Abusing Windows Remote Management with Metasploit David Maloney Metasploit Software Engineer Rapid7
Agenda
• Introduction
• Windows Remote Management and Windows Remote Shell
• Why they’re interesting for penetration testers
• Abusing WinRM and WinRS
• Live demo
• Setting up your demo environment
• Pitfalls to watch out for
• Q&A
Introducing WinRM and WinRS
Windows Remote Management
• Remote management service for Windows
• XP and higher: installed but not enabled
• Can be installed on lower versions
• HTTP/S SOAP listener
• Kerberos and NTLM authentication
Windows Remote Shell
• WinRM’s twin sister
• Remote shell service for Windows
• HTTP/S SOAP listener
• Kerberos and NTLM authentication
Why They Are Interesting to Penetration Testers
• Additional attack vector on systems
• Especially WinRS: surprisingly often enabled
• Avoids anti-virus detection
• Great alternative to the PSExec module
Discovery
• Find WinRM listeners on the network
• Metasploit module: use auxiliary/scanner/winrm/winrm_auth_methods
Bruteforce
• Bruteforce credentials on the WinRM service
• Accessing the service requires credentials
• Supports Negotiate (NTLM) authentication
• Metasploit module: use auxiliary/scanner/winrm/winrm_login
Running WMI Queries
• WMI = Windows Management Instrumentation
• Execute arbitrary WQL (SQL for WMI) queries against the target
  • Find out the architecture (32/64-bit)
  • We’ll need the architecture later
• Metasploit module: use auxiliary/scanner/winrm/winrm_wql
Running Commands
• Instantiate a shell
  • Stateless shell over HTTP/SOAP
• Send a Windows command
• Receive output streams
  • STDOUT and STDERR
• Metasploit module: use auxiliary/scanner/winrm/winrm_cmd
Getting Shells
• Two different payloads
  • PowerShell 2.0
    • Checks if PowerShell 2.0 is available
    • Enables unrestricted script execution
      • Necessary to run unsigned script files
  • VBS CmdStager
    • Activated if PowerShell 2.0 fails
• Metasploit module: use exploit/windows/winrm/winrm_script_exec
• Problem: shells expire after 5 minutes
PowerShell 2.0
• Writes the payload into a script file using the Append-Content cmdlet and executes it
• Not flagged by any known AV solutions
• Pick the correct architecture for the payload
• Must migrate before the shell expires
  • migrate -f doesn’t work because child processes also expire
  • New smart_migrate module
    • Migrates into existing winlogon.exe and explorer.exe
    • Not child processes, so they don’t expire
• Metasploit module: use post/windows/manage/smart_migrate
VBS CmdStager
• Is initiated if the PowerShell 2.0 checks fail
• Writes two files to the file system
  • Base64-encoded version of the payload
  • VBScript to decode the executable and launch the payload
• Less stealthy because it writes the executable to the file system
• Same migration needed: the shell times out!
Live Demo: Abusing WinRM/WinRS with Metasploit
How To Set Up WinRM for Your Demo Environment (1)
• From the command prompt: winrm quickconfig
• Default quickconfig setup is broken
  • Will set AllowUnencrypted to False, i.e. non-SSL traffic will be refused
  • However, will not set up an HTTPS listener
• To fix
  • Either set AllowUnencrypted to True
  • Or set up an HTTPS listener
How To Set Up WinRM for Your Demo Environment (2)
• If the listener is HTTPS
  • Set SSL to True
  • Set SSLVersion to the correct SSL version
  • Adjust RPORT
• Listener types
  • WinRM: WMI
  • WinRS: Remote Shell
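As an added example (not part of the original slides), a PowerShell script that audits the two settings above after winrm quickconfig has been run and takes the second fix, an HTTPS listener, so that AllowUnencrypted can stay False. It assumes an elevated prompt on the demo host, a self-signed certificate for the host name, and a constructed firewall rule name.

```powershell
# Audit WinRM after "winrm quickconfig": is unencrypted traffic refused, and is
# there an HTTPS listener to carry the encrypted traffic instead?
# Assumptions (hypothetical demo setup): run as Administrator on Vista/2008 or
# later, self-signed certificate is acceptable, firewall rule name is constructed.

$svcPath = 'WSMan:\localhost\Service\AllowUnencrypted'
$allowUnencrypted = (Get-Item $svcPath).Value      # string 'true' or 'false'
Write-Host "AllowUnencrypted = $allowUnencrypted"

# Each listener item exposes a Keys array such as 'Transport=HTTP','Address=*'
$hasHttps = $false
foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
    $transport = ($listener.Keys | Where-Object { $_ -like 'Transport=*' }) -replace '^Transport=', ''
    Write-Host "Listener $($listener.Name): transport $transport"
    if ($transport -eq 'HTTPS') { $hasHttps = $true }
}

if (-not $hasHttps) {
    Write-Host 'No HTTPS listener found; creating one with a self-signed certificate (demo only)'
    $cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
                                      -CertStoreLocation Cert:\LocalMachine\My
    New-WSManInstance -ResourceURI 'winrm/config/Listener' `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet    @{ Hostname = $env:COMPUTERNAME; CertificateThumbprint = $cert.Thumbprint }
    # Open the default WinRM HTTPS port (5986) in the host firewall; rule name is constructed
    netsh advfirewall firewall add rule name="WinRM HTTPS (demo)" dir=in action=allow protocol=TCP localport=5986
}

# Keep AllowUnencrypted at False so plain-HTTP requests continue to be refused;
# the Metasploit side then needs SSL set to True and RPORT set to 5986.
Set-Item $svcPath -Value $false
Write-Host "AllowUnencrypted = $((Get-Item $svcPath).Value)"
```

Run it again afterwards to confirm the HTTPS listener is listed and AllowUnencrypted still reads false.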
Q&A
David Maloney, Metasploit Software Engineer, Rapid7
David_Maloney@rapid7.com
@TheLightCosine