Docs: Reword PowerShell exploiter documentation

This commit is contained in:
Mike Salvatore 2021-08-31 12:21:08 -04:00
parent b96a0e74d9
commit c83a0b4668
1 changed files with 31 additions and 22 deletions

View File

@ -7,40 +7,49 @@ tags: ["exploit", "windows"]
### Description ### Description
his exploiter uses brute-force to propagate to a victim through PowerShell This exploiter uses brute-force to propagate to a victim through PowerShell
Remoting using Windows Remote Management (WinRM). Remoting using Windows Remote Management (WinRM).
More on [PowerShell Remoting See Microsoft's documentation for more on [PowerShell Remoting
Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1") Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)
and [Windows Remote and [Windows Remote
Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal"). Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal).
### Implementation
The exploit brute forces the credentials of PSRP with every possible ##### Credentials used
combination of username and password that the user provides (see
["configuration"]({{< ref "/usage/configuration" >}})).
#### Credentials list The PowerShell exploiter can be run from both Linux and Windows attackers. On
Windows attackers, the exploiter has the ability to use the cached username
and/or password from the current user. On both Linux and Windows attackers, the
exploiter uses all combinations of the [user-configured usernames and
passwords]({{< ref "/usage/configuration/basic-credentials" >}}). Different
combinations of credentials are attempted in the following order:
The PowerShell Remoting Client has ability to use the cached username or/and 1. **Cached username and password (Windows attacker only)** - The exploiter will
password from the system we are currently logged in. This means that the use the stored credentials of the current user to attempt to log into the
exploiter uses the following combination of credentials to propagate to the
victim in the order written:
1. Cached username and password; meaning that the client we use is going to
take the stored credentials from the system we are using to connect. In
order for the user to connect without entering username and password the
victim must have enabled basic authentication, http and no encryption on the
victim machine. victim machine.
2. Cached password; brute-force with different usernames and stored password. 1. **Brute force usernames with blank passwords** - Windows allows you to
configure a user with a blank/empty password. The exploiter will attempt to
log into the victim machine using each username set in the
[configuration]({{< ref "/usage/configuration/basic-credentials" >}}) with a
blank password.
3. List of usernames and passwords set in the configuration. In order for the attacker to connect with a blank password, the victim must
have enabled basic authentication, http and no encryption.
1. **Brute force usernames with cached password (Windows attacker only)** - The
exploiter will attempt to log into the victim machine using each username
set in the [configuration]({{< ref "/usage/configuration/basic-credentials"
>}}) and the current user's cached password.
1. **Brute force usernames and passwords** - The exploiter will attempt to use
all combinations of usernames and passwords that were set in the
[configuration.]({{< ref "/usage/configuration/basic-credentials" >}})
#### Security considerations #### Securing PowerShell Remoting
The security concerns, recommendations and best practices when using PowerShell Information about how to remediate security concerns related to PowerShell
Remoting can be found Remoting can be found
[here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1). [here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).