
Building a threat intelligence network from Party A's (the asset owner's, i.e. the defender's) perspective through asset sorting and information collection

Views: 668 / 2025-02-11 16:14:28

To understand asset collection from the attacker's perspective first: once an attacker has obtained basic information about the target organisation, the following methods are usually used to collect its assets:

1. Query the target organisation's domain registration information on a WHOIS / domain registration lookup platform, then enumerate the domain with tooling, for example the common subdomain brute-force tools.

2. Collect the target organisation's asset information from Internet asset search (cyberspace mapping) engines using their query syntax.

3. Collect IP information by autonomous system number (ASN); this only works for targets large enough to own their own AS.

4. Collect the IP ranges behind the domain names through a third-party platform and widen the search by syntax, that is, expand a discovered address such as 1.1.1.1 to the containing 1.1.1.0/24 and 1.1.0.0/16 and identify which addresses in those ranges belong to the target.

5. Using the collected IPs and domain names, scan and probe them to build a list of http(s)://IP:PORT services and a subdomain asset list.

6. Run fingerprint recognition tools against the web assets so that the fingerprint (CMS, framework, middleware) of each one is identified quickly and can be matched against known exploits.

Put simply, the result is an asset list whose fields are URL, IP, PORT, Domain, APP (fingerprint), TITLE and similar information.
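The six steps above, carried through end to end as an added example (this is not code from the original post or from any tool it mentions). Everything is constructed so it runs offline: the seed domains and IPs stand in for WHOIS / subdomain brute-force output, SCAN_RESULTS stands in for what a port scan plus HTTP probe would return, and the fingerprint library is deliberately tiny; the hostnames and documentation-range IPs are hypothetical. The scope check on the expanded /24s is the part worth copying: an address that is not inside any range attributed to the target is dropped instead of being counted as the target's asset.

```python
import ipaddress
import re
from dataclasses import dataclass, asdict

# Constructed seed data standing in for WHOIS lookups, subdomain brute-force
# and asset-search-engine results (hypothetical target, documentation IPs).
SEED_DOMAINS = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "vpn.example.com": "198.51.100.7",
}
TLS_PORTS = {443, 8443}

# Constructed scan output keyed by "IP:PORT" -> (status, headers, body),
# standing in for the responses a real port scan + HTTP probe would return.
SCAN_RESULTS = {
    "203.0.113.10:80": (200, {"Server": "nginx/1.18.0"},
                        "<html><head><title>Example Portal</title></head></html>"),
    "203.0.113.10:8080": (200, {"Server": "Apache-Coyote/1.1",
                                "Set-Cookie": "rememberMe=deleteMe; Path=/"},
                          "<html><head><title>OA Login</title></head></html>"),
    "203.0.113.25:443": (200, {"Server": "Microsoft-IIS/10.0"},
                         "<html><head><title>Outlook</title></head></html>"),
    # found only through /24 expansion: no seed domain points at it
    "203.0.113.44:8443": (200, {"Server": "Apache-Coyote/1.1"},
                          "<html><head><title>Apache Tomcat/9.0.30</title></head></html>"),
    "198.51.100.7:443": (403, {"Server": "Apache"},
                         "<html><head><title>403 Forbidden</title></head></html>"),
    # outside every expanded range: must not be attributed to the target
    "192.0.2.9:80": (200, {"Server": "nginx"},
                     "<html><head><title>Someone else</title></head></html>"),
}

# Tiny fingerprint library: (APP tag, predicate over headers and body).
# The rememberMe=deleteMe cookie is the classic Shiro tell.
FINGERPRINTS = [
    ("Tomcat", lambda h, b: "Coyote" in h.get("Server", "")),
    ("Shiro", lambda h, b: "rememberMe=deleteMe" in h.get("Set-Cookie", "")),
    ("IIS", lambda h, b: h.get("Server", "").startswith("Microsoft-IIS")),
    ("nginx", lambda h, b: h.get("Server", "").startswith("nginx")),
]


@dataclass
class Asset:
    url: str
    ip: str
    port: int
    domain: str
    app: str
    title: str


def expand_networks(ips, prefix=24):
    """Step 4: widen each discovered IP to the /24 (or /16) that contains it."""
    return sorted({ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips})


def build_url(ip, port):
    """Step 5: http(s)://IP:PORT; TLS is assumed on the usual TLS ports."""
    scheme = "https" if port in TLS_PORTS else "http"
    return f"{scheme}://{ip}:{port}"


def fingerprint(headers, body):
    """Step 6: APP tags from the fingerprint library plus the page TITLE."""
    apps = [name for name, match in FINGERPRINTS if match(headers, body)]
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return ",".join(apps) or "unknown", (m.group(1).strip() if m else "")


def build_asset_list(domains=SEED_DOMAINS, results=SCAN_RESULTS, prefix=24):
    """Assemble the URL/IP/PORT/Domain/APP/TITLE table from seeds and scan output."""
    ip_to_domain = {ip: d for d, ip in domains.items()}
    scope = expand_networks(ip_to_domain, prefix)
    assets = []
    for key, (_status, headers, body) in results.items():
        ip, port = key.rsplit(":", 1)
        if not any(ipaddress.ip_address(ip) in net for net in scope):
            continue  # not inside an expanded range of the target: drop it
        app, title = fingerprint(headers, body)
        assets.append(Asset(build_url(ip, int(port)), ip, int(port),
                            ip_to_domain.get(ip, ""), app, title))
    return assets


if __name__ == "__main__":
    for row in build_asset_list():
        print(asdict(row))
```

Running it prints five rows: the four services behind the seed domains plus the Tomcat on 203.0.113.44, which has an empty Domain column because it was reached only through range expansion, while the nginx on 192.0.2.9 never appears. A real pipeline replaces SCAN_RESULTS with live probe output and FINGERPRINTS with a full signature set; the table shape stays the same.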

Building an asset information table and an asset-to-threat correlation map from Party A's perspective is considerably easier than from the attacker's. By analogy with black-box versus white-box testing, Party A manages its assets and builds its threat intelligence network from the white-box perspective: it already knows what it owns and what each system is made of.

The starting point is the application go-live (registration) form that every application is submitted through. The form contains a number of fields, such as the programming language the application uses, its middleware, server operating system information, a configuration list, and the database architecture index.

In practice this can be understood simply as splitting the application into blocks. For example, if the application runs on Tomcat middleware, the middleware's vulnerability information can be associated from the CVE database and third-party vulnerability databases. The split can also be finer-grained, down to Java components such as Shiro and fastjson. Together these form the component library of the asset.

Vendors actually sell platforms that do exactly this. As long as the intelligence we collect is entered into such a system, it matches the affected business systems for us, so they can be managed efficiently.
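The component library and the intelligence matching described in the three paragraphs above, as an added example (not code from the original post or from any vendor platform). The inventory of three business systems, their owners and their components is constructed and hypothetical. The three advisories in INTEL_FEED are real and the ranges are the published affected versions for those branches, but the record format (product, inclusive low/high version, summary) is this example's own, not any vendor's feed format.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str       # normalised product name, e.g. "tomcat", "shiro"
    version: str


@dataclass
class Application:
    """One row of the (hypothetical) application go-live form."""
    system: str
    owner: str
    language: str
    os: str
    database: str
    components: list = field(default_factory=list)


@dataclass(frozen=True)
class Intel:
    """One intelligence record: product plus inclusive affected version range."""
    ident: str
    component: str
    low: str
    high: str
    summary: str


# Constructed component library for three hypothetical business systems.
INVENTORY = [
    Application("OA system", "it-ops", "Java", "CentOS 7", "MySQL 5.7",
                [Component("tomcat", "9.0.30"), Component("shiro", "1.2.4"),
                 Component("fastjson", "1.2.47")]),
    Application("Billing API", "finance-dev", "Java", "Ubuntu 20.04", "PostgreSQL 12",
                [Component("tomcat", "9.0.45"), Component("fastjson", "1.2.24")]),
    Application("Mail portal", "it-ops", "C#", "Windows Server 2019", "SQL Server 2017",
                [Component("iis", "10.0")]),
]

# Intel records in the format this example expects. The advisories are real;
# one CVE can carry several records because each branch has its own range.
INTEL_FEED = [
    Intel("CVE-2020-1938", "tomcat", "9.0.0", "9.0.30",
          "AJP connector arbitrary file read / inclusion (Ghostcat)"),
    Intel("CVE-2020-1938", "tomcat", "8.5.0", "8.5.50",
          "AJP connector arbitrary file read / inclusion (Ghostcat)"),
    Intel("CVE-2016-4437", "shiro", "0", "1.2.4",
          "rememberMe cookie deserialisation with the default cipher key"),
    Intel("CVE-2017-18349", "fastjson", "0", "1.2.24",
          "autoType deserialisation leading to remote code execution"),
]


def version_key(v):
    """'9.0.30' -> (9, 0, 30): compare numerically, so 1.2.10 > 1.2.9."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def affected(component, intel):
    """True if the component's version falls inside the record's affected range."""
    if component.name != intel.component:
        return False
    return version_key(intel.low) <= version_key(component.version) <= version_key(intel.high)


def match_intel(applications, intel_feed):
    """Map each intel identifier to the (system, 'product version') pairs it hits."""
    hits = {}
    for entry in intel_feed:
        for app in applications:
            for comp in app.components:
                if affected(comp, entry):
                    hits.setdefault(entry.ident, []).append(
                        (app.system, f"{comp.name} {comp.version}"))
    return hits


def owners_to_notify(applications, intel_feed):
    """Group the hits by system owner: the list a triage team actually works from."""
    hits = match_intel(applications, intel_feed)
    owner_of = {app.system: app.owner for app in applications}
    out = {}
    for ident, pairs in hits.items():
        for system, comp in pairs:
            out.setdefault(owner_of[system], set()).add((system, ident, comp))
    return out


if __name__ == "__main__":
    for ident, pairs in match_intel(INVENTORY, INTEL_FEED).items():
        print(ident, "->", pairs)
    for owner, items in owners_to_notify(INVENTORY, INTEL_FEED).items():
        print(owner, "->", sorted(items))
```

Two details matter in practice. Versions must be compared numerically, not as strings, otherwise "1.2.10" sorts before "1.2.9" and a vulnerable host is missed. And the matching is only as good as the component library: the fastjson 1.2.47 on the OA system is not flagged by the fastjson record here because that record's published range ends at 1.2.24, so a feed that is not kept current, or a form that records "Java" without the component versions, silently produces no hits.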