内网信息收集技术详解<\/h1>

文章前言<\/h2>
内网渗透测试中，信息收集的深度与广度以及对关键信息的提取能力直接决定了渗透测试的质量。本文全面介绍内网信息收集的各项技术和方法。<\/p>

主机信息收集<\/h2>

网络配置信息<\/h3>

ipconfig \/all
<\/span><\/span><\/code><\/pre>此命令可查看当前机器是否处于内网、内网网段、DNS地址和域名信息。<\/p>
操作系统信息<\/h3>
systeminfo | findstr \/B \/C:"OS 名称"<\/span> \/C:"OS 版本"<\/span>  # 中文系统
<\/span><\/span>systeminfo | findstr \/B \/C:"OS Name"<\/span> \/C:"OS Version"<\/span>  # 英文系统
<\/span><\/span><\/code><\/pre>软件信息<\/h3>
systeminfo
<\/span><\/span><\/code><\/pre>查看目标主机上安装的第三方应用，寻找可能的漏洞利用点。<\/p>
服务信息<\/h3>
wmic service list brief
<\/span><\/span><\/code><\/pre>获取本机服务信息，寻找可利用的服务。<\/p>
杀毒软件检测<\/h3>
wmic \/namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState, pathToSignedProductExe
<\/span><\/span><\/code><\/pre>远程桌面服务管理<\/h3>
检查RDP端口：<\/strong><\/p>
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"<\/span> \/V PortNumber
<\/span><\/span><\/code><\/pre>开启RDP服务：<\/strong><\/p>
Windows Server 2003:<\/p>
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
<\/span><\/span><\/code><\/pre>Windows Server 2008\/2012:<\/p>
wmic \/namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !=""<\/span>) call setallowtsconnections 1
<\/span><\/span>wmic \/namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
<\/span><\/span>reg add "HKLM\SYSTEM\CURRENT\CONTROLSET\CONTROL\TERMINAL SERVER"<\/span> \/v fSingleSessionPerUser \/t REG_DWORD \/d 0 \/f
<\/span><\/span><\/code><\/pre>计划任务<\/h3>
schtasks \/query \/fo LIST \/v
<\/span><\/span><\/code><\/pre>用户信息<\/h3>
本地用户列表：<\/strong><\/p>
net user
<\/span><\/span><\/code><\/pre>本地管理员组：<\/strong><\/p>
net localgroup administrators
<\/span><\/span><\/code><\/pre>当前在线用户：<\/strong><\/p>
query user || qwinsta
<\/span><\/span><\/code><\/pre>端口信息<\/h3>
netstat -ano
<\/span><\/span><\/code><\/pre>查看端口列表及对应服务和应用程序。<\/p>
补丁信息<\/h3>
systeminfo
<\/span><\/span>wmic qfe get Caption,Description,HotFixID,InstalledOn
<\/span><\/span><\/code><\/pre>防火墙配置<\/h3>
netsh firewall show config
<\/span><\/span><\/code><\/pre>关闭防火墙：<\/strong><\/p>
Windows Server 2003及之前：<\/p>
netsh firewall set opmode disable
<\/span><\/span><\/code><\/pre>Windows Server 2003之后：<\/p>
netsh advfirewall set allprofiles state off
<\/span><\/span><\/code><\/pre>域环境检测<\/h2>
基本检测方法<\/h3>
ipconfig \/all
<\/span><\/span>net config workstation
<\/span><\/span><\/code><\/pre>域信息收集<\/h3>
ICMP探测内网：<\/strong><\/p>
for<\/span> \/L<\/span> %I in (1,1,254) DO @ping -w 1 -n 1 192.168.174.%I | findstr "TTL="<\/span>
<\/span><\/span><\/code><\/pre>ARP探测内网（使用MSF）：<\/strong><\/p>
msf > use auxiliary\/scanner\/discovery\/arp_sweep
msf > set interface eth0
msf > set smac 00:0c:29:92:fd:85
msf > set rhosts 192.168.174.1\/24
msf > set threads 20
msf > set shost 192.168.174.131
msf > run
<\/code><\/pre>
TCP\/UDP端口扫描（使用ScanLine）：<\/strong><\/p>
scanline -h -t 22,445,3389 -u 53,161,137,139 -O c:\windows\temp\log.txt -p 192.168.174.1-254 \/b
<\/span><\/span><\/code><\/pre>MSF端口扫描：<\/strong><\/p>
msf > use auxiliary\/scanner\/portscan\/tcp
<\/code><\/pre>
PowerShell端口扫描：<\/strong><\/p>
Invoke-Portscan -Hosts 192.168.174.0\/24 -T 4 -ports '445,1433,8080,3389,80'<\/span> -oA c:\windows\temp\res.txt
<\/span><\/span><\/code><\/pre>域信息查询<\/h3>
查询域信息：<\/strong><\/p>
net view \/domain
<\/span><\/span><\/code><\/pre>查询域内主机：<\/strong><\/p>
net view \/domain:XXX
<\/span><\/span><\/code><\/pre>查询域用户组：<\/strong><\/p>
net group \/domain
<\/span><\/span><\/code><\/pre>域控制器定位<\/h3>
方法1：<\/strong><\/p>
Nslookup -type=SRV _ldap._tcp
<\/span><\/span><\/code><\/pre>方法2：<\/strong><\/p>
net time \/domain
<\/span><\/span><\/code><\/pre>方法3：<\/strong><\/p>
net group "Domain Controllers"<\/span> \/domain
<\/span><\/span><\/code><\/pre>域用户信息<\/h3>
net user \/domain
<\/span><\/span><\/code><\/pre>使用dsquery工具：<\/strong><\/p>
dsquery computer       # 查找计算机
<\/span><\/span>dsquery contact        # 查找联系人
<\/span><\/span>dsquery subnet         # 查找子网
<\/span><\/span>dsquery group          # 查找群组
<\/span><\/span>dsquery ou             # 查找组织单位
<\/span><\/span>dsquery site           # 查找站点
<\/span><\/span>dsquery server         # 查找域控制器
<\/span><\/span>dsquery user           # 查找用户
<\/span><\/span>dsquery quota          # 查找配额规格
<\/span><\/span>dsquery partition      # 查找磁盘分区
<\/span><\/span>dsquery *              # 使用LDAP查询查找任何对象
<\/span><\/span><\/code><\/pre>域管理员查询<\/h3>
net group "Domain Admins"<\/span> \/domain
<\/span><\/span><\/code><\/pre>域SID信息<\/h3>
whoami \/all
<\/span><\/span><\/code><\/pre>当前权限查询<\/h3>
通过命令输出判断当前用户是：<\/p>

