[Translation] The Death of PsExec
Posted on: 2018-7-5 08:18

Original: [link]

As mentioned in a previous blog post, I decided to write about what made me decide to abandon PsExec ([link]).

Why... what's wrong with PsExec?

Normally we use PsExec in our test environment to run NUnit tests remotely. Most of the time it works fine, but when there is a network outage or some other connectivity problem, the session to the test machine dies while the test process keeps running on the remote machine. You then have to implement a lot of error handling to reconnect after going offline, so that the work continues or the test results can still be collected... and that is only one of the nightmares.

Why not use PowerShell Remoting sessions?

Have you heard of the Double-Hop problem? Ashley McGlone has a good article on it ([link]).

Why not use one of the workarounds?

Simple: I want to point a script at an IP address and have it magically work. I don't want to set up an AD environment or configure anything in the remote environment.

Marc... you're demanding

I wanted to keep using Invoke-Command, as I have many times before, simply adding an -As $Credential parameter that supplies a <PSCredential> for the <ScriptBlock> executed on the remote machine, while still enjoying the connection handling of PowerShell Remoting sessions.
The command I had in mind looked something like this:
Invoke-CommandAs -Session <Session> -ScriptBlock <ScriptBlock> -As <PSCredential>
Before that command can do its work, some groundwork is needed (establish a PowerShell Remoting session to the remote machine, run a process under different credentials, and get a PowerShell object back)?
It should be that simple...

Need to run a process under different credentials? Piece of cake

I wanted to use RunAs.exe, as I have many times before, to launch a powershell process under each credential in a set of credentials. But I could not launch RunAs.exe remotely and supply it with credentials.

Invoke-CmdAs

A colleague of mine found a project (JetBrains/runAs, [link]) [link].
Copying the code straight in is very inelegant.

Invoke-RunAs

Later I found Ruben Boonen's (@FuzzySec) Invoke-RunAs, which uses Add-Type to load the DLL and call 'Advapi32::CreateProcessWithLogonW', the same thing RunAs.exe does. See my wrapper: [link]

Start-ProcessAsUser

Likewise, Start-ProcessAsUser by Matthew Graeber (@mattifestation), modified by Lee Christensen (@tifkin_), uses reflection to load the DLL and call 'Advapi32::CreateProcessWithLogonW', again the same approach as RunAs.exe. See my wrapper:
[link]
All of these implementations need additional code to return a PowerShell object.

Invoke-ScheduledTask

Another frequently discussed approach is to create a scheduled task on the remote machine and run your process as SYSTEM (or under any other supported credential). This is easy, and digging deeper I found that it creates a Scheduled Job, so you can receive the job's result as a PowerShell object.
So I created an Invoke-ScheduledTask command to simplify this, plus a wrapper that implements the steps above:
[link]
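The Scheduled Job mechanism described above, as an added local example (not code from the original post or from the Invoke-CommandAs module): it registers a PowerShell ScheduledJob that runs a script block under the supplied credentials, waits for it, and hands back the output as objects rather than text. The function name Invoke-ScheduledJobAs and the job-name prefix are assumptions; it assumes Windows PowerShell 5.1 with the PSScheduledJob module and a $Credential for a local account.

```powershell
# Added example: run a script block as another user via a PowerShell ScheduledJob
# and return its output as deserialized objects (the step PsExec could not give us).
# Requires the PSScheduledJob module (Windows PowerShell 5.1). The target account needs
# the "Log on as a batch job" right, as for any Task Scheduler task with stored credentials.
Import-Module PSScheduledJob -ErrorAction Stop

function Invoke-ScheduledJobAs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$TimeoutSeconds = 120
    )
    # Unique, recognizable name: the definition is visible in Task Scheduler under
    # \Microsoft\Windows\PowerShell\ScheduledJobs\<name>, so a defender can audit it.
    $name = 'InvokeAs_' + [guid]::NewGuid().ToString('N')
    $definition = Register-ScheduledJob -Name $name -ScriptBlock $ScriptBlock `
        -Credential $Credential -RunNow -ErrorAction Stop
    try {
        # -RunNow starts the job asynchronously; poll until the job instance appears.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Milliseconds 500
            $job = Get-Job -Name $name -ErrorAction SilentlyContinue
        } while (-not $job -and (Get-Date) -lt $deadline)
        if (-not $job) { throw "Scheduled job '$name' did not start within $TimeoutSeconds s." }

        $job | Wait-Job -Timeout $TimeoutSeconds | Out-Null
        # Receive-Job replays the script block's output streams as objects, not strings.
        $job | Receive-Job -ErrorAction Continue
        $job | Remove-Job -Force
    }
    finally {
        # Always remove the definition so no task lingers on the host after the call.
        Unregister-ScheduledJob -Id $definition.Id -Force -ErrorAction SilentlyContinue
    }
}

# Usage: confirm which identity the block ran under and that objects come back intact.
# $Credential = Get-Credential
# $result = Invoke-ScheduledJobAs -Credential $Credential -ScriptBlock {
#     [pscustomobject]@{
#         User = [Security.Principal.WindowsIdentity]::GetCurrent().Name
#         Pid  = $PID
#     }
# }
# $result | Format-List
```

Because the job runs in a separate process and writes its results to disk before Receive-Job reads them back, $result.User is a real property on a deserialized object, which is exactly what makes the approach preferable to parsing PsExec's console output.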

Simpler is better

After trying all these methods, I decided to bring Invoke-ScheduleJob into my final solution: it returns native PowerShell objects and does not break any of the output streams. See: [link]

It is also available in the PowerShell Gallery.

# Install Module
Install-Module -Name Invoke-CommandAs

# Execute Locally.
Invoke-CommandAs -ScriptBlock { Get-Process }

# Execute As different Credentials.
Invoke-CommandAs -ScriptBlock { Get-Process } -As $Credential

# Execute Remotely using ComputerName/Credential.
Invoke-CommandAs -ComputerName 'VM01' -Credential $Credential -ScriptBlock { Get-Process }

# Execute Remotely using PSSession.
Invoke-CommandAs -Session $PSSession -ScriptBlock { Get-Process }

# Execute Remotely on multiple Computers at the same time.
Invoke-CommandAs -ComputerName 'VM01', 'VM02' -Credential $Credential -ScriptBlock { Get-Process }

# Execute Remotely as Job.
Invoke-CommandAs -Session $PSSession -ScriptBlock { Get-Process } -AsJob

I'm sure there are many other ways to do this, or cases where one solution works better than the others; I would love to hear about them.
