Agent Skills
› Unclecheng-li/VulnClaw
› intranet-pentest-advanced
intranet-pentest-advanced
GitHub用于内网渗透测试,涵盖横向移动、凭据窃取、提权、持久化及AD/ADCS攻击。需已获初始访问权限,提供场景路由与标准化测试流程,指导从信息收集到隧道代理的完整操作。
触发场景
内网渗透测试
横向移动
域环境攻击
权限提升
持久化维持
安装
npx skills add Unclecheng-li/VulnClaw --skill intranet-pentest-advanced -g -y
SKILL.md
Frontmatter
{
"name": "intranet-pentest-advanced",
"routing": {
"phases": [
"post_exploitation",
"exploitation"
],
"tooling": [
"bloodhound",
"impacket",
"crackmapexec",
"mimikatz",
"chisel",
"ligolo",
"frp"
],
"protocols": [
"smb",
"ldap",
"kerberos",
"rdp"
],
"task_types": [
"pentest"
],
"target_types": [
"intranet",
"network",
"host"
],
"vulnerability_classes": [
"lateral_movement",
"privilege_escalation",
"credential_theft"
]
},
"description": "内网渗透高级 — 横向移动、凭据窃取、提权、持久化、隧道代理、AD攻击、ADCS滥用、Exchange\/SharePoint攻击"
}
内网渗透高级 Skill
当任务从互联网评估转入主机、域或内网操作时使用本 Skill。需要已获得初始访问权限或立足点。
前置条件:如果尚未获得初始访问,先完成外网渗透获取立足点。
场景路由
| 目标类型 | 首选参考 |
|---|---|
| 横向移动(PsExec/WMI/WinRM/DCOM/SSH/RDP/PTH/PTT) | references/intranet-playbook-01-lateral-movement.md |
| 规避与反检测(AMSI绕过/ETW/注入/伪装/签名二进制滥用) | references/intranet-playbook-02-evasion-and-anti-detection.md |
| 凭据窃取(Mimikatz/Kerberoasting/DCSync/浏览器Vault) | references/intranet-playbook-03-credential-theft.md |
| 提权与持久化(Token/Service/Potato/Cron/Registry/WMI) | references/intranet-playbook-04-privilege-escalation.md + 05-persistence.md |
| 隧道与代理(FRP/Chisel/Ligolo/SOCKS/SSH/DNS/ICMP) | references/intranet-playbook-06-tunneling-and-proxy.md |
| 信息收集 | references/intranet-playbook-07-information-gathering.md |
| AD 攻击(BloodHound/AS-REP/Kerberoasting/Golden/Silver) | references/intranet-playbook-08-active-directory-attacks.md |
| ADCS 攻击(ESC1-8/Certipy/Certreq) | references/intranet-playbook-09-adcs-attacks.md |
| Exchange 攻击 | references/intranet-playbook-10-exchange-attacks.md |
| SharePoint 攻击 | references/intranet-playbook-11-sharepoint-attacks.md |
测试流程
1. 信息收集
- 内网拓扑、网段、主机发现
- 域信息、信任关系
- 服务识别与漏洞探测
2. 凭据获取
- Mimikatz 抓取内存凭据
- Kerberoating / AS-REP Roasting
- 浏览器/密码管理器凭据提取
- DCSync(需域管权限)
3. 横向移动
- Pass-the-Hash / Pass-the-Ticket
- PsExec / WMI / WinRM / DCOM
- SSH / RDP 横向
4. 权限提升
- Token 篡改 / 服务滥用
- Potato 家族
- 域提权(GPO/ACL滥用)
5. 持久化
- 计划任务 / WMI 事件订阅
- 注册表 / 启动项 / 服务
- 黄金票据 / 白银票据
6. 隧道与代理
- SOCKS 代理 / SSH 转发
- FRP / Chisel / Ligolo
- DNS / ICMP 隧道
7. AD/ADCS 专项
- BloodHound 路径分析
- ADCS 证书模板滥用
- Exchange/SharePoint 攻击链
参考文档
references/06-intranet-and-host-operations-integrated.md— 内网操作整合参考references/intranet-playbook-01~11-*.md— 各专项 Playbook(11 个)references/intranet-pentest-playbook-skill.md— Playbook 入口
版本历史
- fcad047 当前 2026-07-11 17:52
- 47fd4a0 2026-07-05 09:19


