Introduction to intranet penetration

Source: Internet
Author: User
Tags: dsquery



Introduction
It has been a long time since the previous article. I promised to write an article on intranet penetration, so today I am taking some time to put it together. I do not think I am particularly good at intranet penetration; it relies more on accumulated experience than on anything else, and many of my predecessors have already written about it well. Here I only introduce my own approach and fold the experience of those predecessors into one basic article. If you find shortcomings or know better ways to do things, feel free to contact me; let's keep the communication to email, and the address is at the end of the article. Many people added me on QQ after the previous public post, and instant messaging means instant interruption, so I clean up my contact list periodically; if you were accidentally removed, please do not blame me. Apologies in advance.
Body
Suppose we are already in an intranet and the Intranet is in a domain. Our ultimate goal is to control the domain controller.
Intranet Information Retrieval
Most of the information can be obtained directly with the commands Windows already provides; they are easy to write down:

ipconfig /all                              # network configuration of this host
netstat -an                                # listening ports and active connections
net start                                  # running services
net user                                   # local accounts
net user /domain                           # domain accounts
net group "domain admins" /domain          # view domain administrators
net localgroup administrators              # local administrators group
net view /domain                           # hosts visible in the domain
dsquery server                             # view the domain controller servers
dsquery subnet                             # view the domain IP ranges
Once these commands have run, the basic intranet information is in hand. Add or drop individual commands according to your own preferences.
Going after the domain controller
Suppose the output of dsquery server shows that the domain controllers are DC-2008 and DC-2003, and the host on which we ran the commands is itself a member of the domain. Then we can simply run wce -w; if we are lucky, plaintext passwords appear right in front of us. Another tool, mimikatz, can also recover plaintext passwords. I will not paste screenshots here; try it yourself.
If you are lucky, congratulations: you now hold the domain administrator password and can move freely within the domain. Use it to log on to the domain controller, then use a password-dumping tool such as pwdump or fgdump to retrieve the password hashes of the entire domain.
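From the defender's side, the two steps just described (a burst of the domain-enumeration commands listed above, then a credential-dumping tool on the same host and under the same user) form a recognisable sequence in process-creation telemetry. The following Python sketch is an added example, not code from the original article: it correlates constructed records whose fields loosely follow the Computer / SubjectUserName / CommandLine data of Windows Security event 4688 (or Sysmon event 1). The host names, user names, timestamps, window size and thresholds are all made up for the illustration.

```python
"""Added detection example (not part of the original article): flag a burst
of domain-enumeration commands followed by a credential-dumping tool on the
same host and user. All records below are constructed; nothing here was
captured from a real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration commands quoted in the article, keyed by a short rule name.
ENUM_PATTERNS = {
    "net user /domain": re.compile(r"\bnet\s+user\s+/domain\b", re.I),
    "net group domain admins": re.compile(r'\bnet\s+group\s+"?domain admins"?', re.I),
    "net view /domain": re.compile(r"\bnet\s+view\s+/domain\b", re.I),
    "net localgroup administrators": re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I),
    "dsquery server": re.compile(r"\bdsquery\s+server\b", re.I),
    "dsquery subnet": re.compile(r"\bdsquery\s+subnet\b", re.I),
}

# Credential-dumping tools named in the article, matched on the command line.
DUMP_PATTERNS = {
    "wce": re.compile(r"\bwce(\.exe)?\b", re.I),
    "mimikatz": re.compile(r"\bmimikatz\b", re.I),
    "pwdump": re.compile(r"\bpwdump\w*", re.I),
    "fgdump": re.compile(r"\bfgdump\w*", re.I),
}

# Constructed sample records: (ISO timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-01-15T07:30:00", "WS-042", "CORP\\jdoe", "dsquery subnet"),    # too early to count
    ("2024-01-15T09:00:05", "WS-042", "CORP\\jdoe", "ipconfig /all"),     # not in the rule set
    ("2024-01-15T09:00:40", "WS-042", "CORP\\jdoe", "net user /domain"),
    ("2024-01-15T09:01:10", "WS-042", "CORP\\jdoe", 'net group "domain admins" /domain'),
    ("2024-01-15T09:01:55", "WS-042", "CORP\\jdoe", "dsquery server"),
    ("2024-01-15T09:06:20", "WS-042", "CORP\\jdoe", "C:\\tmp\\wce.exe -w"),
    # a single-account lookup by a help-desk user: does not match the bulk listing rule
    ("2024-01-15T10:15:00", "WS-007", "CORP\\helpdesk", "net user alice /domain"),
]


def classify(cmdline):
    """Return ("enum", rule) or ("dump", tool) for a command line of interest, else None."""
    for name, pat in ENUM_PATTERNS.items():
        if pat.search(cmdline):
            return ("enum", name)
    for name, pat in DUMP_PATTERNS.items():
        if pat.search(cmdline):
            return ("dump", name)
    return None


def detect(events, window=timedelta(minutes=10), min_enum=3):
    """Correlate per (host, user). Emits one 'domain-enumeration-burst' alert
    when at least min_enum distinct enumeration commands fall inside one
    window, and a 'credential-dump-tool' alert for every dump tool seen,
    rated high when it follows such a burst and medium otherwise."""
    by_actor = defaultdict(list)
    for ts, host, user, cmd in events:
        by_actor[(host, user)].append((datetime.fromisoformat(ts), cmd))

    alerts = []
    for (host, user), records in by_actor.items():
        records.sort()
        recent = []            # (time, rule) of enumeration commands still inside the window
        burst_reported = False
        for ts, cmd in records:
            hit = classify(cmd)
            if hit is None:
                continue
            recent = [(t, rule) for t, rule in recent if ts - t <= window]
            kind, name = hit
            if kind == "enum":
                recent.append((ts, name))
            seen = sorted({rule for _, rule in recent})
            if kind == "enum":
                if len(seen) >= min_enum and not burst_reported:
                    alerts.append({"time": ts.isoformat(), "host": host, "user": user,
                                   "rule": "domain-enumeration-burst",
                                   "severity": "medium", "commands": seen})
                    burst_reported = True
            else:
                alerts.append({"time": ts.isoformat(), "host": host, "user": user,
                               "rule": "credential-dump-tool", "tool": name,
                               "severity": "high" if len(seen) >= min_enum else "medium",
                               "preceded_by": seen})
    alerts.sort(key=lambda a: a["time"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this yields two alerts for WS-042: a medium enumeration burst at the third distinct command, and a high-severity alert when wce.exe runs a few minutes later. The help-desk lookup on WS-007 and the isolated dsquery subnet ninety minutes earlier produce nothing, which is the point of the sliding window: counting distinct commands inside a short window keeps routine one-off administration out of the alert stream.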
If wce does not give you anything, you can try the following:
Incognito
SMB
wce -s spoofing
Sniffer + ARP
Others (Where is Yu?)
Sniffing makes a great deal of noise on the network; we recommend not attempting it lightly.
Conclusion
This article rejects any form of attack for the purpose of technical communication.
After thinking about it for a long time, I decided to put the sentence above in front of the conclusion. Penetration is both a technical activity and an artistic one; all kinds of creative skills come into play. At the same time the environment is complex and constantly changing, yet the principle never changes: stay still to control movement, and let the other side move first.
The article is a little sloppy, but the promise is finally fulfilled.
Next topic
I dug a hole for myself by wanting to write something about SCADA, but that topic is just too... If something better comes along, I will switch to it.
About me
R0b1n, Freebufer, Pentester
Email: G. r0b1n [a. t] foxmail [dot] com