Agent SkillsUnclecheng-li/VulnClaw › intranet-pentest-advanced

intranet-pentest-advanced

GitHub

适用于内网渗透高级阶段,涵盖横向移动、凭据窃取、提权、持久化及AD/ADCS攻击。需先获立足点,通过信息收集、权限提升和隧道代理深入内网,利用Playbook指导专项操作。

vulnclaw/skills/specialized/intranet-pentest-advanced/SKILL.md Unclecheng-li/VulnClaw

Trigger Scenarios

已获得内网初始访问权限 需要进行域环境渗透测试 需要执行横向移动或特权提升 涉及Active Directory或ADCS攻击场景

Install

npx skills add Unclecheng-li/VulnClaw --skill intranet-pentest-advanced -g -y
More Options

Non-standard path

npx skills add https://github.com/Unclecheng-li/VulnClaw/tree/main/vulnclaw/skills/specialized/intranet-pentest-advanced -g -y

Use without installing

npx skills use Unclecheng-li/VulnClaw@intranet-pentest-advanced

指定 Agent (Claude Code)

npx skills add Unclecheng-li/VulnClaw --skill intranet-pentest-advanced -a claude-code -g -y

安装 repo 全部 skill

npx skills add Unclecheng-li/VulnClaw --all -g -y

预览 repo 内 skill

npx skills add Unclecheng-li/VulnClaw --list

SKILL.md

Frontmatter
{
    "name": "intranet-pentest-advanced",
    "description": "内网渗透高级 — 横向移动、凭据窃取、提权、持久化、隧道代理、AD攻击、ADCS滥用、Exchange\/SharePoint攻击"
}

内网渗透高级 Skill

当任务从互联网评估转入主机、域或内网操作时使用本 Skill。需要已获得初始访问权限或立足点。

前置条件:如果尚未获得初始访问,先完成外网渗透获取立足点。

场景路由

目标类型 首选参考
横向移动(PsExec/WMI/WinRM/DCOM/SSH/RDP/PTH/PTT) references/intranet-playbook-01-lateral-movement.md
规避与反检测(AMSI绕过/ETW/注入/伪装/签名二进制滥用) references/intranet-playbook-02-evasion-and-anti-detection.md
凭据窃取(Mimikatz/Kerberoasting/DCSync/浏览器Vault) references/intranet-playbook-03-credential-theft.md
提权与持久化(Token/Service/Potato/Cron/Registry/WMI) references/intranet-playbook-04-privilege-escalation.md + 05-persistence.md
隧道与代理(FRP/Chisel/Ligolo/SOCKS/SSH/DNS/ICMP) references/intranet-playbook-06-tunneling-and-proxy.md
信息收集 references/intranet-playbook-07-information-gathering.md
AD 攻击(BloodHound/AS-REP/Kerberoasting/Golden/Silver) references/intranet-playbook-08-active-directory-attacks.md
ADCS 攻击(ESC1-8/Certipy/Certreq) references/intranet-playbook-09-adcs-attacks.md
Exchange 攻击 references/intranet-playbook-10-exchange-attacks.md
SharePoint 攻击 references/intranet-playbook-11-sharepoint-attacks.md

测试流程

1. 信息收集

  • 内网拓扑、网段、主机发现
  • 域信息、信任关系
  • 服务识别与漏洞探测

2. 凭据获取

  • Mimikatz 抓取内存凭据
  • Kerberoating / AS-REP Roasting
  • 浏览器/密码管理器凭据提取
  • DCSync(需域管权限)

3. 横向移动

  • Pass-the-Hash / Pass-the-Ticket
  • PsExec / WMI / WinRM / DCOM
  • SSH / RDP 横向

4. 权限提升

  • Token 篡改 / 服务滥用
  • Potato 家族
  • 域提权(GPO/ACL滥用)

5. 持久化

  • 计划任务 / WMI 事件订阅
  • 注册表 / 启动项 / 服务
  • 黄金票据 / 白银票据

6. 隧道与代理

  • SOCKS 代理 / SSH 转发
  • FRP / Chisel / Ligolo
  • DNS / ICMP 隧道

7. AD/ADCS 专项

  • BloodHound 路径分析
  • ADCS 证书模板滥用
  • Exchange/SharePoint 攻击链

参考文档

  • references/06-intranet-and-host-operations-integrated.md — 内网操作整合参考
  • references/intranet-playbook-01~11-*.md — 各专项 Playbook(11 个)
  • references/intranet-pentest-playbook-skill.md — Playbook 入口

Version History

  • 47fd4a0 Current 2026-07-05 09:19

Same Skill Collection

vulnclaw/skills/specialized/ai-mcp-security/SKILL.md
vulnclaw/skills/specialized/client-reverse/SKILL.md
vulnclaw/skills/specialized/crypto-toolkit/SKILL.md
vulnclaw/skills/specialized/ctf-crypto/SKILL.md
vulnclaw/skills/specialized/ctf-misc/SKILL.md
vulnclaw/skills/specialized/ctf-web/SKILL.md
vulnclaw/skills/specialized/osint-recon/SKILL.md
vulnclaw/skills/specialized/pentest-tools/SKILL.md
vulnclaw/skills/specialized/rapid-checklist/SKILL.md
vulnclaw/skills/specialized/web-pentest/SKILL.md
vulnclaw/skills/specialized/web-security-advanced/SKILL.md
vulnclaw/skills/specialized/android-pentest/SKILL.md
vulnclaw/skills/specialized/secknowledge-skill/SKILL.md

Metadata

Files
0
Version
47fd4a0
Hash
8c155afb
Indexed
2026-07-05 09:19

Accueil - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 21:32
浙ICP备14020137号-1 $Carte des visiteurs$