New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added auxiliary/scanner/winrm docs #11437
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
## Description | ||
This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service. If it is a WinRM service, it also gathers the Authentication Methods supported. | ||
|
||
## Verification Steps | ||
|
||
1. Do: ```use auxiliary/scanner/winrm/winrm_auth_methods``` | ||
2. Do: ```set RHOSTS [IP]``` | ||
3. Do: ```run``` | ||
|
||
## Scenarios | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||
``` | ||
msf > use auxiliary/scanner/winrm/winrm_auth_methods | ||
msf auxiliary(scanner/winrm/winrm_auth_methods) > set RHOSTS 1.1.1.10 | ||
RHOSTS => 1.1.1.10 | ||
msf auxiliary(scanner/winrm/winrm_auth_methods) > run | ||
|
||
[+] 1.1.1.10:5985: Negotiate protocol supported | ||
[+] 1.1.1.10:5985: Basic protocol supported | ||
[*] Scanned 1 of 1 hosts (100% complete) | ||
[*] Auxiliary module execution completed | ||
msf auxiliary(scanner/winrm/winrm_auth_methods) > | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
## Description | ||
This module runs arbitrary Windows commands using the WinRM Service. It needs login credentials to do so. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. needs valid login credentials to do so. I'd also ask what auth/group level they need to be. Local admin, domain admin, guest account? |
||
|
||
## Verification Steps | ||
|
||
1. Do: ```use auxiliary/scanner/winrm/winrm_cmd``` | ||
2. Do: ```set CMD [WINDOWS COMMAND]``` | ||
3. Do: ```set RHOSTS [IP]``` | ||
4. Do: ```set USERNAME [USERNAME]``` | ||
5. Do: ```set PASSWORD [PASSWORD]``` | ||
6. Do: ```run``` | ||
|
||
## Scenarios | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||
``` | ||
msf > use auxiliary/scanner/winrm/winrm_cmd | ||
msf auxiliary(scanner/winrm/winrm_cmd) > set CMD hostname | ||
CMD => hostname | ||
msf auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 1.1.1.10 | ||
RHOSTS => 1.1.1.10 | ||
msf auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator | ||
USERNAME => Administrator | ||
msf auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD vagrant | ||
PASSWORD => vagrant | ||
msf auxiliary(scanner/winrm/winrm_cmd) > run | ||
|
||
[+] vagrant-2008R2 | ||
|
||
[*] Scanned 1 of 1 hosts (100% complete) | ||
[*] Auxiliary module execution completed | ||
|
||
msf auxiliary(scanner/winrm/winrm_cmd) > | ||
``` | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Another good scenario would be showing how to turn this into an exploit. Can you run powershell from it to grab a meterpreter, or other such maneuver? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How would I grab meterpreter and turn it into an exploit? Can you describe it a bit more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I believe @h00die is referring to creating a session using this module, as this module only executes a command, and does not return a session. One scenario would be using the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yup, exactly. I'm not sure it's possible, just seemed like it should be There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
It should be. That's what the exploit/windows/winrm/winrm_script_exec.rb module is for. I'm not sure why there's two modules. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Will do it. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If there is a direct exploitation route through a module, you could just reference it directly. ie https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/x11/open_x11.md#direct-exploitation There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah. I even tried running commands like |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this on by default, did you have to set anything to enable it to be vulnerable?