Intranet detection 1- working group information collection & intra domain information collection
2022-07-22 00:12:00, author: Dark white earphone
1. Working group information collection
After obtaining a foothold on the victim host, first collect information about the host itself and about the intranet it sits on.

Windows commands for local information collection:
Query the network configuration (adapters, DNS suffix, DNS servers, gateway): ipconfig /all
List local users: net user
List members of the local Administrators group (on a domain-joined host this usually contains domain users or groups): net localgroup administrators
View currently logged-on users: query user, or qwinsta
Query the process list and check it for anti-virus, EDR and VPN agents: tasklist /v, or wmic process list brief
Get the operating system name and version: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
List installed software with version and install path: wmic product get name,version,installlocation, or powershell "Get-WmiObject -Class Win32_Product | Select-Object -Property Name,Version"
(Win32_Product is slow and triggers a consistency check of every installed MSI package, which leaves MsiInstaller entries in the Application event log; the Uninstall registry keys give the same list quietly.)
Query listening ports and connections with the owning PID: netstat -ano
Query installed patches: systeminfo, or wmic qfe get Caption,Description,HotFixID,InstalledOn
Query local shares: net share, or wmic share get name,path,status; shares on another host: net view \\hostname
Query the current user's privileges, group memberships and SIDs: whoami /all (for a domain user the account SID also reveals the domain SID, which is the part before the final RID)
Query the details of a specific domain account: net user XXX /domain
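The following PowerShell function is an added example, not code from the original post: it gathers the same local inventory in one pass and returns it as an object that can be saved as JSON and diffed later. It assumes Windows PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or later (Get-CimInstance, Get-NetTCPConnection, Get-LocalGroupMember, Get-SmbShare are all built in there); the list of agent process names is an illustrative assumption.

```powershell
# Added example (not from the original post): one-shot local recon for a working-group host.
# Assumes Windows PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or later.
function Get-LocalRecon {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance Win32_OperatingSystem

    # Anti-virus products registered with Security Center. The SecurityCenter2
    # namespace only exists on workstation editions, so treat failure as "unknown".
    try {
        $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object -ExpandProperty displayName
    } catch {
        $av = @('unknown (no SecurityCenter2 namespace, probably a server)')
    }

    # Process names that commonly belong to AV/EDR/VPN agents (assumed, illustrative list).
    $watch  = 'MsMpEng','SenseIR','CSFalconService','xagt','CylanceSvc','SentinelAgent','vpnagent','openvpn'
    $agents = Get-Process | Where-Object { $watch -contains $_.ProcessName } |
        Select-Object -ExpandProperty ProcessName -Unique

    # Listening TCP ports with owning process: the LISTEN subset of netstat -ano.
    $listen = Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Pid = $_.OwningProcess; Process = $p.ProcessName }
    } | Sort-Object Port -Unique

    # Installed hotfixes, the same data wmic qfe returns.
    $hotfixes = Get-CimInstance Win32_QuickFixEngineering |
        Select-Object HotFixID, Description, InstalledOn

    # Installed software from the Uninstall keys; unlike Win32_Product this does not
    # trigger an MSI consistency check on every package.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $software = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, InstallLocation

    # Local Administrators by well-known SID, so it works on non-English systems too.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        OS          = "$($os.Caption) $($os.Version)"
        CurrentUser = "$env:USERDOMAIN\$env:USERNAME"
        LocalAdmins = $admins
        LoggedOn    = (query user 2>$null)
        AntiVirus   = $av
        Agents      = $agents
        Listening   = $listen
        Hotfixes    = $hotfixes
        Software    = $software
        Shares      = (Get-SmbShare | Select-Object Name, Path)
        NetConfig   = (Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, DNSServer)
    }
}

# Usage: collect, review on screen, and keep a copy for offline analysis.
$recon = Get-LocalRecon
$recon | Format-List
$recon | ConvertTo-Json -Depth 4 | Set-Content "$env:TEMP\recon-$($env:COMPUTERNAME).json"
```

Everything here is read-only and uses built-in cmdlets, so it leaves far fewer traces than dropping a scanner binary; the one noisy call deliberately avoided is Win32_Product.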
2. Domain information collection
Determine whether the host is in a domain:
ipconfig /all (check the DNS suffix and DNS servers; in a domain the DNS server is usually a domain controller)
systeminfo (check the "Domain" line; if it shows WORKGROUP, the host is not domain-joined)
net config workstation (shows the workstation domain and the logon domain)
net time /domain (asks a domain controller for the time; the reply also names the DC)
The results fall into three cases:
1. A domain exists, but the current user is a local account rather than a domain user: domain queries such as net time /domain typically fail with "System error 5, access is denied"
2. A domain exists and the current user is a domain user: domain queries succeed and return the domain controller name
3. No domain exists: the host is in a workgroup and net time /domain cannot find a domain controller
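As an added example (not code from the original post), the function below sorts the host into the three cases above without calling net.exe: it reads Win32_ComputerSystem.PartOfDomain and compares the logon domain of the current token with the computer name, then resolves the LDAP SRV record to find domain controllers. It assumes PowerShell 3.0 or later on Windows 8 / Server 2012 or later (for Resolve-DnsName and Get-DnsClientGlobalSetting).

```powershell
# Added example (not from the original post): classify the domain situation of the host.
function Get-DomainSituation {
    $cs     = Get-CimInstance Win32_ComputerSystem
    $ident  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Name is DOMAIN\user for domain accounts and COMPUTERNAME\user for local accounts.
    # NT AUTHORITY\SYSTEM on a domain-joined host acts as the computer account, so it
    # falls into case 2 below.
    $logonDomain = ($ident.Name -split '\\')[0]

    $case = if (-not $cs.PartOfDomain) {
        3   # no domain: $cs.Domain holds the workgroup name (usually WORKGROUP)
    } elseif ($logonDomain -ieq $env:COMPUTERNAME) {
        1   # domain exists, but we hold a local token: /domain queries will be denied
    } else {
        2   # domain exists and we hold a domain token
    }

    $roles = @{ 0='standalone workstation'; 1='member workstation'; 2='standalone server';
                3='member server'; 4='backup domain controller'; 5='primary domain controller' }

    # DNS confirms the domain name and locates the DCs; SRV lookup only makes sense in a domain.
    $dcs = @()
    if ($case -ne 3) {
        try {
            $dcs = (Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$($cs.Domain)" -ErrorAction Stop).NameTarget
        } catch { $dcs = @() }
    }

    [pscustomobject]@{
        Case              = $case
        PartOfDomain      = $cs.PartOfDomain
        DomainOrWorkgroup = $cs.Domain
        DomainRole        = $roles[[int]$cs.DomainRole]
        CurrentUser       = $ident.Name
        LogonDomain       = $logonDomain
        DnsSuffixes       = ((Get-DnsClientGlobalSetting).SuffixSearchList -join ',')
        DomainControllers = $dcs
    }
}

Get-DomainSituation | Format-List
```

In case 1 the host is still a useful pivot: the computer account itself is a domain member, so SYSTEM-level access (or captured domain credentials) turns case 1 into case 2 without changing hosts.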
Live host discovery in the domain
NetBIOS scan, fast on an intranet, with nbtscan: nbtscan.exe <ip or ip range>
ICMP sweep from cmd: for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.1.%I | findstr "TTL=" (the -w timeout is in milliseconds; raise it if hosts are missed), or a VBScript sweep: cscript icmp.vbs
ARP scan of the whole segment (works on the local segment only, but also finds hosts whose firewall drops ICMP): arp-scan (arp.exe -t <ip>), Invoke-ARPScan.ps1, or Empire's arpscan module
TCP/UDP port scan with ScanLine:
scanline.exe -h -t 22,80-89,110,389,445,1099,1433,2049,3306,3389,5432,6379,7001,8080,1521 -u 53,161,137,139 -O c:\windows\temp\sl_res.txt -p 192.168.116.1-254 /b
(-h hides hosts with no open ports, -t and -u give the TCP and UDP port lists, -O writes the results to a file, -p skips the ping before scanning, and /b grabs banners from open ports.)
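When no scanner can be dropped on the host, the ping loop and the ScanLine scan above can be reproduced with .NET classes from PowerShell. The block below is an added example, not code from the original post; the subnet prefix, port list and timeouts are assumptions to adjust per environment. It needs only PowerShell 3.0 or later and issues all probes for a host in parallel, so a /24 sweep takes seconds rather than minutes.

```powershell
# Added example (not from the original post): ICMP sweep and TCP connect scan in PowerShell.

function Invoke-PingSweep {
    param(
        [Parameter(Mandatory)][string]$Prefix,   # e.g. '192.168.1'
        [int]$Start = 1,
        [int]$End = 254,
        [int]$TimeoutMs = 300                     # the cmd loop's -w 1 is 1 ms, too short for most LANs
    )
    $tasks = foreach ($i in $Start..$End) {
        $ip   = "$Prefix.$i"
        $ping = New-Object System.Net.NetworkInformation.Ping
        [pscustomobject]@{ Ip = $ip; Task = $ping.SendPingAsync($ip, $TimeoutMs) }
    }
    # WaitAll throws if any probe faulted (e.g. adapter down); the results are still usable.
    try { [System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]$tasks.Task) } catch {}
    $tasks | Where-Object { -not $_.Task.IsFaulted -and $_.Task.Result.Status -eq 'Success' } |
        ForEach-Object { [pscustomobject]@{ Ip = $_.Ip; Ttl = $_.Task.Result.Options.Ttl } }
}

function Invoke-TcpScan {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Target,
        [int[]]$Ports = @(22,80,88,135,139,389,445,1433,3306,3389,5985,6379,8080),
        [int]$TimeoutMs = 500
    )
    process {
        $pending = foreach ($p in $Ports) {
            $c = New-Object System.Net.Sockets.TcpClient
            [pscustomobject]@{ Port = $p; Client = $c; Task = $c.ConnectAsync($Target, $p) }
        }
        # Refused connections fault their task, which makes WaitAll throw after the wait; ignore it.
        try { [void][System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]$pending.Task, $TimeoutMs) } catch {}
        foreach ($x in $pending) {
            if ($x.Task.IsCompleted -and -not $x.Task.IsFaulted -and $x.Client.Connected) {
                [pscustomobject]@{ Host = $Target; Port = $x.Port; State = 'open' }
            }
            $x.Client.Dispose()
        }
    }
}

# Usage (assumed subnet): find live hosts, then scan them for the common service ports.
$alive = Invoke-PingSweep -Prefix '192.168.1'
$alive | Format-Table -AutoSize
$open = $alive.Ip | Invoke-TcpScan
$open | Format-Table -AutoSize
$open | Export-Csv "$env:TEMP\portscan.csv" -NoTypeInformation
```

A TTL of 128 in the sweep usually indicates a Windows host and 64 a Linux host, which helps pick targets before port scanning; hosts that drop ICMP but answer on 445 or 3389 can be caught by feeding the whole range to Invoke-TcpScan instead of only the ping responders.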
Basic information collection in the domain
These commands query the domain controller, so they only work when the current session holds domain credentials (case 2 above).
Query the domains visible from this host: net view /domain
Query the computers in a domain: net view /domain:<domain name>
Query all groups in the domain: net group /domain
Query the domain administrators group: net group "domain admins" /domain
Query the enterprise administrators group (exists only in the forest root domain): net group "Enterprise Admins" /domain
Query the list of all domain users: net user /domain
Query user accounts with SID and status, local and domain alike: wmic useraccount get /all (slow on a large domain; add where "domain='<domain name>'" to restrict it)
Query domain users with dsquery (needs the AD DS command-line tools, present on domain controllers and on hosts with RSAT): dsquery user
Query the members of the Administrators group on the domain controller, i.e. the domain's built-in Administrators group: net localgroup administrators /domain
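The net commands above truncate long names and cannot expand nested groups. The block below is an added example, not code from the original post: it enumerates domain users, computers, domain controllers and the two admin groups directly over LDAP with ADSI, which works from any domain-joined host with a domain token and needs neither RSAT nor net.exe. Only standard AD schema attributes and the matching-rule OIDs defined by Microsoft are used; the group names are the defaults and could differ on a localized domain.

```powershell
# Added example (not from the original post): domain enumeration over LDAP with ADSI.

function Search-Ad {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samAccountName','distinguishedName'),
        [string]$SearchBase                     # defaults to the current domain's naming context
    )
    if (-not $SearchBase) { $SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000                 # paged results; otherwise the DC caps a query at 1000 objects
    $Properties | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) { $o[$p] = ($r.Properties[$p.ToLower()] | Select-Object -First 1) }
        [pscustomobject]$o
    }
}

$root     = [ADSI]'LDAP://RootDSE'
$domainNC = $root.defaultNamingContext
$forestNC = $root.rootDomainNamingContext      # Enterprise Admins lives in the forest root domain

# Equivalent of: net group "domain admins" /domain, but resolved recursively through nested
# groups with the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941).
$daDn = (Search-Ad -Filter '(&(objectClass=group)(sAMAccountName=Domain Admins))').distinguishedName
$domainAdmins = Search-Ad -Filter "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$daDn))" `
    -Properties samAccountName,displayName,lastLogonTimestamp

# Equivalent of: net group "Enterprise Admins" /domain, searched in the forest root.
$eaDn = (Search-Ad -SearchBase $forestNC -Filter '(&(objectClass=group)(sAMAccountName=Enterprise Admins))').distinguishedName
$enterpriseAdmins = Search-Ad -SearchBase $forestNC -Filter "(memberOf:1.2.840.113556.1.4.1941:=$eaDn)"

# Equivalent of: net user /domain and net view /domain:<domain>
$users     = Search-Ad -Filter '(&(objectCategory=person)(objectClass=user))' -Properties samAccountName,userAccountControl,description
$computers = Search-Ad -Filter '(objectCategory=computer)' -Properties name,dNSHostName,operatingSystem
# Domain controllers: SERVER_TRUST_ACCOUNT (0x2000) set in userAccountControl, via the bitwise-AND OID.
$dcs       = Search-Ad -Filter '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' -Properties dNSHostName

"Domain: $domainNC"
"Forest root: $forestNC"
"Domain controllers:";           $dcs | Format-Table -AutoSize
"Domain Admins (recursive):";    $domainAdmins | Format-Table -AutoSize
"Enterprise Admins (recursive):"; $enterpriseAdmins | Format-Table -AutoSize
"Users: $(@($users).Count)  Computers: $(@($computers).Count)"
$users | Export-Csv "$env:TEMP\domain-users.csv" -NoTypeInformation
$computers | Export-Csv "$env:TEMP\domain-computers.csv" -NoTypeInformation
```

Distinguished names containing characters such as parentheses or asterisks must be escaped before they are placed in an LDAP filter; the default Domain Admins DN never contains them, which is why the example can interpolate it directly. The description attribute pulled for every user is worth reading: administrators sometimes leave passwords or role notes in it.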