渗透测试-内网信息收集

成都知道创宇

于 2022-04-28 14:20:54 发布

阅读量3.2k

点赞数

分类专栏：创宇安全文章标签：系统安全 web安全安全安全性测试

本文链接：https://blog.csdn.net/cdyunaq/article/details/124472890

版权

本文详细介绍了内网渗透测试中的信息收集步骤，包括手动、自动收集本机信息，查询当前权限，判断是否存在域，探测内网主机，扫描端口，收集域内基础信息，查找域控制器，获取域内用户和管理员信息，定位域管理员，以及利用powershell收集域信息。通过这些方法，安全专业人员可以评估和加强网络安全性。

摘要由CSDN通过智能技术生成

1 收集本机信息

1.1 手动收集信息

查询网络配置信息

ipconfig /all

查询操作系统和版本信息

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"

查询系统体系结构

echo %PROCESSOR_ARCHITECTURE%

查看安装的软件及版本、路径等

wmic product get name,version

利用PowerShell命令，收集软件的版本信息

powershell "Get-WmiObject -class Win32_Product |Select-Object -Property name,version"

查询本机服务信息

wmic service list brief

查询进程列表

tasklist
wmic process list brief

常见杀毒软件进程

{"360tray.exe",    "360安全卫士"},
{"360sd.exe",      "360杀毒"},
{"a2guard.exe",    "a-squared杀毒"},
{"ad-watch.exe",    "Lavasoft杀毒"},
{"cleaner8.exe",    "The Cleaner杀毒"},
{"vba32lder.exe",    "vb32杀毒"},
{"MongoosaGUI.exe",    "Mongoosa杀毒"},
{"CorantiControlCenter32.exe",    "Coranti2012杀毒"},
{"F-PROT.EXE",    "F-PROT杀毒"},
{"CMCTrayIcon.exe",    "CMC杀毒"},
{"K7TSecurity.exe",    "K7杀毒"},
{"UnThreat.exe",    "UnThreat杀毒"},
{"CKSoftShiedAntivirus4.exe",    "Shield Antivirus杀毒"},
{"AVWatchService.exe",    "VIRUSfighter杀毒"},
{"ArcaTasksService.exe",    "ArcaVir杀毒"},
{"iptray.exe",    "Immunet杀毒"},
{"PSafeSysTray.exe",    "PSafe杀毒"},
{"nspupsvc.exe",    "nProtect杀毒"},
{"SpywareTerminatorShield.exe",    "SpywareTerminator杀毒"},
{"BKavService.exe",    "Bkav杀毒"},
{"MsMpEng.exe",    "Microsoft Security Essentials"},
{"SBAMSvc.exe",    "VIPRE"},
{"ccSvcHst.exe",    "Norton杀毒"},
{"QQ.exe",    "QQ"},
{"f-secure.exe",    "冰岛"},
{"avp.exe",        "卡巴斯基"},
{"KvMonXP.exe",    "江民杀毒"},
{"RavMonD.exe",    "瑞星杀毒"},
{"Mcshield.exe",   "麦咖啡"},
{"egui.exe",       "NOD32"},
{"kxetray.exe",    "金山毒霸"},
{"knsdtray.exe",   "可牛杀毒"},
{"avcenter.exe",   "Avira(小红伞)"},
{"ashDisp.exe",    "Avast网络安全"},
{"rtvscan.exe",    "诺顿杀毒"},
{"ksafe.exe",      "金山卫士"},
{"QQPCRTP.exe",    "QQ电脑管家"},
{"Miner.exe",    "流量矿石"},
{"AYAgent.aye",    "韩国胶囊"},
{"patray.exe",    "安博士"},
{"V3Svc.exe",    "安博士V3"},
{"avgwdsvc.exe",    "AVG杀毒"},
{"ccSetMgr.exe",    "赛门铁克"},
{"QUHLPSVC.EXE",    "QUICK HEAL杀毒"},
{"mssecess.exe",    "微软杀毒"},
{"SavProgress.exe",    "Sophos杀毒"},
{"fsavgui.exe",    "F-Secure杀毒"},
{"vsserv.exe",    "比特梵德"},
{"remupd.exe",    "熊猫卫士"},
{"FortiTray.exe",    "飞塔"},
{"safedog.exe",    "安全狗"},
{"parmor.exe",    "木马克星"},
{"beikesan.exe",    "贝壳云安全"},
{"KSWebShield.exe",    "金山网盾"},
{"TrojanHunter.exe",    "木马猎手"},
{"GG.exe",    "巨盾网游安全盾"},
{"adam.exe",    "绿鹰安全精灵"},
{"AST.exe",    "超级巡警"},
{"ananwidget.exe",    "墨者安全专家"},
{"AVK.exe",    "GData"},
{"ccapp.exe",    "Symantec Norton"},
{"avg.exe",    "AVG Anti-Virus"},
{"spidernt.exe",    "Dr.web"},
{"Mcshield.exe",    "Mcafee"},
{"avgaurd.exe",    "Avira Antivir"},
{"F-PROT.exe",    "F-Prot AntiVirus"},
{"vsmon.exe",    "ZoneAlarm"},
{"avp.exee",    "Kaspersky"},
{"cpf.exe",    "Comodo"},
{"outpost.exe",    "Outpost Firewall"},
{"rfwmain.exe",    "瑞星防火墙"},
{"kpfwtray.exe",    "金山网镖"},
{"FYFireWall.exe",    "风云防火墙"},
{"MPMon.exe",    "微点主动防御"},
{"pfw.exe",    "天网防火墙"},
{"S.exe",    "在抓鸡"},
{"1433.exe",    "在扫1433"},
{"DUB.exe",    "在爆破"},
{"ServUDaemon.exe",    "发现S-U"},
{"BaiduSdSvc.exe",    "百度杀软"},

