Tuesday, March 5, 2013
Simple internal network intrusion commands and steps
The first important command: ipconfig
ipconfig /all
To learn the rough structure of the internal network, the first step is ipconfig /all. From its output we can read the subnet mask, the local IP, the gateway and the DNS server IP addresses, and from those we can work out how many subnets there are and roughly how large each one might be.
The second important command is the net command: net
net view -> shows roughly how many machines are in the domain the local machine belongs to
net view /domain -> shows how many domains there are
net view /domain:<domain name> -> shows how many machines are in each domain
net group -> shows how many groups the users have been divided into
net group "domain admins" /domain -> shows the names of the domain administrators; with some luck it also reveals directly which machine is the domain controller (AD)
Another way is net time /domain, because the domain controller (AD) usually also serves as the time server.
We can also write a very short VBS program to find out which machine is the domain controller.
The code for 1.vbs is as follows:
set obj = GetObject("LDAP://rootDSE")
wscript.echo obj.servername
cscript 1.vbs
Is the information collected so far enough? Of course not, so we keep collecting.
The website http://www.rlmueller.net has many VBS scripts written specifically for domains, which suit our intrusion well.
DocumentProperties.vbs
cscript DocumentProperties.vbs LDAP://dc=gethash,dc=cn will give you a lot of information.
You may wonder why I used LDAP://dc=gethash,dc=cn and where that string came from; it was obtained from 1.vbs (the serverName attribute of rootDSE is the distinguished name of the domain controller you are bound to, and its dc= components are the domain).
Let us use DocumentProperties.vbs for two more examples; it can also probe local machine information directly.
The first is cscript DocumentProperties.vbs WinNT://./administrator, which shows the local administrator's information, such as the password length and how long until it expires.
If you see that it will expire in a day or two, the administrator is sure to come and change the password, and that is when you need to think about quickly dropping something on the machine to record the password.
' DocumentProperties.vbs
' VBScript program to document all properties for a given Active
' Directory object. All properties in the Schema are listed, whether
' assigned a value or not. The values of the properties are output. The
' program requires the full AdsPath to an Active Directory object, using
' either the WinNT provider or the LDAP provider. Each provider exposes
' different properties.
'
' ----------------------------------------------------------------------
' Copyright (c) 2002-2010 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - November 10, 2002
' Version 1.1 - February 19, 2003 - Standardize Hungarian notation.
' Version 1.2 - May 9, 2003 - Account for error in IADsLargeInteger
' property methods HighPart and LowPart.
' Version 1.3 - January 25, 2004 - Modify error trapping.
' Version 1.4 - February 24, 2004 - Bug fix.
' Version 1.5 - October 13, 2010 - Improve handling of Integer8 and
' Boolean values.
' Version 1.6 - November 6, 2010 - No need to set objects to Nothing.
'
' This script is designed to be run at a command prompt, using the
' Cscript host. The output can be redirected to a text file. For
' example:
' cscript //nologo DocumentProperties.vbs "ADSPATH" > Properties.txt
' ADSPATH can be similar to:
' "WinNT://MyDomain/TestUser,user"
' or
' "LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com"
'
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.
Option Explicit
Dim objADObject, objClass, strProperty, strValue, strAdsPath
Dim objShell, lngBiasKey, lngBias, j, strHex, strItem, objDate, dtmDate
Dim lngHigh, lngLow, lngValue, dtmValue, sColl
If (Wscript.Arguments.Count = 0) Then
Wscript.Echo "Error, required argument missing."
Wscript.Echo "DocumentProperties.vbs"
Wscript.Echo "Program to list AD object properties"
Wscript.Echo "Syntax:"
Wscript.Echo "cscript DocumentProperties.vbs ADSPATH > output.txt"
Wscript.Echo "where ADSPATH is the full AdsPath of an AD object."
Wscript.Echo "For example, ADSPATH could be:"
Wscript.Echo " WinNT://MyDomain/TestUser,user"
Wscript.Echo " LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com"
Wscript.Quit(1)
End If
' Bind to Active Directory object specified.
strAdsPath = Wscript.Arguments(0)
On Error Resume Next
Set objADObject = GetObject(strAdsPath)
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "Object not found in Active Directory"
Wscript.Echo strAdsPath
Wscript.Quit(1)
End If
On Error GoTo 0
' Determine Time Zone bias in local registry.
' This bias changes with Daylight Savings Time.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\" _
& "Control\TimeZoneInformation\ActiveTimeBias")
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
lngBias = 0
For j = 0 To UBound(lngBiasKey)
lngBias = lngBias + (lngBiasKey(j) * 256^j)
Next
End If
Set objClass = GetObject(objADObject.Schema)
' Enumerate mandatory object properties.
For Each strProperty In objClass.MandatoryProperties
On Error Resume Next
strValue = objADObject.Get(strProperty)
If (Err.Number = 0) Then
On Error GoTo 0
If (TypeName(strValue) = "String") Or (TypeName(strValue) = "Long") _
Or (TypeName(strValue) = "Date") Then
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) & " = " _
& CStr(strValue)
ElseIf (TypeName(strValue) = "Byte()") Then
strHex = OctetToHexStr(strValue)
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) & " = " _
& CStr(strHex)
ElseIf (TypeName(strValue) = "Variant()") Then
For Each strItem In strValue
On Error Resume Next
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
& " = " & CStr(strItem)
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
& " = (Value cannot be displayed)"
End If
On Error GoTo 0
Next
ElseIf (TypeName(strValue) = "Boolean") Then
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
& " = " & CBool(strValue)
Else
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
& " Type " & TypeName(strValue)
End If
Else
Err.Clear
sColl = objADObject.GetEx(strProperty)
If (Err.Number = 0) Then
For Each strItem In sColl
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
& " = " & CStr(strItem)
If (Err.Number <> 0) Then
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
& " = (Value cannot be displayed)"
End If
Next
On Error GoTo 0
Else
Err.Clear
Set objDate = objADObject.Get(strProperty)
If (Err.Number = 0) Then
lngHigh = objDate.HighPart
If (Err.Number = 0) Then
lngLow = objDate.LowPart
If (lngLow < 0) Then
lngHigh = lngHigh + 1
End If
lngValue = (lngHigh * (2 ^ 32)) + lngLow
If (lngValue > 120000000000000000) Then
dtmValue = #1/1/1601# + (lngValue / 600000000 - lngBias) / 1440
On Error Resume Next
dtmDate = CDate(dtmValue)
If (Err.Number <> 0) Then
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
& " = <Never>"
Else
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
& " = " & CStr(dtmDate)
End If
Else
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
& " = " & FormatNumber(lngValue, 0)
End If
Else
Wscript.Echo "(M) " & Left(strProperty & Space(34), 35) _
& " = (Value cannot be displayed)"
End If
Else
On Error GoTo 0
Wscript.Echo "(M) " & strProperty
End If
On Error GoTo 0
End If
End If
Next
' Enumerate optional object properties.
For Each strProperty In objClass.OptionalProperties
On Error Resume Next
strValue = objADObject.Get(strProperty)
If (Err.Number = 0) Then
On Error GoTo 0
If (TypeName(strValue) = "String") Or (TypeName(strValue) = "Long") _
Or (TypeName(strValue) = "Date") Then
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) & " = " _
& CStr(strValue)
ElseIf (TypeName(strValue) = "Byte()") Then
strHex = OctetToHexStr(strValue)
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) & " = " _
& CStr(strHex)
ElseIf (TypeName(strValue) = "Variant()") Then
For Each strItem In strValue
On Error Resume Next
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
& " = " & CStr(strItem)
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
& " = (Value cannot be displayed)"
End If
On Error GoTo 0
Next
ElseIf (TypeName(strValue) = "Boolean") Then
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
& " = " & CBool(strValue)
Else
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
& " Type " & TypeName(strValue)
End If
Else
Err.Clear
sColl = objADObject.GetEx(strProperty)
If (Err.Number = 0) Then
For Each strItem In sColl
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
& " = " & CStr(strItem)
If (Err.Number <> 0) Then
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
& " = (Value cannot be displayed)"
End If
Next
On Error GoTo 0
Else
Err.Clear
Set objDate = objADObject.Get(strProperty)
If (Err.Number = 0) Then
lngHigh = objDate.HighPart
If (Err.Number = 0) Then
lngLow = objDate.LowPart
If (lngLow < 0) Then
lngHigh = lngHigh + 1
End If
lngValue = (lngHigh * (2 ^ 32)) + lngLow
If (lngValue > 120000000000000000) Then
dtmValue = #1/1/1601# + (lngValue / 600000000 - lngBias) / 1440
On Error Resume Next
dtmDate = CDate(dtmValue)
If (Err.Number <> 0) Then
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
& " = <Never>"
Else
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
& " = " & CStr(dtmDate)
End If
Else
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
& " = " & FormatNumber(lngValue, 0)
End If
Else
Wscript.Echo "(O) " & Left(strProperty & Space(34), 35) _
& " = (Value cannot be displayed)"
End If
Else
On Error GoTo 0
Wscript.Echo "(O) " & strProperty
End If
On Error GoTo 0
End If
End If
Next
Function OctetToHexStr(arrbytOctet)
' Function to convert OctetString (Byte Array) to a hex string.
Dim k
OctetToHexStr = ""
For k = 1 To Lenb(arrbytOctet)
OctetToHexStr = OctetToHexStr _
& Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
Next
End Function
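As an added example (not part of the original post, and not one of Richard Mueller's scripts), here is the defender's side of the commands walked through above: a small Python detector that reads process-creation records in a constructed, simplified log format (ISO timestamp, host=, user=, cmd=; not any real SIEM schema) and flags hosts where several of the enumeration commands from this post run within a short window. A lone net view is routine admin work, so the sequence is the signal; net.exe hands many subcommands to net1.exe, so both names are matched.

```python
import re
from datetime import datetime, timedelta
# Commands walked through in the post; net.exe hands many subcommands to net1.exe.
RECON_PATTERNS = [
    (re.compile(r'^ipconfig(\.exe)?\s+/all', re.I), "ipconfig /all"),
    (re.compile(r'^net1?(\.exe)?\s+view\b', re.I), "net view"),
    (re.compile(r'^net1?(\.exe)?\s+group\s+"?domain admins"?', re.I), "net group domain admins"),
    (re.compile(r'^net1?(\.exe)?\s+group\b', re.I), "net group"),
    (re.compile(r'^net1?(\.exe)?\s+time\s+/domain', re.I), "net time /domain"),
    (re.compile(r'^cscript(\.exe)?\b.*\.vbs', re.I), "cscript .vbs"),
]
# Constructed log format for this example only: "<ISO time> host=<h> user=<u> cmd=<cmdline>".
LINE_RE = re.compile(r'^(\S+) host=(\S+) user=\S+ cmd=(.*)$')
SAMPLE_LOG = """\
2013-03-05T09:58:10 host=WS01 user=alice cmd=ipconfig /all
2013-03-05T09:59:02 host=WS01 user=alice cmd=net view /domain
2013-03-05T09:59:40 host=WS01 user=alice cmd=net1 group "domain admins" /domain
2013-03-05T10:00:15 host=WS01 user=alice cmd=net time /domain
2013-03-05T10:00:50 host=WS01 user=alice cmd=cscript 1.vbs
2013-03-05T10:30:00 host=FS02 user=bob cmd=net view
2013-03-05T11:12:00 host=FS02 user=bob cmd=ipconfig /all
2013-03-05T13:00:00 host=WS07 user=carol cmd=notepad.exe report.txt
"""

def classify(cmdline):
    """Return the recon label for a command line, or None if it is not one."""
    for pattern, label in RECON_PATTERNS:
        if pattern.search(cmdline.strip()):
            return label
    return None

def find_recon_hosts(log, window_minutes=10, min_distinct=3):
    """Hosts where >= min_distinct distinct recon commands ran within window_minutes.
    A lone 'net view' is routine admin work; the sequence is the signal."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        label = classify(m.group(3)) if m else None
        if label:
            by_host.setdefault(m.group(2), []).append((datetime.fromisoformat(m.group(1)), label))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            labels = {lbl for ts, lbl in events[i:] if ts - start <= window}
            if len(labels) >= min_distinct:
                hits[host] = sorted(labels)
                break
    return hits
```

With the constructed sample, only WS01 trips the default threshold; FS02 ran two of the commands 42 minutes apart, which only surfaces if the window is widened and the threshold lowered.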