magana game da amfani kayan aiki ga pentesters. A cikin sabon labarin za mu dubi kayan aiki don nazarin tsaro na aikace-aikacen yanar gizo.
Abokin aikinmu Na riga na yi wani abu kamar wannan kimanin shekaru bakwai da suka gabata. Yana da ban sha'awa don ganin irin kayan aikin da suka riƙe da ƙarfafa matsayinsu, kuma waɗanne ne suka ɓace a bango kuma yanzu ba a yi amfani da su ba.
Lura cewa wannan kuma ya haɗa da Burp Suite, amma za a sami wani keɓaɓɓen bugu game da shi da kuma plugins masu amfani.
Abubuwan:
tara
- kayan aikin Go don bincike da ƙididdige wuraren yanki na DNS da taswirar hanyar sadarwar waje. Amass wani shiri ne na OWASP da aka ƙera don nuna yadda ƙungiyoyi a Intanet suke kama da na waje. Amass yana samun sunaye na yanki ta hanyoyi daban-daban; kayan aikin yana amfani da ƙididdige ƙididdiga na reshen yanki da buɗaɗɗen bincike.
Don gano sassan cibiyar sadarwa masu haɗin kai da lambobi masu zaman kansu, Amass yana amfani da adiresoshin IP da aka samu yayin aiki. Ana amfani da duk bayanan da aka samo don gina taswirar hanyar sadarwa.
Sakamakon:
- Dabarun tattara bayanai sun haɗa da:
* DNS - binciken ƙamus na ƙananan yanki, bruteforce subdomains, bincike mai wayo ta amfani da maye gurbi dangane da wuraren da aka samo, juyar da tambayoyin DNS da bincika sabar DNS inda zai yiwu a yi buƙatar canja wurin yanki (AXFR);* Binciken tushen tushe - Tambayi, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, BarazanaCrowd, VirusTotal, Yahoo;
* Bincika bayanan takaddun shaida na TLS - Censys, CertDB, CertSpotter, Crtsh, Amincewa;
* Amfani da injin bincike APIs - BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, TsaroTrails, Shodan, Twitter, Umbrella, URLScan;
* Bincika wuraren ajiyar gidan yanar gizon Intanet: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback;
- Haɗin kai tare da Maltego;
- Yana ba da cikakkiyar ɗaukar hoto na aikin neman yanki na DNS.
Fursunoni:
- Yi hankali da amass.netdomains - zai yi ƙoƙarin tuntuɓar kowane adireshin IP a cikin kayan aikin da aka gano kuma ya sami sunayen yanki daga sake duba DNS da takaddun shaida na TLS. Wannan dabara ce ta "babban martaba", tana iya bayyana ayyukan sirrinku a cikin ƙungiyar da ake bincike.
- Babban amfani da ƙwaƙwalwar ajiya, zai iya cinye har zuwa 2 GB na RAM a cikin saitunan daban-daban, wanda ba zai ba ku damar gudanar da wannan kayan aiki a cikin gajimare a kan VDS mai arha ba.
Altdns
- kayan aikin Python don tattara ƙamus don ƙididdige yanki na DNS. Yana ba ku damar ƙirƙira bambance-bambancen yanki da yawa ta amfani da maye gurbi da maye gurbi. Don wannan, ana amfani da kalmomin da galibi ana samun su a cikin ƙananan yankuna (misali: gwaji, dev, staging), duk maye gurbi da ƙetare ana amfani da su zuwa ga wuraren da aka riga aka sani, waɗanda za a iya ƙaddamar da su zuwa shigar da Altdns. Fitowar shine jerin bambance-bambancen yanki na yanki waɗanda za su iya wanzuwa, kuma wannan jerin za a iya amfani da su daga baya don ƙarfin hali na DNS.
Sakamakon:
- Yana aiki da kyau tare da manyan saitunan bayanai.
ruwa
- a baya an fi saninsa da wani kayan aiki don bincika ƙananan yankuna, amma marubucin da kansa ya yi watsi da wannan don goyon bayan Amass da aka ambata. Yanzu an sake rubuta aquatone a cikin Go kuma ya fi dacewa da bincike na farko akan gidajen yanar gizo. Don yin wannan, aquatone yana bi ta cikin ƙayyadaddun wuraren da aka kayyade kuma yana neman gidajen yanar gizo a kan tashar jiragen ruwa daban-daban, bayan haka ya tattara duk bayanan da ke cikin shafin kuma yana ɗaukar hoto. Dace don saurin binciken farko na gidajen yanar gizo, bayan haka zaku iya zaɓar maƙasudin fifiko don hare-hare.
