2013年3月5日 星期二

簡單的內網入侵指令與步驟


第一個重要的命令:ipconfig（Windows 上是 ipconfig；ifconfig 是 Linux/Unix 的指令）
ipconfig /all

要知道內網的初步結構,第一個是 ipconfig /all。從輸出可以看到子網路遮罩(subnet mask)、本機 IP、預設閘道(gateway)和 DNS 伺服器的 IP 位址。由此可以推估內網大概有幾個 subnet、每個 subnet 可能有多大等等；DNS 伺服器的位址也值得記下,在 AD 環境裡 DNS 常常就架在網域控制站上。

第二個重要的命令就是net指令:net

net view         -> 列出本機所在網域/工作群組中可看到的機器。注意它靠的是電腦瀏覽器服務(Computer Browser),只會列出有被瀏覽清單收錄的機器,數量會少於實際機器數
net view /domain  ->可以看到有幾個網域
net view /domain:域名 -> 是看每個網域中有多少台機器
net group /domain -> 看看用戶被分成多少個群組（在一般成員電腦上必須加 /domain,單獨的 net group 只能在網域控制站上執行）
net group "domain admins" /domain ->是可以看到網域管理員的名字,運氣好的情況下是直接可以看到域服務器(AD)是哪一台
另一個辦法是net time /domain,因為網域服務器(AD)一般也做時間服務器

我們也可以寫一個很短的 vbs 程式,透過 rootDSE 探測出網域控制站是哪一台,
1.vbs代碼如下:
set obj=GetObject("LDAP://rootDSE") wscript.echo obj.servername

cscript 1.vbs

收集的到這些信息夠了嗎?當然不足夠,所以我們還要繼續收集。
http://www.rlmueller.net這個網站是有很多專門針對網域的vbs,讓它更適應我們的入侵。

DocumentProperties.vbs
cscript DocumentProperties.vbs LDAP://dc=gethash,dc=cn（dc=gethash,dc=cn 只是範例,要換成自己網域的 DN）,你會得到非常多資訊。它會把 schema 裡該類別的所有屬性都列出來,建議重導到檔案再看:cscript //nologo DocumentProperties.vbs "LDAP://dc=gethash,dc=cn" > domain.txt

大家可能會想我為什麼會用 LDAP://dc=gethash,dc=cn,這串從哪來的?其實就是從 1.vbs 綁定的 rootDSE 來的:serverName 回傳的 DN 結尾就是 DC=...,DC=... 的部分;更直接的做法是讀 rootDSE 的 defaultNamingContext 屬性,它就是網域本身的 DN。

我們再用DocumentProperties.vbs來舉兩例,用它也直接可以探測本機信息的。
第一個是 cscript DocumentProperties.vbs WinNT://./administrator（WinNT 提供者,. 代表本機）,查看本機 administrator 的資訊,例如密碼最小長度、密碼多久會過期等。

如果你看到可能一兩天就要過期了,表示管理員一定會來修改密碼,這時你就必須想到趕緊要丟一下記錄密碼的東東上去了。



' DocumentProperties.vbs
' VBScript program to document all properties for a given Active
' Directory object. All properties in the Schema are listed, whether
' assigned a value or not. The values of the properties are output. The
' program requires the full AdsPath to an Active Directory object, using
' either the WinNT provider or the LDAP provider. Each provider exposes
' different properties.
'
' ----------------------------------------------------------------------
' Copyright (c) 2002-2010 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - November 10, 2002
' Version 1.1 - February 19, 2003 - Standardize Hungarian notation.
' Version 1.2 - May 9, 2003 - Account for error in IADsLargeInteger
'                             property methods HighPart and LowPart.
' Version 1.3 - January 25, 2004 - Modify error trapping.
' Version 1.4 - February 24, 2004 - Bug fix.
' Version 1.5 - October 13, 2010 - Improve handling of Integer8 and
'                                  Boolean values.
' Version 1.6 - November 6, 2010 - No need to set objects to Nothing.
'
' This script is designed to be run at a command prompt, using the
' Cscript host. The output can be redirected to a text file. For
' example:
' cscript //nologo DocumentProperties.vbs "ADSPATH" > Properties.txt
' ADSPATH can be similar to:
'   "WinNT://MyDomain/TestUser,user"
' or
'   "LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com"
'
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.

Option Explicit

Dim objADObject, objClass, strProperty, strValue, strAdsPath
Dim objShell, lngBiasKey, lngBias, j, strHex, strItem, objDate, dtmDate
Dim lngHigh, lngLow, lngValue, dtmValue

If (Wscript.Arguments.Count = 0) Then
    Wscript.Echo "Error, required argument missing."
    Wscript.Echo "DocumentProperties.vbs"
    Wscript.Echo "Program to list AD object properties"
    Wscript.Echo "Syntax:"
    Wscript.Echo "cscript DocumentProperties.vbs ADSPATH > output.txt"
    Wscript.Echo "where ADSPATH is the full AdsPath of an AD object."
    Wscript.Echo "For example, ADSPATH could be:"
    Wscript.Echo "  WinNT://MyDomain/TestUser,user"
    Wscript.Echo "  LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com"
    Wscript.Quit(1)
End If

' Bind to Active Directory object specified.
strAdsPath = Wscript.Arguments(0)
On Error Resume Next
Set objADObject = GetObject(strAdsPath)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Object not found in Active Directory"
    Wscript.Echo strAdsPath
    Wscript.Quit(1)
End If
On Error GoTo 0

