monkey/docs/content/reference/exploiters/PowerShell.md

---
title: "PowerShell"
date: 2021-08-24T12:19:21+03:00
draft: false
tags: ["exploit", "windows"]
---

## Description

This exploiter uses brute force to propagate to a victim through PowerShell Remoting over Windows Remote Management (WinRM).

More on PowerShell Remoting Protocol and Windows Remote Management.

## Implementation

The exploiter brute-forces the PSRP credentials with every possible combination of the usernames and passwords that the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})).

### Credentials list

The PowerShell Remoting client is able to use the cached username and/or password of the system we are currently logged in to. This means that the exploiter tries the following credential combinations to propagate to the victim, in the order listed:

  1. Cached username and password: the client takes the stored credentials from the system we are running on. For this to succeed without entering a username and password, the victim machine must have basic authentication enabled, an HTTP listener and unencrypted traffic allowed.

  2. Cached password: brute force with different usernames and the stored password.

  3. List of usernames and passwords set in the configuration.

## Security considerations

The security concerns, recommendations and best practices when using PowerShell Remoting can be found here.