10.9. 横向移动

10.9.1. 域

  • impacket is a collection of Python classes for working with network protocols
  • adidnsdump Active Directory Integrated DNS dump tool
  • BloodHound Six Degrees of Domain Admin
  • PlumHound Bloodhound for Blue and Purple Teams
  • windapsearch Python script to enumerate users, groups and computers from a Windows domain through LDAP queries
  • ldapdomaindump Active Directory information dumper via LDAP
  • Kerberoast a series of tools for attacking MS Kerberos implementations
  • ADRecon Active Directory Recon
  • Creds Some usefull Scripts and Executables for Pentest & Forensics
  • Lithnet Password Protection for Active Directory Active Directory password filter featuring breached password checking and custom complexity rules
  • ASREPRoast Project that retrieves crackable hashes from KRB5 AS-REP responses for users without kerberoast preauthentication enabled.

10.9.2. LDAP

  • SharpHound3 Data Collector for the BloodHound Project

10.9.3. 微软系产品利用

  • LyncSniper A tool for penetration testing Skype for Business and Lync deployments
  • MSOLSpray A password spraying tool for Microsoft Online accounts (Azure/O365)
  • MailSniper MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms

10.9.4. Azure AD

  • ROADtools Azure AD exploration framework
  • Stormspotter Azure Red Team tool for graphing Azure and Azure Active Directory objects

10.9.5. Exchange

10.9.6. PowerShell

10.9.7. 内网信息收集

  • nbtscan NetBIOS scanning tool
  • SharpShares Quick and dirty binary to list network share information from all machines in the current domain and if they're readable
  • WinShareEnum Windows Share Enumerator
  • HackBrowserData 全平台的浏览器数据导出工具

10.9.8. Kerberos

  • Rubeus
  • kerbrute A tool to perform Kerberos pre-auth bruteforcing
  • kerberoast A series of tools for attacking MS Kerberos implementations

10.9.9. 自动化审计

10.9.10. 绕过

  • SysWhispers AV/EDR evasion via direct system calls
  • SysWhispers2 AV/EDR evasion via direct system calls
  • Dumpert LSASS memory dumper using direct system calls and API unhooking

10.9.11. 内网扫描

  • InScan 边界打点后的自动化渗透工具
  • fscan 一款内网综合扫描工具,方便一键自动化、全方位漏扫扫描。