monkey/docs/content/reference/exploiters/PowerShell.md

2021-08-30 20:34:21 +08:00
---
title: "PowerShell"
date: 2021-08-24T12:19:21+03:00
draft: false
tags: ["exploit", "windows"]
---
### Description
This exploiter uses brute-force to propagate to a victim through PowerShell
Remoting using Windows Remote Management (WinRM).
More on [PowerShell Remoting
Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)
and [Windows Remote
Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal).
### Implementation
The exploit brute-forces the credentials of PSRP with every possible
combination of the usernames and passwords that the user provides (see
["configuration"]({{< ref "/usage/configuration" >}})).
#### Credentials list
The PowerShell Remoting client has the ability to use the cached username and/or
password of the system we are currently logged in to. This means that the
exploiter tries the following combinations of credentials to propagate to the
victim, in the order written:
1. Cached username and password; meaning that the client we use takes the
stored credentials of the system we are connecting from. For the connection
to succeed without entering a username and password, the victim must have
enabled basic authentication, HTTP and unencrypted traffic on the victim
machine.
2. Cached password; brute-force with different usernames and stored password.
3. List of usernames and passwords set in the configuration.
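The first propagation path above only works when the victim's WinRM service allows basic authentication over plain HTTP. The following audit script is an added example, not part of the Infection Monkey code or docs; it reads those WinRM settings on the local host through the `WSMan:` drive and flags the weak values. It assumes WinRM is installed and the script runs in an elevated session (the function name `Get-WinRmWeakSettings` is hypothetical).

```powershell
# Added example (not from the Infection Monkey project): audit the WinRM
# settings that the "cached credentials" propagation path depends on.
# Assumes WinRM is installed (WSMan: drive present) and an elevated session.

function Get-WinRmWeakSettings {
    # Each check: WSMan provider path, the value considered weak, and why.
    $checks = @(
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic';       Weak = 'true'; Why = 'Service accepts Basic authentication' },
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Weak = 'true'; Why = 'Service accepts unencrypted (plain HTTP) traffic' },
        @{ Path = 'WSMan:\localhost\Client\Auth\Basic';        Weak = 'true'; Why = 'Client is allowed to send Basic credentials' },
        @{ Path = 'WSMan:\localhost\Client\AllowUnencrypted';  Weak = 'true'; Why = 'Client is allowed to talk over plain HTTP' }
    )
    foreach ($c in $checks) {
        # WSMan provider items expose the configured value as a string ("true"/"false").
        $value = (Get-Item -Path $c.Path -ErrorAction Stop).Value
        [pscustomobject]@{
            Setting = $c.Path
            Value   = $value
            Weak    = ($value -eq $c.Weak)
            Why     = $c.Why
        }
    }
    # An HTTP listener is what makes the unencrypted path reachable from the network.
    Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        ForEach-Object {
            [pscustomobject]@{
                Setting = "Listener $($_.Address) ($($_.Transport))"
                Value   = $_.Port
                Weak    = ($_.Transport -eq 'HTTP')
                Why     = 'Listener accepts HTTP; prefer an HTTPS listener'
            }
        }
}

# Print the findings and, if anything is weak, the corresponding hardening commands.
$findings = Get-WinRmWeakSettings
$findings | Format-Table -AutoSize
if ($findings | Where-Object Weak) {
    Write-Warning 'Weak WinRM settings found. Review before applying:'
    Write-Output 'Set-Item WSMan:\localhost\Service\Auth\Basic -Value false'
    Write-Output 'Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value false'
}
```

Run it on a host before and after hardening; a result with no `Weak = True` rows means the cached-credential path described in step 1 is not available against that host.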
#### Security considerations
The security concerns, recommendations and best practices when using PowerShell
Remoting can be found
[here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).