Internal Network Information Gathering

Introduction

In a penetration test, the depth and breadth of information gathering, and how well the key facts are extracted from it, directly or indirectly determine the quality of the whole test, so its importance should not be underestimated. Understanding it on paper is not the same as being able to do it, and it is better to practise it yourself. This article provides a single-domain environment in which to practise information gathering; the download link is given at the end of the article.

Single-domain environment

This diagram shows the single-domain internal network environment built for this information-gathering exercise.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/760d4f9f946745f6bc945abee8bf3e34~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-82bc3f9127b783540fb8591caa84ca7687ad133d.png)

Workgroups compared with domain environments

A workgroup is a collection of computers, but only a logical one: each computer is still administered on its own, and to access a computer in the workgroup you still have to authenticate on that computer. A domain is different: it is a collection of computers with a security boundary, and the computers in one domain have already established trust relationships with each other, so accessing another machine in the domain no longer requires that machine's own permission. Why distinguish the two? Because the attack techniques differ between the two environments; ARP spoofing and DNS spoofing only work in a workgroup.

Basic network architecture

![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/064209ffeffa4249864dd8ff390b2052~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)

DMZ: In real penetration tests, the access obtained through a web application is in most cases inside the DMZ. This zone is not strictly part of the internal network. If the access-control policy is configured properly, the DMZ can be reached from the internal network, but the internal network cannot be reached from the DMZ.

Internal network: The internal network contains many servers, office computers and so on. The security level of the office area is usually not high; its basic protection is mostly antivirus software or a host intrusion detection product. Servers and domain controllers are better protected. Our main target is to take over the domain controller, which is why the information gathering that precedes it is so important.

AD domain controller: A domain controller generally runs only on a Windows Server system. Linux is rarely used as a domain controller because it is much harder to manage and offers fewer features; Linux does have an Active Directory equivalent, but it requires setting up an LDAP environment, very few enterprises manage their network with LDAP, it is less capable than a domain, and managing it on Linux demands a higher skill level from staff. Windows as a domain controller has a graphical interface and can be managed well.

Information gathering

Basic information gathering

Purpose: to learn the basic facts about the current server and how strong its protection is, in preparation for determining the server's role and network environment later.

systeminfo shows the OS version, installed hotfix numbers and other details.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/671674af18324c4c89ac2ddb317bc852~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-deac2ab7b086e76ebe4af21b69b94eeecb8ed222.png)

net start lists the services that are running.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/1ad857f06e4b464f8036c5aefcb2714e~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ee653ffb69aa4bd8f787fc4a629b1deeeb4bb5f0.png)

tasklist lists the running processes.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/1158b0060d534dd2a7d618813f0de91c~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5e44362ef208b12cf991343d3e14facb4d2bad0d.png)

schtasks /query /fo LIST /v shows the scheduled tasks on the target host in detail.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/f72a6cc676c14758aa1b4cb064622685~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-7c2b4305039cb4f6dcef6083f2b6734c1cce7b0a.png)

schtasks on its own lists the scheduled tasks.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/f865e06e19674e9a8b3661ff0fe0218d~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ee560d9b9a827409e8030364c901f7f14c55de68.png)

SPN: Service Principal Name. A server must have an SPN registered before Kerberos can be used with it, so SPNs can be enumerated inside the network to quickly find the services registered there; an SPN scan avoids the uncertainty of probing with a port scan. The main tool is setspn, which ships with Windows and can be run with ordinary domain user rights: setspn -T rootkit.org -Q */* reveals that services such as MSSQL exist in the network.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/9a9812d305b74139a0eabcf9e9c37ca1~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-fffc94ac93782ad26c8c8b7eb90de47ea0c65cb1.png)

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/887b353992cc43a7bd464e11e4eac1a6~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-d2682b0fcb90bc94788c115607f895914cf1564e.png)
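As an added example (it is not from the original article or the lab it describes), the Python script below parses the text that setspn -Q */* prints into an inventory of service classes and the hosts that advertise them, which is what the scan is used for, and also pulls out the SPNs that sit on objects in the Users container, the subset a defender reviewing the same listing cares about. The sample listing is constructed to match the shape of setspn output for the article's rootkit.org domain; the account and host names in it are made up, and the assumption that user objects live under CN=Users is marked in the code.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `setspn -T rootkit.org -Q */*` output
# (the host and account names are made up, not taken from the article's lab).
SAMPLE_SETSPN_OUTPUT = """\
Checking domain DC=rootkit,DC=org
CN=DC01,OU=Domain Controllers,DC=rootkit,DC=org
\tldap/dc01.rootkit.org/rootkit.org
\tldap/dc01.rootkit.org
\tHOST/dc01.rootkit.org
\tGC/dc01.rootkit.org/rootkit.org
CN=SQL01,CN=Computers,DC=rootkit,DC=org
\tHOST/sql01.rootkit.org
\tHOST/SQL01
CN=sqlsvc,CN=Users,DC=rootkit,DC=org
\tMSSQLSvc/sql01.rootkit.org:1433
\tMSSQLSvc/sql01.rootkit.org
CN=WEB01,CN=Computers,DC=rootkit,DC=org
\tHTTP/web01.rootkit.org
\tHOST/web01.rootkit.org

Existing SPN found!
"""

# An SPN has the form  serviceclass/host[:port][/servicename]
SPN_RE = re.compile(r"^(?P<cls>[^/]+)/(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/(?P<name>.+))?$")


def parse_setspn(text):
    """Turn setspn -Q output into a list of SPN records.

    Unindented lines are either the header/footer or the distinguished name of
    the account that owns the SPNs listed on the indented lines that follow.
    """
    entries = []
    current_dn = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            current_dn = raw.strip() if raw.startswith("CN=") else None
            continue
        if current_dn is None:
            continue
        m = SPN_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "account": current_dn,
            "service_class": m.group("cls"),
            "host": m.group("host").lower(),
            "port": int(m.group("port")) if m.group("port") else None,
            "service_name": m.group("name"),
        })
    return entries


def services_by_class(entries):
    """Map each service class to the sorted hosts that advertise it: the
    'which services exist in the network' view the article uses the scan for."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[e["service_class"]].add(e["host"])
    return {cls: sorted(h) for cls, h in hosts.items()}


def spns_on_user_accounts(entries):
    """SPNs owned by objects in the Users container rather than by computer
    objects, i.e. services running under a domain user account, whose password
    policy a defender should review. Assumption: user objects live under
    CN=Users; adjust the filter if the domain keeps them in other OUs."""
    return [e for e in entries if ",CN=Users," in e["account"]]


if __name__ == "__main__":
    spns = parse_setspn(SAMPLE_SETSPN_OUTPUT)
    for cls, hosts in sorted(services_by_class(spns).items()):
        print(f"{cls:10} {', '.join(hosts)}")
    for e in spns_on_user_accounts(spns):
        print("user-account SPN:", e["service_class"], e["host"], e["port"], "->", e["account"])
```

Run it on a real listing by piping the saved setspn output into parse_setspn; the parser only relies on the indentation that setspn uses, so it does not care which language the system runs in.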

The PowerShell command powershell "Get-WmiObject -Class Win32_Product | Select-Object -Property Name,Version" lists the installed software and its versions. Note that enumerating Win32_Product makes Windows Installer run a consistency check on every installed package, which is slow and writes MsiInstaller events to the Application event log on the host.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/908b6a33fbef46c9a6c338f929937ede~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-9e173b7bb89e6050963761fe9a3f8d5c282da06c.png)

nltest /domain_trusts lists the domain trusts.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/7ad3fb840467430b820f93182c59e7b5~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-899e790a94e4a983c29e9889d910e887164738b2.png)

Alternatively, use wmic product get name,version (the same Win32_Product class, with the same side effects).

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/ff279d8889e4469592d29cfb140961f4~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-777008b2c489bd47702f7f659ef814268ae561c5.png)

wmic service list brief lists the local services, to check whether any of them offers a point for further exploitation.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/38d0ee907a46480c9af02fe944376f82~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-78e8ac873c0bbdd53b83671e35b906034321a0ff.png)

netsh firewall show config shows the firewall configuration. The netsh firewall context is deprecated; netsh advfirewall show allprofiles is the equivalent on current Windows versions.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/7fbfbe640f6e4345a43ed08896d304c8~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-2222edbd335f17cc1e5f711ba6e92784eded0c92.png)

wmic nteventlog get path,filename,writeable shows whether the event logs can be modified or deleted.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/e46ff99f027b468db15756cb448681e3~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-2863cf41b351685e711256d8eecf67f50124a4ac.png)

Network information gathering

Purpose: to learn the network interface information of the current server, as preparation for determining the role and function of the compromised host, understanding the network architecture, and finding the live hosts in the internal network.

ipconfig /all tells from the DNS settings whether the host is in a domain: a domain-joined host has a DNS suffix, a host without a domain does not.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/adcbd055df05459eacf3c0d816ae9679~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-2481ae057c862e6a58fc72cd4303866463dab389.png)

This is my own machine, which is not in a domain, for comparison.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/5fbdddd3b26a4e94a1c3e22186e5a1b0~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-a91a2088dc420c03e6e0cb69ee2aee35bc905d2d.png)

net time /domain obtains the primary domain name; this is really the computer name of the primary domain controller, and nslookup or ping then gives its IP address.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/bbff9dc539d94704b4f712c6f9a1fcc3~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-170ea53506428263fb26a87fecbc7463a0520658.png)

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/e4c563e2b9b34f9ab05c2c43cb0afc2c~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-b77a34ada7c54904d1dc8869ddf1bc5fbddbf421.png)

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/95c471d31ee34b6da2de1ba875980f93~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-afc65857a680ca4451e3679f9ecbea717200ae5e.png)

netstat -ano shows which network ports are currently open and the PID behind each.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/96d242061c63415a982946c266d91a13~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-22665a30dd933b1b27c2bf48453096565d0683b2.png)

Common ports and the services behind them

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/d41cbe125461493e84ff1a2b23e9ba04~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-0f3b38ed981841166c568cfadbf4c165e9fdc96c.png)
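As an added example (not part of the original article), here is a Python parser for netstat -ano output that extracts the listening sockets, labels each with the well-known service for its port, and compares the result with a baseline of what a host of that role is expected to expose, so a server that has started listening on an extra port stands out. The sample output is constructed, and the port-to-service table is my own shortlist rather than a copy of the article's image.

```python
# Constructed sample in the layout of `netstat -ano` on Windows (not captured
# from the article's lab). TCP rows carry a State column, UDP rows do not.
SAMPLE_NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2456
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    192.168.64.10:49700    192.168.64.1:445       ESTABLISHED     4
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:53             *:*                                    1240
"""

# My own shortlist of well-known ports; the article's table is an image, so
# this mapping is an assumption and not copied from it.
KNOWN_PORTS = {
    21: "ftp", 22: "ssh", 53: "dns", 80: "http", 88: "kerberos", 135: "msrpc",
    139: "netbios-ssn", 389: "ldap", 443: "https", 445: "smb", 1433: "mssql",
    3306: "mysql", 3389: "rdp", 5985: "winrm-http", 5986: "winrm-https",
}


def parse_netstat(text):
    """Parse netstat -ano rows into dicts with proto, addr, port, state, pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP" and len(parts) == 5:
            state, pid = parts[3], int(parts[4])
        elif proto == "UDP" and len(parts) == 4:
            state, pid = "", int(parts[3])
        else:
            continue  # malformed row
        addr, port = local.rsplit(":", 1)  # works for IPv4 and bracketed IPv6
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "state": state, "pid": pid})
    return rows


def listening_sockets(rows):
    """TCP sockets in LISTENING state plus every UDP socket (UDP has no state)."""
    open_ = [r for r in rows
             if (r["proto"] == "TCP" and r["state"] == "LISTENING") or r["proto"] == "UDP"]
    return sorted(open_, key=lambda r: (r["proto"], r["port"]))


def annotate(rows):
    """Attach the well-known service name for each socket's port."""
    return [dict(r, service=KNOWN_PORTS.get(r["port"], "unknown")) for r in rows]


def unexpected_listeners(rows, baseline):
    """Listeners outside the (proto, port) set a host of this role should expose.
    For a defender this is the drift check; in the article's reconnaissance the
    same rows are what identify the server's role."""
    return [r for r in listening_sockets(rows) if (r["proto"], r["port"]) not in baseline]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT_OUTPUT)
    for r in annotate(listening_sockets(rows)):
        print(f"{r['proto']} {r['port']:>5} pid={r['pid']:<5} {r['service']}")
    # Assumed baseline for a plain domain-joined Windows host: RPC, SMB, RDP and DNS.
    baseline = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 53)}
    for r in unexpected_listeners(rows, baseline):
        print("unexpected listener:", r["proto"], r["port"], "pid", r["pid"])
```

With the sample, port 1433 is labelled mssql and ports 80 and 1433 are reported as unexpected for the baseline; pairing the PID with the tasklist output from the previous section tells you which process owns each socket.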

Security software information gathering

The security software and antivirus products inside a domain should be the same across its hosts. Common antivirus process names are shown below:

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/63098756d6064e52900378eb75792115~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-05f9f730479cb9ccdc788c3877606226796854d9.png)

System command to get the antivirus product details, including install location and version:

wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayName,productState,pathToSignedProductExe

In my own testing this command does not work in this lab environment, but when tested on my own machine it clearly shows all the security software, so it is introduced here. The root\SecurityCenter2 WMI namespace exists only on client editions of Windows and is absent on Windows Server, which is why the query fails on a server.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/c7eedba53b3243299685d8e07a14eef6~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-0f8202939accdeac7e74c884704194123d9c4620.png)

Using ping to find the live hosts on the LAN, on a Linux host:

for i in {132..254}; do ping -q -i 0.01 -c 3 192.168.64.$i &> /dev/null && echo 192.168.64.$i is alive; done

(The brace range must use two ASCII dots and the address must reference $i; an interval as short as -i 0.01 may require root depending on the ping version.)

Personally I find this very awkward: if you don't start at the address of a live host, it just gets stuck. I tested this, so you can only start from a live host.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/92a62437f0db4d85a35ddaafa2ac91f3~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5a5fa0c7d1693a4eed6bab0669b14b5f6e03f08d.png)

On a Windows host:

for /l %p in (143,1,254) do @ping -l 1 -n 3 -w 40 192.168.3.%p & if errorlevel 1 (echo 192.168.3.%p>>na.txt) else (echo 192.168.3.%p>>wangcheng.txt)

na.txt records all hosts that do not answer ping, and wangcheng.txt all hosts that do. Both files are written to the current working directory of the command prompt, which is a little hard to find, so look carefully.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/b3c8ced3c16c4b1b9425fcb5961474a4~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-c242454e79826020604089862e9def289bca6dfb.png)
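The ping loops above send a burst of ICMP echo requests from one source to many consecutive addresses within a few seconds, which is easy to spot on the receiving side. As an added example that is not from the original article, the Python code below reads Windows Firewall log lines (the W3C pfirewall.log format) collected from several hosts into one feed and flags any source that reached at least a threshold number of distinct targets with echo requests inside a sliding time window. The log lines are constructed for the article's 192.168.64.0/24 range; the window and threshold values are assumptions to tune per network.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed pfirewall.log lines, aggregated from several hosts' logs into one
# feed (not captured from the article's lab). Host 192.168.64.10 sweeps seven
# addresses in four seconds; 192.168.64.20 pings two hosts minutes apart.
FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-07-10 10:00:01 ALLOW ICMP 192.168.64.10 192.168.64.132 - - 60 - - - - 8 0 - RECEIVE
2021-07-10 10:00:01 ALLOW ICMP 192.168.64.10 192.168.64.133 - - 60 - - - - 8 0 - RECEIVE
2021-07-10 10:00:02 DROP ICMP 192.168.64.10 192.168.64.134 - - 60 - - - - 8 0 - RECEIVE
2021-07-10 10:00:02 DROP ICMP 192.168.64.10 192.168.64.135 - - 60 - - - - 8 0 - RECEIVE
2021-07-10 10:00:03 ALLOW ICMP 192.168.64.10 192.168.64.136 - - 60 - - - - 8 0 - RECEIVE
2021-07-10 10:00:03 DROP ICMP 192.168.64.10 192.168.64.137 - - 60 - - - - 8 0 - RECEIVE
2021-07-10 10:00:04 ALLOW ICMP 192.168.64.10 192.168.64.138 - - 60 - - - - 8 0 - RECEIVE
2021-07-10 10:00:02 ALLOW ICMP 192.168.64.20 192.168.64.1 - - 60 - - - - 8 0 - RECEIVE
2021-07-10 10:00:02 ALLOW ICMP 192.168.64.1 192.168.64.20 - - 60 - - - - 0 0 - SEND
2021-07-10 10:03:00 ALLOW ICMP 192.168.64.20 192.168.64.5 - - 60 - - - - 8 0 - RECEIVE
2021-07-10 10:03:05 ALLOW TCP 192.168.64.20 192.168.64.5 49812 445 52 S 123456 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Parse W3C-style firewall log lines; field positions follow the #Fields header."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 15:
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "action": f[2], "proto": f[3],
                       "src": f[4], "dst": f[5], "icmptype": f[13]})
    return events


def detect_icmp_sweeps(events, window_seconds=10, min_targets=5):
    """Return {source: peak distinct echo-request targets} for every source whose
    peak within any window of window_seconds reaches min_targets.

    Only ICMP type 8 (echo request) counts, so replies and other traffic from a
    host do not inflate its score. Repeated pings of one target (the loops in
    the article send three per host) are counted once via the Counter.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "ICMP" and e["icmptype"] == "8":
            by_src[e["src"]].append((e["ts"], e["dst"]))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        counts = Counter()
        left = 0
        peak = 0
        for ts, dst in evs:
            counts[dst] += 1
            # Slide the window start forward past events older than ts - window.
            while evs[left][0] < ts - window:
                old_dst = evs[left][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                left += 1
            peak = max(peak, len(counts))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    events = parse_firewall_log(FIREWALL_LOG)
    for src, n in detect_icmp_sweeps(events).items():
        print(f"possible ping sweep from {src}: {n} distinct targets in 10 s")
```

With the defaults the sample produces one alert, for 192.168.64.10 with seven targets; 192.168.64.20 never exceeds one target per window and the echo reply from 192.168.64.1 is ignored. A one-second window with the same threshold produces no alert, which is the trade-off to keep in mind when tuning against slow sweeps.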

User information gathering

Purpose: to learn the users and user groups of the current computer or domain, so that credentials can be used for testing later. Common default system identities:

- Domain Admins: domain administrators (full control over the domain controllers by default)
- Domain Computers: machines in the domain
- Domain Controllers: domain controllers
- Domain Users: domain users
- Domain Guests: domain guests, with low privileges
- Enterprise Admins: enterprise administrator accounts

whoami /all shows the current user's privileges and group memberships.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/e662c4bc62f0404e875d9cd285c7372b~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-9e2fbac7a85f8cf0e2fc7184a9b52cabcae73e7f.png)

net config workstation shows the logon information.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/febdd5b6e566452e979b86908d35eb55~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-a62e04048a6ba6a884e5dd30427f1daf5bd7795b.png)

net user lists the local users; net user /domain lists the domain users.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/3a54e5df71d940c494b97bc51aa01648~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-99b067ea5c1c670922734754ff3f70a0f23be2e7.png)

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/bebb7ee085ae410791b623759411c399~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-46d96769822a710862aa9d56277810d5909f2c5c.png)

When a domain user performs operations such as changing an account type, the domain controller's password must be entered.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/3269505075e143e797690eb4af764e1b~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-91c85be4d0ffc14ff4b8e0089baea79ee8d66204.png)

Local users are not controlled by the domain controller.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/3345d7118076403aaf20568c2b48d163~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-519ad75a9154bf855164f0ec656dc40c7ec0fced.png)

net localgroup lists the local groups.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/c1809ca74ca34573aee87600bd5cf706~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5850da584f6b1b9b14ceb5c4e30c0d589c1d74b8.png)

wmic useraccount get /all shows detailed information about the domain users.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/6bccebf3bb1344c380d4b9b4856625e2~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-61defa86973052df4873d58eeb9057e89c2e58bc.png)

net group "Enterprise Admins" /domain lists the members of the enterprise administrators group.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/5a0c4ac42cb9467cb04b4b24ea106f9f~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-113aaa05c12be3034c465bc083445074aa208373.png)

net group "Domain Users" /domain lists the members of the Domain Users group.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/fe7e5b21beb34b44bc7ea4ba987778ef~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5df42e8bcc8433c5ff41bcc65b03fc8f86c1bb2d.png)

query user or qwinsta shows the users currently logged on.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/41192f23e30b4d1b92c9c0d03a4354cb~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-8be406969fee31ae4253b9b5b2ad72968523a713.png)

Credential information gathering

Purpose: to collect hashes, plaintext passwords, passphrases and so on, in preparation for later lateral movement testing.

Getting the names of wireless networks the host has connected to, using system commands:

netsh wlan show profiles lists the Wi-Fi networks that have been logged on to. This was tried on my own machine; since our lab environment is virtual it has never connected to Wi-Fi, so no result can be obtained there.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/f7a67ef00ee746e0a261ce7f09081e77~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-e260e453e282bebe554bbea8bc148cf054aad96a.png)

netsh wlan show profile name="iQOO U3" key=clear shows the Wi-Fi password stored in the "iQOO U3" profile.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/b7d7d85cc66c42f9975a8385efe13953~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-3ff367d076de14683afbcc42b18f4b6198273a74.png)

The following command shows the passwords of all Wi-Fi networks the host has connected to:

for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear

![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/f935a0c4b6834d35bc044de0f941a207~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)

mimikatz (github.com/gentilkiwi/…) is used to recover account passwords from a computer.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/889678c59429435e9105e3f9e108570b~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-cd27d183fddba93888423440d786e657276fb45c.png)

XenArmor (xenarmor.com/) is dedicated to password recovery and can recover almost every password ever used on the computer. It is very powerful, but it costs money, and since I'm not rich I won't demonstrate it.

cmdkey /list enumerates the Windows credentials stored on the system.

![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/ff29585c42404235a70725fb1d78727a~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)

vaultcmd (built into Windows) lists the credential vaults: vaultcmd /list. On a Chinese-language system, list all credentials in the vault with GUID {4BF4C442-9B8A-41A0-B380-DD4A704DDB28}: vaultcmd /listcreds:{4BF4C442-9B8A-41A0-B380-DD4A704DDB28}. List the properties of that vault, including its file location, the number of credentials it holds and the protection method: vaultcmd /listproperties:{4BF4C442-9B8A-41A0-B380-DD4A704DDB28}

[![screenshot](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-0305a5d491338efc7d58bc51ee1e801c881cfbb4.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-0305a5d491338efc7d58bc51ee1e801c881cfbb4.png)

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/62f6760413e647ae9eca59d6d6bf89a5~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-edbe01ca67d392223d1e393a2566874bbe1ea27b.png)

Information gathering with tools

- GDA.bat: github.com/nullbind/Ot…
- PowerSploit: github.com/PowerShellM…
- Nishang: github.com/samratashok…
- Metasploit: github.com/rapid7/Metasploit-framework
- PowerTools: github.com/PowerShellE…

Automated information gathering with scripts


Download the wmic_info.bat script from www.fuzzysecurity.com/scripts/files/wmic_info.rar; running it writes its results to out.html.

[![screenshot](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/9e59c4d25697449983654853752429f9~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-dddcaa66d99430d5c554d27f47927b40e756c26f.png)