' Determine Time Zone bias in local registry.
' This bias changes with Daylight Savings Time.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\" _
    & "Control\TimeZoneInformation\ActiveTimeBias")
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    lngBias = 0
    For j = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(j) * 256^j)
    Next
End If

Set objClass = GetObject(objADObject.Schema)

' Enumerate mandatory object properties.
For Each strProperty In objClass.MandatoryProperties
    On Error Resume Next
    strValue = objADObject.Get(strProperty)
    If (Err.Number = 0) Then
        On Error GoTo 0
        If (TypeName(strValue) = "String") Or (TypeName(strValue) = "Long") _
                Or (TypeName(strValue) = "Date") Then
            Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) & " = " _
                & CStr(strValue)
        ElseIf (TypeName(strValue) = "Byte()") Then
            strHex = OctetToHexStr(strValue)
            Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) & " = " _
                & CStr(strHex)
        ElseIf (TypeName(strValue) = "Variant()") Then
            For Each strItem In strValue
                On Error Resume Next
                Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
                    & " = " & CStr(strItem)
                If (Err.Number <> 0) Then
                    On Error GoTo 0
                    Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
                        & " = (Value cannot be displayed"
                End If
                On Error GoTo 0
            Next
        ElseIf (TypeName(strValue) = "Boolean") Then
            Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
                & " = " & CBool(strValue)
        Else
            Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
                & " Type " & TypeName(strValue)
        End If
    Else
        Err.Clear
        sColl = objADObject.GetEx(strProperty)
        If (Err.Number = 0) Then
            For Each strItem In sColl
                Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
                    & CStr(strItem)
                If (Err.Number <> 0) Then
                    Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
                        & "(Value cannot be displayed)"
                End If
            Next
            On Error GoTo 0
        Else
            Err.Clear
            Set objDate = objADObject.Get(strProperty)
            If (Err.Number = 0) Then
                lngHigh = objDate.HighPart
                If (Err.Number = 0) Then
                    lngLow = objDate.LowPart
                    If (lngLow < 0) Then
                        lngHigh = lngHigh + 1
                    End If
                    lngValue = (lngHigh * (2 ^ 32)) + lngLow
                    If (lngValue > 120000000000000000) Then
                        dtmValue = #1/1/1601# + (lngValue / 600000000 - lngBias) / 1440
                        On Error Resume Next
                        dtmDate = CDate(dtmValue)
                        If (Err.Number <> 0) Then
                            Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
                                & " = <Never>"
                        Else
                            Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
                                & " = " & CStr(dtmDate)
                        End If
                    Else
                        Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
                            & " = " & FormatNumber(lngValue, 0)
                    End If
                Else
                    Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
                        & " = (Value cannot be displayed)"
                End If
            Else
                On Error GoTo 0
                Wscript.Echo "(M) " & strProperty
            End If
            On Error GoTo 0
        End If
    End If
Next

' Enumerate optional object properties.
For Each strProperty In objClass.OptionalProperties
    On Error Resume Next
    strValue = objADObject.Get(strProperty)
    If (Err.Number = 0) Then
        On Error GoTo 0
        If (TypeName(strValue) = "String") Or (TypeName(strValue) = "Long") _
                Or (TypeName(strValue) = "Date") Then
            Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) & " = " _
                & CStr(strValue)
        ElseIf (TypeName(strValue) = "Byte()") Then
            strHex = OctetToHexStr(strValue)
            Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) & " = " _
                & CStr(strHex)
        ElseIf (TypeName(strValue) = "Variant()") Then
            For Each strItem In strValue
                On Error Resume Next
                Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
                    & " = " & CStr(strItem)
                If (Err.Number <> 0) Then
                    On Error GoTo 0
                    Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
                        & " = (Value cannot be displayed"
                End If
                On Error GoTo 0
            Next
        ElseIf (TypeName(strValue) = "Boolean") Then
            Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
                & " = " & CBool(strValue)
        Else
            Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
                & " Type " & TypeName(strValue)
        End If
    Else
        Err.Clear
        sColl = objADObject.GetEx(strProperty)
        If (Err.Number = 0) Then
            For Each strItem In sColl
                Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
                    & CStr(strItem)
                If (Err.Number <> 0) Then
                    Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
                        & "(Value cannot be displayed)"
                End If
            Next
            On Error GoTo 0
        Else
            Err.Clear
            Set objDate = objADObject.Get(strProperty)
            If (Err.Number = 0) Then
                lngHigh = objDate.HighPart
                If (Err.Number = 0) Then
                    lngLow = objDate.LowPart
                    If (lngLow < 0) Then
                        lngHigh = lngHigh + 1
                    End If
                    lngValue = (lngHigh * (2 ^ 32)) + lngLow
                    If (lngValue > 120000000000000000) Then
                        dtmValue = #1/1/1601# + (lngValue / 600000000 - lngBias) / 1440
                        On Error Resume Next
                        dtmDate = CDate(dtmValue)
                        If (Err.Number <> 0) Then
                            Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
                                & " = <Never>"
                        Else
                            Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
                                & " = " & CStr(dtmDate)
                        End If
                    Else
                        Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
                            & " = " & FormatNumber(lngValue, 0)
                    End If
                Else
                    Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
                        & " = (Value cannot be displayed)"
                End If
            Else
                On Error GoTo 0
                Wscript.Echo "(O) " & strProperty
            End If
            On Error GoTo 0
        End If
    End If
Next

Function OctetToHexStr(arrbytOctet)
    ' Function to convert OctetString (Byte Array) to a hex string.
    Dim k
    OctetToHexStr = ""
    For k = 1 To Lenb(arrbytOctet)
        OctetToHexStr = OctetToHexStr _
            & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
    Next
End Function
