Kali web penetration testing notes (3)
2016-06-12 00:26
Reconnaissance and Profiling the Web Server
Reconnaissance includes the following tasks: IP addresses, subdomains, whois records, DNS servers, search engines
(Google, Bing, Yahoo, Shodan, and archive.org),
social networking sites (Facebook, Flickr, Instagram, Twitter) and Maltego to correlate what they expose,
determining the physical location of the target using a GeoIP database and satellite images from Google Maps and Bing Maps,
spidering the web application and creating sitemaps with Burp Suite, HTTrack, and ZAP.
whois
Identifying hosts using DNS
Zone transfer using dig (only works when the name server is misconfigured to allow AXFR from anyone; it hands over the whole zone in one query)
Brute force DNS records using Nmap: the dns-brute script makes use of the dictionary files
vhosts-default.lst and
vhosts-full.lst, which contain a large list of common hostnames:
nmap --script dns-brute --script-args dns-brute.domain=pentesting-lab.com
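The two DNS steps above, chained the way they are actually run: try AXFR against every authoritative name server, and only fall back to the dns-brute wordlist when all of them refuse. This is an added example, not code from the original notes; it assumes dig and nmap are installed, and the domain pentesting-lab.com and the TARGET variable are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): try an AXFR zone transfer against
# every authoritative name server of a domain, and fall back to Nmap's dns-brute
# script when all of them refuse. Assumes dig and nmap are installed; TARGET and
# pentesting-lab.com are placeholders.
set -u

# Authoritative name servers of a domain, one per line, without the trailing dot.
list_ns() {
    dig +short NS "$1" | sed 's/\.$//'
}

# Count the resource records in raw `dig ... axfr` output. The zone's SOA is
# printed twice (start and end of the transfer), so it is skipped. When AXFR
# is refused, dig prints only comment lines such as "; Transfer failed." and
# the count is 0.
count_axfr_records() {
    printf '%s\n' "$1" | awk '$0 !~ /^;/ && $3 == "IN" && $4 != "SOA" { n++ } END { print n + 0 }'
}

# "hostname address" pairs for the A records of a transferred zone: the host
# list for the scanning phase.
axfr_hosts() {
    printf '%s\n' "$1" | awk '$0 !~ /^;/ && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }'
}

enum_dns() {
    local domain="$1" ns out found=0
    for ns in $(list_ns "$domain"); do
        out=$(dig "@$ns" axfr "$domain" +time=5 +tries=1 2>/dev/null || true)
        if [ "$(count_axfr_records "$out")" -gt 0 ]; then
            echo "[+] $ns allows zone transfer of $domain"
            axfr_hosts "$out"
            found=1
        else
            echo "[-] $ns refused AXFR"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "[*] no zone transfer; brute-forcing names with the dns-brute script"
        nmap --script dns-brute --script-args "dns-brute.domain=$domain"
    fi
}

# Network activity only when a target is given:  TARGET=pentesting-lab.com ./dns-enum.sh
if [ -n "${TARGET:-}" ]; then
    enum_dns "$TARGET"
fi
```

The host list printed by axfr_hosts is the input for the scanning phase below; a refused transfer on every name server is the normal case, so the wordlist fallback is what usually runs.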
The Recon-ng tool, a framework for information gathering: **Recon-ng** uses many different sources to gather data, such as Google, Twitter, and Shodan.
Scanning Phase:
Port scanning
Operating system fingerprinting
Web server version identification
Underlying infrastructure analysis
Application identification
Nmap:
--packet-trace (prints every packet sent and received; useful for seeing what the different port scan options actually put on the wire)
Evading firewalls and IPS using Nmap
ACK scan (-sA)
Hardcoded source port in firewall rules (--source-port)
Custom packet size (--data-length)
Custom MTU (--mtu)
MAC address spoofing (--spoof-mac)
Spotting a firewall using the bad checksum option in Nmap:
--badsum (a real host silently drops packets with a bad TCP/UDP checksum, so any reply comes from a firewall or IPS in the path that answered without verifying it)
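The ACK scan and the bad-checksum probe are only useful when compared with a plain SYN scan of the same ports, which the notes do not spell out. The script below (an added example, not from the original notes) runs the three scans and gives a per-port verdict; it assumes nmap is installed and run as root, and the host 192.168.1.8 and the TARGET variable are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): combine a SYN scan, an ACK scan
# and a bad-checksum scan to tell a stateful firewall from a stateless packet
# filter. Assumes nmap is installed and run as root (raw-socket scans);
# 192.168.1.8 and TARGET are placeholders.
set -u

# "port state" lines from nmap grepable (-oG) output. Scan an explicit, short
# port list: ports in nmap's "Ignored State" bucket are not listed and would
# show up as unknown below.
port_states() {
    printf '%s\n' "$1" | awk '
        index($0, "Ports: ") {
            s = substr($0, index($0, "Ports: ") + 7)
            sub(/\t.*/, "", s)                 # drop the "Ignored State" field
            n = split(s, p, /, /)
            for (j = 1; j <= n; j++) { split(p[j], f, "/"); print f[1], f[2] }
        }'
}

# Per-port verdict from the two scans:
#   SYN filtered + ACK unfiltered    -> stateful firewall (ACKs pass, new SYNs are dropped)
#   SYN filtered + ACK filtered      -> stateless filter dropping everything to that port
#   SYN open/closed + ACK unfiltered -> nothing in the way
firewall_verdict() {
    { port_states "$1" | sed 's/^/syn /'; port_states "$2" | sed 's/^/ack /'; } |
    awk '
        { st[$1, $2] = $3; ports[$2] = 1 }
        END {
            for (p in ports) {
                s = st["syn", p]; a = st["ack", p]
                if (s == "" || a == "")                        v = "unknown"
                else if (s == "filtered" && a == "unfiltered") v = "stateful-firewall"
                else if (s == "filtered" && a == "filtered")   v = "stateless-filter"
                else                                           v = "no-filter"
                print p, s, a, v
            }
        }' | sort -n
}

scan_for_firewall() {
    local host="$1" ports="${2:-22,80,443,8080}" syn ack bad
    syn=$(nmap -sS -p "$ports" -oG - "$host")
    ack=$(nmap -sA -p "$ports" -oG - "$host")
    firewall_verdict "$syn" "$ack"
    # A real host silently drops packets with a bad TCP checksum; any port reported
    # open or closed here was answered by a middlebox that did not check it.
    bad=$(nmap -sS --badsum -p "$ports" -oG - "$host")
    if port_states "$bad" | grep -Eq ' (open|closed)$'; then
        echo "[!] replies to bad-checksum probes: a firewall or IPS is in the path"
    fi
}

if [ -n "${TARGET:-}" ]; then   # e.g. TARGET=192.168.1.8 ./fw-spot.sh
    scan_for_firewall "$TARGET"
fi
```

Read "stateful-firewall" as "a device is tracking connections in front of this port", not as proof that the port is closed on the host; follow it up with the --source-port and fragmentation options from the list above.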
Identifying the operating system using Nmap:
-O -v (and get a second opinion from another tool, such as Amap)
Profiling the server
Application version fingerprinting
The Nmap version scan:
-sV (or -A, which also turns on OS detection, traceroute, and the default scripts)
The --version-trace option will make Nmap print out debugging information about the version scanning and the underlying tests that run.
The Amap version scan: invoke Amap with the -bqv options, which only report the open ports (-q), print the response received in ASCII (-b), and print some detailed information related to it (-v).
Fingerprinting the web application framework:
The HTTP header
The WhatWeb scanner
BlindElephant: fingerprints the exact version of a web application, useful when conducting a penetration test of a content management system.
Identifying virtual hosts: when interacting with and crafting an attack for the website, it becomes important to identify the type of hosting. If the IP address hosts multiple websites, then you have to include the correct Host header value in your attacks or you won't get the desired results. This could also affect the other websites hosted on that IP address. Directly attacking the IP address will have undesirable results and will also affect the scope of the penetration test.
DNS tools such as dig and nslookup can be used to identify domains that resolve to the same IP address.
www.my-ip-neighbors.com
The virtual host lookup module in Recon-ng
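Once the candidate names are known, the question is which of them the server actually treats as separate virtual hosts. The script below (an added example, not from the original notes) requests the same IP with each name in the Host header and compares the responses against the default one; it assumes curl is installed, and 192.168.1.8, the *.pentesting-lab.com names and the TARGET variable are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): probe one IP address with
# different Host headers and compare the responses, to see which candidate
# names are served as separate virtual hosts. Assumes curl is installed;
# 192.168.1.8 and the *.pentesting-lab.com names are placeholders.
set -u

# Status code and body size for a request to the IP with the given Host header.
fetch_fp() {
    # $1 = IP, $2 = Host header value
    curl -s -o /dev/null --max-time 10 -w '%{http_code} %{size_download}' \
        -H "Host: $2" "http://$1/"
}

# "name code size" lines: first the bare IP (the server's default/catch-all
# response), then one line per candidate hostname.
probe_vhosts() {
    local ip="$1" h; shift
    printf '%s %s\n' "$ip" "$(fetch_fp "$ip" "$ip")"
    for h in "$@"; do
        printf '%s %s\n' "$h" "$(fetch_fp "$ip" "$h")"
    done
}

# Classify each candidate against the default response on stdin. A name whose
# response differs from the default is served by its own virtual host, so any
# attack must carry that Host header; a name with the same fingerprint is either
# the default site itself or not configured on this IP at all.
vhost_report() {
    awk '
        NR == 1 { base = $2 " " $3; print "baseline (" $1 "): " base; next }
        $2 == "000" { print $1, "no-response"; next }
        { fp = $2 " " $3; print $1, (fp == base ? "same-as-default" : "distinct-vhost (" fp ")") }'
}

# e.g. TARGET=192.168.1.8 ./vhosts.sh www.pentesting-lab.com intranet.pentesting-lab.com
# (candidate names come from dig/nslookup, my-ip-neighbors or the Recon-ng module)
if [ -n "${TARGET:-}" ]; then
    probe_vhosts "$TARGET" "$@" | vhost_report
fi
```

Status code plus body size is a coarse fingerprint; when two virtual hosts serve near-identical pages, add the Location header or the page title to fetch_fp before trusting "same-as-default".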
Identifying load balancers
Cookie-based load balancer (an affinity cookie inserted by the balancer so that a client keeps hitting the same backend)
A few other ways to identify a device such as a load balancer are listed as follows:
Analyzing SSL differences (certificate or cipher suite differences between requests)
Redirecting to a different URL
DNS records for load balancers (several A records for one name)
Load balancer detector (lbd in Kali Linux)
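The cookie-based check in practice: send several cookie-less requests to the same URL and look at what comes back. The script below (an added example, not from the original notes) flags well-known balancer affinity cookies by name, counts how many distinct values each cookie takes, and counts distinct Server headers, which differ when different backends answer. It assumes curl is installed; the TARGET variable, the URL and the header samples in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): send several fresh requests to
# the same URL and compare the Set-Cookie and Server headers. A balancer that
# tracks affinity with a cookie reveals itself by the cookie name (and by the
# handful of distinct values, roughly one per backend); differing Server
# headers mean different backends answered. Assumes curl; complements lbd.
set -u

# Raw response headers of N cookie-less requests, concatenated on stdout.
collect_headers() {
    # $1 = URL, $2 = number of requests (default 5)
    local i
    for i in $(seq 1 "${2:-5}"); do
        curl -sI --max-time 10 "$1"
    done
}

# Summarize the concatenated headers on stdin.
lb_summary() {
    awk '
        /^HTTP\// { n++ }
        tolower($1) == "set-cookie:" {
            v = $2; sub(/;.*/, "", v); sub(/\r$/, "", v)
            i = index(v, "="); name = substr(v, 1, i - 1); val = substr(v, i + 1)
            names[name] = 1
            if (!((name, val) in vals)) { vals[name, val] = 1; cnt[name]++ }
        }
        tolower($1) == "server:" { v = $2; sub(/\r$/, "", v); srv[v] = 1 }
        END {
            for (c in names) {
                # well-known affinity cookies: F5 BIG-IP, Azure ARR, AWS ELB/ALB, Citrix NetScaler, HAProxy
                tag = (c ~ /^(BIGipServer|ARRAffinity|AWSALB|AWSELB|citrix_ns_id|SERVERID)/) ? "known-lb-affinity-cookie" : "other"
                print "cookie " c " distinct=" cnt[c] " " tag
            }
            ns = 0; for (s in srv) ns++
            print "responses=" (n + 0) " distinct-server-headers=" ns
        }' | sort
}

if [ -n "${TARGET:-}" ]; then   # e.g. TARGET=http://192.168.1.8/ ./lb-cookie.sh
    collect_headers "$TARGET" 8 | lb_summary
fi
```

A session cookie such as PHPSESSID is also new on every request, so a high distinct count alone proves nothing; the signal is the balancer-specific cookie name, or a cookie whose value cycles through a small fixed set while the Server header changes with it.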
Web application firewall (WAF) to thwart attacks: Wafw00f in Kali Linux is able to detect whether any WAF device exists in the path.
Scanning web servers for vulnerabilities and misconfigurations.
Identifying HTTP methods using Nmap (DELETE, PUT, and TRACE should be disabled on the web server):
--script=http-methods.nse. By default, the script probes the target with a Mozilla user agent that also **reveals that the packet was generated by the Nmap scripting engine.** The user agent can be changed with the
http.useragent script argument so that no Nmap information is leaked:
nmap --script=http-methods.nse --script-args http.useragent="Scan Done by Penetration testing team" 192.168.1.8
Without Nmap, first identify which methods the web server supports by using Netcat to open a connection to the web server and querying it with the
OPTIONS method.
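The Netcat check and the Nmap check side by side, with the Allow header parsed and the risky methods pulled out rather than read off the screen. This is an added example, not code from the original notes; it assumes nc and nmap are installed, the host 192.168.1.8 and the TARGET variable are placeholders, and the user agent string is arbitrary.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): ask the server for its supported
# methods with a raw OPTIONS request over netcat, parse the Allow header, and
# flag the methods that should be disabled. Assumes nc and nmap are installed;
# 192.168.1.8 is a placeholder and the user agent string is arbitrary.
set -u

UA="Scan done by the penetration testing team"

# Send OPTIONS / to host:port and print the raw response.
probe_options() {
    # $1 = host, $2 = port (default 80)
    printf 'OPTIONS / HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection: close\r\n\r\n' "$1" "$UA" |
        nc -w 5 "$1" "${2:-80}"
}

# Methods listed in the Allow header of the response on stdin, one per line.
allowed_methods() {
    awk 'tolower($1) == "allow:" {
        sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); gsub(/[ \t]*,[ \t]*/, "\n"); print
    }'
}

# Filter stdin down to the methods worth reporting: PUT/DELETE/TRACE from the
# notes, plus the WebDAV methods that also let a client write to the server.
risky_methods() {
    grep -E '^(PUT|DELETE|TRACE|PROPFIND|MKCOL|COPY|MOVE)$' || true
}

# Same check with Nmap, with a user agent that does not leak the scanner.
nmap_methods() {
    nmap -p "${2:-80}" --script http-methods --script-args "http.useragent=$UA" "$1"
}

if [ -n "${TARGET:-}" ]; then   # e.g. TARGET=192.168.1.8 ./methods.sh
    probe_options "$TARGET" | allowed_methods | risky_methods
    nmap_methods "$TARGET"
fi
```

An Allow header is advisory: a server can list TRACE and still refuse it, or omit PUT and still accept it on some path, so confirm each flagged method with an actual request before reporting it.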
Testing web servers using auxiliary modules in Metasploit:
dir_listing: determines whether directory browsing is enabled on the target
dir_scanner: brute-forces directory names under a given path
enum_wayback: pulls the URLs archived for the domain by archive.org's Wayback Machine
files_dir: used to scan the server for data leakage vulnerabilities by locating backups of configuration files and source code files
http_login: brute-forces HTTP authentication
robots_txt: fetches robots.txt, which often lists the paths the owner did not want indexed
webdav_scanner: this module can be used to find out if WebDAV is enabled on the server, which basically turns the web server into a file server
Automating scanning using the WMAP web scanner plugin in Metasploit (load wmap first):
define a site:
wmap_sites -a <site name/IP address>
identify the site ID:
wmap_sites -l
add the website as a target:
wmap_targets -d 0
look at the modules the tool is going to run:
wmap_run -t
start the scan:
wmap_run -e
Once the test is complete, you can check out the vulnerabilities found using the
vulns command
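The auxiliary modules and the WMAP steps above are a fixed sequence typed into msfconsole by hand. The script below (an added example, not from the original notes) writes that sequence as a Metasploit resource file and runs it unattended with msfconsole -r, using wmap_targets -t with the URL so the site ID does not have to be read off wmap_sites -l. It assumes the Metasploit database is connected; 192.168.1.8 and the TARGET variable are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): generate a Metasploit resource
# script that runs the auxiliary scanner modules from the notes and then the
# WMAP steps, so the whole sequence runs unattended with `msfconsole -r`.
# Assumes the Metasploit database is connected; 192.168.1.8 is a placeholder.
set -u

# Print the resource script for one target ($1 = host/IP, $2 = port, default 80).
msf_resource() {
    local host="$1" port="${2:-80}" m
    for m in robots_txt dir_listing files_dir webdav_scanner; do
        printf 'use auxiliary/scanner/http/%s\nset RHOSTS %s\nset RPORT %s\nrun\n' "$m" "$host" "$port"
    done
    # wmap_sites/wmap_targets take a URL; -t defines the target straight from it,
    # which avoids reading the site ID off `wmap_sites -l` interactively.
    printf 'load wmap\nwmap_sites -a http://%s:%s/\nwmap_targets -t http://%s:%s/\nwmap_run -t\nwmap_run -e\nvulns\nexit\n' \
        "$host" "$port" "$host" "$port"
}

# Write the resource script to a temp file and hand it to msfconsole.
run_msf_scan() {
    local rc
    rc=$(mktemp) || return 1
    msf_resource "$1" "${2:-80}" > "$rc"
    msfconsole -q -r "$rc"
    rm -f "$rc"
}

if [ -n "${TARGET:-}" ]; then   # e.g. TARGET=192.168.1.8 ./msf-web.sh
    run_msf_scan "$TARGET"
fi
```

Keep the resource file per engagement rather than per run: the scope rules (which RHOSTS, which port) live in one place, and the same file replays the scan after a fix to confirm the findings are gone.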
Vulnerability scanning and graphical reports: the skipfish web application scanner.
Spidering web applications
The Burp Spider