Penetration information collection steps (simplified version)

First step ： Domain name information collection

1.whois Information Service 、 Record information inquiry

Relevant inquiry address ：

Check the inner eye ：https://www.tianyancha.com/ 
ICP Record inquiry network ：http://www.beianbeian.com/ 
National enterprise credit information publicity system ：http://www.gsxt.gov.cn/index.html 
Love station filing query ：https://icp.aizhan.com

The second step ： Subdomain collection

1. Side station and C Segment online query address ：
http://www.webscan.cc/
https://phpinfo.me/bing.php
2. Use sub domain name excavator and other software

The third step ： Fingerprint identification of websites

1. Website CMS

Relevant inquiry address ：

http://www.yunsee.cn/finger.html
https://whatweb.net/
http://whatweb.bugscaner.com/look/

2. The server (Linux/Windows)
utilize URL Case judgment 、 utilize ping Address determination 、 utilize nmap -O or -A To test

3. Containers (Apache/Nginx/Tomcat/IIS)

4. Script (php/jsp/asp/aspx)  

According to the website URL To judge 、 Using Google grammar ：site:xxx filetype:php 、 According to Firefox To determine

5. database (Mysql(3306)/Oracle(1521)/Accees/Mqlserver(1433))

Step four ： Host scan 、 Port scanning

Nessus The use of scanners
https://blog.csdn.net/qq_36119192/article/details/82852117

The common ones are 135 、137 、138 、139 、445, Vulnerabilities often break out in these ports . Port scanning tools have （Nmap、masscan）

Step five ： Website missed scanning

Use AWVS、Appscan、NESSUSS And so on .

Step six ： Website sensitive directories and files

Use wwwscan、 The imperial sword scans the directory