Penetration testing: collecting information about the intranet structure of a domain network


Author: Lcx

The topic of this column was my own question: once you have read enough about injection, don't you want to learn intranet intrusion techniques? As the author, I have to write an article about it. Among intranets of every size, the most common kind is the domain network. In fact, the logic of breaking into a domain network is the same as our usual intrusion approach: collect and analyse information to find the weak points, break through them, and then summarise; getting the domain administrator's password in the end counts as success. Once you hold the first machine on the intranet, how you collect information is the key step. This article describes that first step: collecting information about the intranet.

Having said that, we are not professional network engineers, and it is genuinely hard to work out the intranet topology from the IP address, subnet mask and DNS of the first machine alone. I have always felt this is not that important: we are here to break in, not to build. Still, if you want a rough picture of how the network is divided, the Advanced IP Address Calculator tool can help with the analysis. To understand the general structure of the intranet, a few commands are enough. The first is ipconfig /all. I set up a domain environment on my own machine and ran it; the result is shown in Figure 1, which gives the subnet mask, local IP address, gateway and DNS server. Combined with the Advanced IP Address Calculator tool, this data lets you sketch the general layout in your head: how many subnets there are, roughly how large each one may be, and so on. I don't consider this important, so I will skip it. In most intranets the DNS server is very likely one of the domain controllers. The other important command is net. net view lists the machines in the local machine's domain; net view /domain lists the domains; net view /domain:<domain name> lists the machines in a given domain; net group "domain admins" /domain shows the names of the domain administrators and, if you are lucky, lets you see directly which machine is the domain controller, as in Figure 2. net group shows how the users are divided into groups. On an English-language machine we look up the domain administrators with net group "domain admins" /domain; on a non-English system the Domain Admins group may have a different name, so you first run net group to find which group is likely to hold the domain administrators.
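A worked example of the subnet arithmetic the paragraph hands to the Advanced IP Address Calculator, added here and not part of Lcx's article: it parses a constructed ipconfig /all transcript (invented host name, suffix and addresses, not captured from any real machine) with Python's standard ipaddress module and reports the subnet, its usable host count, and whether the gateway and DNS servers sit inside it. A DNS server outside the client subnet usually means a separate server segment, which fits the remark above that the DNS server is often a domain controller.

```python
import ipaddress
import re

# Constructed transcript in the layout of `ipconfig /all` output. The host
# name, suffix and addresses are invented for this example, not captured
# from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.1.20.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.1.20.1
   DNS Servers . . . . . . . . . . . : 10.1.10.5
                                       10.1.10.6
"""

# "   Label . . . . : value" lines; continuation lines carry only a value.
KEY_VALUE = re.compile(r"^\s+([A-Za-z0-9\- ]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Pull the IPv4 address, mask, gateway and DNS servers out of ipconfig /all text."""
    cfg = {"ip": None, "mask": None, "gateway": None, "dns": []}
    last_key = None
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            last_key = key
        elif line.startswith(" ") and line.strip() and ":" not in line:
            key, value = last_key, line.strip()  # e.g. the second DNS server
        else:
            last_key = None
            continue
        if key == "IPv4 Address":
            cfg["ip"] = re.match(r"[\d.]+", value).group(0)  # drop "(Preferred)"
        elif key == "Subnet Mask":
            cfg["mask"] = value
        elif key == "Default Gateway" and value:
            cfg["gateway"] = value
        elif key == "DNS Servers":
            cfg["dns"].append(value)
    return cfg


def describe_subnet(cfg):
    """The arithmetic the article delegates to Advanced IP Address Calculator."""
    iface = ipaddress.IPv4Interface(f"{cfg['ip']}/{cfg['mask']}")
    net = iface.network

    def in_net(addr):
        return ipaddress.IPv4Address(addr) in net

    return {
        "network": str(net),                    # e.g. 10.1.20.0/23
        "usable_hosts": net.num_addresses - 2,  # minus network and broadcast
        "gateway_in_subnet": in_net(cfg["gateway"]),
        # DNS servers outside the client subnet usually mean a separate
        # server segment; the article notes they are often domain controllers.
        "dns_in_subnet": {d: in_net(d) for d in cfg["dns"]},
    }


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    print(parsed)
    print(describe_subnet(parsed))
```

Feeding the script a saved ipconfig /all transcript instead of the embedded sample gives the same summary for a real host; the parser only relies on the label/value column layout, so localised labels would need the four key names adjusted.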

The key steps above are for finding the names of the domain administrators and of the domain controller. There are several other ways to find out which machine is the domain controller. Besides the DNS server name and the net group "domain admins" /domain command, another is net time /domain, because the domain controller usually also acts as the time server. Beyond system commands, combining them with tools is also a good approach. Microsoft provides ADSI (Active Directory Service Interfaces) specifically for directory services, and a domain is managed through the LDAP provider, one of the ADSI providers. We can write a very short vbs program to find out which machine is the domain controller. The vbs code is as follows:

    ' Bind to the rootDSE of the domain this machine belongs to and print its
    ' serverName attribute: the distinguished name of the domain controller
    ' that answered, which ends in the DC=... components of the domain.
    Set obj = GetObject("LDAP://rootDSE")
    WScript.Echo obj.serverName

The result is shown in Figure 3.
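From the defender's side, the net commands described above are exactly what should be expected in process-creation telemetry on a freshly compromised workstation. The following is an added example, not code from the article: it runs a small correlation rule over constructed process-creation records (host, user, command line; invented sample data, not real logs), folds net.exe and net1.exe invocations into one canonical form, and raises an alert when one user on one host issues two or more distinct domain-enumeration commands within ten minutes. A lone net time /domain is deliberately not flagged, since scripts use it legitimately for clock checks. The rule names are labels chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records: (timestamp, host, user, command line).
# Invented sample data for this example; not captured from a real environment.
EVENTS = [
    ("2024-05-01T09:12:01", "WS01", "CORP\\alice", "net view /domain"),
    ("2024-05-01T09:12:20", "WS01", "CORP\\alice",
     '"C:\\Windows\\system32\\net1.exe" group "domain admins" /domain'),
    ("2024-05-01T09:13:05", "WS01", "CORP\\alice", "net time /domain"),
    ("2024-05-01T09:30:00", "WS02", "CORP\\bob", "net use Z: \\\\fs01\\share"),  # benign
    ("2024-05-01T10:02:00", "WS03", "CORP\\carol", "net time /domain"),  # lone hit
    ("2024-05-01T10:03:00", "WS03", "CORP\\carol", "netstat -an"),  # not net.exe
]

# net.exe hands most subcommands to net1.exe, so both spellings are folded
# into a canonical "net <args>" form with any leading image path removed.
NET_INVOCATION = re.compile(
    r'^"?(?:[a-z]:\\[^"\s]*\\)?(net1?)(?:\.exe)?"?(?:\s+(.*))?$')

# Domain-enumeration commands discussed in the article, matched against the
# canonical form. Rule names are labels chosen for this example.
RULES = [
    ("list domain computers", re.compile(r'^net view(?: /domain:\S+)?$')),
    ("list domains", re.compile(r'^net view /domain$')),
    ("enumerate domain admins",
     re.compile(r'^net group "?domain admins"? /domain$')),
    ("list domain groups", re.compile(r'^net group /domain$')),
    ("query domain time server", re.compile(r'^net time /domain$')),
]

WINDOW = timedelta(minutes=10)  # correlation window per (host, user)
MIN_DISTINCT = 2                # distinct techniques needed to alert


def normalize(cmdline):
    """Return 'net <args>' for a net.exe/net1.exe command line, else None."""
    collapsed = " ".join(cmdline.lower().split())
    m = NET_INVOCATION.match(collapsed)
    if not m:
        return None
    args = m.group(2) or ""
    return f"net {args}".strip()


def classify(cmdline):
    """Name of the first matching enumeration rule, or None."""
    canon = normalize(cmdline)
    if canon is None:
        return None
    for name, pattern in RULES:
        if pattern.match(canon):
            return name
    return None


def find_recon_sequences(events):
    """Alert once per (host, user) that ran >= MIN_DISTINCT distinct
    domain-enumeration commands inside WINDOW."""
    hits = defaultdict(list)  # (host, user) -> [(time, rule name)]
    for ts, host, user, cmdline in sorted(events):
        name = classify(cmdline)
        if name:
            hits[(host, user)].append((datetime.fromisoformat(ts), name))
    alerts = []
    for (host, user), seq in hits.items():
        for i, (start, _) in enumerate(seq):
            names = {n for t, n in seq[i:] if t - start <= WINDOW}
            if len(names) >= MIN_DISTINCT:
                alerts.append({"host": host, "user": user,
                               "first_seen": start.isoformat(),
                               "techniques": sorted(names)})
                break  # one alert per principal is enough
    return alerts


if __name__ == "__main__":
    for alert in find_recon_sequences(EVENTS):
        print(alert)
```

The threshold on distinct techniques rather than raw command count is what keeps the rule quiet on helpdesk scripts that call one net subcommand repeatedly; in production the same logic would read Security 4688 or Sysmon process-creation events instead of the embedded tuples.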

Is the information collected so far enough? Of course not, so we keep collecting. The website http://www.rlmueller.net has many vbs scripts dedicated to domains. I selected two of them and made some changes to make them better suited to our intrusion. The first is DocumentProperties.vbs. The code is too long to list here, so let us just look at it running. The first example is cscript DocumentProperties.vbs LDAP://dc=gethash,dc=cn. You get a great deal of information; Figures 4 and 5 cannot show all of it, so just run it yourself. You may wonder where the string LDAP://dc=gethash,dc=cn comes from: it is taken from the output of the short vbs script shown in Figure 3. You can also use a string for a specific user, such as LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com, which gives the details of the user TestUser in the Sales department of the MyDomain domain.

Two more DocumentProperties.vbs examples show that it can also read local information directly. The first is cscript DocumentProperties.vbs WinNT://./administrator, which shows the local machine's administrator account, including the password length and expiry time. If you see that it will expire in a day or two, a password change is imminent, and that is when you would think about recording the password. The other is cscript DocumentProperties.vbs WinNT://./Themes,service, which shows the Themes service: its path, startup mode and the account it starts under, as in Figures 6 and 7.

The biggest advantage of DocumentProperties.vbs is that it does not need many permissions; an ordinary domain user is enough. The other vbs is Inventory2.vbs. When I tried it on an intranet it seemed to need domain administrator privileges. Although it needs more privilege, it has its own advantage: it can be run directly, whereas DocumentProperties.vbs requires you to know some domain concepts. The script originally called the Excel component and popped up an IE dialog, so I spent a little time modifying it to save its output straight to html, which is silent and convenient for intrusion; you do not need an Excel component, and html is supported by default. In the program I use an array pc(65535, 10); if the intranet is larger than that (> ?, haha), use it with care. Running it directly gives the result in Figure 8: it lists the operating system version of every machine in the domain, the roles each one plays, and the patches installed.

To be honest, although I have experience of intruding into domain networks, I have never set up one myself. I did not look up the professional dictionary for many of the technical terms and simply wrote them as I understood them, so if anything is not rigorous I hope readers will point it out. In the next issue we will continue our intranet intrusion journey.
