Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Host discovery techniques in intranet penetration

Posted by barkins at 2020-03-08

In intranet penetration, in order to expand the results, it is often necessary to find more hosts and carry out security checks or account/password testing on them, so host discovery is a necessary step. How can we find more hosts without using a scanner?

Determining IP segment

Generally, intranet addresses come from three private address ranges, so before doing anything we already roughly know the IP address segments of the intranet. However, some companies also use public IPs inside the intranet, which means there may be many IP segments reachable from inside.

The following is mainly about how to collect IP segments.

View the IP address of this computer

Use under Windows:

ipconfig /all

Use under Linux:

ifconfig -a

Taking Windows as an example, the execution result is as follows:

From the figure, my local IP and the subnet mask below it show that my IP segment is a C segment (a /24). We can probe my own IP segment first.

Another IP in the figure is worth noting: the IP address of the DNS server. In an intranet, the DNS server's IP is often not in the same C or B segment as ours, so it reveals another existing IP segment, which is also a target IP segment for host discovery and scanning.

View routing table

Use under Windows:

route print

Use under Linux:

route -n

Taking Windows as an example, the result is as follows:

As can be seen from the figure, the routing table also contains the IP segments we determined above. This is my own home network, so it is not complicated; in a real corporate network you will see multiple IP segments in the routing table. These segments are reachable from the current host, and they are also target IP segments for host discovery and scanning.
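As an added example (not code from the original post), the following Python script turns constructed `route print` output into the list of subnets the host can reach and flags which of them fall outside the RFC 1918 private ranges; a defender auditing what a compromised host could reach wants the same answer. The route table, addresses and the public 203.0.113.0/24 segment are all constructed sample data.

```python
import ipaddress
import re

# Constructed "route print" IPv4 table (sample data, not from the original post).
# Besides the usual local entries it has two routed segments, one in a public
# range, to mirror the "public IPs inside the intranet" case described above.
ROUTE_PRINT_SAMPLE = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.20     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.20    281
     192.168.1.20  255.255.255.255         On-link      192.168.1.20    281
       10.10.20.0    255.255.255.0    192.168.1.254    192.168.1.20     26
      203.0.113.0    255.255.255.0    192.168.1.254    192.168.1.20     26
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.1.20    281
===========================================================================
"""

# destination  netmask  gateway  interface  metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+\d+\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reachable_segments(route_text):
    """Sorted, de-duplicated IPv4 subnets the routing table says the host can reach.
    Default, loopback, multicast, reserved and /32 host routes are dropped since
    they never describe a segment worth inventorying."""
    segments = set()
    for line in route_text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast or net.is_reserved:
            continue
        segments.add(net)
    return sorted(segments)

def is_rfc1918(net):
    """True if the segment lies inside one of the three RFC 1918 private ranges."""
    return any(net.subnet_of(p) for p in RFC1918)

if __name__ == "__main__":
    for net in reachable_segments(ROUTE_PRINT_SAMPLE):
        print(net, "private" if is_rfc1918(net) else "public range routed inside the intranet")
```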

View local connection information

Under Windows:

netstat -ano

Execute under Linux:

netstat -anp

Taking Windows as an example, the execution result is as follows:

The figure shows a lot of connection information but no intranet IP addresses, because no intranet host is connected to my machine. Imagine that my host is a server: when intranet users access it there must be connections, so this is another way to collect intranet IP segment information.

Using net command

We know that in a Windows intranet environment, we can use the

net view

command to display the list of shared resources on a computer. From this list we can get some host names and then resolve them into IP addresses. In this way we collect not only some live hosts but also some IP segments. Since I have no environment at hand, the figure below is borrowed from the web:

We can also use

net session

command to view the IPs from which administrators are logged in; Linux has an equivalent command. Several IP addresses can also be collected here. If an administrator is currently logged in, the borrowed figure looks like this:

On the same principle, we can also remotely list the users connected to a file server. A publicly available tool, netsess.exe, does this remotely; the command is as follows:

netsess.exe -h dc01 or netsess.exe \\dc01

The results are as follows:

Using DNS information

When we get into the intranet, the first thing to do is to check whether the intranet DNS service is vulnerable to zone transfer (AXFR). If it is, we save a lot of time and get a very complete list of domain names, which basically covers all the live hosts in the intranet. How to check for DNS zone transfer is covered in a separate post.

If there is no zone transfer vulnerability, then after collecting some host names we can generate a host-name dictionary based on the naming convention, resolve those names via DNS to obtain IPs, and then determine the IP segments from those IPs.

Using domain information

If we have obtained host privileges in a domain, we can access all the information in the domain, that is, query the information of every domain-joined host through the domain controller. Use the following commands:

dsquery computer and dsquery server

After obtaining the list of hosts and servers, parse their IP addresses to obtain IP segment information.

With the methods above, every time you obtain privileges on a new host you can repeat this process and collect more IP segments. Someone may say this is tiring: why not just scan all the intranet IP segments directly with Nmap or another large-scale multithreaded scanner? Of course you can, but that much noise triggers all sorts of security-device alarms, and you will be game over before getting any further. The task can't be finished for the boss, and the bonus is gone~~~~

We should be very careful about our activity on the intranet: the less noise, the better. Otherwise, what would be the point of this article?

Here's how to find more hosts with as little movement as possible.

How to scan IP segments to find the surviving hosts

Both Windows and Linux have the ping command. It exists so that network administrators can check network connectivity after configuring the network. We can use it in simple scripts to check in batches whether hosts are alive. Although slow, it is safe and reliable, and such traffic is not easily flagged.

ping sweeping

Under Windows, you can use:

ping -n 1

Under Linux:

ping -c 1

After knowing the core command, we can write a batch scan script to complete this operation.

Writing such a script is left to the clever reader.
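The post says a one-probe-per-host ping sweep is not easily recognised. As an added example (not from the original post), here is the defender's counter: count distinct destinations per source over a sliding window, rather than packet rate, and make the window long enough to catch a slow sweep. The log format, hosts and timestamps are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real device's format): "<iso-time> ICMP <src> -> <dst>"
LOG_LINE = re.compile(r"^(\S+) ICMP (\S+) -> (\S+)$")

def build_sample_log():
    """Constructed traffic: 192.168.1.20 sends one echo request to each of 60
    neighbours 30 s apart (a slow sweep); 192.168.1.30 only pings its gateway,
    100 times, 20 s apart (benign monitoring)."""
    t0 = datetime(2020, 3, 8, 10, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=30 * i)).isoformat()} ICMP 192.168.1.20 -> 192.168.1.{i + 1}"
             for i in range(60)]
    lines += [f"{(t0 + timedelta(seconds=20 * i)).isoformat()} ICMP 192.168.1.30 -> 192.168.1.1"
              for i in range(100)]
    return lines

def parse_log(lines):
    """Yield (timestamp, src, dst) for each line matching the log format."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def sweep_sources(events, window_seconds, threshold):
    """Return {src: peak} for every source that reached more than `threshold`
    distinct destinations inside some sliding window of `window_seconds`.
    Distinct destinations, not packet rate, is what exposes a one-probe-per-host sweep."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        seen, left, peak = Counter(), 0, 0
        for ts, dst in evs:
            seen[dst] += 1
            while ts - evs[left][0] > window:      # evict events that fell out of the window
                old = evs[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            peak = max(peak, len(seen))
        if peak > threshold:
            flagged[src] = peak
    return flagged
```

Running `sweep_sources(list(parse_log(build_sample_log())), 3600, 20)` flags the sweeper with 60 distinct hosts, while the same call with a 300-second window sees at most 11 hosts at a time and misses it, which is why sweep detection needs long windows rather than rate limits.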


This article has roughly introduced the various host discovery techniques used in the intranet information-gathering stage; it may be incomplete or contain mistakes. Please leave a message and don't hesitate to comment!