安全狗：
SafeDogGuardCenter.exe
safedogupdatecenter.exe
safedogguardcenter.exe
SafeDogSiteIIS.exe
SafeDogTray.exe
SafeDogServerUI.exe

D盾：
D_Safe_Manage.exe
d_manage.exe

云锁：
yunsuo_agent_service.exe
yunsuo_agent_daemon.exe

护卫神：
HwsPanel.exe 护卫神·入侵防护系统（状态托盘）
hws_ui.exe    护卫神·入侵防护系统
hws.exe       护卫神·入侵防护系统服务处理程序
hwsd.exe      护卫神·入侵防护系统监控组件

火绒：
hipstray.exe
wsctrl.exe
usysdiag.exe

趋势科技：
TMBMSRV.exe
ntrtscan.exe
PCCNTMON.exe
TMLISTEN.exe

查看启动程序信息

wmic startup get command,caption

查看计划任务

schtasks /query /fo LIST /v

查看主机开机时间

net statistics workstation

查询用户列表

本机用户列表：
net user
本地管理员（通常包含域用户）信息：
net localgroup administrators
查看当前在线用户
query user || qwinsta

列出或断开本地计算机与所连接的客户端之间的会话

net session

查询端口列表

netstat -ano

查看补丁列表

systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn

查询本机共享列表

net share
wmic share get name,path,status

查询路由表及所有可用接口的ARP缓存表

route print
arp -a

查询防火墙相关配置

关闭防火墙：
win2003以前的版本：netsh firewall set opmode disable
win2003以后的版本：netsh advfirewall set allprofiles state off
查看防火墙配置：
netsh firewall show config
修改防火墙配置：
win2003以前的版本：netsh firewall add allowedprogram c:\nc.exe "allow nc" enable
win2003以后的版本：netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="c:\nc.exe"
允许指定程序退出：netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="c:\nc.exe"
允许3389端口放行：netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
自定义防火墙日志的储存位置：
netsh advfirewall set currentprofile logging filename "C:\window\temp\fw.log"

查看代理配置情况

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

查询并开启远程连接服务

查看远程连接端口：
Reg query "hkey_local_machine\system\currentcontrolset\control\terminal server\winstations\RDP-Tcp" /v portnumber
win2003中开启3389：
wmic path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1

win2008和win2012中开启3389：
wmic /namespace:\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1

wmic /namespace:\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1