内网信息收集小知识（一）

单机信息收集

内网信息收集

概述

• 判断当前机器角色
• 判断所处网络环境拓扑结构
• 分析当前机器所处区域

本机信息收集

内容包括操作系统，权限，内网IP地址段，杀软，端口，服务，补丁，网络连接，共享，会话等

手动信息收集

网络配置

• ipconfig /all

操作系统及软件信息

• 操作系统和版本信息

  systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

  中文版就用中文

  

• 系统体系结构

  echo %PROCESSOR_ARCHITECTURE%

• 查看安装的软件及版本、路径

  wmic product get name,version

powshell收集

powershell "Get-WmiObject -class Win32_Product | Select-Object -Property name,version"

本机服务

• wmic service list brief

  

进程列表

• tasklist

• wmic process list brief

  

• 各类杀软进程名字

  {"360tray.exe",    "360安全卫士"},
  {"360sd.exe",      "360杀毒"},
  {"a2guard.exe",    "a-squared杀毒"},
  {"ad-watch.exe",    "Lavasoft杀毒"},
  {"cleaner8.exe",    "The Cleaner杀毒"},
  {"vba32lder.exe",    "vb32杀毒"},
  {"MongoosaGUI.exe",    "Mongoosa杀毒"},
  {"CorantiControlCenter32.exe",    "Coranti2012杀毒"},
  {"F-PROT.EXE",    "F-PROT杀毒"},
  {"CMCTrayIcon.exe",    "CMC杀毒"},
  {"K7TSecurity.exe",    "K7杀毒"},
  {"UnThreat.exe",    "UnThreat杀毒"},
  {"CKSoftShiedAntivirus4.exe",    "Shield Antivirus杀毒"},
  {"AVWatchService.exe",    "VIRUSfighter杀毒"},
  {"ArcaTasksService.exe",    "ArcaVir杀毒"},
  {"iptray.exe",    "Immunet杀毒"},
  {"PSafeSysTray.exe",    "PSafe杀毒"},
  {"nspupsvc.exe",    "nProtect杀毒"},
  {"SpywareTerminatorShield.exe",    "SpywareTerminator杀毒"},
  {"BKavService.exe",    "Bkav杀毒"},
  {"MsMpEng.exe",    "Microsoft Security Essentials"},
  {"SBAMSvc.exe",    "VIPRE"},
  {"ccSvcHst.exe",    "Norton杀毒"},
  {"QQ.exe",    "QQ"},
  {"f-secure.exe",    "冰岛"},
  {"avp.exe",        "卡巴斯基"},
  {"KvMonXP.exe",    "江民杀毒"},
  {"RavMonD.exe",    "瑞星杀毒"},
  {"Mcshield.exe",   "麦咖啡"},
  {"egui.exe",       "NOD32"},
  {"kxetray.exe",    "金山毒霸"}, 
  {"knsdtray.exe",   "可牛杀毒"},
  {"TMBMSRV.exe",    "趋势杀毒"},
  {"avcenter.exe",   "Avira(小红伞)"},
  {"ashDisp.exe",    "Avast网络安全"}, 
  {"rtvscan.exe",    "诺顿杀毒"}, 
  {"ksafe.exe",      "金山卫士"}, 
  {"QQPCRTP.exe",    "QQ电脑管家"},
  {"Miner.exe",    "流量矿石"},
  {"AYAgent.aye",    "韩国胶囊"},
  {"patray.exe",    "安博士"},
  {"avgwdsvc.exe",    "AVG杀毒"},
  {"ccSetMgr.exe",    "赛门铁克"},
  {"QUHLPSVC.EXE",    "QUICK HEAL杀毒"},
  {"mssecess.exe",    "微软杀毒"},
  {"SavProgress.exe",    "Sophos杀毒"},
  {"fsavgui.exe",    "F-Secure杀毒"},
  {"vsserv.exe",    "比特梵德"},
  {"remupd.exe",    "熊猫卫士"},
  {"FortiTray.exe",    "飞塔"},
  {"safedog.exe",    "安全狗"},
  {"parmor.exe",    "木马克星"},
  {"beikesan.exe",    "贝壳云安全"},
  {"KSWebShield.exe",    "金山网盾"},
  {"TrojanHunter.exe",    "木马猎手"},
  {"GG.exe",    "巨盾网游安全盾"},
  {"adam.exe",    "绿鹰安全精灵"},
  {"AST.exe",    "超级巡警"},
  {"ananwidget.exe",    "墨者安全专家"},
  {"AVK.exe",    "GData"},
  {"avg.exe",    "AVG Anti-Virus"},
  {"spidernt.exe",    "Dr.web"},
  {"Mcshield.exe",    "Mcafee"},
  {"avgaurd.exe",    "Avira Antivir"},
  {"F-PROT.exe",    "F-Prot AntiVirus"},
  {"vsmon.exe",    "ZoneAlarm"},
  {"avp.exee",    "Kaspersky"},
  {"cpf.exe",    "Comodo"},
  {"outpost.exe",    "Outpost Firewall"},
  {"rfwmain.exe",    "瑞星防火墙"},
  {"kpfwtray.exe",    "金山网镖"},
  {"MPMon.exe",    "微点主动防御"},
  {"pfw.exe",    "天网防火墙"},
  {"S.exe",    "在抓鸡"},
  {"1433.exe",    "在扫1433"},
  {"DUB.exe",    "在爆破"},
  {"ServUDaemon.exe",    "发现S-U"},
  {"BaiduSdSvc.exe",    "百度杀软"},
  
