List:       metasploit-framework
Subject:    [framework] getwinrm (Get windows remote management/shell)
From:       Joshua Smith <lazydj98 () gmail ! com>
Date:       2010-08-13 20:08:07
Message-ID: AANLkTi=WO_2TXc28qnFLn691yGKv4PGsaPH70aE-paSJ () mail ! gmail ! com


Ok,
This is my first major meterpreter script, and my Ruby is weak, so be
gentle.  I'm sorry the message is so long, but it's not easy to explain.
Script is here:  http://pastebin.com/1BMnYRbf

getwinrm.rb will upload (if nec) and install (if nec) and configure WinRM.
Why is this useful?  Cuz WinRM has a remote shell feature.  If you're not
familiar with WinRM, it's a long story, you can read the comments in the
script if you're interested, but the gist is that the script will install
the WinRM service (and configure it and the fw etc) on a victim, you can
then connect to the victim from a Windows client (attacker) which also has
winrm installed, using WinRS (after some client config).  The script
configures WinRM to use http on port 80 (you can change it to SSL, but I'm
way too dumb and lazy to work that shiz out).

Honestly, since you need creds, and you obviously already have a meterpreter
shell, this is only useful in one particular instance: when you want a
persistent shell of some kind and can't use the persistence script due to
application whitelisting such as Bit9.  I basically wrote this solely to
bypass Bit9's lockdown mode (when you don't want to totally disable it,
which is trivial if you are System; I'll send that script too once I gussy
it up a bit).  Bit9 in lockdown mode won't allow anything to run, even a
vbs script (when properly configured), that isn't whitelisted or signed by
Microsoft or another approved source.  WinRM is signed by Microsoft, so the
install doesn't raise an alert (UAC aside of course) in this case.

I tested on Windows XP SP3 with Bit9 running in lockdown mode (parity.exe
ver 5.1) and configured to automatically approve MS signed code.  There is
notional support for Vista/7/2008, just use the config only option (-co)
since WinRM is installed by default on those platforms.  I'll try to test
them soon.  But I know the uninstall options won't work for those platforms
(which you probably don't want to do anyway since WinRM was already there).
You may want to timestomp (-t) though.

Keep in mind, you are connecting TO the victim (it's not a reverse
connection), so NATs and such will cause issues.  I tried to do some hole
punching by having Meterpreter send out a packet to the client, sourced from
port 80, but there's no way for Meterpreter to dictate the source port (or
there wasn't when I worked on this a while back; let me know if that has
changed).  In the meantime, you'd have to be local on the network, or farm
multiple hosts out of the network through a single meterpreter session (like
on a server; servers often have a hard time with Bit9 for various reasons,
so you can probably get typical persistence there).

I hope it doesn't suck.  Feedback is appreciated.

-- 
- Josh
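
The post describes a host-side footprint a defender can look for: the WinRM service appearing on a machine where it was not installed before, an inbound firewall opening for it, and an HTTP listener on port 80 hosted by svchost (the post's script uses port 80, which was the WinRM 1.1 default; WinRM 2.0 and later default to 5985/5986). The following is an added example, not part of the original post or of getwinrm.rb, written from the detection side. The event records are constructed for this example, and their field names (host, event_id, service_name, image, command_line, kind, port) are assumptions made here rather than the schema of any real log source; the event ID meanings used (7045 for a service install, 4688 for process creation) are the standard Windows ones.

```python
"""
Detection sketch for the WinRM-as-persistence pattern: correlate a WinRM
service install, a netsh firewall opening, and a svchost listener on a
WinRM port per host.  Added example; event schema is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 80 is what the post's script configures (WinRM 1.1 default);
# 5985/5986 are the WinRM 2.0+ HTTP/HTTPS defaults.
WINRM_PORTS = {80, 5985, 5986}
SVCHOST = "svchost.exe"  # the WinRM service is hosted inside svchost

# Executables whose use should at least be triaged on a workstation.
WINRM_TOOLS = {"winrm", "winrm.cmd", "winrm.vbs", "winrs", "winrs.exe"}

# Any netsh command that adds a firewall rule/port opening.
FIREWALL_OPEN_RE = re.compile(r"\bnetsh\b.*\bfirewall\b.*\badd\b", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def first_token_basename(command_line: str) -> str:
    """Return the lower-cased file name of the first token of a command line."""
    stripped = command_line.strip()
    if not stripped:
        return ""
    token = stripped.split(" ", 1)[0].strip('"')
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(ev: dict) -> list[Finding]:
    """Apply the individual rules to one event record (assumed schema)."""
    host = ev.get("host", "?")
    eid = ev.get("event_id")
    cmd = ev.get("command_line", "")
    found: list[Finding] = []

    # Rule 1: a service install (7045) whose name or binary mentions WinRM.
    if eid == 7045 and "winrm" in (ev.get("service_name", "") + ev.get("image", "")).lower():
        found.append(Finding(host, "winrm-service-installed", ev.get("service_name", "")))

    # Rule 2: process creation (4688) of the winrm/winrs tooling itself.
    if eid == 4688 and first_token_basename(cmd) in WINRM_TOOLS:
        found.append(Finding(host, "winrm-tooling-executed", cmd))

    # Rule 3: an inbound firewall opening added via netsh.
    if eid == 4688 and FIREWALL_OPEN_RE.search(cmd):
        found.append(Finding(host, "firewall-opening-added", cmd))

    # Rule 4: a new listening socket on a WinRM port owned by svchost.
    # Port 80 alone is too noisy (web servers), hence the svchost condition.
    if (ev.get("kind") == "listen" and ev.get("port") in WINRM_PORTS
            and ev.get("image", "").lower().endswith(SVCHOST)):
        found.append(Finding(host, "winrm-listener", f"tcp/{ev['port']}"))
    return found


def summarize(events: list[dict]) -> dict[str, set[str]]:
    """Collect the set of rule names that fired, per host."""
    by_host: dict[str, set[str]] = {}
    for ev in events:
        for f in inspect_event(ev):
            by_host.setdefault(f.host, set()).add(f.rule)
    return by_host


def likely_winrm_persistence(events: list[dict]) -> list[str]:
    """Hosts where WinRM was installed AND is now listening: high-confidence."""
    need = {"winrm-service-installed", "winrm-listener"}
    return sorted(h for h, rules in summarize(events).items() if need <= rules)


# Constructed sample events (not real logs): one workstation that matches the
# pattern, a web server listening on 80, and an admin box using winrm read-only.
SAMPLE_EVENTS = [
    {"host": "XP-WS01", "event_id": 7045, "service_name": "WinRM",
     "image": r"C:\WINDOWS\system32\svchost.exe"},
    {"host": "XP-WS01", "event_id": 4688,
     "command_line": "netsh firewall add portopening TCP 80 RemoteMgmt"},
    {"host": "XP-WS01", "kind": "listen", "port": 80,
     "image": r"C:\WINDOWS\system32\svchost.exe"},
    {"host": "WEB01", "kind": "listen", "port": 80, "image": r"C:\Apache\bin\httpd.exe"},
    {"host": "ADMIN01", "event_id": 4688,
     "command_line": r"C:\Windows\System32\winrm.cmd get winrm/config"},
    {"host": "ADMIN01", "event_id": 4688, "command_line": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in inspect_event(ev):
            print(f"{f.host:8} {f.rule:26} {f.detail}")
    print("likely WinRM persistence on:", likely_winrm_persistence(SAMPLE_EVENTS))
```

The per-rule findings are deliberately low-confidence on their own (an admin legitimately running winrm, a web server on port 80); the correlation in likely_winrm_persistence is what turns them into something worth an alert, and on Vista/7/2008, where the post notes WinRM is present by default, rule 1 will not fire and the firewall-opening and listener rules carry the weight.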

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework