Abusing Windows Remote Management with Metasploit
David Maloney, Metasploit Software Engineer, Rapid7

Agenda
• Introduction
  • Windows Remote Management and Windows Remote Shell
  • Why they're interesting for penetration testers
• Live demo
• Setting up your demo environment
  • Pitfalls to watch out for
• Q&A

Introducing WinRM and WinRS
Windows Remote Management
• Remote management service for Windows
• XP and higher: installed but not enabled
  • Can be installed on lower versions
• HTTP/S SOAP listener
• Kerberos and NTLM authentication
Windows Remote Shell
• WinRM's twin sister
• Remote shell service for Windows
• HTTP/S SOAP listener
• Kerberos and NTLM authentication

Why They Are Interesting to Penetration Testers
• Additional attack vector on systems
  • Especially WinRS, which is surprisingly often enabled
• Avoid anti-virus detection
  • Great alternative to the PSExec module

Discovery
• Find WinRM listeners on the network
• Metasploit module: use auxiliary/scanner/winrm/winrm_auth_methods

Bruteforce
• Bruteforce credentials on the WinRM service
  • Accessing the service requires credentials
• Supports Negotiate (NTLM) authentication
• Metasploit module: use auxiliary/scanner/winrm/winrm_login

Running WMI Queries
• WMI = Windows Management Instrumentation
• Execute arbitrary WQL (SQL for WMI) queries against the target
  • Find out the architecture (32/64-bit)
  • We'll need the architecture later
• Metasploit module: use auxiliary/scanner/winrm/winrm_wql

Running Commands
• Instantiate a shell
  • Stateless shell over HTTP/SOAP
• Send a Windows command
• Receive output streams
  • STDOUT and STDERR
• Metasploit module: use auxiliary/scanner/winrm/winrm_cmd

Getting Shells
• Two different payloads
• PowerShell 2.0
  • Metasploit module: use exploit/windows/winrm/winrm_script_exec
  • Checks if PowerShell 2.0 is available
  • Enables unrestricted script execution
    • Necessary to run unsigned script files
  • Problem: shells expire after 5 minutes
• VBS CmdStager
  • Activated if PowerShell 2.0 fails

PowerShell 2.0
• Writes the payload into a script file using the Append-Content cmdlet and executes it
  • Not flagged by any known AV solutions
  • Pick the correct architecture for the payload
• Must migrate before the shell expires
  • migrate -f doesn't work because child processes also expire
• New smart_migrate module
  • Migrates into existing winlogon.exe and explorer.exe
  • Not child processes, so they don't expire
  • Metasploit module: use post/windows/manage/smart_migrate

VBS CmdStager
• Is initiated if the PowerShell 2.0 checks fail
• Same migration needed: the shell times out!
• Writes two files to the file system
  • Base64-encoded version of the payload
  • VBScript to decode the executable and launch the payload
• Less stealthy because it writes the executable to the file system

Live Demo
Abusing WinRM/WinRS with Metasploit

How To Set Up WinRM for Your Demo Environment (1)
• From the command prompt: winrm quickconfig
• Default quickconfig setup is broken
  • Will set AllowUnencrypted to False, i.e. non-SSL traffic will be refused
  • However, will not set up an HTTPS listener
• To fix
  • Either set AllowUnencrypted to True
  • Or set up an HTTPS listener

How To Set Up WinRM for Your Demo Environment (2)
• If the listener is HTTPS
  • Set SSL to True
  • Set SSLVersion to the correct SSL version
  • Adjust RPORT
• Listener types
  • WinRM: WMI
  • WinRS: Remote Shell
• Default ports for WinRM
          Older versions   Newer versions
  HTTP          80             5985
  HTTPS        443             5986

Q&A
David Maloney, Metasploit Software Engineer, Rapid7
David_Maloney@rapid7.com
@TheLightCosine
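The pitfalls on the two demo-environment slides (AllowUnencrypted left at False, no HTTPS listener, older versus newer default ports), checked from the host side. This is an added PowerShell audit script, not part of the original deck; it assumes an elevated session on a host where the WinRM service is running, so that the built-in WSMan: drive is available.

```powershell
# Added audit script (not from the original slides): report the local WinRM
# configuration against the setup pitfalls described on the slides above.
# Assumes an elevated PowerShell session with the WinRM service running,
# which is what makes the built-in WSMan: drive available.
function Get-WinRMAudit {
    $findings = @()

    # 'winrm quickconfig' leaves AllowUnencrypted = false by default.
    $allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $note = if ($allowUnencrypted -eq 'true') {
        'Plain HTTP accepted: acceptable in a lab, not in production'
    } else {
        'Non-TLS traffic refused: an enabled HTTPS listener is required'
    }
    $findings += [pscustomobject]@{ Check = 'Service/AllowUnencrypted'; Value = $allowUnencrypted; Note = $note }

    # Each listener container exposes Transport, Port and Enabled as child items.
    $haveHttps = $false
    foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $props     = Get-ChildItem $l.PSPath
        $transport = ($props | Where-Object { $_.Name -eq 'Transport' }).Value
        $port      = ($props | Where-Object { $_.Name -eq 'Port' }).Value
        $enabled   = ($props | Where-Object { $_.Name -eq 'Enabled' }).Value
        if ($transport -eq 'HTTPS' -and $enabled -eq 'true') { $haveHttps = $true }
        # 80/443 are the older defaults, 5985/5986 the newer ones (see the port table).
        $portNote = if (@('80', '443') -contains $port) { 'Older default port' } else { 'Newer default port' }
        $findings += [pscustomobject]@{
            Check = "Listener $($l.Name)"
            Value = "$transport/$port enabled=$enabled"
            Note  = $portNote
        }
    }

    # The broken quickconfig state: unencrypted refused and no HTTPS listener to use instead.
    if ($allowUnencrypted -ne 'true' -and -not $haveHttps) {
        $findings += [pscustomobject]@{
            Check = 'Listener/HTTPS'
            Value = 'missing'
            Note  = 'AllowUnencrypted is false and no enabled HTTPS listener exists; remote clients will be refused'
        }
    }
    return $findings
}

Get-WinRMAudit | Format-Table -AutoSize
```

Run it before and after `winrm quickconfig` to see the AllowUnencrypted/HTTPS mismatch the slides warn about, and again after applying either fix.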