Intranet Penetration - Information Collection

Manual Information Collection

Reference resources:
Intranet penetration test: Intranet information collection, upload and download

Basic Commands

whoami: Who am I?
systeminfo: Get basic information about the system
ipconfig /all: Get network information

View user information

The user list often reveals the naming convention used for accounts and hosts on the network

net user      // List local user accounts
net localgroup administrators  // List members of the local Administrators group
query user || qwinsta  // List users currently logged on (either command works)

Tip:
If a command shows no output after getting a shell (systeminfo is a common case), redirect its output to a file and read the file instead:

systeminfo > systeminfo.txt
type systeminfo.txt

View shared information

Windows creates its default administrative shares automatically at startup; list them, and any user-created shares, with the commands below.
Recommended reading: https://www.cnblogs.com/sstfy/p/10414680.html#2608826650
https://www.cnblogs.com/tongnaifu/articles/588334.html

net share
wmic share get name,path,status

View ARP Cache

A quick view of which other hosts on the local segment this machine has recently talked to

arp -a

Get system patches

wmic qfe get Caption,Description,HotFixID,InstalledOn
Tool: wesng, https://github.com/bitsadmin/wesng
(lists the system's missing patches and known vulnerabilities from systeminfo output; supports XP through Windows 10)
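As an added example (not part of the original post), the Python below parses the wmic qfe output above into records and computes how stale the newest security update is, the same patch-inventory question wesng answers from systeminfo output. The sample output is constructed: the KB numbers and dates are made up; the fixed-width layout, where each column is as wide as its longest value and column starts line up with the header, is the one wmic emits.

```python
"""Parse `wmic qfe get Caption,Description,HotFixID,InstalledOn` output into records
and assess patch freshness.

Added example, not part of the original post. SAMPLE_WMIC_QFE is constructed: the
KB numbers and dates are made up, but the layout is the fixed-width table wmic emits."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

SAMPLE_WMIC_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=4000001  Update           KB4000001  3/10/2021
http://support.microsoft.com/?kbid=4000002  Security Update  KB4000002  1/5/2021
                                            Security Update  KB4000003  12/21/2020
"""


@dataclass
class Hotfix:
    caption: str
    description: str
    hotfix_id: str
    installed_on: Optional[date]


def _column_spans(header: str):
    """Column boundaries from the header: each column starts where a header word starts."""
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    return list(zip(starts, starts[1:] + [None]))


def _parse_date(text: str) -> Optional[date]:
    # wmic prints InstalledOn in the host's short-date format; US m/d/yyyy is assumed
    # here with ISO as a fallback. Anything else stays "unknown" rather than being guessed.
    for fmt in ("%m/%d/%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def parse_wmic_qfe(text: str) -> List[Hotfix]:
    # When redirected to a file (as the tip above suggests for flaky shells) wmic writes
    # UTF-16; open such files with encoding="utf-16" before passing the text here.
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    spans = _column_spans(header)
    names = [header[s:e].strip() for s, e in spans]
    hotfixes = []
    for row in rows:
        f = {n: row[s:e].strip() for n, (s, e) in zip(names, spans)}
        hotfixes.append(Hotfix(f["Caption"], f["Description"], f["HotFixID"],
                               _parse_date(f["InstalledOn"])))
    return hotfixes


def security_updates(hotfixes: List[Hotfix]) -> List[Hotfix]:
    return [h for h in hotfixes if h.description.lower() == "security update"]


def latest_install(hotfixes: List[Hotfix]) -> Optional[date]:
    dates = [h.installed_on for h in hotfixes if h.installed_on]
    return max(dates) if dates else None


def days_since_last_security_update(hotfixes: List[Hotfix], today) -> Optional[int]:
    """Patch-freshness metric: age of the newest *security* update on this host.
    `today` may be a date or an ISO string such as "2021-03-02"."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    latest = latest_install(security_updates(hotfixes))
    return (today - latest).days if latest else None


def has_hotfix(hotfixes: List[Hotfix], kb: str) -> bool:
    return any(h.hotfix_id.upper() == kb.upper() for h in hotfixes)


if __name__ == "__main__":
    hf = parse_wmic_qfe(SAMPLE_WMIC_QFE)
    for h in hf:
        print(h.hotfix_id, h.description, h.installed_on)
    print("days since last security update:",
          days_since_last_security_update(hf, "2021-03-02"))
```

Column positions are taken from the header rather than from whitespace splitting, because the Caption column is often empty (third row) and splitting on spaces would shift every field left.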

View system information

View all system information

systeminfo

View the operating system name and version directly (no results in Windows Terminal; works in cmd or PowerShell)

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"       // English-language operating system
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"       // Chinese-language operating system: the field labels are localized, so match the localized strings instead

View Installed Software Information

Installed programs indicate the machine's role and its value

wmic product get name,version
powershell "Get-WmiObject -class Win32_Product |Select-Object -Property name,version"

Local Running Environment

set simply prints the environment variables. Check them for Java, Perl, Python and similar runtimes to learn what the host can run, and gather as much information as possible.
[Note: run this from a cmd window]

set

View service information

wmic service list brief

View Process List/Software

tasklist /svc
wmic process
wmic process list brief
wmic process get processid,executablepath,name      // Display the path, name, pid of the process
Process name        Security product
360SD.exe           360 Antivirus
HipsMain.exe        Huorong
SafeDog*            SafeDog
D_Safe*             D Shield
yunsuo*             Cloud Lock
hws*                Guardian
avp.exe             Kaspersky
avcenter.exe        Avira
Mcshield.exe        McAfee
QQPCRTP.exe         QQ PC Manager (Tencent)
hids*               Host protection (HIDS) products

There are too many product process names to memorise; the online tool https://maikefee.com/av_list identifies them.
Run tasklist and paste the output into the site.
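As an added example (not part of the original post), this Python script does the same lookup offline: it parses tasklist /svc output and applies the table above, so a defender can confirm that the protection agent expected on a host is actually running and see which svchost instance hosts a given service. The sample capture is constructed (PIDs and process mix are made up); the MsMpEng.exe entry for Microsoft Defender is added here and is not in the table above.

```python
"""Parse `tasklist /svc` output and report which endpoint-protection agents are running.

Added example, not part of the original post. The process-name table is the one on this
page; the MsMpEng.exe -> Microsoft Defender entry is added here. SAMPLE_TASKLIST is a
constructed capture (PIDs and process mix made up)."""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# glob pattern (matched case-insensitively against the image name) -> product
SECURITY_PRODUCTS: Dict[str, str] = {
    "360SD.exe": "360 Antivirus",
    "HipsMain.exe": "Huorong",
    "SafeDog*": "SafeDog",
    "D_Safe*": "D Shield",
    "yunsuo*": "Cloud Lock",
    "hws*": "Guardian",
    "avp.exe": "Kaspersky",
    "avcenter.exe": "Avira",
    "Mcshield.exe": "McAfee",
    "QQPCRTP.exe": "QQ PC Manager (Tencent)",
    "hids*": "Host protection (HIDS) product",
    "MsMpEng.exe": "Microsoft Defender",   # added here; not in the page's table
}

SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    904 Dhcp, EventLog, lmhosts
lsass.exe                      688 KeyIso, SamSs
MsMpEng.exe                   3120 WinDefend
360SD.exe                     2212 N/A
SafeDogGuardCenter.exe        4100 N/A
notepad.exe                   5212 N/A
"""

# Image names may contain spaces ("System Idle Process"), so rows are keyed off the
# numeric PID column instead of the padded widths; this also copes with localized headers.
_ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


@dataclass
class Process:
    name: str
    pid: int
    services: List[str] = field(default_factory=list)


def parse_tasklist(text: str) -> List[Process]:
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line.rstrip())
        if not m:                       # header, separator and blank lines
            continue
        svc = m.group("services").strip()
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        procs.append(Process(m.group("name").strip(), int(m.group("pid")), services))
    return procs


def identify_security_products(procs: List[Process]) -> Dict[str, str]:
    """Map each running image that matches the table to its product name."""
    found = {}
    for p in procs:
        for pattern, product in SECURITY_PRODUCTS.items():
            if fnmatch.fnmatchcase(p.name.lower(), pattern.lower()):
                found[p.name] = product
                break
    return found


def missing_expected_agents(procs: List[Process], expected_patterns: List[str]) -> List[str]:
    """Defender-side check: which of the agents we expect on this host are not running."""
    running = [p.name.lower() for p in procs]
    return [pat for pat in expected_patterns
            if not any(fnmatch.fnmatchcase(n, pat.lower()) for n in running)]


def pid_hosting_service(procs: List[Process], service: str) -> Optional[int]:
    """Which process hosts a given service (e.g. which svchost runs EventLog)."""
    for p in procs:
        if service.lower() in (s.lower() for s in p.services):
            return p.pid
    return None


if __name__ == "__main__":
    procs = parse_tasklist(SAMPLE_TASKLIST)
    print("security products running:", identify_security_products(procs))
    print("expected but missing:", missing_expected_agents(procs, ["MsMpEng.exe", "avp.exe"]))
    print("EventLog hosted by PID", pid_hosting_service(procs, "EventLog"))
```

The wildcard entries in the table (SafeDog*, D_Safe*, yunsuo*, hws*, hids*) are matched as globs, so a process such as SafeDogGuardCenter.exe resolves to SafeDog without listing every executable the product ships.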

View Startup Items

Startup items often reveal the host's most important business services

wmic startup get command,caption
REG QUERY HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

uptime

net statistics workstation
systeminfo

View Scheduled Tasks

Scheduled tasks are mostly created by installed software, so analysing them shows what the host runs and when

schtasks /query /fo LIST /v

RDP Connection Records

cmdkey /list      // Lists credentials saved in Credential Manager, including those stored for past RDP connections

Firewall status

netsh firewall show state                      // Firewall status
netsh firewall show config                     // Firewall configuration
netsh firewall set opmode disable              // Disable the firewall (Windows Server 2003 and earlier)
netsh advfirewall set allprofiles state off    // Disable the firewall (after Windows Server 2003); requires administrator privileges

Modify firewall configuration

netsh firewall add allowedprogram c:\xxx\xx.exe "allow xx" enable    // Allow all connections for the specified program (Windows Server 2003 and earlier)

After Windows Server 2003:
netsh advfirewall firewall add rule name="pass xx" dir=in action=allow program="C:\xxx\xx.exe"      // Allow inbound connections to a program
netsh advfirewall firewall add rule name="pass xx" dir=out action=allow program="C:\xxx\xx.exe"     // Allow outbound connections from a program
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow    // Allow inbound TCP port 3389 (Remote Desktop)

Open Remote Desktop

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f    // 0 = allow Remote Desktop connections

Domain environment related commands

Determine whether a domain exists

net config workstation     // View current computer name, full name, user name, system version, workstation domain, logged on domain, etc.
net view /domain           // View Domain

Or ipconfig /all, whose DNS suffix fields show the domain name

View domain user information

net user /domain

View domain user details

wmic useraccount get /all

View domain user group information

net group /domain

View Domain Administrator Account

net group "domain admins" /domain

View Enterprise Administrators Group

net group "enterprise admins" /domain

Locate the Domain Controller

net time /domain      // The primary domain controller is also the time server
ping owa.god.org      // owa is the domain controller's host name

Replacing ping with nslookup also returns the domain controller's IP address.

As shown in the figure above, the domain controller's IP is 192.168.52.138.

View Domain Controller

net group "domain controllers" /domain

View Primary Domain Controller

net time /domain           // The primary domain controller also acts as the domain's time server

Domain Trust

A trust relationship is the bridge between domains. Once a domain establishes trust with another domain, the two can administer each other as needed and share file and printer resources across the network, so resources can be shared and managed across domains.

nltest /domain_trusts

DNS Zone Transfer

When a zone-transfer vulnerability exists, the domain's full set of DNS resolution records can be retrieved:

nslookup -type=ns domain.com
nslookup
server dns.domain.com
ls domain.com

View list of user groups in the domain

net group /domain

Domain Admins          Domain administrators group
Domain Computers       Computers joined to the domain
Domain Controllers     Domain controllers
Domain Users           Domain users
Enterprise Admins      Enterprise (forest-wide) administrators group
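Every command in this section, from the basic commands through the domain queries, is a process creation on the host, and that is how a defender sees this collection phase. The Python below is an added detection example, not part of the original post: it classifies command lines by the discovery categories on this page, raises a medium alert when one host runs three or more distinct categories within five minutes, and a high alert on the firewall and Remote Desktop changes listed above. The log format is a constructed pipe-delimited stand-in for Sysmon Event ID 1 / Security 4688 fields; the host name LILI-PC comes from the page, while the users, parents and times are made up.

```python
"""Detect the host/domain discovery burst this page describes in process-creation logs.

Added detection example, not part of the original post. SAMPLE_LOG is a constructed,
pipe-delimited stand-in for Sysmon Event ID 1 / Security 4688 fields
(timestamp|host|user|parent_image|command_line). The rules cover only commands on this page."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

SAMPLE_LOG = """\
# timestamp|host|user|parent_image|command_line   (constructed sample)
2021-03-02T18:19:03|LILI-PC|GOD\\alice|cmd.exe|whoami
2021-03-02T18:19:10|LILI-PC|GOD\\alice|cmd.exe|systeminfo > systeminfo.txt
2021-03-02T18:19:31|LILI-PC|GOD\\alice|cmd.exe|C:\\Windows\\System32\\net1.exe user
2021-03-02T18:20:02|LILI-PC|GOD\\alice|cmd.exe|ipconfig /all
2021-03-02T18:20:45|LILI-PC|GOD\\alice|cmd.exe|net group "domain admins" /domain
2021-03-02T18:21:10|LILI-PC|GOD\\alice|cmd.exe|nltest /domain_trusts
2021-03-02T09:00:00|SRV01|NT AUTHORITY\\SYSTEM|services.exe|C:\\Windows\\system32\\svchost.exe -k netsvcs
2021-03-02T09:05:12|SRV01|CORP\\helpdesk|cmd.exe|ipconfig /all
2021-03-02T15:30:00|SRV01|CORP\\helpdesk|cmd.exe|tasklist /svc
2021-03-02T11:42:07|SRV02|CORP\\admin2|cmd.exe|netsh advfirewall set allprofiles state off
"""

# Discovery categories, each a regex over the normalised (lower-case, path-stripped) command line.
DISCOVERY_RULES = [
    ("account", re.compile(r"^(net1? (user|localgroup|group)\b|whoami|query user|qwinsta)")),
    ("system",  re.compile(r"^(systeminfo|wmic (qfe|product|service|process|startup|share|useraccount))\b")),
    ("network", re.compile(r"^(ipconfig|arp -a|net1? (share|view|config)|netsh (adv)?firewall show)\b")),
    ("domain",  re.compile(r"/domain\b|^nltest /domain_trusts|^net1? time\b")),
    ("tasks",   re.compile(r"^(schtasks /query|tasklist|cmdkey /list)\b")),
]
# Defensive-configuration changes listed on the page: firewall off, Remote Desktop enabled.
DEFENSE_CHANGE = re.compile(r"^netsh (adv)?firewall (set|add)\b|fdenytsconnections")


@dataclass
class ProcEvent:
    time: datetime
    host: str
    user: str
    parent: str
    cmdline: str


def normalize_cmdline(cmd: str) -> str:
    """Lower-case, drop the image's directory and .exe, collapse whitespace, so that
    a full path to net1.exe and a bare `net1 user` compare equal."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        end = len(cmd) if end == -1 else end
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    exe = exe.rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return " ".join([exe] + rest.lower().split())


def parse_log(text: str) -> List[ProcEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, user, parent, cmd))
    return events


def classify(cmdline: str) -> Set[str]:
    norm = normalize_cmdline(cmdline)
    cats = {name for name, rx in DISCOVERY_RULES if rx.search(norm)}
    if DEFENSE_CHANGE.search(norm):
        cats.add("defense_change")
    return cats


def detect(events: List[ProcEvent], window=timedelta(minutes=5), min_categories=3) -> List[Dict]:
    """A high alert for every defence change, plus one medium alert per burst of
    >= min_categories distinct discovery categories on one host inside `window`.
    A lone `ipconfig /all` by a help-desk user never alerts."""
    alerts = []
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_host[ev.host].append(ev)
    for host, evs in by_host.items():
        tagged = [(ev, classify(ev.cmdline)) for ev in evs]
        for ev, cats in tagged:
            if "defense_change" in cats:
                alerts.append({"severity": "high", "host": host, "user": ev.user,
                               "reason": "defense_change", "cmdline": ev.cmdline})
        hits = [(ev, cats - {"defense_change"}) for ev, cats in tagged if cats - {"defense_change"}]
        i = 0
        while i < len(hits):
            start, seen, j = hits[i][0].time, set(), i
            while j < len(hits) and hits[j][0].time - start <= window:
                seen |= hits[j][1]
                j += 1
            if len(seen) >= min_categories:
                alerts.append({"severity": "medium", "host": host, "user": hits[i][0].user,
                               "reason": "discovery_burst", "categories": sorted(seen),
                               "start": start.isoformat(), "end": hits[j - 1][0].time.isoformat()})
                i = j          # one alert per burst; resume after the window
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Normalising the image name means the redirected form from the tip above (systeminfo > systeminfo.txt) and a full path to net1.exe still hit their rules. The thresholds are starting points: the category count and window are the knobs to tune against your own administrators' baseline.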

Automatic Information Collection

Automation tool wmic_info (very powerful)

Download address: http://www.fuzzysecurity.com/scripts/files/wmic_info.rar
The script uses WMIC to enumerate the target machine's services, user list, user groups, network interfaces, hardware information, network shares, operating system, installed patches, installed software, startup items, time zone, and so on. When it runs, all results are written to an HTML file, as shown in the following figure.

Unzipping the archive gives a .bat file; double-clicking it produces an HTML file, which you then open.

LaZagne

Project Address: https://github.com/AlessandroZ/LaZagne/tree/2.4.3
Mainly used to collect accounts stored on the computer (for reference only)
Characteristics:

  1. Free and open source, fully supported
  2. Supports Windows, Mac and Linux
  3. Results are average
  4. Flagged by antivirus, so it needs AV evasion to run

xenarmor

Mainly used to recover the accounts saved for various protocols on the computer. It is graphical and easy to use but paid: the trial version masks recovered passwords with asterisks.
Characteristics:

  1. Paid (7-day trial available)
  2. High accuracy
  3. Windows only

Nishang

See Details - Nishang

metasploit

Use metasploit to invoke commands previously used for manual information collection

The third line of the output shows where the collected results are saved:
/root/.msf4/logs/scripts/winenum/LILI-PC_20210302.1819/LILI-PC_20210302.1819.txt

Reference resources

Intranet penetration cornerstone - Intranet information collection (top)
Intranet penetration cornerstone - Intranet information collection (2)

Tags: penetration test Intranet Penetration

Posted on Sat, 09 Oct 2021 13:35:29 -0400 by TwistedLogix