ctf-recon
# CTF Reconnaissance & Enumeration
## Web Reconnaissance

### Initial Checks
```bash
# Fetch and inspect
curl -v http://target/
curl -s http://target/ | head -100

# Check common paths
for path in robots.txt sitemap.xml .env .git/HEAD .well-known/ admin api debug; do
  code=$(curl -s -o /dev/null -w "%{http_code}" "http://target/$path")
  [ "$code" != "404" ] && echo "[+] /$path -> $code"
done

# Response headers
curl -sI http://target/ | grep -iE "(server|x-|powered|content-type|set-cookie)"

# View page source for comments, JS, hidden forms
curl -s http://target/ | grep -iE "(<!--|flag|secret|admin|api|token|password)"
```
### Technology Fingerprinting
```bash
# Server identification
curl -sI http://target/ | grep -i "server:"
# Also look for X-Powered-By, X-Framework, etc.

# Common framework indicators
curl -s http://target/ | grep -ioE "(react|angular|vue|next|nuxt|flask|django|express|laravel|rails)"

# JavaScript bundles (dot escaped so it only matches .js, not e.g. "ajs")
curl -s http://target/ | grep -oE 'src="[^"]*\.js"' | head -20

# Check for source maps
curl -s http://target/main.js.map -o /dev/null -w "%{http_code}"
```
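The header grep above shows what a fingerprinting pass reads off a server. The following is an added example, not part of the original cheat sheet, that turns the same headers into a hardening check from the defender's side: it reads raw `curl -sI` output on stdin and flags version leaks, framework disclosure headers and cookies missing `HttpOnly`/`Secure`. The header dump is constructed sample data.

```bash
#!/bin/sh
# Added example (not from the original cheat sheet): audit a server's response
# headers for the fingerprinting leaks the section above greps for.
# Reads raw headers (e.g. the output of `curl -sI http://target/`) on stdin.

audit_headers() {
  findings=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')         # strip CRLF line endings
    case "$line" in *:*) ;; *) continue ;; esac        # skip the status line
    name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
    value=${line#*:}
    value=${value# }
    case "$name" in
      server)
        # A bare product name is acceptable; a version string gives fingerprinting a head start
        if printf '%s' "$value" | grep -qE '[0-9]+\.[0-9]+'; then
          echo "[!] Server header leaks version: $value"
          findings=$((findings + 1))
        fi ;;
      x-powered-by|x-aspnet-version|x-aspnetmvc-version|x-generator)
        echo "[!] Framework disclosure header: $name: $value"
        findings=$((findings + 1)) ;;
      set-cookie)
        # Session cookies need HttpOnly (no script access) and Secure (never sent in plaintext)
        cookie=${value%%;*}
        printf '%s' "$value" | grep -qi 'httponly' || {
          echo "[!] Cookie without HttpOnly: $cookie"; findings=$((findings + 1)); }
        printf '%s' "$value" | grep -qi 'secure' || {
          echo "[!] Cookie without Secure: $cookie"; findings=$((findings + 1)); }
        ;;
    esac
  done
  echo "findings: $findings"
}

# Constructed sample headers standing in for `curl -sI http://target/`
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html; charset=UTF-8'

printf '%s\n' "$SAMPLE_HEADERS" | audit_headers
```

Against a live host, replace the sample with `curl -sI http://target/ | audit_headers`; a clean result ends with `findings: 0`.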
### Directory/File Discovery
```bash
# Common wordlist paths
# /usr/share/wordlists/dirb/common.txt
# /usr/share/seclists/Discovery/Web-Content/common.txt

# ffuf for fuzzing
ffuf -u http://target/FUZZ -w wordlist.txt -mc 200,301,302,403
ffuf -u http://target/FUZZ -w wordlist.txt -e .php,.txt,.html,.js,.bak

# gobuster alternative
gobuster dir -u http://target/ -w wordlist.txt
```
### API Enumeration
```bash
# Check common API paths
for path in api api/v1 api/v2 graphql api/docs swagger.json openapi.json; do
  code=$(curl -s -o /dev/null -w "%{http_code}" "http://target/$path")
  [ "$code" != "404" ] && echo "[+] /$path -> $code"
done

# Extract API endpoints from JS bundles
curl -s http://target/static/js/main.js | grep -oE '"/api/[^"]*"' | sort -u

# GraphQL introspection (line continuation so -d is passed to the same curl call)
curl -s http://target/graphql -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name fields{name}}}}"}'
```
## Network Reconnaissance

### Port Scanning
```bash
# Quick TCP scan
nmap -sV -sC -T4 target

# All ports
nmap -p- -T4 target

# UDP scan (slow but important)
nmap -sU --top-ports 20 target

# Service version detection
nmap -sV -p PORT target
```
### Service Interaction
```bash
# Banner grabbing
nc -v target port
echo "" | nc -w3 target port

# SSL/TLS info
openssl s_client -connect target:443 </dev/null 2>/dev/null | openssl x509 -noout -text

# DNS
dig target ANY
dig -t txt target
dig axfr @ns.target target  # Zone transfer attempt
```
## Source Code Reconnaissance

### Git Exposure
```bash
# Check for exposed .git
curl -s http://target/.git/HEAD
curl -s http://target/.git/config

# Dump with git-dumper
git-dumper http://target/.git/ ./dumped-repo

# Extract from downloaded .git
cd dumped-repo && git log --all --oneline
git diff HEAD~5..HEAD
git log --all --diff-filter=D --name-only  # Deleted files
git show HEAD~3:secret.txt  # Recover a deleted file from an earlier commit
```
### Backup File Discovery
```bash
# Common backup extensions (label each status code, otherwise the codes run together)
for ext in .bak .old .orig .save .swp ~; do
  curl -s -o /dev/null -w "%{http_code} /index.php${ext}\n" "http://target/index.php${ext}"
done

# Editor backups
curl -s http://target/.index.php.swp  # vim swap
curl -s http://target/index.php~  # emacs backup
```
## CTF-Specific Patterns
- Challenge description is ALWAYS a hint — read every word
- Challenge title often reveals the technique (e.g., "Inject" = injection, "Token" = JWT)
- Points/difficulty indicate expected complexity
- If a port is unusual, try connecting with nc first to see the banner
- Multiple open ports often means chaining vulnerabilities across services
- Always check for custom HTTP headers in responses (X-Flag, X-Hint, etc.)