Intranet-Information-Gathering-tips

Once we have a webshell on a machine, the next question is how to widen the attack surface and dig deeper into the internal network. This post records the information-gathering tips I use at that stage.

Network configuration information

The network configuration gives us the DNS domain suffix, the host's IP addresses, the gateway and the DNS servers. If the host is multi-homed or has routes to other subnets, it also reveals the other network segments of a multi-level intranet that we can pivot into.

Operating system and version information

systeminfo

This shows the host name, the domain the host belongs to, the operating system version and the installed hotfixes.

To pull out just the OS name and version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

This prints only the name and version, so you can quickly check whether the build has known CVEs that are useful for privilege escalation. Note that findstr matches the localized label text, so on a non-English Windows the strings "OS Name" and "OS Version" will not match.

Software information

wmic product get name,version

powershell "Get-WmiObject -class Win32_Product | Select-Object -Property name, version"

Both commands read the Win32_Product class, which only lists software installed through Windows Installer (MSI). Querying it is slow and noisy: it makes Windows Installer run a consistency check on every package and writes an MsiInstaller event to the Application log for each one, which a defender may notice.

Local service Information

wmic service list brief | findstr "Running"

Process Information

tasklist /v
wmic process list brief

Startup program Information

wmic startup get command,caption

This is similar to cron on Linux: an executable injected into the startup items runs at every logon, so this list is where you spot malicious programs that are already persistent on the host.

Scheduled task Information

schtasks /query /fo LIST /v

Host boot time

net statistics workstation

Query user list

net user
net localgroup administrators
query user || qwinsta

Port list

netstat -anp tcp
netstat -ano

On Windows, -p needs a protocol argument (tcp, udp, tcpv6, udpv6); a bare netstat -anp is a Linux habit and errors out. The -o switch prints the owning PID of each socket, which you can match against tasklist to see which service is behind a listening port.
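The port and process sections above are usually read together: the PID column of netstat -ano is matched by hand against tasklist. The following PowerShell does that join in one step. It is an added example, not code from the original post; it assumes Windows 8 / Server 2012 or later (NetTCPIP module) and needs no admin rights, but the Path column stays empty for other users' processes unless you are elevated. The function name Get-PortOwners is mine.

```powershell
# Added example: join listening ports / connections with their owning process.
# Assumption: Get-NetTCPConnection and Get-NetUDPEndpoint are available (Windows 8 / 2012+).

function Format-Endpoint([string]$Address, [int]$Port) {
    # Bracket IPv6 literals so "addr:port" stays readable
    if ($Address -like '*:*') { "[$Address]:$Port" } else { "${Address}:$Port" }
}

function Get-PortOwners {
    # Cache PID -> Process once instead of calling Get-Process per socket
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    $describe = {
        param($Pid)
        $p = $procs[[int]$Pid]
        $path = ''
        if ($p) { try { $path = $p.Path } catch { $path = '' } }   # access denied for protected processes
        [pscustomobject]@{ Name = $(if ($p) { $p.ProcessName } else { '?' }); Path = $path }
    }

    Get-NetTCPConnection | ForEach-Object {
        $d = & $describe $_.OwningProcess
        [pscustomobject]@{
            Proto   = 'TCP'
            Local   = Format-Endpoint $_.LocalAddress $_.LocalPort
            Remote  = if ($_.State -eq 'Listen') { '' } else { Format-Endpoint $_.RemoteAddress $_.RemotePort }
            State   = [string]$_.State
            PID     = $_.OwningProcess
            Process = $d.Name
            Path    = $d.Path
        }
    }
    Get-NetUDPEndpoint | ForEach-Object {
        $d = & $describe $_.OwningProcess
        [pscustomobject]@{
            Proto = 'UDP'; Local = Format-Endpoint $_.LocalAddress $_.LocalPort; Remote = ''; State = ''
            PID = $_.OwningProcess; Process = $d.Name; Path = $d.Path
        }
    }
}

$all = Get-PortOwners

# 1. What this host exposes to the rest of the intranet (TCP listeners + UDP endpoints)
$all | Where-Object { $_.State -eq 'Listen' -or $_.Proto -eq 'UDP' } |
    Sort-Object Proto, { [int]($_.Local -split ':')[-1] } |
    Format-Table Proto, Local, PID, Process, Path -AutoSize

# 2. Where this host is talking to right now: DCs, database servers, jump hosts, other segments
$all | Where-Object { $_.State -eq 'Established' } |
    Sort-Object Remote |
    Format-Table Proto, Local, Remote, PID, Process -AutoSize

# 3. Listeners bound only to loopback are not reachable from other hosts; everything else is
$all | Where-Object { $_.State -eq 'Listen' -and $_.Local -notlike '127.*' -and $_.Local -notlike '`[::1`]*' } |
    Select-Object Local, Process | Sort-Object Local -Unique | Format-Table -AutoSize
```

The third table is the one to read first: a service bound to 0.0.0.0 or :: on a non-standard port (an internal admin panel, a database, a second webshell) is usually a better next hop than anything the listening-port list alone suggests.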

Patch list

wmic qfe get Caption,Description,HotFixID,InstalledOn

(Tip: pay attention to the system version, the installed patches and how often they are installed. Hosts in a domain are usually patched in batches, so a patch missing on this host is very likely missing on its neighbours as well.)
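To turn the raw hotfix list into the "how often is this host patched" judgement the tip asks for, the PowerShell below groups installs by date and reports the last patch date. It is an added example, not code from the original post; it uses Get-HotFix, which reads the same data as wmic qfe, plus the UBR registry value that identifies the cumulative update level on Windows 10/11. The function names Get-PatchSummary and Test-HotFix are mine.

```powershell
# Added example: summarise patch cadence from the hotfix list.
# Assumption: Get-HotFix is available (any supported Windows); no admin rights needed.

function Get-PatchSummary {
    param([datetime]$Now = (Get-Date))
    # Some entries have no InstalledOn date; they cannot be placed on a timeline, so skip them
    $fixes = @(Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn)
    if ($fixes.Count -eq 0) {
        return [pscustomobject]@{ Count = 0; LastPatched = ''; DaysSinceLastPatch = -1; Batches = @() }
    }
    # Hotfixes installed on the same day are one patch batch (typically one Patch Tuesday / WSUS run)
    $batches = $fixes | Group-Object { $_.InstalledOn.ToString('yyyy-MM-dd') } | Sort-Object Name |
        ForEach-Object { [pscustomobject]@{ Date = $_.Name; Count = $_.Count; IDs = ($_.Group.HotFixID -join ' ') } }
    $last = $fixes[-1].InstalledOn
    [pscustomobject]@{
        Count              = $fixes.Count
        LastPatched        = $last.ToString('yyyy-MM-dd')
        DaysSinceLastPatch = [int]($Now - $last).TotalDays
        Batches            = @($batches)
    }
}

function Test-HotFix {
    # True if a specific KB is installed, e.g. Test-HotFix KB5005565
    param([Parameter(Mandatory)][string]$KB)
    [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

$os  = Get-CimInstance Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR   # cumulative update revision
$s   = Get-PatchSummary

'{0}  version {1}.{2}' -f $os.Caption, $os.Version, $ubr
'{0} dated hotfixes, last patched {1} ({2} days ago), {3} patch batches' -f $s.Count, $s.LastPatched, $s.DaysSinceLastPatch, $s.Batches.Count
$s.Batches | Select-Object -Last 6 | Format-Table -AutoSize
```

Two things to compare across hosts once you have this from several machines: the LastPatched date tells you whether the batch you see here landed everywhere, and on Windows 10/11 the Version.UBR pair is a more reliable indicator than the KB list, because a cumulative update replaces earlier ones and the QFE list can look short on a fully patched host.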

Local share list

net share
wmic share get name,path,status

Routing

arp -a
route print
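The network configuration section at the top and the routing section here are two halves of the same question: which other segments can this host reach? The PowerShell below answers it in one pass by listing the local IPv4 subnets, tagging every route that leaves them, and dumping the ARP cache as a list of live neighbours. It is an added example, not code from the original post; it assumes Windows 8 / Server 2012 or later (NetTCPIP module) and needs no admin rights. The helper name Get-NetworkPrefix is mine.

```powershell
# Added example: find the network segments reachable from this host.
# Assumption: Get-NetIPAddress / Get-NetRoute / Get-NetNeighbor exist (Windows 8 / 2012+).

function Get-NetworkPrefix {
    # Network address for an IPv4 address + prefix length, e.g. 10.1.2.3, 24 -> "10.1.2.0/24"
    param([string]$Address, [int]$PrefixLength)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                                   # big-endian wire order -> host order
    $ip   = [BitConverter]::ToUInt32($bytes, 0)
    $mask = [Convert]::ToUInt32(('1' * $PrefixLength).PadRight(32, '0'), 2)
    $net  = [BitConverter]::GetBytes([uint32]($ip -band $mask))
    [Array]::Reverse($net)
    '{0}/{1}' -f ([System.Net.IPAddress]::new([byte[]]$net)).ToString(), $PrefixLength
}

$localSubnets = @()
"== Local interfaces and subnets =="
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    ForEach-Object {
        $subnet = Get-NetworkPrefix -Address $_.IPAddress -PrefixLength $_.PrefixLength
        $localSubnets += $subnet
        '{0,-32} {1,-16} {2}' -f $_.InterfaceAlias, $_.IPAddress, $subnet
    }

"`n== Default gateways =="
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    ForEach-Object { '{0,-16} metric {1,-5} {2}' -f $_.NextHop, $_.RouteMetric, $_.InterfaceAlias }

"`n== Routes (route print equivalent); REMOTE SEGMENT = reachable through a gateway =="
Get-NetRoute -AddressFamily IPv4 |
    Where-Object {
        $_.DestinationPrefix -ne '0.0.0.0/0' -and $_.DestinationPrefix -notlike '*/32' -and
        $_.DestinationPrefix -notlike '127.*' -and $_.DestinationPrefix -notlike '224.*'
    } |
    ForEach-Object {
        $tag = if ($localSubnets -contains $_.DestinationPrefix) { 'on-link' } else { 'REMOTE SEGMENT' }
        '{0,-20} via {1,-16} {2,-32} [{3}]' -f $_.DestinationPrefix, $_.NextHop, $_.InterfaceAlias, $tag
    }

"`n== Neighbours (arp -a equivalent): hosts that recently talked to us on the local segments =="
Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale |
    Where-Object { $_.IPAddress -notlike '224.*' -and $_.IPAddress -notlike '*.255' } |
    Sort-Object { [version]$_.IPAddress } |
    ForEach-Object { '{0,-16} {1,-18} {2}' -f $_.IPAddress, $_.LinkLayerAddress, $_.InterfaceAlias }
```

A static route tagged REMOTE SEGMENT that does not go through the default gateway is the strongest hint of a multi-level intranet: someone added it because this host needs to reach that segment, and the next hop is a router you can pass through. The ARP cache is worth saving before you scan, since it lists hosts that are known to be up without sending a single packet.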

Domain

Checking whether the host is in a domain environment:

systeminfo|findstr "Domain"
systeminfo|findstr "域"

The second form is for Chinese-language Windows, where the label is "域" instead of "Domain"; the output of systeminfo is localized, so match the label of the system you are on. If the "Domain" line shows WORKGROUP the host is not domain-joined.

List of computers in the domain or workgroup

net view /domain
net view /domain:<domain name>

net view relies on SMB network browsing (the Computer Browser service), which is disabled on many modern hosts, so an empty result does not mean there are no other computers.
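Because both the systeminfo label and net view depend on the locale and on browsing being enabled, the PowerShell below does the domain check and the computer listing in a way that works regardless of language: it reads Win32_ComputerSystem for domain membership and queries the domain over LDAP for computer objects. It is an added example, not code from the original post; it assumes the account the shell runs as can bind to the domain (any domain user can by default) and that LDAP to a domain controller is not filtered. The function names Get-DomainContext and Get-DomainComputers are mine.

```powershell
# Added example: locale-independent domain check + computer list via LDAP.
# Assumption: the current token is a domain principal and a DC is reachable over LDAP (389).

function Get-DomainContext {
    $cs = Get-CimInstance Win32_ComputerSystem
    [pscustomobject]@{
        Host         = $cs.Name
        PartOfDomain = $cs.PartOfDomain                    # reliable regardless of display language
        Domain       = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
        LogonServer  = $env:LOGONSERVER                    # DC that authenticated this session, if any
        UserDomain   = $env:USERDOMAIN
        DnsDomain    = $env:USERDNSDOMAIN                  # empty when running as a local/service account
    }
}

function Get-DomainComputers {
    # LDAP equivalent of "net view /domain:<name>", without depending on SMB browsing
    param([string]$Filter = '(objectCategory=computer)')
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000                              # paged results; domains can have >1000 computers
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'dnshostname', 'operatingsystem', 'lastlogontimestamp'))
    foreach ($r in $searcher.FindAll()) {
        $ts = $r.Properties['lastlogontimestamp']
        [pscustomobject]@{
            Name      = [string]$r.Properties['name'][0]
            DNS       = [string]$r.Properties['dnshostname'][0]
            OS        = [string]$r.Properties['operatingsystem'][0]
            LastLogon = if ($ts.Count) { [datetime]::FromFileTime([int64]$ts[0]).ToString('yyyy-MM-dd') } else { '' }
        }
    }
}

$ctx = Get-DomainContext
$ctx | Format-List

if ($ctx.PartOfDomain) {
    $computers = @(Get-DomainComputers)
    '{0} computer objects in {1}' -f $computers.Count, $ctx.Domain
    $computers | Sort-Object OS, Name | Format-Table -AutoSize

    # Domain controllers: SERVER_TRUST_ACCOUNT (0x2000) set in userAccountControl, via the LDAP bit-AND matching rule
    "`n== Domain controllers =="
    Get-DomainComputers -Filter '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' |
        Format-Table Name, DNS, OS -AutoSize
}
```

Two points worth knowing when reading the output: a webshell usually runs as a local service account, so USERDOMAIN and USERDNSDOMAIN can be empty or show the host name even on a domain-joined machine, which is why PartOfDomain is the value to trust; and LastLogon is the replicated lastLogonTimestamp, which can lag by up to 14 days, so it separates live machines from stale computer objects but is not exact.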