Yuuki

Yuuki's Blog

Hacker. Code Enthusiast.
github
bilibili
twitter
Home归档作品集

Collecting Root Domain Assets through HTTP Features

#Root domain#Recon87
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The preface discusses the information gathering phase of penetration testing, focusing on collecting root domain names of target companies. Methods include using HTTP features, FOFA and Shodan search engines, and analyzing digital certificates. The importance of handling collected information carefully is emphasized. The roles of fields in digital certificates such as Issuer, Subject, Organization, and CommonName are explained. The Content-Security-Policy-Report-Only header and NS servers are also discussed as potential sources of root domain names. Tools like HackerTarget Find Shared DNS Servers can be used to query NS servers for internal domain names.

Preface#

During the information gathering phase of penetration testing, it is common to collect the root domain names of the target company. Registered domain names can be obtained through ICP filing number reverse lookup and Whois data query, while unregistered domain names have some special collection methods.

Collecting the root domain name assets of the target through HTTP characteristics is one of the methods. We can use security search engines like FOFA and Shodan to discover some root domain names related to the target company.

It should be noted that the root domain name assets collected through these methods may not belong to the testing target. These methods are only optional extensions. When using these methods, the collected information should be handled with caution.

Certificate#

FOFA Syntax

cert.subject.org="target" && is_domain=true

Demo Example

20240415_011618

In digital certificates, the fields such as Issuer, Subject, Organization, and CommonName play important roles:

  • Issuer: The issuer field identifies the entity that has signed and issued the certificate. The issuer field must contain a non-empty distinguished name (DN).
  • Subject: The subject field identifies the entity associated with the public key stored in the subject public key field. The subject name can be carried in the subject field and/or the subjectAltName extension.
  • Organization (O): The organization name identifies the organization or company that holds the certificate.
  • CommonName (CN): The common name, for individuals, may be a personal name, and for server certificates, it is usually a domain name.

HTTP Headers#

The Content-Security-Policy-Report-Only header can provide information about how a website handles cross-origin requests, but it may not directly provide detailed information about the root domain of the company.

Through Content-Security-Policy-Report-Only, some root domain names related to the target company can be collected.

FOFA Syntax

host="target.com" && header="Content-Security-Policy-Report-Only"

Demo Example

20240415_010719

Similar headers include Content-Security-Policy, Set-Cookie, etc., where root domain names related to the target company may also appear.

NS Servers#

In some cases, internal domain names of a company only need to be accessible to internal personnel. This can be achieved by using self-built DNS servers.

Although we cannot directly access the internally built NS servers of a company, we can query NS server data that has appeared in the past through existing data.

The HackerTarget Find Shared DNS Servers tool can be used to achieve this.

Before querying the company's NS servers, you need to obtain the IP or hostname of the NS servers by querying the NS servers of the domain.

$ nslookup -type=ns qq.com
  qq.com	nameserver = ns1.qq.com.
  qq.com	nameserver = ns2.qq.com.
  qq.com	nameserver = ns4.qq.com.
  qq.com	nameserver = ns3.qq.com.

20240415_012958

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.