After getting a shell on the Linux box, first collect information about the ports. Check whether there are connections to things like port 389 (if 389 is open, there may be an LDAP configuration file or a DC password lying around; I have come across one before). You can also see some intranet IP addresses from the port information, so collect the intranet IP ranges; `arp -a` also shows some intranet IPs.

Many Linux boxes have nmap built in, and if the version is fairly recent it can be used for weak-password checks. If the nmap script version is old, you can use a Python socket proxy to forward the port out and use socketcap/tsocket to connect into the intranet. When nmap through the socket proxy fails, it may complain that it has no permission; search Baidu for the details, I have run into this before. The foreign PHP shell weevely seems to be like this too: it can be used as an HTTP proxy. Through the HTTP proxy you can scan for weak Tomcat, JBoss and phpMyAdmin passwords. Open up the HTTP port, then use a web scanner to check the site for injection, upload issues and the like. sqlmap can dump the database through a proxy.

If a domain user's password is cracked, AdExplorer can export the information of all domain users (without needing a password). Inside the intranet you can use nbtscan to scan SMB information and get host names. Many companies have a standard departmental structure; if you can get hold of the address book and identify the IT department, you may be able to see all of the IT department's passwords. Many companies share data anonymously, and a lot of files have no authentication and can be accessed directly. If you don't feel like using nmap, you can hook HScan up through the socket proxy. Intranet penetration really needs an open mind, so don't get tunnel vision. If the intranet host cannot reach the Internet, it is miserable. Also, the fake su is ineffective if the network admin prefers su. Besides that, .bash_history is a good thing.

You might see that the network admin has run smbmount or the like, and then you know the password. mount can mount Windows shares, and then you can pull files off them; non-interactive `smbclient -L // -N` shows some host information such as shares. That is basically it.

By the way, about the case mentioned above where you can't get out to the outside: in fact weevely's HTTP proxy can be used. I also heard that a guru wrote an Apache module that uses port multiplexing to forward traffic as a proxy, similar to ISAPI. I really want that tool.

PS: Damn, it's hard to find a job right now; either too far away or too little.