Comprehensive Red Team Information‑Gathering Guide
This article presents a step‑by‑step red‑team information‑gathering methodology covering domain CDN detection, real‑IP extraction, subdomain enumeration, DNS history analysis, SSL certificate probing, host‑IP collision, company‑level queries, and a curated list of open‑source tools and command‑line examples for each phase.
Domain – CDN Detection
Determine whether a target domain sits behind a CDN. Indicators include unusually long ping round‑trip times and keywords such as "cdn", "ali", or "tencent" in the resolved names. Run nslookup; if multiple IPs are returned, CDN usage is likely. Online ping services (e.g., https://ping.chinaz.com/) can confirm CDN presence – a single IP across probes usually means no CDN.
Obtaining the Real IP
After confirming a CDN, bypass it to discover the origin IP. Multi‑location ping services (e.g., https://www.itdog.cn/ping) compare responses from New Zealand, Japan, and Korea; identical IPs across locations likely represent the real server.
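The two checks above (several A records or CDN‑like names in the nslookup answer; identical IPs from every ping vantage point) can be applied mechanically. The following is an added example, not code from the original guide: it parses constructed nslookup text for a hypothetical domain (www.example.test and cdn-provider.test are placeholders) and takes the multi‑location ping results as a plain dictionary, since no real lookups are made.

```python
"""CDN heuristic from nslookup output and multi-location ping results.

Added example, not part of the original guide: the domain, resolver output and
vantage-point results below are constructed, not real lookups.
"""
import re
from typing import Dict, List, Optional

# Constructed nslookup output for a hypothetical domain fronted by a CDN.
NSLOOKUP_OUTPUT = """Server:\t\t8.8.8.8
Address:\t8.8.8.8#53

Non-authoritative answer:
www.example.test\tcanonical name = www.example.test.cdn-provider.test.
Name:\twww.example.test.cdn-provider.test
Address: 203.0.113.10
Name:\twww.example.test.cdn-provider.test
Address: 203.0.113.11
"""

# Keywords the guide lists as CDN indicators, plus two common providers.
CDN_KEYWORDS = ("cdn", "ali", "tencent", "cloudflare", "akamai")


def parse_nslookup(output: str) -> Dict[str, List[str]]:
    """Return the CNAME targets and the answer-section IPs from nslookup text."""
    cnames = re.findall(r"canonical name = (\S+)", output)
    ips: List[str] = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith("Non-authoritative answer") or line.startswith("Name:"):
            in_answer = True  # lines before this describe the resolver, not the target
        if in_answer:
            match = re.match(r"Address:\s*([0-9.]+|[0-9a-fA-F:]+)$", line.strip())
            if match:
                ips.append(match.group(1))
    return {"cnames": cnames, "ips": ips}


def likely_cdn(parsed: Dict[str, List[str]], per_location: Dict[str, str]) -> bool:
    """Apply the guide's indicators: CDN-like names, several IPs, or IPs that vary by vantage point."""
    keyword_hit = any(k in name.lower() for name in parsed["cnames"] for k in CDN_KEYWORDS)
    several_ips = len(set(parsed["ips"])) > 1
    varies = len(set(per_location.values())) > 1
    return keyword_hit or several_ips or varies


def consistent_origin(per_location: Dict[str, str]) -> Optional[str]:
    """If every vantage point (e.g. NZ/JP/KR) resolves the same IP, return it; otherwise None."""
    ips = set(per_location.values())
    return ips.pop() if len(ips) == 1 else None


if __name__ == "__main__":
    parsed = parse_nslookup(NSLOOKUP_OUTPUT)
    print("CDN likely:", likely_cdn(parsed, {}))
    print("origin:", consistent_origin({"NZ": "198.51.100.7", "JP": "198.51.100.7", "KR": "198.51.100.7"}))
```

For an asset owner the same heuristic answers the inverse question: if your own domain is supposed to be fronted by a CDN and consistent_origin returns an address, that origin is reachable by name and the CDN's protections can be bypassed.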
Subdomain Real‑IP Discovery
Subdomains often lack CDN protection. Collect subdomains via 360quake, FOFA, or Hunter.
Example FOFA query: domain:"baidu.com"
Query DNSDB for type A records to retrieve subdomains and their IPs (e.g., domain:"baidu.com").
Additional DNS history services include dnsdb.io, x.threatbook.cn, toolbar.netcraft.com, viewdns.info, and tools.ipip.net.
SecurityTrails – Historical IPs
SecurityTrails provides historical DNS records that may reveal the original IP before CDN deployment. Use the “History Data” section to view past records.
SSL Certificate Method
When a site uses CloudFlare, connecting directly to the IP on port 443 reveals the SSL certificate, which can expose the origin server’s IP. Example: accessing https://136.23.63.44:443 shows the certificate used by xyz123boot.com.
Website Vulnerability Search
Typical findings include sensitive files (e.g., phpinfo), XSS, command execution, SSRF, or obtaining CDN admin credentials to retrieve the real IP from CDN configuration.
Email Subscription Enumeration
Emails sent by the target may contain the server IP in headers. For F5 LTM load balancers, decode the Set‑Cookie value (e.g., BIGipServerpool_8.29_8030=487098378.24095.0000) by converting the first decimal part to hexadecimal and then to dotted decimal to obtain the IP.
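The cookie decoding described above is worth seeing end to end, because the 32‑bit value is little‑endian: after converting to hexadecimal the bytes must be read in reverse order to get the dotted‑decimal address, and the port field is byte‑swapped the same way. The following is an added example, not code from the original guide; it uses the cookie value quoted in the guide (the Set‑Cookie line around it is constructed) and also shows how a defender can scan their own response headers for cookies still in the plain format.

```python
"""Decode an unencrypted F5 BIG-IP persistence cookie.

Added example, not from the original guide. The pool name and cookie value are
the ones quoted in the guide; the surrounding header line is constructed.
"""
import re
import struct
from typing import Optional, Tuple

SET_COOKIE_HEADER = "BIGipServerpool_8.29_8030=487098378.24095.0000; path=/"

# Plain (unencrypted) BIG-IP cookies have the shape "IPDEC.PORTDEC.0000".
PLAIN_COOKIE_RE = re.compile(r"BIGipServer(?P<pool>[^=;\s]+)=(?P<value>\d+\.\d+\.\d+)")


def decode_bigip_cookie(value: str) -> Tuple[str, int]:
    """Turn 'IPDEC.PORTDEC.0000' into (ip, port).

    The first field is the IPv4 address as a 32-bit little-endian integer and the
    second is the port as a 16-bit little-endian integer, so the bytes are read in
    reversed order compared with the hexadecimal digits of the decimal value.
    """
    ip_dec, port_dec, _ = value.split(".")
    ip_bytes = struct.pack("<I", int(ip_dec))  # little-endian byte order
    ip = ".".join(str(b) for b in ip_bytes)
    port = struct.unpack(">H", struct.pack("<H", int(port_dec)))[0]
    return ip, port


def parse_set_cookie(header: str) -> Optional[Tuple[str, str, int]]:
    """Return (pool, ip, port) if the header carries a plain BIG-IP cookie, else None.

    Encrypted BIG-IP cookies do not match the decimal pattern, so None for a header
    that still starts with BIGipServer means the cookie is not leaking the backend.
    """
    match = PLAIN_COOKIE_RE.search(header)
    if not match:
        return None
    ip, port = decode_bigip_cookie(match.group("value"))
    return match.group("pool"), ip, port


if __name__ == "__main__":
    print(parse_set_cookie(SET_COOKIE_HEADER))  # ('pool_8.29_8030', '10.136.8.29', 8030)
```

Note how the decoded address and port (10.136.8.29 and 8030) match the "8.29" and "8030" fragments embedded in the pool name. BIG‑IP can be configured to encrypt persistence cookies, which removes this leak; the parse_set_cookie check returning None for every BIGipServer header in your responses is a quick way to confirm that setting is in effect.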
Subdomain Collection Tools
SubDomainsBrute – https://github.com/lijiejie/subDomainsBrute
Sublist3r – https://github.com/aboul3la/Sublist3r
OneForAll (certificate transparency) – https://github.com/shmilylty/OneForAll
Hidden Domain Hosts Collision
If a bare IP returns generic HTTP codes (401/403/404/500) but the domain returns a normal page, sending requests to the IP with the domain in the Host header can reveal hidden services. Pair collected domains with IP ranges, send HTTP requests, and compare response titles and sizes against the bare‑IP baseline to discover concealed assets.
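The comparison step is where most of the work is: every Host value whose response differs from the bare‑IP baseline in status, title, or body size is a candidate hidden vhost. The following is an added example, not code from the original guide; it sends no requests and instead works on constructed (status, body) pairs for placeholder hostnames under example.test, which is the shape of data you would collect when auditing your own address space for forgotten virtual hosts.

```python
"""Compare responses from one IP with and without Host headers to spot hidden vhosts.

Added example, not from the original guide. No requests are sent: the responses
below are constructed, and the comparison is what you would apply to results
collected from your own IP ranges.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Probe(NamedTuple):
    status: int
    body: str


def extract_title(html: str) -> Optional[str]:
    """Pull the <title> text out of an HTML body, or None if there is none."""
    match = re.search(r"<title[^>]*>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return match.group(1).strip() if match else None


def summarize(probe: Probe) -> Tuple[int, Optional[str], int]:
    """Reduce a response to the three features the guide compares: status, title, size."""
    return (probe.status, extract_title(probe.body), len(probe.body))


def hidden_vhosts(baseline: Probe, by_host: Dict[str, Probe], size_tolerance: int = 64) -> List[str]:
    """Hosts whose response differs from the bare-IP baseline by status, title, or size.

    size_tolerance absorbs small differences such as the echoed hostname in an
    error page, so only substantive changes count as a different service.
    """
    base_status, base_title, base_size = summarize(baseline)
    found = []
    for host, probe in by_host.items():
        status, title, size = summarize(probe)
        if status != base_status or title != base_title or abs(size - base_size) > size_tolerance:
            found.append(host)
    return found


# Constructed probe results for a hypothetical IP in your own range.
ERROR_PAGE = "<html><head><title>404 Not Found</title></head><body>nginx</body></html>"
BASELINE = Probe(404, ERROR_PAGE)  # request sent to the bare IP, no Host header
BY_HOST = {
    "www.example.test": Probe(404, ERROR_PAGE),
    "intranet.example.test": Probe(200, "<html><head><title>Internal Portal</title></head><body>"
                                        + "x" * 2000 + "</body></html>"),
    "old.example.test": Probe(403, "<html><head><title>403 Forbidden</title></head><body>nginx</body></html>"),
}

if __name__ == "__main__":
    print(hidden_vhosts(BASELINE, BY_HOST))  # ['intranet.example.test', 'old.example.test']
```

Both flagged hosts deserve a look: the 200 with a different title is an obvious hidden application, and the 403 is still a distinct vhost configuration that the bare IP does not show, which is exactly the kind of asset that drops off inventories.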
IP Reverse Lookup
SearchMap (https://github.com/asaotomo/SearchMap) integrates domain resolution, reverse IP lookup, WHOIS, CDN detection, port scanning, and subdomain discovery. Use it to map an IP to associated domains and then enumerate subdomains.
Port Scanning
Common nmap commands:
nmap -sn -PE -n 192.168.1.1/24 -oX out.xml   # host discovery only, XML output
nmap -sS -Pn -p 3389 152.136.248.0            # SYN scan on port 3389
nmap -sS -Pn -p 1-65535 -n <ip>               # full TCP port scan
nmap -sS -sV -p 1-65535 -n <ip>               # service version detection
Masscan (https://github.com/robertdavidgraham/masscan) offers roughly ten‑times faster scanning than nmap.
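The -oX out.xml option used above is the form of nmap output most worth keeping, because it can be parsed and diffed against an expected exposure baseline rather than read by eye. The following is an added example, not code from the original guide or the nmap project: it parses a constructed XML fragment that mirrors the shape of an nmap report (the 192.0.2.0/30 hosts and their services are fictional) and reports open ports that a per‑host allowlist does not expect.

```python
"""Parse nmap -oX output and compare exposure with an expected baseline.

Added example, not from the original guide. The XML below is constructed to
mimic the structure of an nmap XML report; hosts and services are fictional.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p 22,80,443 -oX out.xml 192.0.2.0/30">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.4"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> List[dict]:
    """Return one dict per <host>: its IPv4 address, up/down state, and open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        status_el = host.find("status")
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports matter for exposure
            service = port.find("service")
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": service.get("name") if service is not None else None,
                "product": service.get("product") if service is not None else None,
                "version": service.get("version") if service is not None else None,
            })
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "up": status_el is not None and status_el.get("state") == "up",
            "open_ports": open_ports,
        })
    return hosts


def live_hosts(hosts: List[dict]) -> List[str]:
    """Addresses nmap reported as up (the -sn host-discovery view)."""
    return [h["addr"] for h in hosts if h["up"]]


def unexpected_exposure(hosts: List[dict], allowlist: Dict[str, Set[int]]) -> List[Tuple[str, int, Optional[str]]]:
    """Open ports that the per-host allowlist does not expect: a defender's baseline diff."""
    findings = []
    for h in hosts:
        allowed = allowlist.get(h["addr"], set())
        for p in h["open_ports"]:
            if p["port"] not in allowed:
                findings.append((h["addr"], p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    scanned = parse_nmap_xml(NMAP_XML)
    print("up:", live_hosts(scanned))
    print("unexpected:", unexpected_exposure(scanned, {"192.0.2.1": {22}}))
```

Run against a real out.xml from your own scan, the allowlist becomes the statement of what each host is supposed to expose, and anything unexpected_exposure returns is either an undocumented service or a change since the last scan.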
Side‑Site Scanning (sites co‑hosted on the same server, 旁站)
Webscan.cc aggregates sites hosted on the same server, enabling discovery of additional assets once an IP range is identified.
Company Information Queries
Investigate company names via platforms such as AIQicha (https://aiqicha.baidu.com/), Tianyancha, or Fengniao to obtain registration details, personnel, equity structure, product portfolios, trademarks, and related subsidiaries.
Website Fingerprinting
Tools for identifying middleware, frameworks, and languages:
Wappalyzer (Firefox add‑on)
whatweb – e.g., whatweb -v reddit.com
TideFinger – http://finger.tidesec.net/ and https://github.com/TideSec/TideFinger
EHole – https://github.com/lemonlove7/EHole_magic
Directory Scanning
Popular scanners:
7kbscan – https://github.com/7kbstorm/7kbscan-WebPathBrute
dirsearch – https://github.com/maurosoria/dirsearch
BBScan – https://github.com/lijiejie/BBScan
dirb – sourceforge project page
JavaScript Information Extraction
Tools to harvest URLs, subdomains, and secrets from JS files:
JSFinder – https://gitee.com/MrWQ1/JSFinder/blob/master/JSFinder.py
LinkFinder – https://github.com/GerbenJavado/LinkFinder
FindSomething – Firefox extension https://github.com/momosecurity/FindSomething
WAF Detection
Use wafw00f (https://github.com/EnableSecurity/wafw00f) to identify web application firewalls.
Overall Workflow
The information‑gathering workflow consists of three prongs: domain analysis (CDN detection, real‑IP discovery, subdomain enumeration), IP investigation (reverse lookup, port scanning, side‑site discovery), and company‑level queries (registration data, personnel, products). The toolbox includes command‑line utilities, online services, and open‑source repositories, enabling systematic expansion of the asset base before deeper scanning such as directory brute‑forcing, fingerprinting, and WAF assessment.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.