Abusing Windows Remote Management with Metasploit

David Maloney
Metasploit Software Engineer
Rapid7

Agenda

Introduction
• Windows Remote Management and Windows Remote Shell
• Why they're interesting for penetration testers

Abusing WinRM and WinRS
• Live demo

Setting up your demo environment
• Pitfalls to watch out for

Q&A

Introducing WinRM and WinRS

Windows Remote Management
• Remote management service for Windows
• XP and higher: installed but not enabled
• Can be installed on lower versions
• HTTP/S SOAP listener
• Kerberos and NTLM authentication

Windows Remote Shell
• WinRM's twin sister
• Remote shell service for Windows
• HTTP/S SOAP listener
• Kerberos and NTLM authentication

Why They Are Interesting to Penetration Testers

Additional attack vector on systems
• Especially WinRS, which is surprisingly often enabled

Avoid anti-virus detection
• Great alternative to the PSExec module

Discovery

Find WinRM listeners on the network

Metasploit module: use auxiliary/scanner/winrm/winrm_auth_methods

Bruteforce

Bruteforce credentials on the WinRM service
• Accessing the service requires credentials

Supports Negotiate (NTLM) authentication

Metasploit module: use auxiliary/scanner/winrm/winrm_login

Running WMI Queries

WMI = Windows Management Instrumentation

Execute arbitrary WQL (SQL for WMI) queries against the target
• Find out the architecture (32/64 bit)
• We'll need the architecture later

Metasploit module: use auxiliary/scanner/winrm/winrm_wql

Running Commands

Instantiate a shell
• Stateless shell over HTTP/SOAP

Send a Windows command

Receive output streams
• STDOUT and STDERR

Metasploit module: use auxiliary/scanner/winrm/winrm_cmd

Getting Shells

Two different payloads
• PowerShell 2.0
  – Checks if PowerShell 2.0 is available
  – Enables unrestricted script execution
  – Necessary to run unsigned script files
• VBS CmdStager
  – Activated if PowerShell 2.0 fails

Metasploit module: use exploit/windows/winrm/winrm_script_exec

Problem: shells expire after 5 minutes

PowerShell 2.0

Writes the payload into a script file using the Append-Content cmdlet and executes it
• Not flagged by any known AV solutions
• Pick the correct architecture for the payload

Must migrate before the shell expires
• migrate -f doesn't work because child processes also expire

New smart_migrate module
• Migrates into the existing winlogon.exe and explorer.exe
• Not child processes, so they don't expire

Metasploit module: use post/windows/manage/smart_migrate

VBS CmdStager

Initiated if the PowerShell 2.0 checks fail

Writes two files to the file system
• Base64-encoded version of the payload
• VBScript to decode the executable and launch the payload

Less stealthy because it writes an executable to the file system

Same migration needed: the shell times out!

Live Demo

Abusing WinRM/WinRS with Metasploit

How To Set Up WinRM for Your Demo Environment (1)

From the command prompt: winrm quickconfig

Default quickconfig setup is broken
• Will set AllowUnencrypted to False, i.e. non-SSL traffic will be refused
• However, will not set up an HTTPS listener

To fix
• Either set AllowUnencrypted to True
• Or set up an HTTPS listener

How To Set Up WinRM for Your Demo Environment (2)

If the listener is HTTPS
• Set SSL to True
• Set SSLVersion to the correct SSL version
• Adjust RPORT

Listener types
• WinRM: WMI
• WinRS: Remote Shell

Default Ports for WinRM

          Older Versions   Newer Versions
  HTTP    80               5985
  HTTPS   443              5986
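As an added example (not part of the talk and not Metasploit code), a small Python audit that parses constructed samples in the shape of `winrm get winrm/config/service` and `winrm enumerate winrm/config/listener` output and reports the inconsistency the previous slide describes: AllowUnencrypted set to false with no HTTPS listener, or AllowUnencrypted set to true. The exact output layout of those two commands is an assumption; the sample text is constructed.

```python
import re

# Constructed sample in the shape `winrm get winrm/config/service` prints
# (assumption: exact labels vary slightly between Windows versions).
SERVICE_CONFIG = """\
Service
    AllowUnencrypted = false
    Auth
        Basic = false
        Negotiate = true
"""

# Constructed sample in the shape of `winrm enumerate winrm/config/listener`
# right after a bare `winrm quickconfig`: only the HTTP listener exists.
LISTENERS = """\
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
"""

KV_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.*)$", re.M)

def parse_kv(text):
    """Flatten 'Key = value' lines into a dict; lines without '=' are skipped."""
    return {m.group(1): m.group(2).strip() for m in KV_RE.finditer(text)}

def listener_transports(text):
    """Transports (HTTP/HTTPS) of every enabled listener block."""
    transports = set()
    for block in re.split(r"^Listener[ \t]*$", text, flags=re.M):
        kv = parse_kv(block)
        if kv.get("Enabled", "").lower() == "true" and "Transport" in kv:
            transports.add(kv["Transport"].upper())
    return transports

def audit(service_text, listener_text):
    """Return the misconfigurations the slide warns about, as finding strings."""
    svc = parse_kv(service_text)
    transports = listener_transports(listener_text)
    findings = []
    if svc.get("AllowUnencrypted", "false").lower() == "true":
        findings.append("AllowUnencrypted=true: WinRM accepts credentials and commands over plain HTTP")
    elif "HTTPS" not in transports:
        findings.append("AllowUnencrypted=false but no HTTPS listener: every client is refused")
    if svc.get("Basic", "false").lower() == "true" and "HTTPS" not in transports:
        findings.append("Basic authentication enabled without an HTTPS listener")
    return findings
```

Run `audit(SERVICE_CONFIG, LISTENERS)` against the real command output pasted into the two strings to see which of the two fixes on the slide a demo box still needs.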

Q&A

David Maloney, Metasploit Software Engineer, Rapid7

[email protected]

@TheLightCosine