Network Security Learning - Intranet Security 1
2022-07-29 05:03:00 【YAy17】
Catalog
- Network information collection
- User information collection commands
- Credential information collection
- Probing the domain controller, hosts and services

Attached is a slide from the class. The DMZ (officially the demilitarized zone) addresses the problem that, once a firewall is installed, users on the external network can no longer reach the internal servers: it sets up a buffer zone between the untrusted and the trusted systems.
In this picture, the business servers that have to be exposed to the Internet are placed in the DMZ, and there is a second firewall between the DMZ and the intranet. So once we have compromised a DMZ host (for example the web server), attacking the servers inside the intranet (file servers, databases, and the finance and office PCs of the enterprise) becomes considerably harder.
Know the following terms: LAN, workgroup, domain environment, Active Directory (AD), domain controller (DC).
LAN: a group of computers interconnected within a limited area, usually within a few thousand meters. A LAN supports file management, application sharing, printer sharing, scheduling within the workgroup, e-mail and fax communication services.
Workgroup: simply put, like the network at home or at school: many users and machines, with no hierarchy among them.
Domain environment: unlike a workgroup, a domain environment is larger and has an administrator that can push commands to its members. (How to tell a workgroup from a domain environment is covered below.)
Active Directory (AD): a directory service provided by Microsoft (lookup and authentication). Its core is the Active Directory database, which holds all the objects in the domain (users, computers, groups, ...). Active Directory is the directory service for Windows Standard Server, Windows Enterprise Server and Windows Datacenter Server. Its role:
- Centralized storage of user and password lists;
- A set of servers acting as authentication servers;
- A searchable index of the resources in the domain, for easy lookup;
- Better hierarchical management.
Domain controller (DC): in "domain" mode, at least one server is responsible for verifying every computer and user that connects to the network, much like the guard at the gate of an organization. That server is called the domain controller (Domain Controller, abbreviated DC).
Can an AD domain controller only run on Windows Server? Is Linux OK?
Answer: Linux also has a corresponding Active Directory, but it requires setting up an LDAP environment. Ordinary enterprises rarely use LDAP for management, because it is less capable than a domain, and using Linux for management also sets a higher bar for the technicians. Personally, I think Linux is better used as a server.
Let's use a diagram to explain the whole process.
Here is a single domain. The domain controller (DC) has the IP address 192.168.3.21, and all the servers in the figure are on one network segment, 192.168.3.0/24. The domain contains a file server, a database server, a web server and two PCs (marry and jack). The web server has two addresses (192.168.3.32 and 192.168.230.131): one faces the outside, the other faces the intranet. The attacker at the bottom (192.168.230.133) is on the same segment as the web server. So the path is: compromise the web server, then, since the web server can reach the intranet, use it to take down the domain controller (DC).
Basic information collection
Mainly covers version, patches, services, tasks, protection software, etc.
The aim is to understand the basic information of the current server's machine, to prepare for judging the server's role and its network environment later.
systeminfo: system details (OS version, patch numbers)
net start: started services
tasklist: process list
schtasks: scheduled tasks
Network information collection
Understand the network interface information of the current server, to judge its current role, function and the network architecture.
ipconfig /all: determine whether a domain exists (DNS suffix)
net view /domain: determine whether there is a domain
net time /domain: determine the primary domain
netstat -ano: ports currently open on the network
nslookup <domain name>: resolve the name to its address
In fact, from this you can tell whether it is a workgroup or a domain environment.
When there is a domain environment and we run ipconfig -all, we can see a primary DNS suffix.
The echoed suffix here is god.org, which means there is a domain.
Above, net time /domain returns god.org, the primary DNS suffix we saw before. The full name of each computer = computer name + primary DNS suffix. So once we have a computer's name, we can resolve its IP address with nslookup.
You can also use the ping command to view the IP address.
User information collection
The aim is to understand the users and user groups in the current computer or domain environment, to make privilege escalation testing easier later.
Common default user groups in the system:
Domain Admins: domain administrators (full control of the domain controller by default)
Domain Computers: domain machines
Domain Controllers: domain controllers
Domain Guests: domain guests, low privileges
Domain Users: domain users
Enterprise Admins: enterprise administrators (full control of the domain controller by default)
User information collection commands
whoami /all: current user's privileges
net config workstation: logon information
net user: local users
net localgroup: local user groups
net user /domain: domain user information
net group /domain: domain user groups
wmic useraccount get /all: domain user details
net group "Domain Admins" /domain: query the domain administrator accounts
net group "Enterprise Admins" /domain: query the enterprise administrator group
net group "Domain Controllers" /domain: query the domain controllers

Therefore webadmin cannot be seen in the local group.
In the domain, however, webadmin is visible.

View the details of domain users .
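The same command set (basic, network and user information collection) is a strong host-side signal for a defender: these commands rarely appear together, in quick succession, from one service account. The following is an added example, not part of the original post; it classifies process-creation command lines and alerts when one host and user hits several discovery categories inside a short window. The event field names (Time, Computer, User, CommandLine) and the sample events are constructed, modelled on a Windows 4688 / Sysmon Event ID 1 export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per group of discovery commands from the post (case-insensitive).
DISCOVERY = {
    "os-info":   re.compile(r"^(systeminfo|tasklist|net\s+start|schtasks)\b", re.I),
    "net-info":  re.compile(r"^(ipconfig\s+[/-]all|netstat\s+-ano|net\s+(view|time)\s+/domain|nslookup\b)", re.I),
    "user-info": re.compile(r"^(whoami\s+/all|net\s+(user|localgroup)\b|wmic\s+useraccount\b)", re.I),
    "domain-groups": re.compile(r'^net\s+group\s+"?(domain|enterprise)\s+(admins|controllers)"?\s+/domain', re.I),
}

def classify(command_line):
    """Return the discovery category of a process command line, or None."""
    # Drop a leading "cmd.exe /c" so commands spawned through a shell still match.
    cmd = re.sub(r'^("?[^"]*\\)?cmd(\.exe)?"?\s+/c\s+', "", command_line.strip(), flags=re.I)
    for name, pattern in DISCOVERY.items():
        if pattern.search(cmd):
            return name
    return None

def find_bursts(events, window=timedelta(minutes=5), min_categories=3):
    """Alert once per host+user that hits >= min_categories distinct categories within `window`."""
    hits = defaultdict(list)                      # (host, user) -> [(time, category)]
    for ev in events:
        cat = classify(ev["CommandLine"])
        if cat:
            hits[(ev["Computer"], ev["User"])].append((ev["Time"], cat))
    alerts = []
    for (host, user), seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            cats = {c for t, c in seq[i:] if t - t0 <= window}
            if len(cats) >= min_categories:
                alerts.append({"host": host, "user": user, "start": t0, "categories": sorted(cats)})
                break
    return alerts

# Constructed sample events (not real telemetry); field names are an assumption of this example.
T0 = datetime(2022, 7, 28, 10, 0, 0)
SAMPLE_EVENTS = [
    {"Time": T0,                         "Computer": "WEB01",   "User": "GOD\\webadmin", "CommandLine": "systeminfo"},
    {"Time": T0 + timedelta(seconds=40), "Computer": "WEB01",   "User": "GOD\\webadmin", "CommandLine": "cmd.exe /c ipconfig /all"},
    {"Time": T0 + timedelta(seconds=75), "Computer": "WEB01",   "User": "GOD\\webadmin", "CommandLine": 'net group "Domain Admins" /domain'},
    {"Time": T0 + timedelta(seconds=90), "Computer": "WEB01",   "User": "GOD\\webadmin", "CommandLine": "net user /domain"},
    {"Time": T0 + timedelta(hours=3),    "Computer": "PC-JACK", "User": "GOD\\jack",     "CommandLine": "ipconfig /all"},
]

if __name__ == "__main__":
    for a in find_bursts(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']} {a['user']} {a['start']:%H:%M:%S} {a['categories']}")
```

A single `ipconfig /all` from a user PC is not alerted on; the thresholds and the allowlist of accounts that legitimately run these commands (monitoring agents, admins) are what you tune per environment.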
Credential information collection
Aims to collect all kinds of ciphertext (hashes), plaintext passwords and so on, to prepare for later lateral movement testing.
Machine user hashes and plaintext retrieval (mimikatz on Windows, mimipenguin on Linux). The download addresses of the two tools are given below:
GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security
GitHub - huntergregal/mimipenguin: A tool to dump the login password from the current linux user
To use mimikatz you first need sufficient privileges: first obtain access on the web server, then escalate to administrator, and only then can the tool be used. When using it, run the following two commands:
privilege::debug
sekurlsa::logonpasswords
Obtaining the passwords of the machine's various protocol services: LaZagne (all platforms), XenArmor (Windows)
LaZagne works across all systems. Download address: https://github.com/AlessandroZ/LaZagne

Usage is also very simple: drag it into a cmd window and run it. The figure above shows the passwords found by the tool. The tool is free and has fewer features, but it supports all systems.
The following tool (XenArmor), however, is paid, and its features are quite good.
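sekurlsa::logonpasswords works by reading the memory of lsass.exe, so the defensive counterpart is to watch which processes open a handle to LSASS with memory-read rights. The following is an added example, not part of the original post: it scans Sysmon Event ID 10 (ProcessAccess) records and flags any non-allowlisted source image whose GrantedAccess includes PROCESS_VM_READ (0x0010). The flattened "Key: Value|Key: Value" line format, the allowlist and the sample lines are constructed for this example.

```python
# Access right that lets a process read another process's memory; LSASS dumping needs it.
PROCESS_VM_READ = 0x0010

# Processes that legitimately read LSASS memory on a typical host (tune per environment).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def parse_event(line):
    """Parse a constructed 'Key: Value|Key: Value' Sysmon record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")   # split at the first colon only (paths contain ':')
        fields[key.strip()] = value.strip()
    return fields

def is_suspicious_lsass_access(ev):
    """True when a non-allowlisted process opened lsass.exe with a handle allowing memory reads."""
    if ev.get("TargetImage", "").lower().rsplit("\\", 1)[-1] != "lsass.exe":
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False                          # e.g. 0x1000 (QUERY_LIMITED_INFORMATION) alone is routine
    return ev.get("SourceImage", "").lower() not in ALLOWED_SOURCES

def scan(lines):
    """Return (SourceImage, GrantedAccess) for every suspicious record."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            findings.append((ev["SourceImage"], ev["GrantedAccess"]))
    return findings

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    r"EventID: 10|SourceImage: C:\Windows\System32\svchost.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1000",
    r"EventID: 10|SourceImage: C:\Program Files\Windows Defender\MsMpEng.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1FFFFF",
    r"EventID: 10|SourceImage: C:\Users\webadmin\Downloads\x64\mimikatz.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1010",
    r"EventID: 10|SourceImage: C:\Windows\Temp\update.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1410",
    r"EventID: 10|SourceImage: C:\Windows\Temp\update.exe|TargetImage: C:\Windows\System32\notepad.exe|GrantedAccess: 0x1FFFFF",
]

if __name__ == "__main__":
    for src, access in scan(SAMPLE_LOG):
        print(f"[ALERT] {src} opened lsass.exe with GrantedAccess {access}")
```

Renamed binaries are caught just as well as mimikatz.exe, because the check keys on the access mask and the target, not on the tool's name; the allowlist is what keeps the rule quiet on a healthy host.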


Mainly collect the following information:
- Site source code backups, database backup files, etc.
- Web management portals of the various databases, e.g. phpMyAdmin
- Passwords saved in browsers, browser cookies
- Other users' sessions, 3389 (RDP) and IPC connection records, contents of the recycle bin
- Wi-Fi passwords saved on Windows
- Various accounts and passwords inside the network, e.g. email, VPN, FTP, OA
Probing the domain controller, hosts and services
Prepare for the subsequent lateral movement: attacks on applications, protocols, etc.
Probe the domain controller's name and address
net time /domain, nslookup, ping
Probe the live hosts and their addresses in the domain
nbtscan 192.168.1.0/24   (third-party tool, an old one)

for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.3.%I | findstr "TTL="   (built-in command)
(Built-in command, so no AV evasion is needed; the downside is that it shows less information, only the target addresses)
nmap, masscan (third party); PowerShell scripts: nishang, empire, etc.
# Import the nishang module
Import-Module .\nishang.psm1
On first use, set the execution policy
# Set the execution policy
Set-ExecutionPolicy RemoteSigned
# List the command functions of the nishang module
Get-Command -Module nishang
# Get general computer information
Get-Information
# Other features: patch removal, reverse shell, credential acquisition, etc.

You can see that on first use, importing the module reports that it cannot be loaded; set the execution policy (# Set the execution policy), answer Y, then import the module again.
nishang integrates mimikatz.
# Get general computer information
Get-Information
# Port scan
Invoke-PortScan -StartAddress 192.168.3.1 -EndAddress 192.168.3.100 -ResolveHost -ScanPort
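Both the ping loop above (one ICMP echo to each of 254 hosts in a few seconds) and Invoke-PortScan (many TCP connections to host:port pairs from one source) leave a characteristic shape in flow logs: one source touching many distinct destinations in a short window. The following is an added example, not part of the original post: a detector over constructed flow records ("timestamp src dst proto dport"), reusing the post's addresses, where the web server's intranet address 192.168.3.32 sweeps 192.168.3.0/24 and then probes the DC at 192.168.3.21; the line format, thresholds and sample traffic are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_flow(line):
    """Parse a constructed flow line 'ts src dst proto dport' (dport is '-' for ICMP)."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto.upper(), "dport": None if dport == "-" else int(dport)}

def detect_sweeps(lines, window=timedelta(seconds=60), host_threshold=20, port_threshold=50):
    """Flag sources that reach many distinct hosts by ICMP (sweep) or many host:port pairs by TCP (scan)."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"])
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    alerts = []                                   # (src, kind, distinct targets, window start)
    for src, seq in by_src.items():
        for i, first in enumerate(seq):
            bucket = [f for f in seq[i:] if f["ts"] - first["ts"] <= window]
            icmp_hosts = {f["dst"] for f in bucket if f["proto"] == "ICMP"}
            tcp_targets = {(f["dst"], f["dport"]) for f in bucket if f["proto"] == "TCP"}
            kinds = []
            if len(icmp_hosts) >= host_threshold:
                kinds.append(("icmp-sweep", len(icmp_hosts)))
            if len(tcp_targets) >= port_threshold:
                kinds.append(("tcp-scan", len(tcp_targets)))
            if kinds:
                alerts.extend((src, kind, n, first["ts"]) for kind, n in kinds)
                break                             # one report per source per window is enough
    return alerts

def build_sample():
    """Constructed traffic: 192.168.3.32 pings every host on 192.168.3.0/24 one after another
    (the for /L loop), then tries 100 ports on the DC; 192.168.3.57 only talks SMB to the DC."""
    t0 = datetime(2022, 7, 28, 11, 0, 0)
    lines = [f"{(t0 + timedelta(milliseconds=100 * i)).isoformat()} 192.168.3.32 192.168.3.{i} ICMP -"
             for i in range(1, 255)]
    lines += [f"{(t0 + timedelta(seconds=30, milliseconds=20 * p)).isoformat()} 192.168.3.32 192.168.3.21 TCP {p}"
              for p in range(1, 101)]
    lines += [f"{(t0 + timedelta(minutes=m)).isoformat()} 192.168.3.57 192.168.3.21 TCP 445" for m in range(5)]
    return lines

if __name__ == "__main__":
    for src, kind, n, start in detect_sweeps(build_sample()):
        print(f"[ALERT] {src} {kind}: {n} distinct targets starting {start:%H:%M:%S}")
```

Because the rule counts distinct destinations per source rather than matching packet contents, it is equally indifferent to whether the sweep came from the built-in ping loop, nbtscan, nmap or Invoke-PortScan.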
Probing host roles and services in the domain
Judge by the open ports and services and by the computer names.
Core business machines:
- Personal computers of senior management, system administrators, and finance/HR/business staff
- Product management system servers
- Office system servers
- Financial application system servers
- Core product source code servers (self-hosted SVN, Git)
- Database servers
- File or network-drive servers, shared servers
- Email servers
- Network monitoring system servers
- Other servers (internal technical documentation servers, other monitoring servers, etc.)