1. Obtain Domain Information
1. List all machine names in the domain (dsquery computer domainroot -limit 65535 & net group "domain computers" /domain)
2. List all user names in the domain (dsquery user domainroot -limit 65535 & net user /domain)
3. List the network segments in this domain (dsquery subnet)
4. List groups in this domain (dsquery group & net group /domain)
5. List organizational units in the domain (dsquery ou)
6. List the domain controllers in this domain (dsquery server & net time /domain)
7. List domain administrator accounts (net group "domain admins" /domain)
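From the defender's side, every command in the list above is visible in process-creation telemetry once command-line auditing is enabled (Windows Security event 4688 with "Include command line in process creation events", or Sysmon event 1). The script below is an added example written for this page, not code from the original post: it matches the enumeration commands listed above against constructed sample log lines (a simplified "timestamp|host|user|command line" export, not a real event format) and raises an alert when one host/user pair runs several distinct enumeration commands within a short window, which is the burst pattern this reconnaissance phase produces. The window size, threshold and sample data are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes for the domain-enumeration commands listed in section 1.
# "net" on Windows hands off to net1.exe, so both are accepted, and the
# space before "/domain" is optional because it is often omitted.
ENUM_PATTERNS = {
    "dsquery_computer":     re.compile(r"\bdsquery(\.exe)?\s+computer\b", re.I),
    "dsquery_user":         re.compile(r"\bdsquery(\.exe)?\s+user\b", re.I),
    "dsquery_subnet":       re.compile(r"\bdsquery(\.exe)?\s+subnet\b", re.I),
    "dsquery_group":        re.compile(r"\bdsquery(\.exe)?\s+group\b", re.I),
    "dsquery_ou":           re.compile(r"\bdsquery(\.exe)?\s+ou\b", re.I),
    "dsquery_server":       re.compile(r"\bdsquery(\.exe)?\s+server\b", re.I),
    "net_domain_admins":    re.compile(r'\bnet1?(\.exe)?\s+group\s+"domain admins"\s*/domain', re.I),
    "net_domain_computers": re.compile(r'\bnet1?(\.exe)?\s+group\s+"domain computers"\s*/domain', re.I),
    "net_user_domain":      re.compile(r"\bnet1?(\.exe)?\s+user\s*/domain", re.I),
    "net_group_domain":     re.compile(r"\bnet1?(\.exe)?\s+group\s*/domain", re.I),
    "net_time_domain":      re.compile(r"\bnet1?(\.exe)?\s+time\s*/domain", re.I),
}

# Constructed sample telemetry (hosts, users and times are invented).
# Field order: timestamp|host|user|command line
SAMPLE_LOG = """\
2012-06-25T03:10:02|WS-FIN-07|CORP\\jdoe|dsquery computer domainroot -limit 65535
2012-06-25T03:10:09|WS-FIN-07|CORP\\jdoe|net  group "domain computers" /domain
2012-06-25T03:11:30|WS-FIN-07|CORP\\jdoe|dsquery user domainroot -limit 65535
2012-06-25T03:12:41|WS-FIN-07|CORP\\jdoe|dsquery subnet
2012-06-25T03:14:05|WS-FIN-07|CORP\\jdoe|net group "domain admins" /domain
2012-06-25T03:15:00|WS-FIN-07|CORP\\jdoe|dsquery server
2012-06-25T08:00:00|WS-HR-02|CORP\\asmith|net time /domain
2012-06-25T09:30:00|SRV-FILE-01|CORP\\svc_backup|C:\\Windows\\system32\\net1 user /domain
"""


def classify(cmdline):
    """Return the set of enumeration technique names a command line matches."""
    return {name for name, rx in ENUM_PATTERNS.items() if rx.search(cmdline)}


def parse_line(line):
    """Parse one 'timestamp|host|user|command line' record; None if malformed."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, user, cmd = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "host": host,
        "user": user,
        "cmd": cmd,
        "techniques": classify(cmd),
    }


def find_enumeration_bursts(log_text, window_minutes=10, threshold=3):
    """Alert when one host/user pair runs >= threshold distinct enumeration
    commands inside a sliding window of window_minutes. A single 'net time
    /domain' from a help-desk user stays below the threshold; a run of
    dsquery/net group commands from one workstation does not."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines())
              if e and e["techniques"]]
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["host"], e["user"])].append(e)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen |= e["techniques"]
            if len(seen) >= threshold:
                alerts.append({"host": host, "user": user,
                               "first_seen": start["ts"],
                               "techniques": sorted(seen)})
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_enumeration_bursts(SAMPLE_LOG):
        print(f"{a['first_seen']} {a['host']} {a['user']}: {', '.join(a['techniques'])}")
```

On the constructed sample this reports only WS-FIN-07 / CORP\jdoe, which runs six distinct enumeration commands in under five minutes; the single `net time /domain` and `net1 user /domain` events on the other hosts are recorded but stay below the threshold. In production the same logic runs over 4688 or Sysmon command-line fields, and the threshold is tuned against the noise from admin workstations and monitoring scripts.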
2. Analyze domain information to determine the target
From the information collected above we can derive a great deal that matters for targeting: which users and machines belong to each group (net group <groupname> /domain, together with the dsquery ou output), where the file servers and mail servers are, and where the target sits.
3. Intra-domain penetration
1. Capture hashes and crack passwords (gsecdump, wce, pwdump7, gethash)
2. Hash injection (wce -s)
3. Read LSA plaintext passwords (wce 1.3 -w, gsecdump -)
4. 0-day overflows (SMB, RDP, DNS, RPC, etc.)
5. Install a GINA to record the Administrator account password
6. Weak-password scanning (hd) and other methods
Use the methods above to obtain domain controller privileges.
4. Determine the target IP Address
1. Determine the logon date of the target user (net user aa /domain)
2. Export the domain controller logon log (cscript eventquery.vbs /fi "Datetime eq 06/25/2012,03:15:00 AM/06/25/2012,03:15:00" /L Security > c:\xxx.txt)
3. Export DHCP configuration (netsh dhcp)
Through log analysis, you can determine the target IP address for further precise attacks.
The commands above are examples; test them yourself.
From c4bbage Space