内网渗透系列之信息收集(全网最详细版本!!!)

内网渗透系列之信息收集(全网最详细版本!!!)"/>

内网渗透系列之信息收集(全网最详细版本!!!)

内网渗透(一)：信息收集

内网渗透系列文章
内网渗透一：信息收集

---

目录

• 内网渗透(一)：信息收集
• 1.判断当前角色
• 2.收集基本信息
• 3.判断权限
• 4.常见杀毒软件进程
• 5.网段主机探测
• 6.域内信息收集
• 7.定位域管理员
• 8.敏感信息收集

---

1.判断当前角色

当我们拿到一台主机时，从外网打点进入内网，就要进行我们的内网渗透了，当我们所处内网的环境时，我们需要来判断当前我们拿到的主机在内网里是一个什么样的角色

角色判断：
对于目前的主机是 普通Web服务器 , 开发测试服务器 ,DNS服务器等，具体的判断是通过对机器内的主机名、文件、网络链接、服务等多种情况综合进行。

拓扑结构分析
对内网进行全面的数据收集分析整理，绘制出大概的内网整体拓扑结构，以便于进一步内网渗透及定位目标。

所处位置区域的判断：
对目前机器所处位置区域的判断，是指判断机器处于网络拓扑中的哪个区域，是在 外网区域, Dmz区域, 内网区域(办公区,核心区) 等位置，当然这里不是绝对的，只是一个大概的环境，不同位置的网络环境不一样，区域的界限也不一定明显。

外网即互联网。
内网即局域网。
DMZ称为隔离区，又被称作为"非军事化区"。它的存在是为了解决安装了防火墙后外网不能访问内网而设立的一个非安全系统与安全系统之间的缓冲区。

我们假设这样一种场景，我们有在内网有安放Web服务器或者邮件服务器这种需要对外网开放访问的需求，这个时候假如我们把我们的Web服务器或邮件服务器放在内网区域中，由于为了安全考虑，一般外网是访问不了内网的，但是为了外网可以访问到我们的Web和邮件服务器，我们需要对防火墙作出相应的配置使其能被外网访问到。但是不巧的是黑客通过一些漏洞拿到了这个Web或邮件服务器的权限，且拿到的服务器和内网中一些重要服务器（如数据库服务器、企业服务器等）在同一个内网，所以黑客想要通过后续信息收集和漏洞利用可以很容易的去拿到同一内网中的其他服务器。 当Web和邮件服务器在DMZ区域时，就算黑客拿到了Web或邮件服务器的权限，黑客还面对一层防火墙，就可以很好的保护到内部网络。

2.收集基本信息

本机信息包括主机的系统、权限、内网分配的ip段、安装的杀毒软件、端口、服务、补丁、网络链接、共享、会话等

如果是域内主机，系统、软件、补丁、服务、杀软通常都统一下发安装的，
通过收集本机相关信息，可以进一步了解整个域的操作系统版本、软件、补丁、用户命名方式等

查询网络配置信息：ipconfig /all

查询操作系统及安装软件的版本信息
英文：systeminfo | findstr /B /C:"OS Name" /C:"OS Version”
中文：systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"
软件查询：wmic product get name,version
Powershell：powershell "Get-WmiObject -class Win32_Product |Select-Object -Property name,version"

查询本机服务信息：wmic service list brief

查询进程列表：Tasklist /v
关闭360杀毒软件：taskkill /im 360Tray.exe /f

查询启动程序信息：wmic startup get command,caption

查询计划任务及开机时间
计划任务：schtasks /query /fo LIST /v
开机时间： net statistics workstation

查询用户列表
用户：Net user 可以找命名规则 推测整个域的用户命名方式
获取本地管理员（含域）：net localgroup administrators
查询当前在线用户：query user || qwinsta
读取密码：mimikatz

查询端口列表及补丁
端口查询：Netstat –ano
查询补丁列表：Systeminfo
例：wmic qfe get Caption,Description,HotFixID,InstalledOn

查询路由表：arp -a

查询本机共享列表：net share

查询IE浏览器的代理信息：reg query “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings”

