基本命令

1、获取当前组的计算机名(一般remark有Dc可能是域控):

  1. C:\Documents and Settings\Administrator\Desktop>net view
  2. Server Name            Remark
  4. -----------------------------------------------------------------------------
  5. \\DC1
  6. \\DM-WINXP
  7. \\DM_WIN03
  8. The command completed successfully.

2、查看所有域

  1. C:\Documents and Settings\Administrator\Desktop>net view /domain
  2. Domain
  4. -----------------------------------------------------------------------------
  5. CENTOSO
  6. The command completed successfully.

3、从计算机名获取ipv4地址

  1. C:\Documents and Settings\Administrator\Desktop>ping -n 1 DC1 -4
  3. Pinging DC1.centoso.com [192.168.206.100] with 32 bytes of data:
  5. Reply from 192.168.206.100: bytes=32 time<1ms TTL=128
  7. Ping statistics for 192.168.206.100:
  8.     Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
  9. Approximate round trip times in milli-seconds:
  10.     Minimum = 0ms, Maximum = 0ms, Average = 0ms

Ps:如果计算机名很多的时候,可以利用bat批量ping获取ip

  1. @echo off
  2. setlocal ENABLEDELAYEDEXPANSION
  3. @FOR /F "usebackq eol=- skip=1 delims=\" %%j IN (`net view ^| find "命令成功完成" /v ^|find "The command completed successfully." /v`) DO (
  4. @FOR /F "usebackq delims=" %%i IN (`@ping -n 1 -4 %%j ^| findstr "Pinging"`) DO (
  5. @FOR /F "usebackq tokens=2 delims=[]" %%k IN (`echo %%i`) DO (echo %%k  %%j)
  6. )
  7. )

基本命令 - 图1

以下执行命令时候会发送到域控查询,如果渗透的机器不是域用户权限,则会报错

  1. The request will be processed at a domain controller for domain
  2. System error 1326 has occurred.
  3. Logon failure: unknown user name or bad password.

4、查看域中的用户名

  1. dsquery user
  2. 或者:
  3. C:\Users\lemon\Desktop>net user /domain
  5. User accounts for \\DC1
  7. -------------------------------------------------------------------------------
  8. Administrator            Guest                    krbtgt
  9. lemon                    pentest
  10. The command completed successfully.

5、查询域组名称

  1. C:\Users\lemon\Desktop>net group /domain
  3. Group Accounts for \\DC1
  5. ----------------------------------------------
  6. *DnsUpdateProxy
  7. *Domain Admins
  8. *Domain Computers
  9. *Domain Controllers
  10. *Domain Guests
  11. *Domain Users
  12. *Enterprise Admins
  13. *Enterprise Read-only Domain Controllers
  14. *Group Policy Creator Owners
  15. *Read-only Domain Controllers
  16. *Schema Admins
  17. The command completed successfully.

6、查询域管理员

  1. C:\Users\lemon\Desktop>net group "Domain Admins" /domain
  2. Group name     Domain Admins
  3. Comment        Designated administrators of the domain
  5. Members
  7. -----------------------------------------------------------
  8. Administrator

7、添加域管理员账号

  1. 添加普通域用户
  2. net user lemon iam@L3m0n /add /domain
  3. 将普通域用户提升为域管理员
  4. net group "Domain Admins" lemon /add /domain

8、查看当前计算机名,全名,用户名,系统版本,工作站域,登陆域

  1. C:\Documents and Settings\Administrator\Desktop>net config Workstation
  2. Computer name                        \\DM_WIN03
  3. Full Computer name                   DM_win03.centoso.com
  4. User name                            Administrator
  6. Workstation active on
  7.         NetbiosSmb (000000000000)
  8.         NetBT_Tcpip_{6B2553C1-C741-4EE3-AFBF-CE3BA1C9DDF7} (000C2985F6E4)
  10. Software version                     Microsoft Windows Server 2003
  12. Workstation domain                   CENTOSO
  13. Workstation Domain DNS Name          centoso.com
  14. Logon domain                         DM_WIN03
  16. COM Open Timeout (sec)               0
  17. COM Send Count (byte)                16
  18. COM Send Timeout (msec)              250

9、查看域控制器(多域控制器的时候,而且只能用在域控制器上)

  1. net group "Domain controllers"

10、查询所有计算机名称

  1. dsquery computer
  2. 下面这条查询的时候,域控不会列出
  3. net group "Domain Computers" /domain

11、net命令

  1. >1、映射磁盘到本地
  2. net use z: \\dc01\sysvol
  4. >2、查看共享
  5. net view \\192.168.0.1
  7. >3、开启一个共享名为app$,在d:\config
  8. >net share app$=d:\config

12、跟踪路由

  1. tracert 8.8.8.8