Intranet information collection (2) Intra-domain information collection

Because I am currently studying "Intranet Security Attack and Defense: Penetration Testing Practical Guide", I will record some notes here; thank you for the wonderful explanation.
1. Determine whether there is a domain
1. ipconfig /all or nslookup hacker.testlab
2. systeminfo
3. net config workstation
4. net time /domain. If "System error 5" is returned, the current account is a domain user with insufficient privileges. If the prompt says the domain controller for WORKGROUP cannot be found, the host belongs to a workgroup and there is no domain.

2. Detection of surviving hosts in the domain
1. Use NetBIOS to quickly probe the intranet (NetBIOS is the "network neighborhood" protocol in Windows; local area network browsing is built on top of it).
Notes when scanning:
1. Avoid triggering alerts or blocking by anti-virus software in the domain, and avoid using nmap when it is not authorized.
2. Do not use graphical tools on the target machine. Prefer the tools that come with the server operating system; PowerShell scripts are recommended.
3. Probe once during the day and again in the middle of the night, then compare and analyze the two results to identify the surviving hosts and their corresponding IP addresses.
Tool: nbtscan
Usage: nbtscan.exe IP

2. Use the ICMP protocol to quickly probe the internal network
Tools:
1. ping command: for /L %l in (1,1,254) DO @ping -w 1 -n 1 192.168.1.%l | findstr "TTL="
2. VBS script code

3. Complete probing of the intranet through ARP scanning
Tools:
1. arp-scan command: arp.exe -t IP
2. ARPScan module in Empire
3. Invoke-ARPScan.ps1 (a script in nishang)

4. Use conventional TCP/UDP port scanning to probe the intranet
Tool: ScanLine
Command: scanline -h -t 22,80-89,110,389,445,3389,1099,1433,2049,6379,7001,8080,1521,3306,3389,5432 -u 53,161,137,139 -O c:\windows\temp\sl_res.txt -p 192.168.4.1-254 /b
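Seen from the defender's side, every host-discovery technique in this section (the ping loop, nbtscan, ARP scans, a ScanLine range) leaves the same footprint: one source touching many destination hosts within a short time. The script below is an added example, not code from the book or the original post; it runs a sliding-window fan-out detector over constructed flow-log lines. The log line format, the 60-second window, the 20-host threshold and the sample addresses are all assumptions made for illustration.

```python
"""Detect host-discovery sweeps (ICMP, NetBIOS, ARP-style fan-out) in flow logs.

Added example, not code from the book or the original post. It assumes a
constructed, simplified flow-log line format:
    <ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port>
Real sources (Windows Filtering Platform events, firewall or NetFlow exports)
need their own parser in place of parse_flow().
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line into a Flow record."""
    ts, src, dst, proto, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, proto, int(dport))


def detect_sweeps(lines, window=timedelta(seconds=60), min_hosts=20):
    """Flag any source that contacts >= min_hosts distinct destination hosts
    inside a sliding time window. A ping sweep of a /24, an nbtscan run or a
    ScanLine range scan all produce this fan-out signature whatever protocol
    they use. Returns one alert dict per offending source."""
    flows = sorted((parse_flow(line) for line in lines), key=lambda f: f.ts)
    per_src = defaultdict(list)
    for f in flows:
        per_src[f.src].append(f)

    alerts = {}
    for src, src_flows in per_src.items():
        recent = deque()                # flows inside the current window
        dst_counts = defaultdict(int)   # dst -> occurrences inside the window
        for f in src_flows:
            recent.append(f)
            dst_counts[f.dst] += 1
            # Evict flows that have fallen out of the window.
            while f.ts - recent[0].ts > window:
                old = recent.popleft()
                dst_counts[old.dst] -= 1
                if dst_counts[old.dst] == 0:
                    del dst_counts[old.dst]
            if len(dst_counts) >= min_hosts:
                alert = alerts.setdefault(src, {
                    "src": src,
                    "first_seen": recent[0].ts.isoformat(),
                    "distinct_hosts": 0,
                    "protocols": set(),
                })
                alert["distinct_hosts"] = max(alert["distinct_hosts"], len(dst_counts))
                alert["protocols"].update(x.proto for x in recent)
    for a in alerts.values():
        a["protocols"] = sorted(a["protocols"])
    return list(alerts.values())


# Constructed sample: 192.168.1.50 pings 40 hosts, then probes NetBIOS (137/udp)
# on the same 40 hosts; the last three lines are ordinary single connections.
SAMPLE_FLOWS = (
    [f"2024-01-10T09:00:{i:02d} 192.168.1.50 192.168.1.{i + 1} ICMP 0" for i in range(40)]
    + [f"2024-01-10T09:01:{i:02d} 192.168.1.50 192.168.1.{i + 1} UDP 137" for i in range(40)]
    + [
        "2024-01-10T09:05:00 192.168.1.20 192.168.1.10 TCP 445",
        "2024-01-10T09:05:01 192.168.1.21 192.168.1.10 TCP 389",
        "2024-01-10T09:05:02 192.168.1.20 192.168.1.11 TCP 80",
    ]
)

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_FLOWS):
        print(alert)
```

The detector counts distinct destinations rather than packets, so a chatty but legitimate client (many flows to one file server) never trips it, while the day-and-night double probe recommended above shows up as two bursts from the same source. The threshold should be tuned per network segment; vulnerability scanners and monitoring hosts need an allow-list.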

3. Intra-domain port scanning
Purpose:
1. Banner information of the port
2. Services running on the port
3. Default ports of common applications
Tools:
1. telnet command (in the TCP/IP protocol suite, the protocol that provides remote login to a computer). telnet DC 22 connects to port 22 of the DC machine and shows whether port 22 is open. It is fast and will not trigger the other side's prevention and control alarms.
2. S scanner (TCP scan and SYN scan). Scanning is very fast on systems below Windows 2003; on 2003 and above some errors are sometimes reported. TCP scan is recommended.
S.exe TCP 192.168.1.1 192.168.1.254 445,3389,1443,7001,1099,8080,80,22,23,21,25,110,3306,5432,1521,6379,2049,111 256 /Banner /save
3. Metasploit
4. Invoke-PortScan.ps1

4. Collection of basic information in the domain (these queries go through the LDAP protocol and cannot be run without domain authorization; under local SYSTEM privileges, apart from the machine's own XYZ$ SYSTEM context, nothing else will work)
1. net view /domain: display the domains
2. net view /domain:HACKER: query the computers in the domain
3. net group /domain: query the groups in the domain, usually including the default groups (only on the domain controller)
4. net group "domain computers" /domain: query the domain member machines (only on the domain controller)
5. net accounts /domain: password policy, displays password length and expiry period
6. nltest /domain_trusts: obtain domain trust information

5. Find the domain controller
1. nltest /DCLIST:HACKER: obtain the list of domain controllers
2. nslookup -type=SRV _ldap._tcp: obtain the domain controller IP
3. net time /domain: display the domain controller time
4. net group "Domain Controllers" /domain: view the domain controller group (at least two domain controllers)
5. netdom query pdc: query the primary domain controller of the domain

6. Query the list of all domain users
1. net user /domain
2. wmic useraccount get /all: get detailed information about the users in the domain
3. dsquery user (an Active Directory command)
4. net localgroup administrators /domain: query the users in the domain's built-in local Administrators group

7. Query the domain administrator user group
1.net group "domain admins" /domain
2.net group "Enterprise Admins" /domain
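The commands in sections 4 to 7 are all legitimate administrative tools, so blocking them is not an option; what a defender can do is look for the burst in which they appear together. The script below is an added example covering those sections; it is not code from the book or the original post. It normalises process-creation command lines (path and .exe stripped, net1 folded into net, curly quotes straightened, whitespace collapsed) before matching, then raises one alert per host/user that runs commands from several categories inside a window. The log line format, the rule set, the 10-minute window, the three-category threshold and the sample accounts are assumptions.

```python
"""Flag bursts of domain-enumeration commands in process-creation logs.

Added example for the domain information, domain controller and user/admin
enumeration sections above; not code from the book or the original post.
Assumed, constructed log line format: "<ISO timestamp> <host> <user> <command line>"
(in practice the fields come from Security event 4688 with command-line auditing,
or from Sysmon event 1).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules are grouped by the sections of these notes; each regex runs against the
# normalised command line produced by normalise().
RULES = [
    ("domain-check",   r"^net (config workstation|time /domain)$"),
    ("host-discovery", r"^nbtscan\b"),
    ("port-scan",      r"^scanline\b"),
    ("port-scan",      r"^s (tcp|syn) \d"),
    ("domain-info",    r"^net view /domain"),
    ("domain-info",    r'^net group (/domain|"domain computers" /domain)'),
    ("domain-info",    r"^net accounts /domain"),
    ("domain-info",    r"^nltest /domain_trusts"),
    ("dc-discovery",   r"^nltest /dclist:"),
    ("dc-discovery",   r"^nslookup -type=srv _ldap\._tcp"),
    ("dc-discovery",   r"^netdom query pdc"),
    ("dc-discovery",   r'^net group "domain controllers" /domain'),
    ("user-enum",      r"^net user /domain"),
    ("user-enum",      r"^wmic useraccount get"),
    ("user-enum",      r"^dsquery user"),
    ("admin-enum",     r"^net localgroup administrators /domain"),
    ("admin-enum",     r'^net group "(domain admins|enterprise admins)" /domain'),
]
COMPILED = [(cat, re.compile(pat)) for cat, pat in RULES]
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def normalise(cmdline: str) -> str:
    """Lower-case, collapse whitespace, straighten smart quotes, drop the executable's
    path and .exe suffix, and fold net1 (spawned by net.exe) into net."""
    s = cmdline.strip()
    for smart, plain in SMART_QUOTES.items():
        s = s.replace(smart, plain)
    s = re.sub(r"\s+", " ", s).lower()
    if s.startswith('"'):                     # quoted path, may contain spaces
        end = s.find('"', 1)
        end = len(s) if end == -1 else end
        exe, rest = s[1:end], s[end + 1:]
    else:
        exe, _, rest = s.partition(" ")
    exe = re.split(r"[\\/]", exe)[-1]
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe == "net1":
        exe = "net"
    return (exe + " " + rest.strip()).strip()


def classify(cmdline: str) -> list:
    """Return the sorted list of rule categories a command line matches."""
    norm = normalise(cmdline)
    return sorted({cat for cat, rx in COMPILED if rx.search(norm)})


def parse_event(line: str):
    """Split a constructed log line into (timestamp, host, user, command line)."""
    ts, host, user, cmdline = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, user, cmdline


def detect_enumeration(lines, window=timedelta(minutes=10), min_categories=3):
    """One alert per (host, user) running commands from >= min_categories distinct
    categories inside a sliding window: a lone 'net user /domain' is routine admin
    work, a burst spanning several categories is the reconnaissance signal."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    by_principal = defaultdict(list)
    for ts, host, user, cmdline in events:
        cats = classify(cmdline)
        if cats:
            by_principal[(host, user)].append((ts, cmdline, cats))
    alerts = {}
    for key, hits in by_principal.items():
        start = 0
        for end, (ts, _, _) in enumerate(hits):
            while ts - hits[start][0] > window:      # slide the window forward
                start += 1
            window_cats = set().union(*(c for _, _, c in hits[start:end + 1]))
            if len(window_cats) >= min_categories:
                alert = alerts.setdefault(key, {
                    "host": key[0], "user": key[1],
                    "start": hits[start][0].isoformat(),
                    "categories": set(), "commands": []})
                alert["categories"].update(window_cats)
                for _, cmd, _ in hits[start:end + 1]:
                    if cmd not in alert["commands"]:
                        alert["commands"].append(cmd)
    for a in alerts.values():
        a["categories"] = sorted(a["categories"])
    return list(alerts.values())


# Constructed sample: alice's burst mirrors the command sequence in these notes
# (note the net1.exe path, the double space and the curly quotes); bob and carol are benign.
SAMPLE_LOG = [
    r'2024-01-10T10:00:01 WS01 LAB\alice "C:\Windows\System32\net1.exe" config workstation',
    r"2024-01-10T10:00:05 WS01 LAB\alice net time /domain",
    r"2024-01-10T10:02:10 WS01 LAB\alice nltest /dclist:HACKER",
    r'2024-01-10T10:03:00 WS01 LAB\alice net  group "Domain Admins" /domain',
    r"2024-01-10T10:03:30 WS01 LAB\alice net user /domain",
    r"2024-01-10T10:04:00 WS01 LAB\alice nbtscan.exe 192.168.1.0/24",
    r"2024-01-10T10:04:30 WS01 LAB\alice net group “Domain Controllers” /domain",
    r"2024-01-10T10:30:00 WS02 LAB\bob net use X: \\fileserver\share",
    r"2024-01-10T11:00:00 WS03 LAB\carol net user /domain",
]

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

ipconfig /all and systeminfo are deliberately left out of the rule set: they are too common to carry signal, and the cross-category burst is what separates reconnaissance from a help-desk session. Event 4688 logs net.exe and its child net1.exe as two processes, which is why the normaliser folds them together instead of counting the same command twice.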

Origin blog.csdn.net/bring_coco/article/details/109456123