Sakamakon:
- Fitarwa yana ƙirƙirar rukuni na fayiloli da manyan fayiloli waɗanda suka dace don amfani yayin ƙara aiki tare da wasu kayan aikin:
* Rahoton HTML tare da hotunan kariyar kwamfuta da aka tattara da taken amsa an haɗa su ta hanyar kamanceceniya;* Fayil tare da duk URLs inda aka samo gidajen yanar gizo;
* Fayil tare da ƙididdiga da bayanan shafi;
* Babban fayil tare da fayilolin da ke ɗauke da taken martani daga maƙasudan da aka samo;
* Babban fayil tare da fayilolin da ke ɗauke da jikin martani daga abubuwan da aka samo;
* Hoton hotuna na gidajen yanar gizon da aka samo;
- Yana goyan bayan aiki tare da rahotannin XML daga Nmap da Masscan;
- Yana amfani da Chrome/Chromium mara kai don yin hotunan kariyar kwamfuta.
Fursunoni:
- Yana iya jawo hankalin tsarin gano kutse, don haka yana buƙatar daidaitawa.
An ɗauki hoton hoton don ɗaya daga cikin tsofaffin nau'ikan aquatone (v0.5.0), wanda aka aiwatar da bincike na yanki na DNS. Ana iya samun tsofaffin sigogin a .
MassDNS
wani kayan aiki ne don nemo subdomains na DNS. Babban bambancinsa shine yana yin tambayoyin DNS kai tsaye zuwa yawancin masu warware DNS daban-daban kuma yana yin hakan cikin sauri mai yawa.
Sakamakon:
- Fast - iya warware fiye da 350 dubu sunaye a sakan daya.
Fursunoni:
- MassDNS na iya haifar da babban nauyi akan masu warwarewar DNS da ake amfani da su, wanda zai iya haifar da dakatarwa akan waɗancan sabar ko gunaguni ga ISP ɗin ku. Bugu da kari, zai sanya babban kaya a kan sabar DNS na kamfanin, idan suna da su kuma idan suna da alhakin wuraren da kuke ƙoƙarin warwarewa.
- Jerin masu warwarewa a halin yanzu ya tsufa, amma idan kun zaɓi ɓatattun masu warwarewar DNS kuma ku ƙara sabbin sanannun, komai zai yi kyau.
Hoton hoton aquatone v0.5.0
nsec3map
kayan aiki ne na Python don samun cikakken jerin yankuna masu kariya na DNSSEC.
Sakamakon:
- Da sauri gano runduna a yankunan DNS tare da ƙaramin adadin tambayoyin idan an kunna tallafin DNSSEC a yankin;
- Ya haɗa da plugin don John the Ripper wanda za'a iya amfani dashi don fashe sakamakon NSEC3 hashes.
Fursunoni:
- Yawancin kurakuran DNS ba a sarrafa su daidai;
- Babu daidaituwa ta atomatik na sarrafa bayanan NSEC - dole ne ku raba sunan da hannu;
- Yawan amfani da ƙwaƙwalwar ajiya.
Acunetix
- na'urar daukar hoto mai lahani na yanar gizo wanda ke sarrafa aikin duba tsaro na aikace-aikacen yanar gizo. Gwada aikace-aikacen don allurar SQL, XSS, XXE, SSRF da sauran raunin yanar gizo da yawa. Koyaya, kamar kowane na'urar daukar hotan takardu, nau'ikan raunin gidan yanar gizo ba ya maye gurbin pentester, tunda ba zai iya samun sarƙaƙƙiya na lahani ko lahani a cikin dabaru ba. Amma ya ƙunshi nau'o'in lahani daban-daban, gami da CVEs daban-daban, waɗanda pentester zai iya mantawa da su, don haka ya dace sosai don 'yantar da ku daga bincike na yau da kullun.
