Methods for bypassing a CDN

CDN stands for Content Delivery Network. (A CDN is a layer of geographically distributed caching proxies that answer requests on the web server's behalf, so what a client resolves and connects to is an edge node, not the site itself.)

(Requests are served tier by tier: the client hits the first-tier edge node; if the content is not cached there the edge asks the next tier, and so on, until the request reaches the web server.) (The web server is the final server, the origin.)

If the target is behind a CDN, you need to bypass the CDN to obtain the origin's real IP address; attacking the edge IP only gets you the CDN's infrastructure.

1. Internal mail source (collect the internal mail server's IP address; mail the target sends you is not routed through the CDN, so its headers show the sending server's address)

2. A phpinfo.php file left on the site (phpinfo() prints SERVER_ADDR, i.e. the server's own IP)

3. Sub-site IP addresses: enumerate subdomains (CDN is expensive, so sub-sites very often are not behind it)

4. Access from abroad (https://asm.ca.com/en/ping.php) (there are plenty of these tools online; worth hunting for more)

5. Query the domain's historical resolution records (https://viewdns.info/)

Checking whether the target uses a CDN

1. nslookup <domain>: run the nslookup command on Windows against the domain. If it returns a whole set of IPs, a CDN is very likely in use; those addresses are intermediate (edge) servers, not the origin.

2. Ping from multiple locations: ping from different regions and check whether the returned IP is the same everywhere. If it is not, the target probably uses a CDN. (The converse does not hold: anycast CDNs answer with the same IP from every location, so a single consistent IP does not prove there is no CDN.)

Sites: https://asm.ca.com/en/ping.php/

http://ping.chinaz.com/

https://ping.aizhan.com/

3. Use a site that reports directly whether a CDN is in front of the domain

Sites: http://www.cdnplant.com/tools/cdnfinder/

https://www.ipip.net/ip.html
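The two heuristics above (many A records from one resolver, different answers from different vantage points) plus a third that the online checkers use (a CNAME pointing into a known CDN domain) can be combined offline once you have collected the answers. The following is an added example, not code from the original notes; the vantage-point answers and the CNAME chain are constructed sample data, and the CDN suffix list is an illustrative assumption, not an authoritative list.

```python
import ipaddress

# Assumed subset of CNAME suffixes used by well-known CDN providers.
# Illustrative only; keep a real list current from provider documentation.
CDN_CNAME_SUFFIXES = (
    "cloudfront.net",
    "akamaiedge.net",
    "edgekey.net",
    "cdn.cloudflare.net",
    "fastly.net",
    "azureedge.net",
)


def cdn_in_cname_chain(cname_chain):
    """Return the first name in the CNAME chain that sits under a known CDN suffix, or None."""
    for name in cname_chain:
        host = name.rstrip(".").lower()
        for suffix in CDN_CNAME_SUFFIXES:
            if host == suffix or host.endswith("." + suffix):
                return host
    return None


def analyze_answers(answers_by_vantage, cname_chain=()):
    """Combine the nslookup and multi-location ping heuristics.

    answers_by_vantage maps a vantage point (resolver or ping location) to the
    list of A records it observed for the target hostname.
    """
    answer_sets = {
        vantage: frozenset(ipaddress.ip_address(a) for a in ips)
        for vantage, ips in answers_by_vantage.items()
    }
    distinct = set(answer_sets.values())
    union = set().union(*answer_sets.values())
    signals = []
    if len(distinct) > 1:
        signals.append("answers differ by vantage point")
    if any(len(s) > 1 for s in answer_sets.values()):
        signals.append("multiple A records in a single answer")
    hit = cdn_in_cname_chain(cname_chain)
    if hit:
        signals.append("CNAME points at %s" % hit)
    return {
        "candidate_ips": sorted(str(ip) for ip in union),
        "distinct_answer_sets": len(distinct),
        "signals": signals,
        # Differing answers or a CDN CNAME is strong evidence; several A records
        # from one resolver can be plain DNS round-robin, so it is only a hint.
        "likely_cdn": len(distinct) > 1 or hit is not None,
    }


# Constructed sample observations (not real measurements).
FRONTED = {
    "beijing": ["203.0.113.10", "203.0.113.11"],
    "frankfurt": ["198.51.100.7", "198.51.100.8"],
    "new-york": ["192.0.2.20"],
}
FRONTED_CNAMES = ["www.example.com.", "d111111abcdef8.cloudfront.net."]
PLAIN = {
    "beijing": ["203.0.113.50"],
    "frankfurt": ["203.0.113.50"],
    "new-york": ["203.0.113.50"],
}

if __name__ == "__main__":
    print(analyze_answers(FRONTED, FRONTED_CNAMES))
    print(analyze_answers(PLAIN))
```

Feed it the IPs you actually got back from nslookup on several resolvers or from the multi-location ping sites; a result with `likely_cdn` set to False and a single candidate IP is the case where that IP is worth probing as the origin directly.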

Finding the real IP

1. Start from subdomains. Most sites put only the main site behind a CDN and leave subdomains and the like outside it (CDN is expensive), so subdomains are a direct way in (they usually sit on the same infrastructure as the main site). Methods: subDomainsBrute, Sublist3r, Google hacking (search operators), etc.; online lookup: https://dnsbd.io/zh-cn/ . A subdomain's IP is only a lead; confirm it by sending a request to that IP with the main site's Host header and checking that the origin answers with the expected content.

2. Use a web vulnerability that makes the server connect out to you, e.g. SSRF (not covered yet), a reverse shell from command execution (covered earlier, in the EternalBlue lesson), etc.; the outbound connection comes from the server's real IP, not the CDN. XSS (covered later) runs in the visitor's browser, so on its own it does not reveal the server's address.

3. Historical DNS records: look up the history of IP-to-domain bindings; you may find the IP the target used before it was put behind the CDN.

Lookup sites: https://dnsbd.io/zh-cn/

https://x.threatbook.cn/

http://toolbar.netcraft.com/site_report?url=

http://viewdns.info/

http://www.17ce.com/

https://community.riskiq.com/

http://www.crimeflara.com/cfssl.html

4. Go through the CDN itself: social engineering!!! (I can't do that.)

5. MX records or email. Mail is not routed through the CDN, so the DNS MX records point at the target's real mail servers, and the raw headers of any mail the target sends you (the Received: lines, not anything in the browser's F12 tools) carry the real IPs of the servers that handled it.

6. Use a proxy outside China; you may hit the origin directly. Domestic CDNs often have thin coverage abroad, so requests from foreign vantage points may be served by the real server.

https://asm.ca.com/en/ping.php

7. Using Zgrab to bypass the CDN and find the real IP – Levy's Blog (levyhsu.com) (go read that site yourself; I couldn't get through it)

8. Simple ways to get the real IP of a site behind a CDN – Anquanke (安全客), 360.cn (another link; read it yourself)

9. Cyberspace search engines: ZoomEye (钟馗之眼), FOFA, Shodan and the like. Search by the site's title, favicon hash or certificate to find hosts serving the same content outside the CDN.

10. Query the HTTPS certificate?????????? (this idea is a bit wild). The origin usually presents the same certificate as the CDN edge, so searching for other hosts that serve that certificate can expose it directly.

https://censys.io/

11. Decode the F5 LTM load balancer cookie to obtain the real internal IP. The BIG-IP persistence cookie (BIGipServer<pool>) encodes the back-end pool member's IP address and port.

threathunter.org (go read it yourself)
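For item 11, the encodings F5 documents for BIG-IP persistence cookies can be decoded offline. The example below is added here and is not code from the original notes or from F5. It handles the classic decimal form (32-bit IP stored little-endian, port little-endian), the IPv6 `vi` form and the route-domain `rd` form; the Set-Cookie header values are constructed from F5's documented example values, and the pool names are made up.

```python
import ipaddress
import re

# The encodings F5 documents for BIG-IP persistence cookie values
# (the cookie is named BIGipServer<pool name> by default).
_V4_RE = re.compile(r"^(\d+)\.(\d+)\.0000$")
_V6_RE = re.compile(r"^vi([0-9a-fA-F]{32})\.(\d+)$")
_RD_RE = re.compile(r"^rd(\d+)o([0-9a-fA-F]{32})o(\d+)$")


def _swap_port(text):
    """Ports in the dotted forms are stored as little-endian 16-bit values."""
    n = int(text)
    if n > 0xFFFF:
        raise ValueError("port out of range: %r" % text)
    return ((n & 0xFF) << 8) | (n >> 8)


def _from_hex32(hex_addr):
    """The rd/vi forms carry a 128-bit address; IPv4 members appear IPv4-mapped."""
    addr = ipaddress.IPv6Address(int(hex_addr, 16))
    return str(addr.ipv4_mapped or addr)


def decode_bigip_cookie(value):
    """Decode a BIGipServer cookie value into (ip, port, route_domain)."""
    value = value.strip()
    m = _V4_RE.match(value)
    if m:
        ip_int = int(m.group(1))
        if ip_int > 0xFFFFFFFF:
            raise ValueError("address out of range: %r" % value)
        # The address is the 32-bit integer read back little-endian.
        ip = ipaddress.IPv4Address(ip_int.to_bytes(4, "little"))
        return str(ip), _swap_port(m.group(2)), 0
    m = _V6_RE.match(value)
    if m:
        return _from_hex32(m.group(1)), _swap_port(m.group(2)), 0
    m = _RD_RE.match(value)
    if m:
        # Route-domain form: "rd<domain>o<hex address>o<port>", port in plain decimal.
        return _from_hex32(m.group(2)), int(m.group(3)), int(m.group(1))
    raise ValueError("not a recognised BIG-IP persistence cookie: %r" % value)


def bigip_cookies_from_set_cookie(set_cookie_values):
    """Return (cookie name, decoded tuple) for every BIGipServer* Set-Cookie value."""
    found = []
    for header in set_cookie_values:
        name, _, rest = header.partition("=")
        name = name.strip()
        if not name.startswith("BIGipServer"):
            continue
        raw = rest.split(";", 1)[0].strip()
        try:
            found.append((name, decode_bigip_cookie(raw)))
        except ValueError:
            # Some deployments encrypt the cookie; those values do not match any form.
            continue
    return found


# Constructed Set-Cookie values; the encoded parts are F5's documented examples.
SAMPLE_SET_COOKIE = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "BIGipServerv6_pool=vi20010112000000000000000000000030.20480; path=/",
    "BIGipServerrd_pool=rd5o00000000000000000000ffffc0000201o80; path=/",
    "sessionid=abc123; path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, (ip, port, rd) in bigip_cookies_from_set_cookie(SAMPLE_SET_COOKIE):
        print("%s -> %s:%d (route domain %d)" % (name, ip, port, rd))
```

The decoded address is the pool member behind the load balancer, which is usually an RFC 1918 address: it will not be reachable from the Internet directly, but it maps the back-end network and often identifies the host that also serves the site behind the CDN. If the value does not match any of the forms, the deployment has cookie encryption turned on and there is nothing to recover.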
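Going back to item 5 (MX records and email): once the target has sent you a message (registration confirmation, password reset), the Received: chain in the raw headers can be walked to find the server that originated it. This is an added example, not code from the original notes. The raw message below is constructed sample data; the internal/external split uses RFC 1918, loopback and link-local ranges rather than Python's `is_private`, which would also mark the documentation addresses used in the sample as private.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a password-reset mail as it arrived in a mailbox we control.
SAMPLE_MESSAGE = """\
Received: from mx.attacker-mail.example ([198.51.100.25])
        by inbound.attacker-mail.example with ESMTP; Mon, 01 Jan 2024 10:00:05 +0000
Received: from mail.target.example (mail.target.example [203.0.113.77])
        by mx.attacker-mail.example with ESMTPS; Mon, 01 Jan 2024 10:00:03 +0000
Received: from app01.corp.target.example (app01.corp.target.example [10.20.30.40])
        by mail.target.example with ESMTP id 4f3a2; Mon, 01 Jan 2024 10:00:01 +0000
From: noreply@target.example
To: victim@attacker-mail.example
Subject: Password reset

Click the link to reset your password.
"""

# Addresses in brackets inside Received: lines, optionally prefixed "IPv6:".
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

# Ranges that can only be internal infrastructure, never the Internet-facing origin.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def is_internal(ip):
    return any(ip in net for net in _INTERNAL)


def received_hops(raw_message):
    """Return (ip, internal) pairs, oldest hop first.

    Each relay prepends its own Received: line, so the headers read newest-first;
    reversing them puts the originating host at index 0.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        for text in _BRACKET_IP.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # not an address (e.g. a bracketed comment)
            hops.append((str(ip), is_internal(ip)))
    return hops


def origin_candidates(raw_message):
    """Split the hop chain into internal hosts and the target's first public relay."""
    hops = received_hops(raw_message)
    internal = [ip for ip, inside in hops if inside]
    public = [ip for ip, inside in hops if not inside]
    return {
        "all_hops": hops,
        # Internal hops map the target's network (the app server that generated the mail).
        "internal": internal,
        # The first public hop is the target's own outbound relay; later public hops
        # belong to intermediate and receiving mail systems, not to the target.
        "first_public_hop": public[0] if public else None,
    }


if __name__ == "__main__":
    print(origin_candidates(SAMPLE_MESSAGE))
```

The first public hop is the target's mail server, not necessarily the web origin, but it is an address in the target's own network that the CDN does not hide; the internal hop tells you which host actually generated the mail, which is frequently the web application server itself. Both are leads to confirm with a direct request carrying the site's Host header.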
