---
title: "PowerShell"
date: 2021-08-24T12:19:21+03:00
draft: false
tags: ["exploit", "windows"]
---

### Description

This exploiter uses brute force to propagate to a victim through PowerShell Remoting over Windows Remote Management (WinRM). See Microsoft's documentation for more on the [PowerShell Remoting Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1) and [Windows Remote Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal).

##### Credentials used

The PowerShell exploiter can be run from both Linux and Windows attackers. On Windows attackers, the exploiter can additionally use the cached username and/or password of the current user. On both Linux and Windows attackers, the exploiter uses all combinations of the [user-configured usernames and passwords]({{< ref "/usage/configuration/basic-credentials" >}}), as well as any LM or NT hashes that have been collected.

Different combinations of credentials are attempted in the following order:

1. **Cached username and password (Windows attacker only)** - The exploiter will use the stored credentials of the current user to attempt to log into the victim machine.
1. **Brute force usernames with blank passwords** - Windows allows a user to be configured with a blank/empty password. The exploiter will attempt to log into the victim machine using each username set in the [configuration]({{< ref "/usage/configuration/basic-credentials" >}}) with a blank password. For the attacker to connect with a blank password, the victim's WinRM service must have basic authentication enabled, listen on HTTP and allow unencrypted traffic.
1. **Brute force usernames with cached password (Windows attacker only)** - The exploiter will attempt to log into the victim machine using each username set in the [configuration]({{< ref "/usage/configuration/basic-credentials" >}}) together with the current user's cached password.
1. **Brute force usernames and passwords** - The exploiter will attempt all combinations of the usernames and passwords that were set in the [configuration]({{< ref "/usage/configuration/basic-credentials" >}}).
1. **Brute force usernames and LM hashes** - The exploiter will attempt all combinations of the usernames that were set in the [configuration]({{< ref "/usage/configuration/basic-credentials" >}}) and LM hashes that were collected from other victims.
1. **Brute force usernames and NT hashes** - The exploiter will attempt all combinations of the usernames that were set in the [configuration]({{< ref "/usage/configuration/basic-credentials" >}}) and NT hashes that were collected from other victims.

#### Securing PowerShell Remoting

Information about how to remediate security concerns related to PowerShell Remoting can be found [here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).
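The attempt order above is easier to reason about as code. The following Python is an added example written for this page, not the exploiter's own implementation: it builds the candidate list in the six stages described, skips duplicates (the cached credential pair would otherwise be retried in later stages), and models the blank-password precondition against a constructed victim. The usernames, passwords, hashes, the `VICTIM` dictionary and the `login_would_succeed` check are all assumptions made for illustration; no network connection is attempted.

```python
import itertools
from typing import Dict, List, Optional, Tuple

# A candidate is (username, secret, secret_type); secret_type is one of
# "password", "lm_hash" or "nt_hash", mirroring the categories on this page.
Credential = Tuple[str, str, str]


def credential_attempt_order(
    usernames: List[str],
    passwords: List[str],
    lm_hashes: List[str],
    nt_hashes: List[str],
    cached_username: Optional[str] = None,
    cached_password: Optional[str] = None,
    attacker_is_windows: bool = False,
) -> List[Credential]:
    """Return candidates in the order the page describes, without duplicates."""
    attempts: List[Credential] = []
    seen = set()

    def add(username: str, secret: str, secret_type: str) -> None:
        cred = (username, secret, secret_type)
        if cred not in seen:  # the cached pair reappears in later stages; try it once
            seen.add(cred)
            attempts.append(cred)

    # 1. Cached username and password (Windows attacker only)
    if attacker_is_windows and cached_username and cached_password:
        add(cached_username, cached_password, "password")
    # 2. Every configured username with a blank password
    for user in usernames:
        add(user, "", "password")
    # 3. Every configured username with the cached password (Windows attacker only)
    if attacker_is_windows and cached_password:
        for user in usernames:
            add(user, cached_password, "password")
    # 4. All configured username x password combinations
    for user, password in itertools.product(usernames, passwords):
        add(user, password, "password")
    # 5. Configured usernames x collected LM hashes
    for user, lm in itertools.product(usernames, lm_hashes):
        add(user, lm, "lm_hash")
    # 6. Configured usernames x collected NT hashes
    for user, nt in itertools.product(usernames, nt_hashes):
        add(user, nt, "nt_hash")
    return attempts


# Constructed sample victim (assumption): which logons are valid and how WinRM is set up.
# svc_backup has a blank password, which only works when basic auth, HTTP and
# unencrypted traffic are all allowed on the victim's WinRM service.
VICTIM: Dict[str, object] = {
    "valid_logins": {
        ("Administrator", "P@ssw0rd", "password"),
        ("svc_backup", "", "password"),
    },
    "basic_auth": True,
    "http_listener": True,
    "allow_unencrypted": False,
}


def login_would_succeed(victim: Dict[str, object], cred: Credential) -> bool:
    """Simulated logon check (assumption, not a WinRM client)."""
    _, secret, secret_type = cred
    if secret_type == "password" and secret == "":
        if not (victim["basic_auth"] and victim["http_listener"] and victim["allow_unencrypted"]):
            return False  # blank password is refused unless all three are enabled
    return cred in victim["valid_logins"]


def first_working_credential(victim: Dict[str, object], attempts: List[Credential]):
    """Return (1-based attempt number, credential) of the first success, or None."""
    for index, cred in enumerate(attempts, start=1):
        if login_would_succeed(victim, cred):
            return index, cred
    return None


# Constructed sample inputs (assumptions). The hashes are the well-known empty
# LM and NT hashes, used only as placeholders for "collected" hashes.
SAMPLE_USERNAMES = ["Administrator", "svc_backup"]
SAMPLE_PASSWORDS = ["Welcome1", "P@ssw0rd"]
SAMPLE_LM_HASHES = ["aad3b435b51404eeaad3b435b51404ee"]
SAMPLE_NT_HASHES = ["31d6cfe0d16ae931b73c59d7e0c089c0"]


def windows_attacker_attempts() -> List[Credential]:
    return credential_attempt_order(
        SAMPLE_USERNAMES, SAMPLE_PASSWORDS, SAMPLE_LM_HASHES, SAMPLE_NT_HASHES,
        cached_username="Administrator", cached_password="Welcome1",
        attacker_is_windows=True,
    )


def linux_attacker_attempts() -> List[Credential]:
    return credential_attempt_order(
        SAMPLE_USERNAMES, SAMPLE_PASSWORDS, SAMPLE_LM_HASHES, SAMPLE_NT_HASHES,
    )


if __name__ == "__main__":
    for n, c in enumerate(windows_attacker_attempts(), start=1):
        print(n, c)
    print("first success:", first_working_credential(VICTIM, windows_attacker_attempts()))
```

Flipping `allow_unencrypted` to `True` on the sample victim moves the first success from attempt 5 (the configured password) to attempt 3 (the blank password), which is why leaving basic authentication and unencrypted HTTP enabled on WinRM matters even when every real password is strong.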