11、域渗透测试中使用到的命令+工具

命令

ipconfig /all                         ------ 查询本机IP段，所在域等 
net user                              ------ 本机用户列表 
net localhroup administrators         ------ 本机管理员[通常含有域用户] 
net user /domain                      ------ 查询域用户 
net group /domain                     ------ 查询域里面的工作组
net group "domain admins" /domain     ------ 查询域管理员用户组 
net localgroup administrators /domain ------ 登录本机的域管理员
net localgroup administrators workgroup\user001 /add   ------域用户添加到本机
net group "domain controllers" /domain                         ------ 查看域控制器(如果有多台) 
net time /domain                      ------ 判断主域，主域服务器都做时间服务器 
net config workstation                ------ 当前登录域 
net session                           ------ 查看当前会话 
net use \\ip\ipc$ pawword /user:username      ------ 建立IPC会话[空连接-***] 
net share                              ------  查看SMB指向的路径[即共享]
net view                               ------ 查询同一域内机器列表 
net view \\ip                          ------ 查询某IP共享
net view /domain                       ------ 查询域列表
net view /domain:domainname            ------ 查看workgroup域中计算机列表 
net start                              ------ 查看当前运行的服务 
net accounts                           ------  查看本地密码策略 
net accounts /domain                   ------  查看域密码策略 
nbtstat –A ip                          ------netbios 查询 
netstat –an/ano/anb                    ------ 网络连接查询 
route print                            ------ 路由表

dsquery computer          ----- finds computers in the directory.
dsquery contact           ----- finds contacts in thedirectory.
dsquery subnet            ----- finds subnets in thedirectory.
dsquery group             ----- finds groups in thedirectory.
dsquery ou                ----- finds organizationalunits in the directory.
dsquery site              ----- finds sites in thedirectory.
dsquery server            ----- finds domain controllers inthe directory.
dsquery user              ----- finds users in thedirectory.
dsquery quota             ----- finds quota specificationsin the directory.
dsquery partition         ----- finds partitions in thedirectory.
dsquery *                 ----- finds any object inthe directory by using a generic LDAP query.
dsquery server –domain Yahoo.com | dsget server–dnsname –site ---搜索域内域控制器的DNS主机名和站点名
dsquery computer domainroot –name *-xp –limit 10----- 搜索域内以-xp结尾的机器10台
dsquery user domainroot –name admin* -limit ---- 搜索域内以admin开头的用户10个
……
……
[注:dsquery来源于Windows Server 2003 Administration Tools Pack]

wmic bios                                                 ----- 查看bios信息
wmic qfe                                                  ----- 查看补丁信息
wmic qfe get hotfixid                                     ----- 查看补丁-Patch号
wmic startup                                              ----- 查看启动项
wmic service                                              ----- 查看服务
wmic os                                                   ----- 查看OS信息
wmic process get caption,executablepath,commandline
wmic process call create “process_name” (executes a program)
wmic process where name=”process_name” call terminate (terminates program)
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size,
volumeserialnumber (hard drive information)
wmic useraccount (usernames, sid, and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (you can use ? for gets help ! )
wmic startup list full (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)

工具

1.mimikatz.exe
https://github.com/gentilkiwi/mimikatz/
 
2.Pwdump7.exe
 
3.QuarksPwDump.exe
 
4.psexec.exe
https://technet.microsoft.com/ko-kr/sysinternals/bb897553.aspx
 
5.kerberoast
https://github.com/nidem/kerberoast
 
6.WMIEXEC.vbs
https://www.t00ls.net/thread-21167-1-1.html