Docs: Fix formatting of PowerShell exploit markdown

This commit is contained in:
Mike Salvatore 2021-08-31 11:36:58 -04:00
parent e435894187
commit b96a0e74d9
1 changed files with 21 additions and 11 deletions


@ -7,23 +7,32 @@ tags: ["exploit", "windows"]
### Description
his exploiter uses brute-force to propagate to a victim through PowerShell Remoting using Windows Remote Management (WinRM).
his exploiter uses brute-force to propagate to a victim through PowerShell
Remoting using Windows Remote Management (WinRM).
More on [PowerShell Remoting Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1") and [Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal").
More on [PowerShell Remoting
Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1")
and [Windows Remote
Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal").
### Implementation
The exploit brute forces the credentials of PSRP with every possible combination of username and password that
the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})).
The exploit brute forces the credentials of PSRP with every possible
combination of username and password that the user provides (see
["configuration"]({{< ref "/usage/configuration" >}})).
#### Credentials list
The PowerShell Remoting Client has ability to use the cached username or/and password from the system we are currently
logged in. This means that the exploiter uses the following combination of credentials to propagate to the victim in the order written:
The PowerShell Remoting Client has ability to use the cached username or/and
password from the system we are currently logged in. This means that the
exploiter uses the following combination of credentials to propagate to the
victim in the order written:
1. Cached username and password; meaning that the client we use is going to take the stored credentials
from the system we are using to connect. In order for the user to connect without entering username and password
the victim must have enabled basic authentication, http and no encryption on the victim machine.
1. Cached username and password; meaning that the client we use is going to
take the stored credentials from the system we are using to connect. In
order for the user to connect without entering username and password the
victim must have enabled basic authentication, http and no encryption on the
victim machine.
2. Cached password; brute-force with different usernames and stored password.
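Review bot: The link targets in the Description are still written with the URL inside quotation marks, `]("https://docs.microsoft.com/...")`, and the re-wrapped lines carry this over unchanged; in Markdown the quotes become part of the destination, so the rendered links point at `"https://..."` and do not resolve. Use `](https://docs.microsoft.com/...)` without the quotes, the same form the `[here](...)` link further down the file already uses. The first line of the Description also starts with `his exploiter` in both the removed and the added text; the missing leading `T` should be fixed while this paragraph is being touched. Minor wording while here: `has ability to use the cached username or/and password from the system we are currently logged in` reads better as `has the ability to use the cached username and/or password from the system we are currently logged in to`.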
@ -32,5 +41,6 @@ the victim must have enabled basic authentication, http and no encryption on the
#### Security considerations
The security concerns, recommendations and best practices when using PowerShell Remoting
can be found [here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).
The security concerns, recommendations and best practices when using PowerShell
Remoting can be found
[here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).
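Review bot: Style point on the re-wrapped sentence: `here` as link text tells the reader nothing about the destination and is hard to scan; consider making the phrase `security concerns, recommendations and best practices` the link text instead, so the sentence reads naturally and the link is self-describing. The URL is the same WinRM security page already linked from the Description, so the two links should at least use the same Markdown form once the quoted-URL issue above is fixed.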