Abusing Windows Remote Management with Metasploit

Upload: manning

Post on 26-Feb-2016

DESCRIPTION

Abusing Windows Remote Management with Metasploit. David Maloney Metasploit Software Engineer Rapid7. Agenda. Introduction Windows Remote Management and Windows Remote Shell Why they’re interesting for penetration testers Abusing WinRM and WinRS. Live demo - PowerPoint PPT Presentation

TRANSCRIPT

Abusing Windows Remote Management with Metasploit
David Maloney, Metasploit Software Engineer, Rapid7

Agenda
- Introduction: Windows Remote Management and Windows Remote Shell
- Why they're interesting for penetration testers
- Abusing WinRM and WinRS
- Live demo
- Setting up your demo environment
- Pitfalls to watch out for
- Q&A

Introducing WinRM and WinRS

Windows Remote Management
- Remote management service for Windows
- XP and higher: installed but not enabled; can be installed on lower versions
- HTTP/S SOAP listener
- Kerberos and NTLM authentication

Windows Remote Shell
- WinRM's twin sister: the remote shell service for Windows
- HTTP/S SOAP listener
- Kerberos and NTLM authentication

Why They Are Interesting to Penetration Testers
- An additional attack vector on systems
- Especially WinRS, which is surprisingly often enabled
- Avoids anti-virus detection
- A great alternative to the PSExec module

Discovery
- Find WinRM listeners on the network
- Metasploit module: use auxiliary/scanner/winrm/winrm_auth_methods
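The discovery step above relies on one property of the listener: an unauthenticated POST to /wsman is answered with HTTP 401 and one WWW-Authenticate header per enabled authentication scheme, so a scanner learns whether Negotiate, Kerberos or Basic is on without any credentials. The following PowerShell function is an added example written for this page; it is not code from the talk or from the winrm_auth_methods module. It assumes the target is reachable on the given port (5985/5986 on WinRM 2.0, 80/443 on older versions) and uses HttpWebRequest directly so it behaves the same on Windows PowerShell 5.1 and PowerShell 7; the host 192.0.2.10 in the usage lines is a placeholder.

```powershell
# Added example, not from the talk: replicate what auxiliary/scanner/winrm/winrm_auth_methods
# reports. A WinRM listener answers an unauthenticated POST to /wsman with 401 and one
# WWW-Authenticate header per enabled scheme (e.g. Negotiate, Kerberos, Basic).
function Get-WinRMAuthMethods {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int]    $Port = 5985,      # 5986 for HTTPS listeners; 80/443 on older WinRM versions
        [switch] $UseSSL,
        [int]    $TimeoutMs = 5000
    )

    $scheme = if ($UseSSL) { 'https' } else { 'http' }
    $uri    = "${scheme}://${ComputerName}:${Port}/wsman"

    # Lab listeners usually carry self-signed certificates; do not let that abort the probe.
    if ($UseSSL) {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }

    $req = [System.Net.HttpWebRequest]::Create($uri)
    $req.Method        = 'POST'     # GET is answered with 405; POST produces the 401 we want
    $req.ContentType   = 'application/soap+xml;charset=UTF-8'
    $req.ContentLength = 0
    $req.Timeout       = $TimeoutMs

    try {
        # A 200 without a challenge is not how WinRM behaves; report "no listener".
        $resp = $req.GetResponse()
        $resp.Close()
        return [pscustomobject]@{ Target = $uri; Challenged = $false; Server = $null; AuthMethods = @() }
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) { throw "No HTTP response from ${uri}: $($_.Exception.Message)" }
        if ([int]$resp.StatusCode -ne 401) {
            $resp.Close()
            return [pscustomobject]@{ Target = $uri; Challenged = $false; Server = $resp.Headers['Server']; AuthMethods = @() }
        }
        # Each header value starts with the scheme name, e.g. 'Basic realm="WSMAN"'.
        $methods = @($resp.Headers.GetValues('WWW-Authenticate') | ForEach-Object { ($_ -split '\s+')[0] })
        $server  = $resp.Headers['Server']     # WinRM reports Microsoft-HTTPAPI/2.0
        $resp.Close()
        return [pscustomobject]@{ Target = $uri; Challenged = $true; Server = $server; AuthMethods = $methods }
    }
}

# Usage (192.0.2.10 is a placeholder address):
# Get-WinRMAuthMethods -ComputerName 192.0.2.10                   # HTTP listener on 5985
# Get-WinRMAuthMethods -ComputerName 192.0.2.10 -Port 5986 -UseSSL # HTTPS listener on 5986
```

If Basic shows up in AuthMethods the service will also accept cleartext credentials over HTTP once AllowUnencrypted is true, which is worth recording in a report even if the engagement never uses it.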

Bruteforce
- Accessing the service requires credentials
- Bruteforce credentials on the WinRM service
- Supports Negotiate (NTLM) authentication
- Metasploit module: use auxiliary/scanner/winrm/winrm_login

Running WMI Queries
- WMI = Windows Management Instrumentation
- Execute arbitrary WQL (SQL for WMI) queries against the target
- Find out the architecture (32/64 bit); we'll need the architecture later
- Metasploit module: use auxiliary/scanner/winrm/winrm_wql
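What winrm_wql does on the wire is a WS-Management Enumerate against the WMI resource URI with a WQL filter dialect; the built-in winrm.cmd client issues exactly that operation, so the architecture check can be reproduced natively. The following function is an added example for this page, not the module's code and not from the talk. It assumes winrm.cmd is present on the attacking Windows box, valid credentials, and a listener on the given port; the query on Win32_Processor.AddressWidth is my choice (it reports the bitness of the running OS, which is what the payload choice depends on, and exists back to XP, unlike Win32_OperatingSystem.OSArchitecture). The host and account in the usage lines are placeholders.

```powershell
# Added example, not from the talk: run the WQL query winrm_wql would use to learn the
# target's architecture, via winrm.cmd (WS-Man Enumerate + WQL filter on the WMI URI).
function Get-WinRMTargetArch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $UserName,   # DOMAIN\user or HOST\user
        [Parameter(Mandatory)] [string] $Password,
        [int]    $Port = 5985,
        [switch] $UseSSL
    )

    $scheme = if ($UseSSL) { 'https' } else { 'http' }
    # AddressWidth is 32 on a 32-bit OS even on a 64-bit CPU, which is the value that
    # decides between an x86 and an x64 payload.
    $query  = 'SELECT AddressWidth FROM Win32_Processor'

    $cmdArgs = @(
        'enumerate', 'wmicimv2/*',
        '-dialect:wql', "-filter:$query",
        "-r:${scheme}://${ComputerName}:${Port}",
        "-u:$UserName", "-p:$Password", '-a:Negotiate'
    )
    # Lab HTTPS listeners use self-signed certificates; relax the client checks.
    if ($UseSSL) { $cmdArgs += '-skipCAcheck', '-skipCNcheck' }

    # Note: winrm.cmd encrypts the SOAP body with the Negotiate session key, so this
    # works over plain HTTP even while AllowUnencrypted is false.
    $out = & winrm.cmd @cmdArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "winrm enumerate failed: $($out -join ' ')" }

    # Text output looks like:
    #   Win32_Processor
    #       AddressWidth = 64
    $m = [regex]::Match(($out -join "`n"), 'AddressWidth\s*=\s*(\d+)')
    if (-not $m.Success) { throw "AddressWidth not found in output: $($out -join ' ')" }
    $width = [int]$m.Groups[1].Value

    [pscustomobject]@{
        ComputerName = $ComputerName
        AddressWidth = $width
        # Payload family to pick in winrm_script_exec for this target (my mapping, not the module's).
        Payload      = if ($width -eq 64) { 'windows/x64/meterpreter/reverse_tcp' } else { 'windows/meterpreter/reverse_tcp' }
    }
}

# Usage (placeholder host and account):
# Get-WinRMTargetArch -ComputerName 192.0.2.10 -UserName 'LAB\tester' -Password 'Passw0rd!'
```

Any other WQL the module can send (SELECT * FROM Win32_Service, Win32_Process, Win32_QuickFixEngineering) goes through the same -filter argument; the only WinRM-specific part is the wmicimv2/* resource URI.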

Running Commands
- Instantiate a shell: a stateless shell over HTTP/SOAP
- Send a Windows command
- Receive the output streams: STDOUT and STDERR
- Metasploit module: use auxiliary/scanner/winrm/winrm_cmd

Getting Shells
- Metasploit module: use exploit/windows/winrm/winrm_script_exec
- Two different payloads:
  - PowerShell 2.0: checks if PowerShell 2.0 is available; enables unrestricted script execution, which is necessary to run unsigned script files
  - VBS CmdStager: activated if the PowerShell 2.0 path fails
- Problem: shells expire after 5 minutes

PowerShell 2.0
- Writes the payload into a script file using the Append-Content cmdlet and executes it
- Not flagged by any known AV solutions
- Pick the correct architecture for the payload
- Must migrate before the shell expires
- migrate -f doesn't work, because child processes also expire
- New smart_migrate module: migrates into an existing winlogon.exe or explorer.exe; these are not child processes of the shell, so they don't expire
- Metasploit module: use post/windows/manage/smart_migrate

VBS CmdStager
- Initiated if the PowerShell 2.0 checks fail
- Writes two files to the file system: a Base64-encoded version of the payload, and a VBScript that decodes the executable and launches it
- Less stealthy, because it writes an executable to the file system
- Same migration needed: the shell times out!

Live Demo: Abusing WinRM/WinRS with Metasploit

How To Set Up WinRM for Your Demo Environment (1)
- From a command prompt: winrm quickconfig
- The default quickconfig setup is broken for this purpose: it leaves AllowUnencrypted at False, so requests whose SOAP body is not encrypted are refused, but it does not set up an HTTPS listener. (Windows clients encrypt the body with the Negotiate/Kerberos session key even over plain HTTP; a client that does not implement that message-level encryption is refused unless it talks HTTPS, which is why the Metasploit modules need one of the two fixes below.)
- To fix: either set AllowUnencrypted to True, or set up an HTTPS listener

How To Set Up WinRM for Your Demo Environment (2)
- If the listener is HTTPS: set SSL to True, set SSLVersion to the correct SSL version, and adjust RPORT
- Listener types: WinRM provides WMI; WinRS provides the remote shell
- Default ports for WinRM:

  Transport   Older versions   Newer versions
  HTTP        80               5985
  HTTPS       443              5986

Q&A
David Maloney, Metasploit Software Engineer, [email protected], @TheLightCosine
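The two fixes from the demo-environment slides, as one script that can be run on the target from an elevated PowerShell. This is an added example for this page, not a script from the talk. It assumes a Windows 8 / Server 2012 or later target, because New-SelfSignedCertificate and New-NetFirewallRule are used (on older systems create the certificate with makecert or IIS and open the port with netsh advfirewall); the WSMan: drive and winrm.cmd calls exist on every WinRM 2.0 installation.

```powershell
# Added example, not from the talk: make a fresh "winrm quickconfig" box usable by the
# Metasploit WinRM modules, either by allowing unencrypted SOAP bodies over HTTP or by
# adding an HTTPS listener. Save as Setup-WinRMDemo.ps1 and run elevated on the target.
param(
    [ValidateSet('Unencrypted', 'Https')] [string] $Mode = 'Https'
)

# 1. Enable the service, the HTTP listener on 5985 and the firewall exception (idempotent).
winrm quickconfig -q | Out-Null

# 2. Show what quickconfig leaves behind: AllowUnencrypted=false and an HTTP-only listener.
Write-Host "AllowUnencrypted: $((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value)"
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys | Format-Table -AutoSize

switch ($Mode) {
    'Unencrypted' {
        # Fix A: accept SOAP bodies that are not message-level encrypted over plain HTTP.
        # Lab only: credentials still travel inside NTLM/Kerberos, but every command and its
        # output streams are cleartext on the wire.
        Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $true
        Write-Host 'Metasploit side: set RPORT 5985, set SSL false'
    }
    'Https' {
        # Fix B: add an HTTPS listener on 5986 backed by a self-signed certificate for this host.
        $cn   = $env:COMPUTERNAME
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Subject -eq "CN=$cn" } | Select-Object -First 1
        if (-not $cert) {
            $cert = New-SelfSignedCertificate -DnsName $cn -CertStoreLocation Cert:\LocalMachine\My
        }
        $hasHttps = Get-ChildItem WSMan:\localhost\Listener |
                    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
        if (-not $hasHttps) {
            New-Item -Path WSMan:\localhost\Listener -Address * -Transport HTTPS `
                     -HostName $cn -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
        }
        # quickconfig only opens 5985; open 5986 as well.
        New-NetFirewallRule -DisplayName 'WinRM HTTPS (lab)' -Direction Inbound -Protocol TCP `
                            -LocalPort 5986 -Action Allow -ErrorAction SilentlyContinue | Out-Null
        Write-Host 'Metasploit side: set RPORT 5986, set SSL true, set SSLVersion to match the listener'
    }
}

# 3. Verify: both listeners (or the single HTTP one) with their transport, port and thumbprint.
winrm enumerate winrm/config/Listener
```

With the HTTPS listener in place the certificate is self-signed, so the modules' SSL option is the only thing that needs to match; the scanning and login modules default to 5985/HTTP and will report nothing on a target that only has the HTTPS listener until RPORT and SSL are changed.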