1. Workgroup

Workgroup: A workgroup is the default way Windows computers are organized on a local area network. It is a peer-to-peer model: every computer keeps its own local account database (the SAM) and authenticates its own users, and machines are grouped under a shared workgroup name only for convenience when browsing the network. There is no central authority, so an account on one computer means nothing on another.

Domain: A domain is the architecture that "workgroup" is contrasted with, and can be thought of as its upgraded form. A domain is a collection of computers that share one directory database, a common set of security policies and a common authentication service. To use resources in the domain you must log on with an identity the domain recognizes, and what you may do with those resources is decided by the rights and group memberships of that domain identity rather than by local accounts on each machine. One caveat on the "security boundary" wording that is often used here: Microsoft treats the forest, not the domain, as the real security boundary in Active Directory, because all domains in a forest trust each other and share the same schema and configuration data. Between domains that have no trust relationship, a user in one domain cannot access resources in the other.
2. Several Environments of a Domain

2.1 Single Domain

A small company usually needs only one domain. Even so, a domain should have at least two domain controllers. Since Windows 2000 every writable domain controller holds a full copy of the Active Directory database (including user accounts and their password hashes) and replicates changes to the others, so the second controller is not a passive backup but a full peer. With a single domain controller, its failure stops domain logons and authentication for the whole domain until it is restored.
2.2 Domain Tree

A domain tree is a set of domains that form a contiguous DNS namespace, for example xx.com with the child domains sales.xx.com and dev.xx.com. A child domain is created under its parent, and parent and child are linked by automatic two-way transitive trusts, so every domain in the tree trusts every other domain in it.

2.3 Domain Forest

A forest is the collection formed by one or more domain trees that share a common schema, configuration and global catalog but not a contiguous namespace; the root domains of the trees are joined by transitive trust relationships. The typical case is a company acquiring another company that already runs its own domain tree.
3. Domain Name Server

DNS (Domain Name System) servers translate names into IP addresses and back. The names in a domain tree look like DNS names because they are DNS names: an Active Directory domain name is a DNS domain name, and domain-joined computers locate domain controllers, global catalogs and other services by querying DNS. For this purpose domain controllers register SRV records under _msdcs.<domain>, for example _ldap._tcp.dc._msdcs.xx.com, which is why a domain controller almost always runs, or is served by, a DNS server that is authoritative for the domain. If those SRV records are missing or point at the wrong hosts, clients cannot find a domain controller even when the domain controller itself is healthy.
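As an added example that is not part of the original notes, the following PowerShell session locates the domain controllers of a domain purely through these DNS SRV records, the same way a domain-joined client does it. The domain name corp.example.com is a placeholder; Resolve-DnsName ships with the DnsClient module on Windows 8 / Server 2012 and later, and nslookup gives the same answer from cmd.exe on any version.

```powershell
# Added example (not from the original page): find the domain controllers of an
# AD domain through the DNS SRV records that domain-joined clients themselves use.
# "corp.example.com" is a placeholder; replace it with the target domain name.
$Domain = "corp.example.com"

# Every domain controller registers itself under _msdcs.<domain>. Each SRV record
# carries the DC host name, priority, weight and the LDAP port.
$records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop

# Resolve-DnsName also returns the A records of the targets; keep only the SRV rows.
$records |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, Weight |
    Select-Object NameTarget, Port, Priority, Weight |
    Format-Table -AutoSize

# Other service records worth checking: the PDC emulator, the global catalog and Kerberos.
foreach ($svc in @("_ldap._tcp.pdc._msdcs.$Domain",
                   "_gc._tcp.$Domain",
                   "_kerberos._tcp.$Domain")) {
    $r = Resolve-DnsName -Name $svc -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' }
    "{0,-40} -> {1}" -f $svc, (($r | ForEach-Object { $_.NameTarget }) -join ", ")
}

# The classic equivalent, which also works from a plain cmd.exe prompt:
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com
```

If the _ldap._tcp.dc._msdcs query returns nothing while nltest /dclist still works, the client is asking a DNS server that is not authoritative for the AD zone (a common misconfiguration after changing DHCP options), and domain logons will be slow or fail.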
4. Domain Terminology

- DC: Domain Controller. A server that holds a copy of the Active Directory database and authenticates users and computers. The first server promoted to domain controller creates the domain; further controllers are added to it later.
- Domain Admins: the domain group whose members administer the domain. They are administrators on every domain controller and, by default, on every domain-joined computer.
- AD: Active Directory, Microsoft's directory service.
- NTDS.dit: the Active Directory database file, present on every domain controller (by default at %SystemRoot%\NTDS\ntds.dit). It holds all domain objects, including every user account and its password hash, which is why it is the prime target once a domain controller is compromised and why access to it must stay limited to domain administrators.
- Ntdsutil.exe: the database management tool that ships with the domain controller role. From Windows Server 2008 its IFM ("install from media") command can export a consistent copy of NTDS.dit together with the registry hives needed to read it, so anyone who can run it as an administrator on a domain controller can extract every domain account.
- Common structures: Organizational Unit (OU), Domain, Domain Tree and Domain Forest. All domains in a forest share one Active Directory in the sense that the schema and configuration partitions are replicated forest-wide, but each domain's own objects (users, computers, groups) live in that domain's partition and replicate only between that domain's controllers; the global catalog keeps a partial, read-only copy of every domain's objects for forest-wide searches.
- Active Directory benefits:
  - Centralized account management: all accounts live in the directory on the domain controllers, so creating, renaming, disabling or resetting the password of an account is done once, in one place.
  - Centralized software management: software can be published or assigned through Group Policy and network printers deployed uniformly; users can install published packages themselves.
  - Centralized environment management: client desktops, browser settings, TCP/IP settings and similar configuration are managed centrally through Group Policy.
  - Enhanced security: antivirus software and scan schedules are deployed centrally, user rights on computers are managed centrally, a single password and lockout policy is enforced, and the network can be monitored and data managed from one place.
  - Higher reliability, less downtime: AD controls who may access what, and combined with clustering and load balancing it lets file and other servers be built with failover, so a single failure does not take the service down.
- Active Directory is the underlying platform for Microsoft's unified management; other products such as ISA Server, Exchange and SMS depend on it.
5. Domain Information Gathering Commands

Run these from a cmd.exe or PowerShell prompt on a domain-joined host. Text after # on each line is an explanation, not part of the command; replace xx.com, dc, ip and the account names with real values.

```cmd
ipconfig /all                                  # Network configuration, DNS suffix and DNS servers (the DNS servers are usually domain controllers)
systeminfo                                     # OS version, installed patches, and the Domain field (WORKGROUP means the host is not domain-joined)
net time /domain                               # Current time from a domain controller; the output also names that controller
tasklist /svc                                  # Running processes and the services hosted in them
netstat -ano                                   # Listening ports and connections with the owning PID
query user || qwinsta                          # Currently logged-on users and sessions
net user                                       # Local users
net user /domain                               # Domain users
net view                                       # Computers visible in the current domain or workgroup
net group "domain computers" /domain           # Computer accounts in the current domain
net view /domain                               # Domains visible on the network
net view \\dc                                  # Shares on the host named dc (for example a domain controller)
net group /domain                              # Global groups in the domain
net group "domain admins" /domain              # Members of Domain Admins
net localgroup administrators /domain          # Members of the domain's built-in Administrators group. A domain controller has no separate local accounts: when a server is promoted, its local Administrator becomes the domain Administrator
net group "domain controllers" /domain         # Domain controller computer accounts
net config workstation                         # Computer name, logged-on user and logon domain
net use \\pc.xx.com\ipc$ password /user:xx.com\username   # Authenticate to a host (here pc.xx.com) with a domain account; afterwards its resources can be accessed as that account
tasklist /S ip /U domain\username /P password /V          # Process list of a remote computer using explicit credentials
net localgroup administrators && whoami        # Compare the local Administrators members with the current user
nltest /dclist:xx                              # List the domain controllers of domain xx
whoami /all                                    # Current SID, group SIDs, privileges and the Mandatory Label (integrity level, which shows whether the token is UAC-elevated)
```
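The commands above lean on net.exe and nltest.exe, which are widely used in detection rules. As an added example that is not part of the original notes, the following PowerShell script collects the same information (current identity, domain and forest, domain controllers, Domain Admins members, enabled user accounts) through the .NET DirectoryServices classes that every domain-joined Windows host already has, and it matches Domain Admins by its well-known RID instead of its name. It assumes it runs as a domain account on a domain-joined host; Search-Ldap is a helper defined in the script, not a built-in cmdlet.

```powershell
# Added example (not from the original page): domain reconnaissance through .NET/ADSI
# instead of net.exe and nltest.exe. Assumes a domain account on a domain-joined host.

# 1. Who am I, and am I an administrator here? (cf. whoami /all, net localgroup administrators)
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$me = New-Object System.Security.Principal.WindowsPrincipal($id)
"User: {0}  SID: {1}" -f $id.Name, $id.User.Value
"Local administrator: {0}" -f $me.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Domain, forest and domain controllers (cf. net config workstation, nltest /dclist)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest
"Domain: {0}   Forest root: {1}   PDC emulator: {2}" -f $domain.Name, $forest.RootDomain.Name, $domain.PdcRoleOwner.Name
"Domain controllers: {0}" -f (($domain.DomainControllers | ForEach-Object { $_.Name }) -join ", ")
"Domains in forest: {0}"  -f (($forest.Domains | ForEach-Object { $_.Name }) -join ", ")

# 3. Raw LDAP queries against the current domain. Search-Ldap is a helper defined here.
function Search-Ldap {
    param([string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # root = current domain
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500                                             # page results; unpaged searches stop at 1000 entries
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

# Domain Admins is always RID 512 in the domain, so match on the SID rather than the
# group name, which may be localized or renamed. LDAP wants the SID in escaped binary form.
$daSid   = New-Object System.Security.Principal.SecurityIdentifier("$($id.User.AccountDomainSid.Value)-512")
$bytes   = New-Object byte[] $daSid.BinaryLength
$daSid.GetBinaryForm($bytes, 0)
$escaped = ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
$da = Search-Ldap -Filter "(objectSid=$escaped)" -Properties member
"Domain Admins members:"
$da | ForEach-Object { $_.Properties["member"] } | ForEach-Object { "  $_" }

# Writable domain controllers carry the SERVER_TRUST_ACCOUNT flag (0x2000 = 8192) in
# userAccountControl; the 1.2.840.113556.1.4.803 rule is the LDAP bitwise AND.
$dcs = Search-Ldap -Filter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" -Properties dNSHostName, operatingSystem
"Domain controllers (LDAP):"
$dcs | ForEach-Object { "  {0}  {1}" -f $_.Properties["dnshostname"][0], $_.Properties["operatingsystem"][0] }

# Enabled user accounts (cf. net user /domain): exclude the ACCOUNTDISABLE flag (0x2).
$users = Search-Ldap -Filter "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Properties sAMAccountName
"Enabled user accounts: {0}" -f @($users).Count
```

Nothing here needs RSAT or the ActiveDirectory module, and the script never touches SMB shares, so on the wire it is only LDAP to a domain controller plus the Kerberos ticket request that authenticates it.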