Abusing Windows Remote Management with Metasploit
David Maloney, Metasploit Software Engineer, Rapid7

Posted on 18-Dec-2015


Agenda

Introduction
• Windows Remote Management and Windows Remote Shell
• Why they're interesting for penetration testers
Abusing WinRM and WinRS
Live demo
Setting up your demo environment
• Pitfalls to watch out for
Q&A

Introducing WinRM and WinRS

Windows Remote Management
Remote management service for Windows
XP and higher: installed but not enabled
• Can be installed on lower versions
HTTP/S SOAP listener
Kerberos and NTLM authentication

Windows Remote Shell
WinRM's twin sister
Remote shell service for Windows
HTTP/S SOAP listener
Kerberos and NTLM authentication

Why They Are Interesting to Penetration Testers

Additional attack vector on systems
• Especially WinRS, which is surprisingly often enabled
Avoid anti-virus detection
• Great alternative to the PSExec module

Discovery

Find WinRM listeners on the network
Metasploit module: use auxiliary/scanner/winrm/winrm_auth_methods

Bruteforce

Bruteforce credentials on the WinRM service
• Accessing the service requires credentials
Supports Negotiate (NTLM) authentication
Metasploit module: use auxiliary/scanner/winrm/winrm_login

Running WMI Queries

WMI = Windows Management Instrumentation
Execute arbitrary WQL (SQL for WMI) queries against the target
• Find out the architecture (32/64 bit)
• We'll need the architecture later
Metasploit module: use auxiliary/scanner/winrm/winrm_wql

Running Commands

Instantiate a shell
• Stateless shell over HTTP/SOAP
Send Windows command
Receive output streams
• STDOUT and STDERR
Metasploit module: use auxiliary/scanner/winrm/winrm_cmd

Getting Shells

Two different payloads
• PowerShell 2.0
  Checks if PowerShell 2.0 is available
  Enables unrestricted script execution
  Necessary to run unsigned script files
• VBS CmdStager
  Activated if PowerShell 2.0 fails
Metasploit module: use exploit/windows/winrm/winrm_script_exec
Problem: shells expire after 5 minutes

PowerShell 2.0

Writes payload into a script file using the Append-Content cmdlet and executes it
• Not flagged by any known AV solutions
• Pick the correct architecture for the payload
Must migrate before the shell expires
• migrate -f doesn't work because child processes also expire
New smart_migrate module
• Migrates into existing winlogon.exe and explorer.exe
• Not child processes, so they don't expire
Metasploit module: use post/windows/manage/smart_migrate

VBS CmdStager

Is initiated if the PowerShell 2.0 checks fail
Writes two files to the file system
• Base64-encoded version of the payload
• VBScript to decode the executable and launch the payload
Less stealthy because it writes an executable to the file system
Same migration needed: the shell times out!

Live Demo

Abusing WinRM/WinRS with Metasploit

How To Set Up WinRM for Your Demo Environment (1)

From command prompt: winrm quickconfig
Default quickconfig setup is broken
• Will set AllowUnencrypted to False, i.e. non-SSL traffic will be refused
• However, will not set up an HTTPS listener
To fix
• Either set AllowUnencrypted to True
• Or set up an HTTPS listener

How To Set Up WinRM for Your Demo Environment (2)

If the listener is HTTPS
• Set SSL to True
• Set SSLVersion to the correct SSL version
• Adjust RPORT
Listener types
• WinRM: WMI
• WinRS: Remote Shell

Default Ports for WinRM

          Older Versions   Newer Versions
HTTP      80               5985
HTTPS     443              5986
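The two fixes from the setup slides, as an added PowerShell example that is not part of the original deck: it inspects what winrm quickconfig left behind, shows the AllowUnencrypted option as the weaker choice, and adds the HTTPS listener on 5986 instead. It assumes Windows 8 / Server 2012 or later (for New-SelfSignedCertificate and New-NetFirewallRule) and a constructed lab hostname.

```powershell
# Added example, not from the slides: inspect WinRM after "winrm quickconfig"
# and add the HTTPS listener that quickconfig leaves out. Assumes Windows 8 /
# Server 2012 or later (New-SelfSignedCertificate, New-NetFirewallRule) and a
# constructed lab hostname. Run from an elevated PowerShell prompt on the target.

$HostName = 'winrm-demo.lab.local'   # constructed; use the target's resolvable FQDN

# 1. What quickconfig left behind: AllowUnencrypted=false plus an HTTP-only
#    listener, so a plain-HTTP client is refused and there is no HTTPS port.
winrm get winrm/config/service
winrm enumerate winrm/config/listener

# 2a. Weak fix (slide option 1): accept unencrypted traffic on 5985. Lab only:
#     credentials and command output then cross the wire without TLS.
# winrm set winrm/config/service '@{AllowUnencrypted="true"}'

# 2b. Better fix (slide option 2): an HTTPS listener on 5986 backed by a
#     certificate. Self-signed is fine for a lab; use a CA-issued cert elsewhere.
$cert = New-SelfSignedCertificate -DnsName $HostName `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'

New-WSManInstance -ResourceURI 'winrm/config/Listener' `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = $HostName; CertificateThumbprint = $cert.Thumbprint }

# quickconfig opens only the HTTP port in Windows Firewall; open 5986 too.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# 3. Verify: both listeners are present and a TLS session on 5986 works. The
#    self-signed cert has no trusted issuer, so skip the CA check for the lab.
winrm enumerate winrm/config/listener
$opts = New-PSSessionOption -SkipCACheck -SkipCNCheck
$s = New-PSSession -ComputerName $HostName -UseSSL -Port 5986 `
                   -SessionOption $opts -Credential (Get-Credential)
# Same question the winrm_wql slide asks: which architecture is the box?
Invoke-Command -Session $s -ScriptBlock { $env:PROCESSOR_ARCHITECTURE }
Remove-PSSession $s

# On the Metasploit side this listener maps to: set SSL true, set RPORT 5986,
# and SSLVersion matching what the listener negotiates.
```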

Q&A

David Maloney, Metasploit Software Engineer, Rapid7

[email protected]

@TheLightCosine