当前位置：网站首页>Summary of Intranet Information Collection

Summary of Intranet Information Collection

2022-07-28 06:18:00 【cainsoftware】

Preface

This article records some notes on Intranet penetration , The information is scattered , Follow up update and improvement

Local information query ： Frequently used information

 Local service list wmic service list brief List of native processes Tasklist /v Browser proxy information reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"RDP Port number （16 Base number ）reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /V portNumber User list net user Local Administrators net localgroup administrators Online users query user || qwinsta

Query and process of patch information related to rights raising

http://uuzdaisuki.com/2021/04/12/windows%E6%8F%90%E6%9D%83%E9%80%9F%E6%9F%A5%E6%B5%81%E7%A8%8B/

This machine 3389 Turn on

1. General motors 3389：

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

2.Win2003:

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3.Win2008:

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

4.win08 win2003 win7 win2012 winxp

win08,win2012 All three orders ,win7 The first two :

wmic /namespace:\root\cimv2 erminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
wmic /namespace:\root\cimv2 erminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

Antivirus software process name

360sd.exe 360 antivirus 360tray.exe 360 Real time protection ZhuDongFangYu.exe 360 Active defense KSafeTray.exe  Jinshan guard SafeDogUpdateCenter.exe  Server security dog McAfee McShield.exe McAfeeegui.exe NOD32AVP.EXE  kaspersky avguard.exe  Avira antivir bdagent.exe BitDefender

Access to sensitive information

Source code Database backup files Browser password 、cookie3389、ipc Connection record vpn Hash extraction http://uuzdaisuki.com/2021/04/22/windows%E5%93%88%E5%B8%8C%E6%8F%90%E5%8F%96%E6%96%B9%E5%BC%8F%E6%80%BB%E7%BB%93/

Domain information or intranet information collection

After getting one shell after , You need to first judge whether this machine has a domain environment 、 Out of network 、 Whether there are multiple network cards 、 What are the intranet segments .

 View network configuration information ipconfig /allifconfig Determine the primary domain net time /domain

Choose different proxy methods according to whether you are out of the network , If the target goes out of the network , May adopt frp And so on , There are webshell , etc. , May adopt reGeorg And so on .

View the network configuration information of the current machine , according to ip The address and subnet mask infer the possible intranet segment . To confirm whether it is necessary for us to set up an agent .

In domain information collection

net view  View the list of machines in the domain net view /domain: ZZZ  see ZZZ List of all machines in the domain .net group /domain  Query the list of all user groups in the domain net group "domain computers" /domain  View a list of all domain member computers net accounts /domain  Query domain user password expiration and other information net user /domain  Get the list of domain users net group "domain admins" /domain  Get the list of domain Administrators net group "domain controllers" /domain  View domain controllers net local group administrators  View local Administrators group users [ Usually contains domain users ]net localgroup administrators /domain  Log in to the domain administrator user net view /domain  Check how many domains exist in the intranet

Domain command execution

http://uuzdaisuki.com/2021/04/29/%E5%9F%9F%E6%B8%97%E9%80%8F%E4%B8%AD%E5%88%A9%E7%94%A8ipc%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%80%BB%E7%BB%93/

Bill delivery

http://uuzdaisuki.com/2021/04/21/%E7%A5%A8%E6%8D%AE%E4%BC%A0%E9%80%92%E6%94%BB%E5%87%BB/

Sensitive system collection

 Domain control OA System  Financial system  Database system  Mail server  File server  Official website server  Personnel system

Intranet information collection

There are two ways to scan the target intranet , One is to scan through an agent , One is in shell Upload and install the scanning tool .

Uploading scanning tools should consider the other party's system 、 Environment, etc

ping Detection survival

1、 If IP continuity , for example （192.168.1.1-192.168.1.10）：@echo off&setlocal ENABLEDELAYEDEXPANSIONif exist onlist.txtif exist offlist.txt for /l %%i in (1,1,10) do (  ping -n 1 192.168.1.%%i>nul 2>nul  if !errorlevel!==0 (echo 192.168.1.%%i >>c:\bat\onlist.txt) else (echo 192.168.1.%%i >>c:\bat\offlist.txt)) 2、 If IP Discontinuous , Then use a file plist Write the address list to be tested , And then batch ：@echo off&setlocal ENABLEDELAYEDEXPANSIONif exist c:\bat\onlist.txt del c:\bat\onlist.txtif exist c:\bat\offlist.txt del c:\bat\offlist.txt for /f %%i in (c:\bat\pclist.txt) do (  ping -n 1 %%i>nul 2>nul  if !errorlevel!==0 (echo %%i >>c:\bat\onlist.txt) else (echo %%i >>c:\bat\offlist.txt))

Self writing python Script probe port

because linux Systems and programmers use windows The environment generally exists python Environmental Science , Use self writing python Script portscan Scanning intranet ports is also very convenient

List of commonly used scanning ports
21,22,80,443,445,1433,1521,3306,3389,5900,6379,7001,8000,8080,8443