1. Workgroup
Workgroup: A workgroup is a concept in a local area network (LAN) and is the default resource management mode. By default, resource management uses workgroup mode: computers are classified into different groups according to different requirements.
Domain: A network architecture that is the counterpart of the "workgroup" and an advanced structure that evolved from it. A domain is a collection of computers with a security boundary (the security boundary means that, given two domains, users in one domain cannot access resources in the other). A domain can be understood simply as an upgraded version of a "workgroup": compared to a workgroup, it has a stricter security management and control mechanism. To access resources within the domain, you must log in to the domain with a valid identity, and the permissions you have on resources within the domain also depend on your user identity in the domain.
2. Several Environments of Domains
2.1 Single Domain
Usually, a small company only needs one domain. A domain should have at least two domain servers, one acting as the domain controller and the other as a backup. The Active Directory database (including user account information) is stored on the domain controller; if the domain controller fails and there is no backup, the domain becomes paralyzed and cannot be used normally.
2.2 Domain Tree
2.3 Domain Forest
A domain forest is a collection of multiple domain trees joined by trust relationships, for example when a company acquires other companies and their domains are brought together.
3. Domain Name Server
A domain name server is the server that converts domain names to their corresponding IP addresses. From the introduction of the domain tree, it can be seen that the domain names in a domain tree are very similar to DNS domain names. In fact, because domain-joined computers use DNS to locate domain controllers, servers, and other computers and network services, the name of the domain is the name of its DNS domain.
4. Domain Terminology
- DC: Domain Controller, the creator of the domain.
- Domain admin (domain management): an administrator account on the domain controller.
- AD: Active Directory.
- NTDS.dit: the domain database file; domain user accounts are stored in Active Directory in the form of this domain database.
- Ntdsutil.exe: ntdsutil.exe is a domain database management tool that ships with the domain controller by default starting from Windows Server 2008. Therefore, we can extract all domain user information from the domain using ntdsutil.exe.
- Common Structures: Organizational Unit (OU), Domain (DOMAIN), Domain Tree (tree), Domain Forest (forest). All domains within a domain tree share one Active Directory; the data in this Active Directory is stored across the domains in a distributed manner, and each domain stores only the data belonging to that domain.
- Active Directory:
  - Centralized account management: All accounts are stored on the server, making it easy to rename accounts and reset their passwords.
  - Centralized software management: Unified software deployment, unified installation of network printers, etc. Software can be distributed using software deployment policies, allowing users to choose which software to install.
  - Centralized environment management: AD can be used to centrally manage client desktops, IE, TCP/IP settings, etc.
  - Enhanced security: Unified deployment of antivirus software and virus scanning tasks, centralized management of user computer permissions, unified formulation of user password policies, etc.; the network can be monitored and data managed centrally.
  - More reliable: Less downtime. For example, AD controls user access permissions, and clustering, load balancing, and other technologies provide disaster recovery for file servers, making them more reliable and reducing downtime.
  - Active Directory is the underlying platform for Microsoft's unified management. Other services such as ISA, Exchange, SMS, etc., depend on this underlying platform.
5. Domain Information Collection Commands
ipconfig
systeminfo
net time /domain
tasklist /svc
netstat -ano
query user || qwinsta # View currently logged-in users
net user # View local users
net user /domain # View domain users
net view & net group "domain computers" /domain # View the current domain computer list
net view /domain # View the number of domains
net view \\dc # View the shares on the host named dc
net group /domain # View groups in the domain
net group "domain admins" /domain # View domain administrators
net localgroup administrators /domain # Also lists domain administrators: when a host is promoted to a domain controller, its local administrators also become domain administrators.
net group "domain controllers" /domain # Domain controller
net config workstation # Current login domain - computer name - username
net use \\pc.xx.com password /user:xxx.com\username # Connect to the domain controller (here pc.xx.com) with this domain account; equivalent to logging in to that host within the domain and accessing its resources
tasklist /S ip /U domain\username /P /V # View remote computer tasklist
net localgroup administrators && whoami # Check if the current user belongs to the administrators group
nltest /dclist:xx # View domain controllers
whoami /all # View Mandatory Label UAC level and SID number
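From the defender's side, the commands above are exactly what a detection rule for domain reconnaissance should look for in process-creation logs (Windows Event ID 4688 or Sysmon Event ID 1). The following Python script is an added example, not part of the original post: it flags any host/user pair that runs three or more distinct commands from this list within ten minutes. The log lines are constructed here, and the `timestamp | host | user | command line` layout is an assumed simplified export, not a real log format.

```python
"""Flag bursts of domain-reconnaissance commands in process-creation logs.

Added example (not from the original post).  The log format below
(timestamp | host | user | command line) is an assumption made for the
example; adapt parse_line() to your real 4688 / Sysmon export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per command family from the cheat sheet, matched against the
# full command line, case-insensitively.
RECON_PATTERNS = {
    "domain_users":       re.compile(r"\bnet\s+user\s+/domain\b", re.I),
    "domain_groups":      re.compile(r"\bnet\s+group\s+/domain\b", re.I),
    "domain_admins":      re.compile(r'\bnet\s+group\s+"?domain admins"?\s+/domain\b', re.I),
    "domain_controllers": re.compile(r'\bnet\s+group\s+"?domain controllers"?\s+/domain\b', re.I),
    "domain_computers":   re.compile(r'\bnet\s+group\s+"?domain computers"?\s+/domain\b', re.I),
    "net_view_domain":    re.compile(r"\bnet\s+view\s+/domain\b", re.I),
    "net_time_domain":    re.compile(r"\bnet\s+time\s+/domain\b", re.I),
    "nltest_dclist":      re.compile(r"\bnltest\s+/dclist", re.I),
    "whoami_all":         re.compile(r"\bwhoami\s+/all\b", re.I),
}

# Constructed sample events: WS01/alice runs four recon commands in 11 seconds,
# WS02/bob runs two commands hours apart, WS03/svc runs nothing suspicious.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 | WS01 | CORP\\alice | whoami /all",
    "2024-05-01T09:00:05 | WS01 | CORP\\alice | net user /domain",
    "2024-05-01T09:00:09 | WS01 | CORP\\alice | net group \"domain admins\" /domain",
    "2024-05-01T09:00:12 | WS01 | CORP\\alice | nltest /dclist:corp",
    "2024-05-01T09:30:00 | WS02 | CORP\\bob | net user /domain",
    "2024-05-01T11:30:00 | WS02 | CORP\\bob | net time /domain",
    "2024-05-01T09:05:00 | WS03 | CORP\\svc | ipconfig /all",
]


def parse_line(line):
    """Split one assumed-format log line into (timestamp, host, user, cmd)."""
    ts, host, user, cmd = [f.strip() for f in line.split(" | ", 3)]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), host, user, cmd


def classify(cmd):
    """Return the names of every recon pattern the command line matches."""
    return [name for name, pat in RECON_PATTERNS.items() if pat.search(cmd)]


def find_recon_bursts(lines, window=timedelta(minutes=10), threshold=3):
    """Return {(host, user): sorted distinct recon commands} for each host/user
    pair that ran at least `threshold` distinct recon commands inside `window`.

    Distinct command families are counted rather than raw events, so one
    repeated 'net user /domain' does not trip the rule on its own."""
    events = defaultdict(list)
    for line in lines:
        ts, host, user, cmd = parse_line(line)
        for tag in classify(cmd):
            events[(host, user)].append((ts, tag))

    hits = {}
    for key, evs in events.items():
        evs.sort()  # chronological, so every later event is >= the window start
        for i, (start, _) in enumerate(evs):
            tags = {tag for ts, tag in evs[i:] if ts - start <= window}
            if len(tags) >= threshold:
                hits[key] = sorted(tags)
                break
    return hits


if __name__ == "__main__":
    for (host, user), tags in find_recon_bursts(SAMPLE_LOG).items():
        print(f"{host} {user}: {', '.join(tags)}")
```

The sliding window starts at each recon event in turn and counts how many different command families follow within the window, so a single noisy command does not alert while the burst on WS01 does. Tune `window` and `threshold` to your environment: help-desk and admin hosts legitimately run `net user /domain` and `nltest`, so the distinct-command threshold, not any single command, is what separates routine administration from enumeration.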