monkey/docs/content/reference/exploiters/PowerShell.md

66 lines
2.9 KiB
Markdown
Raw Normal View History

2021-08-30 20:34:21 +08:00
---
title: "PowerShell"
date: 2021-08-24T12:19:21+03:00
draft: false
tags: ["exploit", "windows"]
---
### Description
This exploiter uses brute-force to propagate to a victim through PowerShell
Remoting using Windows Remote Management (WinRM).
2021-08-30 20:34:21 +08:00
See Microsoft's documentation for more on [PowerShell Remoting
Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)
and [Windows Remote
Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal).
2021-08-30 20:34:21 +08:00
##### Credentials used
2021-08-30 20:34:21 +08:00
The PowerShell exploiter can be run from both Linux and Windows attackers. On
Windows attackers, the exploiter has the ability to use the cached username
and/or password from the current user. On both Linux and Windows attackers, the
exploiter uses all combinations of the [user-configured usernames and
2022-08-29 17:17:33 +08:00
passwords]({{< ref "/usage/configuration/basic-credentials" >}}), as well as LM or NT hashes that have been collected. Different combinations of
credentials are attempted in the following order:
2021-08-30 20:34:21 +08:00
1. **Cached username and password (Windows attacker only)** - The exploiter will
use the stored credentials of the current user to attempt to log into the
victim machine.
2021-08-30 20:34:21 +08:00
1. **Brute force usernames with blank passwords** - Windows allows you to
configure a user with a blank/empty password. The exploiter will attempt to
log into the victim machine using each username set in the
[configuration]({{< ref "/usage/configuration/basic-credentials" >}}) with a
blank password.
In order for the attacker to connect with a blank password, the victim must
have enabled basic authentication, http and no encryption.
1. **Brute force usernames with cached password (Windows attacker only)** - The
exploiter will attempt to log into the victim machine using each username
set in the [configuration]({{< ref "/usage/configuration/basic-credentials"
>}}) and the current user's cached password.
2021-08-30 20:34:21 +08:00
1. **Brute force usernames and passwords** - The exploiter will attempt to use
all combinations of usernames and passwords that were set in the
[configuration.]({{< ref "/usage/configuration/basic-credentials" >}})
2021-08-30 20:34:21 +08:00
1. **Brute force usernames and LM hashes** - The exploiter will attempt to use
all combinations of usernames that were set in the [configuration]({{< ref
"/usage/configuration/basic-credentials" >}}) and LM hashes that were
collected from any other victims.
1. **Brute force usernames and NT hashes** - The exploiter will attempt to use
all combinations of usernames that were set in the [configuration]({{< ref
"/usage/configuration/basic-credentials" >}}) and NT hashes that were
collected from any other victims.
2021-08-30 20:34:21 +08:00
#### Securing PowerShell Remoting
2021-08-30 20:34:21 +08:00
Information about how to remediate security concerns related to PowerShell
Remoting can be found
[here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).