
What is CDN? Why do you need to bypass it?

CDN stands for Content Delivery Network. A CDN is an overlay network built on top of the existing Internet: edge servers deployed in many locations, together with a central platform's load-balancing, content-distribution and scheduling modules, serve each user from a nearby node. This reduces network congestion and improves response time and cache hit rate. Its key technologies are content storage and content distribution.

Because the site sits behind a CDN, DNS resolution returns the addresses of edge nodes rather than the origin server, so the real server IP cannot be read directly. The goal of CDN bypassing is to recover the target's real (origin) IP so that the server itself, not the CDN edge, can be tested during a penetration test.

How to check if the site has CDN

Method 1: ping from multiple locations with the webmaster tool http://ping.chinaz.com

In the result, the site answers with several independent IPs, i.e. the response differs by region. This is the signature of a CDN: each region is served by its nearest edge node. Note the converse does not hold: an anycast CDN returns the same IP from every location, so a single IP everywhere does not prove the absence of a CDN.

Method 2: nslookup

Execute the command:

nslookup blog.bbskali.cn

In the answer, a CNAME pointing into another provider's zone and several A records for the name are both indications of a CDN; compare the answers obtained from resolvers in different regions to confirm.
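The two checks above (region-dependent answers, CNAME plus several A records) can be applied to captured nslookup output. The following is an added example, not code from the original post; the nslookup text, the CNAME target blog.bbskali.cn.edge.example.net and the TEST-NET addresses are constructed for illustration and are not the real resolution of bbskali.cn.

```python
import re

# Constructed nslookup output for the same name queried from two regions. The CNAME
# target (blog.bbskali.cn.edge.example.net) and the TEST-NET addresses are hypothetical,
# not the real resolution of bbskali.cn.
REGION_OUTPUTS = {
    "cn-north": """\
Server:\t\t114.114.114.114
Address:\t114.114.114.114#53

Non-authoritative answer:
blog.bbskali.cn\tcanonical name = blog.bbskali.cn.edge.example.net.
Name:\tblog.bbskali.cn.edge.example.net
Address: 203.0.113.10
Name:\tblog.bbskali.cn.edge.example.net
Address: 203.0.113.11
""",
    "eu-west": """\
Server:\t\t1.1.1.1
Address:\t1.1.1.1#53

Non-authoritative answer:
blog.bbskali.cn\tcanonical name = blog.bbskali.cn.edge.example.net.
Name:\tblog.bbskali.cn.edge.example.net
Address: 198.51.100.20
""",
}

CNAME_RE = re.compile(r"^\S+\s+canonical name = (\S+?)\.?$", re.M)
ADDR_RE = re.compile(r"^Address:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_nslookup(output: str) -> dict:
    """Extract CNAME targets and answer A records from nslookup's text output.

    The first Address: line is the resolver itself (it carries '#53'); only
    lines after the answer section starts are treated as answers.
    """
    cnames = CNAME_RE.findall(output)
    addresses = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(("Non-authoritative answer:", "Name:")):
            in_answer = True
        if in_answer:
            m = ADDR_RE.match(line)
            if m:
                addresses.append(m.group(1))
    return {"cnames": cnames, "addresses": addresses}


def cdn_indicators(region_outputs: dict) -> dict:
    """Combine per-region answers into the signals the manual checks look for."""
    parsed = {region: parse_nslookup(out) for region, out in region_outputs.items()}
    answer_sets = {frozenset(p["addresses"]) for p in parsed.values()}
    differs = len(answer_sets) > 1                        # different edge nodes per region
    cname = any(p["cnames"] for p in parsed.values())     # name aliased into another zone
    multi_a = any(len(p["addresses"]) > 1 for p in parsed.values())
    return {
        "answers_differ_by_region": differs,
        "cname_present": cname,
        "multiple_a_records": multi_a,
        # Region-dependent answers are the strongest single signal; a CNAME plus several
        # A records is suggestive but also matches plain round-robin hosting. Caveat:
        # anycast CDNs return one identical IP everywhere, so all-False here does not
        # prove the absence of a CDN.
        "likely_cdn": differs or (cname and multi_a),
    }


if __name__ == "__main__":
    for region, out in REGION_OUTPUTS.items():
        print(region, parse_nslookup(out))
    print(cdn_indicators(REGION_OUTPUTS))
```

Feed it the output of nslookup run through resolvers in different regions (or the per-region results from the ping tool) and read the `likely_cdn` flag together with the individual signals; the individual signals matter because a CNAME alone or multiple A records alone are also produced by ordinary hosting setups.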

How to bypass

Now that you know the target uses a CDN, how do you get past it?

Method 1: Use email

Many websites have a password-recovery or message-reply function that sends mail to the user. If we request a password reset to our own mailbox, the verification mail is sent by the target's own mail server. When that server is the web server itself, or sits in the same network, the sending IP recorded in the mail's Received: headers is the target's real IP. The caveat: if the site sends through a third-party mail provider, the headers show the provider's relay, which says nothing about where the website is hosted.
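Reading the real IP out of a received mail means walking the Received: chain from the bottom (earliest hop) upward and discarding loopback and private addresses. The following is an added example, not code from the original post; the raw headers, every host name (www.target.example.net, mx.example-mailbox.test, mail.qq.example.net) and the TEST-NET addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed raw headers of a password-reset mail, as "show original" would display them.
# All hosts (target.example.net, mx.example-mailbox.test, mail.qq.example.net) and the
# TEST-NET addresses are hypothetical; this is not a real message from any site.
RAW_HEADERS = """\
Received: from mx.example-mailbox.test (mx.example-mailbox.test [198.51.100.7])
\tby mail.qq.example.net with ESMTP id abc123
\tfor <tester@example.net>; Mon, 1 Jan 2024 10:00:02 +0800
Received: from www.target.example.net (unknown [203.0.113.45])
\tby mx.example-mailbox.test (Postfix) with ESMTPA id 9F1C2
\tfor <tester@example.net>; Mon, 1 Jan 2024 10:00:01 +0800
Received: from localhost (localhost [127.0.0.1])
\tby www.target.example.net (Postfix) with ESMTP id 7E3A1;
\tMon, 1 Jan 2024 10:00:00 +0800
From: noreply@target.example.net
To: tester@example.net
Subject: Password reset
"""

# Addresses that can never be the target's public server.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "169.254.0.0/16")]
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)


def unfold_headers(raw: str) -> list:
    """Join RFC 5322 folded continuation lines (leading space/tab) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def received_hops(raw: str) -> list:
    """Received: values ordered earliest hop first.

    Each relay prepends its own Received: header, so the bottom-most one was
    written by the first server that handled the message.
    """
    values = [h.split(":", 1)[1].strip() for h in unfold_headers(raw)
              if h.lower().startswith("received:")]
    return list(reversed(values))


def is_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def candidate_origin(raw: str):
    """(claimed_host, ip) of the earliest hop whose 'from ... [ip]' is routable, or None."""
    for hop in received_hops(raw):
        m = FROM_RE.match(hop)
        if not m:
            continue
        for ip in BRACKET_IP_RE.findall(m.group(2) or ""):
            if is_routable(ip):
                return (m.group(1), ip)
    return None


def origin_under_domain(raw: str, domain: str) -> bool:
    """True when the sending host belongs to the target's domain.

    If it does not, the IP is a third-party mail provider's relay and says
    nothing about where the website itself is hosted.
    """
    found = candidate_origin(raw)
    if found is None:
        return False
    host = found[0].rstrip(".").lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for hop in received_hops(RAW_HEADERS):
        print("hop:", hop[:70])
    print("candidate:", candidate_origin(RAW_HEADERS))
    print("under target domain:", origin_under_domain(RAW_HEADERS, "target.example.net"))
```

The `origin_under_domain` check is the part practitioners skip most often: a routable IP in the earliest hop is only useful when the host that wrote that header is the target's own, and the bracketed address is what the receiving relay observed, so it is trustworthy even when the claimed host name is not.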

Here is an example with a QQ mailbox:

Open the received mail and choose to display the original message (the raw source). Read the Received: headers from the bottom up: the lowest one was written by the first server that handled the message, and the IP in brackets there is the sending server's address.

Method 2: Check subdomains

CDN is not cheap. The target may have bought CDN only for the main site (www.xxx.com) and high-traffic sub-sites (hub.xxx.com), while many small sites (mail.xxx.com and the like) are not fronted by the CDN and run on the same machine, or in the same C segment (/24), as the origin. Resolving those subdomains therefore often reveals the real IP, or at least the network segment in which to look for it. Confirm a candidate before relying on it: request the site directly from that IP with the Host header set to the real domain and compare the response with what the CDN-fronted site returns.

dnsmap bbskali.cn

By collecting the subdomains we also obtain their corresponding IPs.
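Once the subdomains are resolved, the work is to separate CDN edge addresses from the rest and group what remains by C segment. The following is an added example, not code from the original post or from dnsmap: the subdomain-to-IP table uses the page's xxx.com placeholder with constructed TEST-NET addresses, and the CDN edge range is an assumption standing in for the addresses the regional resolution check returned for the main site.

```python
import ipaddress
from collections import defaultdict

# Constructed output of a subdomain sweep (what dnsmap or a similar tool yields after
# resolving each name). Names use the page's xxx.com placeholder; addresses are TEST-NET
# and hypothetical.
SUBDOMAIN_IPS = {
    "www.xxx.com":  ["203.0.113.10", "203.0.113.11"],  # main site, behind the CDN
    "hub.xxx.com":  ["203.0.113.12"],                  # high-traffic sub-site, behind the CDN
    "mail.xxx.com": ["198.51.100.20"],
    "dev.xxx.com":  ["198.51.100.21"],
    "oa.xxx.com":   ["198.51.100.20"],
}

# Assumed CDN edge range: in practice taken from the addresses the regional resolution
# check returned for the main site, or from the CDN provider's published ranges.
CDN_RANGES = ["203.0.113.0/24"]


def _edge_networks(cdn_ranges):
    return [ipaddress.ip_network(c) for c in cdn_ranges]


def non_cdn_ips(subdomain_ips: dict, cdn_ranges: list) -> list:
    """Sorted, de-duplicated addresses that are not CDN edge nodes: direct origin candidates."""
    nets = _edge_networks(cdn_ranges)
    found = set()
    for ips in subdomain_ips.values():
        for ip in ips:
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                found.add(ip)
    return sorted(found, key=ipaddress.ip_address)


def candidate_origins(subdomain_ips: dict, cdn_ranges: list) -> list:
    """Group non-CDN hosts by C segment (/24), most populated segment first.

    A /24 that hosts several un-fronted subdomains is the most likely home of the
    origin server behind the CDN-fronted sites as well.
    """
    nets = _edge_networks(cdn_ranges)
    by_segment = defaultdict(set)
    for name, ips in subdomain_ips.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if any(addr in n for n in nets):
                continue  # edge node, tells us nothing about the origin
            segment = ipaddress.ip_network(f"{ip}/24", strict=False)
            by_segment[str(segment)].add(name)
    return sorted(by_segment.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    print("non-CDN addresses:", non_cdn_ips(SUBDOMAIN_IPS, CDN_RANGES))
    for segment, names in candidate_origins(SUBDOMAIN_IPS, CDN_RANGES):
        print(segment, sorted(names))
```

Each address in the non-CDN list, and then the rest of the top-ranked /24, is verified by requesting the main site from that IP with the real host name, for example `curl --resolve www.xxx.com:443:198.51.100.20 https://www.xxx.com/`; a host that serves the site's content (and presents its certificate) directly, without the CDN's response headers, is the origin.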

Method 3: Look up historical resolution records

Before a CDN is enabled, the domain's A record points straight at the real server, and historical DNS databases keep those old resolution records, so the domain's history often shows the IP it used before the CDN was added. (An NS record, a name-server record, specifies which DNS servers are authoritative for the domain; a switch of the NS records to a CDN or DNS provider in the history marks when the CDN was introduced.) Verify any historical IP before relying on it, since the server may have moved since.

For example: https://whoisrequest.com/history/ (there are many such sites).

Method 4: Use Shodan

Search Shodan for the target's host name, page title or certificate details and look at the hits that are not CDN edge addresses; a host that returns the target's own content directly is a candidate origin.

Common Shodan syntax

hostname: search for the specified host or domain name, e.g. hostname:'google'
port: search for the specified port or service, e.g. port:'21'
country: search within the specified country, e.g. country:'CN'
city: search within the specified city, e.g. city:'Hefei'
org: search for the specified organization or company, e.g. org:'google'
isp: search for the specified ISP, e.g. isp:'China Telecom'
product: search for the specified operating system/software/platform, e.g. product:'Apache httpd'
version: search for the specified software version, e.g. version:'1.6.2'
geo: search by geographical location, parameters are latitude and longitude, e.g. geo:'31.8639,117.2808'
before/after: search for data collected before or after the given date, format dd-mm-yy, e.g. before:'11-09-19'
net: search the specified IP address or subnet, e.g. net:'210.45.240.0/24'

Method 5: Ping from an overseas server

Because of cost, many CDNs are configured for domestic acceleration only, not global acceleration. Requests from outside the covered region are then not served by a CDN edge, so pinging the target from an overseas ping site or server returns the origin's real IP.