  
  安全狗
  SafeDogGuardCenter.exe
  safedogupdatecenter.exe
  safedogguardcenter.exe
  SafeDogSiteIIS.exe
  SafeDogTray.exe
  SafeDogServerUI.exe
  D盾
  D_Safe_Manage.exe
  d_manage.exe
  云锁
  yunsuo_agent_service.exe
  yunsuo_agent_daemon.exe
  护卫神
  HwsPanel.exe  护卫神·入侵防护系统（状态托盘）
  hws_ui.exe    护卫神·入侵防护系统 - www.huweishen.com
  hws.exe       护卫神·入侵防护系统 服务处理程序
  hwsd.exe      护卫神·入侵防护系统 监控组件
  火绒
  hipstray.exe
  wsctrl.exe
  usysdiag.exe
  

启动程序信息

• wmic startup get command,caption

  

计划任务

• schtasks /query /fo LIST /v

开机时间

• net statistics workstation

用户列表

• 本机用户列表

  net user

• 本地管理员

  net localgroup administrators

• 当前在线用户

  query user || qwinsta
  

本机与客户端之间的会话

net session

端口

netstat -ano

补丁

• 系统详细信息

  systeminfo

  通过补丁列表可找到未打补丁的漏洞

• wmic查看系统中的补丁

  wmic qfe get Caption,Description,HotFixID,InstalledOn

共享列表

• 查看本机共享列表

  net share

• wimc

  wmic share get name,path,status

路由表和ARP缓存

• 路由表

  route print

• ARP

  arp -a

防火墙配置

• 关闭防火墙

  • 2003及之前

    netsh firewall set opmode disable

  • 2003之后

    netsh advfirewall set allprofiles state off

• 查看防火墙配置

  netsh firewall show config

• 修改防火墙配置

  允许指定程序连接

  • 2003及以前

    netsh firewall add allowedprogram c:\nc.exe "allow nc" enable

  • 2003后

    netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="c:\nc.exe"

    允许指定程序退出

    `netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="c:\nc.exe"` 
    
    允许3389端口放行
    
    `netsh adbfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow`
    

• 自定义防火墙日志存储位置

  netsh advfirewall set currentprofile logging filename "c:\windows\temp\fw.log"

代理配置情况

reg query "HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Internet Settings"

远程连接

• 查看远程连接端口

  REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-TCP /V PortNumber"

• 2003开启3389

  wmic path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1

• 2008/2012开启3389

  方法一：wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1

  方法二：wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1

  方法三：

  开启
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
  关闭
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 1 /f
  

自动化信息收集

wmic，windows命令行工具

默认情况下，xp的低权限用户不能访问wmic，win7以上的允许

一个利用wmic收集目标机器信息的脚本

效果如下