explaingit

ridter/intranet_penetration_tips

4,606 · Audience · developer · Complexity · 4/5 · Setup · hard

TLDR

A Chinese-language reference collection for security professionals testing corporate networks, covering the full intranet penetration cycle from external recon through privilege escalation and trace cleanup.

Mindmap

mindmap
  root((Intranet Pen Tips))
    External Recon
      OSINT tools
      Subdomain enum
      Leaked credentials
    Initial Access
      Weak passwords
      Web app attacks
      Wi-Fi entry
    Internal Recon
      Port scanning
      User enumeration
      Network mapping
    Active Directory
      Kerberos attacks
      Hash extraction
      Domain persistence
    Privilege Escalation
      UAC bypass
      Linux kernel exploits
    Trace Cleanup
      Log clearing
      Backdoor removal

Things people build with this

USE CASE 1

Test a corporate network systematically to find how far an attacker could get after initial access

USE CASE 2

Build a checklist of Active Directory attack paths during an authorized red team engagement

USE CASE 3

Look up specific Windows persistence techniques when conducting a security audit

USE CASE 4

Extract password hashes from a compromised machine and identify weak credential policies

Tech stack

Windows · Linux · PowerShell · Python · Metasploit

Getting it running

Difficulty · hard · Time to first run · 1 day+

Each technique requires a controlled test environment and legal authorization; no single install step covers everything.

In plain English

This is a Chinese-language resource collection for security professionals who test corporate networks for weaknesses. Assembled in early 2018 by a contributor known as Evi1cg, and expanded over time with community input, it covers the full sequence of steps involved in what the security community calls intranet penetration: probing from the outside, getting in, moving around inside, and removing traces afterward.

The collection starts with external information gathering. This means finding company email addresses, subdomain names, leaked credentials, and other details publicly visible online before touching the target network. It then covers ways to gain initial access, including exploiting weak passwords, attacking web applications, and connecting via wireless networks. Much of this section is a curated list of named tools with direct links to their repositories.

Once inside a network, the guide covers how to stay hidden. This includes setting up communication channels that look like normal web traffic, routing connections through proxies, and bouncing traffic through multiple machines. A large section then goes deep into gathering information about the internal network itself: listing users, checking which services are running, scanning for open ports, and building a map of how machines are connected.

A substantial portion is dedicated to Windows domain environments, which most corporate networks use. Techniques here include attacking Kerberos authentication (the ticket system Windows uses to prove identity), extracting password hashes stored in memory, taking over domain controllers, and setting up ways to maintain access that survive reboots. Both Windows and Linux are covered, with separate sections on backdoors, scheduled tasks, and registry modifications.

The final sections address privilege escalation (getting higher-level access than you started with), spreading to additional machines, and removing traces of your activity.
The content is organized as a structured list of tools, commands, and brief notes. It reads as a practical working reference for authorized security testers rather than a beginner tutorial. Most content is in Chinese, though many linked tools have English documentation.

Copy-paste prompts

Prompt 1
I have access to a Windows machine inside a corporate network. Give me PowerShell commands to enumerate domain users, find the domain controller, and identify service accounts.
Prompt 2
Show me step-by-step how Kerberos Golden Ticket attacks work and what defenses can detect them.
Prompt 3
I need to set up a SOCKS proxy tunnel from a compromised machine through a firewall to reach internal services. What tools should I use?
Prompt 4
What are the most reliable methods for maintaining persistent access on a Windows server after gaining admin privileges?
Prompt 5
Give me a checklist of log files to clear on Windows and Linux after a penetration test to remove evidence of access.