forked from p15670423/monkey
docs: Change the docs for PowerShell
This commit is contained in:
parent
e9ac64f108
commit
e435894187
@ -0,0 +1,36 @@
|
||||||
|
---
|
||||||
|
title: "PowerShell"
|
||||||
|
date: 2021-08-24T12:19:21+03:00
|
||||||
|
draft: false
|
||||||
|
tags: ["exploit", "windows"]
|
||||||
|
---
|
||||||
|
|
||||||
|
### Description
|
||||||
|
|
||||||
|
his exploiter uses brute-force to propagate to a victim through PowerShell Remoting using Windows Remote Management (WinRM).
|
||||||
|
|
||||||
|
More on [PowerShell Remoting Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1") and [Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal").
|
||||||
|
|
||||||
|
### Implementation
|
||||||
|
|
||||||
|
The exploit brute forces the credentials of PSRP with every possible combination of username and password that
|
||||||
|
the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})).
|
||||||
|
|
||||||
|
#### Credentials list
|
||||||
|
|
||||||
|
The PowerShell Remoting Client has ability to use the cached username or/and password from the system we are currently
|
||||||
|
logged in. This means that the exploiter uses the following combination of credentials to propagate to the victim in the order written:
|
||||||
|
|
||||||
|
1. Cached username and password; meaning that the client we use is going to take the stored credentials
|
||||||
|
from the system we are using to connect. In order for the user to connect without entering username and password
|
||||||
|
the victim must have enabled basic authentication, http and no encryption on the victim machine.
|
||||||
|
|
||||||
|
2. Cached password; brute-force with different usernames and stored password.
|
||||||
|
|
||||||
|
3. List of usernames and passwords set in the configuration.
|
||||||
|
|
||||||
|
|
||||||
|
#### Security considerations
|
||||||
|
|
||||||
|
The security concerns, recommendations and best practices when using PowerShell Remoting
|
||||||
|
can be found [here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).
|
|
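Review bot: The two links on the `More on [PowerShell Remoting Protocol](...) and [Windows Remote Management](...)` line wrap their URLs in double quotes inside the parentheses, `("https://docs.microsoft.com/...")`, which is not valid Markdown link syntax and renders as a broken link with the quotes included in the target; drop the quotes so they match the working `[here](https://docs.microsoft.com/...)` link under `#### Security considerations` in the same hunk. Two smaller points in the same file: the first Description line, `his exploiter uses brute-force to propagate`, is missing its leading capital (`This exploiter`), and the rewritten credentials list (`1. Cached username and password`, `2. Cached password`) no longer states what the exploiter actually hands to the client, namely a username and/or password of None so that the client falls back to the logged-in user's stored credentials, which the removed version of this list spelled out explicitly; keeping that sentence would make item 1's requirement of basic authentication, HTTP and no encryption easier for a reader to connect to what is happening.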
@ -1,57 +0,0 @@
|
||||||
---
|
|
||||||
title: "PowerShell"
|
|
||||||
date: 2021-08-24T12:19:21+03:00
|
|
||||||
draft: false
|
|
||||||
tags: ["exploit", "windows"]
|
|
||||||
---
|
|
||||||
|
|
||||||
### Description
|
|
||||||
|
|
||||||
PowerShell Remoting is a brute-force exploit that uses PowerShell Remoting Protocol (PSRP) and
|
|
||||||
Windows Remote Management(WinRM) services to propagate to a victim.
|
|
||||||
|
|
||||||
### PowerShell Remoting Protocol
|
|
||||||
|
|
||||||
PowerShell Remoting Protocol uses Windows Remote Management service, which is Microsoft implementation of Web Services
|
|
||||||
for Management (WS-Management) protocol, to allow users to run PowerShell commands on remote computers.
|
|
||||||
|
|
||||||
PowerShell Remoting and WinRM listens on the following ports:
|
|
||||||
1. HTTP: 5895
|
|
||||||
2. HTTPS: 5896
|
|
||||||
|
|
||||||
By default, PowerShell Remoting only allows connections from members of the Administrators group. Sessions are launched
|
|
||||||
under the user's context, so all operating system access controls applied to individual users and groups continue to apply
|
|
||||||
to them while connected over PowerShell Remoting.
|
|
||||||
|
|
||||||
On private networks, the default Windows Firewall rule for PowerShell Remoting accepts all connections. On public networks,
|
|
||||||
the default Windows Firewall rule allows PowerShell Remoting connections only from within the same subnet. You have to
|
|
||||||
explicitly change that rule to open PowerShell Remoting to all connections on a public network.
|
|
||||||
|
|
||||||
More on [PowerShell Remoting Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1").
|
|
||||||
|
|
||||||
### Windows Remote Management
|
|
||||||
|
|
||||||
Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object
|
|
||||||
Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different
|
|
||||||
vendors, to interoperate.
|
|
||||||
|
|
||||||
More on [Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal").
|
|
||||||
|
|
||||||
### Implementation
|
|
||||||
|
|
||||||
The exploit brute forces the credentials of PSRP with every possible combination of username and password that
|
|
||||||
the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})).
|
|
||||||
|
|
||||||
#### Credentials list
|
|
||||||
|
|
||||||
The PowerShell Remoting Client has ability to use the cached username or/and password from the system we are currently
|
|
||||||
log in. That means that the exploiter uses the following combination of credentials to propagate to the victim in the order written:
|
|
||||||
|
|
||||||
1. Username = None and Password = None; which means that the client we use is going to take the stored credentials
|
|
||||||
from the system we are using to connect. In order for the user to connect without entering username and password
|
|
||||||
the victim must have enabled basic authentication, http and no encryption on the victim machine.
|
|
||||||
|
|
||||||
2. Username list of usernames and Password = None; brute-force with different usernames and None as
|
|
||||||
password which means that we use the cached one from the system.
|
|
||||||
|
|
||||||
3. List of usernames and passwords as plain-text entered by the user.
|
|
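Review bot: Deleting this file drops the only paragraphs that describe the target-side conditions the exploiter depends on: the WinRM listener ports, that PowerShell Remoting by default only accepts members of the Administrators group, that sessions run under the connecting user's own context, and the default Windows Firewall behaviour on private versus public networks. None of that is carried into the new `PowerShell` page added by this commit, which only links out to the Microsoft security page; suggest keeping a condensed version of the `### PowerShell Remoting Protocol` paragraphs there, since they are what a defender reading the exploiter page wants. If the port list is carried over, correct it first: the removed lines `1. HTTP: 5895` / `2. HTTPS: 5896` have the digits transposed; WinRM's default listeners are 5985 (HTTP) and 5986 (HTTPS).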