Lateral movement techniques: introductory tutorial
- https://www.bilibili.com/video/BV1Hz4y1Z7pJ
- https://www.bilibili.com/video/BV1Hz4y1Z7pJ?p=2
- https://www.bilibili.com/video/BV1Hz4y1Z7pJ?p=3
smbmap information gathering
Remote management requires the Admin$ share.
List the remote shares.
msf psexec (works; not AV-evasive; ineffective when the firewall is enabled)
Uses ports 139 and 445; the target machine must have these ports open.
Exploitation: use an obtained password for command execution (from mimikatz, from a Windows plaintext password left on the desktop, or from brute force).
psexec.py (works; not AV-evasive; ineffective when the firewall is enabled)
python /usr/share/doc/python-impacket/examples/psexec.py workgroup/administrator@192.168.123.45 cmd.exe
sc.exe (works; still effective with the firewall enabled; not AV-evasive)
Start the rundll32 reverse-shell listener first; if you do not know how, see this video: https://www.bilibili.com/video/BV1ey4y1k7PA/
csexec (bypasses 360, but not Windows Firewall)
The usage is a bit complicated; I did not look into this tool further.
scshell
2020.10.07
Principle:
sharpmove
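Every tool in the sections above (msf psexec, psexec.py, sc.exe, csexec, scshell, sharpmove) ends up creating or reconfiguring a service on the target through the Service Control Manager, and the binary is typically dropped through the Admin$ share mentioned at the top of these notes, i.e. directly into %SystemRoot%. On the defending side, that shows up as a System log Event ID 7045 ("A service was installed in the system"). The following script is an added example for this page, not code from the notes or from any of the listed projects: it scans constructed 7045-shaped records and flags service installs whose ImagePath is an interpreter (cmd.exe, rundll32.exe, %COMSPEC% and friends, as in the rundll32 reverse-shell variant above) or an executable sitting directly in the Windows root. The record shapes, host names and service names are all constructed sample data.

```python
import re

# Constructed sample records in the shape of System log Event ID 7045
# ("A service was installed in the system"). Not real log data.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "BTOBTO",
     "ImagePath": r"%SystemRoot%\BTOBTO.exe",          # uploaded via ADMIN$
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "updsvc",
     "ImagePath": r"%COMSPEC% /c rundll32.exe C:\Windows\Temp\x.dll,Start",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7036, "Computer": "WS02", "ServiceName": "Spooler",
     "ImagePath": "", "StartType": "", "AccountName": ""},   # state change, ignored
]

# Interpreters / LOLBins that should not normally be a service's ImagePath.
INTERPRETER_RE = re.compile(
    r"(?:^|[\\\s\"])(?:cmd\.exe|%COMSPEC%|rundll32\.exe|powershell\.exe|"
    r"regsvr32\.exe|mshta\.exe)", re.IGNORECASE)

# ADMIN$ maps to %SystemRoot% (C:\Windows). A service binary placed directly in
# that directory (not in System32 or a subfolder) is typical of psexec-style drops.
WINROOT_DROP_RE = re.compile(
    r"^\"?(?:%SystemRoot%|%windir%|[A-Za-z]:\\Windows)\\[^\\]+\.exe\"?$",
    re.IGNORECASE)


def classify(event):
    """Return the list of reasons a 7045 record looks like remote service execution.

    An empty list means the record is not a 7045 or matched nothing.
    """
    if event.get("EventID") != 7045:
        return []
    path = event.get("ImagePath", "")
    reasons = []
    if INTERPRETER_RE.search(path):
        reasons.append("interpreter as service binary")
    if WINROOT_DROP_RE.match(path):
        reasons.append("binary dropped directly in %SystemRoot% (ADMIN$ root)")
    # A one-shot service (demand start) on top of either indicator raises confidence.
    if reasons and event.get("StartType", "").lower().startswith("demand"):
        reasons.append("demand start (one-shot execution)")
    return reasons


def scan(events):
    """Return (Computer, ServiceName, reasons) for every flagged record."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((e["Computer"], e["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for computer, name, reasons in scan(SAMPLE_EVENTS):
        print(f"{computer}: service {name!r}: " + "; ".join(reasons))
```

The two regexes are deliberately narrow so that normal service installs (a vendor binary under Program Files or System32) stay quiet; in a real deployment, pair the 7045 match with the logon that preceded it (a network logon from a workstation rather than a management host) to cut the remaining false positives.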
Commands to disable the firewall
Disable the firewall for the public profile:
netsh advfirewall set currentprofile state off
Disable the firewall for the private profile:
netsh advfirewall set privateprofile state off
Disable the firewall remotely:
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
- https://www.windows-commandline.com/enable-disable-firewall-command-line/
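The netsh commands above switch a whole firewall profile off, which is exactly the change a defender wants to notice, both on the host (a profile that is unexpectedly OFF) and in process telemetry (the command line that turned it off). The script below is an added example written for this page, not part of the original notes: it parses text shaped like the output of `netsh advfirewall show allprofiles` and reports profiles whose State is OFF, and it matches the `netsh advfirewall set ...profile state off` command forms against a process command line such as the one recorded in a process-creation event. The netsh output block is a constructed sample in the layout that command prints; only the header and State lines are relied on.

```python
import re

# Constructed sample in the shape of `netsh advfirewall show allprofiles` output.
# Only the "<Name> Profile Settings:" headers and the "State" rows are parsed.
SAMPLE_NETSH_OUTPUT = """
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Ok.
"""

PROFILE_HEADER_RE = re.compile(r"^(Domain|Private|Public) Profile Settings:$", re.I)
STATE_RE = re.compile(r"^State\s+(ON|OFF)$", re.I)

# The netsh forms that switch a profile off: domainprofile, privateprofile,
# publicprofile, currentprofile and allprofiles. The optional quote handles a
# fully quoted path such as "C:\Windows\System32\netsh.exe".
DISABLE_CMD_RE = re.compile(
    r"netsh(?:\.exe)?\"?\s+advfirewall\s+set\s+"
    r"(?:domain|private|public|current|all)profiles?\s+state\s+off\b",
    re.IGNORECASE)


def parse_profile_states(text):
    """Map profile name -> True if the firewall is ON for that profile."""
    states = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_HEADER_RE.match(line)
        if m:
            current = m.group(1).capitalize()
            continue
        m = STATE_RE.match(line)
        if m and current:
            states[current] = m.group(1).upper() == "ON"
    return states


def disabled_profiles(text):
    """Sorted list of profile names whose firewall state is OFF."""
    return sorted(name for name, on in parse_profile_states(text).items() if not on)


def is_firewall_disable_command(cmdline):
    """True if a process command line disables a Windows Firewall profile via netsh."""
    return DISABLE_CMD_RE.search(cmdline) is not None


if __name__ == "__main__":
    print("profiles OFF:", disabled_profiles(SAMPLE_NETSH_OUTPUT))
    for cmd in ("netsh advfirewall set currentprofile state off",
                "netsh advfirewall show allprofiles"):
        print(f"{cmd!r}: disable={is_firewall_disable_command(cmd)}")
```

On a fleet, the first check belongs in a scheduled host audit (run netsh, feed the output to `disabled_profiles`, alert on anything non-empty where policy says ON); the second belongs in the detection rule on process-creation telemetry, since the profile can be switched back on before the audit runs.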
References
- https://pentestlab.blog/2020/07/21/lateral-movement-services/
- https://github.com/Mr-Un1k0d3r/SCShell
- https://github.com/0xthirteen/MoveKit
- https://github.com/0xthirteen/SharpMove
- https://github.com/0xthirteen/SharpRDP