RIO
  • Welcome
    • RIO
    • Useful Links
  • PENTESTING
    • Methodology
    • Protocols
      • FTP
      • SMB
      • NFS
      • SSH
      • RDP
      • SMTP
      • IMAP / POP3
      • RSYNC
      • SNMP
      • IPMI
      • R-Services
      • WinRM
      • WMI
      • LDAP
    • Databases
      • MySQL
      • MSSQL
      • Oracle TNS
      • PostgreSQL
    • File Transfers
      • Windows
      • Linux
      • Code
      • Misc
    • Password Attacks
      • John The Ripper
      • Hashcat
    • Docker
  • TOOLS
    • Nmap
    • Metasploit
    • BloodHound
    • Other
  • Linux
    • Theory
    • Commands and Utilities
      • Useful Commands
    • Bash Scripting
    • Post-Exploitation
      • Cred Hunting
      • Pivoting
    • Privilege Escalation
  • WINDOWS
    • Theory
      • Security
    • Commands and Utilities
    • PowerShell
    • Post-Exploitation
      • Tools
      • Enumeration
        • System
        • Network
        • Users
        • Groups
        • Processes / Services
        • Permissions
        • Defence
        • Programs
        • Files
      • Access
      • Pivoting
      • Cred Hunting
    • Privilege Escalation
      • Privileges
      • Built-In Groups
        • Backup Operators
        • Server Operators
        • Print Operators
        • DnsAdmins
        • Event Log Readers
      • Privilege Abuse
        • Potatoes
        • SeDebugPrivilege
        • SeTakeOwnershipPrivilege
      • MISC
        • UAC Bypass
        • User-Interaction Attacks
        • Weak Permissions
  • ACTIVE DIRECTORY
    • Theory
      • Terminology
    • Reconnaissance
      • Responder
      • Password Policies
      • DNS
      • Enumeration
        • Users
        • Groups
          • GPO's
        • Shares
        • Domain
        • Trusts
        • ACL
    • Movement
      • Credentials
        • Dumping
          • DCSync
        • Making a Target List
        • Spraying
        • Powershell Remoting
      • Kerberos
        • Kerbrute
        • Kerberoasting
          • Semi-Manual Way
          • Targeted Kerberoasting
        • ASREProasting
        • Forging
          • Golden Ticket
        • Overpass The Hash
        • Pass The Ticket
        • noPAC
      • MITM / Coerced Auths
        • LLMNR, NBT-NS Poisoning
        • PetitPotam
      • DACL Abuse
        • AddMember
        • ForceChangePassword
      • Trust Abuse
        • ExtraSIDs
      • ADCS
      • Printers
        • PrintNightmare
    • Tools
  • Networking
    • Theory
      • Types / Topologies
      • OSI & TCP/IP Models
      • TCP / UDP
      • MAC Addresses
      • IP / Subnetting
      • Proxies
      • ARP
    • Pivoting
      • Port-Forwarding
    • Commands and Utilities
    • Techniques
  • WEB
    • Web Recon
      • Fuzzing
    • DNS
  • CLOUD
    • Google GKE/GCP
      • Theory
Powered by GitBook
On this page
  • WinRM
  • Regular
  • Evil-WinRM
  • RDP
  • Rdesktop
  • Xfreerdp
  • Remmina (GUI)
  • PSEXEC
  • WMIEXEC
  • SMBEXEC
  • RUNAS
  1. WINDOWS
  2. Post-Exploitation

Access

How to get into a system if you have creds

WinRM

Regular

Here are 3 commands:

  1. Converting our password to secure string

  2. Putting password secure string and username into $cred object

  3. Using $cred for authentication

PS C:\> $password = ConvertTo-SecureString "password123" -AsPlainText -Force

PS C:\> $cred = new-object System.Management.Automation.PSCredential ("MILITECH\sreed", $password)

PS C:\> Enter-PSSession -ComputerName MILITECH-MS13 -Credential $cred

Evil-WinRM

evil-winrm -i 13.13.13.13 -u venator17 -p S3cr3t!

RDP

Rdesktop

rdesktop -u venator17 -p 'amogus' -d domain.kek 13.13.13.13

Xfreerdp

Regular

xfreerdp /u:venator17 /p:amogus /v:13.13.13.13 /d:domain.kek /cert:ignore

With Port-Forwarding

xfreerdp /u:venator17 /p:amogus /v:localhost:3389 /d:domain.kek /cert:ignore

Mounting a local dir

xfreerdp /v:13.13.13.13 /u:venator17 /p:amogus /drive:share,/home/venator17/Assessment123

Remmina (GUI)

reminna

PSEXEC

impacket-psexec administrator:'password123'@13.13.13.13

WMIEXEC

impacket-smbexec sreed:password123@13.13.13.13

SMBEXEC

impacket-wmiexec sreed:password123@13.13.13.13

RUNAS

runas /netonly /user:MILITECH\sreed powershell
PreviousFilesNextPivoting