Summary of Intranet penetration

Source: Internet
Author: User
Tags: domain

Question 1: Cross-domain penetration
In an intranet, domain administrator rights in domain A (a.ab.abc.com) have been obtained and the entire domain is under control. net view /domain:B shows that many machines exist in domain B (b.ab.abc.com). Machines in domain A can ping machines in domain B, and I want to penetrate across domains into domain B and obtain domain administrator rights there.
Could the experts in the group advise how to jump to B?

1. Check whether the local administrator of the domain controller has user-management rights in the primary domain.
2. Check for local users with the same name as management users of the other domain; the passwords may be the same.
3. Check the domain controller administrators and their user names for management information about other trusted domains.
Find the trust tree or forest, look for a trust relationship between x.ab.abc.com and a.ab.abc.com, and verify whether that trust is in effect.

Viewing trust relationships: nltest /domain_trusts
Http://technet.microsoft.com/zh-cn/library/cc731935
4. Check whether the domains trust each other. If so, use an enterprise administrator of A to log on to domain controller B.
5. Use a user from A to log on to a sub-account of B. Even with only guest permission, you can use enum to view the administrators there.
6. Ping servers in B to check whether they are in the same class C segment as A. If so, the local administrator passwords may be the same.


Question 2: Intranet penetration

Suppose an intranet is a domain environment, and you currently have only one PC in the domain and an ordinary domain account password. What methods would you use to gradually obtain domain administrator rights?
Let me start.
1. When traversing with an ordinary domain user, if you are lucky and the domain administrator's permissions are not strictly set, you can gradually obtain access to other machines in the domain and crack hashes, and from there obtain domain administrator rights.
2. Browse the machines' files to find a surprise.

....................

I hope the experts will share their ideas so that we newbies can learn more!

1. First pull all information about the domain, then find an administrator logon.
2. Look for intranet web applications, which are relatively weak compared with the external web.
3. Search for the domain logon script, which is generally readable by everyone and may yield some account names and passwords.
4. Try other machines one by one using IPC$.
5. Mainly collect information: use the current account to read the information of all users in the domain.
6. Weak-password scanning and intranet overflow.
7. In fact, the conventional methods are just those things; the main thing is to be bold and careful. If we are more thorough, we also consider IPS, IDS and other annoying devices.

Use of routers, DNS and VPN; if permissions are a dead end, start from the application server instead.

8. First look for the tools used for daily communication, such as e-mail and the chat records of communication tools. These are important steps in information gathering. For example, you can find the structure of the enterprise, then look at the daily work of the compromised user, and send an e-mail to the leaders based on that content. At this point the keylogger and Trojan become important.

9. Intranet scanning is not recommended, and ARP and similar techniques absolutely should not be used... the probability of being detected in a strictly protected intranet is close to 100%.
10. Intranet penetration cannot stabilize the current machine immediately. Dump the local hashes of the current machine and use the local administrator account to try IPC$ against other machines... or use the Domain Admins account to change the password. If you are lucky, you can expand to several more machines. Guess the Domain Admins account.

11. wce -w may let you catch the domain administrator password.
12. Record keystrokes on the current machine to see whether this person logs on to other applications on the intranet.


Question 3: How to find the corresponding machine name based on a domain user


The environment is a domain, and the highest permission currently held in the domain is: knowing one user name in the domain.
How can I find the machine name of this user in the domain?

Could you advise me?


1. netsess.exe (getting online users + luck)
2. List the details of all computers. If you are lucky, the machine description may indicate whose it is.
3. Drag back all domain controller logon logs (preferably checking from the command line, which keeps the volume relatively low).
4. If there is an Exchange server, go to its logon log; the Exchange log is very detailed.
5. Service logs in other domains.
6. View the time of the user's last domain logon, then use the script provided by Windows to export logs for that short time window; you can read the logs directly.
7. Write a logon script on the domain controller.
8. eventquery.vbs /s server /u user /p password /l security /fi "id eq 540" | find /i "your user"
9. Query all logs related to logon and logoff:
wevtutil qe Security /rd:true /f:text /q:"*[System[(EventID=4624 or EventID=4623 or EventID=4627)]]"
Add /r:computer /u:user /p:password to the end for a remote query. For example, to query the logon and logoff logs on dc1:
wevtutil qe Security /rd:true /f:text /q:"*[System[(EventID=4624 or EventID=4623 or EventID=4672)]]" /r:dc1 /u:administrator /p:password
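As an added example (not from the thread), a small Python parser for the `wevtutil qe Security /f:xml` export referred to in item 9: it maps a domain user's 4624 logon events to the workstation names and source IPs the domain controller recorded, which is how an incident responder answers "which machine does this user sit on" from the logs. The event contents, the account alice and the host dc1 are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive"}

def _event(eid, computer, **data):
    """Build one <Event> in the XML shape wevtutil emits (constructed test data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{eid}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed export from a hypothetical DC "dc1": alice logs on over the network
# and via RDP from WS-ALICE and is also used from FILESRV01; a machine-account
# logon and a 4672 (special privileges) event are noise that must be ignored.
SAMPLE_XML = "".join([
    _event(4624, "dc1", TargetUserName="alice", LogonType=3,
           WorkstationName="WS-ALICE", IpAddress="10.0.1.25"),
    _event(4624, "dc1", TargetUserName="alice", LogonType=10,
           WorkstationName="WS-ALICE", IpAddress="10.0.1.25"),
    _event(4624, "dc1", TargetUserName="WS-ALICE$", LogonType=3,
           WorkstationName="WS-ALICE", IpAddress="10.0.1.25"),
    _event(4672, "dc1", SubjectUserName="alice"),
    _event(4624, "dc1", TargetUserName="alice", LogonType=3,
           WorkstationName="FILESRV01", IpAddress="10.0.2.7"),
])

def parse_events(xml_text):
    """Yield one dict per <Event>; wevtutil writes events with no root, so wrap them."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.iter(f"{NS}Event"):
        rec = {"EventID": ev.findtext(f"{NS}System/{NS}EventID"),
               "Computer": ev.findtext(f"{NS}System/{NS}Computer")}
        for d in ev.iter(f"{NS}Data"):
            rec[d.get("Name")] = d.text or ""
        yield rec

def logon_sources(xml_text, user):
    """Map (WorkstationName, IpAddress) -> logon-type names for `user`, 4624 only."""
    sources = defaultdict(set)
    for rec in parse_events(xml_text):
        name = rec.get("TargetUserName", "")
        # Skip non-logon events, machine accounts (trailing $) and other users.
        if rec["EventID"] != "4624" or name.endswith("$") or name.lower() != user.lower():
            continue
        ltype = int(rec.get("LogonType", "0"))
        key = (rec.get("WorkstationName", "-"), rec.get("IpAddress", "-"))
        sources[key].add(LOGON_TYPES.get(ltype, f"Type{ltype}"))
    return dict(sources)
```

On a real export, a Network (type 3) logon from an unexpected server, as with FILESRV01 here, is the kind of entry that tells a responder where the account's credentials are actually being used.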
