The idea of Intranet penetration is derived from the idea of Trojan horse-bastion hosts are the easiest way to break through from the inside. A large website, a large company, a large target, and an external target, administrators will always do everything they can to strengthen prevention and fix vulnerabilities. It is almost impossible to use conventional methods.
The breakthrough of Intranet penetration is how we get an intranet PC or server. I have three personal experiences: one is to penetrate the Internet substation into the Intranet, the second is to send Trojans to the Intranet machine, and the third is to use the Trust to obtain the Intranet machine.
1. penetration from the Internet substation to the Intranet
A large site usually has many sub-stations. There are many sub-stations that we do not know or the directories of unknown sites. The larger the sites, the more opportunities they will face us, you can use traditional methods to obtain the server permissions of a sub-station, such as injection, guessing, and overflow. When a substation server is obtained, there are two ideas: first, the substation is infiltrated into the main station or other substations, and they need to be allocated with an intranet without VLAN division, in this case, more sub-stations can be obtained through obtaining passwords or Intranet sniffing. Second, through the analysis of substation servers, the Administrator is tempted to get the Administrator's password on the substation server, collect the mailbox information on the substation, and view the FTP information of the substation server, collect commonly used tools by administrators, or files that may be downloaded by administrators (usually in tools files of the Administrator transmission tool), or tools stored by administrators in the site directory.
2. Sending Trojans to retrieve Intranet machines
This should be a combination of social engineering and vulnerabilities, such as 0 day, where word, PDF, or ie0day plays a role. Many people directly use ie0day for Trojans. In fact, ie0day is more valuable. It is also an art to trick the Administrator into clicking the URL link in your email. You can also think about the problems related to his website and the problems related to his products. This is a technical issue that administrators will always click on. During the sending of conventional Trojan messages, CHM Trojans are used more because they are not killed, and the hit rate can reach. Should the Administrator enable the trojan? Even the customer service machine is equally useful. For example, when I send a trojan message, the attachment is the CHM package, and the Intranet of the message is: "After using your XX, I think it is quite good, however, some bugs were found during use. I don't know whether it was my machine problem or you didn't take this into consideration. I saved the specific information in the attachment in the form of text and text." Of course, you need to find the target email address, which is easily found on the website or Google.
3. Obtain Intranet machines with trust
Website administrators or customer service personnel will all have e-mail, MSN, QQ, or real-world people. We can gradually draw close to each other to grasp his weaknesses or psychology, such as what he prefers, it's not impossible to chat with him slowly, reduce his psychological defense, and send URLs or bind Trojans in packaged software when he is mature. Specifically, it involves social engineering. It mainly depends on how you use it.
Intranet penetration-how to open a breakthrough, this is just a summary of some of the usual experience, there is no specific steps, there is only one idea, black station is no longer a pure game injection era. In a short time, I will write "intranet penetration-basic techniques" for technical discussion and sharing.
