Abusing Windows Remote Management with Metasploit David Maloney Metasploit Software Engineer Rapid7

Introduction Windows Remote Management and Windows Remote Shell Why they’re interesting for penetration testers Abusing WinRM and WinRS Live demo Setting up your demo environment Pitfalls to watch out for Q&A 2 Agenda

Windows Remote Manangement Remote management service for Windows XP and higher: Installed but not enabled Can be installed on lower versions HTTP/S SOAP Listener Kerberos and NTLM authentication 3 Introducing WinRM and WinRS Windows Remote Shell WinRM’s twin sister Remote shell service for Windows HTTP/S SOAP Listener Kerberos and NTLM authentication

Additional attack vector on systems Especially WinRS surprisingly often enabled Avoid anti-virus detection Great alternative to PSExec module Why They Are Interesting to Penetration Testers 4

Find WinRM listeners on the network Metasploit module: use auxiliary/scanner/winrm/winrm_a uth_methods 5 Discovery

Bruteforce 6 Bruteforce credentials on WinRM service Accessing service requires credentials Supports Negotiate (NTLM) authentication Metasploit module: use auxiliary/scanner/winrm/winrm_lo gin

Running WMI Queries 7 WMI = Windows Management Instrumentation Execute arbitrary WQL (SQL for WMI) queries against target Find out architecture (32/64 bit) We’ll need the architecture later Metasploit module: use auxiliary/scanner/winrm_wql

Running Commands 8 Instantiate a shell Stateless shell over HTTP/SOAP Send Windows command Receive output streams STDOUT and STDERR Metasploit module: (use auxiliary/scanner/winrm/winrm_c md)

Two different payloads PowerShell 2.0  Checks if PowerShell 2.0 is available  Enables unrestricted script execution  Necessary to run unsigned script files VBS CmdStager  Activated if PowerShell 2.0 fails Metasploit Module: use exploit/windows/winrm/winrm_scr ipt_exec Problem: Shells expire after 5 minutes 9 Getting Shells

Writes payload into script file using Append-Content cmdlet and executes it Not flagged by any known AV solutions Pick correct architecture for payload Must migrate before shell expires Migrate –f doesn’t work because child processes also expire New smart_migrate module Migrates into existing winlogon.exe and explorer.exe Not child processes, so don’t expire Metasploit Module: use post/windows/manage/smart_migr ate 10 PowerShell 2.0

Is initiated if PowerShell 2.0 checks fail Writes two files to the file system Base64-encoded version of payload Vbscript to decode executable and launch the payload Less stealthy because it writes executable to file system Same migration needed – shell times out! 11 VBS CmdStager

Live Demo Abusing WinRM/WinRS with Metasploit 12

From command prompt: winrm quickconfig Default quickconfig setup is broken Will set AllowUnencrypted to False, i.e. non-SSL traffic will be refused However, will not set up HTTPS listener To fix Either set AllowUnencrypted to True Or set up HTTPS listener How To Set Up WinRM for Your Demo Environment (1) 13

If listener is HTTPS Set SSL to True Set SSLVersion to correct SSL Version Adjust RPORT Listener types WinRM: WMI WinRS: Remote Shell 14 How To Set Up WinRM for Your Demo Environment (2) Default Ports for WinRM Older VersionsNewer Versions HTTP HTTPS

Q&A David Maloney, Metasploit Software Engineer,