With the default configuration on Windows it is possible to log in and execute commands as the local administrator user remotely. This can be done a few ways, and in fact you don't even need the password, only the hash.
There are tools to make it easy to exploit this situation such as:
https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html
This article explains how it is possible to use WMI when you know admin credentials to execute commands and references other techniques:
https://www.trustedsec.com/june-2015/no_psexec_needed/
The techniques listed in that article all provide a way, with a local administrator account, to get code execution on a remote box with the Windows default settings (at least up to Windows 7; I am not completely sure about 8/10).
Last edited by surferxyz; 05-11-2017 at 03:44.