Docs: Fix formatting of PowerShell exploit markdown

Mike Salvatore 2021-08-31 11:36:58 -04:00
parent e435894187
commit b96a0e74d9
1 changed files with 21 additions and 11 deletions


@ -7,23 +7,32 @@ tags: ["exploit", "windows"]
### Description ### Description
his exploiter uses brute-force to propagate to a victim through PowerShell Remoting using Windows Remote Management (WinRM). his exploiter uses brute-force to propagate to a victim through PowerShell
Remoting using Windows Remote Management (WinRM).
More on [PowerShell Remoting Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1") and [Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal"). More on [PowerShell Remoting
Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1")
and [Windows Remote
Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal").
### Implementation ### Implementation
The exploit brute forces the credentials of PSRP with every possible combination of username and password that The exploit brute forces the credentials of PSRP with every possible
the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})). combination of username and password that the user provides (see
["configuration"]({{< ref "/usage/configuration" >}})).
#### Credentials list #### Credentials list
The PowerShell Remoting Client has ability to use the cached username or/and password from the system we are currently The PowerShell Remoting Client has ability to use the cached username or/and
logged in. This means that the exploiter uses the following combination of credentials to propagate to the victim in the order written: password from the system we are currently logged in. This means that the
exploiter uses the following combination of credentials to propagate to the
victim in the order written:
1. Cached username and password; meaning that the client we use is going to take the stored credentials 1. Cached username and password; meaning that the client we use is going to
from the system we are using to connect. In order for the user to connect without entering username and password take the stored credentials from the system we are using to connect. In
the victim must have enabled basic authentication, http and no encryption on the victim machine. order for the user to connect without entering username and password the
victim must have enabled basic authentication, http and no encryption on the
victim machine.
2. Cached password; brute-force with different usernames and stored password. 2. Cached password; brute-force with different usernames and stored password.
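Review bot: The reflow carries over two defects that should be fixed while this file is being touched. First, both link destinations in the Description are wrapped in double quotes, `[PowerShell Remoting Protocol]("https://docs.microsoft.com/...")`; standard markdown takes the parenthesised text as the target, so the quotes become part of the URL and the links will not resolve. They should read `[PowerShell Remoting Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)` with no quotes. Second, the opening sentence still starts with "his exploiter" rather than "This exploiter", and the Credentials list paragraph keeps "has ability to use the cached username or/and password from the system we are currently logged in", which would read better as "has the ability to use the cached username and/or password from the system we are currently logged in to". Since item 1 states the defender-relevant condition (the victim must allow basic authentication over unencrypted HTTP for the cached-credential path to work), it would help readers to say explicitly that this refers to the victim's WinRM service configuration.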
@ -32,5 +41,6 @@ the victim must have enabled basic authentication, http and no encryption on the
#### Security considerations #### Security considerations
The security concerns, recommendations and best practices when using PowerShell Remoting The security concerns, recommendations and best practices when using PowerShell
can be found [here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1). Remoting can be found
[here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).
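Review bot: The link text "here" is not descriptive; the reflow is a good moment to anchor the link on the phrase itself, e.g. "can be found in [Microsoft's PowerShell Remoting security documentation](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)". This is also the same URL as in the Description section above, so the heading could simply point readers back to it rather than repeating a bare "here" link.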