  • 操作系统基础信息搜集

    前言

    对于操作系统的信息搜集有什么作用?提权、深入测试、域渗透、留后门······
    有一位大师傅曾经说过:内网渗透的本质是信息搜集。

    看了许多内网信息收集的文章,所用到的收集信息的命令大都是相同的。既然如此,写一个简单的脚本省去一些重复操作。

    Windows

    常用命令

    whoami/echo %USERNAME%  # 当前用户
    ipconfig  # IP 信息
    net user  # 用户列表
    systeminfo  # 查看系统信息
    wmic qfe  get HotFixID  # 纯补丁信息
    set  # 查看环境变量
    netsh firewall show state  # 查看防火墙状态(旧版命令,较新的系统上应使用 netsh advfirewall show allprofiles)
    net localgroup  # 查看用户组
    net localgroup administrators  # 查看本机管理员
    net config workstation  # 查看当前计算机名,全名,用户名,系统版本,工作 站域,登陆域
    
    
    netstat -ano  # 查看端口
    tasklist  # 查看所有进程
    net start  # 查看已启动的服务
    net share  # 查看共享列表
    
    
    net user /domain  # 获取域内用户信息
    net view /domain  # 查询域
    net group /domain  # 查询域内所有用户组(不是用户,用户用上面的 net user /domain)
    net group "domain computers" /domain  # 查询所有域成员计算机
    net accounts /domain  # 获取域密码信息
    net group "Domain admins" /domain  # 收集管理员列表
    net group "Domain Controllers" /domain  # 查询域控制器列表(内置组名为 Domain Controllers,带 s;写成单数会查不到)
    nslookup -type=SRV _ldap._tcp  # 查看域控制器的主机(依赖 DNS 后缀搜索;更稳妥的写法是 _ldap._tcp.dc._msdcs.<域名>)
    

    可能存在敏感文件

    C:\Apache\conf\httpd.conf
    C:\Apache\logs\access.log
    C:\Apache\logs\error.log
    C:\Apache2\conf\httpd.conf
    C:\Apache2\logs\access.log
    C:\Apache2\logs\error.log
    C:\Apache22\conf\httpd.conf
    C:\Apache22\logs\access.log
    C:\Apache22\logs\error.log
    C:\Apache24\conf\httpd.conf
    C:\Apache24\logs\access.log
    C:\Apache24\logs\error.log
    C:\Documents and Settings\Administrator\NTUser.dat
    C:\php\php.ini
    C:\php4\php.ini
    C:\php5\php.ini
    C:\php7\php.ini
    C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
    C:\Program Files (x86)\Apache Group\Apache\logs\access.log
    C:\Program Files (x86)\Apache Group\Apache\logs\error.log
    C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
    C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
    C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
    C:\Program Files (x86)\php\php.ini
    C:\Program Files\Apache Group\Apache\conf\httpd.conf
    C:\Program Files\Apache Group\Apache\conf\logs\access.log
    C:\Program Files\Apache Group\Apache\conf\logs\error.log
    C:\Program Files\Apache Group\Apache2\conf\httpd.conf
    C:\Program Files\Apache Group\Apache2\conf\logs\access.log
    C:\Program Files\Apache Group\Apache2\conf\logs\error.log
    C:\Program Files\FileZilla Server\FileZilla Server.xml
    C:\Program Files\MySQL\my.cnf
    C:\Program Files\MySQL\my.ini
    C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
    C:\Program Files\MySQL\MySQL Server 5.0\my.ini
    C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
    C:\Program Files\MySQL\MySQL Server 5.1\my.ini
    C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
    C:\Program Files\MySQL\MySQL Server 5.5\my.ini
    C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
    C:\Program Files\MySQL\MySQL Server 5.6\my.ini
    C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
    C:\Program Files\MySQL\MySQL Server 5.7\my.ini
    C:\Program Files\php\php.ini
    C:\Users\Administrator\NTUser.dat
    C:\Windows\debug\NetSetup.LOG
    C:\Windows\Panther\Unattend\Unattended.xml
    C:\Windows\Panther\Unattended.xml
    C:\Windows\php.ini
    C:\Windows\repair\SAM
    C:\Windows\repair\system
    C:\Windows\System32\config\AppEvent.evt
    C:\Windows\System32\config\RegBack\SAM
    C:\Windows\System32\config\RegBack\system
    C:\Windows\System32\config\SAM
    C:\Windows\System32\config\SecEvent.evt
    C:\Windows\System32\config\SysEvent.evt
    C:\Windows\System32\config\SYSTEM
    C:\Windows\System32\drivers\etc\hosts
    C:\Windows\System32\winevt\Logs\Application.evtx
    C:\Windows\System32\winevt\Logs\Security.evtx
    C:\Windows\System32\winevt\Logs\System.evtx
    C:\Windows\win.ini
    C:\xampp\apache\conf\extra\httpd-xampp.conf
    C:\xampp\apache\conf\httpd.conf
    C:\xampp\apache\logs\access.log
    C:\xampp\apache\logs\error.log
    C:\xampp\FileZillaFTP\FileZilla Server.xml
    C:\xampp\MercuryMail\MERCURY.INI
    C:\xampp\mysql\bin\my.ini
    C:\xampp\php\php.ini
    C:\xampp\security\webdav.htpasswd
    C:\xampp\sendmail\sendmail.ini
    C:\xampp\tomcat\conf\server.xml
    

    Linux

    常用命令

    whoami  # 用户名
    id  # 用户 id
    cat /etc/shadow #获取用户 hash,需要 root 权限
    cat /etc/issue  # 查看系统名称
    cat /etc/lsb-release  # 查看系统名称、版本号
    uname -a  # 查看所有信息
    ps aux  # 查看所有进程详细信息
    top  # 查看进程
    ifconfig/ip addr  # 查看 IP
    cat /etc/services  # 端口号与服务名的对照表(不是正在运行的服务;运行中的服务看 ps/ss/systemctl)
    history  # 查看历史命令
    cat ~/.bash_history # 所有历史命令
    dpkg -l  # 查看安装的软件包
    lastlog  # 查看用户登录日志
    cat /etc/group  # 查看用户组
    grep -v -E "^#" /etc/passwd | awk -F: '$3==0{print $1}'  # 列出超级用户
    env  # 查看环境变量
    last  # 历史登陆用户
    

    可能存在的敏感文件

    cat /etc/httpd/logs/access_log
    cat /etc/httpd/logs/access.log
    cat /etc/httpd/logs/error_log
    cat /etc/httpd/logs/error.log
    cat /var/log/apache2/access_log
    cat /var/log/apache2/access.log
    cat /var/log/apache2/error_log
    cat /var/log/apache2/error.log
    cat /var/log/apache/access_log
    cat /var/log/apache/access.log
    cat /var/log/auth.log
    cat /var/log/chttp.log
    cat /var/log/cups/error_log
    cat /var/log/dpkg.log
    cat /var/log/faillog
    cat /var/log/httpd/access_log
    cat /var/log/httpd/access.log
    cat /var/log/httpd/error_log
    cat /var/log/httpd/error.log
    cat /var/log/lastlog
    cat /var/log/lighttpd/access.log
    cat /var/log/lighttpd/error.log
    cat /var/log/lighttpd/lighttpd.access.log
    cat /var/log/lighttpd/lighttpd.error.log
    cat /var/log/messages
    cat /var/log/secure
    cat /var/log/syslog
    cat /var/log/wtmp
    cat /var/log/xferlog
    cat /var/log/yum.log
    cat /var/run/utmp
    cat /var/webmin/miniserv.log
    cat /var/www/logs/access_log
    cat /var/www/logs/access.log
    ls -alh /var/lib/dhcp3/
    ls -alh /var/log/postgresql/
    ls -alh /var/log/proftpd/
    ls -alh /var/log/samba/
    

    简易脚本

    # -s 指定操作系统  Linux/Windows
    # -d 指定是否存在域,不清楚可省略 0/1 0表示无,1表示有(只有显式传 -d 0 才会跳过域相关命令)
    import subprocess
    import argparse
    
    
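    # Windows enumeration commands, grouped in the order they are run:
    # [host/user basics, processes/network/services, domain enumeration].
    # getInfo() drops the last group when it is called with key == '0'.
    cmds = [{
        'whoami': '当前用户',
        'ipconfig': 'IP 信息',
        'net user': '用户列表',
        'systeminfo': '查看系统信息',
        'wmic qfe get HotFixID': '补丁信息',
        'set': '环境变量',
        # Legacy command; "netsh advfirewall show allprofiles" is its replacement on newer Windows.
        'netsh firewall show state': '防火墙状态',
        'net localgroup': '所有用户组',
        'net localgroup administrators': '管理员组成员',
        'net config workstation': '当前计算机名、全名、用户名、系统版本、工作站域、登陆域'
    }, {
        'netstat -ano': '端口信息',
        'tasklist': '所有进程',
        'net start': '已启动服务',
        'net share': '共享列表',
    }, {
        # These go to the domain controller; on a non-domain host they fail with no stdout.
        'net view /domain': '查询域结果',
        'net user /domain': '域内用户信息',
        'net group /domain': '域内所有用户组',
        'net group "domain computers" /domain': '所有域成员计算机',
        'net accounts /domain': '域密码信息',
        'net group "Domain admins" /domain': '域管理员列表',
        # The built-in group is "Domain Controllers" (plural); the singular name matches nothing.
        'net group "Domain Controllers" /domain': '查询域控制器列表',
        'nslookup -type=SRV _ldap._tcp': '域控制器的主机',
    }]

    # Linux enumeration commands, same three-group layout. The last group needs root;
    # without it, cat's error goes to the captured stderr and the stdout section is empty.
    bashs = [
        {
            'whoami': '用户名',
            'id': '用户 id',
            'cat /etc/issue': '查看系统名称',
            'cat /etc/lsb-release': '系统名称、版本号',
            'uname -a': '内核信息',
            'ip addr': 'IP',
            'cat ~/.bash_history': '历史命令',
            # The awk program must be single-quoted for the shell: inside double quotes
            # $3 and $1 are expanded to empty strings and the filter breaks.
            "grep -v -E '^#' /etc/passwd | awk -F: '$3==0{print $1}'": '超级用户',
            'env': '环境变量',
            'lastlog': '用户登录日志',
            'last': '历史登陆用户',
            'cat /etc/group': '查看用户组',
        },
        {
            'dpkg -l': '查看安装的软件包',
            # /etc/services is the port-to-name table, not the list of running services.
            'cat /etc/services': '存在的服务',
            'ps aux': '所有进程详细信息',
        },
        {
            'cat /etc/shadow': '用户 hash',
        }
    ]

    # Raw string is required: in a plain ''' literal \a, \b, \r and \t become control
    # characters (corrupting e.g. \access.log, \bin, \repair, \tomcat) and \U, \N, \x
    # are rejected as malformed escapes, so the module would not even import.
    win = r'''C:\Apache\conf\httpd.conf
    C:\Apache\logs\access.log
    C:\Apache\logs\error.log
    C:\Apache2\conf\httpd.conf
    C:\Apache2\logs\access.log
    C:\Apache2\logs\error.log
    C:\Apache22\conf\httpd.conf
    C:\Apache22\logs\access.log
    C:\Apache22\logs\error.log
    C:\Apache24\conf\httpd.conf
    C:\Apache24\logs\access.log
    C:\Apache24\logs\error.log
    C:\Documents and Settings\Administrator\NTUser.dat
    C:\php\php.ini
    C:\php4\php.ini
    C:\php5\php.ini
    C:\php7\php.ini
    C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
    C:\Program Files (x86)\Apache Group\Apache\logs\access.log
    C:\Program Files (x86)\Apache Group\Apache\logs\error.log
    C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
    C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
    C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
    c:\Program Files (x86)\php\php.ini
    C:\Program Files\Apache Group\Apache\conf\httpd.conf
    C:\Program Files\Apache Group\Apache\conf\logs\access.log
    C:\Program Files\Apache Group\Apache\conf\logs\error.log
    C:\Program Files\Apache Group\Apache2\conf\httpd.conf
    C:\Program Files\Apache Group\Apache2\conf\logs\access.log
    C:\Program Files\Apache Group\Apache2\conf\logs\error.log
    C:\Program Files\FileZilla Server\FileZilla Server.xml
    C:\Program Files\MySQL\my.cnf
    C:\Program Files\MySQL\my.ini
    C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
    C:\Program Files\MySQL\MySQL Server 5.0\my.ini
    C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
    C:\Program Files\MySQL\MySQL Server 5.1\my.ini
    C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
    C:\Program Files\MySQL\MySQL Server 5.5\my.ini
    C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
    C:\Program Files\MySQL\MySQL Server 5.6\my.ini
    C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
    C:\Program Files\MySQL\MySQL Server 5.7\my.ini
    C:\Program Files\php\php.ini
    C:\Users\Administrator\NTUser.dat
    C:\Windows\debug\NetSetup.LOG
    C:\Windows\Panther\Unattend\Unattended.xml
    C:\Windows\Panther\Unattended.xml
    C:\Windows\php.ini
    C:\Windows\repair\SAM
    C:\Windows\repair\system
    C:\Windows\System32\config\AppEvent.evt
    C:\Windows\System32\config\RegBack\SAM
    C:\Windows\System32\config\RegBack\system
    C:\Windows\System32\config\SAM
    C:\Windows\System32\config\SecEvent.evt
    C:\Windows\System32\config\SysEvent.evt
    C:\Windows\System32\config\SYSTEM
    C:\Windows\System32\drivers\etc\hosts
    C:\Windows\System32\winevt\Logs\Application.evtx
    C:\Windows\System32\winevt\Logs\Security.evtx
    C:\Windows\System32\winevt\Logs\System.evtx
    C:\Windows\win.ini
    C:\xampp\apache\conf\extra\httpd-xampp.conf
    C:\xampp\apache\conf\httpd.conf
    C:\xampp\apache\logs\access.log
    C:\xampp\apache\logs\error.log
    C:\xampp\FileZillaFTP\FileZilla Server.xml
    C:\xampp\MercuryMail\MERCURY.INI
    C:\xampp\mysql\bin\my.ini
    C:\xampp\php\php.ini
    C:\xampp\security\webdav.htpasswd
    C:\xampp\sendmail\sendmail.ini
    C:\xampp\tomcat\conf\server.xml'''

    lin = """/etc/httpd/logs/access_log
    /etc/httpd/logs/access.log
    /etc/httpd/logs/error_log
    /etc/httpd/logs/error.log
    /var/log/apache2/access_log
    /var/log/apache2/access.log
    /var/log/apache2/error_log
    /var/log/apache2/error.log
    /var/log/apache/access_log
    /var/log/apache/access.log
    /var/log/auth.log
    /var/log/chttp.log
    /var/log/cups/error_log
    /var/log/dpkg.log
    /var/log/faillog
    /var/log/httpd/access_log
    /var/log/httpd/access.log
    /var/log/httpd/error_log
    /var/log/httpd/error.log
    /var/log/lastlog
    /var/log/lighttpd/access.log
    /var/log/lighttpd/error.log
    /var/log/lighttpd/lighttpd.access.log
    /var/log/lighttpd/lighttpd.error.log
    /var/log/messages
    /var/log/secure
    /var/log/syslog
    /var/log/wtmp
    /var/log/xferlog
    /var/log/yum.log
    /var/run/utmp
    /var/webmin/miniserv.log
    /var/www/logs/access_log
    /var/www/logs/access.log"""

    # One path per non-empty line. Surrounding whitespace is stripped so the indentation
    # of the literals above can never leak into the file names being probed.
    Win_files = [p.strip() for p in win.splitlines() if p.strip()]
    Lin_files = [p.strip() for p in lin.splitlines() if p.strip()]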
    
    
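    def _run(command):
        """Run one enumeration command through the shell and return its stdout as text.

        The commands come from the hard-coded ``cmds``/``bashs`` tables, never from
        user input, so ``shell=True`` is acceptable here (the awk pipeline needs it).
        stdout is decoded as UTF-8 first and, if that fails, as GBK (the fallback the
        script always used) with undecodable bytes replaced instead of raising.
        stderr is captured and discarded, as before, so a failed command simply
        yields an empty section. Unlike the old Popen-without-wait, the child is
        reaped before returning.
        """
        proc = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        try:
            return proc.stdout.decode('utf-8')
        except UnicodeDecodeError:
            return proc.stdout.decode('gbk', errors='replace')


    def getInfo(system, key):
        """Run the enumeration commands for ``system`` and append a report to ``result.txt``.

        Args:
            system: ``"Windows"`` selects ``cmds`` and ``Win_files``; any other value
                selects ``bashs`` and ``Lin_files``.
            key: the ``-d`` value. Only the *string* ``'0'`` drops the Windows
                domain-enumeration group; the argparse default is the int ``0``, so
                domain commands run unless ``-d 0`` is passed explicitly.

        Side effects: every command is executed through the shell and echoed to
        stdout; every path in the sensitive-file list is probed by opening it; the
        whole report is appended to ``result.txt`` in the current directory. That
        file may contain credential material (shadow/SAM contents, history, configs)
        -- treat it as sensitive and remove it when the engagement step is done.
        Domain queries are answered by the DC and are visible in its logs.
        """
        if system == "Windows":
            # Build a new list instead of pop()-ing the module-level one, so a second
            # call (or a caller that imported cmds) still sees all three groups.
            exes = cmds[:-1] if key == '0' else list(cmds)
            files = Win_files
        else:
            exes = bashs
            files = Lin_files

        parts = []
        for group in exes:
            for command, label in group.items():
                section = label + ":\n" + _run(command) + "-------******-------\n"
                print(section)
                parts.append(section)

        parts.append('存在的敏感文件有:\n')
        print('存在的敏感文件有:(Linux 下由于权限问题扫描可能会不准确!请复测!!)\n')
        for path in files:
            try:
                with open(path, 'rb'):
                    pass
            except (FileNotFoundError, NotADirectoryError):
                continue
            except OSError as exc:
                # Present but not openable by this user (e.g. SAM/SYSTEM locked by the
                # kernel, /etc/shadow as non-root). Worth reporting: it is a target for
                # a later, more privileged pass rather than a non-existent file.
                line = path + '  (存在但当前权限无法读取: ' + type(exc).__name__ + ')\n'
            else:
                line = path + '\n'
            parts.append(line)
            print(line)

        # Explicit UTF-8 so Chinese labels and UTF-8 command output never hit a
        # locale-dependent encoder (the old call used the platform default).
        with open('result.txt', 'a+', encoding='utf-8') as f:
            f.write(''.join(parts))
        print("\n\nEverything is Done!")
        print('执行的命令有:')
        for group in exes:
            for command in group:
                print(command)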
    
    
    def main():
        """Parse ``-s``/``-d`` from the command line and hand them to ``getInfo``.

        ``-s`` defaults to ``'Windows'``; ``-d`` defaults to the int ``0`` (not the
        string ``'0'``), which ``getInfo`` does not treat as "skip domain commands".
        """
        parser = argparse.ArgumentParser(description='InfoScan')
        parser.add_argument("-s", "--system", help="指定操作系统", default='Windows')
        parser.add_argument("-d", "--domain", help="是否存在域,不确定可以不用加", default=0)
        opts = parser.parse_args()
        getInfo(opts.system, opts.domain)
    
    
    # Only start the scan when the file is executed directly; importing it just
    # defines the command tables and file lists.
    if __name__ == '__main__':
        main()
    
  • 原文地址:https://www.cnblogs.com/wjrblogs/p/13453504.html