Sakamakon:
- Ƙananan matakin ƙimar ƙarya;
- Ana iya fitar da sakamakon a matsayin rahotanni;
- Yana yin babban adadin cak don lahani daban-daban;
- Daidaitawar sikanin runduna da yawa.
Fursunoni:
- Babu wani algorithm na cirewa (Acunetix zai yi la'akari da shafukan da suka dace a cikin aiki don zama daban-daban, tun da suna jagorantar URL daban-daban), amma masu haɓaka suna aiki akan shi;
- Yana buƙatar shigarwa akan sabar gidan yanar gizo daban, wanda ke dagula tsarin gwajin abokin ciniki tare da haɗin VPN da amfani da na'urar daukar hotan takardu a cikin keɓantaccen yanki na cibiyar sadarwar abokin ciniki na gida;
- Sabis ɗin da ke kan binciken yana iya yin hayaniya, alal misali, ta hanyar aika da yawa da yawa na kai hari zuwa hanyar tuntuɓar rukunin yanar gizon, wanda hakan ke dagula hanyoyin kasuwanci sosai;
- Mai mallakar mallaka ce kuma, saboda haka, ba mafita kyauta ba.
Bincike
- kayan aikin Python don tilasta kundayen adireshi da fayiloli akan gidajen yanar gizo.
Sakamakon:
- Za a iya bambanta ainihin shafukan "200 Ok" daga shafukan "200 Ok", amma tare da rubutun "shafi ba a samo ba";
- Ya zo tare da ƙamus mai amfani wanda ke da kyakkyawar ma'auni tsakanin girma da ingantaccen bincike. Ya ƙunshi daidaitattun hanyoyi gama-gari ga yawancin CMS da tarin fasaha;
- Tsarin ƙamus na kansa, wanda ke ba ku damar samun ingantaccen aiki da sassauci a cikin ƙididdige fayiloli da kundayen adireshi;
- Fitarwa mai dacewa - rubutu a sarari, JSON;
- Yana iya yin maƙarƙashiya - tsayawa tsakanin buƙatun, wanda ke da mahimmanci ga kowane sabis mara ƙarfi.
Fursunoni:
- Dole ne a wuce abubuwan haɓakawa azaman kirtani, wanda ba shi da daɗi idan kuna buƙatar wuce kari da yawa lokaci ɗaya;
- Domin amfani da ƙamus ɗin ku, zai buƙaci a ɗan gyara shi zuwa tsarin ƙamus ɗin Dirsearch don iyakar inganci.
wfuzz
- Python aikace-aikacen yanar gizo fuzzer. Wataƙila ɗaya daga cikin shahararrun mashahuran yanar gizo. Ka'idar mai sauƙi ce: wfuzz yana ba ku damar aiwatar da kowane wuri a cikin buƙatun HTTP, wanda ke ba ku damar aiwatar da sigogin GET/POST, masu taken HTTP, gami da kuki da sauran kanun tantancewa. A lokaci guda, yana da dacewa don sauƙi mai sauƙi na kundayen adireshi da fayiloli, wanda kuke buƙatar ƙamus mai kyau. Hakanan yana da tsarin tacewa mai sassauƙa, wanda zaku iya tace martani daga gidan yanar gizon gwargwadon sigogi daban-daban, wanda ke ba ku damar cimma sakamako mai inganci.
Sakamakon:
- Multifunctional - tsarin tsarin, taro yana ɗaukar 'yan mintoci kaɗan;
- Ingantacciyar hanyar tacewa da fuzzing;
- Kuna iya sarrafa kowace hanyar HTTP, da kowane wuri a cikin buƙatun HTTP.
Fursunoni:
- Karkashin ci gaba.
zuf
- Fuzzer na yanar gizo a cikin Go, wanda aka kirkira a cikin "hoto da kamanni" na wfuzz, yana ba ku damar zazzage fayiloli, kundayen adireshi, hanyoyin URL, sunaye da ƙimar sigogin GET / POST, masu buga HTTP, gami da mai watsa shiri don ƙarfi mai ƙarfi. na kama-da-wane runduna. wfuzz ya bambanta da ɗan'uwansa a cikin mafi girman gudu da wasu sabbin abubuwa, misali, yana goyan bayan tsarin ƙamus na Dirsearch.
