Python full stack Web security attack and Defense 1. Information collection

Keywords: Google DNS Vmware Python

Article directory

1, Kali virtual machine installation

There are two main steps:
(1) Install virtual machines such as VMware:
For specific installation process, please refer to
(2) To install Kali on VMware:
For specific installation process, please refer to
Or direct reference Complete steps (1) and (2).

2, Domain name introduction

1. Domain name introduction

Domain name is the name of a computer or computer group on the Internet, which is composed of a series of names separated by dots. It is used to identify the electronic orientation of the computer during data transmission.
Browser browsing process:
(1) The client uploads the domain name to the DNS server;
(2) The DNS server returns the IP address corresponding to the specified domain name to the client;
(3) The client accesses the target server according to IP;
(4) The target server returns the access content to the client.
As follows:

Because IP address is not easy to remember and can not display the name and nature of address organization, people have designed a domain name.
And through the Domain Name System (DNS), the domain name and IP address are mapped to each other, making it easier for people to access the Internet without remembering the IP address string that can be read directly by the machine.

2. Domain name query method whois

whois is a database used to query whether a domain name has been registered and the details of the registered domain name (such as domain name owner, domain name registrar, etc.).
Whois information with different domain name suffixes needs to be queried in different whois databases, such as. com's Whois database and. edu's. At present, the websites that provide whois inquiry service in China include wanwang, the home of stationmaster, etc. Whois information of each domain name or IP is saved by the corresponding management organization. For example, whois information of domain names ending in. com is managed by VeriSign, the domain name operator of. com, and the domain name of China's national top-level domain. cn is managed by CNNIC.
The whois query method is as follows:

web interface query

Query through whois command line




3.ICP filing

English full name: Internet Content Provider, Chinese full name: network content provider.
ICP can be understood as a telecom operator providing Internet information services and value-added services to users, and it is a formal operation enterprise or department approved by the competent national department.
The measures for the administration of Internet information services points out that Internet information services can be divided into two categories: operational and non operational. The State implements a licensing system for business Internet information services and a filing system for non business Internet information services. Those who have not obtained permission or fulfilled the filing procedures shall not engage in Internet information services.
Can pass To view the website filing information, an example is as follows

3, Collect subdomain information

1. Domain name and subdomain name

Top level domain names include. com,. net,. org,. cn, etc.
Subdomain name:
All top-level domain names are prefixed with sub domain names of the top-level domain name, and sub domain names are divided into two-level sub domain names, three-level sub domain names and multi-level sub domain names according to the number of technologies.
The collection of subdomain name is due to a large number of protection of a main domain name, the difficulty of mobile phone is relatively large, the difficulty of starting from the secondary domain name is relatively low, and the subdomain name is close to the main domain name and relevant information.

2. Sub domain name mining tool

  • Maltego CE
    Kali comes with it. If you can't receive the verification code when you register your account, you can register in Windows or other platforms, and then log in directly in Kali.
    For the use of Maltego CE, please refer to
    The results framework is shown in the figure below

    The test results of Baidu are as follows
  • wydomain
    GitHub address:
    Download and install commands (in Kali)
git clone
cd wydomain/
cat requirements.txt
pip3 install -r requirements.txt

View parameters:

python -h


usage: [-h] [-t] [-time] [-d] [-f] [-o]

wydomian v 2.0 to bruteforce subdomains of your target domain.

optional arguments:
  -h, --help          show this help message and exit
  -t , --thread       thread count
  -time , --timeout   query timeout
  -d , --domain       domain name
  -f , --file         subdomains dict file name
  -o , --out          result out file


python -d


2020-02-10 10:15:41,739 [INFO] starting bruteforce threading(16) :
2020-02-10 10:15:48,653 [INFO] dns bruteforce subdomains(100) successfully...
2020-02-10 10:15:48,653 [INFO] result save in : /root/wydomain/bruteforce.log

View results:

cat /root/wydomain/bruteforce.log


  • Search engine mining
    For example:
    Enter in Google

Example results:

If you can't access Google, you can also enter it in Baidu

Example results:

4, Port information collection

1. Port introduction

If the IP address is compared to a house, the port is the door to the house. The real house has only a few doors, but an IP address can have 65536 ports.
The port is marked by the port number, which is only an integer and ranges from 0 to 65535.
Each port in the computer represents a service.
Open the command line as administrator in Windows view port to execute:

netstat -anbo


Active connection                                                                                     
  //Protocol local address external address status PID                                         
  TCP                LISTENING       1032              
  TCP                LISTENING       26800             
  TCP                LISTENING       4                 
 //Unable to get ownership information                                                                               
  TCP                LISTENING       19200             
  TCP                LISTENING       19200             
  UDP    [fe80::e908:14c9:dc52:d1d5%5]:2177  *:*                                    4836 
  UDP    [fe80::e908:14c9:dc52:d1d5%5]:52240  *:*                                    7608
  UDP    [fe80::f55a:3b0f:f090:458%14]:1900  *:*                                    7608 
  UDP    [fe80::f55a:3b0f:f090:458%14]:2177  *:*                                    4836 
  UDP    [fe80::f55a:3b0f:f090:458%14]:52242  *:*                                    7608

2. Port information collection

Tools can be used to test the collection of target machine port status.
Tool principle:
Use TCP or UDP and other protocols to send packets with specified flags to the destination port, wait for the destination to return packets, so as to judge the port status.

