Article Directory
- Query network configuration
- Query user list
- Query process list
- Query the version of the operating system and installed software
- Query port list
- Query the patch list
- Query local share
- Query firewall configuration and turn off the firewall
- Query and start remote connection service
- Query current permissions
- Get the sid of the domain
- Query the detailed information of a specified user
Query network configuration
- ipconfig /all
- Check whether the host is joined to a domain, whether it sits on an internal or an external network, and whether it has two network cards (one internal, one external)
Query user list
- net user ------->> list local users
- net localgroup administrators ------->> list the members of the local Administrators group
- query user || qwinsta ------->> view currently logged-on users; before logging in over 3389 (RDP), check whether an administrator is online
Query process list
- tasklist /v ------->> analyze whether antivirus software, a VPN client, etc. are running
- wmic process list brief ------->> same analysis via WMI
Query the version of the operating system and installed software
- Operating system (English version): systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
- Operating system (Chinese version): systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"
- Software: wmic product get name,version ------->> check whether the installed software has known vulnerabilities
Query port list
- netstat -ano ------->> infer the role of the server from its open ports
Query the patch list
- systeminfo ------->> the Hotfix(s) section lists installed patches
Query local share
- net share
- net share \\hostname
- wmic share get name,path,status
Query firewall configuration and turn off the firewall
Query firewall configuration
- netsh firewall show config
Turn off the firewall
- netsh firewall set opmode disable ------->> Windows versions before 2003
- netsh advfirewall set allprofiles state off ------->> Windows versions after 2003
Query and start remote connection service
Methods to enable 3389 (RDP):
1. Universal 3389 enable (optimized version):
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
2. For Win2003:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. For Win2008:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
4. For all versions:
Enabling 3389 from cmd on Win08, Win03, Win7, Win2012, WinXP
Win08: three commands are enough:
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
Win2012 uses the same three commands; Win7 needs only the first two. All of them must be run as administrator.
Query current permissions
- whoami
- win7-x64-test\test ------->> local ordinary user, cannot query domain information
- win7-x64-test\administrator ------->> local administrator, can query domain information
- hack\administrator ------->> domain user, can query information in the domain
- How to tell whether the current user is a domain user: run ipconfig /all and look at the domain shown; if the host is in the hack domain and the account is prefixed with that domain, it is a domain user. You can also run hostname first: if the prefix shown by whoami is the machine name rather than the domain name, the account is local, not a domain user.
Get the sid of the domain
- whoami /all ------->> shows the user's SID; the domain SID is that SID without its final RID component
Query the detailed information of a specified user
- net user xxx /domain ------->> xxx is the account name to look up
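As an added defensive example that is not part of the original post: a small Python triage routine that flags the commands listed on this page when they appear in process-creation telemetry (Sysmon Event ID 1 or Security 4688 command lines). The event shape, host and user names and the sample command lines are constructed for the example; the ATT&CK labels are the standard technique IDs for these behaviours.

```python
import re
from collections import defaultdict

# Each rule: regex over the command line, ATT&CK technique label, base severity.
# The patterns mirror the enumeration and hardening-change commands in this post.
RULES = [
    (r"\bipconfig\b.*/all", "T1016 network config discovery", "low"),
    (r"\bnet\s+(user|localgroup)\b", "T1087 account discovery", "low"),
    (r"\b(query\s+user|qwinsta)\b", "T1033 logged-on user discovery", "low"),
    (r"\b(tasklist|wmic\s+process)\b", "T1057 process discovery", "low"),
    (r"\bsysteminfo\b", "T1082 system info / patch discovery", "low"),
    (r"\bnetstat\b.*-ano", "T1049 network connection discovery", "low"),
    (r"\b(net|wmic)\s+share\b", "T1135 share discovery", "low"),
    (r"\bnetsh\b.*(opmode\s+disable|allprofiles\s+state\s+off)", "T1562.004 firewall disabled", "high"),
    (r"fDenyTSConnections|SetAllowTSConnections", "T1021.001 RDP enabled via registry/WMI", "high"),
    (r"\bwhoami\b.*/all|\bnet\s+user\b.*/domain", "T1087.002 domain account discovery", "medium"),
]

def classify(cmdline):
    """Return the (technique, severity) pairs triggered by one command line."""
    return [(tech, sev) for pat, tech, sev in RULES if re.search(pat, cmdline, re.I)]

def triage(events, window=600, burst=4):
    """events: dicts with keys time (seconds), host, user, cmdline (constructed shape).
    Alert on any high-severity command, and on >= `burst` distinct discovery
    techniques by one host/user within `window` seconds (the recon chain above)."""
    by_actor = defaultdict(list)
    for e in events:
        for tech, sev in classify(e["cmdline"]):
            by_actor[(e["host"], e["user"])].append((e["time"], tech, sev, e["cmdline"]))
    alerts = []
    for actor, hits in by_actor.items():
        hits.sort()
        alerts += [(actor, "high", tech, cmd) for _, tech, sev, cmd in hits if sev == "high"]
        for t0, *_ in hits:  # sliding window over distinct techniques
            techs = {tech for t, tech, _, _ in hits if t0 <= t <= t0 + window}
            if len(techs) >= burst:
                alerts.append((actor, "medium", f"{len(techs)} techniques in {window}s", ""))
                break
    return alerts

# Constructed sample: a recon chain ending in firewall/RDP changes, plus benign noise.
def mk(t, cmd, host="WS01", user="corp\\jdoe"):
    return {"time": t, "host": host, "user": user, "cmdline": cmd}
SAMPLE = [mk(100, "ipconfig /all"), mk(130, "net user"), mk(160, "tasklist /v"),
          mk(200, "systeminfo"), mk(260, "whoami /all"),
          mk(300, "netsh advfirewall set allprofiles state off"),
          mk(330, 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
          mk(500, "ipconfig /all", host="WS02", user="corp\\helpdesk")]
```

On the sample, `triage(SAMPLE)` yields two high alerts for the firewall and RDP changes and one burst alert for the seven techniques seen from WS01, while the single `ipconfig /all` on WS02 produces nothing.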