How to collect intranet information

The essence of penetration testing is information collection. We can roughly divide the intranet information collection into five steps, namely local information collection, domain information collection, login credential theft, survival host detection, and intranet port scanning.

The two most common questions are:

• Who am I? -- whoami
• Where am I? -- ipconfig/ifconfig

When we gain administrator privileges on a host, we are always eager to learn more.

Local information collection

1. Query account information:

Understand the user role and user permissions of the current host to determine whether permissions need to be further enhanced.

 win: whoami, net user username
 linux: whoami, id, cat /etc/shadow, cat /etc/passwd

2. Query network and port information

Confirm the connected network status based on the IP address/network connection/related network address of the destination host.

 Win: ipconfig, netstat -ano
 ARP table: arp -a
 Routing table: route print
 View the DNS cache record command: ipconfig/displaydns 
 
 linux: ifconfig, netstat -anplt
 ARP table: arp -a / Routing table: route -n
 View login log to obtain login source IP

3. Query the process list

Check all processes running locally and confirm the status of local software, with a focus on security software.

 win:tasklist
 linux: ps, top

4. Query system and patch information

Get the system version and patch update status of the current host, which can be used to assist in escalating permissions.

 win:systeminfo, query system information/patch installation status.
 wmic qfe get Caption,description,HotfixID,installedOn //Query patch information, including description link/patch description/KB number/update time and other information
 wmic qfe list full query all information 
 
 Linux: Check the kernel version by uname -a or use rpm -qa to check which packages are installed

5. Credentials Collection

Sensitive information is stored on the server side, and various login credentials are collected to expand the results.

 Windows:
 Local password hash and plain text password/browser password capture/server plain text password
 linux:
 history records sensitive operations/shadow file cracking/mimipenguin captures passwords/uses Strace to collect login credentials/full disk search for sensitive information

Information collection within the domain

After collecting the relevant information of the local machine, it is necessary to determine whether the current host is in the domain. If it is in the domain, it is necessary to further collect information in the domain.

1. Determine whether there is a domain

Generally, domain servers will also serve as time servers, so use the following command to determine the primary domain

 After running the net time /domain command, there are generally three situations as follows: 
 
 1. A domain exists, but the current user is not a domain user, and the prompt indicates that the permissions are insufficient.
  C:\Users > bypass > net time /domain
 System error 5 occurred
  access denied. 
 
 2. A domain exists and the current user is a domain user
   C:\Users\Administrator > net time /domain
 The current time of \\dc.test.com is 2020/10/23 21:18:37 
 
 The command completed successfully. 
 
 3. The current network environment is a workgroup, and there is no domain
   C:\Users\Administrator > net time /domain
 Unable to locate domain controller for domain WORKGROUP.

2. Find the domain administrator

 net user /domain //Get domain user list
 net group /domain //Query the list of all user groups in the domain
 net group "Domain Admins" /domain //Query domain administrator users
 net group "Domain Controllers" /domain //View domain controllers
 net localgroup administrators /domain //Query the domain's built-in local administrator group users

3. Find the domain controller

Generally speaking, the domain controller server IP address is the DNS server address. By finding the DNS server address, you can locate the domain controller.

 nslookup/ping domain name, resolve to domain controller server IP address