Overview of Internal Network Information Collection#
Judging the network environment
Who am I? — Judging the role of the current machine.
Where is this? — Analyzing and judging the topology of the current machine's network environment.
Where am I? — Judging the area where the current machine is located.
Collecting Local Machine Information#
Manual Collection#
(1) Query Network Configuration#
ipconfig /all
(2) Query Information about the Operating System and Software#
View operating system and version information
English version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Chinese version
systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"
View system architecture
echo %PROCESSOR_ARCHITECTURE%
View installed software, versions, paths, etc.
wmic product get name,version
Powershell version:
powershell.exe "Get-WmiObject -class Win32_Product | Select-Object -Property name,Version"
(3) Query Local Service Information#
wmic service list brief
(4) Query Process List#
tasklist
//or
wmic process list brief
Common antivirus software processes are as follows
360sd.exe
360tray.exe
ZhuDongFangYu.exe
KSafeTray.exe
SafeDogUpdateCenter.exe
McAfee McShield.exe
egui.exe //NOD32
AVP.EXE //Kaspersky
avguard.exe //Avira
bdagent.exe //BitDefender
(5) View Startup Program Information#
wmic startup get command,caption
(6) View Scheduled Tasks#
schtasks /query /fo LIST /v
(7) View Host Boot Time#
net statistics workstation
(8) Query User List#
net user
//Get local administrator group members:
net localgroup administrators
//View currently online users (not possible)
query user || qwinsta
(9) List or Disconnect Sessions Between the Local Computer and Connected Clients#
Requires administrator privileges
net session
(10) Query Port List#
netstat -ano
(11) Query Patch List#
systeminfo
Use the wmic command to view patches installed on the system:
wmic qfe get Caption,Description,HotFixID,InstalledOn
(12) Query Local Share List#
net share
//wmic:
wmic share get name,path,status
(13) Query Routing Table and ARP Cache Table for All Available Interfaces#
route print
arp -a
(14) Query Firewall Related Configuration#
Disable Firewall
//Before Windows Server 2003
netsh firewall set opmode disable
//After Windows Server 2003
netsh advfirewall set allprofile state off
View Firewall Configuration
netsh firewall show config
Modify Firewall Configuration
Allow specified programs to connect in versions before Windows Server 2003
netsh firewall add allowedprogram c:\nc.exe "allow nc" enable
For versions after Windows Server 2003
//Allow specified program inbound
netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="c:\nc.exe"
//Allow specified program outbound
netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="C:\nc.exe"
//Allow 3389 port to pass
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
Customize the storage location of firewall logs
netsh advfirewall set currentprofile logging filename "C:\windows\temp\fw.log"
(15) View Proxy Configuration#
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
(16) Query and Enable Remote Connection Service#
View Remote Connection Port
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber
Enable 3389 in Windows Server 2003
wmic path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
In Windows Server 2008 and 2012
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
//Modify registry method (reg add sets the value; the key is HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
Automatic Collection#
WMIC (Windows Management Instrumentation Command-Line) is the most useful Windows command-line tool.
Low-privilege users in Windows XP are not allowed to access WMIC.
Low-privilege users in Windows 7 and above are allowed to access WMIC and perform related query operations.
It can manage not only the local computer but also all computers within the same domain (requires certain permissions), and WMIC does not need to be pre-installed on the managed computer.
A script using WMIC is provided in the book, executing all commands from the previous section and writing the results to an HTML file:
wmic_info.bat
for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html
Host Information Collection under Empire#
Empire provides modules for collecting host information.
View local users, domain group members, password set times, clipboard content, basic system information, network adapter information, shared information, etc.:
usemodule situational_awareness/host/winenum
execute
With administrator privileges, view target host event logs, application control policy logs, RDP login information, PowerShell script execution and saved information, etc.:
usemodule situational_awareness/host/computerdetails
Query Current Permissions#
1. View Current Permissions
whoami
There are three situations: local regular user, local administrator user, and domain user.
If there is a domain in the current internal network, then local regular users can only query local information and cannot query domain information; while local administrator users and domain users can query domain information.
All queries within the domain are implemented through the domain controller (based on LDAP protocol), and this query requires permission authentication, so only domain users have this permission; when domain users execute query commands, they will automatically use Kerberos protocol for authentication, without needing to enter an account and password.
Local Administrator privileges can be elevated directly to System privileges (using PsExec, etc.). In addition to regular users, every machine in the domain has a machine account (username is the machine name followed by $); essentially, the machine's System user corresponds to that machine account in the domain. Thus, domain query commands can also be run with System privileges.
2. Get Domain SID
whoami /all
3. Query Detailed Information of Specified User
net user xxx /domain
Does not require administrator privileges
Determine if a Domain Exists#
View DNS Server#
Are the domain controller and the DNS server on the same server? (Use nslookup for reverse resolution)
ipconfig /all
//Use nslookup to resolve the DNS server found
nslookup burnchi.cc
View System Detailed Information#
The domain in systeminfo refers to the domain name, and the login server refers to the domain controller.
systeminfo | findstr /B/C:"登录服务器" //If the result is not "WORKGROUP", then the host is a domain host
Query Current Login Domain and User Information#
//net config workstation shows the logon domain, logon server and user name on any domain member; net group can only be run on a DC
net config workstation
Determine Main Domain#
net time /domain
//The command is used to view the domain time, and it can also view the domain controller.
The execution result has three situations:
- System error 5 occurred: There is a domain, but the current user is not a domain user
- Display time information: There is a domain, and the current user is a domain user
- Domain controller not found: No domain exists
Probe Live Hosts in the Domain#
Quick NetBIOS Probe#
Prerequisite
Need to be uploaded to the target host for use.
NetBIOS is an API used by local area network programs, providing a unified command set for requesting low-level services. NetBIOS is also the identification name of a computer, mainly used for inter-computer access in local area networks.
Use nbtscan (http://www.unixwiz.net/tools/nbtscan.html)
nbt.exe 192.168.1.0/20
fscan Probe (Recommended)#
fscan64.exe -h 10.0.0.0/24
Using administrator privileges is faster
Use ICMP Probe#
Ping each IP (very slow)
for /L %I in (1,1,254) DO @ping -w 1 -n 1 10.0.0.%I | findstr "TTL="
ARP Scan#
Scan the internal network using ARPscan tool
arp.exe -t 192.168.1.0/20
ARPscan Module in Empire#
usemodule situational_awareness/network/arpscan
execute
Invoke-ARPScan.ps1 in Nishang#
powershell.exe -exec bypass -Command "& {Import-Module c:\windows\temp\Invoke-ARPscan.ps1; Invoke-ARPScan -CIDR 192.168.1.0/20}" >> c:\windows\temp\log.txt
type c:\windows\temp\log.txt
Detect Internal Network Using Regular TCP/UDP Port Scanning#
Upload ScanLine for Scanning#
scanline -h -t 22,80-90,110,445 -u 53,161 -O c:\windows\temp\log.txt -p 192.168.1.1-254 /b
fscan#
fscan64.exe -h 10.0.0.0/24
Scan Domain Ports#
Points to focus on:
- Port banner information
- Services running on ports
- Default ports of common applications
Telnet (Requires Adding Feature)#
telnet DC 22
fscan#
fscan64.exe -p 1-60000 -h 10.0.0.107
-p string
Set the scanned ports: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,139,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017")
Metasploit Port Scan#
No need to say much about Metasploit
use auxiliary/scanner/portscan/tcp
set ports 1-1000
set RHOSTS 192.168.1.1
set THREADS 10
run
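The sweeps above (the ping loop, ScanLine, fscan and the Metasploit scanner) all leave the same footprint in the Windows Firewall log configured in section (14): one source touching many ports or hosts in a short time. The following is an added example, not from the original page, that parses a log in the pfirewall.log format and flags such sources; the sample log lines are constructed, and the 60-second window and thresholds are assumptions to tune per environment.

```python
"""Flag port/host sweeps in a Windows Firewall log (pfirewall.log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Column order the Windows Firewall writes; a '#Fields:' header overrides it.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

def parse_fw_log(text):
    """Yield one dict per data line; '#' header lines are skipped."""
    fields = FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield rec

def find_sweeps(text, window_s=60, min_ports=20, min_hosts=10):
    """Per source IP: most distinct destination ports/hosts touched inside any
    window_s-second window. ICMP has no port, so echo requests are keyed by type."""
    by_src = defaultdict(list)
    for r in parse_fw_log(text):
        if r.get("path") != "RECEIVE":      # inbound traffic only
            continue
        key = r["protocol"] + "/" + (r["dst-port"] if r["protocol"] != "ICMP"
                                     else "type" + r["icmptype"])
        by_src[r["src-ip"]].append((r["ts"], r["dst-ip"], key))
    verdict = {}
    for src, evs in sorted(by_src.items()):
        evs.sort()
        best_p = best_h = 0
        for i, (t0, _, _) in enumerate(evs):
            ports, hosts = set(), set()
            for ts, dst, key in evs[i:]:
                if ts - t0 > timedelta(seconds=window_s):
                    break
                ports.add(key)
                hosts.add(dst)
            best_p, best_h = max(best_p, len(ports)), max(best_h, len(hosts))
        verdict[src] = {"ports": best_p, "hosts": best_h,
                        "suspect": best_p >= min_ports or best_h >= min_hosts}
    return verdict

# Constructed sample log (not a real capture): 10.0.0.5 hits 25 ports on this
# host within 25 s, the footprint of a port scan; 10.0.0.20 is a normal client.
def _tcp(sec, src, dst, dport, action="DROP"):
    return (f"2024-05-01 10:00:{sec:02d} {action} TCP {src} {dst} 51234 {dport} "
            f"52 S 0 0 64240 - - - RECEIVE")

SAMPLE_LOG = "\n".join(
    ["#Version: 1.5", "#Software: Microsoft Windows Firewall",
     "#Fields: " + " ".join(FIELDS)]
    + [_tcp(s, "10.0.0.5", "10.0.0.107", 20 + s) for s in range(25)]
    + [_tcp(30, "10.0.0.20", "10.0.0.107", 445, "ALLOW"),
       _tcp(40, "10.0.0.20", "10.0.0.107", 3389, "ALLOW")]) + "\n"
```

Run `find_sweeps(open(r"C:\windows\temp\fw.log").read())` against the log path set in section (14); on a central collector the `hosts` count catches the ping and ARP sweeps that a single host's log cannot see.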
Others#
You can also use scripts like PowerSploit, Nishang's Invoke-PortScan, and nmap.
Then some vulnerability information can refer to:
http://www.securityfocus.com/bid
https://www.exploit-db.com/
Collect Domain Information#
The domain query commands in this section essentially query the domain controller via LDAP protocol, so domain user permissions are required, and local users cannot run them (unless they are System users).
By default, Domain Admins and Enterprise Admins have full control permissions over all domain controllers.
The commands are as follows:
Query Domain#
net view /domain
Query All Computers in the Domain#
net view /domain:HACKE
Query List of All User Groups in the Domain#
net group /domain
Query List of All Domain Member Computers#
net group "domain computers" /domain
Get Password Information in the Domain#
net accounts /domain
Domain Trust Information#
nltest /domain_trusts
Find Domain Controller#
The commands are as follows:
View the Machine Name of the Domain Controller#
nltest /DCLIST:hacke
View Current Time#
net time /domain
View Hostname of Domain Controller#
nslookup -type=SRV _ldap._tcp
View Domain Controller Group#
net group "Domain Controllers" /domain
View Primary Domain Controller#
May only be executable on the domain controller?
netdom query pdc
Get Domain User and Administrator Information#
Query List of All Domain Users#
net user /domain
Get Detailed Information of Domain Users#
wmic useraccount get /all
//View existing users; this can only be used on domain controllers or hosts with the corresponding service installed, otherwise it will prompt that the command does not exist.
dsquery user
Execute on DC
Find Computers in the Directory#
dsquery computer
Execute on DC
dsquery Command#
Query Local Administrator Group Users#
Users in the Domain Admins group in the domain are by default local administrator users on domain machines.
net localgroup administrators
Query Domain Administrator User Group#
//Query Domain Administrator User Group
net group "domain admins" /domain
//Query Administrator User Group
net group "Enterprise Admins" /domain
Locate Domain Administrators#
In the internal network, a large number of network security systems and devices are usually deployed, such as IDS, IPS, log auditing, security gateways, antivirus software, etc.
In a domain, when a computer joins the domain, the domain administrator group is by default granted local system administrator privileges. This means that when a computer is added to the domain and becomes a member host of the domain, the system automatically adds the domain administrator group to the local system administrator group. Therefore, members of the domain administrator group can access local computers and have full control permissions.
When obtaining regular permissions in a Windows domain for lateral penetration, it is necessary to know the login location of domain users, whether they are local administrators of any system/host, and their group affiliations. Tools that can be used include: psloggedon.exe, PVEFindADUser.exe, netsess.exe, hunter, NetView, PowerView.
- psloggedon.exe
This tool can view resources on remote computers, meaning it can see which accounts are logged in on the target host.
Download link: https://docs.microsoft.com/zh-cn/sysinternals/downloads/psloggedon
psloggedon.exe \\DC
- PVEFindADUser.exe
PVEFindADUser can be used to find where Active Directory users are logged in, enumerate domain users, and find users logged in on specific computers: local users, users logged in via RDP, users used to run services and scheduled tasks. (This tool requires .NET 3.5)
Installing .NET 3.5 on Windows Server 2012 may not succeed, and you need to specify the installation source: https://www.cr173.com/soft/921507.html
Download link: https://github.com/chrisdee/Tools/tree/master/AD/ADFindUsersLoggedOn
PVEFindADUser.exe
Parameters:
-h: Display help information
-u: Check if the program has a new version
-current["username"]: If only the -current parameter is specified, it will get all users currently logged in on the target computer; if a username (Domain\Username) is specified, it will display the computer where that user is logged in.
-last["username"]: If only the -last parameter is specified, it will get the last logged-in user on the target computer; if a username (Domain\Username) is specified, it will display the computer where this user last logged in. Depending on the network's security policy, the last logged-in user's username may be hidden, and using this tool may not yield that username.
-noping: Prevents the tool from executing a ping command on the target computer before attempting to obtain user login information.
-target: Optional parameter used to specify the host to query. If this parameter is not specified, it will query all hosts in the current domain; if this parameter is specified, it will be followed by a comma-separated list of hostnames.
- NetView.exe
NetView is an enumeration tool that uses WinAPI to enumerate systems, utilizing NetSessionEnum to find login sessions, NetShareEnum to find shares, and NetWkstaUserEnum to enumerate logged-in users. It can also query shared entries and valuable users.
Download link: https://github.com/mubix/netview
netview.exe
Parameters:
-h: Display help information
-f aaa.txt: Specify the file to extract the host list
-e aaa.txt: Specify the file of hostnames to exclude
-o aaa.txt: Redirect all output to the specified file
-d aaa.txt: Specify the domain to extract the host list from; if not specified, it extracts the host list from the current domain.
-g group: Specify the group name to search. If not specified, it searches in the Domain Admins group.
-c: Check the access permissions of the found shared directories/files.
- PowerView
PowerView is a PowerShell script that provides auxiliary functions for locating key users.
Download link: https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
- Empire
Empire also has this type of script:
usemodule situational_awareness/network/powerview/user_hunter
execute
- Nmap's NSE Script
Obtain remote machine login sessions through Nmap's NSE script.
smb-enum-sessions.nse retrieves user login sessions on domain hosts to check if any users are currently logged in, without requiring administrator privileges.
smb-enum-domains.nse collects information from the domain controller, including host information, users with usable password policies, etc.
smb-enum-users.nse can be used to scan the domain controller.
Download link: https://nmap.org/nsedoc/scripts/smb-enum-sessions.html
Find Domain Administrator Processes#
In systems with administrator privileges, look for domain administrator login processes to collect domain administrator credentials.
A hypothetical situation:
A penetration tester has obtained the permissions of a regular domain user in a certain internal network environment. First, they obtain local administrator privileges on the current server through various methods, and then analyze the user login list and session information on the current server to see which users are logged into this server. If the penetration tester finds through analysis that the users they can obtain permissions for are not domain administrator accounts and that no users from the domain administrator group are logged into this server, they can use another account and find out on which machine in the internal network that account has administrative privileges, then enumerate the logged-in users on that machine, and continue penetration testing until they find a valid path to obtain domain administrator privileges.
There is a reference: Five methods to find "Domain Admin" running processes.
- Local Check
//Get the list of domain administrators
net group "Domain Admins" /domain
//List all processes and process users on the local machine
tasklist /v
- Query Domain User Sessions on Domain Controller
//Query domain controller list
net group "Domain Controllers" /domain
//Collect domain administrator list
net group "Domain Admins" /domain
//Collect all active domain session lists
netsess -h
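The host and domain queries from "Collecting Local Machine Information" through this section are also what a defender can key on: a single user running several of them within minutes is a discovery burst. The following is an added example, not from the original page, that classifies command lines from process-creation telemetry (such as event 4688 or Sysmon event 1) against the commands listed here and raises one alert per user whose activity crosses the thresholds; the events, host and user names are constructed, and the 5-minute window and thresholds are assumptions.

```python
"""Spot a burst of the discovery commands above in process-creation telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The recon commands from this page, grouped by what they reveal.
DISCOVERY = [
    ("domain", re.compile(r"\b(net1?\s+(user|group|view|accounts|time)\b.*/domain|nltest"
                          r"|dsquery|nslookup\s+-type=srv\s+_ldap)", re.I)),
    ("host", re.compile(r"\b(systeminfo|whoami|tasklist|schtasks\s+/query|net1?\s+(localgroup"
                        r"|share|statistics)|wmic\s+(qfe|product|service|process|useraccount|startup|os))", re.I)),
    ("network", re.compile(r"\b(ipconfig\s+/all|netstat\s+-ano|arp\s+-a|route\s+print|net1?\s+(use|session))", re.I)),
    ("rdp_fw", re.compile(r"\b(netsh\s+(adv)?firewall|query\s+user|qwinsta|reg\s+query\s+.*terminal\s+server)", re.I)),
]

def classify(cmdline):
    for tag, rx in DISCOVERY:           # first matching category wins
        if rx.search(cmdline):
            return tag
    return None

def discovery_bursts(events, window_s=300, min_cmds=5, min_cats=3):
    """One alert per (host, user) running >= min_cmds distinct discovery commands
    across >= min_cats categories inside a window_s-second window."""
    by_actor = defaultdict(list)
    for e in events:
        tag = classify(e["cmd"])
        if tag:
            by_actor[(e["host"], e["user"])].append((e["ts"], tag, e["cmd"].lower()))
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            cmds, cats = set(), set()
            for ts, tag, cmd in evs[i:]:
                if ts - t0 > timedelta(seconds=window_s):
                    break
                cmds.add(cmd)
                cats.add(tag)
            if len(cmds) >= min_cmds and len(cats) >= min_cats:
                alerts.append({"host": host, "user": user, "start": t0,
                               "commands": len(cmds), "categories": sorted(cats)})
                break                    # first window that trips is enough
    return alerts

# Constructed events (not real telemetry): alice runs the cheat-sheet sequence
# on WS01 inside one minute; bob checks his own address once on SRV02.
def _ev(sec, host, user, cmd):
    return {"ts": datetime(2024, 5, 1, 9, 30, sec), "host": host, "user": user, "cmd": cmd}

SAMPLE_EVENTS = [
    _ev(0, "WS01", "HACKE\\alice", "whoami /all"),
    _ev(5, "WS01", "HACKE\\alice", "ipconfig /all"),
    _ev(20, "WS01", "HACKE\\alice", 'net group "domain admins" /domain'),
    _ev(31, "WS01", "HACKE\\alice", "nltest /dclist:hacke"),
    _ev(45, "WS01", "HACKE\\alice", "netstat -ano"),
    _ev(58, "WS01", "HACKE\\alice", 'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /v PortNumber'),
    _ev(10, "SRV02", "HACKE\\bob", "ipconfig /all"),
]
```

Administrators do run `ipconfig /all` or `systeminfo` in isolation, which is why the rule needs both a command count and a category spread before it fires.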
Use PowerShell to Collect Domain Information#
Use PowerView
Download link:
https://github.com/shigophilo/tools/blob/master/PowerView.ps1
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
Some usage:
PowerView usage records
PowerView usage notes
Sensitive Data Protection#
1. Locating Materials, Data, and Files
To protect internal network data, one must first be familiar with the attacker's data acquisition process.
In actual network environments, attackers mainly locate the machines of relevant personnel within the company through various malicious methods to obtain materials and data files. The process is as follows:
Locate the internal personnel organizational structure
Look for personnel to monitor within the internal personnel organizational structure
Locate the machines of relevant personnel
Monitor the locations where relevant personnel store documents
List the directories of servers storing documents
2. Core Business Machines
Personal computers of senior management, system administrators, finance/human resources/business personnel
Product management system servers
Office system servers
Financial application system servers
Core product source code servers (IT companies usually set up their own SVN or GIT servers)
Database servers
File servers, shared servers
Email service servers
Network monitoring system servers
Other servers (branch offices, factories)
3. Sensitive Information
Site source code backup files, database backup files, etc.
Web management interfaces for various databases, such as phpMyAdmin, Adminer
Browser passwords and browser cookies
Other user sessions, 3389 and ipc$ connection records, information in the "Recycle Bin," etc.
Windows wireless passwords
Various accounts and passwords within the network, including email, VPN, FTP, TeamViewer, etc.