From e435894187ef8540b604a599d6ee66e59988119a Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Mon, 30 Aug 2021 14:34:21 +0200 Subject: [PATCH] docs: Change the docs for PowerShell --- .../reference/exploiters/PowerShell.md | 36 ++++++++++++ .../reference/exploiters/powershell.md | 57 ------------------- 2 files changed, 36 insertions(+), 57 deletions(-) create mode 100644 docs/content/reference/exploiters/PowerShell.md delete mode 100644 docs/content/reference/exploiters/powershell.md diff --git a/docs/content/reference/exploiters/PowerShell.md b/docs/content/reference/exploiters/PowerShell.md new file mode 100644 index 000000000..ec8d71878 --- /dev/null +++ b/docs/content/reference/exploiters/PowerShell.md 
@@ -0,0 +1,36 @@ +--- +title: "PowerShell" +date: 2021-08-24T12:19:21+03:00 +draft: false +tags: ["exploit", "windows"] +--- + +### Description + +his exploiter uses brute-force to propagate to a victim through PowerShell Remoting using Windows Remote Management (WinRM). + +More on [PowerShell Remoting Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1") and [Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal"). + +### Implementation + +The exploit brute forces the credentials of PSRP with every possible combination of username and password that +the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})). + +#### Credentials list + +The PowerShell Remoting Client has ability to use the cached username or/and password from the system we are currently +logged in. This means that the exploiter uses the following combination of credentials to propagate to the victim in the order written: + +1. Cached username and password; meaning that the client we use is going to take the stored credentials +from the system we are using to connect. In order for the user to connect without entering username and password +the victim must have enabled basic authentication, http and no encryption on the victim machine. + +2. Cached password; brute-force with different usernames and stored password. + +3. List of usernames and passwords set in the configuration. + + +#### Security considerations + +The security concerns, recommendations and best practices when using PowerShell Remoting +can be found [here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1). diff --git a/docs/content/reference/exploiters/powershell.md b/docs/content/reference/exploiters/powershell.md deleted file mode 100644 index 5ab8a56c6..000000000 --- a/docs/content/reference/exploiters/powershell.md +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -title: "PowerShell" -date: 2021-08-24T12:19:21+03:00 -draft: false -tags: ["exploit", "windows"] ---- - -### Description - -PowerShell Remoting is a brute-force exploit that uses PowerShell Remoting Protocol (PSRP) and -Windows Remote Management(WinRM) services to propagate to a victim. - -### PowerShell Remoting Protocol - -PowerShell Remoting Protocol uses Windows Remote Management service, which is Microsoft implementation of Web Services -for Management (WS-Management) protocol, to allow users to run PowerShell commands on remote computers. - -PowerShell Remoting and WinRM listens on the following ports: -1. HTTP: 5895 -2. HTTPS: 5896 - -By default, PowerShell Remoting only allows connections from members of the Administrators group. Sessions are launched -under the user's context, so all operating system access controls applied to individual users and groups continue to apply -to them while connected over PowerShell Remoting. - -On private networks, the default Windows Firewall rule for PowerShell Remoting accepts all connections. On public networks, -the default Windows Firewall rule allows PowerShell Remoting connections only from within the same subnet. You have to -explicitly change that rule to open PowerShell Remoting to all connections on a public network. - -More on [PowerShell Remoting Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1"). - -### Windows Remote Management - -Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object -Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different -vendors, to interoperate. - -More on [Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal"). 
- -### Implementation - -The exploit brute forces the credentials of PSRP with every possible combination of username and password that -the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})). - -#### Credentials list - -The PowerShell Remoting Client has ability to use the cached username or/and password from the system we are currently -log in. That means that the exploiter uses the following combination of credentials to propagate to the victim in the order written: - -1. Username = None and Password = None; which means that the client we use is going to take the stored credentials -from the system we are using to connect. In order for the user to connect without entering username and password -the victim must have enabled basic authentication, http and no encryption on the victim machine. - -2. Username list of usernames and Password = None; brute-force with different usernames and None as -password which means that we use the cached one from the system. - -3. List of usernames and passwords as plain-text entered by the user.
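Review bot: the Description line of the new PowerShell.md is missing its first letter ("his exploiter uses brute-force ..." should read "This exploiter uses brute-force ..."), and both markdown links on that page wrap the URL in double quotes inside the parentheses (`[PowerShell Remoting Protocol]("https://docs.microsoft.com/...")`), which renderers treat as part of the link destination and which produces a broken link; write them as `[PowerShell Remoting Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)` with the quotes removed, and the same for the Windows Remote Management link. Smaller wording points in the "Credentials list" section: "has ability to use the cached username or/and password" reads better as "has the ability to use the cached username and/or password", and there is a doubled blank line before "#### Security considerations". The first list item states that the cached-credential attempt only works when the victim "must have enabled basic authentication, http and no encryption"; since that is the hardening-relevant sentence of the page, it would help defenders to say which WinRM service settings are meant (the Basic and AllowUnencrypted settings of the WinRM service config) or to point that sentence at the security-considerations link so the condition is not left unnamed.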
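Review bot: this hunk deletes docs/content/reference/exploiters/powershell.md while the other hunk creates docs/content/reference/exploiters/PowerShell.md, a case-only rename; case-insensitive filesystems (Windows, default macOS) treat the two paths as the same file, so confirm the commit checks out cleanly there, or keep the original filename and change only the content. The removed page also carried background that the new page drops entirely: the listener ports, the default restriction to members of the Administrators group, and the Windows Firewall profile behaviour. If that material is reinstated, correct the port numbers first: the deleted text lists "HTTP: 5895" and "HTTPS: 5896", whereas WinRM's documented defaults are 5985 (HTTP) and 5986 (HTTPS). Finally, the removed "Credentials list" wording ("Username = None and Password = None", "Username list of usernames and Password = None") described the actual inputs the client is given, which the new phrasing ("Cached username and password", "Cached password") loses; keep one sentence mapping the three attempts to the None/None, list/None and list/list inputs so the described behaviour stays verifiable against the configuration page it links to.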