1. Determine whether a domain exists
ipconfig /all
systeminfo
workgroup
net config workstation
net time /domain (this command has three possible outcomes)
  1) A domain exists, and the current user is not a domain user.
  2) A domain exists, and the current user is a domain user.
  3) No domain exists.
2. Detect live hosts in the domain
Use NetBIOS to quickly probe the intranet
Tool: nbtscan
Command: nbtscan.exe ip
Use the ICMP protocol to quickly probe the intranet
Tools:
1. ping command: for /L %l in (1,1,254) DO @ping -w 1 -n 1 192.168.1.%l | findstr "TTL="
2. VBS script
Use an ARP scan to probe the intranet thoroughly
Tools:
1. arp-scan command: arp.exe -t ip
2. invoke-arpscan.ps1
3. The arpscan module in Empire
Use ordinary TCP/UDP port scanning to probe the intranet
Tool: scanline
Command: sl -h -t 22,80-89,110,389 -u 53,161,137,139 -O c:\windows\temp\xxx.txt -p 192.168.1.1-254 /b
3. Port scanning within the domain
S scanner (s.exe)
s.exe tcp 192.168.1.1 192.168.1.254 445,3389,1433,7001,80,8080,22,23,21,25,3306,5432 /banner /save
metasploit
sea
4. Collect basic information about the domain
net view /domain
net view /domain:xxx
net group /domain
net group "domain computers" /domain
net accounts /domain
nltest /domain_trusts
5. Locate the domain controller
nltest /dclist:xxx
nslookup -type=srv _ldap._tcp
net time /domain
net group "domain controllers" /domain
netdom query pdc
6. Enumerate users and administrators in the domain
net user /domain
wmic useraccount get /all
dsquery user
net localgroup administrators /domain
7. Query the domain administrator groups
net group "domain admins" /domain
net group "enterprise admins" /domain
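The same command list is what a defender should be watching for in process-creation telemetry. The Python below is an added example, not part of the original notes: it reads constructed Windows 4688-style records (the field layout and the sample lines are assumptions) and alerts only when one user on one host runs commands from several of the discovery categories above within a short window, since a lone `net group /domain` is normal admin noise while the burst is the reconnaissance signature.

```python
"""Flag bursts of the domain discovery commands listed above in process
creation logs. One 'net group ... /domain' is routine admin noise; several
distinct discovery commands from one user on one host within a few minutes
is the signal. All log lines here are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per discovery category taken from this page (case-insensitive).
RECON_PATTERNS = {
    "domain_check": re.compile(r"\bnet\s+(time|config)\b.*/domain", re.I),
    "trusts_dcs": re.compile(r"\bnltest\b.*/(domain_trusts|dclist)|\bnetdom\s+query\s+pdc\b", re.I),
    "domain_groups": re.compile(r'\bnet\s+group\s+"?(domain\s+(admins|controllers|computers)|enterprise\s+admins)', re.I),
    "domain_users": re.compile(r"\bnet\s+user\s+/domain|\bdsquery\s+user\b|\bwmic\s+useraccount\b", re.I),
    "host_sweep": re.compile(r"\bping\b.*-n\s+1\b.*findstr|\bnbtscan\b|\bscanline\b", re.I),
}
# Constructed 4688-style records (assumed layout): "<timestamp> <host> <user> <command line>"
SAMPLE_LOG = """\
2024-05-01T09:00:05 WS01 CORP\\alice net time /domain
2024-05-01T09:00:21 WS01 CORP\\alice nltest /domain_trusts
2024-05-01T09:00:40 WS01 CORP\\alice net group "domain admins" /domain
2024-05-01T09:01:02 WS01 CORP\\alice net user /domain
2024-05-01T09:01:30 WS01 CORP\\alice nltest /dclist:corp
2024-05-01T09:30:00 WS02 CORP\\bob net group "domain admins" /domain
2024-05-01T09:31:00 WS02 CORP\\bob notepad.exe C:\\notes.txt
"""
def classify(cmdline):
    """Return the set of discovery categories a command line matches."""
    return {name for name, pat in RECON_PATTERNS.items() if pat.search(cmdline)}
def find_recon_bursts(log_text, window=timedelta(minutes=5), min_categories=3):
    """Map (host, user) -> sorted categories for every principal that ran commands
    from at least `min_categories` distinct categories inside one `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, user, cmd = line.split(maxsplit=3)
        if cats := classify(cmd):
            events[(host, user)].append((datetime.fromisoformat(ts), cats))
    alerts = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(evs):  # slide the window over each start
            seen = set()
            for ts, cats in evs[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                alerts[key] = sorted(seen)
                break
    return alerts
```

Tune `window` and `min_categories` to the environment; help-desk hosts that legitimately run `net user /domain` all day will need a higher threshold or an allow-list.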