10.9. 横向移动

10.9.1.

  • adidnsdump Active Directory Integrated DNS dump tool

  • BloodHound Six Degrees of Domain Admin

  • PlumHound Bloodhound for Blue and Purple Teams

  • windapsearch Python script to enumerate users, groups and computers from a Windows domain through LDAP queries

  • ldapdomaindump Active Directory information dumper via LDAP

  • Kerberoast a series of tools for attacking MS Kerberos implementations

  • ADRecon Active Directory Recon

  • Creds Some usefull Scripts and Executables for Pentest & Forensics

  • Lithnet Password Protection for Active Directory Active Directory password filter featuring breached password checking and custom complexity rules

  • ASREPRoast Project that retrieves crackable hashes from KRB5 AS-REP responses for users without kerberoast preauthentication enabled.

10.9.2. LDAP

  • SharpHound3 Data Collector for the BloodHound Project

10.9.3. 容器

  • CDK an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency

10.9.4. 微软系产品利用

  • LyncSniper A tool for penetration testing Skype for Business and Lync deployments

  • MSOLSpray A password spraying tool for Microsoft Online accounts (Azure/O365)

  • MailSniper MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms

10.9.5. Azure AD

10.9.6. Exchange

10.9.7. PowerShell

10.9.8. 内网信息收集

  • nbtscan NetBIOS scanning tool

  • SharpShares Quick and dirty binary to list network share information from all machines in the current domain and if they’re readable

  • WinShareEnum Windows Share Enumerator

  • HackBrowserData 全平台的浏览器数据导出工具

10.9.9. Kerberos

  • Rubeus

  • kerbrute A tool to perform Kerberos pre-auth bruteforcing

  • kerberoast A series of tools for attacking MS Kerberos implementations

10.9.10. 自动化审计

10.9.11. 绕过

  • SysWhispers AV/EDR evasion via direct system calls

  • SysWhispers2 AV/EDR evasion via direct system calls

  • Dumpert LSASS memory dumper using direct system calls and API unhooking

10.9.12. 内网扫描

  • InScan 边界打点后的自动化渗透工具

  • fscan 一款内网综合扫描工具,方便一键自动化、全方位漏扫扫描。