Intranet penetration beginner foundation 02

Intranet information collection 01

Around three aspects:

Who am I? -- Judge the role of the current machine.
Where is this? -- Analyze and judge the topology of the current network environment.
Where am I? -- Judge the network area in which the current machine is located.

Collect local machine information

Collect information manually

Local information:

Operating system
Intranet IP address segment
Anti-virus software
Patch update frequency
Network connections

1. Query network configuration information

Under Windows:
ipconfig /all

2. Query operating system and software information

  1. Query operating system and version information

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

On a Chinese-language Windows build the labels are localized, so replace "OS Name" with "OS 名称" and "OS Version" with "OS 版本".

  2. View system architecture

  3. Check the installed software, version, path, etc.

wmic product get name,version

The wmic command is used to produce this output.

You can also use PowerShell to get the version information of the software

powershell "Get-WmiObject -class Win32_Product | Select-Object -Property name,version"

3. Query local service information

wmic service list brief

4. Query process list

wmic process list brief

5. View startup program information

wmic startup get command,caption

6. View scheduled tasks

schtasks /query /fo LIST /v

7. View host boot time (uptime)

net statistics workstation

8. View user list

net user

Get local administrator

net localgroup administrators

View current online users

query user || qwinsta

9. List or disconnect sessions between the local computer and connected clients

net session

Running this from a normal command prompt fails with a system error (access denied), so run it from an elevated (administrator) PowerShell or command prompt.

10. Query port list

netstat -ano

11. View patch list


You can also use the wmic command to view the patches installed on the system

wmic qfe get Caption,Description,HotFixID,InstalledOn

12. Query local share list

net share

The wmic command can also list the shares:

wmic share get name,path,status

13. Query routing table and ARP cache table of all available interfaces

View routing table

route print

View the ARP cache table for all available interfaces

arp -a

14. Query firewall related configuration

  1. Turn off the firewall

Windows Server 2003 and earlier:

netsh firewall set opmode disable

Versions after Windows Server 2003:

netsh advfirewall set allprofiles state off

  2. View firewall configuration

netsh firewall show config

  3. Modify firewall configuration

On Windows Server 2003 and earlier, to allow a specified program to connect, the command is:

netsh firewall add allowedprogram c:\nc.exe "allow nc" enable

Versions after Windows Server 2003:

  • Allow the specified program inbound. The command is as follows:
netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C:\nc.exe"
  • Allow the specified program outbound. The command is as follows:
netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="C:\nc.exe"
  • Allow port 3389 through. The command is as follows:
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

  4. Customize the storage location of firewall logs
netsh advfirewall set currentprofile logging filename "C:\window

15. View proxy configuration

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

The figure shows the proxy configuration for (local) port 4780.

16. Query and start the remote connection service

  • View the remote connection port
    This is the registry query. The port is returned as 0xd3d, which converts to port 3389.
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber

  • Open port 3389 under Windows 2003
wmic path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1

Automatically collect information

There are many scripts on the Internet that collect this information automatically, and of course you can write your own. WMIC is currently recommended because it is easy to use.

WMIC stands for Windows Management Instrumentation Command-line. It is the most useful Windows command-line tool.

  • By default, low-privilege users on Windows XP cannot access WMIC; on Windows 7 and later, low-privilege users are allowed to access WMIC and run the related queries.

  • After the WMIC script runs, all results are written to an HTML file.
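The enumeration commands in this post, run back-to-back from one shell, are exactly what a defender looks for in process-creation telemetry. As an added example (not from the original post), the Python below parses a constructed, simplified log format, assigns each command line to a category and flags any parent process that runs three or more categories within a five-minute window; the log format and the category grouping are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (timestamp, parent PID, command line); not real telemetry.
SAMPLE_LOG = """\
2021-10-01 04:29:01 ppid=4120 cmd=ipconfig /all
2021-10-01 04:29:03 ppid=4120 cmd=systeminfo
2021-10-01 04:29:05 ppid=4120 cmd=wmic qfe get Caption,Description,HotFixID,InstalledOn
2021-10-01 04:29:07 ppid=4120 cmd=net user
2021-10-01 04:29:10 ppid=4120 cmd=netstat -ano
2021-10-01 04:31:00 ppid=9001 cmd=ipconfig /all
2021-10-01 05:10:00 ppid=9001 cmd=net user
"""
# Enumeration commands from this post, grouped by what they reveal (hypothetical grouping).
RECON_PATTERNS = {
    "network": re.compile(r"^(ipconfig|netstat|route print|arp -a)", re.I),
    "system": re.compile(r"^(systeminfo|wmic (qfe|product|service|process|startup|share))", re.I),
    "users": re.compile(r"^(net user|net localgroup|query user|qwinsta|net session)", re.I),
}
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) ppid=(?P<ppid>\d+) cmd=(?P<cmd>.+)$")

def classify(cmd):
    # Return the recon category of a command line, or None if it is not one.
    for category, pattern in RECON_PATTERNS.items():
        if pattern.search(cmd):
            return category
    return None

def find_recon_bursts(log_text, window_seconds=300, min_categories=3):
    """Map parent PID -> sorted recon categories for parents that spawned commands
    from at least min_categories distinct categories inside one sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail on them
        category = classify(m["cmd"])
        if category:
            events[m["ppid"]].append((datetime.fromisoformat(m["ts"]), category))
    hits = {}
    for ppid, evs in events.items():
        evs.sort()  # chronological; a lone 'net user' never triggers on its own
        for i, (start, _) in enumerate(evs):
            cats = {c for t, c in evs[i:] if (t - start).total_seconds() <= window_seconds}
            if len(cats) >= min_categories:
                hits[ppid] = sorted(cats)
                break
    return hits
```

Tuning the window and category threshold against your own baseline keeps routine single commands from administrators out of the alert while still catching the clustered pattern.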

Tags: Cyber Security, Security, Web Security

Posted by Ange52 on Fri, 01 Oct 2021 04:29:55 +0530