Manual Information Collection
Reference resources:
Intranet penetration test: Intranet information collection, upload and download
Basic Commands
whoami                // who am I (the current user)
systeminfo            // basic information about the system
ipconfig /all         // network configuration: addresses, DNS suffix and DNS servers (the suffix and DNS servers usually point at the domain)
View user information
From the user names and the computer name you can often guess the naming convention used across the network.
net user                          // list local users
net localgroup administrators     // members of the local Administrators group
query user || qwinsta             // currently logged-on sessions (qwinsta is tried if query user is not available)
Tips:
If a command returns nothing after you get a shell (for example systeminfo under a webshell), redirect its output to a file and read the file back:
systeminfo > systeminfo.txt
type systeminfo.txt
View shared information
Windows creates the administrative shares (C$, ADMIN$, IPC$) automatically at startup, so these exist on almost every host; what matters is which additional shares have been created on top of them.
Recommended reading: https://www.cnblogs.com/sstfy/p/10414680.html#2608826650
https://www.cnblogs.com/tongnaifu/articles/588334.html
net share
wmic share get name,path,status
View ARP Cache
A quick way to see which hosts on the local subnet this machine has recently talked to, and so how large the intranet around it is.
arp -a
Get system patches
wmic qfe get Caption,Description,HotFixID,InstalledOn
Tool: wesng (https://github.com/bitsadmin/wesng) lists the missing patches and the CVEs they fix from the output of systeminfo (supports XP through Windows 10): save systeminfo to a file, then run wes.py against that file.
View system information
View all system information
systeminfo
Show only the OS name and version. The field labels depend on the system language, so use the labels of the target's locale (if the command returns nothing in the shell you have, run it from cmd or PowerShell):
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"    // English operating system
systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"        // Chinese operating system
View Installed Software Information
The installed programs tell you what the machine is used for and how valuable it is.
wmic product get name,version
powershell "Get-WmiObject -Class Win32_Product | Select-Object -Property Name,Version"
Caveat: both commands go through the Win32_Product class, which is slow and makes Windows Installer validate (and sometimes repair) every MSI package, which also leaves entries in the Application event log.
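As an added example (not code from the original page), the same inventory taken from the registry Uninstall keys, which is fast, covers 32-bit applications on 64-bit Windows and per-user installs, and does not trigger the Win32_Product consistency check. The keyword list used to highlight role-revealing software is an assumption for illustration, not something the page defines.

```powershell
# Added example: enumerate installed software from the registry Uninstall keys
# instead of 'wmic product' / Win32_Product.
function Get-InstalledSoftware {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |          # keys without a DisplayName are not real products
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
                Location    = $_.InstallLocation
                Source      = $_.PSPath -replace '^.*::', ''   # registry path the entry came from
            }
        } | Sort-Object Name -Unique
}

# Assumed keyword list (illustration only): software that hints at the host's role or value.
$RoleHints = 'SQL', 'Oracle', 'Tomcat', 'Nginx', 'Apache', 'WebLogic', 'VMware', 'vSphere',
             'Navicat', 'Xshell', 'SecureCRT', 'TeamViewer', 'VPN', 'Citrix', 'Veeam', 'Backup'

$software = Get-InstalledSoftware
$software | Format-Table Name, Version, Publisher -AutoSize
"--- role / value hints ---"
$software | Where-Object { $n = $_.Name; $RoleHints | Where-Object { $n -match $_ } } |
    Format-Table Name, Version -AutoSize
```

Run it from any PowerShell on the target; it needs no elevation, since the Uninstall keys are readable by every user.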
Local Running Environment
set needs no explanation: it dumps the environment variables, and from PATH, JAVA_HOME and similar variables you can see whether the host has Java, Perl, Python or other runtimes, which tells you what tooling you can run on it. Gather as much of this as possible.
[Note: run this in a cmd window]
set
View service information
wmic service list brief
View Process List/Software
tasklist /svc                                      // processes together with the services they host
wmic process
wmic process list brief
wmic process get processid,executablepath,name     // pid, image path and name of each process
Process name | Antivirus / security product
---|---
360SD.exe | 360 Antivirus
HipsMain.exe | Huorong Security (火绒)
SafeDog* | SafeDog (安全狗)
D_Safe* | D-Shield (D盾)
yunsuo* | Yunsuo (云锁)
hws* | Hws (护卫神)
avp.exe | Kaspersky
avcenter.exe | Avira
Mcshield.exe | McAfee
QQPCRTP.exe | Tencent PC Manager (QQ电脑管家)
hids* | Host intrusion detection agents
No one remembers every antivirus process name; paste the output of tasklist into an online lookup such as https://maikefee.com/av_list to identify the products that are running.
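As an added example (not code from the original page), an offline version of that lookup: the process-name table above is matched against a process list, with the `*` entries treated as wildcards. The function reads the live process list by default; the tasklist excerpt embedded below is constructed sample data, not output from a real host, and the product names are the ones from the table.

```powershell
# Added example: match a process list against the antivirus process-name table.
$AvSignatures = @{
    '360SD.exe'    = '360 Antivirus'
    'HipsMain.exe' = 'Huorong Security'
    'SafeDog*'     = 'SafeDog'
    'D_Safe*'      = 'D-Shield'
    'yunsuo*'      = 'Yunsuo'
    'hws*'         = 'Hws'
    'avp.exe'      = 'Kaspersky'
    'avcenter.exe' = 'Avira'
    'Mcshield.exe' = 'McAfee'
    'QQPCRTP.exe'  = 'Tencent PC Manager'
    'hids*'        = 'Host intrusion detection agent'
}

function Find-AvProcess {
    param(
        # Process names to check; defaults to the live process list of this host.
        [string[]]$ProcessNames = (Get-Process | ForEach-Object { $_.ProcessName + '.exe' })
    )
    foreach ($name in $ProcessNames) {
        foreach ($pattern in $AvSignatures.Keys) {
            # -like is case-insensitive and honours '*'; also try the name without '.exe'
            # so that patterns such as 'hws*' match 'hws.exe' and 'hwsd.exe' alike.
            if ($name -like $pattern -or ($name -replace '\.exe$', '') -like $pattern) {
                [pscustomobject]@{ Process = $name; Product = $AvSignatures[$pattern] }
            }
        }
    }
}

# Parse the text output of 'tasklist' / 'tasklist /svc' into image names.
function ConvertFrom-TaskList {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # The image name is the first column, followed by the PID; header and
        # separator rows (and 'System Idle Process') do not match.
        if ($line -match '^(?<img>\S+\.exe)\s+\d+') { $Matches.img }
    }
}

# Constructed sample (not real output): a tasklist /svc excerpt from a host running two products.
$SampleTaskList = @'
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    812 Dhcp,EventLog
SafeDogGuardCenter.exe        1340 SafeDogGuardCenter
HipsMain.exe                  2104 N/A
notepad.exe                   3320 N/A
'@ -split "`r?`n"

$names = ConvertFrom-TaskList -Lines $SampleTaskList
Find-AvProcess -ProcessNames $names | Format-Table -AutoSize

# On the target itself, simply: Find-AvProcess
```

On the sample data the two hits are SafeDogGuardCenter.exe (SafeDog) and HipsMain.exe (Huorong). Extend the hashtable as you meet new products; keep the wildcard form for vendors that ship many differently named processes.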
View Startup Items
Startup items often include the host's most important business services.
wmic startup get command,caption
REG QUERY HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Uptime
net statistics workstation      // the "Statistics since" line shows when the machine was last booted
systeminfo                      // see the "System Boot Time" line
View Scheduled Tasks
Scheduled tasks are mostly created by installed software; reviewing them shows what runs on the host, under which account, and when.
schtasks /query /fo LIST /v
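As an added example (not code from the original page), one inventory that combines the startup and scheduled-task checks above: the Run/RunOnce keys of both hives (including the 32-bit view), the same data `wmic startup` reads, and scheduled tasks outside Microsoft's own folder, each resolved to the command it launches and the account it runs as. It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module. The "worth a second look" heuristics are my own assumptions, not rules from the page.

```powershell
# Added example: autostart inventory across Run keys, WMI startup entries and scheduled tasks.
function Get-AutostartInventory {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Every value under the key is an autostart command; skip the provider's own PS* properties.
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value; RunAs = '' }
        }
    }
    # Same data 'wmic startup' shows (also covers the Startup folders).
    Get-CimInstance Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command; RunAs = $_.User }
    }
    # Scheduled tasks outside \Microsoft\, i.e. the ones created by installed software or by people.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {     # COM-handler actions have no Execute path
                [pscustomobject]@{
                    Source  = "Task:$($task.TaskPath)"
                    Name    = $task.TaskName
                    Command = ("$($a.Execute) $($a.Arguments)").Trim()
                    RunAs   = $task.Principal.UserId
                }
            }
        }
    }
}

# Assumed heuristics: commands run from user-writable locations, script files,
# or encoded / one-shot command lines deserve a closer look.
function Test-SuspiciousAutostart {
    param([pscustomobject]$Entry)
    $c = [string]$Entry.Command
    ($c -match '(?i)\\(Temp|AppData|ProgramData|Public|Downloads)\\') -or
    ($c -match '(?i)\.(vbs|js|bat|ps1|hta)\b') -or
    ($c -match '(?i)(powershell|cmd\.exe).*(-enc|-e |/c )')
}

$inv = Get-AutostartInventory
$inv | Format-Table Source, Name, Command, RunAs -AutoSize -Wrap
"--- entries worth a second look ---"
$inv | Where-Object { Test-SuspiciousAutostart $_ } | Format-Table Name, Command -AutoSize -Wrap
```

The task principal and the account column matter as much as the command: a business task that runs as a domain administrator is both a clue to the host's role and a candidate for later privilege escalation.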
RDP Connection Log
cmdkey /list      // saved credentials, including those stored for Remote Desktop connections; tells you which hosts this user connects to
Firewall status
netsh firewall show state                        // firewall status
netsh firewall show config                       // firewall configuration
netsh firewall set opmode disable                // turn the firewall off (Windows Server 2003 and earlier)
netsh advfirewall set allprofiles state off      // turn the firewall off (later than Windows Server 2003); requires administrator privileges
Modify firewall configuration
Windows Server 2003 and earlier:
netsh firewall add allowedprogram c:\xxx\xx.exe "allow xx" enable      // allow all connections for the specified program
Later than Windows Server 2003:
netsh advfirewall firewall add rule name="pass xx" dir=in action=allow program="C:\xxx\xx.exe"       // allow inbound connections to a program
netsh advfirewall firewall add rule name="pass xx" dir=out action=allow program="C:\xxx\xx.exe"      // allow outbound connections from a program
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow      // allow inbound TCP 3389 (Remote Desktop); change the port if RDP listens elsewhere
Open Remote Desktop
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
(The form HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server seen in many notes is just another way of quoting the space in the key name; the value 0 and 00000000 are the same.)
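As an added example (not code from the original page), the registry change and the firewall rule above combined with the checks a practitioner wants afterwards: the RDP port is read from the registry rather than assumed to be 3389, the Remote Desktop service is started if needed, and the function reports whether anything is actually listening. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (NetSecurity module); the firewall group name "Remote Desktop" is the English-locale name, so a port rule is added when the group is not found.

```powershell
# Added example: enable Remote Desktop, open the firewall for it, and verify the result.
function Enable-RdpWithCheck {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Same value the REG ADD command above writes; 0 = allow Terminal Services connections.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

    # RDP may listen on a non-default port; read it instead of assuming 3389.
    $port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber

    $group = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    if ($group) {
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'        # built-in rules (English locale name)
    } else {
        # Non-English locale or missing built-in group: add an explicit port rule,
        # equivalent to the netsh advfirewall rule above.
        New-NetFirewallRule -DisplayName "Remote Desktop ($port)" -Direction Inbound `
            -Protocol TCP -LocalPort $port -Action Allow | Out-Null
    }

    if ((Get-Service TermService).Status -ne 'Running') { Start-Service TermService }

    # Verify: the setting took, the service runs, and something listens on the port.
    $deny      = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    $listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port          = $port
        DenyTSSetting = $deny
        Service       = (Get-Service TermService).Status
        Listening     = [bool]$listening
    }
}

Enable-RdpWithCheck
```

If Listening stays false with the service running, check whether a group policy re-applies fDenyTSConnections, or whether a third-party firewall (several of the products in the table above include one) is blocking the port in front of Windows Firewall.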
Domain environment related commands
Determine whether a domain exists
net config workstation    // computer name, full computer name, user name, system version, workstation domain, logon domain, etc.
net view /domain          // list the domains visible on the network
Or check ipconfig /all: a "Primary Dns Suffix" and the DNS server addresses usually point at the domain and its controllers.
View domain user information
net user /domain
View domain user details
wmic useraccount get /all      // all user accounts visible to this host (local accounts and, on a domain member, domain accounts; slow in large domains)
View domain user group information
net group /domain
View Domain Administrator Account
net group "domain admins" /domain
View Enterprise Administrators (forest-wide administrators)
net group "enterprise admins" /domain
Locate the Domain Controller
net time /domain      // the time server answering here is a domain controller (the PDC emulator)
ping owa.god.org      // owa is the domain controller's host name in this lab
Replacing ping with nslookup also gives you the domain controller's IP address.
In the screenshot (not reproduced here), the domain controller's IP is 192.168.52.138.
View Domain Controller
net group "domain controllers" /domain
View Primary Domain Controller
net time /domain      // the PDC emulator is the domain's authoritative time source, so this command returns it
Domain Trust
A trust relationship is the bridge between domains: once two domains trust each other, accounts from one can be granted access to resources (files, printers, services) in the other, so resources can be shared and managed across domains. For an attacker, trusts are the path from a compromised domain into the others.
nltest /domain_trusts
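As an added example (not code from the original page), the domain-controller and trust checks of the last two sections done from PowerShell with the .NET System.DirectoryServices API, which needs no RSAT and works on any domain-joined host: it lists every DC with its IP, site, OS and FSMO roles, marks the PDC emulator (the host `net time /domain` answers from), and enumerates trusts. When the directory call is refused it falls back to the DNS SRV records that every DC registers. The domain name defaults to the logged-on user's DNS domain.

```powershell
# Added example: locate domain controllers, the PDC emulator and domain trusts.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainControllerInfo {
    param([string]$DomainName = $env:USERDNSDOMAIN)   # DNS domain of the logged-on user
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $pdc = $domain.PdcRoleOwner.Name
        foreach ($dc in $domain.DomainControllers) {
            [pscustomobject]@{
                Name  = $dc.Name
                IP    = $dc.IPAddress
                Site  = $dc.SiteName
                OS    = $dc.OSVersion
                IsPDC = ($dc.Name -eq $pdc)
                Roles = ($dc.Roles -join ',')
            }
        }
    } catch {
        Write-Warning "Directory API failed ($($_.Exception.Message)); falling back to DNS SRV records."
        # Every DC registers _ldap._tcp.dc._msdcs.<domain>; the PDC also registers _ldap._tcp.pdc._msdcs.<domain>.
        $pdcSrv = Resolve-DnsName -Type SRV "_ldap._tcp.pdc._msdcs.$DomainName" -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
        Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$DomainName" |
            Where-Object { $_.Type -eq 'SRV' } | ForEach-Object {
                $ip = (Resolve-DnsName $_.NameTarget -Type A -ErrorAction SilentlyContinue |
                       Select-Object -First 1).IPAddress
                [pscustomobject]@{
                    Name  = $_.NameTarget; IP = $ip; Site = ''; OS = ''
                    IsPDC = ($pdcSrv -and $_.NameTarget -eq $pdcSrv.NameTarget)
                    Roles = ''
                }
            }
    }
}

function Get-DomainTrustInfo {
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        foreach ($t in $domain.GetAllTrustRelationships()) {
            [pscustomobject]@{
                Source = $t.SourceName; Target = $t.TargetName
                Direction = $t.TrustDirection; Type = $t.TrustType
            }
        }
    } catch {
        # Same information as 'nltest /domain_trusts', just as raw text.
        nltest /domain_trusts
    }
}

Get-DomainControllerInfo | Format-Table -AutoSize
Get-DomainTrustInfo | Format-Table -AutoSize
```

The SRV fallback is also the quiet option: it is ordinary DNS traffic to the resolver the host already uses, whereas the directory query talks LDAP to a DC.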
Domain Transfer
When the DNS server allows zone transfers (AXFR) to anyone, the whole zone can be dumped, which yields every host name and address the domain's DNS knows about.
nslookup -type=ns domain.com        // find the name servers for the zone
nslookup                            // then, at the nslookup prompt:
> server dns.domain.com
> ls domain.com                     // ls -d domain.com lists all record types, not only A records
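As an added example (not code from the original page), the zone-transfer check scripted for every name server of a zone. Resolve-DnsName cannot request a transfer, so the transfer itself is driven through Windows nslookup by feeding it the same `server` / `ls -d` commands on standard input; the result parsing and the refusal patterns are my own assumptions about nslookup's text output. The zone name `domain.com` is the placeholder from the text, not a real target.

```powershell
# Added example: try an AXFR zone transfer against each authoritative name server of a zone.
function Test-ZoneTransfer {
    param([Parameter(Mandatory)][string]$Zone)
    $nameServers = Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost
    foreach ($ns in $nameServers) {
        # 'ls -d zone' asks the server for the complete zone; a hardened server refuses.
        $output  = "server $ns`nls -d $Zone`nexit`n" | nslookup 2>&1 | Out-String
        # Assumed format of a dumped record line: '<name>  <TYPE>  <data>'.
        $records = @(($output -split "`r?`n") |
                     Where-Object { $_ -match '^\s*\S+\s+(A|AAAA|CNAME|MX|NS|SRV|TXT|SOA)\s+' })
        $note = if ($output -match '(?i)refused|transfer failed') { 'refused' }
                elseif ($records.Count -eq 0) { 'no records returned' }
                else { 'zone dumped' }
        [pscustomobject]@{
            NameServer  = $ns
            Transferred = ($records.Count -gt 0)
            RecordCount = $records.Count
            Note        = $note
        }
        if ($records.Count -gt 0) { $records | Out-File "zone-$Zone-$ns.txt" }   # keep the dump for later
    }
}

# Usage (placeholder zone from the text):
Test-ZoneTransfer -Zone 'domain.com' | Format-Table -AutoSize
```

Test each name server separately: it is common for the primary to refuse transfers while a forgotten secondary still allows them.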
View list of user groups in the domain
net group /domain
Common groups:
- Domain Admins: domain administrators
- Domain Computers: machines joined to the domain
- Domain Controllers: domain controllers
- Domain Users: domain users
- Enterprise Admins: enterprise (forest-wide) administrators
Automatic Information Collection
Automation tool wmic_info (very strong)
Download address: http://www.fuzzysecurity.com/scripts/files/wmic_info.rar
This script collects services, the user list, user groups, network interfaces, hardware information, network shares, operating system details, installed patches, installed software, startup entries, time zone and so on from the target machine. It uses WMIC for the collection and writes all results to an HTML file (screenshot not reproduced here).
After unzipping the archive you get a .bat file; double-click it (or run it from cmd) and open the HTML file it produces.
LaZagne
Project Address: https://github.com/AlessandroZ/LaZagne/tree/2.4.3
Mainly used to recover credentials stored on the computer (browsers, mail clients, Wi-Fi and so on); covered here only for awareness.
Characteristics:
- Free and open source, wide coverage
- Supports Windows, Mac and Linux
- Results are average
- Needs AV evasion (it is flagged by most antivirus products)
xenarmor
Mainly used to recover account credentials for various protocols from the computer; graphical and easy to use, but commercial: in the trial version the recovered passwords are masked with asterisks.
Characteristics:
- Paid (7-day trial available)
- High accuracy
- Windows only
Nishang
metasploit
Use Metasploit to run the manual collection commands above in one go: in a meterpreter session, run winenum.
The output (screenshot not reproduced here) tells us on its third line that the collected results are saved in
/root/.msf4/logs/scripts/winenum/LILI-PC_20210302.1819/LILI-PC_20210302.1819.txt
Reference resources
Intranet penetration cornerstone - Intranet information collection (1)
Intranet penetration cornerstone - Intranet information collection (2)