Docs: Reword PowerShell exploiter documentation
This commit is contained in:
parent
b96a0e74d9
commit
c83a0b4668
|
@ -7,40 +7,49 @@ tags: ["exploit", "windows"]
|
|||
|
||||
### Description
|
||||
|
||||
his exploiter uses brute-force to propagate to a victim through PowerShell
|
||||
This exploiter uses brute-force to propagate to a victim through PowerShell
|
||||
Remoting using Windows Remote Management (WinRM).
|
||||
|
||||
More on [PowerShell Remoting
|
||||
Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1")
|
||||
See Microsoft's documentation for more on [PowerShell Remoting
|
||||
Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)
|
||||
and [Windows Remote
|
||||
Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal").
|
||||
Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal).
|
||||
|
||||
### Implementation
|
||||
|
||||
The exploit brute forces the credentials of PSRP with every possible
|
||||
combination of username and password that the user provides (see
|
||||
["configuration"]({{< ref "/usage/configuration" >}})).
|
||||
##### Credentials used
|
||||
|
||||
#### Credentials list
|
||||
The PowerShell exploiter can be run from both Linux and Windows attackers. On
|
||||
Windows attackers, the exploiter has the ability to use the cached username
|
||||
and/or password from the current user. On both Linux and Windows attackers, the
|
||||
exploiter uses all combinations of the [user-configured usernames and
|
||||
passwords]({{< ref "/usage/configuration/basic-credentials" >}}). Different
|
||||
combinations of credentials are attempted in the following order:
|
||||
|
||||
The PowerShell Remoting Client has ability to use the cached username or/and
|
||||
password from the system we are currently logged in. This means that the
|
||||
exploiter uses the following combination of credentials to propagate to the
|
||||
victim in the order written:
|
||||
|
||||
1. Cached username and password; meaning that the client we use is going to
|
||||
take the stored credentials from the system we are using to connect. In
|
||||
order for the user to connect without entering username and password the
|
||||
victim must have enabled basic authentication, http and no encryption on the
|
||||
1. **Cached username and password (Windows attacker only)** - The exploiter will
|
||||
use the stored credentials of the current user to attempt to log into the
|
||||
victim machine.
|
||||
|
||||
2. Cached password; brute-force with different usernames and stored password.
|
||||
1. **Brute force usernames with blank passwords** - Windows allows you to
|
||||
configure a user with a blank/empty password. The exploiter will attempt to
|
||||
log into the victim machine using each username set in the
|
||||
[configuration]({{< ref "/usage/configuration/basic-credentials" >}}) with a
|
||||
blank password.
|
||||
|
||||
3. List of usernames and passwords set in the configuration.
|
||||
In order for the attacker to connect with a blank password, the victim must
|
||||
have enabled basic authentication, http and no encryption.
|
||||
|
||||
1. **Brute force usernames with cached password (Windows attacker only)** - The
|
||||
exploiter will attempt to log into the victim machine using each username
|
||||
set in the [configuration]({{< ref "/usage/configuration/basic-credentials"
|
||||
>}}) and the current user's cached password.
|
||||
|
||||
1. **Brute force usernames and passwords** - The exploiter will attempt to use
|
||||
all combinations of usernames and passwords that were set in the
|
||||
[configuration.]({{< ref "/usage/configuration/basic-credentials" >}})
|
||||
|
||||
|
||||
#### Security considerations
|
||||
#### Securing PowerShell Remoting
|
||||
|
||||
The security concerns, recommendations and best practices when using PowerShell
|
||||
Information about how to remediate security concerns related to PowerShell
|
||||
Remoting can be found
|
||||
[here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).
|
||||
|
|
Loading…
Reference in New Issue