2021-08-30 20:34:21 +08:00
|
|
|
---
|
|
|
|
|
title: "PowerShell"
|
|
|
|
|
date: 2021-08-24T12:19:21+03:00
|
|
|
|
|
draft: false
|
|
|
|
|
tags: ["exploit", "windows"]
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
### Description
|
|
|
|
|
|
2021-09-01 00:21:08 +08:00
|
|
|
This exploiter uses brute-force to propagate to a victim through PowerShell
|
2021-08-31 23:36:58 +08:00
|
|
|
Remoting using Windows Remote Management (WinRM).
|
2021-08-30 20:34:21 +08:00
|
|
|
|
2021-09-01 00:21:08 +08:00
|
|
|
See Microsoft's documentation for more on [PowerShell Remoting
|
|
|
|
|
Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)
|
2021-08-31 23:36:58 +08:00
|
|
|
and [Windows Remote
|
2021-09-01 00:21:08 +08:00
|
|
|
Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal).
|
2021-08-30 20:34:21 +08:00
|
|
|
|
|
|
|
|
|
2021-09-01 00:21:08 +08:00
|
|
|
##### Credentials used
|
2021-08-30 20:34:21 +08:00
|
|
|
|
2021-09-01 00:21:08 +08:00
|
|
|
The PowerShell exploiter can be run from both Linux and Windows attackers. On
|
|
|
|
|
Windows attackers, the exploiter has the ability to use the cached username
|
|
|
|
|
and/or password from the current user. On both Linux and Windows attackers, the
|
|
|
|
|
exploiter uses all combinations of the [user-configured usernames and
|
|
|
|
|
passwords]({{< ref "/usage/configuration/basic-credentials" >}}). Different
|
|
|
|
|
combinations of credentials are attempted in the following order:
|
2021-08-30 20:34:21 +08:00
|
|
|
|
2021-09-01 00:21:08 +08:00
|
|
|
1. **Cached username and password (Windows attacker only)** - The exploiter will
|
|
|
|
|
use the stored credentials of the current user to attempt to log into the
|
2021-08-31 23:36:58 +08:00
|
|
|
victim machine.
|
2021-08-30 20:34:21 +08:00
|
|
|
|
2021-09-01 00:21:08 +08:00
|
|
|
1. **Brute force usernames with blank passwords** - Windows allows you to
|
|
|
|
|
configure a user with a blank/empty password. The exploiter will attempt to
|
|
|
|
|
log into the victim machine using each username set in the
|
|
|
|
|
[configuration]({{< ref "/usage/configuration/basic-credentials" >}}) with a
|
|
|
|
|
blank password.
|
|
|
|
|
|
|
|
|
|
In order for the attacker to connect with a blank password, the victim must
|
|
|
|
|
have enabled basic authentication, http and no encryption.
|
|
|
|
|
|
|
|
|
|
1. **Brute force usernames with cached password (Windows attacker only)** - The
|
|
|
|
|
exploiter will attempt to log into the victim machine using each username
|
|
|
|
|
set in the [configuration]({{< ref "/usage/configuration/basic-credentials"
|
|
|
|
|
>}}) and the current user's cached password.
|
2021-08-30 20:34:21 +08:00
|
|
|
|
2021-09-01 00:21:08 +08:00
|
|
|
1. **Brute force usernames and passwords** - The exploiter will attempt to use
|
|
|
|
|
all combinations of usernames and passwords that were set in the
|
|
|
|
|
[configuration.]({{< ref "/usage/configuration/basic-credentials" >}})
|
2021-08-30 20:34:21 +08:00
|
|
|
|
|
|
|
|
|
2021-09-01 00:21:08 +08:00
|
|
|
#### Securing PowerShell Remoting
|
2021-08-30 20:34:21 +08:00
|
|
|
|
2021-09-01 00:21:08 +08:00
|
|
|
Information about how to remediate security concerns related to PowerShell
|
2021-08-31 23:36:58 +08:00
|
|
|
Remoting can be found
|
|
|
|
|
[here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).
|