查询RDP端口号：reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /V portNumber

查询用户列表：net user
tips:通过分析本机用户列表，分析命名规则，推测整个域的命名方式

3.判断权限

三种情况：
A:普通用户
B: 管理员
C:域用户

在这三种情况下，如果内网存在域，普通用户不能执行域的命令，只能查询本机相关信息，但是管理员和域内用户可以执行域的命令

首先判断是否存在域，如果有，需要判断所控主机是否在域内。

1. 执行 net time /domain
   该命令显示主域控制器的时间
   A：如果当前主机处于工作组中未加入域，则显示找不到域控制器
   
   B：加入了域，且当前用户为本地用户包括本地管理员，则显示拒绝访问
   
   2.执行 ipconfig /all
   当前主机如果是工作组中，则主DNS后缀为空。如果加入了域则主DNS为域名
   
   A:只要没有加入域，主DNS后缀都为空
   B:只要加入域，不管当前用户为域用户本还是本地用户，主DNS后缀，都为域名

3 . 执行 systeminfo
工作组环境systeminfo查询的显示为WORKGROUP，域环境查询的域是域名

4.常见杀毒软件进程

"360tray.exe": "360安全卫士‐实时保护","360safe.exe": "360安全卫士‐主程序","ZhuDongFangYu.exe": "360安全卫士‐主动防御","360sd.exe": "360杀毒","a2guard.exe": "a‐squared杀毒","ad‐watch.exe": "Lavasoft杀毒","cleaner8.exe": "The Cleaner杀毒","vba32lder.exe": "vb32杀毒","MongoosaGUI.exe": "Mongoosa杀毒","CorantiControlCenter32.exe": "Coranti2012杀毒","F‐PROT.exe": "F‐Prot AntiVirus","CMCTrayIcon.exe": "CMC杀毒","K7TSecurity.exe": "K7杀毒","UnThreat.exe": "UnThreat杀毒","CKSoftShiedAntivirus4.exe": "Shield Antivirus杀毒","AVWatchService.exe": "VIRUSfighter杀毒","ArcaTasksService.exe": "ArcaVir杀毒","iptray.exe": "Immunet杀毒","PSafeSysTray.exe": "PSafe杀毒","nspupsvc.exe": "nProtect杀毒","SpywareTerminatorShield.exe": "SpywareTerminator反间谍软件","BKavService.exe": "Bkav杀毒","MsMpEng.exe": "Microsoft Security Essentials","SBAMSvc.exe": "VIPRE","ccSvcHst.exe": "Norton杀毒","f‐secure.exe": "冰岛","avp.exe": "Kaspersky","KvMonXP.exe": "江民杀毒","RavMonD.exe": "瑞星杀毒","Mcshield.exe": "McAfee","Tbmon.exe": "McAfee","Frameworkservice.exe": "McAfee","egui.exe": "ESET NOD32","ekrn.exe": "ESET NOD32","eguiProxy.exe": "ESET NOD32","kxetray.exe": "金山毒霸","knsdtray.exe": "可牛杀毒","TMBMSRV.exe": "趋势杀毒","avcenter.exe": "Avira(小红伞)","avguard.exe": "Avira(小红伞)","avgnt.exe": "Avira(小红伞)","sched.exe": "Avira(小红伞)","ashDisp.exe": "Avast网络安全","rtvscan.exe": "诺顿杀毒","ccapp.exe": "SymantecNorton","NPFMntor.exe": "Norton杀毒软件","ccSetMgr.exe": "赛门铁克","ccRegVfy.exe": "Norton杀毒软件","ksafe.exe": "金山卫士","QQPCRTP.exe": "QQ电脑管家","avgwdsvc.exe": "AVG杀毒","QUHLPSVC.exe": "QUICK HEAL杀毒","mssecess.exe": "微软杀毒","SavProgress.exe": "Sophos杀毒","SophosUI.exe": "Sophos杀毒","SophosFS.exe": "Sophos杀毒","SophosHealth.exe": "Sophos杀毒","SophosSafestore64.exe": "Sophos杀毒","SophosCleanM.exe": "Sophos杀毒","fsavgui.exe": "F‐Secure杀毒","vsserv.exe": "比特梵德","remupd.exe": "熊猫卫士","FortiTray.exe": "飞塔","safedog.exe": "安全狗","parmor.exe": "木马克星","Iparmor.exe.exe": "木马克星","beikesan.exe": "贝壳云安全","KSWebShield.exe": "金山网盾","TrojanHunter.exe": "木马猎手","GG.exe": "巨盾网游安全盾","adam.exe": "绿鹰安全精灵","AST.exe": "超级巡警","ananwidget.exe": "墨者安全专家","AVK.exe": "AntiVirusKit","avg.exe": "AVG Anti‐Virus","spidernt.exe": "Dr.web","avgaurd.exe": "Avira Antivir","vsmon.exe": "Zone Alarm","cpf.exe": "Comodo","outpost.exe": "Outpost