n00py/Outpacket
A workflow cheat sheet that maps classic Impacket tools to their modern equivalents, showing which alternative command corresponds to each protocol operation.
Stars: 184 | Forks: 10
# 📦 Outpacket
## Table of Contents
- [Auth Quick Reference](#auth-quick-reference)
- [1. Remote Execution](#1-remote-execution)
  - [WMI Exec](#wmi-exec) · `wmiexec.py`
  - [DCOM Exec](#dcom-exec) · `dcomexec.py`
  - [Service-Based Exec](#service-based-exec-smbexec--psexec) · `smbexec.py` · `psexec.py`
  - [Scheduled Task Exec](#scheduled-task-exec) · `atexec.py`
  - [Bulk Execution](#bulk-remote-execution-across-hosts) · `wmiexec.py` · `psexec.py`
- [2. Kerberos](#2-kerberos)
  - [Request a TGT](#request-a-tgt) · `getTGT.py`
  - [Request a Service Ticket (TGS)](#request-a-service-ticket-tgs) · `getST.py`
  - [S4U2self / S4U2proxy](#s4u2self--s4u2proxy) · `getST.py -impersonate`
  - [Kerberoasting](#kerberoasting) · `GetUserSPNs.py`
  - [AS-REP Roasting](#as-rep-roasting) · `GetNPUsers.py`
  - [ccache Roasting](#ccache-roasting-offline)
  - [Pre-Auth / Enc-Type Probe](#pre-auth--enc-type-probe) · `GetNPUsers.py`
  - [PKINIT NT Hash Recovery](#pkinit-nt-hash-recovery-unpac)
  - [Ticket Renewal](#ticket-renewal) · `getST.py -renew`
  - [Ticket Format Conversion](#ticket-format-conversion) · `ticketConverter.py`
  - [Change Password](#change-password) · `changepasswd.py`
  - [Golden / Silver Ticket](#golden--silver-ticket) · `ticketer.py`
- [3. SMB / File Operations](#3-smb--file-operations)
  - [List Shares](#list-shares) · `smbclient.py -shares` · `asmbshareenum`
  - [Browse / List Files](#browse--list-files) · `smbclient.py` · `asmbclient`
  - [Download a File](#download-a-file) · `smbclient.py get` · `asmbgetfile`
  - [Download with Backup Semantics](#download-with-backup-semantics)
  - [Upload a File](#upload-a-file) · `smbclient.py put`
  - [Create / Remove Directories and Files](#create--remove-directories-and-files) · `smbclient.py`
  - [List Named Pipes](#list-named-pipes) · `smbclient.py`
  - [Pass-the-Hash — SMB](#pass-the-hash--smb) · `smbclient.py -hashes` · `asmbclient`
  - [SMB over SOCKS5](#smb-over-socks5) · `proxychains smbclient.py` · `asmbclient`
  - [Enumerate Open Files / Sessions](#enumerate-open-files--sessions) · `netview.py` · `asmbclient`
  - [Remote File Timestomping](#remote-file-timestomping)
  - [VSS Snapshot Enumeration](#vss-snapshot-enumeration) · `smbclient.py list_snapshots`
  - [NTFS Alternate Data Stream (ADS) Enumeration](#ntfs-alternate-data-stream-ads-enumeration)
  - [Server NIC Enumeration](#server-nic-enumeration)
  - [Bulk Share Enumeration](#bulk-share-enumeration) · `smbclient.py` · `asmbscanner`
- [4. Credential Dumping](#4-credential-dumping)
  - [LSASS Minidump Parsing](#lsass-minidump-parsing-offline)
  - [Dump SAM Hashes](#dump-sam-hashes) · `secretsdump.py -sam`
  - [Dump LSA Secrets](#dump-lsa-secrets) · `secretsdump.py -lsa`
