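# Intranet Penetration Testing Resources

## bmjoker (Hands-on Series)

[1. Intranet Penetration as I Understand It](https://www.cnblogs.com/bmjoker/p/10336247.html)

[2. Intranet Penetration: Port Forwarding](https://www.cnblogs.com/bmjoker/p/10264148.html)

[3. Intranet Penetration: reGeorg + Proxifier](https://www.cnblogs.com/bmjoker/p/10205407.html)

[4. Intranet Penetration: IPC$ Intrusion](https://www.cnblogs.com/bmjoker/p/10355934.html)

[5. Intranet Penetration: PTH \& PTT \& PTK](https://www.cnblogs.com/bmjoker/p/10355979.html)

[6. A Collection of Techniques for Dumping Domain User Hashes](https://www.cnblogs.com/bmjoker/p/10529360.html)

[7. Intranet Penetration: Windows Authentication Mechanisms](https://www.cnblogs.com/bmjoker/p/10723432.html)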

## ARESX (Hands-on + Theory Series)

[A Lighthearted Tale of Cerberus, the Three-Headed Hound of Hell](https://ares-x.com/2020/03/12/%E6%88%8F%E8%AF%B4%E5%9C%B0%E7%8B%B1%E4%B8%89%E5%A4%B4%E7%8A%AC/)

[On User Privilege Issues with IPC and PTH](https://ares-x.com/2020/03/10/%E5%85%B3%E4%BA%8EIPC%E5%92%8CPTH%E7%94%A8%E6%88%B7%E6%9D%83%E9%99%90%E9%97%AE%E9%A2%98/)

[(1) Windows Authentication Mechanisms](https://ares-x.com/2020/03/16/%E5%9F%9F%E6%B8%97%E9%80%8F%E5%AD%A6%E4%B9%A0%EF%BC%88%E4%B8%80%EF%BC%89Windows%E8%AE%A4%E8%AF%81%E6%9C%BA%E5%88%B6/)

[(2) The Kerberos Protocol](https://ares-x.com/2020/03/17/%E5%9F%9F%E6%B8%97%E9%80%8F%E5%AD%A6%E4%B9%A0%EF%BC%88%E4%BA%8C%EF%BC%89Kerberos%E5%8D%8F%E8%AE%AE/)

[(3) Domain Information Gathering](https://ares-x.com/2020/03/18/%E5%9F%9F%E6%B8%97%E9%80%8F%E5%AD%A6%E4%B9%A0%EF%BC%88%E4%B8%89%EF%BC%89%E5%9F%9F%E5%86%85%E4%BF%A1%E6%81%AF%E6%90%9C%E9%9B%86/)

[(4) Dump Password & Hash](https://ares-x.com/2020/03/21/%E5%9F%9F%E6%B8%97%E9%80%8F%E5%AD%A6%E4%B9%A0%EF%BC%88%E5%9B%9B%EF%BC%89Dump-Password-Hash/)

[(5) IPC-Based Remote Connections](https://ares-x.com/2020/03/21/%E5%9F%9F%E6%B8%97%E9%80%8F%E5%AD%A6%E4%B9%A0%EF%BC%88%E4%BA%94%EF%BC%89%E5%9F%BA%E4%BA%8EIPC%E7%9A%84%E8%BF%9C%E7%A8%8B%E8%BF%9E%E6%8E%A5/)

[(6) PTH: Pass-the-Hash Attacks](https://ares-x.com/2020/03/21/%E5%9F%9F%E6%B8%97%E9%80%8F%E5%AD%A6%E4%B9%A0%EF%BC%88%E5%85%AD%EF%BC%89PTH-%E5%93%88%E5%B8%8C%E4%BC%A0%E9%80%92%E6%94%BB%E5%87%BB/)

[(7) PTT: Pass-the-Ticket Attacks](https://ares-x.com/2020/03/21/%E5%9F%9F%E6%B8%97%E9%80%8F%E5%AD%A6%E4%B9%A0%EF%BC%88%E4%B8%83%EF%BC%89PTT-%E7%A5%A8%E6%8D%AE%E4%BC%A0%E9%80%92%E6%94%BB%E5%87%BB/)

## CoolCat (Hands-on + Theory Analysis Series)

[2020-02-2 Windows Local Hashdump Cheat Sheet](https://thekingofduck.github.io/post/Dumping-Windows-Local-Credentials-Tools/)

[2020-02-28 Intranet Port Scanning with cscript](https://thekingofduck.github.io/post/scan-ports-by-cscript/)

[2020-03-02 Domain Penetration Study Notes 1: Setting Up a Domain Environment](https://thekingofduck.github.io/post/ADStudy-Part-1-AD-Install/)

[2020-03-02 Domain Penetration Study Notes 2: Dissecting the Windows Authentication Mechanism Net-NTLM](https://thekingofduck.github.io/post/ADStudy-Part-2-Net-NTLM-Study/)

[2020-03-04 Domain Penetration Study Notes 3: Attacking NTLM](https://thekingofduck.github.io/post/ADStudy-Part-3-Attack-NTLM/)

[2020-03-04 Domain Penetration Study Notes 4: Dissecting the Domain Authentication Mechanism Kerberos](https://thekingofduck.github.io/post/ADStudy-Part-4-Kerbroes-Study/)

[2020-03-04 Domain Penetration Study Notes 5: Attacking Kerberos](https://thekingofduck.github.io/post/ADStudy-Part-5-Attack-Kerbroes/)

## Thoroughly Understanding Windows Authentication (Theory Analysis Series)

<https://payloads.online/archivers/2018-11-30/1>

## Truly Professional (In-Depth Theory Series)

[windows-protocol](https://daiker.gitbook.io/windows-protocol/) - daikerSec \[Analysis of the protocols commonly seen in intranet penetration: Kerberos, NTLM, SMB, LDAP, NetBIOS]

[windows-access-control](https://rootclay.gitbook.io/windows-access-control/) - rootclay \[Windows access control]

[NTLM & SSP](https://rootclay.gitbook.io/ntlm/) - rootclay \[Intermediate to advanced NTLM]

[hackndo blog](https://en.hackndo.com/archives/) - Pixis \[Very detailed and thorough AD analysis]

## Pentesting\_Active\_directory (Mind Maps)

<https://github.com/Orange-Cyberdefense/ocd-mindmaps> \[Latest]

<https://github.com/zha0gongz1/Pentest_MindMap/tree/main/Pentesting%20Active%20Directory> \[Translation, relatively old]

## Active Directory Exploitation Cheat Sheets

{% embed url="<https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet>" %}

{% embed url="<https://github.com/RistBS/Awesome-RedTeam-Cheatsheet>" %}

{% embed url="<https://github.com/0range-x/Domain-penetration_one-stop>" %}

{% embed url="<https://github.com/JDArmy/DCSec>" %}

{% embed url="<https://github.com/vpxuser/Central-Management-System-Exploitation-Cheat-Sheet>" %}

## Game Of Active Directory v2

<https://mayfly277.github.io/posts/GOADv2/>