Firewall","rfwmain.exe": "瑞星防火墙","kpfwtray.exe": "金山网镖","FYFireWall.exe": "风云防火墙","MPMon.exe": "微点主动防御","pfw.exe": "天网防火墙","BaiduSdSvc.exe": "百度杀毒‐服务进程","BaiduSdTray.exe": "百度杀毒‐托盘进程","BaiduSd.exe": "百度杀毒‐主程序","SafeDogGuardCenter.exe": "安全狗","safedogupdatecenter.exe": "安全狗","safedogguardcenter.exe": "安全狗","SafeDogSiteIIS.exe": "安全狗","SafeDogTray.exe": "安全狗","SafeDogServerUI.exe": "安全狗","D_Safe_Manage.exe": "D盾","d_manage.exe": "D盾","yunsuo_agent_service.exe": "云锁","yunsuo_agent_daemon.exe": "云锁","HwsPanel.exe": "护卫神","hws_ui.exe": "护卫神","hws.exe": "护卫神","hwsd.exe": "护卫神","hipstray.exe": "火绒","wsctrl.exe": "火绒","usysdiag.exe": "火绒","SPHINX.exe": "SPHINX防火墙","bddownloader.exe": "百度卫士","baiduansvx.exe": "百度卫士‐主进程","AvastUI.exe": "Avast!5主程序","emet_agent.exe": "EMET","emet_service.exe": "EMET","firesvc.exe": "McAfee","firetray.exe": "McAfee","hipsvc.exe": "McAfee","mfevtps.exe": "McAfee","mcafeefire.exe": "McAfee","scan32.exe": "McAfee","shstat.exe": "McAfee","vstskmgr.exe": "McAfee","engineserver.exe": "McAfee","mfeann.exe": "McAfee","mcscript.exe": "McAfee","updaterui.exe": "McAfee","udaterui.exe": "McAfee","naprdmgr.exe": "McAfee","cleanup.exe": "McAfee","cmdagent.exe": "McAfee","frminst.exe": "McAfee","mcscript_inuse.exe": "McAfee","mctray.exe": "McAfee","_avp32.exe": "卡巴斯基","_avpcc.exe": "卡巴斯基","_avpm.exe": "卡巴斯基","aAvgApi.exe": "AVG","ackwin32.exe": "已知杀软进程,名称暂未收录","alertsvc.exe": "Norton AntiVirus","alogserv.exe": "McAfee VirusScan","anti‐trojan.exe": "Anti‐Trojan Elite","arr.exe": "Application Request Route","atguard.exe": "AntiVir","atupdater.exe": "已知杀软进程,名称暂未收录","atwatch.exe": "Mustek","au.exe": "NSIS","aupdate.exe": "Symantec","auto‐protect.nav80try.exe": "已知杀软进程,名称暂未收录","autodown.exe": "AntiVirus AutoUpdater","avconsol.exe": "McAfee","avgcc32.exe": "AVG","avgctrl.exe": "AVG","avgemc.exe": "AVG","avgrsx.exe": "AVG","avgserv.exe": "AVG","avgserv9.exe": "AVG","avgw.exe": "AVG","avkpop.exe": "G DATA SOFTWARE AG","avkserv.exe": "G DATA SOFTWARE AG","avkservice.exe": "G DATA SOFTWARE AG","avkwctl9.exe": "G DATA SOFTWARE AG","avltmain.exe": "Panda Software Aplication","avnt.exe": "H+BEDV Datentechnik GmbH","avp32.exe": "Kaspersky Anti‐Virus","avpcc.exe": " Kaspersky AntiVirus","avpdos32.exe": " Kaspersky AntiVirus","avpm.exe": " Kaspersky AntiVirus","avptc32.exe": " Kaspersky AntiVirus","avpupd.exe": " Kaspersky AntiVirus","avsynmgr.exe": "McAfee","avwin.exe": " H+BEDV","bargains.exe": "Exact Advertising SpyWare","beagle.exe": "Avast","blackd.exe": "BlackICE","blackice.exe": "BlackICE","blink.exe": "micromedia","blss.exe": "CBlaster","bootwarn.exe": "Symantec","bpc.exe": "Grokster","brasil.exe": "Exact Advertising","ccevtmgr.exe": "Norton Internet Security","cdp.exe": "CyberLink Corp.","cfd.exe": "Motive Communications","cfgwiz.exe": " Norton AntiVirus","claw95.exe": "已知杀软进程,名称暂未收录","claw95cf.exe": "已知杀软进程,名称暂未收录","clean.exe": "windows流氓软件清理大师","cleaner.exe": "windows流氓软件清理大师","cleaner3.exe": "windows流氓软件清理大师","cleanpc.exe": "windows流氓软件清理大师","cpd.exe": "McAfee","ctrl.exe": "已知杀软进程,名称暂未收录","cv.exe": "已知杀软进程,名称暂未收录","defalert.exe": "Symantec","defscangui.exe": "Symantec","defwatch.exe": "Norton Antivirus","doors.exe": "已知杀软进程,名称暂未收录","dpf.exe": "已知杀软进程,名称暂未收录","dpps2.exe": "PanicWare","dssagent.exe": "Broderbund","ecengine.exe": "已知杀软进程,名称暂未收录","emsw.exe": "Alset