Sakamakon:
- Filters suna kama da masu tace wfuzz, suna ba ku damar daidaita ƙarfi mai ƙarfi;
- Yana ba ku damar ɓata ƙimar taken HTTP, bayanan buƙatun POST da sassa daban-daban na URL, gami da sunaye da ƙimar sigogin GET;
- Kuna iya ƙayyade kowace hanyar HTTP.
Fursunoni:
- Karkashin ci gaba.
gobuster
- Kayan aikin Go don bincike, yana da nau'ikan aiki guda biyu. Ana amfani da na farko don murƙushe fayiloli da kundayen adireshi akan gidan yanar gizo, na biyu kuma ana amfani da shi don murƙushe ƙananan yanki na DNS. Kayan aikin baya tallafawa ƙididdiga masu yawa na fayiloli da kundayen adireshi da farko, wanda, ba shakka, yana adana lokaci, amma a gefe guda, dole ne a ƙaddamar da ƙarfin kowane sabon ƙarshen akan gidan yanar gizon daban.
Sakamakon:
- Babban gudun aiki duka biyu don binciken ƙarfi na yanki na DNS da kuma ƙarfin ƙarfi na fayiloli da kundayen adireshi.
Fursunoni:
- Sigar na yanzu baya goyan bayan saitin taken HTTP;
- Ta hanyar tsohuwa, kawai wasu lambobin matsayin HTTP (200,204,301,302,307) ana ɗaukar inganci.
Arjun
- kayan aiki don ƙarfin ƙarfi na ɓoyayyun sigogin HTTP a cikin sigogin GET/POST, haka kuma a cikin JSON. Ƙamus ɗin da aka gina a ciki yana da kalmomi 25, waɗanda Ajrun ke dubawa a cikin kusan daƙiƙa 980. Dabarar ita ce, Ajrun ba ya duba kowace siga daban, amma yana duba sigogi ~ 30 a lokaci guda kuma ya ga ko amsar ta canza. Idan amsar ta canza, ta raba wannan sigogi 1000 zuwa kashi biyu kuma a duba wane bangare ne ya shafi amsar. Don haka, ta amfani da bincike mai sauƙi na binary, ana samun siga ko ɓoyayyun sigogi da yawa waɗanda suka rinjayi amsar kuma, sabili da haka, na iya kasancewa.
Sakamakon:
- Babban gudun saboda binciken binary;
- Taimako don sigogi na GET / POST, da kuma sigogi a cikin nau'i na JSON;
Abubuwan plugin ɗin don Burp Suite yana aiki akan ka'ida iri ɗaya - , wanda kuma yana da kyau sosai wajen gano ma'aunin HTTP masu ɓoye. Za mu gaya muku ƙarin game da shi a cikin labarin mai zuwa game da Burp da plugins ɗin sa.
LinkFinder
- rubutun Python don neman hanyoyin haɗi a cikin fayilolin JavaScript. Yana da fa'ida don nemo ɓoye ko manta wuraren ƙarewa/URL a cikin aikace-aikacen gidan yanar gizo.
Sakamakon:
- Mai sauri;
- Akwai plugin na musamman don Chrome bisa LinkFinder.
.
Fursunoni:
- Ƙarshe maras dacewa;
- Ba ya nazarin JavaScript akan lokaci;
- Hankali mai sauƙi don neman hanyoyin haɗin gwiwa - idan JavaScript ya ɓoye ko ta yaya, ko kuma hanyoyin haɗin sun ɓace kuma an ƙirƙira su da ƙarfi, to ba zai iya samun komai ba.
JSParser
rubutun Python ne da ke amfani da shi и don rarraba URLs dangi daga fayilolin JavaScript. Yana da matukar amfani don gano buƙatun AJAX da haɗa jerin hanyoyin API waɗanda aikace-aikacen ke mu'amala da su. Yana aiki yadda ya kamata tare da LinkFinder.
