From e9ac64f10832174ab8dc9a0ba556821150c72437 Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Fri, 27 Aug 2021 11:18:16 +0200 Subject: [PATCH] docs: Add better documentation for powershell remoting exploiter --- .../reference/exploiters/powershell.md | 51 ++++++++++++++++++- 1 file changed, 49 insertions(+), 2 deletions(-) diff --git a/docs/content/reference/exploiters/powershell.md b/docs/content/reference/exploiters/powershell.md index 8c7e96d29..5ab8a56c6 100644 --- a/docs/content/reference/exploiters/powershell.md +++ b/docs/content/reference/exploiters/powershell.md 
@@ -4,7 +4,54 @@ date: 2021-08-24T12:19:21+03:00 draft: false tags: ["exploit", "windows"] --- + ### Description -PowerShell Remoting exploit brute forces machines via WinRM service using credentials provided by the user -(see ["configuration"]({{< ref "/usage/configuration" >}}) for instructions) . +PowerShell Remoting is a brute-force exploit that uses PowerShell Remoting Protocol (PSRP) and +Windows Remote Management(WinRM) services to propagate to a victim. + +### PowerShell Remoting Protocol + +PowerShell Remoting Protocol uses Windows Remote Management service, which is Microsoft implementation of Web Services +for Management (WS-Management) protocol, to allow users to run PowerShell commands on remote computers. + +PowerShell Remoting and WinRM listens on the following ports: +1. HTTP: 5895 +2. HTTPS: 5896 + +By default, PowerShell Remoting only allows connections from members of the Administrators group. Sessions are launched +under the user's context, so all operating system access controls applied to individual users and groups continue to apply +to them while connected over PowerShell Remoting. + +On private networks, the default Windows Firewall rule for PowerShell Remoting accepts all connections. On public networks, +the default Windows Firewall rule allows PowerShell Remoting connections only from within the same subnet. You have to +explicitly change that rule to open PowerShell Remoting to all connections on a public network. + +More on [PowerShell Remoting Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1"). + +### Windows Remote Management + +Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object +Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different +vendors, to interoperate. 
+ +More on [Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal"). + +### Implementation + +The exploit brute forces the credentials of PSRP with every possible combination of username and password that +the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})). + +#### Credentials list + +The PowerShell Remoting Client has ability to use the cached username or/and password from the system we are currently +log in. That means that the exploiter uses the following combination of credentials to propagate to the victim in the order written: + +1. Username = None and Password = None; which means that the client we use is going to take the stored credentials +from the system we are using to connect. In order for the user to connect without entering username and password +the victim must have enabled basic authentication, http and no encryption on the victim machine. + +2. Username list of usernames and Password = None; brute-force with different usernames and None as +password which means that we use the cached one from the system. + +3. List of usernames and passwords as plain-text entered by the user.
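Review bot: the port numbers in the "PowerShell Remoting and WinRM listens on the following ports" list are wrong: the default WinRM listeners are 5985 for HTTP and 5986 for HTTPS, not 5895/5896, so both entries should read "1. HTTP: 5985" and "2. HTTPS: 5986"; anyone using this page to write firewall rules or detections for the exploiter's traffic would otherwise watch the wrong ports. Two smaller points in the same hunk: both "More on ..." links wrap the URL in quotes inside the parentheses (`[PowerShell Remoting Protocol]("https://docs.microsoft.com/...")`), which makes the quote characters part of the link target and breaks the link, so drop the quotes. In the credentials list, item 1 ("Username = None and Password = None ... the victim must have enabled basic authentication, http and no encryption") states a requirement for the implicit-credential case without saying which authentication mechanism the client actually uses there; naming it, and fixing "Username list of usernames" to "Username = list of usernames", "has ability" to "has the ability" and "we are currently log in" to "we are currently logged in", would make the order of attempts unambiguous.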