前⾔
对于操作系统的信息搜集有什么作⽤?提权、深⼊测试、域渗透、留后门······有⼀位⼤师傅曾经说过:内⽹渗透的本质是信息搜集。
看了许多内⽹信息收集的⽂章,所⽤到的收集信息的命令⼤都是相同的。既然如此,写⼀个简单的脚本省去⼀些重复操作。
Windows
常⽤命令
whoami/echo %USERNAME% # 当前用户
ipconfig # IP 信息
net user # 用户列表
systeminfo # 查看系统信息
wmic qfe get HotFixID # 纯补丁信息
set # 查看环境变量
netsh firewall show state # 查看防火墙状态
net localgroup # 查看用户组
net localgroup administrators # 查看本机管理员
net config workstation # 查看当前计算机名,全名,用户名,系统版本,工作站域,登陆域
netstat -ano # 查看端口
tasklist # 查看所有进程
net start # 查看已启动的服务
net share # 查看共享列表
net user /domain # 获取域内用户信息
net view /domain # 查询域
net group /domain # 查询域内所有用户
net group \"domain computers\" /domain # 查询所有域成员计算机
net accounts /domain # 获取域密码信息
net group \"Domain admins\" /domain # 收集管理员列表
net group \"Domain Controller\" /domain # 查询域控制器列表
Nslookup -type=SRV _ldap._tcp # 查看域控制器的主机
可能存在敏感⽂件
C:\\Apache\\conf\\httpd.confC:\\Apache\\logs\\access.logC:\\Apache\\logs\\error.logC:\\Apache2\\conf\\httpd.confC:\\Apache2\\logs\\access.logC:\\Apache2\\logs\\error.logC:\\Apache22\\conf\\httpd.confC:\\Apache22\\logs\\access.logC:\\Apache22\\logs\\error.logC:\\Apache24\\conf\\httpd.confC:\\Apache24\\logs\\access.logC:\\Apache24\\logs\\error.log
C:\\Documents and Settings\\Administrator\\NTUser.datC:\\php\\php.iniC:\\php4\\php.iniC:\\php5\\php.iniC:\\php7\\php.ini
C:\\Program Files (x86)\\Apache Group\\Apache\\conf\\httpd.confC:\\Program Files (x86)\\Apache Group\\Apache\\logs\\access.logC:\\Program Files (x86)\\Apache Group\\Apache\\logs\\error.logC:\\Program Files (x86)\\Apache Group\\Apache2\\conf\\httpd.confC:\\Program Files (x86)\\Apache Group\\Apache2\\logs\\access.logC:\\Program Files (x86)\\Apache Group\\Apache2\\logs\\error.logc:\\Program Files (x86)\\php\\php.ini\"
C:\\Program Files\\Apache Group\\Apache\\conf\\httpd.conf
C:\\Program Files\\Apache Group\\Apache\\conf\\logs\\access.logC:\\Program Files\\Apache Group\\Apache\\conf\\logs\\error.logC:\\Program Files\\Apache Group\\Apache2\\conf\\httpd.conf
C:\\Program Files\\Apache Group\\Apache2\\conf\\logs\\access.logC:\\Program Files\\Apache Group\\Apache2\\conf\\logs\\error.logC:\\Program Files\\FileZilla Server\\FileZilla Server.xmlC:\\Program Files\\MySQL\\my.cnfC:\\Program Files\\MySQL\\my.ini
C:\\Program Files\\MySQL\\MySQL Server 5.0\\my.cnfC:\\Program Files\\MySQL\\MySQL Server 5.0\\my.iniC:\\Program Files\\MySQL\\MySQL Server 5.1\\my.cnf
C:\\Program Files\\MySQL\\MySQL Server 5.1\\my.iniC:\\Program Files\\MySQL\\MySQL Server 5.5\\my.cnfC:\\Program Files\\MySQL\\MySQL Server 5.5\\my.iniC:\\Program Files\\MySQL\\MySQL Server 5.6\\my.cnfC:\\Program Files\\MySQL\\MySQL Server 5.6\\my.iniC:\\Program Files\\MySQL\\MySQL Server 5.7\\my.cnfC:\\Program Files\\MySQL\\MySQL Server 5.7\\my.iniC:\\Program Files\\php\\php.ini
C:\\Users\\Administrator\\NTUser.datC:\\Windows\\debug\\NetSetup.LOG
C:\\Windows\\Panther\\Unattend\\Unattended.xmlC:\\Windows\\Panther\\Unattended.xmlC:\\Windows\\php.ini
C:\\Windows\\repair\\SAMC:\\Windows\\repair\\system
C:\\Windows\\System32\\config\\AppEvent.evtC:\\Windows\\System32\\config\\RegBack\\SAMC:\\Windows\\System32\\config\\RegBack\\systemC:\\Windows\\System32\\config\\SAM
C:\\Windows\\System32\\config\\SecEvent.evtC:\\Windows\\System32\\config\\SysEvent.evtC:\\Windows\\System32\\config\\SYSTEMC:\\Windows\\System32\\drivers\\etc\\hosts
C:\\Windows\\System32\\winevt\\Logs\\Application.evtxC:\\Windows\\System32\\winevt\\Logs\\Security.evtxC:\\Windows\\System32\\winevt\\Logs\\System.evtxC:\\Windows\\win.ini
C:\\xampp\\apache\\conf\\extra\\httpd-xampp.confC:\\xampp\\apache\\conf\\httpd.confC:\\xampp\\apache\\logs\\access.logC:\\xampp\\apache\\logs\\error.log
C:\\xampp\\FileZillaFTP\\FileZilla Server.xmlC:\\xampp\\MercuryMail\\MERCURY.INIC:\\xampp\\mysql\\bin\\my.iniC:\\xampp\\php\\php.ini
C:\\xampp\\security\\webdav.htpasswd
C:\\xampp\\sendmail\\sendmail.ini
C:\\xampp\\tomcat\\conf\\server.xml
Linux
常⽤命令
whoami # 用户名
id # 用户 id
cat /etc/shadow # 获取用户 hash,需要 root 权限
cat /etc/issue # 查看系统名称
cat /etc/lsb-release # 查看系统名称、版本号
uname -a # 查看所有信息
ps aux # 查看所有进程详细信息
top # 查看进程
ifconfig/ip addr # 查看 IP
cat /etc/services # 查看存在的服务
history # 查看历史命令
cat ~/.bash_history # 所有历史命令
dpkg -l # 查看安装的软件包
lastlog # 查看用户登录日志
cat /etc/group # 查看用户组
grep -v -E \"^#\" /etc/passwd | awk -F: '$3==0{print $1}' # 列出超级用户
env # 查看环境变量
last # 历史登陆用户
可能存在的敏感⽂件
cat /etc/httpd/logs/access_logcat /etc/httpd/logs/access.logcat /etc/httpd/logs/error_logcat /etc/httpd/logs/error.log
cat /var/log/apache2/access_logcat /var/log/apache2/access.logcat /var/log/apache2/error_logcat /var/log/apache2/error.logcat /var/log/apache/access_logcat /var/log/apache/access.logcat /var/log/auth.logcat /var/log/chttp.log
cat /var/log/cups/error_logcat /var/log/dpkg.logcat /var/log/faillog
cat /var/log/httpd/access_logcat /var/log/httpd/access.log
cat /var/log/httpd/error_logcat /var/log/httpd/error.logcat /var/log/lastlog
cat /var/log/lighttpd/access.logcat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.logcat /var/log/lighttpd/lighttpd.error.logcat /var/log/messagescat /var/log/securecat /var/log/syslogcat /var/log/wtmpcat /var/log/xferlogcat /var/log/yum.logcat /var/run/utmp
cat /var/webmin/miniserv.logcat /var/www/logs/access_logcat /var/www/logs/access.logls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/ls -alh /var/log/proftpd/ls -alh /var/log/samba/
简易脚本
# -s 指定操作系统 Linux/Windows
# -d 指定是否存在域,不清楚可省略 0/1 0表示无,1表示有
import argparse
import os
import subprocess
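# Windows enumeration table: three ``{command: label}`` groups.
# Group 0 is host/user/configuration state, group 1 is processes, ports,
# services and shares, group 2 is the domain-level queries. getInfo() drops
# the LAST group when ``-d 0`` is given, so the domain group must stay last.
# Labels head each section of the report. They are written with ordinary CJK
# ideographs (e.g. U+7528 '用'); the previous literals carried look-alike
# Kangxi-radical code points (U+2F8F '⽤') that render inconsistently and do
# not match when result.txt is searched for the normal characters.
cmds = [
    {
        'whoami': '当前用户',
        'ipconfig': 'IP 信息',
        'net user': '用户列表',
        'systeminfo': '查看系统信息',
        'wmic qfe get HotFixID': '补丁信息',
        'set': '环境变量',
        'netsh firewall show state': '防火墙状态',
        'net localgroup': '所有用户组',
        'net localgroup administrators': '管理员组成员',
        'net config workstation': '当前计算机名、全名、用户名、系统版本、工作站域、登陆域',
    },
    {
        'netstat -ano': '端口信息',
        'tasklist': '所有进程',
        'net start': '已启动服务',
        'net share': '共享列表',
    },
    {
        'net view /domain': '查询域结果',
        'net user /domain': '域内用户信息',
        'net group /domain': '域内所有用户组',
        'net group "domain computers" /domain': '所有域成员计算机',
        'net accounts /domain': '域密码信息',
        'net group "Domain admins" /domain': '域管理员列表',
        'net group "Domain Controller" /domain': '查询域控制器列表',
        'nslookup -type=SRV _ldap._tcp': '域控制器的主机',
    },
]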
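# Linux enumeration table, same shape as ``cmds``. Group 0 is identity, host
# and environment state, group 1 packages/services/processes, group 2 the
# shadow file (readable only as root). All three groups always run; the
# ``-d`` switch only affects the Windows table.
# Corrections against the previous table: ``pa aux`` -> ``ps aux``,
# ``/etc/serivices`` -> ``/etc/services``, and the awk program is now in
# shell single quotes -- inside double quotes the shell expanded ``$3``/``$1``
# to empty strings before awk saw them, so that entry was an awk syntax error.
# Labels use ordinary CJK ideographs (U+7528 '用'), not the look-alike
# Kangxi-radical code points (U+2F8F '⽤') the previous literals contained.
bashs = [
    {
        'whoami': '用户名',
        'id': '用户 id',
        'cat /etc/issue': '查看系统名称',
        'cat /etc/lsb-release': '系统名称、版本号',
        'uname -a': '内核信息',
        'ip addr': 'IP',
        'cat ~/.bash_history': '历史命令',
        "grep -v -E '^#' /etc/passwd | awk -F: '$3==0{print $1}'": '超级用户',
        'env': '环境变量',
        'lastlog': '用户登录日志',
        'last': '历史登陆用户',
        'cat /etc/group': '查看用户组',
    },
    {
        'dpkg -l': '查看安装的软件包',
        'cat /etc/services': '存在的服务',
        'ps aux': '所有进程详细信息',
    },
    {
        'cat /etc/shadow': '用户 hash',
    },
]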
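# Candidate configuration, log and credential-store paths whose existence is
# reported by getInfo(). One path per list element; ``win`` / ``lin`` are kept
# as the newline-joined text for anything that still reads the old string
# form. Every entry is a plain literal with doubled backslashes: the previous
# text blob appears to have spelled the XAMPP Tomcat entry with a lone ``\t``,
# which Python reads as a TAB, so that path could never match on disk.
Win_files = [
    'C:\\Apache\\conf\\httpd.conf',
    'C:\\Apache\\logs\\access.log',
    'C:\\Apache\\logs\\error.log',
    'C:\\Apache2\\conf\\httpd.conf',
    'C:\\Apache2\\logs\\access.log',
    'C:\\Apache2\\logs\\error.log',
    'C:\\Apache22\\conf\\httpd.conf',
    'C:\\Apache22\\logs\\access.log',
    'C:\\Apache22\\logs\\error.log',
    'C:\\Apache24\\conf\\httpd.conf',
    'C:\\Apache24\\logs\\access.log',
    'C:\\Apache24\\logs\\error.log',
    'C:\\Documents and Settings\\Administrator\\NTUser.dat',
    'C:\\php\\php.ini',
    'C:\\php4\\php.ini',
    'C:\\php5\\php.ini',
    'C:\\php7\\php.ini',
    'C:\\Program Files (x86)\\Apache Group\\Apache\\conf\\httpd.conf',
    'C:\\Program Files (x86)\\Apache Group\\Apache\\logs\\access.log',
    'C:\\Program Files (x86)\\Apache Group\\Apache\\logs\\error.log',
    'C:\\Program Files (x86)\\Apache Group\\Apache2\\conf\\httpd.conf',
    'C:\\Program Files (x86)\\Apache Group\\Apache2\\logs\\access.log',
    'C:\\Program Files (x86)\\Apache Group\\Apache2\\logs\\error.log',
    'c:\\Program Files (x86)\\php\\php.ini',
    'C:\\Program Files\\Apache Group\\Apache\\conf\\httpd.conf',
    'C:\\Program Files\\Apache Group\\Apache\\conf\\logs\\access.log',
    'C:\\Program Files\\Apache Group\\Apache\\conf\\logs\\error.log',
    'C:\\Program Files\\Apache Group\\Apache2\\conf\\httpd.conf',
    'C:\\Program Files\\Apache Group\\Apache2\\conf\\logs\\access.log',
    'C:\\Program Files\\Apache Group\\Apache2\\conf\\logs\\error.log',
    'C:\\Program Files\\FileZilla Server\\FileZilla Server.xml',
    'C:\\Program Files\\MySQL\\my.cnf',
    'C:\\Program Files\\MySQL\\my.ini',
    'C:\\Program Files\\MySQL\\MySQL Server 5.0\\my.cnf',
    'C:\\Program Files\\MySQL\\MySQL Server 5.0\\my.ini',
    'C:\\Program Files\\MySQL\\MySQL Server 5.1\\my.cnf',
    'C:\\Program Files\\MySQL\\MySQL Server 5.1\\my.ini',
    'C:\\Program Files\\MySQL\\MySQL Server 5.5\\my.cnf',
    'C:\\Program Files\\MySQL\\MySQL Server 5.5\\my.ini',
    'C:\\Program Files\\MySQL\\MySQL Server 5.6\\my.cnf',
    'C:\\Program Files\\MySQL\\MySQL Server 5.6\\my.ini',
    'C:\\Program Files\\MySQL\\MySQL Server 5.7\\my.cnf',
    'C:\\Program Files\\MySQL\\MySQL Server 5.7\\my.ini',
    'C:\\Program Files\\php\\php.ini',
    'C:\\Users\\Administrator\\NTUser.dat',
    'C:\\Windows\\debug\\NetSetup.LOG',
    'C:\\Windows\\Panther\\Unattend\\Unattended.xml',
    'C:\\Windows\\Panther\\Unattended.xml',
    'C:\\Windows\\php.ini',
    'C:\\Windows\\repair\\SAM',
    'C:\\Windows\\repair\\system',
    'C:\\Windows\\System32\\config\\AppEvent.evt',
    'C:\\Windows\\System32\\config\\RegBack\\SAM',
    'C:\\Windows\\System32\\config\\RegBack\\system',
    'C:\\Windows\\System32\\config\\SAM',
    'C:\\Windows\\System32\\config\\SecEvent.evt',
    'C:\\Windows\\System32\\config\\SysEvent.evt',
    'C:\\Windows\\System32\\config\\SYSTEM',
    'C:\\Windows\\System32\\drivers\\etc\\hosts',
    'C:\\Windows\\System32\\winevt\\Logs\\Application.evtx',
    'C:\\Windows\\System32\\winevt\\Logs\\Security.evtx',
    'C:\\Windows\\System32\\winevt\\Logs\\System.evtx',
    'C:\\Windows\\win.ini',
    'C:\\xampp\\apache\\conf\\extra\\httpd-xampp.conf',
    'C:\\xampp\\apache\\conf\\httpd.conf',
    'C:\\xampp\\apache\\logs\\access.log',
    'C:\\xampp\\apache\\logs\\error.log',
    'C:\\xampp\\FileZillaFTP\\FileZilla Server.xml',
    'C:\\xampp\\MercuryMail\\MERCURY.INI',
    'C:\\xampp\\mysql\\bin\\my.ini',
    'C:\\xampp\\php\\php.ini',
    'C:\\xampp\\security\\webdav.htpasswd',
    'C:\\xampp\\sendmail\\sendmail.ini',
    'C:\\xampp\\tomcat\\conf\\server.xml',
]

Lin_files = [
    '/etc/httpd/logs/access_log',
    '/etc/httpd/logs/access.log',
    '/etc/httpd/logs/error_log',
    '/etc/httpd/logs/error.log',
    '/var/log/apache2/access_log',
    '/var/log/apache2/access.log',
    '/var/log/apache2/error_log',
    '/var/log/apache2/error.log',
    '/var/log/apache/access_log',
    '/var/log/apache/access.log',
    '/var/log/auth.log',
    '/var/log/chttp.log',
    '/var/log/cups/error_log',
    '/var/log/dpkg.log',
    '/var/log/faillog',
    '/var/log/httpd/access_log',
    '/var/log/httpd/access.log',
    '/var/log/httpd/error_log',
    '/var/log/httpd/error.log',
    '/var/log/lastlog',
    '/var/log/lighttpd/access.log',
    '/var/log/lighttpd/error.log',
    '/var/log/lighttpd/lighttpd.access.log',
    '/var/log/lighttpd/lighttpd.error.log',
    '/var/log/messages',
    '/var/log/secure',
    '/var/log/syslog',
    '/var/log/wtmp',
    '/var/log/xferlog',
    '/var/log/yum.log',
    '/var/run/utmp',
    '/var/webmin/miniserv.log',
    '/var/www/logs/access_log',
    '/var/www/logs/access.log',
]

# Legacy string forms, derived from the lists so the two can never diverge.
win = '\n'.join(Win_files)
lin = '\n'.join(Lin_files)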
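def _run_command(command, timeout=None):
    """Run one table entry through the shell and return its stdout as text.

    The bytes are decoded as UTF-8 first and, if that fails, as GBK (the usual
    code page of a Chinese Windows console) with undecodable bytes replaced,
    so each command executes exactly once; the previous version re-ran the
    command a second time just to retry the decode. stderr is captured and
    discarded, as before. A command that cannot be started or that exceeds
    ``timeout`` seconds yields a one-line failure marker instead of aborting
    the whole run.
    """
    try:
        # shell=True is needed because some table entries contain pipes; the
        # commands come from the fixed tables in this file, never from user
        # input. subprocess.run() waits for and reaps the child, where the old
        # Popen(...).stdout.read() never did.
        completed = subprocess.run(
            command,
            shell=True,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        return "[command failed: %s]\n" % exc
    try:
        return completed.stdout.decode("utf-8")
    except UnicodeDecodeError:
        return completed.stdout.decode("gbk", errors="replace")


def getInfo(system, key, timeout=None):
    """Run the enumeration table for ``system`` and append the report to result.txt.

    Args:
        system: ``"Windows"`` selects ``cmds``/``Win_files``; any other value
            (including ``None`` when ``-s`` is omitted) selects
            ``bashs``/``Lin_files``, exactly as before.
        key: the ``-d`` value as a string. Only the exact string ``'0'`` drops
            the last (domain) command group on Windows; ``None`` or ``'1'``
            keeps it, and it has no effect on the Linux table.
        timeout: optional per-command limit in seconds; ``None`` (default)
            waits indefinitely, matching the original behaviour.

    Side effects: prints each section as it is produced and appends the whole
    report to ``result.txt`` in the current directory (append mode, so
    repeated runs accumulate in the same file).
    """
    if system == "Windows":
        # Slice/copy instead of pop(): the previous code popped the module-level
        # list in place, so a second call in the same process lost the domain
        # group for good.
        exes = cmds[:-1] if key == '0' else list(cmds)
        files = Win_files
    else:
        exes = list(bashs)
        files = Lin_files

    sections = []
    for group in exes:
        for command, label in group.items():
            section = label + ":\n" + _run_command(command, timeout) + "-------******-------\n"
            print(section)
            sections.append(section)

    sections.append('存在的敏感文件有:\n')
    print('存在的敏感文件有:(Linux 下由于权限问题扫描可能会不准确!请复测!!)\n')
    for path in files:
        # isfile() only needs stat(), so a file that exists but is not readable
        # is still reported; the previous open()-and-swallow-everything loop
        # silently omitted such files (the inaccuracy the message above warns
        # about) and also hid genuine errors.
        if os.path.isfile(path):
            print(path + '\n')
            sections.append(path + '\n')

    # Explicit UTF-8: the report mixes UTF-8 and GBK-decoded output, and the
    # locale default on a Chinese Windows host cannot encode every character,
    # which made the final write raise UnicodeEncodeError after all the work.
    with open('result.txt', 'a+', encoding='utf-8') as f:
        f.write(''.join(sections))

    print("\n\nEverything is Done!")
    print('执行的命令有:')
    for group in exes:
        for command in group:
            print(command)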
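def main():
    """Parse ``-s`` / ``-d`` from the command line and hand them to getInfo().

    ``-s`` selects the table: ``Windows`` for the Windows table, anything else
    (or omitted) for the Linux table. ``-d`` is ``0`` when there is no domain
    and ``1`` when there is; leave it out when unsure, in which case the domain
    queries still run. The ``dest`` names match the ``args.system`` /
    ``args.domain`` attributes the original code read.
    """
    parser = argparse.ArgumentParser(description='InfoScan')
    parser.add_argument("-s", dest="system", help="指定操作系统")
    parser.add_argument("-d", dest="domain", help="是否存在域,不确定可以不用加")
    args = parser.parse_args()
    getInfo(args.system, args.domain)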
# Script entry point: only run when executed directly, not when imported.
if __name__ == "__main__":
    main()