本地普通用户<\/li>
本地管理员用户<\/li>
域内用户<\/li>
<\/ul>
相关工具<\/h2>

PowerSploit<\/strong>: https:\/\/github.com\/PowerShellMafia\/PowerSploit<\/li>
Nishang<\/strong>: https:\/\/github.com\/samratashok\/nishang<\/li>
Metasploit<\/strong>: https:\/\/github.com\/rapid7\/metasploit-framework<\/li>
Empire<\/strong>: https:\/\/github.com\/EmpireProject\/Empire<\/li>
PowerTools<\/strong>: https:\/\/github.com\/PowerShellEmpire\/PowerTools<\/li>
<\/ol>
推荐GitHub项目<\/h2>


CSPlugins<\/strong>: https:\/\/github.com\/Al1ex\/CSPlugins<\/p>

收集常用Cobalt Strike插件，涉及提权、漏洞利用、横向移动、信息收集、免杀等<\/li>
<\/ul>
<\/li>

Pentest-tools<\/strong>: https:\/\/github.com\/Al1ex\/Pentest-tools<\/p>

收集内网渗透测试常用工具<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
内网信息收集是渗透测试的关键环节，本文涵盖了从主机信息收集到域环境探测的全面技术。实际渗透测试中，信息收集的广度和深度应根据目标环境灵活调整，这些技术和方法可根据实际情况组合使用。<\/p>

内网信息收集技术详解<\/h1>

文章前言<\/h2> 内网渗透测试中，信息收集的深度与广度以及对关键信息的提取能力直接决定了渗透测试的质量。本文全面介绍内网信息收集的各项技术和方法。<\/p>

主机信息收集<\/h2>

域环境检测<\/h2>

总结<\/h2> 内网信息收集是渗透测试的关键环节，本文涵盖了从主机信息收集到域环境探测的全面技术。实际渗透测试中，信息收集的广度和深度应根据目标环境灵活调整，这些技术和方法可根据实际情况组合使用。<\/p>

文章前言<\/h2>
内网渗透测试中，信息收集的深度与广度以及对关键信息的提取能力直接决定了渗透测试的质量。本文全面介绍内网信息收集的各项技术和方法。<\/p>

总结<\/h2>
内网信息收集是渗透测试的关键环节，本文涵盖了从主机信息收集到域环境探测的全面技术。实际渗透测试中，信息收集的广度和深度应根据目标环境灵活调整，这些技术和方法可根据实际情况组合使用。<\/p>