diff --git a/docs/content/reference/exploiters/PowerShell.md b/docs/content/reference/exploiters/PowerShell.md index 365c5c72f..5e901e93c 100644 --- a/docs/content/reference/exploiters/PowerShell.md +++ b/docs/content/reference/exploiters/PowerShell.md 
@@ -7,40 +7,49 @@ tags: ["exploit", "windows"] ### Description -his exploiter uses brute-force to propagate to a victim through PowerShell +This exploiter uses brute-force to propagate to a victim through PowerShell Remoting using Windows Remote Management (WinRM). -More on [PowerShell Remoting -Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1") +See Microsoft's documentation for more on [PowerShell Remoting +Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1) and [Windows Remote -Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal"). +Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal). -### Implementation -The exploit brute forces the credentials of PSRP with every possible -combination of username and password that the user provides (see -["configuration"]({{< ref "/usage/configuration" >}})). +##### Credentials used -#### Credentials list +The PowerShell exploiter can be run from both Linux and Windows attackers. On +Windows attackers, the exploiter has the ability to use the cached username +and/or password from the current user. On both Linux and Windows attackers, the +exploiter uses all combinations of the [user-configured usernames and +passwords]({{< ref "/usage/configuration/basic-credentials" >}}). Different +combinations of credentials are attempted in the following order: -The PowerShell Remoting Client has ability to use the cached username or/and -password from the system we are currently logged in. This means that the -exploiter uses the following combination of credentials to propagate to the -victim in the order written: - -1. Cached username and password; meaning that the client we use is going to - take the stored credentials from the system we are using to connect. 
In - order for the user to connect without entering username and password the - victim must have enabled basic authentication, http and no encryption on the +1. **Cached username and password (Windows attacker only)** - The exploiter will + use the stored credentials of the current user to attempt to log into the victim machine. -2. Cached password; brute-force with different usernames and stored password. +1. **Brute force usernames with blank passwords** - Windows allows you to + configure a user with a blank/empty password. The exploiter will attempt to + log into the victim machine using each username set in the + [configuration]({{< ref "/usage/configuration/basic-credentials" >}}) with a + blank password. -3. List of usernames and passwords set in the configuration. + In order for the attacker to connect with a blank password, the victim must + have enabled basic authentication, http and no encryption. + +1. **Brute force usernames with cached password (Windows attacker only)** - The + exploiter will attempt to log into the victim machine using each username + set in the [configuration]({{< ref "/usage/configuration/basic-credentials" + >}}) and the current user's cached password. + +1. **Brute force usernames and passwords** - The exploiter will attempt to use + all combinations of usernames and passwords that were set in the + [configuration.]({{< ref "/usage/configuration/basic-credentials" >}}) -#### Security considerations +#### Securing PowerShell Remoting -The security concerns, recommendations and best practices when using PowerShell +Information about how to remediate security concerns related to PowerShell Remoting can be found [here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).
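Review bot: the heading levels in this hunk are uneven: `##### Credentials used` is placed directly under `### Description` (skipping a level), while the later section in the same hunk is `#### Securing PowerShell Remoting`; change it to `#### Credentials used` so both subsections sit at the same depth. Two smaller points in the same hunk: the final list item puts the period inside the link text, `[configuration.]({{< ref "/usage/configuration/basic-credentials" >}})`, which should be `[configuration]({{< ref "/usage/configuration/basic-credentials" >}}).` with the period outside the link; and "basic authentication, http and no encryption" should spell the protocol as "HTTP". It is also worth confirming that the basic-auth/HTTP/no-encryption requirement belongs where the hunk now puts it: the removed text attached it to the cached username and password item, and the new text moves it under "Brute force usernames with blank passwords" without explaining the change, so the commit message or the paragraph should state which login path actually needs that victim configuration.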