  - [Dump SAM + LSA Together](#dump-sam--lsa-together) · `secretsdump.py`
  - [Bulk SAM / LSA Dump](#bulk-sam--lsa-dump-across-hosts) · `secretsdump.py`
  - [NTDS Dump via VSS Snapshot](#ntds-dump-via-vss-snapshot) · `secretsdump.py -use-vss`
  - [NTDS Dump via IFM](#ntds-dump-via-ifm-ntdsutil) · `wmiexec.py` · `smbclient.py`
  - [NTDS Dump via wbadmin](#ntds-dump-via-wbadmin-windows-server-backup) · `wmiexec.py`
  - [NTDS Dump via Diskshadow](#ntds-dump-via-diskshadow) · `wmiexec.py` · `smbclient.py`
  - [NTDS Dump via Kerb-Key-List](#ntds-dump-via-kerb-key-list-rodc) · `secretsdump.py -use-keylist`
  - [NTDS Offline Parsing](#ntds-offline-parsing) · `secretsdump.py`
  - [DCSync](#dcsync) · `secretsdump.py -just-dc-ntlm`
- [5. Enumeration](#5-enumeration)
  - [Enumerate Domain Users (SAMR)](#enumerate-domain-users-samr) · `samrdump.py` · `net.py`
  - [Enumerate Groups / Local Aliases](#enumerate-groups--local-aliases) · `net.py group` · `net.py localgroup`
  - [SID Brute Force / Lookup](#sid-brute-force--lookup) · `lookupsid.py`
  - [Enumerate RPC Endpoints](#enumerate-rpc-endpoints) · `rpcdump.py` · `rpcmap.py`
  - [Query WMI](#query-wmi) · `wmiquery.py`
  - [WMI Method Invocation](#wmi-method-invocation) · `wmiexec.py`
  - [Remote Registry Operations](#remote-registry-operations) · `reg.py`
  - [Registry Key Security Descriptor](#registry-key-security-descriptor)
  - [Service Enumeration](#service-enumeration) · `services.py`
  - [LSA Privilege Management](#lsa-privilege-management)
  - [LSA Privilege and Account Enumeration](#lsa-privilege-and-account-enumeration)
- [6. Active Directory / LDAP](#6-active-directory--ldap)
  - [Enumerate AD Users / Computers](#enumerate-ad-users--computers) · `GetADUsers.py` · `GetADComputers.py`
  - [GPO and Domain Trust Enumeration](#gpo-and-domain-trust-enumeration) · `ldapsearch` · `bloodyAD`
  - [Find Delegation Configurations](#find-delegation-configurations) · `findDelegation.py`
  - [Add a Computer Account](#add-a-computer-account) · `addcomputer.py`
  - [Add a User Account](#add-a-user-account) · `net.py user -add`
  - [Set RBCD](#set-rbcd) · `rbcd.py`
  - [DACL Abuse](#dacl-abuse) · `dacledit.py` · `owneredit.py`
  - [User Attribute Modification (UAC)](#user-attribute-modification-uac-bitflags) · `net.py`
- [7. Auth Coercion](#7-auth-coercion) · `printerbug.py` · `dfscoerce.py`
  - [Coerce + Relay Pattern](#coerce--relay-pattern) · `ntlmrelayx.py` · `smbserver.py` (capture)
- [8. Certificates](#8-certificates)
  - [Self-Signed PFX Generation](#self-signed-pfx-generation)
  - [ADCS Template Enumeration](#adcs-certificate-template-enumeration) · `netexec ldap -M adcs`
  - [ADCS ESC1](#adcs-esc1--enroll-and-recover-nt-hash) · `asmbcertreq`
- [9. Exotic Credential Harvest](#9-exotic-credential-harvest)
  - [certsync — Golden Cert + UnPAC the Hash](#certsync--golden-cert--unpac-the-hash)
  - [DPAPI Domain Backup Key — Mass Credential Decryption](#dpapi-domain-backup-key--mass-credential-decryption)