Using nmap detection

The nmap symbol is like an eye, called the eye of God.

nmap -A -v -T4


Starting Nmap 7.80 ( ) at 2020-02-10 10:26 CST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:26
Completed NSE at 10:26, 0.00s elapsed
Initiating NSE at 10:26
Completed NSE at 10:26, 0.00s elapsed
Initiating NSE at 10:26
Completed NSE at 10:26, 0.00s elapsed
Initiating Ping Scan at 10:26
Scanning ( [4 ports]
Completed Ping Scan at 10:26, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:26
Completed Parallel DNS resolution of 1 host. at 10:26, 0.01s elapsed
Initiating SYN Stealth Scan at 10:26
Scanning ( [1000 ports]
Discovered open port 443/tcp on
Discovered open port 80/tcp on
Completed SYN Stealth Scan at 10:26, 5.00s elapsed (1000 total ports)

TRACEROUTE (using port 80/tcp)
1   ... 30

NSE: Script Post-scanning.
Initiating NSE at 10:27
Completed NSE at 10:27, 0.00s elapsed
Initiating NSE at 10:27
Completed NSE at 10:27, 0.00s elapsed
Initiating NSE at 10:27
Completed NSE at 10:27, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 44.19 seconds
           Raw packets sent: 2168 (98.008KB) | Rcvd: 5 (208B)

Ports 443 and 80 are open, corresponding to https and http respectively.

Use online website detection

Test example:

This method can't detect the local.

3. Port attack

There are different attack methods for different ports.

Attack method

Defensive measures

  • Turn off unnecessary ports
  • Set up firewall for service port of important business
  • Change user password frequently
  • Frequently update software and patch

5, Collect sensitive information

1. Importance of sensitive information collection

For some good goals of security, it is impossible to complete penetration test directly through technical level.
In this case, search engine can be used to search the association information exposed on the Internet.
For example, database files, SQL injection, server configuration information, even through Git to find site disclosure source code, and Redis unauthorized access, so as to achieve the purpose of penetration test.

2.Google hacking syntax

Google hacking refers to the use of search engines such as Google to search for vulnerabilities of certain network hosts, in order to quickly find vulnerabilities of vulnerable hosts or specific hosts.

Intext: - search for body content e.g. intext: website management
 Intitle: - Search title content such as intitle: background management
 Filetype: - search the specified file format, for example, filetype:txt
 inurl: - search for a specific URL. For example. php?id
 Site: - make a search for a specific site, for example:
 info: - specify search page information, for example:

Enter in Google

Intel background management

As shown in the picture:

Obviously, there are many back office management systems exposed. You can easily click in one to see

Obviously, this is extremely dangerous.
For another example, input in Baidu

intitle background management


Similarly, there are a lot of background management system exposures. Try any one of them to display

Obviously, there is a great threat to network security.
More about Google hacking's syntax, usage and latest news can be found here

3.HTTP response collects server information

The service header and X-Powered-By header in the message that the target responds to in the communication with the target site through HTTP or HTTPS will expose the information of the target serve r and the programming language used. Through these information, we can have targeted exploit attempts.
To get an HTTP response:

Using browser audit tools

Click F12, select Network, and click F5 to refresh, as follows

Obviously, Server middleware is nginx, and X-Powered-By is ThinkPHP, which is a framework of PHP language.

Writing Python scripts (using the requests Library)

Simple test:

import requests

r = requests.get('')


{'Server': 'nginx', 
'Date': 'Mon, 10 Feb 2020 03:08:34 GMT', 
'Content-Type': 'text/html; charset=utf-8', 
'Transfer-Encoding': 'chunked', 
'Connection': 'keep-alive', 
'Vary': 'Accept-Encoding', 
'Expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 
'Pragma': 'no-cache', 
'Cache-control': 'private', 
'X-Powered-By': 'ThinkPHP', 
'Set-Cookie': 'PHPSESSID=v0ee5tiumr3pat5kpnltdvnbh4; path=/, sc__jsluid_h=43c68abd9efb5d2ebed43d88a1ab550c; expires=Mon, 10-Feb-2020 03:18:34 GMT; Max-Age=600, scJSESSIONID=04D2B6C6538CDD8A48003405C29F52B0; expires=Mon, 10-Feb-2020 03:18:34 GMT; Max-Age=600', 
'Content-Encoding': 'gzip'}

As the result of the first method, the Server middleware is nginx, and X-Powered-By is ThinkPHP.

74 original articles published, 350 praised, 90000 visitors+
Private letter follow

Posted by leony on Mon, 10 Feb 2020 04:16:21 -0800