
Abusing Windows Remote Management with Metasploit
David Maloney, Metasploit Software Engineer, Rapid7

Presentation transcript:

1 Abusing Windows Remote Management with Metasploit
David Maloney, Metasploit Software Engineer, Rapid7

2 Introduction / Agenda
- Windows Remote Management and Windows Remote Shell
- Why they're interesting for penetration testers
- Abusing WinRM and WinRS
- Live demo
- Setting up your demo environment
- Pitfalls to watch out for
- Q&A

3 Introducing WinRM and WinRS
Windows Remote Management (WinRM)
- Remote management service for Windows XP and higher: installed but not enabled by default
- Can be installed on lower versions
- HTTP/S SOAP listener
- Kerberos and NTLM authentication
Windows Remote Shell (WinRS)
- WinRM's twin sister
- Remote shell service for Windows
- HTTP/S SOAP listener
- Kerberos and NTLM authentication

4 Why They Are Interesting to Penetration Testers
- Additional attack vector on systems
- WinRS in particular is surprisingly often enabled
- Avoids anti-virus detection
- Great alternative to the PSExec module

5 Discovery
- Find WinRM listeners on the network
- Metasploit module: use auxiliary/scanner/winrm/winrm_auth_methods

6 Bruteforce
- Bruteforce credentials on the WinRM service
- Accessing the service requires credentials
- Supports Negotiate (NTLM) authentication
- Metasploit module: use auxiliary/scanner/winrm/winrm_login

7 Running WMI Queries
- WMI = Windows Management Instrumentation
- Execute arbitrary WQL (SQL for WMI) queries against the target
- Find out the architecture (32/64-bit); we'll need the architecture later
- Metasploit module: use auxiliary/scanner/winrm/winrm_wql

8 Running Commands
- Instantiate a shell
- Stateless shell over HTTP/SOAP
- Send a Windows command
- Receive the output streams STDOUT and STDERR
- Metasploit module: use auxiliary/scanner/winrm/winrm_cmd

9 Getting Shells
- Two different payloads:
  - PowerShell 2.0: checks if PowerShell 2.0 is available; enables unrestricted script execution (necessary to run unsigned script files)
  - VBS CmdStager: activated if the PowerShell 2.0 path fails
- Metasploit module: use exploit/windows/winrm/winrm_script_exec
- Problem: shells expire after 5 minutes

10 PowerShell 2.0
- Writes the payload into a script file using the Append-Content cmdlet and executes it
- Not flagged by any known AV solutions
- Pick the correct architecture for the payload
- Must migrate before the shell expires
- Migrate -f doesn't work because child processes also expire
- New smart_migrate module: migrates into an existing winlogon.exe or explorer.exe; these are not child processes, so they don't expire
- Metasploit module: use post/windows/manage/smart_migrate

11 VBS CmdStager
- Initiated if the PowerShell 2.0 checks fail
- Writes two files to the file system: a Base64-encoded version of the payload, and a VBScript that decodes the executable and launches the payload
- Less stealthy because it writes an executable to the file system
- Same migration needed: the shell times out!
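Slides 9 to 11 describe what the script-execution path leaves behind on the host: a command launched through WinRS, a PowerShell process started with script execution opened up, or a script host decoding and launching a dropped file. The following is an added example from a detection point of view; it is not code from the talk or from Metasploit. It runs a small triage rule over constructed process-creation records (not real logs) and assumes that WinRS-launched commands appear as children of winrshost.exe and that the stager shows up as powershell.exe with an -ExecutionPolicy of Unrestricted or Bypass (Bypass is this example's addition; the slides only mention unrestricted execution). Field names, hostnames and paths in the samples are made up.

```powershell
# Added example (not part of the original talk): flag process-creation records
# that match the WinRS-driven launch patterns described on these slides.
# All records below are constructed samples, not captured telemetry.

$SampleEvents = @(
    [pscustomobject]@{ Time = '2013-03-01T10:00:01'; Host = 'WS01'; Parent = 'explorer.exe';  Image = 'notepad.exe';    CommandLine = 'notepad.exe' },
    [pscustomobject]@{ Time = '2013-03-01T10:02:10'; Host = 'WS01'; Parent = 'winrshost.exe'; Image = 'cmd.exe';        CommandLine = 'cmd.exe /c whoami' },
    [pscustomobject]@{ Time = '2013-03-01T10:02:15'; Host = 'WS01'; Parent = 'winrshost.exe'; Image = 'powershell.exe'; CommandLine = 'powershell.exe -ExecutionPolicy Unrestricted -File C:\Users\Public\stage.ps1' },
    [pscustomobject]@{ Time = '2013-03-01T10:03:40'; Host = 'WS02'; Parent = 'winrshost.exe'; Image = 'cscript.exe';    CommandLine = 'cscript.exe //nologo C:\Windows\Temp\decode.vbs' },
    [pscustomobject]@{ Time = '2013-03-01T10:04:00'; Host = 'WS02'; Parent = 'services.exe';  Image = 'svchost.exe';    CommandLine = 'svchost.exe -k netsvcs' }
)

function Get-WinRsLaunchFindings {
    # Returns one finding per record whose parent is the (assumed) WinRS host
    # process, with a severity that rises for the two stager patterns.
    param([Parameter(Mandatory = $true)] [object[]] $Events)

    $interpreters = @('powershell.exe', 'cscript.exe', 'wscript.exe', 'cmd.exe')
    $scriptHosts  = @('cscript.exe', 'wscript.exe')

    foreach ($e in $Events) {
        # Assumption: WinRS spawns the remote command under winrshost.exe.
        if ($e.Parent -ne 'winrshost.exe') { continue }

        $severity = 'info'
        $reason   = 'command launched through WinRS'

        if ($e.Image -eq 'powershell.exe' -and
            $e.CommandLine -match '(?i)-ExecutionPolicy\s+(Unrestricted|Bypass)') {
            # Slide 9/10: the PowerShell path enables unrestricted script execution
            # before running the dropped script file.
            $severity = 'high'
            $reason   = 'WinRS child opening script execution (PowerShell stager pattern)'
        }
        elseif ($scriptHosts -contains $e.Image) {
            # Slide 11: the VBS CmdStager runs a VBScript that decodes and launches
            # an executable written to disk.
            $severity = 'high'
            $reason   = 'WinRS child running a script host (VBS CmdStager pattern)'
        }
        elseif ($interpreters -contains $e.Image) {
            $severity = 'medium'
        }

        [pscustomobject]@{
            Time        = $e.Time
            Host        = $e.Host
            Severity    = $severity
            Image       = $e.Image
            Reason      = $reason
            CommandLine = $e.CommandLine
        }
    }
}

# Run the rule over the constructed records: the notepad and svchost rows are
# ignored, cmd.exe is reported at medium, the powershell and cscript rows at high.
Get-WinRsLaunchFindings -Events $SampleEvents | Sort-Object Severity, Time | Format-Table -AutoSize
```

The rule deliberately keys on the parent process rather than on file names or hashes, since the slides point out that the dropped script itself is not caught by AV; a process that inherits from the remote-shell host and then loosens execution policy or runs a script host is what a defender can observe independent of the payload's contents. Feeding real records in the same shape (for example, from a 4688 process-creation audit or an EDR export mapped onto these field names) is left to the reader.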

12 Live Demo
Abusing WinRM/WinRS with Metasploit

13 How To Set Up WinRM for Your Demo Environment (1)
- From a command prompt: winrm quickconfig
- The default quickconfig setup is broken:
  - It sets AllowUnencrypted to False, i.e. non-SSL traffic will be refused
  - However, it does not set up an HTTPS listener
- To fix this, either set AllowUnencrypted to True, or set up an HTTPS listener

14 How To Set Up WinRM for Your Demo Environment (2)
- If the listener is HTTPS: set SSL to True, set SSLVersion to the correct SSL version, and adjust RPORT
- Listener types: WinRM = WMI; WinRS = Remote Shell
- Default ports for WinRM:

  Transport   Older versions   Newer versions
  HTTP        80               5985
  HTTPS       443              5986
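The two setup slides describe a state that is easy to end up in and hard to diagnose: AllowUnencrypted set to False with only an HTTP listener, so no client can connect, and a listener on a port other than the defaults in the table above, so RPORT must be adjusted. The script below is an added example, not from the talk, that audits a host's own WinRM configuration for exactly those conditions using the WSMan: provider and the New-WSManInstance cmdlet that ship with PowerShell. The function names are this example's own; the <fqdn> and <thumbprint> values in the HTTPS fix are placeholders to be replaced with the lab host's name and certificate thumbprint. Run it in an elevated PowerShell session on the WinRM host.

```powershell
# Added example (not part of the original talk): audit the local WinRM service
# for the quickconfig pitfall on slide 13 and the port/transport choices on
# slide 14. Requires an elevated session; the WSMan: drive is read-only otherwise.

# Default listener ports from the slide table: older versions vs. newer versions.
$DefaultPorts = @{
    'HTTP'  = @(80, 5985)
    'HTTPS' = @(443, 5986)
}

function Get-WinRmListenerSummary {
    # Each entry under WSMan:\localhost\Listener is a listener whose settings
    # (Transport, Port, Address, Enabled, ...) are exposed as child items.
    Get-ChildItem -Path 'WSMan:\localhost\Listener' | ForEach-Object {
        $props = @{}
        Get-ChildItem -Path ('WSMan:\localhost\Listener\' + $_.Name) |
            ForEach-Object { $props[$_.Name] = $_.Value }
        $port = [int]$props['Port']
        [pscustomobject]@{
            Transport   = $props['Transport']
            Port        = $port
            Address     = $props['Address']
            Enabled     = $props['Enabled']
            DefaultPort = ($DefaultPorts[$props['Transport']] -contains $port)
        }
    }
}

function Test-WinRmDemoConfig {
    # Reads AllowUnencrypted and the listener list, then reports the
    # combination the slides warn about and how to get out of it.
    $allowUnencrypted = (Get-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted').Value
    $listeners = @(Get-WinRmListenerSummary)
    $hasHttps  = @($listeners | Where-Object { $_.Transport -eq 'HTTPS' }).Count -gt 0

    Write-Host "AllowUnencrypted : $allowUnencrypted"
    $listeners | Format-Table Transport, Port, Address, Enabled, DefaultPort -AutoSize | Out-String | Write-Host

    foreach ($l in $listeners | Where-Object { -not $_.DefaultPort }) {
        Write-Host ("Listener {0} on port {1} is not a default port: set RPORT to {1} in the client." -f $l.Transport, $l.Port)
    }

    if ($allowUnencrypted -eq 'false' -and -not $hasHttps) {
        Write-Warning 'AllowUnencrypted is False and no HTTPS listener exists: unencrypted requests are refused and there is no encrypted listener to use.'
        Write-Host 'Fix A (lab use only): Set-WinRmAllowUnencrypted -Allow $true'
        Write-Host 'Fix B (preferred):    Add-WinRmHttpsListener -HostName <fqdn> -CertificateThumbprint <thumbprint>'
        return $false
    }
    return $true
}

function Set-WinRmAllowUnencrypted {
    # Fix A from slide 13. This permits cleartext message bodies over HTTP,
    # so it belongs in an isolated demo environment only.
    param([Parameter(Mandatory = $true)] [bool] $Allow)
    Set-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted' -Value $Allow
}

function Add-WinRmHttpsListener {
    # Fix B from slide 13: bind an HTTPS listener (default port 5986 on newer
    # versions) to a server certificate already present in the machine store.
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,              # placeholder <fqdn>
        [Parameter(Mandatory = $true)] [string] $CertificateThumbprint  # placeholder <thumbprint>
    )
    New-WSManInstance -ResourceURI 'winrm/config/Listener' `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet    @{ Hostname = $HostName; CertificateThumbprint = $CertificateThumbprint }
}

Test-WinRmDemoConfig
```

After applying Fix B, the client side must match the listener: SSL set to True, SSLVersion matching what the listener negotiates, and RPORT at 5986 (or 443 on older versions) rather than the HTTP port, which is the checklist on slide 14.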

15 Q&A
David Maloney, Metasploit Software Engineer, Rapid7
David_Maloney@rapid7.com
@TheLightCosine