Inc","ent.exe": "已知杀软进程,名称暂未收录","espwatch.exe": "已知杀软进程,名称暂未收录","ethereal.exe": "RationalClearCase","exe.avxw.exe": "已知杀软进程,名称暂未收录","expert.exe": "已知杀软进程,名称暂未收录","f‐prot95.exe": "已知杀软进程,名称暂未收录","fameh32.exe": "F‐Secure","fast.exe": " FastUsr","fch32.exe": "F‐Secure","fih32.exe": "F‐Secure","findviru.exe": "F‐Secure","firewall.exe": "AshampooSoftware","fnrb32.exe": "F‐Secure","fp‐win.exe": " F‐Prot Antivirus OnDemand","fsaa.exe": "F‐Secure","fsav.exe": "F‐Secure","fsav32.exe": "F‐Secure","fsav530stbyb.exe": "F‐Secure","fsav530wtbyb.exe": "F‐Secure","fsav95.exe": "F‐Secure","fsgk32.exe": "F‐Secure","fsm32.exe": "F‐Secure","fsma32.exe": "F‐Secure","fsmb32.exe": "F‐Secure","gbmenu.exe": "已知杀软进程,名称暂未收录","guard.exe": "ewido","guarddog.exe": "ewido","htlog.exe": "已知杀软进程,名称暂未收录","htpatch.exe": "Silicon Integrated Systems Corporation","hwpe.exe": "已知杀软进程,名称暂未收录","iamapp.exe": "Symantec","iamserv.exe": "Symantec","iamstats.exe": "Symantec","iedriver.exe": " Urlblaze","iface.exe": "Panda Antivirus Module","infus.exe": "Infus Dialer","infwin.exe": "Msviewparasite","intdel.exe": "Inet Delivery","intren.exe": "已知杀软进程,名称暂未收录","jammer.exe": "已知杀软进程,名称暂未收录","kavpf.exe": "Kapersky","kazza.exe": "Kapersky","keenvalue.exe": "EUNIVERSE INC","launcher.exe": "Intercort Systems","ldpro.exe": "已知杀软进程,名称暂未收录","ldscan.exe": "Windows Trojans Inspector","localnet.exe": "已知杀软进程,名称暂未收录","luall.exe": "Symantec","luau.exe": "Symantec","lucomserver.exe": "Norton","mcagent.exe": "McAfee","mcmnhdlr.exe": "McAfee","mctool.exe": "McAfee","mcupdate.exe": "McAfee","mcvsrte.exe": "McAfee","mcvsshld.exe": "McAfee","mfin32.exe": "MyFreeInternetUpdate","mfw2en.exe": "MyFreeInternetUpdate","mfweng3.02d30.exe": "MyFreeInternetUpdate","mgavrtcl.exe": "McAfee","mgavrte.exe": "McAfee","mghtml.exe": "McAfee","mgui.exe": "BullGuard","minilog.exe": "Zone Labs Inc","mmod.exe": "EzulaInc","mostat.exe": "WurldMediaInc","mpfagent.exe": "McAfee","mpfservice.exe": "McAfee","mpftray.exe": "McAfee","mscache.exe": "Integrated Search Technologies Spyware","mscman.exe": "OdysseusMarketingInc","msmgt.exe": "Total Velocity Spyware","msvxd.exe": "W32/Datom‐A","mwatch.exe": "已知杀软进程,名称暂未收录","nav.exe": "Reuters Limited","navapsvc.exe": "Norton AntiVirus","navapw32.exe": "Norton AntiVirus","navw32.exe": "Norton Antivirus","ndd32.exe": "诺顿磁盘医生","neowatchlog.exe": "已知杀软进程,名称暂未收录","netutils.exe": "已知杀软进程,名称暂未收录","nisserv.exe": "Norton","nisum.exe": "Norton","nmain.exe": "Norton","nod32.exe": "ESET Smart Security","norton_internet_secu_3.0_407.exe": "已知杀软进程,名称暂未收录","notstart.exe": "已知杀软进程,名称暂未收录","nprotect.exe": "Symantec","npscheck.exe": "Norton","npssvc.exe": "Norton","ntrtscan.exe": "趋势反病毒应用程序","nui.exe": "已知杀软进程,名称暂未收录","otfix.exe": "已知杀软进程,名称暂未收录","outpostinstall.exe": "Outpost","patch.exe": "趋势科技","pavw.exe": "已知杀软进程,名称暂未收录","pcscan.exe": "趋势科技","pdsetup.exe": "已知杀软进程,名称暂未收录","persfw.exe": "Tiny Personal Firewall","pgmonitr.exe": "PromulGate SpyWare","pingscan.exe": "已知杀软进程,名称暂未收录","platin.exe": "已知杀软进程,名称暂未收录","pop3trap.exe": "PC‐cillin","poproxy.exe": "NortonAntiVirus","popscan.exe": "已知杀软进程,名称暂未收录","powerscan.exe": "Integrated