Single-host information gathering
Internal network information gathering
Overview
- Determine the role of the current machine
- Determine the topology of the network it sits in
- Work out which network zone the current machine belongs to
Local host information gathering
Covers the operating system, privileges, internal IP address ranges, antivirus software, ports, services, patches, network connections, shares, sessions, and so on.
Manual information gathering
Network configuration
`ipconfig /all`
Operating system and software information
- Operating system name and version: `systeminfo | findstr /B /C:"OS Name" /C:"OS Version"` (on a Chinese-language system, match the Chinese field names instead)
- System architecture: `echo %PROCESSOR_ARCHITECTURE%`
- Installed software with versions and paths: `wmic product get name,version`; PowerShell equivalent: `powershell "Get-WmiObject -class Win32_Product | Select-Object -Property name,version"`
Local services
- `wmic service list brief`
Process list
`tasklist`
- `wmic process list brief`
- Process names of various antivirus and security products (the author also lists a few unrelated tools and attacker utilities):

| Process | Product |
|---|---|
| 360tray.exe | 360 Safe Guard (360安全卫士) |
| 360sd.exe | 360 Antivirus (360杀毒) |
| a2guard.exe | a-squared antivirus |
| ad-watch.exe | Lavasoft antivirus |
| cleaner8.exe | The Cleaner antivirus |
| vba32lder.exe | VBA32 antivirus |
| MongoosaGUI.exe | Mongoosa antivirus |
| CorantiControlCenter32.exe | Coranti 2012 antivirus |
| F-PROT.EXE | F-PROT / F-Prot AntiVirus |
| CMCTrayIcon.exe | CMC antivirus |
| K7TSecurity.exe | K7 antivirus |
| UnThreat.exe | UnThreat antivirus |
| CKSoftShiedAntivirus4.exe | Shield Antivirus |
| AVWatchService.exe | VIRUSfighter antivirus |
| ArcaTasksService.exe | ArcaVir antivirus |
| iptray.exe | Immunet antivirus |
| PSafeSysTray.exe | PSafe antivirus |
| nspupsvc.exe | nProtect antivirus |
| SpywareTerminatorShield.exe | SpywareTerminator antivirus |
| BKavService.exe | Bkav antivirus |
| MsMpEng.exe | Microsoft Security Essentials |
| SBAMSvc.exe | VIPRE |
| ccSvcHst.exe | Norton antivirus |
| QQ.exe | QQ |
| f-secure.exe | F-Secure (listed as 冰岛) |
| avp.exe | Kaspersky (卡巴斯基) |
| KvMonXP.exe | Jiangmin antivirus (江民杀毒) |
| RavMonD.exe | Rising antivirus (瑞星杀毒) |
| Mcshield.exe | McAfee (麦咖啡) |
| egui.exe | NOD32 |
| kxetray.exe | Kingsoft Antivirus (金山毒霸) |
| knsdtray.exe | Keniu antivirus (可牛杀毒) |
| TMBMSRV.exe | Trend Micro antivirus (趋势杀毒) |
| avcenter.exe | Avira (小红伞) |
| ashDisp.exe | Avast Internet Security |
| rtvscan.exe | Norton antivirus (诺顿杀毒) |
| ksafe.exe | Kingsoft Guard (金山卫士) |
| QQPCRTP.exe | Tencent PC Manager (QQ电脑管家) |
| Miner.exe | Liuliang Kuangshi traffic-mining client (流量矿石) |
| AYAgent.aye | AhnLab (韩国胶囊) |
| patray.exe | AhnLab (安博士) |
| avgwdsvc.exe | AVG antivirus |
| ccSetMgr.exe | Symantec (赛门铁克) |
| QUHLPSVC.EXE | Quick Heal antivirus |
| mssecess.exe | Microsoft antivirus (微软杀毒) |
| SavProgress.exe | Sophos antivirus |
| fsavgui.exe | F-Secure antivirus |
| vsserv.exe | Bitdefender (比特梵德) |
| remupd.exe | Panda Security (熊猫卫士) |
| FortiTray.exe | Fortinet (飞塔) |
| safedog.exe | SafeDog (安全狗) |
| parmor.exe | 木马克星 (Trojan killer) |
| beikesan.exe | Beike Cloud Security (贝壳云安全) |
| KSWebShield.exe | Kingsoft Web Shield (金山网盾) |
| TrojanHunter.exe | TrojanHunter (木马猎手) |
| GG.exe | Judun game security shield (巨盾网游安全盾) |
| adam.exe | Green Eagle Security Elf (绿鹰安全精灵) |
| AST.exe | Super Patrol (超级巡警) |
| ananwidget.exe | Mozhe Security Expert (墨者安全专家) |
| AVK.exe | GData |
| avg.exe | AVG Anti-Virus |
| spidernt.exe | Dr.Web |
| avgaurd.exe | Avira AntiVir |
| vsmon.exe | ZoneAlarm |
| cpf.exe | Comodo |
| outpost.exe | Outpost Firewall |
| rfwmain.exe | Rising Firewall (瑞星防火墙) |
| kpfwtray.exe | Kingsoft Firewall (金山网镖) |
| MPMon.exe | Micropoint Active Defense (微点主动防御) |
| pfw.exe | Tianwang Firewall (天网防火墙) |
| S.exe | a "chicken-catching" (bot-harvesting) scanner is running (在抓鸡) |
| 1433.exe | port 1433 scanning in progress (在扫1433) |
| DUB.exe | brute-forcing in progress (在爆破) |
| ServUDaemon.exe | Serv-U found (发现S-U) |
| BaiduSdSvc.exe | Baidu Antivirus (百度杀软) |
| SafeDogGuardCenter.exe | SafeDog (安全狗) |
| safedogupdatecenter.exe | SafeDog (安全狗) |
| SafeDogSiteIIS.exe | SafeDog (安全狗) |
| SafeDogTray.exe | SafeDog (安全狗) |
| SafeDogServerUI.exe | SafeDog (安全狗) |
| D_Safe_Manage.exe | D-Shield (D盾) |
| d_manage.exe | D-Shield (D盾) |
| yunsuo_agent_service.exe | Yunsuo (云锁) |
| yunsuo_agent_daemon.exe | Yunsuo (云锁) |
| HwsPanel.exe | Huweishen intrusion prevention system, status tray (护卫神) |
| hws_ui.exe | Huweishen intrusion prevention system, www.huweishen.com (护卫神) |
| hws.exe | Huweishen intrusion prevention system, service handler (护卫神) |
| hwsd.exe | Huweishen intrusion prevention system, monitoring component (护卫神) |
| hipstray.exe | Huorong (火绒) |
| wsctrl.exe | Huorong (火绒) |
| usysdiag.exe | Huorong (火绒) |
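The table above only becomes useful when it is matched against an actual process listing. The following Python script is an added example, not part of the original notes: it parses the CSV form of `tasklist` (`tasklist /FO CSV`), matches image names case-insensitively against a subset of the table (the notes list the same binary with different casing, so exact matching would miss entries), and reports which products are running and which expected product is absent, the kind of endpoint-coverage check a defender runs across a fleet. `SAMPLE_TASKLIST_CSV` is constructed sample output, and the `required` default is an arbitrary choice for the demonstration.

```python
"""Match `tasklist /FO CSV` output against known security-product process names.

Added example, not from the original notes. SECURITY_PROCESSES is a subset of
the table above; SAMPLE_TASKLIST_CSV is constructed sample data.
"""
import csv
import io

# Subset of the process-name -> product table from the notes above.
SECURITY_PROCESSES = {
    "360tray.exe": "360 Safe Guard",
    "360sd.exe": "360 Antivirus",
    "MsMpEng.exe": "Microsoft Security Essentials",  # same engine binary as Windows Defender
    "avp.exe": "Kaspersky",
    "egui.exe": "NOD32",
    "hipstray.exe": "Huorong",
    "safedog.exe": "SafeDog",
    "ccSvcHst.exe": "Norton",
    "TMBMSRV.exe": "Trend Micro",
    "Mcshield.exe": "McAfee",
}

# Constructed sample of `tasklist /FO CSV` output (not captured from a real host).
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"csrss.exe","512","Services","0","4,512 K"
"MSMPENG.EXE","1840","Services","0","118,232 K"
"explorer.exe","3020","Console","1","62,100 K"
"egui.exe","3344","Console","1","9,880 K"
"notepad.exe","4100","Console","1","5,120 K"
'''


def parse_tasklist_csv(text):
    """Return a list of (image_name, pid) tuples from tasklist /FO CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["Image Name"], int(row["PID"])) for row in reader]


def find_security_products(processes, table=SECURITY_PROCESSES):
    """Map each matched product to the PIDs running it; matching ignores case."""
    lookup = {name.lower(): product for name, product in table.items()}
    found = {}
    for image, pid in processes:
        product = lookup.get(image.lower())
        if product:
            found.setdefault(product, []).append(pid)
    return found


def coverage_report(text, required=("Microsoft Security Essentials",)):
    """Summarise which products are present and which required ones are missing."""
    found = find_security_products(parse_tasklist_csv(text))
    missing = [p for p in required if p not in found]
    return {"present": found, "missing": missing}


if __name__ == "__main__":
    print(coverage_report(SAMPLE_TASKLIST_CSV))
```

On a real host, feed the script the saved output of `tasklist /FO CSV` and extend `SECURITY_PROCESSES` with the rest of the table; the `required` tuple is where the organisation's expected endpoint product goes.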
Startup programs
- `wmic startup get command,caption`
Scheduled tasks
`schtasks /query /fo LIST /v`
Boot time
`net statistics workstation`
User list
- Local user accounts: `net user`
- Local administrators: `net localgroup administrators`
- Currently logged-on users: `query user || qwinsta`
Sessions between this host and its clients
`net session`
Ports
`netstat -ano`
Patches
- Full system details: `systeminfo` (the installed-hotfix list it prints shows which patches are absent, and therefore which known vulnerabilities may still be present)
- Installed hotfixes via wmic: `wmic qfe get Caption,Description,HotFixID,InstalledOn`
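To turn the hotfix list into something actionable, the following Python script is an added example, not from the original notes: it parses the CSV form of the wmic command (`wmic qfe get Caption,Description,HotFixID,InstalledOn /format:csv`), handles the two `InstalledOn` layouts commonly seen (M/D/YYYY and YYYYMMDD) and leaves unrecognised ones as `None` rather than guessing, then reports which baseline KBs are missing and whether the newest install is older than a staleness limit. The sample output, the KB numbers in `REQUIRED_KBS`, and the `today` / `max_age_days` values are constructed placeholders.

```python
"""Audit an installed-hotfix list against a required baseline and a staleness limit.

Added example, not from the original notes. Parses the output of
`wmic qfe get Caption,Description,HotFixID,InstalledOn /format:csv`; the sample
text and the baseline KB numbers are constructed placeholders.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample of wmic CSV output (wmic emits a leading blank line).
SAMPLE_QFE_CSV = """
Node,Caption,Description,HotFixID,InstalledOn
WS01,http://support.microsoft.com/?kbid=1111111,Security Update,KB1111111,3/15/2023
WS01,http://support.microsoft.com/?kbid=2222222,Update,KB2222222,20230601
WS01,http://support.microsoft.com/?kbid=3333333,Security Update,KB3333333,9/12/2023
"""

# Placeholder baseline: KB numbers an organisation requires on every host.
REQUIRED_KBS = {"KB1111111", "KB3333333", "KB4444444"}


def parse_installed_on(value):
    """wmic prints InstalledOn as M/D/YYYY or YYYYMMDD depending on the host's locale."""
    for fmt in ("%m/%d/%Y", "%Y%m%d"):
        try:
            return datetime.strptime(value.strip(), fmt).date()
        except ValueError:
            continue
    return None  # unknown layout: report it as unknown instead of guessing


def parse_qfe_csv(text):
    """Return {HotFixID: installed_on date or None} from wmic CSV output."""
    rows = csv.DictReader(io.StringIO(text.lstrip()))
    return {r["HotFixID"].strip(): parse_installed_on(r["InstalledOn"]) for r in rows}


def audit_patches(text, required=REQUIRED_KBS, today=date(2024, 1, 1), max_age_days=90):
    """Report missing baseline KBs and whether patching looks stale."""
    installed = parse_qfe_csv(text)
    missing = sorted(set(required) - set(installed))
    dated = [d for d in installed.values() if d is not None]
    latest = max(dated) if dated else None
    stale = latest is None or (today - latest).days > max_age_days
    return {"missing": missing, "latest_install": latest, "stale": stale}


if __name__ == "__main__":
    print(audit_patches(SAMPLE_QFE_CSV))
```

The `Node` column wmic adds in CSV mode makes it straightforward to concatenate output from many hosts into one file and run the same audit per node.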
Shares
- Local share list: `net share`
- Via wmic: `wmic share get name,path,status`
Routing table and ARP cache
- Routing table: `route print`
- ARP cache: `arp -a`
Firewall configuration
- Disable the firewall
  - Windows Server 2003 and earlier: `netsh firewall set opmode disable`
  - After Server 2003: `netsh advfirewall set allprofiles state off`
- View the firewall configuration: `netsh firewall show config`
- Modify the firewall configuration
  - Allow a specified program inbound
    - Server 2003 and earlier: `netsh firewall add allowedprogram c:\nc.exe "allow nc" enable`
    - After Server 2003: `netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="c:\nc.exe"`
  - Allow a specified program outbound: `netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="c:\nc.exe"`
  - Allow port 3389 through: `netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow`
- Set a custom firewall log location: `netsh advfirewall set currentprofile logging filename "c:\windows\temp\fw.log"`
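Once the firewall log is being written to a known file, it can be reviewed for blocked inbound activity. The following Python script is an added example, not part of the original notes: it parses the W3C-style layout the Windows Firewall log uses, taking column names from the `#Fields:` header rather than hard-coding positions, counts inbound DROP entries per protocol and destination port, and flags source addresses with repeated dropped attempts against the Remote Desktop port. The log lines in `SAMPLE_FW_LOG` are constructed, and the threshold of three attempts is an arbitrary demonstration value.

```python
"""Summarise Windows Firewall log entries (the file set with
`netsh advfirewall set currentprofile logging filename ...`).

Added example, not part of the original notes. SAMPLE_FW_LOG is a constructed
sample in the W3C-style layout the firewall writes.
"""
from collections import Counter, defaultdict

SAMPLE_FW_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-10 09:15:01 DROP TCP 10.0.0.77 10.0.0.5 51001 3389 52 S 1234567 0 8192 - - - RECEIVE
2024-01-10 09:15:02 DROP TCP 10.0.0.77 10.0.0.5 51002 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-01-10 09:15:03 DROP TCP 10.0.0.77 10.0.0.5 51003 3389 52 S 1234569 0 8192 - - - RECEIVE
2024-01-10 09:16:10 ALLOW TCP 10.0.0.5 10.0.0.20 49700 445 0 - 0 0 0 - - - SEND
2024-01-10 09:17:44 DROP UDP 10.0.0.90 10.0.0.5 137 137 78 - - - - - - - RECEIVE
2024-01-10 09:18:00 DROP TCP 10.0.0.91 10.0.0.5 40000 3389 52 S 1234570 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other header/comment lines
        if fields is None:
            raise ValueError("log entry appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def dropped_by_port(entries):
    """Count inbound DROP entries per (protocol, dst-port)."""
    counts = Counter()
    for e in entries:
        if e["action"] == "DROP" and e["path"] == "RECEIVE":
            counts[(e["protocol"], e["dst-port"])] += 1
    return counts


def repeated_rdp_sources(entries, port="3389", threshold=3):
    """Source addresses with at least `threshold` dropped inbound attempts to `port`."""
    per_src = defaultdict(int)
    for e in entries:
        if e["action"] == "DROP" and e["path"] == "RECEIVE" and e["dst-port"] == port:
            per_src[e["src-ip"]] += 1
    return {src: n for src, n in per_src.items() if n >= threshold}


def summarise(text):
    """Run both checks over a log and return the combined result."""
    entries = list(parse_firewall_log(text))
    return {
        "entries": len(entries),
        "dropped_by_port": dropped_by_port(entries),
        "repeated_rdp_sources": repeated_rdp_sources(entries),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_FW_LOG).items():
        print(key, value)
```

Reading column names from the header matters because the field set has changed between Windows versions; a fixed index would silently shift every column on a log written by a different release.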
Proxy configuration
`reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"`
Remote connections
- Check the Remote Desktop port: `REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber`
- Enable 3389 on Server 2003: `wmic path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1`
- Enable 3389 on Server 2008/2012
  - Method 1: `wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1`
  - Method 2: `wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1`
  - Method 3 (registry): enable with `REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f`; disable with `REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f`
Automated information gathering
wmic, the Windows command-line WMI tool
By default, low-privileged users on XP cannot use wmic; Windows 7 and later allow it.
A script that uses wmic to collect information about the target machine
The result looks like this: