1 / 15

Abusing Windows Remote Management with Metasploit

Abusing Windows Remote Management with Metasploit. David Maloney Metasploit Software Engineer Rapid7. Agenda. Introduction Windows Remote Management and Windows Remote Shell Why they’re interesting for penetration testers Abusing WinRM and WinRS. Live demo

manning
Download Presentation

Abusing Windows Remote Management with Metasploit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Abusing Windows Remote Management with Metasploit David Maloney Metasploit Software Engineer Rapid7

  2. Agenda • Introduction • Windows Remote Management and Windows Remote Shell • Why they’re interesting for penetration testers • Abusing WinRM and WinRS • Live demo • Setting up your demo environment • Pitfalls to watch out for • Q&A

  3. Introducing WinRM and WinRS Windows Remote Manangement Windows Remote Shell • Remote management service for Windows • XP and higher: Installed but not enabled • Can be installed on lower versions • HTTP/S SOAP Listener • Kerberos and NTLM authentication • WinRM’s twin sister • Remote shell service for Windows • HTTP/S SOAP Listener • Kerberos and NTLM authentication

  4. Why They Are Interesting to Penetration Testers • Additional attack vector on systems • Especially WinRS surprisingly often enabled • Avoid anti-virus detection • Great alternative to PSExec module

  5. Discovery • Find WinRM listeners on the network • Metasploit module: use auxiliary/scanner/winrm/winrm_auth_methods

  6. Bruteforce • Bruteforce credentials on WinRM service • Accessing service requires credentials • Supports Negotiate (NTLM) authentication • Metasploit module: use auxiliary/scanner/winrm/winrm_login

  7. Running WMI Queries • WMI = Windows Management Instrumentation • Execute arbitrary WQL (SQL for WMI) queries against target • Find out architecture (32/64 bit) • We’ll need the architecture later • Metasploit module: use auxiliary/scanner/winrm_wql

  8. Running Commands • Instantiate a shell • Stateless shell over HTTP/SOAP • Send Windows command • Receive output streams • STDOUT and STDERR • Metasploit module: (use auxiliary/scanner/winrm/winrm_cmd)

  9. Getting Shells • Two different payloads • PowerShell 2.0 • Checks if PowerShell 2.0 is available • Enables unrestricted script execution • Necessary to run unsigned script files • VBS CmdStager • Activated if PowerShell 2.0 fails • Metasploit Module: use exploit/windows/winrm/winrm_script_exec • Problem: Shells expire after 5 minutes

  10. PowerShell 2.0 • Writes payload into script file using Append-Content cmdlet and executes it • Not flagged by any known AV solutions • Pick correct architecture for payload • Must migrate before shell expires • Migrate –f doesn’t work because child processes also expire • New smart_migratemodule • Migrates into existing winlogon.exe and explorer.exe • Not child processes, so don’t expire • Metasploit Module: use post/windows/manage/smart_migrate

  11. VBS CmdStager • Is initiated if PowerShell 2.0 checks fail • Writes two files to the file system • Base64-encoded version of payload • Vbscript to decode executable and launch the payload • Less stealthy because it writes executable to file system • Same migration needed – shell times out!

  12. Live Demo Abusing WinRM/WinRS with Metasploit

  13. How To Set Up WinRM for Your Demo Environment (1) • From command prompt: winrmquickconfig • Default quickconfig setup is broken • Will set AllowUnencrypted to False, i.e. non-SSL traffic will be refused • However, will not set up HTTPS listener • To fix • Either set AllowUnencrypted to True • Or set up HTTPS listener

  14. How To Set Up WinRM for Your Demo Environment (2) • If listener is HTTPS • Set SSL to True • Set SSLVersion to correct SSL Version • Adjust RPORT • Listener types • WinRM: WMI • WinRS: Remote Shell

  15. Q&A David Maloney, Metasploit Software Engineer, Rapid7 David_Maloney@rapid7.com @TheLightCosine

More Related