Tunnels

Egress (outbound connectivity) probing

  1. ping (ICMP): the hostname may fail to resolve when no DNS server is configured, or it may resolve while outbound traffic is still blocked
  2. nslookup (DNS)
  3. curl | certutil (HTTP)

Tunnels built over ICMP or DNS have low throughput; a direct (forward) tunnel is preferable whenever one is possible.

Unrestricted outbound access

  1. FRP
  2. NPS
  3. Venom (毒液): convenient for multi-hop proxying

Outbound via ICMP

  1. Icmpsh
  2. PingTunnel
  3. CS (Cobalt Strike) check-in over ICMP

Outbound via the DNS protocol

  1. DNS-shell
  2. iodine
  3. dnscat2
  4. dnsbeacon

No outbound access

  1. Neo-reGeorg
  2. pystinger
  3. multiplexing_port_socks5
  4. ABPTTS
  5. reDuh
  6. Tunna

Port forwarding

Windows

  1. Netsh
  2. Lcx

Linux

  1. iptables
  2. SSH
  3. Lcx

Proxy tools

Linux

proxychains4

Windows

  1. Proxifier
  2. SocksCap64

Internal network information gathering

Local information gathering

  1. ![image-20211213204232172.png](https://cdn.nlark.com/yuque/0/2022/png/8363097/1647236870985-5cf7853d-0e2c-40f0-8192-c7361fd76f67.png#clientId=u97e8701c-0d27-4&crop=0&crop=0&crop=1&crop=1&from=ui&id=ub09c94bd&margin=%5Bobject%20Object%5D&name=image-20211213204232172.png&originHeight=530&originWidth=1187&originalType=binary&ratio=1&rotation=0&showTitle=false&size=189260&status=done&style=none&taskId=u53fd619f-b208-454b-aa25-e936f958a86&title=)

Operations and development tooling on the host often stores data that can be read.

Internal network information gathering

fscan

Lateral movement within the internal network
