Documentation on winrm_script_exec #8130
Conversation
|
I'll check it out in a few hours |
|
@hoodie I also need to know what will happen we get a successful meterpreter session. I can't get a successful session and hence I cannot write the documentation further. Thanks in advance. |
| ## Vulnerable Application | ||
|
|
||
| Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. | ||
| IMPORTANT: If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. |
There was a problem hiding this comment.
lets bold IMPORTANT and add an extra newline before it (so its on its own line)
There was a problem hiding this comment.
How do I bold in github using this " ** bolded text ** "? How to add an extra line in an md file in github. Just by using the 'Enter' key or there is some other process ?
There was a problem hiding this comment.
**bold**
bold
yea just hit enter again to add an extra newline.
In markdown if an item is on a new line (line 3 and 4) when processed its kept on the same line. If there is an EMPTY line between, its treated as a new line when interpreted.
|
|
||
| Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. | ||
| IMPORTANT: If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. | ||
| [EXPLOIT DB:] https://www.exploit-db.com/exploits/22526/ |
There was a problem hiding this comment.
dont think this is needed, i think you can remove it
There was a problem hiding this comment.
Remove which part? The exploit db source or the entire portion?
| @@ -0,0 +1,67 @@ | |||
| ## Vulnerable Application | |||
|
|
|||
| Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. | |||
There was a problem hiding this comment.
I think this is Vista and newer since #995 references win8
| LPORT => 4444 | ||
| msf exploit(winrm_script_exec) > set RHOST 192.168.198.130 | ||
| RHOST => 192.168.198.130 | ||
| msf exploit(winrm_script_exec) > show options |
There was a problem hiding this comment.
no need to have the show options since you show all the items which were set
There was a problem hiding this comment.
There are some default configurations given in the 'show options' which I have not added like the URI, SRVPORT etc., Should I remove it still?
There was a problem hiding this comment.
yea, if its default, theres no need to show that it wasn't changed.
| @@ -0,0 +1,67 @@ | |||
| ## Vulnerable Application | |||
|
|
|||
| Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. | |||
There was a problem hiding this comment.
Check out #995 there may be some comments about configuration changes etc.
If you have to install WinRM or configure it in any way other than a default win install, it would be great to include those as well.
There was a problem hiding this comment.
Will check for sure..
There was a problem hiding this comment.
https://msdn.microsoft.com/en-us/library/aa384372%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/aa384372%28v=vs.85%29.aspx
https://support.microsoft.com/en-in/help/2019527/how-to-configure-winrm-for-https
Are these three links enough for the later part of your comment?
There was a problem hiding this comment.
I generally like it when the markdown has a step by step for configuring (if not default), the doc should be self contained as much as possible.
Still not sure if that would be needed, however see https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/centreon_useralias_exec.md#creating-a-testing-environment for an example
There was a problem hiding this comment.
#995 isn't using any payload. Should I remove the lines:-
+msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
There was a problem hiding this comment.
you could try it, but when you don't set a payload msf attempts to set a default compatible payload, so it more than likely just defaulted to something.
|
I made the requested changes except the part of installing WinRM and configuring it. I am googling about those and I'll make changes soon. @h00die |
|
|
||
|
|
||
| ## Example Usage | ||
|
|
There was a problem hiding this comment.
### Windows 2008
**Powershell 2.0 is used for payload delivery here**
I'd add that so we know what the target is. (don't add the triple ticks, thats just so it doesn't auto-format on the comment)
| msf exploit(winrm_script_exec) > set RHOST 192.168.198.130 | ||
| RHOST => 192.168.198.130 | ||
|
|
||
| **Powershell 2.0 is used for payload delivery here** |
There was a problem hiding this comment.
remove this line, it'll be outside of the code block
| meterpreter > getpid | ||
| Current pid: 568 | ||
| meterpreter > | ||
|
|
There was a problem hiding this comment.
end the code block here (triple ticks)
| meterpreter > | ||
|
|
||
| **In case the VBS CmdStager is used for payload delivery here** | ||
|
|
There was a problem hiding this comment.
start a new code block here
There was a problem hiding this comment.
Should I start a code block using triple ticks too? And are triple ticks '###' ?
| meterpreter > | ||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
remove all these extra newlines at the end here. you can keep one
|
PS docs are looking good so far, a few minor touchups and this should be land-able this weekend. Docs seem easy, take someone's work and just run it, copy+pate, and done. However, as has been noted by other r7 people, its actually pretty time consuming to set up the environment, write down any changes or oddities (like vbs vs psh here). While it won't get you glory, it makes a big difference when someone looks at the module a few years later, or it isn't working for some reason. So thanks for spending the time and knocking this one out! |
|
@h00die Writing the docs are helping me learn how to use the exploits. I am a GSOC aspirant and I've got one month to prove myself. So I'll work on the docs and also some other minor issues this month to get a hang about the basics of how things work and it is a great honor to work for Metasploit whether I get selected for GSOC or not. |
|
|
||
| ## Example Usage | ||
|
|
||
| ## Windows 2008 |
There was a problem hiding this comment.
One more '#' as in it should look like: -
+### Example Usage
+
+### Windows 2008
| WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). | ||
| This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. | ||
|
|
||
| **IMPORTANT:-** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. |
|
|
||
| ``` | ||
|
|
||
| **In case the VBS CmdStager is used for payload delivery here** |
There was a problem hiding this comment.
Change this to be **VBS CmdStager is used for payload delivery here**
| [*] Current server process: mSPvA.exe (3548) | ||
| [+] Migrating to 580 | ||
| [+] Successfully migrated to process | ||
| [*] nil |
There was a problem hiding this comment.
this line is funny to me, nothing you did, but prob a print in the module that didn't check it was nil before printing it. at least it didn't crash!
There was a problem hiding this comment.
Tell me what changes I should make
|
any other changes or things youre waiting on for this, I think its ready to go, just want to double check |
|
|
||
| **IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. | ||
|
|
||
| ### Example Usage |
|
|
||
| ### Example Usage | ||
|
|
||
| ### Windows 2008 |
There was a problem hiding this comment.
3 here (like it is now, its good)
Release NotesDocumentation for the |
Git hub issue:- KB for exploit/windows/winrm/winrm_script_exec fixes #7129
Documentation