10.9. Lateral Movement
10.9.1. Domain
adidnsdump Active Directory Integrated DNS dump tool
BloodHound Six Degrees of Domain Admin
PlumHound Bloodhound for Blue and Purple Teams
windapsearch Python script to enumerate users, groups and computers from a Windows domain through LDAP queries
ldapdomaindump Active Directory information dumper via LDAP
Kerberoast a series of tools for attacking MS Kerberos implementations
ADRecon Active Directory Recon
Creds Some useful Scripts and Executables for Pentest & Forensics
Lithnet Password Protection for Active Directory Active Directory password filter featuring breached password checking and custom complexity rules
ASREPRoast Project that retrieves crackable hashes from KRB5 AS-REP responses for users without Kerberos pre-authentication enabled
10.9.2. LDAP
SharpHound3 Data Collector for the BloodHound Project
10.9.3. Containers
CDK an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency
10.9.4. Exploitation of Microsoft Products
LyncSniper A tool for penetration testing Skype for Business and Lync deployments
MSOLSpray A password spraying tool for Microsoft Online accounts (Azure/O365)
MailSniper MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms
10.9.5. Azure AD
ROADtools Azure AD exploration framework
10.9.6. Exchange
ruler A tool to abuse Exchange services
PrivExchange Exchange your privileges for Domain Admin privs by abusing Exchange
10.9.7. PowerShell
10.9.8. Internal Network Information Gathering
nbtscan NetBIOS scanning tool
SharpShares Quick and dirty binary to list network share information from all machines in the current domain and if they’re readable
WinShareEnum Windows Share Enumerator
HackBrowserData Cross-platform browser data export tool
10.9.9. Kerberos
kerbrute A tool to perform Kerberos pre-auth bruteforcing
kerberoast A series of tools for attacking MS Kerberos implementations
10.9.10. Automated Auditing
Infection Monkey Data center Security Testing Tool
10.9.11. Evasion
SysWhispers AV/EDR evasion via direct system calls
SysWhispers2 AV/EDR evasion via direct system calls
Dumpert LSASS memory dumper using direct system calls and API unhooking