Penetration Testing Common Methods

1. Penetration process

  1. Information gathering

  2. Vulnerability verification / vulnerability exploitation

  3. Privilege escalation and persistence

  4. Log cleaning

Information gathering

Generally, port scanning and vulnerability scanning are run first to obtain exploitable vulnerabilities. Make heavy use of search engines as well.

Port scanning

With authorization, use port scanning tools such as nmap and masscan directly, or write Python scripts, to obtain the open ports and the server-side banner information. Introduction to port scanning with Python: https://thief.one/2018/05/17/1/?hmsr=toutiao.io&utm_medium=toutiao.io&utm_source=toutiao.io A PowerShell-based port scanning script for Windows:

https://github.com/BornToBeRoot/PowerShell_IPv4PortScanner/tree/master/Scripts

Vulnerability scanning

Use vulnerability scanners such as the Polar Bear scanner, Nessus, and AWVS to scan the target directly; they show the live hosts and each host's vulnerabilities.

2. Vulnerability exploitation

If only port scanning was used to find open ports, then after obtaining the banner information you need to find the corresponding CVE in a vulnerability database (Seebug, ExploitDB) and verify whether the vulnerability exists. Security inspections generally try to find as many vulnerabilities as possible and evaluate and repair their risks; an intrusion focuses only on high-risk, directly exploitable remote code execution and sensitive information disclosure vulnerabilities. For vulnerability verification, find the PoC and exploit for the corresponding CVE number: check the exploit code on ExploitDB or Seebug, or search GitHub for related verification or exploitation tools.

2.1 Web application

Look directly for vulnerabilities such as injection, file upload, code execution, file inclusion, and cross-site scripting. Generally, AWVS can be used to scan for the common vulnerabilities directly.

2.1.2 Web middleware

(1) Tomcat

Tomcat is a sub-project of the Apache Jakarta software organization. Tomcat is a JSP/Servlet container, a standard implementation of the JSP and Servlet specifications developed on the basis of Sun's JSWDK (JavaServer Web Development Kit). Using Tomcat you can work with the latest JSP and Servlet specifications.

  • Port number: 8080

  • Attack method:

  • Default passwords, weak passwords, brute forcing. Tomcat 5 has two roles by default, tomcat and role1; the accounts both, tomcat, and role1 all have the default password tomcat. Weak passwords generally exist in versions below 5.

  • Deploying a WAR backdoor through the management console

  • Remote Code Execution Vulnerabilities

  • reference:
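As an added example (not part of the original post or of Tomcat itself), the following Python audits a tomcat-users.xml for the default accounts named above, password-equals-username entries, short passwords, and accounts that hold deploy-capable Manager roles. The sample XML and the 12-character minimum are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Default accounts shipped by old Tomcat releases, as listed in the text above
# (the accounts tomcat, both and role1 all use the password "tomcat").
DEFAULT_CREDENTIALS = {("tomcat", "tomcat"), ("both", "tomcat"), ("role1", "tomcat")}

# Manager/Host Manager roles: any account holding one of these can deploy
# applications, which is the "WAR backdoor" path described above.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}

# Constructed sample tomcat-users.xml (not taken from any real server).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="deployer" password="deployer" roles="manager-gui,manager-script"/>
  <user username="ops" password="Xk7#pL2qv9!mR4wZ" roles="manager-gui"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip the XML namespace prefix ("{uri}user" -> "user")."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, min_length=12):
    """Map each risky account name to the list of findings for it.

    Assumes passwords are stored in plaintext (the default); digested
    passwords are far longer than min_length and are simply not flagged.
    """
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local_name(elem.tag) != "user":
            continue
        # Old configurations use name= instead of username=; Tomcat accepts both.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        problems = []
        if (name, password) in DEFAULT_CREDENTIALS:
            problems.append("default credential")
        elif password.lower() == name.lower():
            problems.append("password equals username")
        elif len(password) < min_length:
            problems.append("password shorter than %d characters" % min_length)
        deploy_roles = sorted(roles & DEPLOY_ROLES)
        if deploy_roles:
            # Not a defect by itself, but every such account deserves review.
            problems.append("can deploy applications via " + ",".join(deploy_roles))
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for account, problems in audit_tomcat_users(SAMPLE_TOMCAT_USERS).items():
        print("%-10s %s" % (account, "; ".join(problems)))
```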

(2) Jboss

JBoss is a J2EE application server that runs EJBs. It is an open source project that follows the latest J2EE specification. Since the start of the project, JBoss has grown from an EJB container into a J2EE-based web operating system (an operating system for the web), embodying the latest technology in the J2EE specification.

  • Port: 8080

  • Attack method:

  • Weak passwords, brute forcing

  • Deploying a WAR backdoor through the management console

  • Deserialization

  • Remote code execution

  • reference:

(3)WebLogic

WebLogic is an application server produced by Oracle Corporation; more precisely, it is middleware based on the Java EE architecture. WebLogic is a Java application server for developing, integrating, deploying and managing large-scale distributed web applications, network applications and database applications. It brings the dynamic features of Java and the security of the Java Enterprise standard into the development, integration, deployment and management of large-scale network applications.

  • Port: 7001, 7002

  • Attack method:

  • Weak passwords, brute forcing; the weak password is usually weblogic/Oracle@123 or weblogic

  • Deploying a WAR backdoor through the management console

  • SSRF

  • Deserialization Vulnerabilities

  • weblogic_uac

  • reference:

(4) WebSphere

A set of typical e-commerce application development tools and runtime environment from IBM Corporation.

  • Port: default port 908*; the first application uses 9080, the second 9081; the console uses 9090

  • Attack method:

  • Console login brute forcing

  • Many intranet WebSphere consoles have weak or default passwords; credentials such as admin/admin and websphere/websphere can be used to log in. After logging in to the console with such a password, a WAR package can be deployed to obtain a webshell.

  • Deserialization

  • Arbitrary file disclosure

  • reference:

(5) Glassfish

2.1.3 Web framework

(1) Struts2

Struts2 is an elegant, extensible framework for creating enterprise-ready Java web applications. It has had many vulnerabilities, and every time a major one is disclosed, exposed installations are swept up en masse.

  • Exploitable Vulnerabilities

  • S2-046 CVE-2017-5638 Struts 2.3.5-2.3.31,Struts 2.5-2.5.10

  • S2-045 CVE-2017-5638 Struts 2.3.5-2.3.31,Struts 2.5-2.5.10

  • S2-037 CVE-2016-4438 Struts 2.3.20-2.3.28.1

  • S2-032 CVE-2016-3081 Struts 2.3.18-2.3.28

  • S2-020 CVE-2014-0094 Struts 2.0.0-2.3.16

  • S2-019 CVE-2013-4316 Struts 2.0.0-2.3.15.1

  • S2-016 CVE-2013-2251 Struts 2.0.0-2.3.15

  • S2-013 CVE-2013-1966 Struts 2.0.0-2.3.14

  • S2-009 CVE-2011-3923 Struts 2.0.0-2.3.1.1

  • S2-005 CVE-2010-1870 Struts 2.0.0-2.1.8.1

  • reference:

(2) Spring Framework

Spring Framework is an open source Java/Java EE full-stack application framework released under the Apache License 2.0; a port to the .NET platform also exists. Spring Framework provides a simple development model that avoids the large numbers of property files and helper classes that can make underlying code complicated and confusing.

  • Exploitable Vulnerabilities

  • CVE-2010-1622

  • CVE-2018-1274

  • CVE-2018-1270

  • CVE-2018-1273

  • deserialization

  • directory traversal

  • reference

2.1.4 Web server

  • IIS : WWW Server for Windows

  • Port: 80

  • Attack method:

  • With WebDAV enabled, IIS allows files to be written to the server directly via PUT

  • Short Filename Enumeration Vulnerability

  • remote code execution

  • privilege escalation vulnerability

  • Parsing vulnerabilities

  • reference:

  • Apache

  • Port: 80

  • Attack method:

  • Parsing vulnerabilities

  • Directory traversal

  • Nginx

  • Port: 80

  • Attack method:

  • Parsing vulnerabilities

  • directory traversal

  • CVE-2016-1247: requires a foothold on the host first; the attacker can replace the log file with a symbolic link to an arbitrary file, achieving privilege escalation to root on the server.

  • reference:

  • lighttpd

  • Port: 80

  • Attack method:

  • directory traversal

2.2 Common operation and maintenance systems

Generally, these divide into automated-deployment tools and operations-monitoring tools. Vulnerabilities can be found through search engines, GitHub searches, ExploitDB searches, and the security notices on the official websites. A common problem with general-purpose applications on the intranet is weak passwords: if one administrator can log in to several systems, the accounts and passwords for those systems are basically the same.

2.2.1 Gitlab

GitLab is an open source application developed with Ruby on Rails that implements a self-hosted repository server, accessible through a web interface, for public or private projects.

  • Exploitable Vulnerabilities:

  • Arbitrary file read vulnerability

  • Unexpected user token disclosure vulnerability

  • command execution vulnerability

  • reference:

2.2.2 Jenkins

Jenkins is a cross-platform continuous integration and delivery application that facilitates the continuous, stable delivery of new software versions and improves work efficiency. As a DevOps tool it also makes it easier for developers to incorporate changes into a project and to use a wide range of testing and deployment techniques.

  • Exploitable Vulnerabilities:

  • Remote Code Execution Vulnerabilities

  • Deserialization Vulnerabilities

  • Unauthorized Access Vulnerability

  • Brute forcing the login page

  • reference

2.2.3 Puppet

Puppet Enterprise specializes in managing infrastructure as code (IAC), a type of IT infrastructure provisioning process in which systems are built, managed and configured automatically using code rather than scripted processes. Since it's code, the whole process is easily repeatable. Puppet facilitates easier version control, automated testing, and continuous delivery for faster response to issues or bugs.

  • Exploitable vulnerabilities (few public PoCs)

  • deserialization

  • remote command execution

2.2.4 Ansible

Ansible is a configuration-management tool for client-oriented software deployment and configuration that supports Unix, Linux and Windows. It uses JSON and YAML rather than IAC, and requires no agent on the nodes at all. It is available on in-house systems via OpenStack as well as on Amazon EC2.

  • Exploitable Vulnerabilities

  • remote code execution

2.2.5 Nagios

Nagios is an open source computer system and network monitoring tool that can effectively monitor the status of Windows, Linux and Unix hosts, network equipment such as switches and routers, printers, and so on. When a system or service status becomes abnormal, an email or SMS alert is sent immediately to the website operations personnel, and a normal email or SMS notification is sent once the status is restored.

  • Exploitable Vulnerabilities

  • code execution

  • SQLi

  • reference

2.2.6 Zabbix

Zabbix is a powerful open source distributed monitoring system that can display data provided by SNMP, JMX, and the Zabbix Agent through a web GUI.

  • Vulnerabilities that can be exploited (refer to ExploitDB for details):

  • remote code execution

  • SQLi

  • shell command injection

  • authentication bypass

  • Default account and password: admin/zabbix, or guest with an empty password

  • reference

2.2.7 Cacti

Cacti is a set of graphical analysis tools for network traffic monitoring developed based on PHP, MySQL, SNMP and RRDTool.

  • Exploitable Vulnerabilities

  • arbitrary code execution

  • SQLi

  • Login brute forcing

  • Default password admin/admin

  • reference:

2.2.8 Splunk

Splunk Enterprise can monitor and analyze machine data from any source to provide operational intelligence to optimize your IT, security and business performance. With intuitive analytics, machine learning, packaged applications, and open APIs, Splunk Enterprise is a flexible platform that scales from focused use cases to an enterprise-wide analytics backbone.

  • Exploitable Vulnerabilities

  • information leakage

  • command injection

  • server request forgery

  • reference

  • ExploitDB Search

2.3 Common Web Applications

There are also common mail applications and CMS applications; search for the corresponding vulnerabilities on search engines and attack using the known vulnerabilities.

2.3.1 Mail system

Some organizations use Tencent Enterprise Mailbox or Alibaba Enterprise Mailbox, which rarely have exploitable vulnerabilities. The other kind is a mail system that can be deployed independently; the ones commonly used for government and enterprise mailboxes are:

  • Coremail

  • billion mail

  • 35 Internet

  • TurboMail

  • Exchange

  • IBM Lotus

2.3.2 CMS application

2.4 Database/Cache/Message Service

2.4.1 MySQL database

  • Default port: 3306

  • Attack method:

  • Brute forcing: weak passwords

  • Authentication Vulnerability: CVE-2012-2122

  • denial of service attack

  • phpMyAdmin universal password bypass: username 'localhost'@'@", any password

  • Privilege escalation

  • reference:

2.4.2 MSSQL database

  • Default ports: 1433 (SQL Server database service), 1434 (monitoring service)

  • Attack method:

  • Brute forcing: weak passwords / using the system user

  • injection

  • reference:

2.4.3 Oracle database

  • Default ports: 1521 (database port), 1158 (Oracle EMCTL port), 8080 (Oracle XDB database), 210 (Oracle XDB FTP service)

  • Attack method:

  • Brute forcing: weak passwords

  • Injection attack

  • Exploitation

  • reference:

2.4.4 PostgreSQL database

PostgreSQL is a fully featured free-software object-relational database management system, arguably the most advanced and powerful free DBMS in the world; msf in the Kali system also uses this database. As for attack techniques against PostgreSQL, most attacks on it are still SQL injection, so injection remains the constant topic for databases.

  • Default port: 5432

  • Attack method:

  • Brute forcing: weak password postgres/postgres

  • Buffer overflow: CVE-2014-2669

  • reference:

2.4.5 MongoDB database

MongoDB is a NoSQL database; the attack methods are similar to those for other databases.

  • Default port: 27017

  • Attack method:

  • Brute forcing: weak passwords

  • Unauthorized access (attack code is available on GitHub)

  • reference:

2.4.6 Redis database

Redis is an open-source, log-structured key-value database written in C that supports networking and can be memory-based or persistent. This database has become very popular in the past two years, and many problems have been exposed, especially the unauthorized access issue disclosed some time ago.

  • Attack method:

  • Brute forcing: weak passwords

  • Unauthorized access, then escalation via an SSH key

  • reference:

2.4.7 Sybase database

  • Default port: service port 5000; listening port 4100; backup port: 4200

  • Attack method:

  • Brute forcing: weak passwords

  • Command injection

  • reference

2.4.8 DB2 database

  • Default port: 5000

  • Attack method:

  • Security restriction bypass: on success, unauthorized actions can be performed (CVE-2015-1922)

  • reference:

2.5 Common services/protocols

2.5.1 FTP service

FTP service: FTP services fall into two cases. The first is configured with system software, such as FTP file sharing in IIS or the default service software on Linux; the second is configured with third-party software, such as Serv-U, and there are also some simple FTP servers written and posted on the Internet. Default ports: 20 (data port); 21 (control port); 69 (TFTP, Trivial File Transfer Protocol)

  • Attack method:

  • Brute forcing: there are many brute-forcing tools for FTP; I recommend OWASP Bruter and the FTP brute-force module in msf

  • Anonymous access: username anonymous, password empty or any email address

  • Sniffing: FTP transmits in plaintext (but sniffing is limited to the LAN and requires spoofing or listening on the gateway)

  • vsftpd backdoor

  • Remote overflow

  • FTP bounce attack

2.5.2 NFS service

NFS (Network File System) is a network file system and one of the file systems supported by FreeBSD. It allows computers on a network to share resources over TCP/IP. With NFS, a local NFS client can transparently read and write files located on a remote NFS server, just as if they were local files. Today NFS has protections against exported folders being abused, but if the NFS service on a legacy system is misconfigured, it may still be exploited by attackers.

  • attack method

  • unauthorized access

  • reference

2.5.3 Samba service

Samba is free software that implements the SMB/CIFS protocol on Linux and Unix systems, consisting of server and client programs. SMB is a communication protocol for sharing files and printers on a local area network, providing file and printer sharing between different computers on the LAN.

  • attack method

  • remote code execution

  • weak password

  • Unauthorized access (public)

  • reference

2.5.4 SSH service

SSH is a protocol, and the OpenSSH software is usually used to implement it. SSH stands for Secure Shell and was developed by the IETF Network Working Group; it is a security protocol built on the application and transport layers. SSH is currently the most reliable protocol designed to secure remote login sessions and other network services, and using it effectively prevents information leakage during remote administration.

  • port: 22

  • Attack method:

  • Brute forcing

  • Backdoor

  • Vulnerabilities: the 28-backspace vulnerability, OpenSSL vulnerabilities

  • reference

2.5.5 Telnet service

The Telnet protocol is a member of the TCP/IP protocol family and is the standard protocol and main method of remote login on the Internet. It lets users work on a remote host from their local computer. The end user runs the telnet program on their computer to connect to the server, enters commands in the telnet program, and these commands run on the server as if they had been typed directly on the server console, so the server can be controlled from the local machine.

  • Default port: 21

  • Attack method:

  • Brute forcing

  • Sniffing

2.5.6 Windows remote connection

  • Default port: 3389

  • attack method

  • Brute forcing

  • Sticky keys backdoor (pressing Shift five times)

  • Use ms12-020 to attack port 3389

2.5.7 VNC service

VNC (Virtual Network Computing) is screen-sharing and remote-control software that uses the RFB protocol. It can send keyboard and mouse actions and the real-time screen image over the network.

  • Default port: 5900 + desktop ID (5901; 5902)

  • Attack method:

  • Brute forcing: weak passwords

  • Authentication password bypass:

  • Denial of service attack: (CVE-2015-5239)

  • Privilege Escalation: (CVE-2013-6886)

2.5.8 SMTP protocol

SMTP: the mail protocol. This service is enabled by default on Linux, and it can be used to send phishing emails to the target.

  • Default port: 25 (smtp), 465 (smtps)

  • Attack method:

  • Brute forcing: weak passwords

  • unauthorized access

2.5.9 POP3 protocol

  • Default port: 109 (POP2), 110 (POP3), 995 (POP3S)

  • Attack method:

  • Brute forcing: weak passwords

  • Unauthorized access

2.5.10 DNS Service

  • Default port: 53

  • Attack method:

  • zone transfer vulnerability

2.5.11 IMAP protocol

  • Default port: 143 (imap), 993 (imaps)

  • Attack method:

  • Brute forcing: weak passwords

  • improper configuration

2.5.12 SNMP protocol

  • Default port: 161

  • Attack method:

  • Brute forcing: weak passwords

2.5.13 DHCP service

  • Default ports: 67 and 68; 546 (DHCP Failover, for dual-system hot standby)

  • Attack method:

  • DHCP hijacking;

2.6 Cloud environment

2.6.1 VMware

VMware vCloud pools virtual infrastructure resources within existing data centers and delivers them as catalog-based services. Used together with VMware vSphere, the leading platform for cloud computing infrastructure, VMware vCloud Director lets customers build secure private clouds, transforming how IT departments deliver and manage infrastructure services and how users access and consume them. In ordinary organizations there are many private clouds in the form of independently installed ESXi hosts or independently deployed virtualization systems.

  • Ports (many):

  • Vulnerabilities

  • Host escape

  • CVE-2017-5638

  • reference:

2.6.2 OpenStack

OpenStack is Infrastructure as a Service (IaaS) software that enables anyone to create and provide cloud computing services on their own. OpenStack is also used to create a private cloud inside the firewall, providing resources shared by the various departments within an organization or enterprise.

  • Vulnerabilities exist, but public PoCs are basically absent; check against secure configuration practices instead.

  • Permission Bypass Vulnerability

  • information leakage

  • Code Execution Vulnerabilities

  • reference:

2.6.3 Docker

Docker is an open source software project that automates the deployment of applications inside software containers, providing an additional abstraction layer and automatic management for operating-system-level virtualization on Linux [1]. Docker uses the resource isolation mechanisms of the Linux kernel, such as cgroups and kernel namespaces, to create independent containers that run on a single Linux instance, avoiding the overhead of booting a virtual machine. Kernel namespace support completely isolates an application's view of its working environment, including process trees, network, user IDs and mounted file systems, while cgroups provide resource isolation for CPU, memory, block I/O and network. Starting with version 0.9, Docker includes the libcontainer library so that it can use the virtualization facilities of the Linux kernel directly, in addition to the abstract virtualization interfaces provided by libvirt, LXC and systemd-nspawn.

  • Security issues (few vulnerabilities have PoCs; security checks rely on best practices and the official security recommendations):

  • CVE-2015-3630 1.6.0 Docker Libcontainer Security Bypass Vulnerability

  • CVE-2015-3627 1.6.1 Libcontainer and Docker Engine permissions and access control vulnerabilities

  • CVE-2015-3630 1.6.1 Docker Engine Security Bypass Vulnerability

  • CVE-2014-9358 1.3.3 Docker directory traversal vulnerability

  • CVE-2014-9357 1.3.2 Docker permission and access control vulnerability

  • CVE-2014-6408 1.3.1 Docker permission and access control vulnerability

  • CVE-2014-5277 1.3.0 Docker and docker-py code injection vulnerability

  • Kernel exploits: containers are kernel-level virtualization, so the host and all containers on it share one kernel. If something a container does crashes the kernel, every container on the machine is affected.

  • Denial-of-service attacks: all containers share kernel resources. If one container monopolizes a resource (memory, CPU, the various ID spaces), the other containers may stop working for lack of resources, forming a DoS.

  • Container breakouts: Linux namespaces are one of the cores of a container; a process can have PID 1 inside the container while having a different PID outside it (for example 1234). The problem is that if such a process breaks out of the namespace restrictions, it gains root privileges on the host.

  • Poisoned images: this mainly concerns the security of the image itself; there is not much to say.

  • reference:
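As an added example (not from the original post or the Docker project), the following Python audits docker inspect output for the breakout and shared-kernel DoS conditions listed above: privileged mode, added capabilities, host PID namespace, missing no-new-privileges, root user, sensitive host mounts, and missing memory/CPU/PID limits. The two container records are constructed.

```python
import json

# Constructed `docker inspect` output for two containers (not from a real host);
# only the fields the audit reads are included.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/build-agent",
        "Config": {"Image": "example/build-agent:latest", "User": ""},
        "HostConfig": {
            "Privileged": True,
            "PidMode": "",
            "CapAdd": ["SYS_ADMIN"],
            "SecurityOpt": None,
            "Memory": 0,
            "NanoCpus": 0,
            "PidsLimit": None,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/cache:/cache"],
        },
    },
    {
        "Name": "/web",
        "Config": {"Image": "example/web:1.4", "User": "10001:10001"},
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "CapAdd": None,
            "SecurityOpt": ["no-new-privileges"],
            "Memory": 536870912,
            "NanoCpus": 1000000000,
            "PidsLimit": 256,
            "Binds": None,
        },
    },
])

# Host paths that hand a container control over the host if mounted.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/etc", "/proc", "/sys", "/dev"}


def _has_no_new_privileges(security_opt):
    # Docker records the option as "no-new-privileges" or "no-new-privileges:true".
    return any(o.split(":", 1)[0] == "no-new-privileges" for o in security_opt or [])


def audit_container(entry):
    """Return the list of breakout / resource-sharing issues for one container."""
    hc = entry.get("HostConfig", {})
    cfg = entry.get("Config", {})
    issues = []
    # Breakout surface: privileged mode, extra capabilities, host namespaces and
    # sensitive mounts turn "PID 1 inside the container" into power over the host.
    if hc.get("Privileged"):
        issues.append("privileged container")
    if hc.get("CapAdd"):
        issues.append("capabilities added: " + ",".join(hc["CapAdd"]))
    if hc.get("PidMode") == "host":
        issues.append("shares the host PID namespace")
    if not _has_no_new_privileges(hc.get("SecurityOpt")):
        issues.append("no-new-privileges not set")
    if not cfg.get("User"):
        issues.append("runs as root inside the container")
    for bind in hc.get("Binds") or []:
        host_path = bind.split(":", 1)[0]
        if host_path in SENSITIVE_HOST_PATHS:
            issues.append("sensitive host path mounted: " + host_path)
    # Shared kernel: without limits one container can starve the others (DoS).
    if not hc.get("Memory"):
        issues.append("no memory limit")
    if not hc.get("NanoCpus"):
        issues.append("no CPU limit")
    if not hc.get("PidsLimit"):
        issues.append("no PID limit")
    return issues


def audit_inspect_output(inspect_json):
    """Map container name -> issues for the JSON array that `docker inspect` prints."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, issues in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(issues) or "OK")
```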

2.7 Big data

2.7.1 Elasticsearch

Elasticsearch is a distributed search and analysis engine that can be used for full-text search, structured search and analysis, and can combine the three. Elasticsearch is developed based on Lucene and is now one of the most widely used open source search engines. Wikipedia, Stack Overflow, GitHub, etc. build their search engines based on Elasticsearch.

  • Default ports: 9200, 9300

  • Attack method:

  • unauthorized access;

  • remote command execution;

  • file traversal;

  • Low version webshell implantation;

  • reference

2.7.2 hadoop

Hadoop is an open source framework for writing and running distributed applications that process large-scale data. It is designed for offline, large-scale data analysis and is not suited to online transaction processing with random reads and writes of a few records. Hadoop = HDFS (the file system, i.e. the data storage layer) + MapReduce (the data processing layer). Hadoop's data source can be in any form; compared with a relational database it performs better on semi-structured and unstructured data and has more flexible processing capabilities, because any data form is eventually converted into key/value pairs, the basic data unit. It uses a functional style, MapReduce, instead of SQL: SQL is a query language, whereas MapReduce uses scripts and code. For those used to SQL on relational databases, Hadoop can be fronted by the open source tool Hive. Hadoop is a distributed computing solution.

reference:

2.7.3 Hive

Hive is a data warehouse product in the Hadoop family. The biggest feature of Hive is that it provides SQL-like syntax and encapsulates the underlying MapReduce process, so that business personnel with SQL foundation can also directly use Hadoop to operate big data.

reference:

2.7.4 Sqoop

Apache Sqoop (SQL-to-Hadoop) project aims to assist RDBMS and Hadoop for efficient big data exchange. With the help of Sqoop, users can easily import relational database data into Hadoop and related systems (such as HBase and Hive); at the same time, they can also extract data from Hadoop systems and export them to relational databases. In addition to these main functions, Sqoop also provides some practical tools such as viewing database tables.

reference

2.7.5 HBase

Based on HDFS, HBase provides a database system with high reliability, high performance, column storage, scalability, and real-time read and write. It is between NoSQL and RDBMS. It can only retrieve data through row keys and row key sequences, and only supports single-row transactions (complex operations such as multi-table union can be realized through Hive support). It is mainly used to store unstructured and semi-structured loose data. Like Hadoop, the HBase goal mainly relies on horizontal expansion to increase computing and storage capabilities by continuously adding cheap commodity servers.

reference:

2.7.6 Spark

Spark is a general-purpose parallel computing framework similar to Hadoop MapReduce, open sourced by the UC Berkeley AMP lab. Spark implements distributed computing based on the MapReduce algorithm and has the advantages of Hadoop MapReduce; unlike MapReduce, however, the intermediate output and results of jobs can be kept in memory, eliminating the need to read and write HDFS. reference:

3. Privilege escalation and persistence

3.1 Privilege escalation

SecWiki sums it up:

3.2 Establish backdoor/port forwarding

reference:

Port forwarding and proxy tools

  • LCX: port forwarding software for Windows.

  • sockscap: mainly port forwarding and proxy forwarding on the Windows platform.

  • proxifier: cross-platform port forwarding and proxy tool for Windows, Linux and macOS.

  • Rsscoks: port forwarding and proxy tool for *nix platforms; very convenient together with proxychains.

  • Proxychains: the old-fashioned SOCKS proxy tool for *nix platforms; most systems ship it, and anyone who has used it knows it.

  • ssh proxy: port proxying and forwarding through SSH, usually included in *nix systems.

  • netcat, socat, hping: can do port forwarding and data proxying in many cases.

  • Metasploit: there are many proxy and port forwarding modules among Metasploit's post-exploitation modules.

Download the port forwarding tool (encrypted and compressed) onto the pivot server:

  • Download directly if the server can reach the Internet

  • Disk mounting via mstsc

  • Relay through the entry server

  • Upload via remote control software

3.3 Transfer files

3.3.1 File packaging

About packing

  • RAR packaging: compress all .doc files modified after 2013-01-01 in the d:\data\ directory into 100M volumes with the password Pass; -x is the exclusion option

rar.exe a -r -v100m new.rar -ta20130101000000 -hpPass -n*.doc -x*.exe d:\data\

  • 7z encryption: compress everything under d:\data with the password Pass, in 100M volumes

7z.exe a c:\xx.7z -pPass -mhe d:\data -v100m

  • On Linux, tar can produce a password-protected archive, but only in combination with openssl:

tar -zcvf - pma | openssl des3 -salt -k password | dd of=pma.des3

  • Extract the encrypted archive with tar:

dd if=pma.des3 | openssl des3 -d -k password | tar zxf -

3.3.2 Several ideas for file transfer

  • Send data directly using port forwarding;

  • Build FTP and HTTP protocols;

  • Upload to the cloud and then download;

3.4 Making a backdoor/trojan program

Generally Metasploit's msfvenom is used; usage reference:

SET can also generate backdoor programs; also keep an eye on the latest Office and PDF vulnerabilities.

4. Log cleaning

Before doing log cleaning, you need to understand the following:

  • It is difficult to completely delete the traces of an attack or intrusion, and the absence of log records is itself a characteristic of intrusion;

  • Deleting or clearing the local logs of the compromised system does not mean the traces are gone: records still remain on network devices, security devices, and centralized log systems;

  • A retained backdoor itself contains information about the attacker;

  • The proxy or jump host used may itself be counter-attacked;

  • Check whether an administrator is logged in before operating;

  • Delete the uploaded tools, using disk-overwrite deletion;

Windows log types

  • Web logs: IIS, Apache and other web server logs

  • Operation logs: the 3389 login list, recently accessed files, browser access logs such as IE's, file access logs

  • Login logs: system and application logs, the security log, etc.

  • Try to keep the system state consistent with what it was before the attack

Linux operation logs

  • Linux shell history:

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null;

  • SSH login records: delete the entries in ~/.ssh/known_hosts

  • Modify file timestamps: touch -r <original file> <file to modify>

  • Delete temporarily used files, especially in the tmp directory

  • Log cleaner
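As an added defender-side example (not from the original post), the following Python checks for the two traces this section warns about: silent periods or backwards timestamps in an auth log, and shell history being disabled in an rc file in the way the one-liner above does. The sample log, the sample .bashrc, the year 2024 and the four-hour gap threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style auth log (not from a real host). This format carries
# no year, so parsing assumes the one given to parse_timestamp().
SAMPLE_AUTH_LOG = """\
Mar  3 08:01:12 web01 sshd[2101]: Accepted publickey for deploy from 10.0.2.15 port 51022 ssh2
Mar  3 08:01:12 web01 systemd-logind[611]: New session 41 of user deploy.
Mar  3 08:17:45 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 08:30:03 web01 CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 15:42:09 web01 sshd[3994]: Accepted password for deploy from 10.0.2.77 port 40318 ssh2
Mar  3 15:42:10 web01 systemd-logind[611]: New session 42 of user deploy.
Mar  3 15:48:51 web01 sshd[3994]: pam_unix(sshd:session): session closed for user deploy
"""

# Constructed ~/.bashrc containing the history-disabling one-liner quoted above.
SAMPLE_BASHRC = """\
# .bashrc
export PATH=$HOME/bin:$PATH
alias ll='ls -la'
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null;
export HISTSIZE=0
"""

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")

# Ways of switching shell history off or pointing it at /dev/null.
HISTORY_TAMPERING = re.compile(
    r"unset\s+(?:\w+\s+)*HIST\w*"
    r"|HISTFILE=/dev/null"
    r"|HIST(?:FILE)?SIZE=0\b"
    r"|set\s+\+o\s+history"
    r"|ln\s+-s\w*\s+/dev/null\s+\S*_history"
)


def parse_timestamp(line, year=2024):
    """Return the datetime of a syslog-style line, or None if it has none."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    stamp = "%s %s %s %d" % (m.group(1), m.group(2), m.group(3), year)
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")


def check_log_continuity(lines, max_gap=timedelta(hours=4)):
    """Find silent periods longer than max_gap and timestamps that go backwards.

    A silent period on a host that normally logs every hour (cron, logind) is
    the "absence of records" mentioned above; a backwards timestamp means lines
    were removed or the file was edited. max_gap is a tuning assumption and
    should come from a baseline of the host's normal logging rate.
    """
    gaps, out_of_order = [], []
    prev = None
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None:
            continue
        if prev is not None:
            if ts < prev:
                out_of_order.append((prev, ts))
            elif ts - prev > max_gap:
                gaps.append((prev, ts, ts - prev))
        prev = ts
    return {"gaps": gaps, "out_of_order": out_of_order}


def find_history_tampering(text):
    """Return the lines of a shell rc file (or audit record) that disable history."""
    return [ln for ln in text.splitlines() if HISTORY_TAMPERING.search(ln)]


if __name__ == "__main__":
    report = check_log_continuity(SAMPLE_AUTH_LOG.splitlines())
    for start, end, gap in report["gaps"]:
        print("silent for %s between %s and %s" % (gap, start, end))
    for ln in find_history_tampering(SAMPLE_BASHRC):
        print("history tampering:", ln)
```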

5. Tools and others

  1. Some principles for using tools to penetrate the intranet

  • Use the tools that suit you. There is no need to collect too many tools, just enough;

  • Can write applicable tools according to the actual situation;

  • Tools that cannot ensure safety must run in a virtual machine (many bundled with viruses and Trojan horses);

  • For security checks, try to use open source tools on GitHub.

  2. Tool introduction: I am used to using Kali's built-in tools, and I search GitHub first for specific PoCs. A recommended website for tool introductions: https://www.kitploit.com/

  3. Penetration considerations

  • Check the intranet's monitoring and defense systems

  • Use ARP tools and large-area scanning tools with caution

  • Do not use idle machines in the target network as packaging hosts

  • Use high-traffic intranet machines as transfer hosts, such as WSUS servers and video conferencing systems

  • Use temporary machines for packaging and data transfer rather than the controlled machines; use WMI scripts or wmic remote operations

  • Do not use psexec.exe

  • Avoid users' working hours when packaging

  • Keep volume sizes below 100M

  • Use the compression software the users commonly use

  • Download data off-peak

  • Control the traffic volume

  • Clear all operation logs

  • Before logging in to a host, check whether an administrator is logged in


Origin blog.csdn.net/weixin_52501704/article/details/128671167