Search Technologies","ppinupdt.exe": "已知杀软进程,名称暂未收录","pptbc.exe": "已知杀软进程,名称暂未收录","ppvstop.exe": "已知杀软进程,名称暂未收录","prizesurfer.exe": "Prizesurfer","prmt.exe": "OpiStat","prmvr.exe": "Adtomi","processmonitor.exe": "Sysinternals","proport.exe": "已知杀软进程,名称暂未收录","protectx.exe": "ProtectX","pspf.exe": "已知杀软进程,名称暂未收录","purge.exe": "已知杀软进程,名称暂未收录","qconsole.exe": "Norton AntiVirus Quarantine Console","qserver.exe": "Norton Internet Security","rapapp.exe": "BlackICE","rb32.exe": "RapidBlaster","rcsync.exe": "PrizeSurfer","realmon.exe": "Realmon ","rescue.exe": "已知杀软进程,名称暂未收录","rescue32.exe": "卡巴斯基互联网安全套装","rshell.exe": "已知杀软进程,名称暂未收录","rtvscn95.exe": "Real‐time virus scanner ","rulaunch.exe": "McAfee User Interface","run32dll.exe": "PAL PC Spy","safeweb.exe": "PSafe Tecnologia","sbserv.exe": "Norton Antivirus","scrscan.exe": "360杀毒","sfc.exe": "System file checker","sh.exe": "MKS Toolkit for Win3","showbehind.exe": "MicroSmarts Enterprise Component ","soap.exe": "System Soap Pro","sofi.exe": "已知杀软进程,名称暂未收录","sperm.exe": "已知杀软进程,名称暂未收录","supporter5.exe": "eScorcher反病毒","symproxysvc.exe": "Symantec","symtray.exe": "Symantec","tbscan.exe": "ThunderBYTE","tc.exe": "TimeCalende","titanin.exe": "TitanHide","tvmd.exe": "Total Velocity","tvtmd.exe": " Total Velocity","vettray.exe": "eTrust","vir‐help.exe": "已知杀软进程,名称暂未收录","vnpc3000.exe": "已知杀软进程,名称暂未收录","vpc32.exe": "Symantec","vpc42.exe": "Symantec","vshwin32.exe": "McAfee","vsmain.exe": "McAfee","vsstat.exe": "McAfee","wfindv32.exe": "已知杀软进程,名称暂未收录","zapro.exe": "Zone Alarm","zonealarm.exe": "Zone Alarm","AVPM.exe": "Kaspersky","A2CMD.exe": "Emsisoft Anti‐Malware","A2SERVICE.exe": "a‐squared free","A2FREE.exe": "a‐squared Free","ADVCHK.exe": "Norton AntiVirus","AGB.exe": "安天防线","AHPROCMONSERVER.exe": "安天防线","AIRDEFENSE.exe": "AirDefense","ALERTSVC.exe": "Norton AntiVirus","AVIRA.exe": "小红伞杀毒","AMON.exe": "Tiny Personal Firewall","AVZ.exe": "AVZ","ANTIVIR.exe": "已知杀软进程,名称暂未收录","APVXDWIN.exe": "熊猫卫士","ASHMAISV.exe": "Alwil","ASHSERV.exe": "Avast Anti‐virus","ASHSIMPL.exe": "AVAST!VirusCleaner","ASHWEBSV.exe": "Avast","ASWUPDSV.exe": "Avast","ASWSCAN.exe": "Avast","AVCIMAN.exe": "熊猫卫士","AVCONSOL.exe": "McAfee","AVENGINE.exe": "熊猫卫士","AVESVC.exe": "Avira AntiVir Security Service","AVEVL32.exe": "已知杀软进程,名称暂未收录","AVGAM.exe": "AVG","AVGCC.exe": "AVG","AVGCHSVX.exe": "AVG","AVGCSRVX": "AVG","AVGNSX.exe": "AVG","AVGCC32.exe": "AVG","AVGCTRL.exe": "AVG","AVGEMC.exe": "AVG","AVGFWSRV.exe": "AVG","AVGNTMGR.exe": "AVG","AVGSERV.exe": "AVG","AVGTRAY.exe": "AVG","AVGUPSVC.exe": "AVG","AVINITNT.exe": "Command AntiVirus for NT Server","AVPCC.exe": "Kaspersky","AVSERVER.exe": "Kerio MailServer","AVSCHED32.exe": "H+BEDV","AVSYNMGR.exe": "McAfee","AVWUPSRV.exe": "H+BEDV","BDSWITCH.exe": "BitDefender Module","BLACKD.exe": "BlackICE","CCEVTMGR.exe": "Symantec","CFP.exe": "COMODO","CLAMWIN.exe": "ClamWin Portable","CUREIT.exe": "DrWeb CureIT","DEFWATCH.exe": "Norton Antivirus","DRWADINS.exe": "Dr.Web","DRWEB.exe": "Dr.Web","DEFENDERDAEMON.exe": "ShadowDefender","EWIDOCTRL.exe": "Ewido Security