PowerShell Remoting
PS Remoting
PSRemoting uses Windows Remote Management (WinRM). It is enabled by default on Server 2012 onwards with a firewall exception.
It is a high integrity process which means that we always get an elevated shell.
Note: This is why we need admin privileges while running PSRemotingLocalAccess to hunt admin users. Unless it is an admin user, we won't be able to use PSRemoting and hence the test.
To get a shell of another computer using PS Remoting
#Enable PowerShell Remoting on current Machine (Needs Admin Access)
Enable-PSRemoting
#Entering or Starting a new PSSession (Needs Admin Access)
Enter-PSSession -ComputerName <Name>
#OR
$sess = New-PSSession -ComputerName <Name>
Enter-PSSession -Sessions <SessionName>
Remote Code Execution with PS Credentials
$SecPassword = ConvertTo-SecureString '<Wtver>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\<WtverUser>', $SecPassword)
Invoke-Command -ComputerName <WtverMachine> -Credential $Cred -ScriptBlock {whoami}
Invoke PowerShell Module & Execute Remotely
#Execute the command and start a session
Invoke-Command -Credential $cred -ComputerName <NameOfComputer> -FilePath c:\FilePath\file.ps1 -Session $sess
#Interact with the session
Enter-PSSession -Session $sess
Remote Code Execution on Multiple Servers using a Target File
Invoke-Command -Scriptblock {Get-Process} -ComputerName
(Get-Content <list_of_servers>)
Invoke-Command -Scriptblock {Get-Process} -ComputerName
(Get-Content <list_of_servers>)
WinRS Executable instead of PSRemoting for Stealth
winrs -remote:server1 -u:server1\administrator -p:Pass@1234 hostname
Last updated