xfeng


Internal Network Basics

1. Workgroup

Workgroup: a workgroup is a concept from local area networks (LANs) and the longest-standing mode of resource management. By default, resources are managed by workgroup: computers are sorted into different groups according to different needs.

Domain: the domain is the architecture that stands opposite the "workgroup"; it is a more advanced architecture that grew out of the workgroup. A domain is a collection of computers with a security boundary (the security boundary means that, given two domains, a user in one domain cannot access resources in the other). A domain can be thought of as an upgraded version of the workgroup: compared with a workgroup it has a stricter security management and control mechanism. To access resources within the domain you must log in to the domain with a legitimate identity, and the permissions you have over those resources likewise depend on your user identity in the domain.

2. Several Domain Environments

2.1 Single Domain

Usually a small company needs only one domain. A domain should have at least two domain servers, one acting as the domain controller and the other as a backup. The Active Directory database, including the user account information, is stored on the domain controller; if there is no backup, the failure of that server paralyzes the domain and it can no longer be used normally.

2.2 Domain Tree

2.3 Domain Forest

A domain forest is a collection of several domain trees joined by establishing trust relationships between them, for example when one company acquires another.

3. Domain Name Server

A domain name server is a server that translates domain names into their corresponding IP addresses and back. From the introduction of the domain tree it can be seen that the domain names in a domain tree look very much like DNS domain names. In fact, because domain-joined computers use DNS to locate domain controllers, servers, and other computers and network services, the name of the domain is the name of its DNS domain.
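How a domain-joined machine actually uses DNS to find its domain controllers, as an added example that is not part of the original post: Windows clients query SRV records under the domain's _msdcs zone (the record names used here are Microsoft's documented DC locator names) and then order the answers by the priority and weight fields of the records. The zone snippet below is constructed for this example; corp.example, the site name HQ and the DC host names are placeholders, and the deterministic ordering stands in for the weighted random choice a real client makes.

```python
"""DC locator via DNS: which SRV names a domain member queries, and how the
answers are ordered.  Added example, not code from the original post.  The
SRV record names are Microsoft's documented DC locator names; the zone
snippet, corp.example and the DC host names are constructed placeholders."""
import re


def dc_locator_queries(domain, site=None):
    """Return the SRV names a client queries to find domain controllers.

    With a site name the site-specific names come first, because a client
    prefers a DC in its own Active Directory site.
    """
    names = []
    if site:
        names += [
            f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
            f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
        ]
    names += [
        f"_ldap._tcp.dc._msdcs.{domain}",      # any writable DC (LDAP)
        f"_kerberos._tcp.dc._msdcs.{domain}",  # any DC acting as Kerberos KDC
        f"_ldap._tcp.pdc._msdcs.{domain}",     # the PDC emulator
        f"_gc._tcp.{domain}",                  # global catalog (forest root name in a multi-domain forest)
    ]
    return names


# One zone-file / dig style SRV line: name ttl IN SRV priority weight port target
SRV_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv_records(zone_text):
    """Parse SRV lines into dicts; comment lines and non-SRV lines are skipped."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if not m:
            continue
        name, ttl, prio, weight, port, target = m.groups()
        records.append({
            "name": name.rstrip(".").lower(),
            "ttl": int(ttl),
            "priority": int(prio),
            "weight": int(weight),
            "port": int(port),
            "target": target.rstrip(".").lower(),
        })
    return records


def order_dcs(records, name):
    """Return (target, port) pairs for `name` in RFC 2782 order: lowest
    priority first, then higher weight first.  A real client picks randomly
    in proportion to weight within one priority; sorting keeps this
    deterministic for the example."""
    wanted = name.rstrip(".").lower()
    matching = [r for r in records if r["name"] == wanted]
    matching.sort(key=lambda r: (r["priority"], -r["weight"], r["target"]))
    return [(r["target"], r["port"]) for r in matching]


# Constructed sample: what the DNS server for corp.example might answer.
CONSTRUCTED_ZONE = """\
; constructed sample zone data for corp.example (placeholder names)
_ldap._tcp.dc._msdcs.corp.example.      600 IN SRV 0  100 389 dc01.corp.example.
_ldap._tcp.dc._msdcs.corp.example.      600 IN SRV 0  100 389 dc02.corp.example.
_ldap._tcp.dc._msdcs.corp.example.      600 IN SRV 10 50  389 dc-branch.corp.example.
_kerberos._tcp.dc._msdcs.corp.example.  600 IN SRV 0  100 88  dc01.corp.example.
_ldap._tcp.pdc._msdcs.corp.example.     600 IN SRV 0  100 389 dc01.corp.example.
"""

if __name__ == "__main__":
    for q in dc_locator_queries("corp.example", site="HQ"):
        print("query:", q)
    recs = parse_srv_records(CONSTRUCTED_ZONE)
    print("LDAP DCs in order:", order_dcs(recs, "_ldap._tcp.dc._msdcs.corp.example"))
```

The same query names are what a defender checks when auditing a domain's DNS: if an unexpected host answers for `_ldap._tcp.dc._msdcs.<domain>`, clients will try to authenticate against it.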

4. Domain Terminology

  • DC: Domain Controller, the server that creates the domain.
  • Domain administrator (domain admin): an administrator account on the domain controller.
  • AD: Active Directory.
  • NTDS.dit: the Active Directory domain database; domain user accounts are stored in it.
  • Ntdsutil.exe: a domain database management tool that ships with the domain controller by default from Windows Server 2008 onward. It can therefore be used to extract all domain user information from the domain database.
  • Common structures: Organizational Unit (OU), Domain, Domain Tree, Domain Forest. All domains in a domain tree share one Active Directory, whose data is stored across the domains in a distributed manner: each domain stores only the data belonging to that domain.
  • Active Directory:
    • Centralized account management: all accounts are stored on the server, which makes renaming accounts and resetting passwords easy.
    • Centralized software management: unified software deployment, unified installation of network printers, and so on. Software can be distributed with software deployment policies, letting users choose which software to install.
    • Centralized environment management: AD can centrally manage client desktops, IE, TCP/IP settings and the like.
    • Enhanced security: unified deployment of antivirus software and scan tasks, centralized management of users' computer permissions, unified password policies, and so on; the network can be monitored and data managed centrally.
    • More reliable: less downtime. For example, AD controls user access permissions, and clustering, load balancing and similar technologies give file servers disaster recovery, making them more reliable and less prone to outages.
    • Active Directory is the underlying platform for Microsoft's unified management; other services such as ISA, Exchange and SMS rely on it.

5. Domain Information Gathering Commands

ipconfig
systeminfo
net time /domain
tasklist /svc
netstat -ano
query user || qwinsta # View currently logged-in users
net user # View local users
net user /domain # View domain users
net view & net group "domain computers" /domain # View the list of computers in the current domain
net view /domain # View the domains on the network (how many there are)
net view \\dc # View the shares on the DC
net group /domain # View groups in the domain
net group "domain admins" /domain # View domain administrators
net localgroup administrators /domain # Also shows domain administrators: when a server is upgraded to a domain controller, its local accounts also become domain administrators
net group "domain controllers" /domain # View domain controllers
net config workstation # Current login domain, computer name and user name
net use \\<domain controller, e.g. pc.xx.com> password /user:xxx.com\username # Equivalent to logging in to that host with this account and accessing its resources
tasklist /S ip /U domain\username /P /V # View a remote computer's task list (/P without a value prompts for the password)
net localgroup administrators && whoami # Check whether the current user belongs to the local Administrators group
nltest /dclist:xx # View domain controllers (xx is the domain name)
whoami /all # View the Mandatory Label (UAC integrity level) and the SID
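Seen from the defender's side, the command list above is also what a domain-enumeration detection looks for. The following is an added example, not part of the original post: it turns the commands into regular expressions and runs them over constructed process-creation log lines (a simplified stand-in for the command-line field of Security event 4688 or Sysmon event 1), raising one alert when a single host/user pair runs several distinct enumeration commands inside a short window. The log lines, host names and account names are constructed; the ten-minute window and the threshold of three are assumptions to tune against your own baseline.

```python
"""Detect bursts of Active Directory enumeration in process-creation logs.

Added example, not code from the original post.  The regular expressions
cover the domain information gathering commands listed above; the log lines
are constructed for this example in a simplified "timestamp host= user= cmd="
form standing in for the command-line field of Security event 4688 or
Sysmon event 1.  Host and account names are placeholders; the window and
threshold are assumptions to tune against a real baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# net.exe hands most work to net1.exe, and 4688 may log a quoted image path,
# so the prefix accepts net, net1, net.exe and a closing quote before the verb.
_NET = r'\bnet(?:1)?(?:\.exe)?"?\s+'

ENUM_PATTERNS = {
    "domain_admins":      re.compile(_NET + r'group\s+"?domain admins"?\s+/domain', re.I),
    "domain_controllers": re.compile(_NET + r'group\s+"?domain controllers"?\s+/domain', re.I),
    "domain_computers":   re.compile(_NET + r'group\s+"?domain computers"?\s+/domain', re.I),
    "domain_groups":      re.compile(_NET + r"group\s+/domain", re.I),
    "domain_users":       re.compile(_NET + r"user\s+/domain", re.I),
    "domain_view":        re.compile(_NET + r"view\s+/domain", re.I),
    "domain_time":        re.compile(_NET + r"time\s+/domain", re.I),
    "local_admins":       re.compile(_NET + r"localgroup\s+administrators", re.I),
    "dc_list":            re.compile(r"\bnltest(?:\.exe)?\s+/dclist:", re.I),
    "whoami_all":         re.compile(r"\bwhoami(?:\.exe)?\s+/all", re.I),
    "logged_on_users":    re.compile(r"\b(?:query(?:\.exe)?\s+user|qwinsta(?:\.exe)?)\b", re.I),
}

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Parse one constructed log line into (timestamp, host, user, cmd), or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["user"], m["cmd"]


def classify(cmd):
    """Return the set of enumeration categories a command line matches."""
    return {name for name, rx in ENUM_PATTERNS.items() if rx.search(cmd)}


def detect_enumeration(lines, window=timedelta(minutes=10), threshold=3):
    """One alert per (host, user) that ran >= threshold distinct enumeration
    commands within `window`; each alert carries the densest window found."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user, cmd = parsed
        cats = classify(cmd)
        if cats:
            events[(host, user)].append((ts, cats, cmd))

    alerts = []
    for (host, user), evs in events.items():
        evs.sort(key=lambda e: e[0])
        best, start = None, 0
        for end in range(len(evs)):
            # slide the left edge until the window spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            seen = set().union(*(cats for _, cats, _ in evs[start:end + 1]))
            if best is None or len(seen) > len(best[0]):
                best = (seen, start, end)
        seen, start, end = best
        if len(seen) >= threshold:
            alerts.append({
                "host": host,
                "user": user,
                "categories": sorted(seen),
                "first": evs[start][0].isoformat(),
                "last": evs[end][0].isoformat(),
                "commands": [cmd for _, _, cmd in evs[start:end + 1]],
            })
    return alerts


# Constructed sample events (not real telemetry): alice runs four different
# enumeration commands within 30 seconds; bob runs two, hours apart.
SAMPLE_LOG = r"""
2024-05-01T09:00:01Z host=WS01 user=CORP\alice cmd=ipconfig /all
2024-05-01T09:00:05Z host=WS01 user=CORP\alice cmd=whoami /all
2024-05-01T09:00:12Z host=WS01 user=CORP\alice cmd="C:\Windows\system32\net.exe" group "domain admins" /domain
2024-05-01T09:00:20Z host=WS01 user=CORP\alice cmd=nltest /dclist:corp
2024-05-01T09:00:31Z host=WS01 user=CORP\alice cmd=net view /domain
2024-05-01T09:15:00Z host=WS02 user=CORP\bob cmd=net user /domain
2024-05-01T11:40:00Z host=WS02 user=CORP\bob cmd=net time /domain
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert["host"], alert["user"], alert["first"], alert["last"], alert["categories"])
```

Counting distinct command families rather than raw command count is what keeps the rule quiet: an administrator who runs `net user /domain` fifty times scores one category, while a short burst that touches domain admins, domain controllers and the DC list at once is what a first foothold in a domain tends to look like in the logs.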