Suite","EZANTIVIRUSREGISTRATIONCHECK.exe": "e‐Trust Antivirus","FIREWALL.exe": "AshampooSoftware","FPROTTRAY.exe": "F‐PROT Antivirus","FPWIN.exe": "Verizon","FRESHCLAM.exe": "ClamAV","FSAV32.exe": "F‐Secure","FSBWSYS.exe": "F‐secure","FSDFWD.exe": "F‐Secure","FSGK32.exe": "F‐Secure","FSGK32ST.exe": "F‐Secure","FSMA32.exe": "F‐Secure","FSMB32.exe": "F‐Secure","FSSM32.exe": "F‐Secure","GUARDGUI.exe": "网游保镖","GUARDNT.exe": "IKARUS","IAMAPP.exe": "Symantec","INOCIT.exe": "eTrust","INORPC.exe": "eTrust","INORT.exe": "eTrust","INOTASK.exe": "eTrust","INOUPTNG.exe": "eTrust","ISAFE.exe": "eTrust","KAV.exe": "Kaspersky","KAVMM.exe": "Kaspersky","KAVPF.exe": "Kaspersky","KAVPFW.exe": "Kaspersky","KAVSTART.exe": "Kaspersky","KAVSVC.exe": "Kaspersky","KAVSVCUI.exe": "Kaspersky","KMAILMON.exe": "金山毒霸","MCAGENT.exe": "McAfee","MCMNHDLR.exe": "McAfee","MCREGWIZ.exe": "McAfee","MCUPDATE.exe": "McAfee","MCVSSHLD.exe": "McAfee","MINILOG.exe": "Zone Alarm","MYAGTSVC.exe": "McAfee","MYAGTTRY.exe": "McAfee","NAVAPSVC.exe": "Norton","NAVAPW32.exe": "Norton","NAVLU32.exe": "Norton","NAVW32.exe": "Norton Antivirus","NEOWATCHLOG.exe": "NeoWatch","NEOWATCHTRAY.exe": "NeoWatch","NISSERV.exe": "Norton","NISUM.exe": "Norton","NMAIN.exe": "Norton","NOD32.exe": "ESET NOD32","NPFMSG.exe": "Norman个人防火墙","NPROTECT.exe": "Symantec","NSMDTR.exe": "Norton","NTRTSCAN.exe": "趋势科技","OFCPFWSVC.exe": "OfficeScanNT","ONLINENT.exe": "已知杀软进程,名称暂未收录","OP_MON.exe": " OutpostFirewall","PAVFIRES.exe": "熊猫卫士","PAVFNSVR.exe": "熊猫卫士","PAVKRE.exe": "熊猫卫士","PAVPROT.exe": "熊猫卫士","PAVPROXY.exe": "熊猫卫士","PAVPRSRV.exe": "熊猫卫士","PAVSRV51.exe": "熊猫卫士","PAVSS.exe": "熊猫卫士","PCCGUIDE.exe": "PC‐cillin","PCCIOMON.exe": "PC‐cillin","PCCNTMON.exe": "PC‐cillin","PCCPFW.exe": "趋势科技","PCCTLCOM.exe": "趋势科技","PCTAV.exe": "PC Tools AntiVirus","PERSFW.exe": "Tiny Personal Firewall","PERVAC.exe": "已知杀软进程,名称暂未收录","PESTPATROL.exe": "Ikarus","PREVSRV.exe": "熊猫卫士","RTVSCN95.exe": "Real‐time Virus Scanner","SAVADMINSERVICE.exe": "SAV","SAVMAIN.exe": "SAV","SAVSCAN.exe": "SAV","SDHELP.exe": "Spyware Doctor","SHSTAT.exe": "McAfee","SPBBCSVC.exe": "Symantec","SPIDERCPL.exe": "Dr.Web","SPIDERML.exe": "Dr.Web","SPIDERUI.exe": "Dr.Web","SPYBOTSD.exe": "Spybot ","SWAGENT.exe": "SonicWALL","SWDOCTOR.exe": "SonicWALL","SWNETSUP.exe": "Sophos","SYMLCSVC.exe": "Symantec","SYMPROXYSVC.exe": "Symantec","SYMSPORT.exe": "Sysmantec","SYMWSC.exe": "Sysmantec","SYNMGR.exe": "Sysmantec","TMLISTEN.exe": "趋势科技","TMNTSRV.exe": "趋势科技","TMPROXY.exe": "趋势科技","TNBUTIL.exe": "Anti‐Virus","VBA32ECM.exe": "已知杀软进程,名称暂未收录","VBA32IFS.exe": "已知杀软进程,名称暂未收录","VBA32PP3.exe": "已知杀软进程,名称暂未收录","VCRMON.exe": "VirusChaser","VRMONNT.exe": "HAURI","VRMONSVC.exe": "HAURI","VSHWIN32.exe": "McAfee","VSSTAT.exe": "McAfee","XCOMMSVR.exe": "BitDefender","ZONEALARM.exe": "Zone Alarm","360rp.exe": "360杀毒","afwServ.exe": " Avast Antivirus ","safeboxTray.exe": "360杀毒","360safebox.exe": "360杀毒","QQPCTray.exe": "QQ电脑管家","KSafeTray.exe": "金山毒霸","KSafeSvc.exe": "金山毒霸","KWatch.exe": "金山毒霸","gov_defence_service.exe": "云锁","gov_defence_daemon.exe": "云锁",

