Abusing Windows Remote Management with Metasploit
David Maloney, Metasploit Software Engineer, Rapid7

Dec 18, 2015
Page 1: Abusing Windows Remote Management with Metasploit

David Maloney
Metasploit Software Engineer
Rapid7

Page 2: Agenda

• Windows Remote Management and Windows Remote Shell
• Why they're interesting for penetration testers
• Abusing WinRM and WinRS
• Live demo
• Setting up your demo environment
• Pitfalls to watch out for
• Q&A

Page 3: Introducing WinRM and WinRS

Windows Remote Management
• Remote management service for Windows (Microsoft's implementation of WS-Management)
• Vista / Server 2008 and higher: installed but not enabled by default (Server 2012 and later enable it by default)
• XP and Server 2003: not built in, but installable as an add-on (WinRM 1.1)
• HTTP/S SOAP listener
• Kerberos and NTLM authentication (Basic is also supported, but disabled on the service by default)

Windows Remote Shell
• WinRM's twin sister
• Remote shell service for Windows, carried over the same WinRM listener
• HTTP/S SOAP listener
• Kerberos and NTLM authentication

Page 4: Why They Are Interesting to Penetration Testers

• An additional attack vector on systems
  • WinRS in particular is surprisingly often enabled
• Avoids anti-virus detection
  • A great alternative to the psexec module, whose uploaded service binary is frequently flagged by AV

Page 5: Discovery

• Find WinRM listeners on the network
• Metasploit module: use auxiliary/scanner/winrm/winrm_auth_methods
  • Sends an unauthenticated request and reports the authentication methods the listener offers (taken from the WWW-Authenticate headers on the 401 response)
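What the discovery step does on the wire, as an added PowerShell example (not code from the talk or from Metasploit): an unauthenticated POST to /wsman, then a read of the WWW-Authenticate headers on the 401 that comes back. The function name is mine, and the hosts and ports in the usage are lab assumptions.

```powershell
# Added example, not from the original talk or from Metasploit.
# Probe one host for a WinRM listener and list the HTTP authentication
# schemes it offers, the same information winrm_auth_methods reports.
function Get-WinRMAuthMethods {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int]    $Port = 5985,      # 5986 for HTTPS; 80/443 on WinRM 1.1 hosts
        [switch] $UseSsl,
        [int]    $TimeoutMs = 5000
    )
    $scheme = if ($UseSsl) { 'https' } else { 'http' }
    $url    = "${scheme}://${ComputerName}:${Port}/wsman"

    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method        = 'POST'
    $req.ContentType   = 'application/soap+xml;charset=UTF-8'
    $req.ContentLength = 0          # empty body: we only want the 401 challenge
    $req.Timeout       = $TimeoutMs
    if ($UseSsl) {
        # Lab listeners usually carry a self-signed certificate; accept it for
        # this probe only. Do not copy this into anything that sends credentials.
        $req.ServerCertificateValidationCallback = { $true }
    }

    try {
        $resp = $req.GetResponse()
        # A 2xx to an unauthenticated request would be unusual for WinRM; report it.
        $resp.Close()
        return [pscustomobject]@{ Target = $url; Status = 200; AuthMethods = @() }
    }
    catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) {
            # Connection refused / timeout: nothing is listening on that port.
            throw "No WinRM listener at $url ($($_.Exception.Status))"
        }
        $status  = [int] $resp.StatusCode
        $methods = @()
        if ($status -eq 401) {
            # WinRM sends one header per scheme, e.g. "Negotiate", "Kerberos",
            # 'Basic realm="WSMAN"'. Keep only the scheme token.
            $hdrs = $resp.Headers.GetValues('WWW-Authenticate')
            if ($hdrs) { $methods = @($hdrs | ForEach-Object { ($_ -split ' ')[0] }) }
        }
        $resp.Close()
        return [pscustomobject]@{ Target = $url; Status = $status; AuthMethods = $methods }
    }
}

# Usage (lab addresses are assumptions):
#   Get-WinRMAuthMethods -ComputerName 10.0.0.5
#   Get-WinRMAuthMethods -ComputerName 10.0.0.5 -Port 5986 -UseSsl
#   1..254 | ForEach-Object { try { Get-WinRMAuthMethods -ComputerName "10.0.0.$_" } catch { } }
```

A 404 or a non-WinRM 401 (for example from IIS) shows up with its status, so the listing doubles as a check that the port really belongs to WinRM rather than to some other web service.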

Page 6: Bruteforce

• Bruteforce credentials on the WinRM service
  • Accessing the service requires credentials
• Supports Negotiate (NTLM) authentication
• Metasploit module: use auxiliary/scanner/winrm/winrm_login

Page 7: Running WMI Queries

• WMI = Windows Management Instrumentation
• Execute arbitrary WQL (SQL for WMI) queries against the target
  • Find out the architecture (32/64 bit)
  • We'll need the architecture later, to pick the payload
• Metasploit module: use auxiliary/scanner/winrm/winrm_wql
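The architecture check from this slide, as an added example in PowerShell rather than code from the talk or from Metasploit. It uses the CIM cmdlets, which speak WS-Management (WinRM) instead of the DCOM/RPC path Get-WmiObject uses, so it exercises the same listener the module does. The function name is mine; hostname, port and credential are lab assumptions. Requires PowerShell 3.0 or later on the attacking side.

```powershell
# Added example, not from the original talk or from Metasploit.
# Run WQL over WinRM (WS-Management) and derive the payload architecture.
function Get-RemoteArchitecture {
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int]    $Port = 5985,
        [switch] $UseSsl
    )
    # -Protocol Wsman is what makes this go over WinRM. For a lab HTTPS
    # listener with a self-signed certificate, skip the CA and CN checks.
    if ($UseSsl) {
        $opts = New-CimSessionOption -Protocol Wsman -UseSsl -SkipCACheck -SkipCNCheck
    } else {
        $opts = New-CimSessionOption -Protocol Wsman
    }
    # Negotiate = NTLM here, which also works for a local account (use HOST\user).
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential `
                              -Port $Port -SessionOption $opts -Authentication Negotiate
    try {
        # WQL is a read-only SELECT dialect: SELECT <props> FROM <class> [WHERE ...]
        $os  = Get-CimInstance -CimSession $session `
                   -Query 'SELECT Caption, OSArchitecture FROM Win32_OperatingSystem'
        $cpu = Get-CimInstance -CimSession $session `
                   -Query 'SELECT AddressWidth FROM Win32_Processor' | Select-Object -First 1

        # OSArchitecture ("32-bit"/"64-bit") exists from Vista on; AddressWidth
        # (32/64) is the fallback for older targets.
        if ($os.OSArchitecture) { $arch = $os.OSArchitecture }
        else                    { $arch = "$($cpu.AddressWidth)-bit" }
        $payloadArch = if ($arch -like '64*') { 'x64' } else { 'x86' }

        [pscustomobject]@{
            ComputerName = $ComputerName
            OS           = $os.Caption
            Architecture = $arch
            PayloadArch  = $payloadArch   # feed this into the payload choice later
        }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Usage (lab values are assumptions):
#   $cred = Get-Credential 'LAB\administrator'
#   Get-RemoteArchitecture -ComputerName 10.0.0.5 -Credential $cred
```

Because the CIM client encrypts the SOAP body with Negotiate at the message level, this works against a host left at the quickconfig default of AllowUnencrypted = False. That is exactly the capability the Metasploit WinRM modules of the time lacked, which is why the demo-environment slides later relax that setting or add an HTTPS listener.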

Page 8: Running Commands

• Instantiate a shell
  • Stateless shell over HTTP/SOAP
• Send a Windows command
• Receive the output streams
  • STDOUT and STDERR
• Metasploit module: use auxiliary/scanner/winrm/winrm_cmd

Page 9: Getting Shells

• Metasploit module: use exploit/windows/winrm/winrm_script_exec
• Two different payload delivery methods
  • PowerShell 2.0
    • Checks whether PowerShell 2.0 is available
    • Enables unrestricted script execution, which is necessary to run unsigned script files
  • VBS CmdStager
    • Used if the PowerShell 2.0 checks fail
• Problem: shells expire after 5 minutes

Page 10: PowerShell 2.0

• Writes the payload into a script file using the Add-Content cmdlet and executes it
  • Not flagged by any AV solution known to the author at the time
  • Pick the correct architecture for the payload (the WQL query from page 7 tells you which)
• Must migrate before the shell expires
  • migrate -f doesn't work, because child processes expire along with the shell
• New smart_migrate module
  • Migrates into an existing winlogon.exe or explorer.exe
  • These are not children of the WinRM shell, so they don't expire
• Metasploit module: use post/windows/manage/smart_migrate

Page 11: VBS CmdStager

• Used if the PowerShell 2.0 checks fail
• Writes two files to the file system
  • A Base64-encoded version of the payload
  • A VBScript that decodes the executable and launches the payload
• Less stealthy, because it writes an executable to the file system
• The same migration is needed: the shell times out!

Page 12: Live Demo

Abusing WinRM/WinRS with Metasploit

Page 13: How To Set Up WinRM for Your Demo Environment (1)

• From an elevated command prompt: winrm quickconfig
• The default quickconfig setup does not work with the Metasploit modules
  • It leaves AllowUnencrypted at False, so the service refuses requests whose SOAP body is not encrypted. Windows clients satisfy this over plain HTTP by encrypting the body with Kerberos or NTLM at the message level; the Metasploit WinRM modules of the time did not implement that, so from their point of view all non-SSL traffic is refused
  • However, it does not set up an HTTPS listener, so there is no encrypted transport to fall back to
• To fix
  • Either set AllowUnencrypted to True (lab only: commands and output then cross the network in the clear)
  • Or set up an HTTPS listener

Page 14: How To Set Up WinRM for Your Demo Environment (2)

• If the listener is HTTPS, in the Metasploit modules
  • Set SSL to True
  • Set SSLVersion to the correct SSL/TLS version
  • Adjust RPORT (5986 instead of 5985)
• Listener types (both are served by the same WinRM listener; they differ in the WS-Management resource URI)
  • WinRM: WMI
  • WinRS: Remote Shell

Default ports for WinRM

          Older versions (WinRM 1.1)   Newer versions (WinRM 2.0 and later)
HTTP      80                           5985
HTTPS     443                          5986
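The setup described on slides 13 and 14, written out as the commands typed on the lab target. This is an added example, not from the talk: the certificate, hostname and firewall-rule name are placeholders, and it assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (New-SelfSignedCertificate is not available on older systems; there, use winrm quickconfig -transport:https with a certificate you already have).

```powershell
# Added example, not from the original talk. Lab-only WinRM setup on the target.
# winrm is a .cmd tool, so its @{...} arguments are single-quoted when called
# from PowerShell; from cmd.exe drop the quotes.

# 1. Baseline: start the service, create the HTTP listener on 5985, open the firewall.
winrm quickconfig -quiet

# 2. Inspect the result. AllowUnencrypted shows as false: unencrypted SOAP
#    bodies are rejected even though only an HTTP listener exists.
winrm get winrm/config/service
winrm enumerate winrm/config/listener

# 3a. Fix option A (lab only!): accept unencrypted bodies on the HTTP listener.
#     Commands and their output then travel in cleartext. Never do this on a
#     production host; prefer option B.
winrm set winrm/config/service '@{AllowUnencrypted="true"}'

# 3b. Fix option B: add an HTTPS listener so TLS protects the transport instead.
#     A self-signed certificate whose subject matches the hostname is enough
#     for the lab; on the Metasploit side set SSL true and RPORT 5986.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
                                  -CertStoreLocation Cert:\LocalMachine\My
$listener = '@{Hostname="' + $env:COMPUTERNAME + '";CertificateThumbprint="' + $cert.Thumbprint + '"}'
winrm create 'winrm/config/Listener?Address=*+Transport=HTTPS' $listener

#     quickconfig only opened 5985; the HTTPS port needs its own rule.
netsh advfirewall firewall add rule name="WinRM HTTPS" dir=in action=allow protocol=TCP localport=5986

# 4. Verify: both listeners present, and the HTTP one answers an Identify request.
winrm enumerate winrm/config/listener
Test-WSMan -ComputerName $env:COMPUTERNAME
```

If you take option A, undo it when the demo is over (winrm set winrm/config/service '@{AllowUnencrypted="false"}') or, better, snapshot the VM before making the change.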

Page 15: Q&A

David Maloney, Metasploit Software Engineer, Rapid7
[email protected]
@TheLightCosine