# Remote connection

### Windows

#### Runas

```powershell
runas /user:xtormincorp\usuario powershell.exe
```

`whoami` will not help to verify access as that user; instead, it is better to use:

```powershell
nltest /dsgetdc:xtormincorp.local
```

#### PSExec

<table><thead><tr><th width="174.79736328125"></th><th></th></tr></thead><tbody><tr><td>Port</td><td><code>445/tcp (SMB)</code></td></tr><tr><td>Required group</td><td>Administrators</td></tr></tbody></table>

**Sysinternals tool:**

<https://learn.microsoft.com/es-es/sysinternals/downloads/psexec>

```powershell
psexec64.exe \\MACHINE_IP -u Administrator -p <password> -i cmd.exe
```

**Metasploit:**

```bash
use exploit/windows/smb/psexec
set RHOSTS file:/home/kali/scope.txt
set smbuser xtormin
set smbpass password123
exploit
```

{% code overflow="wrap" %}

```powershell
psexec -i -s powershell.exe # Interactive console running as the SYSTEM account (-s) on the interactive desktop (-i)
```

{% endcode %}

#### WinRM

<table><thead><tr><th width="174.79736328125"></th><th></th></tr></thead><tbody><tr><td>Port</td><td><p><code>5985/tcp</code> (WinRM HTTP)</p><p><code>5986/tcp</code> (WinRM HTTPS)</p></td></tr><tr><td>Required group</td><td>Remote Management Users</td></tr></tbody></table>

**CMD:**

```powershell
winrs.exe -u:Administrator -p:Mypass123 -r:target cmd
```

**PowerShell:**

First, create a PSCredential object with the user's credentials:

{% code overflow="wrap" %}

```powershell
$username = 'Administrator';
$password = 'Mypass123';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force; 
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
```

{% endcode %}

* Open an interactive session:

```powershell
Enter-PSSession -Computername TARGET -Credential $credential
```

* Run ScriptBlocks over WinRM:

```powershell
Invoke-Command -Computername TARGET -Credential $credential -ScriptBlock {whoami}
```
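
The PsExec and WinRM tables above name the ports and local groups that gate each access path. The following is an added example, not part of the original page, that audits a Windows host for those same ports and group memberships from the defender's side; the variable names and report layout are assumptions, and it expects an elevated PowerShell 5.1+ session.

```powershell
# Added example: local exposure audit for the access paths listed on this page.

# Ports taken from the PsExec and WinRM tables.
$ports = @(
    [pscustomobject]@{ Port = 445;  Service = 'SMB (PsExec)' }
    [pscustomobject]@{ Port = 5985; Service = 'WinRM HTTP' }
    [pscustomobject]@{ Port = 5986; Service = 'WinRM HTTPS' }
)

# Groups from the same tables, addressed by well-known SID so the
# check also works on non-English Windows installations.
$groups = @(
    [pscustomobject]@{ Sid = 'S-1-5-32-544'; Name = 'Administrators (PsExec)' }
    [pscustomobject]@{ Sid = 'S-1-5-32-580'; Name = 'Remote Management Users (WinRM)' }
)

# Which of the ports have a local listener?
$portReport = foreach ($p in $ports) {
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $p.Port -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Port      = $p.Port
        Service   = $p.Service
        Listening = ($listeners.Count -gt 0)
    }
}

# Who is allowed to use each access path?
$groupReport = foreach ($g in $groups) {
    try {
        foreach ($m in (Get-LocalGroupMember -SID $g.Sid -ErrorAction Stop)) {
            [pscustomobject]@{
                Group  = $g.Name
                Member = $m.Name
                Type   = $m.ObjectClass
                Source = $m.PrincipalSource
            }
        }
    } catch {
        Write-Warning "Could not enumerate $($g.Name): $($_.Exception.Message)"
    }
}

$portReport  | Format-Table -AutoSize
$groupReport | Format-Table -AutoSize
```

A listening port may still be blocked by the host firewall, so read `Listening` as potential exposure and review every non-default member of either group.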

#### Netexec

```bash
IP='10.10.10.100'
USER='xtormin'
PASS='password123'
netexec winrm "$IP" -u "$USER" -p "$PASS"
```

### Linux

```bash
evil-winrm -i 192.168.1.100 -u <usuario> -p <contraseña>
```