Sakamakon:
- Fassarar sauri na fayilolin JavaScript.
sqlmap
tabbas yana ɗaya daga cikin shahararrun kayan aikin don nazarin aikace-aikacen yanar gizo. Sqlmap yana sarrafa bincike da aiki na alluran SQL, yana aiki da yarukan SQL da yawa, kuma yana da ɗimbin dabaru daban-daban a cikin arsenal ɗin sa, kama daga madaidaitan magana zuwa hadaddun vectors don allurar SQL na tushen lokaci. Bugu da kari, yana da dabaru da yawa don ƙarin amfani ga DBMS daban-daban, don haka yana da amfani ba kawai azaman na'urar daukar hotan takardu don allurar SQL ba, har ma a matsayin kayan aiki mai ƙarfi don amfani da riga an sami allurar SQL.
Sakamakon:
- Babban adadin dabaru daban-daban da vectors;
- Ƙananan adadin ƙididdiga na ƙarya;
- Zaɓuɓɓukan daidaitawa da yawa, dabaru daban-daban, bayanan da aka yi niyya, rubutun lalata don ƙetare WAF;
- Ikon ƙirƙirar juji na fitarwa;
- Yawancin damar aiki daban-daban, alal misali, ga wasu bayanan bayanai - lodi ta atomatik / sauke fayiloli, samun ikon aiwatar da umarni (RCE) da sauransu;
- Taimako don haɗin kai tsaye zuwa bayanan bayanan ta amfani da bayanan da aka samu yayin harin;
- Kuna iya ƙaddamar da fayil ɗin rubutu tare da sakamakon Burp azaman shigarwa - babu buƙatar haɗa duk halayen layin umarni da hannu.
Fursunoni:
- Yana da wahala a keɓancewa, misali, rubuta wasu cak ɗin ku saboda ƙarancin takaddun wannan;
- Ba tare da saitunan da suka dace ba, yana aiwatar da tsarin binciken da bai cika ba, wanda zai iya zama yaudara.
NoSQLMap
- kayan aikin Python don sarrafa atomatik bincike da amfani da alluran NoSQL. Ya dace don amfani ba kawai a cikin bayanan NoSQL ba, har ma kai tsaye lokacin duba aikace-aikacen yanar gizon da ke amfani da NoSQL.
Sakamakon:
- Kamar sqlmap, ba wai kawai yana samun yuwuwar lahani ba, har ma yana bincika yiwuwar amfani da shi don MongoDB da CouchDB.
Fursunoni:
- Baya goyan bayan NoSQL don Redis, Cassandra, ci gaba yana gudana ta wannan hanyar.
oxml_xxe
- kayan aiki don saka XXE XML yana amfani da su cikin nau'ikan fayiloli daban-daban waɗanda ke amfani da tsarin XML ta wani nau'i.
Sakamakon:
- Yana goyan bayan tsarin gama gari da yawa kamar DOCX, ODT, SVG, XML.
Fursunoni:
- Ba a cika aiwatar da tallafi don PDF, JPEG, GIF ba;
- Yana ƙirƙirar fayil ɗaya kawai. Don magance wannan matsala zaka iya amfani da kayan aiki , wanda zai iya haifar da adadi mai yawa na fayilolin biya a wurare daban-daban.
Abubuwan da ke sama suna yin babban aiki na gwada XXE lokacin loda takaddun da ke ɗauke da XML. Amma kuma ku tuna cewa ana iya samun masu sarrafa tsarin XML a wasu lokuta da yawa, misali, ana iya amfani da XML azaman tsarin bayanai maimakon JSON.
Don haka, muna ba da shawarar ku kula da ma'ajiyar da ke gaba, wanda ya ƙunshi adadi mai yawa na nau'ikan kaya daban-daban: .
tplmap
- kayan aikin Python don ganowa ta atomatik da yin amfani da raunin alluran Samfurin Sabis na Side; yana da saituna da tutoci masu kama da sqlmap. Yana amfani da dabaru daban-daban da na'urori daban-daban, gami da allura makaho, kuma yana da dabaru don aiwatar da lamba da lodawa / loda fayiloli na sabani. Bugu da kari, yana da dabarun arsenal dinsa na injunan samfuri guda goma sha biyu da wasu dabaru don neman eval() -kamar code injections a Python, Ruby, PHP, JavaScript. Idan ya yi nasara, yana buɗe na'ura mai kwakwalwa ta kwamfuta.
Sakamakon:
- Babban adadin dabaru daban-daban da vectors;
- Yana goyan bayan injunan yin samfuri da yawa;
- Yawancin dabarun aiki.
