - Using a CDN costs money, so many websites only apply CDN acceleration to the main site, while subdomains may not have it. Subdomains may be on the same server or in the same C-class network as the main site, so querying the IP information of a subdomain can help determine the real IP of the main site.
- Query historical DNS records
  - Querying historical records of DNS and IP bindings may reveal previous real IP information
- Use foreign hosts to request the domain
  - Some domestic CDN service providers only apply CDN acceleration to domestic lines, not to foreign lines, so the real IP can be detected from foreign hosts. You can use your own foreign host or select foreign detection nodes from Global Ping Test to determine the real IP.
- Email Information
  - Email systems are generally internal and not resolved through the CDN. By using the target website's email registration, password recovery, or RSS subscription functions to trigger an email, you can view the source of the received reply email to obtain the target's real IP.
  - Image from mathwizard
- Information Leakage
  - Utilize sensitive information and files exposed through information leakage (e.g., phpinfo pages, website source code (backup) files, information leaked on GitHub, etc.) to obtain real IP information.
  - The SERVER_ADDR field of the phpinfo page displays the real IP of the host.
- Target Website APP Application
  - If the target website has its own App, you can try using a traffic capture tool like Burp Suite to capture the App's requests, which may reveal the target's real IP.
IP Reverse Lookup Domain (Side Station Query)#
- 360 IP Reverse Lookup
- Weibu Online
- Webmaster Tools Same IP Website Query
- webscan
- Yunxi
- dnsgrep IP Reverse Lookup
- bugscaner IP Reverse Lookup
- Bing: https://cn.bing.com/search?q=ip:x.x.x.x
- Fofa: ip="x.x.x.x"
Fingerprinting#
- Browser Plugin: Wappalyzer
- Tide - Online Fingerprinting
- bugscaner - Online Fingerprinting
- EHole - Red Team Key Attack System Fingerprint Detection Tool
- Yunxi - Online Fingerprinting
- WhatWeb - Online Fingerprinting
JS and Interface Information#
- JSFinder: https://github.com/Threezh1/JSFinder
- URLFinder: https://github.com/pingc0y/URLFinder
  - Can be seen as a new version of JSFinder
- LinkFinder: https://github.com/GerbenJavado/LinkFinder
- Packer-Fuzzer: https://github.com/rtcatc/Packer-Fuzzer (webpack)
- Search for Key Interfaces
  - config/api
  - method:"get"
  - http.get("
  - method:"post"
  - http.post("
  - $.ajax
  - service.httppost
  - service.httpget
  - path
  - api
- When an xxx.js.map file exists
  - Search for the axios keyword to find routes
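The keyword list above is what tools like JSFinder turn into regular expressions. The following is an added example, not code from the notes or from any of the listed tools; it pulls literal endpoints out of a constructed bundle fragment (the http., axios., service.http and $.ajax call names are taken from the keyword list above) so that an application owner can compare the API surface shipped to browsers against what is documented and access-controlled.

```python
import re

# Constructed webpack-style bundle fragment (not taken from any real site).
SAMPLE_JS = """
import axios from 'axios';
const service = { httpget: p => axios.get(p), httppost: (p, d) => axios.post(p, d) };
export function load(creds) {
  http.get("/api/v1/users?page=1").then(render);
  $.ajax({ url: "/api/v1/config", method: "get" });
  service.httppost("/api/v1/admin/export", { all: true });
  axios.post('/api/v1/auth/login', creds);
  return fetch("https://cdn.example.com/static/app.css");
}
"""

# Direct calls: http.get("..."), axios.post('...'), service.httpget("..."), fetch("...").
DIRECT_CALL_RE = re.compile(
    r"\b(?:fetch|(?:http|axios|service\.http)\.?(?P<verb>get|post|put|delete))"
    r"\(\s*['\"](?P<path>[^'\"]+)['\"]", re.I)
# jQuery: $.ajax({ url: "...", method: "..." }); url and method order varies, so capture the body.
AJAX_RE = re.compile(r"\$\.ajax\(\s*\{(?P<body>[^}]*)\}")


def extract_endpoints(js: str) -> list[tuple[str, str]]:
    """Return sorted unique (METHOD, path) pairs for every literal endpoint in the bundle."""
    found: set[tuple[str, str]] = set()
    for m in DIRECT_CALL_RE.finditer(js):
        verb = m.group("verb") or "GET"          # fetch() without options defaults to GET
        found.add((verb.upper(), m.group("path")))
    for m in AJAX_RE.finditer(js):
        body = m.group("body")
        url = re.search(r"url\s*:\s*['\"]([^'\"]+)['\"]", body)
        method = re.search(r"(?:method|type)\s*:\s*['\"](\w+)['\"]", body, re.I)
        if url:
            found.add(((method.group(1) if method else "GET").upper(), url.group(1)))
    return sorted(found)


def review_first(js: str) -> list[tuple[str, str]]:
    """Subset to check for missing authorization first: admin/auth paths and any non-GET call."""
    return [(v, p) for v, p in extract_endpoints(js)
            if v != "GET" or re.search(r"/(admin|auth|login)/", p)]
```

Paths built at runtime from variables are invisible to this pass; for those, the xxx.js.map source map mentioned above gives back the original route definitions.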
APP#
Email Collection#
WAF Identification#
Sensitive Information#
Cloud Storage Engine#
Google Hack Syntax#
- Backend Address
  - site.com intitle: management | backend | login | administrator | system | internal
  - site.com inurl|admin|system|guanli|denglu|manage|admin_login|auth|dev
- Sensitive Files
  - site.com (filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR --filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype OR filetype)
- Testing Environment
  - site.com inurl|ceshi
  - site.com intitle: Test
- Email
  - site.com (intitle:"Outlook Web App" OR intitle:"Email" OR inurl:"email" OR inurl:"webmail")
- Others
  - site.com inurl|uid=|id=|userid=|token|session
  - site.com intitle:index.of "server at"
- Google Syntax Generator
  - Online Version: http://www.php1nf0.top/google/google.php
  - Offline Version: Get it here
Information Gathering for Penetration Testing#
* Information Gathering for Penetration Testing
* Open Source Intelligence Information Gathering (OSINT)
* github
* whois query / registrant reverse lookup / email reverse lookup / related assets
* google hacking
* Create Company Password Dictionary
* Subdomain Acquisition
* Dictionary List
* Email List Acquisition
* Leaked Password Query
* Collect external information related to the company

Open Source Intelligence Information Gathering (OSINT)
* github
  * Github_Nuggests (automatically crawls sensitive information leaks on Github): https://github.com/az0ne/Github_Nuggests
  * GSIL (near real-time (within 15 minutes) discovery of leaked information on Github): https://github.com/FeeiCN/GSIL
  * x-patrol (Xiaomi team's): https://github.com/MiSecurity/x-patrol
* whois query / registrant reverse lookup / email reverse lookup / related assets
  * Webmaster Home: http://whois.chinaz.com/?DomainName=target.com&ws=
  * Aizhan: https://whois.aizhan.com/target.com/
  * Weibu Online: https://x.threatbook.cn/
  * IP Reverse Lookup: https://dns.aizhan.com/
  * Tianyancha: https://www.tianyancha.com/
  * Huma Check: http://www.whomx.com/
  * Historical Vulnerability Query:
    * Online Query: http://wy.zone.ci/
    * Self-built: https://github.com/hanc00l/wooyun_publi/
* google hacking

Create Company Password Dictionary
* Dictionary List
  * passwordlist: https://github.com/lavalamp-/password-lists
  * Piggy Dictionary: https://pan.baidu.com/s/1dFJyedz
  * Blasting_dictionary (sharing and collecting various dictionaries, including weak passwords, common passwords, directory brute force, database brute force, editor brute force, backend brute force, etc.)
  * For specific vendors, focus on constructing dictionaries related to vendor domains: ['%pwd%123','%user%123','%user%521','%user%2017','%pwd%321','%pwd%521','%user%321','%pwd%123!','%pwd%123!@#','%pwd%1234','%user%2016','%user%123$%^','%user%123!@#','%pwd%2016','%pwd%2017','%pwd%1!','%pwd%2@','%pwd%3#','%pwd%123#@!','%pwd%12345','%pwd%123$%^','%pwd%!@#456','%pwd%123qwe','%pwd%qwe123','%pwd%qwe','%pwd%123456','%user%123#@!','%user%!@#456','%user%1234','%user%12345','%user%123456','%user%123!']
* Password Generation
  * GenpAss (Chinese-style weak password generator): https://github.com/RicterZ/genpAss/
  * passmaker (customizable password dictionary generator): https://github.com/bit4woo/passmaker
  * pydictor (powerful password generator): https://github.com/LandGrey/pydictor
* Email List Acquisition
  * theHarvester: https://github.com/laramies/theHarvester
  * After obtaining an email, export the address book with LinkedInt: https://github.com/mdsecactivebreach/LinkedInt
  * Mailget: https://github.com/Ridter/Mailget
* Leaked Password Query
  * ghostproject: https://ghostproject.fr/
  * pwndb: https://pwndb2am4tzkvold.onion.to/

Collect external information related to the company
* Subdomain Acquisition
  * Layer Subdomain Excavator 4.2 Commemorative Edition
  * subDomainsBrute: https://github.com/lijiejie/subDomainsBrute
  * wydomain: https://github.com/ring04h/wydomain
  * Sublist3r: https://github.com/aboul3la/Sublist3r
  * site.com: https://www.google.com
  * Github Code Repository
  * Capture and analyze request return values (redirects/file uploads/app/api interfaces, etc.)
  * Webmaster Helper links and other online query websites
  * Domain Transfer (zone transfer) Vulnerability
    * Linux: dig @ns.example.com example.com AXFR
    * Windows:
      nslookup -type=ns xxx.yyy.cn   # query the DNS servers for a domain
      nslookup                       # enter nslookup interactive mode
      server dns.domain.com          # specify the DNS server
      ls xxx.yyy.cn                  # list the domain's records
  * GetDomainsBySSL.py: https://note.youdao.com/ynoteshare1/index.html?id=247d97fc1d98b122ef9804906356d47a&type=note#/
  * censys.io Certificate: https://censys.io/certificates?q=target.com
  * crt.sh Certificate Query: https://crt.sh/?q=%25.target.com
  * shodan: https://www.shodan.io/
  * zoomeye: https://www.zoomeye.org/
  * fofa: https://fofa.so/
  * censys: https://censys.io/
  * dnsdb.io: https://dnsdb.io/zh-cn/search?q=target.com
  * api.hackertarget.com: http://api.hackertarget.com/reversedns/?q=target.com
  * community.riskiq.com: https://community.riskiq.com/Search/target.com
  * subdomain3: https://github.com/yanxiu0614/subdomain3
  * FuzzDomain: https://github.com/Chora10/FuzzDomain
  * dnsdumpster.com: https://dnsdumpster.com/
  * phpinfo.me: https://phpinfo.me/domain/
  * DNS Open Data Interface: https://dns.bufferover.run/dns?q=baidu.com
Github#
- @xxx.com password/secret/credentials/token/config/pass/login/ftp/ssh/pwd
- @xxx.com security_credentials/connectionstring/JDBC/ssh2_auth_password/send_keys