WinRM Penetration Testing

In this post, we will discuss all possible methods and tools used for WinRM penetration testing. Let’s dig into the WinRM service and its security assessment. This attack can be performed locally (using a Windows client machine) and remotely (using Kali Linux).

Lab Setup

Windows Server 2016: 192.168.1.105

Windows 10 client: 192.168.106

Kali Linux: 192.168.1.112

Table of Contents

WinRM Service

  • History of WinRM
  • WinRM Configuration
  • Testing Connection

Lateral Movement- Locally

  • Connecting Server shell using CMD
  • Connecting Server shell using PowerShell

Lateral Movement- Remotely

  • Scanning
  • Identify the WinRM Authentication Method
  • WinRM Login Brute Force
  • Connect to Remote Shell through Ruby script
  • Connecting Remote Shell through Evil-WinRM
  • Connecting Remote Shell through PowerShell Empire
  • Connecting Remote Shell through Docker
  • Connecting Remote Shell through Crackmapexec

WinRM Service

WinRM is a command-line tool that enables administrators to remotely execute CMD.exe commands using the WS-Management protocol. This specification describes a general SOAP-based protocol for managing systems such as PCs, servers, devices, Web services, other applications, and other manageable entities. It uses port 5985 for HTTP transport and 5986 for HTTPS transport.

On server and client versions of the Windows operating system, Enable-PSRemoting allows the administrator to access the remote shell using PowerShell for private and domain networks through the WinRM service.

History of WinRM

Version 1.1 of WinRM is found in Windows Vista and Windows Server 2008. Version 2.0 is found in Windows 7 and Windows Server 2008 R2, and the latest version, 3.0, is pre-installed in Windows 8 and Windows Server 2012, but you need to enable it in Windows 10.

WinRM Configuration

Configuring and installing WinRM is quite simple: you only need to execute the commands below, which enable WinRM on the server for trusted hosts. Here we have given the wildcard character (*) for all the machines on the network. This type of configuration could be a threat to the server because it allows any machine that knows the server’s credentials to connect to it.

Note: The WinRM service should be enabled on both machines (server and client).
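
The settings this section turns on can be checked from the defender's side. The following is an added example (not from the original post): it parses a constructed listing in the indented `name = value` layout printed by `winrm get winrm/config` and flags a wildcard TrustedHosts entry, AllowUnencrypted and Basic authentication; the sample text and the function names are assumptions.

```python
# Constructed sample in the layout of `winrm get winrm/config` output
# (indentation marks nesting); not captured from the lab above.
SAMPLE_CONFIG = """\
Config
    MaxEnvelopeSizekb = 500
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
        TrustedHosts = *
    Service
        AllowUnencrypted = true
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
"""

def parse_winrm_config(text):
    """Flatten the listing into {'Config/Client/Auth/Basic': 'true', ...}."""
    settings, stack = {}, []              # stack of (indent, section name)
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # left one or more nested sections
        key, sep, value = line.strip().partition(" = ")
        if sep:                           # "name = value" leaf
            value = value.split(" [Source=")[0].strip()   # drop GPO marker
            settings["/".join([n for _, n in stack] + [key])] = value
        else:                             # bare name opens a section
            stack.append((indent, key))
    return settings

def audit_winrm(settings):
    """Return findings for weak settings in a parsed configuration."""
    findings = []
    hosts = settings.get("Config/Client/TrustedHosts", "")
    if "*" in [h.strip() for h in hosts.split(",")]:
        findings.append("Client TrustedHosts is '*': every remote host is trusted")
    for side in ("Client", "Service"):
        if settings.get(f"Config/{side}/AllowUnencrypted", "").lower() == "true":
            findings.append(f"{side} AllowUnencrypted is true")
        if settings.get(f"Config/{side}/Auth/Basic", "").lower() == "true":
            findings.append(f"{side} Basic authentication is enabled")
    return findings
```

Running `audit_winrm(parse_winrm_config(SAMPLE_CONFIG))` on the sample returns three findings; on a hardened host the list is empty.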

Testing Connection

Now, with the help of the following command, we can check the server’s connectivity from any host machine on the network.

As you can see, the version details of the protocol and the product have been revealed, so this shows that we are capable of connecting to the server.

Lateral Movement- Locally

Connecting Server shell using CMD

As we know, WinRM is used to get a remote machine shell just like SSH, so if you have compromised an account or system that is a trusted host, you can access the server shell with the help of CMD. Here, we first try to run a system command remotely using the server credentials by executing the following command.

Since we were able to run a system command remotely, we try to access a remote shell with the help of the following command.

Connecting Remote shell using PowerShell

Just like the command prompt, you can also use PowerShell to remotely run arbitrary system commands; execute the following command through a compromised system.

As a result, we have enumerated user details for the administrator account.

Similarly, you can use PSSession to get a remote shell with PowerShell; run the following to get a server shell.

Lateral Movement- Remotely

Scanning

So, first, you need to scan the host IP in order to identify available ports for WinRM and Nmap is the best tool to do so.

From its scan, we found that 5985 (HTTP) is available for unsecure WinRM connections and 5986 (HTTPS) is available for secure WinRM connections.

Identify the WinRM Authentication Method

Further, you can use a Metasploit auxiliary module to identify the authentication methods used by WinRM. This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service. If it is a WinRM service, it also gathers the authentication methods supported.

WinRM Login Brute Force

This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows Negotiate (NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the ‘AllowUnencrypted’ winrm option must be set. Otherwise, adjust the port and set the SSL options in the module as appropriate.

As a result, it will try to find a valid combination of username and password and dump the output accordingly.

Connect to Remote Shell through Ruby script

You can download a Ruby script from GitHub that allows a Linux system to connect to the Windows WinRM protocol and provides access to the PowerShell of the target machine. You can download it from here, add the target IP, username and password inside the downloaded script, then install WinRM on your local machine and execute the script.

As a result, you will get PowerShell access to the target machine as shown.

Connecting Remote Shell through Evil-WinRM

Now, using evil-winrm, we try to access the remote machine's shell by connecting through port 5985, which is open for WinRM. We have already discussed Evil-WinRM and its usage in our previous article; you can read more about it from here.

As a result, it gives access to the victim's shell by providing its PowerShell, as given below.

Connecting Remote Shell through PowerShell Empire

Once you’ve compromised the host machine using Empire, as we’ve done here, you can use PowerShell Empire to perform post-exploitation and access the server shell via the client machine using the WinRM service.

And finally! We got the shell of the server through the client machine.

Connecting Remote Shell through Docker

There is a Docker image of PowerShell with NTLM support that allows PS-Remoting from Linux to Windows; we can use it to access the shell of the server by executing the following command.

Read more from here.

Once the Docker image is installed, you will get a session prompting for login credentials, as shown below in the image. As soon as you enter the server login, it will give a shell of the server.

Connecting Remote Shell through Crackmapexec

Now, using Crackmapexec, we try to execute an arbitrary system command remotely by connecting through port 5985, which is open for WinRM. We have already discussed Crackmapexec and its usage in our previous article; you can read more about it from here.

As a result, it gives the output for the requested command as shown.

Reference: https://docs.microsoft.com/en-us/windows/win32/winrm/about-windows-remote-management

Evil-Winrm : Winrm Pentesting Framework

In this post, we will discuss the most famous framework for PowerShell remote shells, a tool named “Evil-Winrm”. It is an open-source tool available on GitHub for WinRM penetration testing.

Table of Contents

  • Evil-winrm
  • Features
  • Installation
  • Load PowerShell scripts
  • Pass the Hash
  • Install using its Docker image

Evil-winrm

This program can be used on any Microsoft Windows Servers with this feature enabled (usually at port 5985), of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used with legitimate purposes by system administrators as well but most of its features are focused on hacking/pentesting stuff.

Features

  • Compatible to Linux and Windows client systems
  • Load in memory Powershell scripts
  • Load in memory dll files bypassing some AVs
  • Load in memory C# (C Sharp) assemblies bypassing some AVs
  • Load x64 payloads generated with awesome donut technique
  • AMSI Bypass
  • Pass-the-hash support
  • Kerberos auth support
  • SSL and certificates support
  • Upload and download files showing a progress bar
  • List remote machine services without privileges
  • Command History
  • WinRM command completion
  • Local files completion
  • Colorization on prompt and output messages (can be disabled optionally)
  • Docker support (prebuilt images available at Dockerhub)
  • Trap capturing to avoid accidental shell exit on Ctrl+C

Installation

In this post, we discuss two easy methods to install Evil-WinRM on Kali Linux; you will find more installation methods on GitHub.

With the help of Ruby gem, you can install evil-winrm directly; executing the following command will automatically install all dependencies on your machine.

Once it is installed, you can pull up its help option by typing ‘evil-winrm’, which displays the syntax and other options for running evil-winrm against the Windows Remote Management service.

Now, using evil-winrm, we try to access the remote machine's shell by connecting through port 5985, which is open for WinRM. As a result, it gives access to the victim's shell by providing its PowerShell, as given below.

Syntax: evil-winrm -i <Windows IP> -u <username> -p <'password'>

It not only provides a shell on the host machine but also provides a menu to load functions such as Invoke-Binary, Dll-Loader, Donut-Loader and Bypass-4MSI.

Load PowerShell scripts

We have some pentesting PowerShell scripts in /root/powershell, and we can upload these .ps1 scripts to the host machine through evil-winrm.

The .ps1 scripts must be in the path set with the -s argument; execute it as given below:

Syntax: evil-winrm -i <Windows IP> -u <username> -p <'password'> -s <path>

Type menu again to see the loaded functions, use Bypass-4MSI, and then invoke the script. Here we have tried to upload the mimikatz PowerShell script to dump stored credentials.

As a result, it has dumped all the credentials of the Windows Server. 😈

Pass the Hash

It has one more feature, which allows you to conduct a Pass-the-Hash attack; as a result, it gives the shell of the host machine.

Install using its Docker image

This is a very easy and convenient method to install Evil-WinRM on your attacking machine and simultaneously obtain the shell of the victim machine through its WinRM service. You only need to execute the following command.

Domain Persistence: DC Shadow Attack

In this post, we are going to discuss the most dynamic attack on AD, named the DC Shadow attack. It is a persistence technique that creates a rogue Domain Controller in the network. This attack is an actual threat because it can be leveraged into other dynamic attacks such as the DCSync attack and the Golden Ticket attack.

DCShadow Attack

DCShadow is a feature in mimikatz that manipulates Active Directory (AD) data, including objects and schemas, by registering as a Domain Controller (DC) and replicating its behaviour. It simulates the behaviour of a Domain Controller (using protocols like RPC used only by DCs) to inject its own data, bypassing most of the common security controls, including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz).

It is a post-exploitation attack (also called a domination attack) because it requires domain admin (or enterprise admin) privileges.

Description of the attack

The attacks are done using the following steps:

  • Registering the “DC” by creating 2 objects in the CN=Configuration partition and altering the SPN of the computer used.
  • Pushing the data (triggered using DrsReplicaAdd, KCC or other internal AD events)
  • Removing the objects previously created to demote the DC
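
The registration and removal steps leave a trace when Directory Service Changes auditing covers the Configuration partition. The following is an added detection example (not from the original post): it correlates Security events 5137 (directory object created) and 5141 (directory object deleted) for `server` and `nTDSDSA` objects belonging to hosts outside a known-DC inventory. The events, host names, inventory and time window are constructed assumptions, and a legitimate DC promotion not yet in the inventory will also be reported.

```python
from datetime import datetime, timedelta

KNOWN_DCS = {"DC01"}                 # assumption: inventory of real DCs (upper case)
WINDOW = timedelta(minutes=10)       # assumption: create-to-delete gap to flag
DC_CLASSES = {"server", "nTDSDSA"}   # object classes that register a DC in a site
SERVERS = ("CN=Servers,CN=Default-First-Site-Name,CN=Sites,"
           "CN=Configuration,DC=example,DC=local")

def ev(time, event_id, cls, dn, user):
    return {"TimeCreated": time, "EventID": event_id, "ObjectClass": cls,
            "ObjectDN": dn, "SubjectUserName": user}

# Constructed events, reduced to the fields used below.
EVENTS = [
    ev("2024-01-10T09:00:00", 5137, "user", "CN=New Hire,OU=Staff,DC=example,DC=local", "helpdesk1"),
    ev("2024-01-10T10:02:11", 5137, "server", f"CN=WS07,{SERVERS}", "admin1"),
    ev("2024-01-10T10:02:11", 5137, "nTDSDSA", f"CN=NTDS Settings,CN=WS07,{SERVERS}", "admin1"),
    ev("2024-01-10T10:02:19", 5141, "nTDSDSA", f"CN=NTDS Settings,CN=WS07,{SERVERS}", "admin1"),
    ev("2024-01-10T10:02:19", 5141, "server", f"CN=WS07,{SERVERS}", "admin1"),
    ev("2024-01-10T11:30:00", 5137, "nTDSDSA", f"CN=NTDS Settings,CN=DC01,{SERVERS}", "admin1"),
]

def server_name(dn):
    """Host CN directly above CN=Servers in a Configuration-partition DN, else None."""
    parts = [p.strip() for p in dn.split(",")]   # simplification: no escaped commas
    upper = [p.upper() for p in parts]
    if "CN=CONFIGURATION" not in upper or "CN=SERVERS" not in upper:
        return None
    idx = upper.index("CN=SERVERS")
    return parts[idx - 1][3:] if idx > 0 else None

def find_rogue_dc_registrations(events, known_dcs=KNOWN_DCS, window=WINDOW):
    """Report DC-type objects created for hosts outside the DC inventory."""
    hosts = {}
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        host = server_name(e["ObjectDN"])
        if e["ObjectClass"] not in DC_CLASSES or not host or host.upper() in known_dcs:
            continue
        when = datetime.fromisoformat(e["TimeCreated"])
        rec = hosts.setdefault(host, {"host": host, "created": {},
                                      "transient": False, "users": set()})
        rec["users"].add(e["SubjectUserName"])
        if e["EventID"] == 5137:
            rec["created"][e["ObjectDN"]] = when
        elif e["EventID"] == 5141:
            made = rec["created"].get(e["ObjectDN"])
            rec["transient"] |= made is not None and when - made <= window
    return [r for r in hosts.values() if r["created"]]
```

A record with `transient` set means the objects were created and removed again within the window, which matches the register-then-demote sequence listed above.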

Walkthrough

Using the compromised user account, we check the identity of the logged-on user “Yashika” and notice that it is a member of the Domain Users group.

To perform the DC Shadow attack, you need to download and install mimikatz on the host machine and run it as an administrator in order to execute the “!+” and “!processtoken” commands. This registers and starts the mimidrv service and tries to elevate to a privileged token, which provides the privilege to call kernel-level functions from a user-mode application.

With the help of “token::whoami” we can then enumerate the current identity. As you can observe, it shows the “NT Authority/System” privilege.

Now execute the following command, which will mimic a bogus domain controller in the network and try to add user Yashika to the domain admin group.

Open one more mimikatz instance in a new terminal and execute the following command, which will try to push the bogus domain controller's data to the legitimate one.

After executing the above-mentioned command, we checked the identity of user yashika again and noticed that this time it has become a member of the domain admin group.

DCShadow is a dynamic attack because, if you have added the user into the PrimaryGroupID object, it will not be easy for an administrator to remove that user from the domain admin group.

This attack also becomes a ladder for carrying out other attacks like the DCSync attack. As we discussed earlier, if a host is a member of a privileged group such as domain administrators or enterprise administrators, an intruder can impersonate a domain controller with a DCSync attack and request user NTLM hashes from other domain controllers on the network; read more about it from here.

Once the intruder is able to get the hashes of the KDC server, he can go on to carry out the Golden Ticket attack, which you can read about from here; therefore we call DC Shadow the most dynamic attack on AD.

Reference: https://www.dcshadow.com/

Domain Persistence AdminSDHolder

In this post, we will discuss the persistence attack on Active Directory that abuses AdminSDHolder. This attack is an actual threat because it can be leveraged into other dynamic attacks such as the DCSync attack and the Golden Ticket attack.

AdminSDHolder

Active Directory Domain Services uses AdminSDHolder, protected groups and Security Descriptor propagator (SD propagator or SDPROP for short) to secure privileged users and groups from unintentional modification. Unlike most objects in the Active Directory domain, which are owned by the Administrators group, AdminSDHolder is owned by the Domain Admins group.

The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups.  Every hour, a background process runs on the domain controller to compare manual modifications to an ACL and overwrites them so that the ACL matches the ACL on the AdminSDHolder object.

Read from here for more detail.

AdminSDHolder Persistence Attack

On a compromised domain controller with administrator privileges, the attacker can create a permanent backdoor for future attacks by abusing AdminSDHolder. With the help of this attack, we will be able to alter AdminSDHolder by adding a new user to its Access Control List.

Here we will try to add user Yashika to the ACL of the AdminSDHolder object in order to change the privileges of user Yashika. Currently, user Yashika is a domain user, as shown below.

Follow these steps to learn how an attacker can conduct the AdminSDHolder attack.

  1. Navigate to Active Directory Users and Computers
  2. Explore Menu > View > Advanced Features
  3. Explore System > AdminSDHolder > Properties
  4. Add the user to whom you want to give Full Permission. Here I have chosen user: “Yashika”
  5. Give Full Permission by enabling all check boxes.

As we mentioned, the background process runs every sixty (60) minutes by default, but the default frequency of the Security Descriptor Propagator process can be changed by creating a REG_DWORD registry entry and setting the new frequency value.

This can be done on the compromised DC by executing the following command inside a command prompt, which will reset the Security Descriptor Propagator process to 3 minutes (300 as decimal & 12c as hexadecimal).

To confirm the result of the above command, explore the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

After three minutes, we checked the identity of user “yashika” using the net user command and noticed that Yashika has become a member of the domain admin group.

Even if the administrator tries to remove yashika from the domain admin group, after 3 minutes the Security Descriptor Propagator process will add Yashika to the Domain Admin group again.
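
Because the propagator keeps reapplying whatever is on AdminSDHolder, the object's ACL is the place to audit. The following is an added example (not from the original post): it parses an SDDL string, as exported from the security descriptor of CN=AdminSDHolder,CN=System,<domain DN>, and reports allow ACEs that give write-level rights to trustees outside a baseline. The SDDL, the user SID and the baseline are constructed assumptions.

```python
import re

# Assumption: trustees expected to hold write-level rights on AdminSDHolder
# (SDDL aliases: SY = Local System, DA = Domain Admins, EA = Enterprise
# Admins, BA = built-in Administrators). Adjust to your own baseline.
EXPECTED = {"SY", "DA", "EA", "BA"}
RISKY = {"GA": "GenericAll", "GW": "GenericWrite", "WD": "WriteDacl",
         "WO": "WriteOwner", "WP": "WriteProperty (all properties)"}
MASK = {0x10000000: "GA", 0x40000000: "GW", 0x40000: "WD", 0x80000: "WO", 0x20: "WP"}

# Constructed SDDL: the last ACE gives full control to a made-up user SID,
# the state the steps above produce.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
    "(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)"
    "(A;;LCRPLORC;;;AU)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
    "(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
)

def rights_codes(field):
    """Split an SDDL rights field ('RPWPWD' or '0xf01ff') into 2-letter codes."""
    if field.lower().startswith("0x"):
        value = int(field, 16)
        return {code for bit, code in MASK.items() if value & bit}
    return set(re.findall("..", field))

def audit_adminsdholder(sddl, expected=EXPECTED):
    """Return (trustee, [risky rights]) for allow ACEs outside the baseline."""
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        # ACE layout: type;flags;rights;object GUID;inherit GUID;trustee
        ace_type, _flags, rights, obj_guid, _inherit, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or trustee in expected:
            continue                  # audit/deny ACEs and baseline trustees
        codes = rights_codes(rights)
        if obj_guid:                  # scoped to one property or extended right
            codes.discard("WP")
        risky = sorted(RISKY[c] for c in codes & set(RISKY))
        if risky:
            findings.append((trustee, risky))
    return findings
```

Note that `WD` means WriteDacl in the rights field but Everyone in the trustee field, which is why the ACE is split by position before any code is interpreted.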