Internal Network (Domain) Penetration - 1. Basic Commands
====================================================
ipconfig /all # query this host's IP range, the domain it belongs to, etc.
net user # list local users
net localgroup administrators # local administrators [usually includes domain users]
net user /domain # query domain users
net group /domain # query the groups in the domain
net group "domain admins" /domain # query the Domain Admins group
net localgroup administrators /domain # domain administrators logged on to this host
net localgroup administrators workgroup\user001 /add # add a domain user to the local Administrators group
net group "domain controllers" /domain # view the domain controllers (there may be several)
net time /domain # identify the primary domain; the primary domain server also acts as the time server
net config workstation # the domain currently logged on to
net session # view current sessions
net use \\ip\ipc$ password /user:username # establish an IPC session [null session-***]
net share # view the paths SMB points to [i.e. the shares]
net view # query the list of machines in the same domain
net view \\ip # query the shares of a given IP
net view /domain # query the list of domains
net view /domain:domainname # view the computer list of the given workgroup/domain
net start # view the currently running services
net accounts # view the local password policy
net accounts /domain # view the domain password policy
nbtstat -A ip # NetBIOS query
netstat -an/ano/anb # query network connections
route print # routing table
====================================================
dsquery computer # finds computers in the directory.
dsquery contact # finds contacts in the directory.
dsquery subnet # finds subnets in the directory.
dsquery group # finds groups in the directory.
dsquery ou # finds organizational units in the directory.
dsquery site # finds sites in the directory.
dsquery server # finds domain controllers in the directory.
dsquery user # finds users in the directory.
dsquery quota # finds quota specifications in the directory.
dsquery partition # finds partitions in the directory.
dsquery * # finds any object in the directory by using a generic LDAP query.
dsquery server -domain Yahoo.com | dsget server -dnsname -site # list the DNS host names and site names of the domain controllers in the domain
dsquery computer domainroot -name *-xp -limit 10 # find 10 machines in the domain whose names end in -xp
dsquery user domainroot -name admin* -limit 10 # find 10 users in the domain whose names start with admin
......
[Note: dsquery comes from the Windows Server 2003 Administration Tools Pack]
====================================================
tasklist /V # view processes [shows the owning user]
tasklist /S ip /U domain\username /P /V # view the process list of a remote computer
qprocess * # similar to tasklist
qprocess /SERVER:IP # view the process list of a remote computer
nslookup -qt=MX Yahoo.com # look up the mail servers
whoami /all # query the current user's privileges etc.
set # view the system environment variables
systeminfo # view system information
qwinsta # view logon sessions
qwinsta /SERVER:IP # view logon sessions on a remote host
fsutil fsinfo drives # view all drive letters
gpupdate /force # refresh domain policy
===================================================
wmic bios # view BIOS information
wmic qfe # view installed patches
wmic qfe get hotfixid # view patch numbers (hotfix IDs)
wmic startup # view startup items
wmic service # view services
wmic os # view OS information
wmic process get caption,executablepath,commandline
wmic process call create "process_name" (executes a program)
wmic process where name="process_name" call terminate (terminates program)
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
wmic useraccount (usernames, sid, and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (you can use ? to get help!)
wmic startup list full (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)
====================================================
Password hash dump tools - a list of hash-grabbing tools [big collection]
23 comments on "[collect] Some Windows Commands [bak]"
A roundup of tools and platforms for internal network penetration
https://www.secpulse.com/archives/54670.html
`
Frameworks/platforms: Metasploit, Cobaltstrike, Empire, Empyre
Proxies/port forwarding: sockscap, proxifier, Redsocks, Proxychains, SSH local/remote port forwarding, netcat/socat/hping, Metasploit
Port scanning: nmap, fscan, Metasploit, Portscan.ps1
PowerShell scripts: nishang, powersploit, PowerTools, PowerShell-AD-Recon
`
A complete journey from webshell to domain controller
https://www.secpulse.com/archives/51092.html
Internal network penetration
https://www.secpulse.com/archives/category/articles/intranet-penetration
https://www.secpulse.com/archives/tag/internal-penetration
How to locate administrators on the internal network
https://www.secpulse.com/archives/32859.html
Thoughts on internal network penetration
https://www.secpulse.com/archives/5432.html
Several common problems in internal network penetration
https://www.secpulse.com/archives/5671.html
Penetration tricks - hiding parameters in shortcut files
https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E5%BF%AB%E6%8D%B7%E6%96%B9%E5%BC%8F%E6%96%87%E4%BB%B6%E7%9A%84%E5%8F%82%E6%95%B0%E9%9A%90%E8%97%8F%E6%8A%80%E5%B7%A7/
Windows security
https://3gstudent.github.io/3gstudent.github.io/
https://github.com/3gstudent
PowerShell script for initial setup of Windows 10
https://github.com/Disassembler0/Win10-Initial-Setup-Script
A PowerShell script that determines which local privilege escalation vulnerabilities are present based on the installed patches (PowerShell script to quickly find missing Microsoft patches for local privilege escalation vulnerabilities.)
https://github.com/rasta-mouse/Sherlock
(Windows privilege escalation tool) Windows Privilege Escalation Tool
https://github.com/AlessandroZ/BeRoot
Gathering important information in internal domain penetration without administrator privileges
http://www.4hou.com/technology/4555.html
https://adsecurity.org/?p=2535
Scanning Active Directory permissions and privileged accounts
https://adsecurity.org/?p=3658
icebreaker - a tool for automating attacks against Active Directory in an internal network environment
https://github.com/DanMcInerney/icebreaker
Windows privilege escalation command guide
http://www.4hou.com/system/10212.html
http://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
LaZagneForensic - remote Windows password decryption tool
https://github.com/AlessandroZ/LaZagneForensic
Port forwarding on a Windows host using the built-in Netsh tool
http://woshub.com/port-forwarding-in-windows/
Implementing port forwarding with Windows commands
https://xianzhi.aliyun.com/forum/topic/2068
pyrexecd - a standalone SSH server for Windows
https://github.com/euske/pyrexecd
Windows Domain Controller Authentication Logon Logging and Forensics (Windows domain controller authentication logging and auditing)
https://serverfault.com/questions/682842/windows-domain-controller-authentication-logon-logging-and-forensics
Logon Type Codes Revealed
http://techgenix.com/logon-types/
Logon types in Windows Server
https://social.technet.microsoft.com/Forums/Lync/en-US/ff70e069-5453-4250-b5c7-8d52ce558ce2/logon-types-in-windows-server?forum=winserverDS
`
•2: Interactive logon — This is used for a logon at the console of a computer. A type 2 logon is logged when you attempt to log on at a Windows computer’s local keyboard and screen.
•3: Network logon — This logon occurs when you access remote file shares or printers. Also, most logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons that use the basic authentication protocol (those are logged as logon type 8).
•4: Batch logon — This is used for scheduled tasks. When the Windows Scheduler service starts a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created.
•5: Service logon — This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.
•7: Unlock—This is used whenever you unlock your Windows machine.
•8: Network clear text logon—This is used when you log on over a network and the password is sent in clear text. This happens, for example, when you use basic authentication to authenticate to an IIS server.
•9: New credentials-based logon—This is used when you run an application using the RunAs command and specify the /netonly switch. When you start a program with RunAs using /netonly, the program starts in a new logon session that has the same local identity (this is the identity of the user you are currently logged on with), but uses different credentials (the ones specified in the runas command) for other network connections. Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command, and logs the logon event with type 2.
•10: Remote Interactive logon—This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.
•11: Cached Interactive logon—This is logged when users log on using cached credentials, which basically means that in the absence of a domain controller, you can still log on to your local machine using your domain credentials. Windows supports logon using cached credentials to ease the life of mobile users and users who are often disconnected.
`
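As an added example (not from the forum thread quoted above), this Python snippet applies the logon-type table to constructed Security event 4624 message bodies and flags the two types that deserve a second look during log review: type 8 (password sent in clear text) and type 9 (runas /netonly alternate credentials). The event text, account names and addresses are made up for the example.

```python
import re

# Logon type codes as listed in the quoted post.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed excerpt of Security event 4624 message bodies, one record per
# blank-line-separated block; account names and addresses are made up.
SAMPLE_EVENTS = """\
Logon Type: 3
Account Name: alice
Source Network Address: 10.0.0.15

Logon Type: 8
Account Name: webuser
Source Network Address: 10.0.0.40

Logon Type: 9
Account Name: bob
Source Network Address: -
"""

FIELD_RE = re.compile(r"^(Logon Type|Account Name|Source Network Address):\s*(.*)$", re.M)

def parse_events(text):
    """Return one dict per record: numeric type, its label, account and source."""
    records = []
    for block in text.strip().split("\n\n"):
        f = dict(FIELD_RE.findall(block))
        if not f.get("Logon Type", "").isdigit():
            continue  # malformed record, skip it
        code = int(f["Logon Type"])
        records.append({"type": code, "label": LOGON_TYPES.get(code, "Unknown"),
                        "account": f.get("Account Name", "?"),
                        "source": f.get("Source Network Address", "-")})
    return records

def review(records):
    """Flag logons worth a closer look: type 8 sent the password in clear text
    over the network, type 9 is a runas /netonly session using alternate
    credentials (a common way to operate with a second identity)."""
    findings = []
    for r in records:
        if r["type"] == 8:
            findings.append(f"cleartext logon: {r['account']} from {r['source']}")
        elif r["type"] == 9:
            findings.append(f"/netonly credentials: {r['account']}")
    return findings
```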
How to use DCShadow to turn off Active Directory auditing
https://www.labofapenetrationtester.com/2018/05/dcshadow-sacl.html
check_hashes.py - a script that checks for domain users sharing the same password hash
`
#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py
`
https://gist.github.com/bandrel/3dd47c93cd430606865ec84d281913dc
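An added, independently written Python version of the same audit (not the gist linked above): it parses lines in the user:sid:LMHASH:NTLMHASH::: format, groups accounts by NT hash to reveal shared passwords, and also reports empty passwords and accounts that still store an LM hash. The sample dump is constructed; apart from the well-known empty-LM and empty-NT constants, its hash values are invented placeholders.

```python
import re
from collections import defaultdict

# Well-known constants (not secrets): the LM field when no LM hash is stored,
# and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample dump in user:rid:LMHASH:NTHASH::: format; the NT values
# are made-up placeholders, not hashes of real passwords.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
alice:1106:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
bob:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WS01$:1108:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
legacy:1109:0123456789abcdef0123456789abcdef:44444444444444444444444444444444:::
not a valid line
"""

def parse_dump(text):
    """Yield (user, rid, lm, nt) tuples, skipping malformed lines and machine
    accounts (names ending in $), whose passwords are random and rotate."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        if user.endswith("$"):
            continue
        yield user, int(rid), lm.lower(), nt.lower()

def audit(text):
    """Return accounts sharing an NT hash, accounts with an empty password,
    and accounts that still have an LM hash stored."""
    by_nt = defaultdict(list)
    empty_pw, lm_stored = [], []
    for user, rid, lm, nt in parse_dump(text):
        by_nt[nt].append(user)
        if nt == EMPTY_NT:
            empty_pw.append(user)
        if lm != EMPTY_LM:
            lm_stored.append(user)
    shared = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"shared": shared, "empty_password": empty_pw, "lm_stored": lm_stored}

if __name__ == "__main__":
    for nt, users in audit(SAMPLE_DUMP)["shared"].items():
        print(f"{len(users)} accounts share NT hash {nt[:8]}...: {', '.join(users)}")
```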
A study of taskmgr.exe's command-line parameters
http://www.hexacorn.com/blog/2018/07/22/taskmgr-exe-slashing-numbers/
r0ak - a command-line tool that achieves arbitrary read/write and code execution in the Windows kernel using only administrator privileges
https://github.com/ionescu007/r0ak
Windows command-line cheat sheet (part 1): some useful tips
https://www.andreafortuna.org/command-line/windows-command-line-cheatsheet-part-1-some-useful-tips/
SpoolerScanner - a tool to detect whether the Windows remote printer service is enabled (Check if MS-RPRN is remotely available with powershell/c#)
https://github.com/vletoux/SpoolerScanner
Windows-Kernel-Explorer - a Windows kernel research tool
https://github.com/AxtMueller/Windows-Kernel-Explorer
Get Process List with Command Line Arguments
https://malicious.link/post/2020/get-process-list/
`
> tasklist /v
> WMIC path win32_process get Caption,Processid,Commandline
> Get-WmiObject Win32_Process -Filter "name = 'firefox.exe'" | Select-Object CommandLine
`
GetProcessList.cs
https://gist.github.com/mubix/a8882940311d511dfe0e598e5a3fd1a8
Is there a command in Windows like ps -aux in UNIX?
https://superuser.com/questions/18830/is-there-a-command-in-windows-like-ps-aux-in-unix
`
tasklist
tasklist | findstr /i "keyword_here"
wmic process
wmic process | findstr /i "keyword_here"
`