Abusing Windows Remote Management with Metasploit
David Maloney, Metasploit Software Engineer, Rapid7
TRANSCRIPT
Agenda
Introduction
• Windows Remote Management and Windows Remote Shell
• Why they're interesting for penetration testers
Abusing WinRM and WinRS
Live demo
Setting up your demo environment
• Pitfalls to watch out for
Q&A
Introducing WinRM and WinRS
Windows Remote Management
Remote management service for Windows
XP and higher: installed but not enabled
• Can be installed on lower versions
HTTP/S SOAP listener
Kerberos and NTLM authentication
Windows Remote Shell
WinRM's twin sister
Remote shell service for Windows
HTTP/S SOAP listener
Kerberos and NTLM authentication
Why They Are Interesting to Penetration Testers
Additional attack vector on systems
• Especially WinRS, which is surprisingly often enabled
Avoid anti-virus detection
• Great alternative to the PSExec module
Discovery
Find WinRM listeners on the network
Metasploit module: use auxiliary/scanner/winrm/winrm_auth_methods
Bruteforce
Bruteforce credentials on the WinRM service
• Accessing the service requires credentials
Supports Negotiate (NTLM) authentication
Metasploit module: use auxiliary/scanner/winrm/winrm_login
Running WMI Queries
WMI = Windows Management Instrumentation
Execute arbitrary WQL (SQL for WMI) queries against the target
• Find out the architecture (32/64-bit)
• We'll need the architecture later
Metasploit module: use auxiliary/scanner/winrm/winrm_wql
Running Commands
Instantiate a shell
• Stateless shell over HTTP/SOAP
Send a Windows command
Receive the output streams
• STDOUT and STDERR
Metasploit module: use auxiliary/scanner/winrm/winrm_cmd
Getting Shells
Two different payloads
• PowerShell 2.0
  Checks if PowerShell 2.0 is available
  Enables unrestricted script execution
    Necessary to run unsigned script files
• VBS CmdStager
  Activated if PowerShell 2.0 fails
Metasploit module: use exploit/windows/winrm/winrm_script_exec
Problem: shells expire after 5 minutes
PowerShell 2.0
Writes the payload into a script file using the Append-Content cmdlet and executes it
• Not flagged by any known AV solutions
• Pick the correct architecture for the payload
Must migrate before the shell expires
• migrate -f doesn't work because child processes also expire
New smart_migrate module
• Migrates into an existing winlogon.exe or explorer.exe
• Not child processes, so they don't expire
Metasploit module: use post/windows/manage/smart_migrate
VBS CmdStager
Initiated if the PowerShell 2.0 checks fail
Writes two files to the file system
• Base64-encoded version of the payload
• VBScript to decode the executable and launch the payload
Less stealthy because it writes an executable to the file system
Same migration needed: the shell times out!
How To Set Up WinRM for Your Demo Environment (1)
From the command prompt: winrm quickconfig
Default quickconfig setup is broken
• Will set AllowUnencrypted to False, i.e. non-SSL traffic will be refused
• However, will not set up an HTTPS listener
To fix:
• Either set AllowUnencrypted to True
• Or set up an HTTPS listener
How To Set Up WinRM for Your Demo Environment (2)
If the listener is HTTPS
• Set SSL to True
• Set SSLVersion to the correct SSL version
• Adjust RPORT
Listener types
• WinRM: WMI
• WinRS: Remote Shell
Default Ports for WinRM
          Older Versions   Newer Versions
HTTP      80               5985
HTTPS     443              5986
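An added example, not part of the original slides or of Metasploit: a PowerShell audit of the local WinRM service that reports the configured listeners, ports and authentication methods, and flags the two states discussed in the two demo-setup slides above (the broken quickconfig result with AllowUnencrypted=false and no HTTPS listener, and the insecure fix of allowing unencrypted traffic). It assumes an elevated PowerShell session on the host being checked and reads everything from the built-in WSMan: drive.

```powershell
# Added example (not from the slides): audit the local WinRM service for the
# quickconfig pitfall described above. Assumes an elevated PowerShell session
# on the host being checked; everything is read from the built-in WSMan: drive.

function Get-WinRmListenerSummary {
    # Each listener is a container whose child items carry Transport, Address,
    # Port and Enabled as Name/Value pairs.
    Get-ChildItem -Path 'WSMan:\localhost\Listener' | ForEach-Object {
        $props = @{}
        Get-ChildItem -Path $_.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
        [pscustomobject]@{
            Name      = $_.Name
            Transport = $props['Transport']
            Address   = $props['Address']
            Port      = $props['Port']
            Enabled   = $props['Enabled']
        }
    }
}

function Test-WinRmSetup {
    $listeners        = @(Get-WinRmListenerSummary)
    $allowUnencrypted = (Get-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted').Value
    $auth             = Get-ChildItem -Path 'WSMan:\localhost\Service\Auth'

    $http  = @($listeners | Where-Object { $_.Transport -eq 'HTTP'  -and $_.Enabled -eq 'true' })
    $https = @($listeners | Where-Object { $_.Transport -eq 'HTTPS' -and $_.Enabled -eq 'true' })

    Write-Output "AllowUnencrypted = $allowUnencrypted"
    Write-Output ("Auth methods enabled: " + (($auth | Where-Object { $_.Value -eq 'true' }).Name -join ', '))
    $listeners | Format-Table Name, Transport, Address, Port, Enabled -AutoSize | Out-String | Write-Output

    if ($http.Count -gt 0 -and $https.Count -eq 0 -and $allowUnencrypted -eq 'false') {
        # The state winrm quickconfig leaves behind: the only listener is plain HTTP,
        # yet unencrypted traffic is refused, so remote clients are rejected.
        Write-Warning 'HTTP listener only and AllowUnencrypted=false: clients will be refused. Add an HTTPS listener (port 5986) rather than allowing unencrypted traffic.'
    }
    if ($http.Count -gt 0 -and $allowUnencrypted -eq 'true') {
        Write-Warning 'AllowUnencrypted=true: the HTTP listener accepts requests without message-level encryption. Acceptable for an isolated lab only.'
    }
    foreach ($l in $https) {
        if ($l.Port -ne '5986') { Write-Warning "HTTPS listener $($l.Name) on non-default port $($l.Port)." }
    }
}

Test-WinRmSetup
```

The listener table it prints gives the Transport and Port values to feed into the module's SSL and RPORT options for a lab target you own.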
Q&A
David Maloney, Metasploit Software Engineer, Rapid7
@TheLightCosine