---
title: "PowerShell"
date: 2021-08-24T12:19:21+03:00
draft: false
tags: ["exploit", "windows"]
---

### Description

This exploiter uses brute-force to propagate to a victim through PowerShell Remoting using Windows Remote Management (WinRM). More on the [PowerShell Remoting Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1) and [Windows Remote Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal).

### Implementation

The exploit brute-forces the PSRP credentials with every possible combination of the usernames and passwords that the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})).

#### Credentials list

The PowerShell Remoting client has the ability to use the cached username and/or password of the system we are currently logged in to. This means that the exploiter tries the following credential combinations to propagate to the victim, in the order listed:

1. Cached username and password: the client takes the stored credentials of the system we are connecting from. For the connection to succeed without entering a username and password, the victim machine must have basic authentication, HTTP and unencrypted traffic enabled.
2. Cached password: brute-force with different usernames and the stored password.
3. The list of usernames and passwords set in the configuration.

#### Security considerations

The security concerns, recommendations and best practices for PowerShell Remoting can be found [here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).
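The credentials list above names three WinRM settings on the victim (basic authentication, an HTTP listener and unencrypted traffic) that let the cached-credential step succeed. The following audit script is an added example, not part of the Infection Monkey project; it reads those settings through the standard `WSMan:` provider on the host being audited and, with the assumed `-Remediate` switch, turns off the two that can be corrected without a certificate.

```powershell
# Added audit script (not part of the project): reports whether this host exposes the
# WinRM settings the exploiter relies on. Run in an elevated PowerShell session on the
# host being audited; read-only unless -Remediate is given (-Remediate is our own switch).
param([switch]$Remediate)

$findings = @()

# 1. Basic authentication on the WinRM service
$basic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
if ($basic -eq 'true') {
    $findings += 'Service/Auth/Basic is enabled (credentials are only base64-encoded on the wire)'
}

# 2. Unencrypted sessions allowed
$unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
if ($unenc -eq 'true') {
    $findings += 'Service/AllowUnencrypted is true (PSRP sessions may run without message encryption)'
}

# 3. HTTP (non-TLS) listener present
foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
    $props     = Get-ChildItem $listener.PSPath
    $transport = ($props | Where-Object Name -eq 'Transport').Value
    $port      = ($props | Where-Object Name -eq 'Port').Value
    if ($transport -eq 'HTTP') {
        $findings += "HTTP listener on port $port (no TLS)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No weak WinRM settings found (Basic off, AllowUnencrypted off, no HTTP listener).'
} else {
    Write-Output 'Weak WinRM settings found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}

if ($Remediate) {
    # Corrected settings: disable Basic auth and unencrypted sessions. Replacing the HTTP
    # listener with HTTPS needs a server certificate, so that step is left to the admin.
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Write-Output 'Basic auth and AllowUnencrypted disabled.'
    Write-Output 'Create an HTTPS listener separately (winrm quickconfig -transport:https).'
}
```

Running the script across a fleet (e.g. via a scheduled task that forwards the output to your log pipeline) gives a simple inventory of hosts the cached-credential step of this exploiter could reach.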