5.网段主机探测

常用IP扫描工具：
Nmap：免费开源用于网络发现和安全审计的工具
ARP：局域网活跃主机快速扫描工具。即使这些主机上装有防火墙也依然能够被发现。
Scan Angry IP Scanner：它不是基本命令行，是基于比较漂亮的图形界面。在Linux运行，需要安装Java环境和RPM or Deb package
Advanced IP Scanner：可靠且免费的网络扫描器可以分析 LAN
ARP command：简单且强大的arp命令
Fping：是流行的IP扫描器，Fping利用ICMP回显请求检查远程主机是否处于活动状态。与经典的ping命令不同，fping可以针对大量主机和IP范围运行。

命令行：

For /L %i in (1,1,254) Do @ping –w 1 –n 1 192.168.2.%i | findstr "TTL="

探测完存活主机之后探测端口banner信息

6.域内信息收集

域内用户基本信息

net view 查看域内机器列表net view /domain: ZZZ 查看ZZZ域中所有的机器列表。net group /domain 查询域里面所有的用户组列表net group "domain computers" /domain 查看所有域成员计算机列表net accounts /domain 查询域用户密码过期等信息net user /domain 获取域用户列表net group "domain admins" /domain 获取域管理员列表net group "domain controllers" /domain 查看域控制器(如果有多台)net local group administrators 查看本地管理员组用户[通常含有域用户]net localgroup administrators /domain 登录域管理员用户net view /domain 查看内网存在多少个域

查询所有域用户列表

向域控制器进行查询net user /domain获取域内用户详细信息wmic useraccount get /all查看存在的用户dsquery user查询域内置本地管理员组用户net localgroup administrators /domain

查询域管理员用户组

查询域管理员用户net group “domain admins” /domain查询管理员用户组
net group “Enterprise Admins” /domain

7.定位域管理员

拓扑结构分析内网渗透测试与常规的渗透测试是截然不同的。内网渗透测试的需求是拿到内网中特定用户或特定机器的权限，进而获得特定资源，完成内网渗透测试任务。在通常的网络环境里，内网中部署了大量的网络安全设备，如 IDS、IPS、日志审计、安全网关、反病毒软件等。所以，在域网络攻击测试场景中，如果渗透测试人员获取了域内的一个支点，为了实现对域网络的整体控制，渗透测试人员就需要获取域管理员权限。

工具：

psloggedon.exe 可以显示本地登录的用户和通过本地计算机或远程计算机的资源登录的用户。
如果指定了用户名而不是计算机，psloggedon.exe 会搜索网络邻居中的计算机，并显示该用户当前是否已登录，其原理是通过检 验注册表里
HKEY_USERS 项的 key 值来查询谁登录过机器（同样调用了 NetSessionEnum
API），某些功能需要拥有管理员权限才能使用。

psloggedon [-] [-l] [-x] [\\computername|username]
-：显示支持的选项和用于输出值的单位。
-l：仅显示本地登录，不显示本地和网络资源登录。
-x：不显示登录时间。
\\computername：指定要列出登录信息的计算机的名称。
Username：指定用户名，在网络中搜索该用户登录的计算机。

