2.3 KiB
title | date | draft | tags | ||
---|---|---|---|---|---|
PowerShell | 2021-08-24T12:19:21+03:00 | false |
|
Description
This exploiter uses brute-force to propagate to a victim through PowerShell Remoting using Windows Remote Management (WinRM).
See Microsoft's documentation for more on PowerShell Remoting Protocol and Windows Remote Management.
Credentials used
The PowerShell exploiter can be run from both Linux and Windows attackers. On Windows attackers, the exploiter has the ability to use the cached username and/or password from the current user. On both Linux and Windows attackers, the exploiter uses all combinations of the [user-configured usernames and passwords]({{< ref "/usage/configuration/basic-credentials" >}}). Different combinations of credentials are attempted in the following order:
-
Cached username and password (Windows attacker only) - The exploiter will use the stored credentials of the current user to attempt to log into the victim machine.
-
Brute force usernames with blank passwords - Windows allows you to configure a user with a blank/empty password. The exploiter will attempt to log into the victim machine using each username set in the [configuration]({{< ref "/usage/configuration/basic-credentials" >}}) with a blank password.
In order for the attacker to connect with a blank password, the victim must have enabled basic authentication, http and no encryption.
-
Brute force usernames with cached password (Windows attacker only) - The exploiter will attempt to log into the victim machine using each username set in the [configuration]({{< ref "/usage/configuration/basic-credentials"
}}) and the current user's cached password.
-
Brute force usernames and passwords - The exploiter will attempt to use all combinations of usernames and passwords that were set in the [configuration.]({{< ref "/usage/configuration/basic-credentials" >}})
Securing PowerShell Remoting
Information about how to remediate security concerns related to PowerShell Remoting can be found here.