Internal network information collection: gathering information about the local machine

Why collect information about the local machine inside the network:

An internal network penetration testing environment contains a great many devices and a lot of protective software. By collecting information about targets inside the network, the tester gains insight into the network topology and can find the weakest link in the network.

After gaining a foothold inside the network, we need to determine the current network environment: what the network structure looks like, what role this machine plays, what it is used for, which anti-virus software is installed on it, and so on. All of this requires information gathering.

As an experienced colleague once put it: penetration is essentially information gathering.

Manual information collection:

Information about the local machine includes the operating system, permissions, anti-virus software, internal IP address, ports, services, patch update frequency, network connections, shares, sessions and so on. On hosts inside a domain, the operating system, application software, patches, services and anti-virus software are usually mass-installed from a common image.
By examining one machine you can therefore learn a lot about the operating system versions, installed software and patches, and the user naming convention used across the whole domain.

Query the network configuration information:

Command: ipconfig /all

Query the operating system and software information:

  1. Query the operating system and its version:
    command: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
    On a Chinese-language version of the system the field names are localized, so use: systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"

  2. View the system architecture:
    command: echo %PROCESSOR_ARCHITECTURE%

  3. View installed software, versions and paths:
    use the wmic command (the output can be redirected to a text file): wmic product get name,version

  4. Use a PowerShell command to collect software version information: powershell "Get-WmiObject -class Win32_Product | Select-Object -Property name,version"

Check local service information:

Command: wmic service list brief

Query the process list:

  1. View the current process list and the users running them; identify analysis software, mail clients, VPN clients and anti-virus software processes
    command: tasklist

  2. View processes with wmic
    command: wmic process list brief

View startup program information:

Command: wmic startup get command,caption

View scheduled tasks:

Command: schtasks /query /fo LIST /V
If the command fails with an error that the resource could not be loaded (a console code-page problem), use the chcp command to temporarily switch the console encoding to English.
Execute: chcp 437
After schtasks has run, use chcp to switch the encoding back to Chinese GBK (936).
Execute: chcp 936

View the host boot time:

Command: net statistics workstation

Query the user list:

  1. List local users: net user

  2. List local administrators: net localgroup administrators

  3. Display information about all users logged on to the system: query user

List or disconnect the sessions between the local computer and the clients connected to it:

Command: net session

Query the port list:

Command: netstat -ano
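
The port list on its own only gives PIDs; what an analyst (or an administrator reviewing a host) actually wants is which program owns each listening port and which remote hosts the machine talks to. The following Python script is an added example that is not part of the original post: it parses constructed sample output of netstat -ano and tasklist (the sample text is invented for this example, not captured from a real host) and joins the two on the PID. The KNOWN_PORTS table is an assumption added for readability.

```python
import re

# Constructed sample output of "netstat -ano" (invented for this example).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.20:49700     192.168.1.5:389        ESTABLISHED     812
  TCP    [::]:135               [::]:0                 LISTENING       928
  UDP    0.0.0.0:5355           *:*                                    1336
"""

# Constructed sample output of "tasklist" (invented for this example).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0         24 K
lsass.exe                      812 Services                   0     14,336 K
svchost.exe                    928 Services                   0      9,124 K
svchost.exe                   1204 Services                   0     11,552 K
svchost.exe                   1336 Services                   0      6,004 K
"""

# Assumed lookup table of ports worth a second look when they listen on a workstation.
KNOWN_PORTS = {135: "RPC endpoint mapper", 445: "SMB", 3389: "RDP", 5355: "LLMNR"}

# Image names may contain spaces, so match from the right-hand fixed columns.
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+\s*K\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, [IPv6] or *:*) into (host, port-or-None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection line of 'netstat -ano' output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, remote, state, pid = fields
        else:  # UDP lines carry no State column
            proto, local, remote, pid = fields
            state = ""
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport, "rhost": rhost,
                     "rport": rport, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from 'tasklist' output."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line.rstrip())
        if m:
            pids[int(m.group("pid"))] = m.group("image").strip()
    return pids


def listening_services(netstat_text, tasklist_text):
    """Join listening sockets with their owning process, one entry per (proto, port)."""
    procs = parse_tasklist(tasklist_text)
    seen = {}
    for row in parse_netstat(netstat_text):
        listening = row["state"] == "LISTENING" or (row["proto"] == "UDP" and row["rhost"] == "*")
        if not listening:
            continue
        seen.setdefault((row["proto"], row["lport"]), {
            "proto": row["proto"], "port": row["lport"], "pid": row["pid"],
            "image": procs.get(row["pid"], "?"), "service": KNOWN_PORTS.get(row["lport"], "")})
    return [seen[k] for k in sorted(seen, key=lambda k: (k[1], k[0]))]


def established_peers(netstat_text, tasklist_text):
    """Remote endpoints with an established TCP session and the local process owning it."""
    procs = parse_tasklist(tasklist_text)
    return [(r["rhost"], r["rport"], r["pid"], procs.get(r["pid"], "?"))
            for r in parse_netstat(netstat_text) if r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    for svc in listening_services(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(svc)
    print(established_peers(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

In the sample, the established session from lsass.exe to port 389 on 192.168.1.5 is exactly the kind of clue the later domain-discovery section relies on: LDAP traffic from LSASS points at a domain controller. On a real host, feed the script the saved output of the two commands instead of the constructed strings.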

View the patch list:

Command: systeminfo

Use wmic to view the patches installed on the system: wmic qfe get Caption,Description,HotFixID,InstalledOn

View the local share list:

Command: net share

Use the wmic command to list shares: wmic share get name,path,status

Query the routing table, the ARP cache and all available interfaces:

Commands: route print and arp -a

Firewall configuration:

  1. Turn off the firewall
  • Windows Server 2003 and earlier versions
    command: netsh firewall set opmode disable
  • Versions after Windows Server 2003
    command: netsh advfirewall set allprofiles state off

  2. Check the firewall configuration
    command: netsh advfirewall show allprofiles

  3. Modify the firewall configuration
  • Windows Server 2003 and earlier versions, allow a specified program to make all connections
    command: netsh firewall add allowedprogram c:\nc.exe "allow nc" enable
  • Versions after Windows Server 2003, allow a specified program all inbound connections
    command: netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C:\nc.exe"
  • Allow a specified program outbound connections
    command: netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="C:\nc.exe"
  • Allow inbound connections to port 3389
    command: netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

  4. Custom firewall log file location
    command: netsh advfirewall set currentprofile logging filename "C:\windows\temp\fw.log"

Check the proxy configuration:

Command: reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

Query and enable the remote connection service:

  • Query the RDP port
    command: REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
    The value 0xd3d converts to decimal 3389.
  • On Windows Server 2003, enable port 3389
    command: wmic path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
  • On other systems (tested by the author on Server 2012, Windows 7 and Windows 10), enable and disable port 3389
    enable command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
    disable command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 11111111 /f
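
Both the firewall section and the RDP section above end with output that has to be read by eye: the per-profile State lines of netsh advfirewall show allprofiles, and REG_DWORD values that reg query prints in hex (0xd3d for 3389). The following Python script is an added example, not code from the original post; it parses constructed sample output of those commands (invented for this example, including the abridged netsh listing) and reports what a host review cares about: which profiles have the firewall off, which profile writes to a non-default log file, and whether RDP is enabled and on which port. The hex-to-decimal helper also shows why the "disable" command's /d 11111111 works: reg query shows it back as 0xa98ac7, and any non-zero fDenyTSConnections value denies connections.

```python
import re

# Constructed, abridged sample of "netsh advfirewall show allprofiles" (invented for this example).
NETSH_SAMPLE = """
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LogAllowedConnections                 Disable
FileName                              %systemroot%\\system32\\LogFiles\\Firewall\\pfirewall.log

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
FileName                              %systemroot%\\system32\\LogFiles\\Firewall\\pfirewall.log

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
FileName                              C:\\windows\\temp\\fw.log
"""

# Constructed sample output of the two reg query commands above (invented for this example).
REG_PORT_SAMPLE = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d
"""
REG_DENY_SAMPLE = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
"""

PROFILE_RE = re.compile(r"^(\w+) Profile Settings:$")
# Value lines in reg query output are indented: name, type, data.
REG_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_netsh_profiles(text):
    """Return {profile: {setting: value}} from 'netsh advfirewall show allprofiles'."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = PROFILE_RE.match(line.strip())
        if m:
            current = m.group(1)
            profiles[current] = {}
        elif current and line.strip() and not line.startswith("-"):
            # Setting name and value are separated by a run of spaces, not a colon.
            key, _, value = line.strip().partition("  ")
            profiles[current][key.strip()] = value.strip()
    return profiles


def parse_reg_query(text):
    """Return {value_name: (type, data)} from 'reg query' output."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line.rstrip())
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values


def reg_dword(data):
    """reg query prints REG_DWORD data as hex (0xd3d); 'reg add /d' accepts decimal."""
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def audit(netsh_text, port_text, deny_text):
    """Summarise firewall state and RDP exposure for a host review."""
    profiles = parse_netsh_profiles(netsh_text)
    port = reg_dword(parse_reg_query(port_text)["PortNumber"][1])
    deny = reg_dword(parse_reg_query(deny_text)["fDenyTSConnections"][1])
    return {
        "firewall_off": sorted(p for p, s in profiles.items() if s.get("State", "").upper() == "OFF"),
        "nondefault_log": sorted(p for p, s in profiles.items()
                                 if "pfirewall.log" not in s.get("FileName", "")),
        "rdp_port": port,
        "rdp_enabled": deny == 0,  # any non-zero fDenyTSConnections value denies RDP
    }


if __name__ == "__main__":
    print(audit(NETSH_SAMPLE, REG_PORT_SAMPLE, REG_DENY_SAMPLE))
```

A firewall profile reporting OFF or a log path pointing somewhere unusual (both present in the constructed Public profile) are the first things to check after the commands in this section have been run on a host, since those are precisely the settings they change.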

Automated collection of local machine information:

On Windows XP, low-privileged users cannot run wmic; on Windows 7 and later, low-privileged users can run wmic and perform these queries.
Create a .bat file that writes the results of each query to an HTML file:

@echo off
REM Locate the htable.xsl stylesheet that ships with WMIC (normally under %WINDIR%\system32\wbem);
REM /format uses it to render each query as an HTML table.
for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"

REM Each query appends one table to out.html in the current directory.
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html
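
Seen from the other side, the manual checklist and the batch file above have a recognisable shape in process-creation telemetry: one account on one host runs many different discovery commands within a few minutes, where a normal user or administrator runs one or two. The following Python script is an added detection example that is not part of the original post. It runs over constructed process-creation events (invented records with hypothetical field names time/host/user/cmd, not real Security 4688 or Sysmon output) and raises an alert when an actor hits at least five distinct reconnaissance categories inside a five-minute window. The category regexes cover the commands listed on this page; the window and threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (invented for this example; field names are hypothetical).
EVENTS = [
    {"time": "2024-03-01T09:00:05", "host": "WS01", "user": "CORP\\jsmith", "cmd": "whoami /all"},
    {"time": "2024-03-01T09:00:09", "host": "WS01", "user": "CORP\\jsmith", "cmd": "systeminfo"},
    {"time": "2024-03-01T09:00:14", "host": "WS01", "user": "CORP\\jsmith", "cmd": "tasklist"},
    {"time": "2024-03-01T09:00:20", "host": "WS01", "user": "CORP\\jsmith", "cmd": "net user"},
    {"time": "2024-03-01T09:00:31", "host": "WS01", "user": "CORP\\jsmith", "cmd": "net localgroup administrators"},
    {"time": "2024-03-01T09:00:40", "host": "WS01", "user": "CORP\\jsmith", "cmd": "netstat -ano"},
    {"time": "2024-03-01T09:00:58", "host": "WS01", "user": "CORP\\jsmith", "cmd": "wmic qfe get Caption,Description,HotFixID,InstalledOn"},
    {"time": "2024-03-01T09:01:10", "host": "WS01", "user": "CORP\\jsmith", "cmd": "net time /domain"},
    # An administrator running single commands hours apart should not trigger.
    {"time": "2024-03-01T10:15:00", "host": "SRV02", "user": "CORP\\ops-admin", "cmd": "systeminfo"},
    {"time": "2024-03-01T11:30:00", "host": "SRV02", "user": "CORP\\ops-admin", "cmd": "tasklist"},
]

# One pattern per reconnaissance category from the checklist on this page. A burst is
# scored by distinct categories, so repeating the same command does not inflate it.
RECON_CATEGORIES = {
    "identity": r"^whoami(\s|$)|^query user",
    "system": r"^systeminfo|^echo %PROCESSOR_ARCHITECTURE%|^wmic os ",
    "processes": r"^tasklist|^wmic process ",
    "services": r"^wmic service |^wmic startup |^schtasks /query",
    "accounts": r"^net user|^net localgroup|^wmic useraccount|^wmic group ",
    "network": r"^netstat |^ipconfig|^arp -a|^route print|^net session|^net share|^wmic (share|netuse|nicconfig)",
    "patches": r"^wmic qfe|^wmic product|^powershell .*Win32_Product",
    "domain": r"^net time /domain|^net config workstation|^nslookup",
    "rdp_firewall": r"^reg query .*Terminal Server|^netsh (adv)?firewall",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RECON_CATEGORIES.items()}


def classify(cmd):
    """Return the reconnaissance category of a command line, or None if it is not one."""
    cmd = cmd.strip()
    for name, rx in COMPILED.items():
        if rx.search(cmd):
            return name
    return None


def detect_recon_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Alert when one user on one host runs >= threshold distinct categories inside the window."""
    by_actor = defaultdict(list)
    for ev in events:
        cat = classify(ev["cmd"])
        if cat:
            by_actor[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["time"]), cat))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        best = (0, None)
        # Slide the window forward from each hit and keep the richest window.
        for i, (start, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - start <= window}
            if len(cats) > best[0]:
                best = (len(cats), start)
        if best[0] >= threshold:
            alerts.append({"host": host, "user": user, "distinct": best[0],
                           "start": best[1].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(EVENTS):
        print(alert)
```

Counting distinct categories rather than raw command count keeps a looping script that re-runs tasklist every few seconds from tripping the rule, while the one-shot batch file above, which touches processes, services, accounts, network, patches and the OS in well under a minute, scores highly.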

Query the current permissions:

View the current permissions:

In a domain environment, an ordinary local user can query information about the local machine but cannot query domain information; local administrators and domain users can query domain information. The reason: all domain queries are served by the domain controller (over the LDAP protocol) and require authentication, so only accounts in the domain have this privilege. When a domain user runs such a command, Kerberos authentication is used automatically, with no need to enter the account password again.

Get the domain SID:

Command: whoami /all

Query the details of a specified user:

Command: net user username /domain

Determine whether a domain exists:

After obtaining the information above, determine whether the current network has a domain; if it does, then determine which host is the domain controller.

Using the ipconfig command

Run the command to view the IP address, gateway, DNS server IP address, domain name, and whether the machine and the DNS server are on the same network segment.
Command: ipconfig /all

Then use the nslookup command to reverse-resolve the domain name to an IP address. By comparing the resolved IP address with the DNS server address, you can determine whether the DNS server and the domain controller are on the same machine.

View detailed system information:

In the output, the "Domain" field is the domain name and the "Logon Server" field is the domain controller. If "Domain" is "WORKGROUP", the current server is not in a domain.
Command: systeminfo

Query the current logon domain and user logon status:

In the output, "Workstation Domain DNS Name" is the domain name (if it is "WORKGROUP", the current environment is not a domain), and "Logon domain" indicates whether the currently logged-on user is a domain user or a local user.
Command: net config workstation

Determine the primary domain:

Command: net time /domain, with three possible cases:

  • A domain exists, but the current user is not a domain user

  • A domain exists, and the current user is a domain user

  • No domain exists; the current network environment is a workgroup
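
The three sections above give a small decision procedure: the Domain field of systeminfo (WORKGROUP means no domain), the Logon Server field (the domain controller), and the Logon domain field of net config workstation (domain account versus local account). The following Python script is an added example that is not part of the original post; it applies those rules to constructed excerpts of systeminfo and net config workstation output for three situations matching the three cases listed above (the host names, domain name and user names are invented for this example). The rule that a Logon domain equal to the computer name means a local logon is an assumption this example makes explicit.

```python
import re

# Constructed excerpts of "systeminfo" output (invented for this example).
SYSINFO_DOMAIN = """
Host Name:                 WS01
OS Name:                   Microsoft Windows 10 Pro
Domain:                    corp.local
Logon Server:              \\\\DC01
"""
SYSINFO_WORKGROUP = """
Host Name:                 WS02
OS Name:                   Microsoft Windows 10 Pro
Domain:                    WORKGROUP
Logon Server:              \\\\WS02
"""

# Constructed excerpts of "net config workstation" output (invented for this example).
NETCFG_DOMAIN_USER = """
Computer name                        \\\\WS01
Full Computer name                   WS01.corp.local
User name                            jsmith

Workstation domain                   CORP
Workstation Domain DNS Name          corp.local
Logon domain                         CORP
"""
# Same domain-joined machine, but the session belongs to a local account.
NETCFG_LOCAL_USER = """
Computer name                        \\\\WS01
Full Computer name                   WS01.corp.local
User name                            localadmin

Workstation domain                   CORP
Workstation Domain DNS Name          corp.local
Logon domain                         WS01
"""
NETCFG_WORKGROUP = """
Computer name                        \\\\WS02
Full Computer name                   WS02
User name                            bob

Workstation domain                   WORKGROUP
Logon domain                         WS02
"""


def parse_systeminfo(text):
    """'systeminfo' prints 'Key:   value' lines; keep the single-line fields."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip() and not line.startswith(" "):
            fields[key.strip()] = value.strip()
    return fields


def parse_net_config(text):
    """'net config workstation' separates key and value by runs of spaces, with no colon."""
    fields = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields


def classify_host(systeminfo_text, netconfig_text):
    """Apply the page's rules: WORKGROUP means no domain; Logon domain tells domain vs local user."""
    si = parse_systeminfo(systeminfo_text)
    nc = parse_net_config(netconfig_text)
    domain = si.get("Domain", "")
    in_domain = domain.upper() != "WORKGROUP"
    computer = nc.get("Computer name", "").lstrip("\\")
    logon_domain = nc.get("Logon domain", "")
    # Assumption: a Logon domain equal to the computer name means a local account.
    domain_user = in_domain and logon_domain.upper() != computer.upper()
    if not in_domain:
        case = "no domain: workgroup environment"
    elif domain_user:
        case = "domain exists, current user is a domain user"
    else:
        case = "domain exists, current user is not a domain user"
    return {"domain": domain, "logon_server": si.get("Logon Server", ""),
            "in_domain": in_domain, "domain_user": domain_user, "case": case}


if __name__ == "__main__":
    print(classify_host(SYSINFO_DOMAIN, NETCFG_DOMAIN_USER))
    print(classify_host(SYSINFO_DOMAIN, NETCFG_LOCAL_USER))
    print(classify_host(SYSINFO_WORKGROUP, NETCFG_WORKGROUP))
```

The second case (domain exists but the session is a local account) is the one to keep in mind when reviewing a host: it is the situation in which the domain queries described earlier fail with access errors, which itself is a useful sign that a local account is being used on a domain-joined machine.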


Source: www.cnblogs.com/riyir/p/12593856.html