docs: Add better documentation for powershell remoting exploiter

This commit is contained in:
Ilija Lazoroski 2021-08-27 11:18:16 +02:00
parent 73a3f2057a
commit e9ac64f108
1 changed files with 49 additions and 2 deletions


@ -4,7 +4,54 @@ date: 2021-08-24T12:19:21+03:00
draft: false
tags: ["exploit", "windows"]
---
### Description
PowerShell Remoting exploit brute forces machines via WinRM service using credentials provided by the user
(see ["configuration"]({{< ref "/usage/configuration" >}}) for instructions) .
PowerShell Remoting is a brute-force exploit that uses PowerShell Remoting Protocol (PSRP) and
Windows Remote Management(WinRM) services to propagate to a victim.
### PowerShell Remoting Protocol
PowerShell Remoting Protocol uses Windows Remote Management service, which is Microsoft implementation of Web Services
for Management (WS-Management) protocol, to allow users to run PowerShell commands on remote computers.
PowerShell Remoting and WinRM listens on the following ports:
1. HTTP: 5895
2. HTTPS: 5896
By default, PowerShell Remoting only allows connections from members of the Administrators group. Sessions are launched
under the user's context, so all operating system access controls applied to individual users and groups continue to apply
to them while connected over PowerShell Remoting.
On private networks, the default Windows Firewall rule for PowerShell Remoting accepts all connections. On public networks,
the default Windows Firewall rule allows PowerShell Remoting connections only from within the same subnet. You have to
explicitly change that rule to open PowerShell Remoting to all connections on a public network.
More on [PowerShell Remoting Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1").
### Windows Remote Management
Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object
Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different
vendors, to interoperate.
More on [Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal").
### Implementation
The exploit brute forces the credentials of PSRP with every possible combination of username and password that
the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})).
#### Credentials list
The PowerShell Remoting Client has ability to use the cached username or/and password from the system we are currently
log in. That means that the exploiter uses the following combination of credentials to propagate to the victim in the order written:
1. Username = None and Password = None; which means that the client we use is going to take the stored credentials
from the system we are using to connect. In order for the user to connect without entering username and password
the victim must have enabled basic authentication, http and no encryption on the victim machine.
2. Username list of usernames and Password = None; brute-force with different usernames and None as
password which means that we use the cached one from the system.
3. List of usernames and passwords as plain-text entered by the user.
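Review bot: the port numbers under "PowerShell Remoting and WinRM listens on the following ports" are wrong; WinRM's default listeners are HTTP on 5985 and HTTPS on 5986, not 5895/5896, and since readers will use this page to decide which ports to monitor or firewall, please correct both list items. The two "More on" links wrap the URL in double quotes inside the parentheses, e.g. `[Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal")`, which Markdown does not treat as a valid link target; drop the quotes. Minor wording: "the system we are currently log in" should read "logged in to", "Windows Remote Management(WinRM)" needs a space before the parenthesis, and "for instructions) ." has a stray space before the period.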