下载链接：psloggedon

pveFindADUser.exe 可用于查找 Active Directory 用户登录的位置，枚举域用户，以及查找在特定计算机上登录的用户，包括本地用户、通过 RDP 登录的用户、用于运行服务和计划任务的用户账户。运行该工具的计算机需要具有.NET Framework 2.0，并且需要具有管理员权限

pveFindADUser.exe <参数>
-h：显示帮助。
-u：检查是否有更新版本的实用程序。
-current [''username'']：如果仅指定了-current 参数，将获取所有目标计算机上当前登录的所有用户。如果指定了用户名（DOMAIN\Username），则显示该用户登录的计算机。
-last [''username'']：如果仅指定了-last 参数，将获取目标计算机上的最后一个登录用户。如果指定了用户名（DOMAIN\Username），则显示具有此用户账户作为上次登录的计算机。根据网络的策略，可能会隐藏最后一个登录用户名，且该工具可能无法得到该用户名。
-noping：阻止该工具在尝试获取用户登录信息之前对目标计算机执行 ping 命令。
-target：可选参数，用于指定要查询的主机。如果未指定此参数，将查询当前域中的所有主机。如果指定此参数，则后跟一个由逗号分隔的主机名列表。

下载链接：pveFindADUser.exe

netview.exe 是一个枚举工具，使用 WinAPI 枚举系统，利用 NetSessionEnum 找寻登录会话，利用 NetShareEnum 找寻共享，利用 NetWkstaUserEnum 枚举登录的用户。同时，netview.exe 能够查询共享入口和有价值用户。netview.exe 的绝大部分功能不需要管理员权限即可执行.

netview.exe <参数>-h：显示帮助菜单。-f filename.txt：指定从中提取主机列表的文件。-e filename.txt：指定要排除的主机名文件。-o filename.txt：将所有输出重定向到文件。-d domain：指定从中提取主机列表的域。如果没有指定，则使用当前域。-g group：指定用户搜寻的组名。如果没有指定，则使用 Domain Admins。-c：检查对已找到共享的访问权限。

下载链接：netiview

如果有域账户或者本地账户，就可以使用 Nmap 的 smb-enum-sessions.nse 引擎来获取远程机器的登录会话，并且不需要管理员权限

smb-enum-domains.nse：对域控制器进行信息收集，可以获取主机信息、用户、密码策略可以使用的用户等。
smb-enum-users.nse：在进行域渗透测试的时候，如果获取了域内某台主机的权限，但是权限有限，不能获取更多的域用户信息，就可以借助这个脚本对域控制器进行扫描。
smb-enum-shares.nse：遍历远程主机的共享目录。
smb-enum-processes.nse：对主机的系统进程进行遍历。通过这些信息，可以知道目标主机上运行软件信息，选择合适的漏洞或者规避防火墙及杀毒软件。
smb-enum-sessions.nse：获取域内主机的用户登录会话，查看当前是否有用户登录。
smb-os-discovery.nse：收集目标主机的操作系统、计算机名、域名、全称域名、域林名称、NetBIOS 机器名、NetBIOS 域名、工作组、系统时间。

下载链接：nmap

PowerView 是一款 PowerShell 脚本，里面有一些功能可以辅助找寻定位关键用户

Invoke-StealthUserHunter ：只需要一次查询，就可以获取域内的所有用户。从user.HomeDirectories 中提取所有用户，并对每个服务器进行 Get-NetSessions 获取。因为不需要使用 Invoke-UserHunter 对每台机器进行操作，所以这个方法的隐蔽性相对较高，但涉及的机器面不一定完整。默认使用 Invoke-StealthUserHunter，如果找不到需要的信息，就接着使用 Invoke-UserHunter 方法。
Invoke-UserHunter：找到域内特定的用户群。它接收用户名、用户列表或域组查询，并接收一个主机列表或查询可用的主机域名。它会使用 Get-NetSessions 和 Get-NetLoggedon（调用 NetSessionEnum 和 NetWkstaUserEnum API）扫描每个服务器，而且会比较结果，筛选出目标用户集。使用这个工具是不需要管理员权限的。在本地绕过执行该脚本，如图 2-72所示。

下载链接：PowerView

Empire 下的 user_hunter 模块;在 Empire 下也存在类似 Invoke-UserHunter 的模块——user_hunter，这个模块就是用来查找域管理员登录的机器的。

使用 usemodule situational_awareness/network/powerview/user_hunter 模块可以清楚地看到哪个用

8.敏感信息收集

A:站点源码备份文件，数据库配置文件备份，数据库备份文件（后缀.zip、xx.sql）

B：各类数据库的web管理入口，例如：phpmyadmin、adminer…

C:浏览器密码和浏览器cookie获取(Ie、Chrome、Firefox)

D:其他用户session，3389和ipc$连接记录，各用户回收站信息收集

E：目标内部各种账号密码信息，包括邮箱、Vpn、Ftp、Teamview……

D:vpn：mimikatz.exe privilege::debug token::elevate lsadump::sam lsadump::secrets exit

一些敏感文件

Dir c:*.doc /sDir /b/s password.txtDir /b/s config.*Dir /s pass == cred == vnc ==.config

收集当前主机中的明文密码

ssh> cd /var/www/htmlssh> shell find ./ -name “*.php” | xargs egrep –i “user|pass|pwd|uname|login|db_”