Domain penetration (Elementary)

Source: Internet
Author: User
Tags: eol, net, time

I recently heard people around me discussing intranet penetration, so I am writing a short article about it. It is purely a beginner's piece with some of my own understanding of intranet penetration; if there are mistakes, please correct me, and don't flame me.
 
Purely for popular-science purposes! Beginners, read on; old hands, feel free to skip.
 
1. Collect information.
 
Whether on the Internet or an intranet, information gathering is the necessary first step. Once we control a machine, we want to know: how is the intranet structured? What role does this machine play? What role does its user have? What anti-virus is installed on it? How does the machine reach the Internet? Is it a laptop or a desktop? And so on.
 
1. ipconfig /all
 
@ Shows the network environment of the current machine: whether it is in a workgroup or a domain, how the network segments are divided, how many machines each segment holds, and the IP address of the DNS server.
 
2. net view
 
@ Lists the names of machines associated with the local machine. Note that these are machines associated with the local machine, not all machines in the segment.
 
3. net view /domain
 
@ Lists the domains present in the current network environment.
 
4. net view /domain:xxxx
 
@ Lists the machines in the xxxx domain that are associated with the local machine.
 
5. net group "domain admins" /domain
 
@ Lists the domain administrators.
 
6. net user /domain
 
@ Lists the user names in the domain.
 
7. net group "domain computers" /domain
 
@ Lists all machine names in the domain.
 
8. netstat
 
@ Shows connection information.
 
9. nbtstat
 
@ Resolves a machine name from an IP address.
 
With this set of commands, the basic picture of the intranet is more or less established.
 
2. Analyze the Intranet environment
 
We have obtained some intranet information above. Now we need to analyze it carefully.
 
1. Analyze how the internal network is divided: by department, floor, or region.
 
2. Analyze the naming convention for machine names on the internal network. This matters most when picking out valuable targets. Some intranets use no naming convention at all, which is also normal, but there is usually still some regularity.
 
3. Analyze the computer names of important people on the internal network. These people are generally introduced on the company's external website, and from the naming convention we can roughly work out which machines are theirs. Note that some people have several computers, and some use laptops.
 
4. Analyze the domain structure. Some internal networks are multi-layer, multi-level domain structures, so we need to work out where the current computer sits: which subdomain it is in, and which machines are the subdomain's domain controller, the root domain controller, and the domain controllers of the other domains. Domain controller names generally contain "DC".
 
3. Attack the Intranet.
 
I personally think attacking an intranet comes down to one principle: be patient and keep a low profile. The following methods are generally used to attack an intranet:
 
1. Intranet web penetration. Intranet web applications are generally easier to get into: unlike systems exposed on the public network they are not seen as carrying much risk, so management is loose, and some intranet servers are only used for testing. Which servers are test servers can often be inferred from the machine name, since names usually follow a convention (the habits vary with local custom); some companies, however, use no naming convention at all, which is very painful.
 
2. Intranet SQL. SQL on the intranet is particularly useful, because a domain-structured intranet usually cares about permissions, so the web applications generally have login verification. The SQL statements behind that verification are especially valuable: get hold of them, and the corresponding person and machine, and the rest follows.
 
3. Capture hashes and try weak passwords against intranet machines. Weak passwords on intranet machines still exist: analyze the common internal passwords, combine some of your own, and test them with tools. In the past some hashes could not be cracked and we had to rely on hash injection (pass-the-hash). Now there is something new, mimikatz, which reads the passwords from memory and shows them directly in plain text, which is much easier.
 
4. Common intranet attack commands, sorted out:
 
net use \\IP\ipc$ password /user:username@domain (establish an IPC connection)
 
net use \\IP\ipc$ "password" /user:IP\username (when the IPC connection fails with permission problems)
 
net time \\IP
 
at \\IP
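The commands listed in sections 1 and 3 are also exactly what a defender sees in process-creation telemetry. As an added example (not part of the original article), here is a small Python detector that runs over constructed Windows event 4688 style log lines and flags a host that shows a burst of domain enumeration, or any use of IPC$, net time or at against another machine; the host names, users and IPs are made up.

```python
import re
from collections import defaultdict
# Constructed sample of Windows Security event 4688 (process creation) records,
# flattened to one line each the way a SIEM export might look. Not real telemetry.
SAMPLE_EVENTS = [
    'host=WS-042 user=CORP\\jsmith cmd=net view /domain',
    'host=WS-042 user=CORP\\jsmith cmd=net group "domain admins" /domain',
    'host=WS-042 user=CORP\\jsmith cmd=net user /domain',
    'host=WS-042 user=CORP\\jsmith cmd=nbtstat -A 10.0.5.17',
    'host=WS-042 user=CORP\\jsmith cmd=net use \\\\10.0.5.17\\ipc$ /user:CORP\\svc_backup',
    'host=WS-042 user=CORP\\jsmith cmd=net time \\\\10.0.5.17',
    'host=WS-042 user=CORP\\jsmith cmd=at \\\\10.0.5.17 23:00 cmd.exe',
    'host=WS-007 user=CORP\\helpdesk cmd=ipconfig /all',
    'host=WS-007 user=CORP\\helpdesk cmd=net user /domain',
]
# Regexes built from the commands the article lists: domain enumeration versus
# touching another host over IPC$, net time or at (remote-execution primitives).
RECON = [
    re.compile(r"^ipconfig\s+/all", re.I),
    re.compile(r"^net\s+view(\s+/domain)?", re.I),
    re.compile(r'^net\s+group\s+"domain (admins|computers)"\s+/domain', re.I),
    re.compile(r"^net\s+user\s+/domain", re.I),
    re.compile(r"^nbtstat\b", re.I),
]
LATERAL = [
    re.compile(r"^net\s+use\s+\\\\\S+\\ipc\$", re.I),
    re.compile(r"^net\s+time\s+\\\\", re.I),
    re.compile(r"^at\s+\\\\", re.I),
]
LINE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
def classify(cmd):
    """Return 'lateral', 'recon' or None for one command line."""
    if any(p.search(cmd) for p in LATERAL):
        return "lateral"
    if any(p.search(cmd) for p in RECON):
        return "recon"
    return None

def score_hosts(events, recon_threshold=3):
    """Tally hits per host; alert on a recon burst or any remote-execution primitive."""
    tally = defaultdict(lambda: {"recon": 0, "lateral": 0, "alert": False})
    for line in events:
        m = LINE.search(line)
        kind = classify(m.group("cmd")) if m else None
        if kind:
            tally[m.group("host")][kind] += 1
    for t in tally.values():
        t["alert"] = t["lateral"] > 0 or t["recon"] >= recon_threshold
    return dict(tally)
```

A single `net user /domain` from a help-desk workstation stays below the threshold; the same command as part of a burst, or followed by an IPC$ connection to another host, raises an alert.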
 
 
4. Summary of this article.
 
Since childhood our teachers have taught us to write in the "overview, details, overview" structure, so let's finish with a summary.
 
In fact, domain penetration is not that hard; by contrast, workgroup penetration is much harder, since the structure discussed above only exists in a domain intranet. During the penetration we must be careful and low-key. Many people start sniffing as soon as they are on an intranet, which seriously underestimates the opponent: all kinds of IPS, IDS and other monitoring are in place today, and if you make even a little too much noise, you are finished. Also, build up your own collection of tools in ordinary times. Many people, once they reach an intranet, directly use whatever tool is popular on the Internet, never mind that defenders may have fingerprinted its banner and blacklisted it; and then there is the annoyance of tools that have been backdoored by other attackers. So use your own tools on the intranet; after all, you have to deal with all kinds of anti-virus and firewalls.
 
Finally, I'd like to post a BAT script for you. There are also some available online.
 
@echo off
setlocal ENABLEDELAYEDEXPANSION
REM Reconstructed from the garbled original. The find filters assume English-locale
REM output of "net view"; adjust the strings to match your locale.
@FOR /F "usebackq delims=," %%j in (`net view /domain ^| find /v "The command completed successfully." ^| find /v "--" ^| find /v "Domain"`) do (
  @echo ==== domain: %%j ========
  @FOR /F "usebackq eol=; delims=," %%i in (`net view /domain:%%j ^| findstr "\\"`) do (
    REM %%a is the machine name without the leading "\\" and without the remark column
    @FOR /F "eol=; tokens=1 delims=\ " %%a in ("%%i") do (
      REM "ping -a" prints "Pinging NAME [IP] with 32 bytes of data:"; take NAME and IP
      @FOR /F "usebackq tokens=2,3 delims=[] " %%k in (`ping -a -n 1 -w 100 %%a ^| findstr "Pinging"`) do (
        @echo \\%%k %%l
      )
    )
  )
)
echo %0
 
@ This BAT is used to collect information; test it yourself to see how it behaves in your environment.
 
 
That is all for now. My ability to express myself is limited, so I hope you will bear with it. For more, see Domain Penetration (Intermediate).
 
 
This article is reproduced from adwin's Blog