CeWL
- janareta na ƙamus a cikin Ruby, wanda aka ƙirƙira don fitar da keɓaɓɓun kalmomi daga ƙayyadadden gidan yanar gizon, yana bin hanyoyin haɗin yanar gizon zuwa ƙayyadadden zurfin. Ƙamus ɗin da aka haɗa na musamman za a iya amfani da su daga baya don murƙushe kalmomin shiga na tilastawa akan ayyuka ko manyan fayiloli da kundayen adireshi a kan gidan yanar gizon guda ɗaya, ko don kai hari ga hashes ta amfani da hashcat ko John the Ripper. Yana da amfani yayin tattara jerin “manufa” masu yuwuwar kalmomin shiga.
Sakamakon:
- Sauƙi don amfani.
Fursunoni:
- Kuna buƙatar yin hankali tare da zurfin bincike don kada ku kama wani yanki.
Weakpass
- sabis ɗin da ke ɗauke da ƙamus da yawa tare da keɓaɓɓun kalmomin shiga. Yana da matuƙar amfani ga ayyuka daban-daban masu alaƙa da fashe kalmar sirri, kama daga sassauƙan ƙarfin asusu na kan layi akan ayyukan da aka yi niyya, zuwa kashe-kashen layi na karɓar hashes ta amfani da ko . Ya ƙunshi kusan kalmomin sirri biliyan 8 masu tsayi daga haruffa 4 zuwa 25.
Sakamakon:
- Ya ƙunshi ƙamus guda biyu da ƙamus na musamman tare da kalmomin sirri na gama gari - zaku iya zaɓar takamaiman ƙamus don bukatun ku;
- Ana sabunta ƙamus kuma an cika su da sabbin kalmomin shiga;
- Ana jera ƙamus ta inganci. Za ka iya zaɓar zaɓi don duka sauri-sauri kan layi da cikakken zaɓi na kalmomin shiga daga ƙamus mai ƙarfi tare da sabbin leaks;
- Akwai kalkuleta wanda ke nuna lokacin da ake ɗaukar kalmar sirri akan kayan aikin ku.
Muna son haɗa kayan aiki don bincikar CMS a cikin rukuni daban: WPScan, JoomScan da AEM dan gwanin kwamfuta.
AEM_hacker
kayan aiki ne don gano lahani a cikin aikace-aikacen Adobe Experience Manager (AEM).
Sakamakon:
- Za a iya gano aikace-aikacen AEM daga jerin URLs da aka ƙaddamar zuwa shigar da shi;
- Ya ƙunshi rubutun don samun RCE ta loda harsashi JSP ko amfani da SSRF.
JoomScan
- kayan aikin Perl don sarrafa gano lahani yayin tura Joomla CMS.
Sakamakon:
- Iya samun ɓangarorin sanyi da matsaloli tare da saitunan gudanarwa;
- Ya jera nau'ikan Joomla da raunin da ke da alaƙa, haka ma na ɗayan abubuwan haɗin gwiwa;
- Ya ƙunshi fiye da amfani 1000 don abubuwan haɗin Joomla;
- Fitar da rahotanni na ƙarshe a cikin rubutu da tsarin HTML.
WPScan
- kayan aiki don bincika shafukan yanar gizon WordPress, yana da lahani a cikin arsenal duka don injin WordPress da kansa da kuma wasu plugins.
Sakamakon:
- Iya yin lissafin ba kawai plugins da jigogi na WordPress marasa lafiya ba, har ma da samun jerin masu amfani da fayilolin TimThumb;
- Za a iya kai hare-hare na karfi a kan shafukan WordPress.
Fursunoni:
- Ba tare da saitunan da suka dace ba, yana aiwatar da tsarin binciken da bai cika ba, wanda zai iya zama yaudara.
Gabaɗaya, mutane daban-daban sun fi son kayan aiki daban-daban don aiki: duk suna da kyau a hanyarsu, kuma abin da mutum ɗaya yake so bazai dace da wani ba kwata-kwata. Idan kuna tunanin cewa mun yi watsi da wasu amfani mai kyau ba bisa ƙa'ida ba, rubuta game da shi a cikin sharhi!
source: www.habr.com