Powershell tricks: Powershell Remoting

Source: Internet
Author: User

0x01 Introduction

PowerShell Remoting is built on the Windows WinRM service. It supports one-to-one and one-to-many remote control, and it exposes HTTP or HTTPS "listeners" that receive remotely delivered commands over the WS-Management (WS-MAN) protocol.

Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol. The protocol provides a secure channel for communication between local and remote computers using web services. Because it is a standard WS-MAN implementation, the client side does not have to be Windows; openwsman, for example, can act as a client.


Image Source: v3 Secrets of PowerShell Remoting

0x02 Remote Management

PowerShell Remoting is disabled by default before Windows Server 2008. An administrator must enable it by running the Enable-PSRemoting command.

In Windows Server 2012, PowerShell Remoting is enabled by default.

On Windows, PowerShell uses WinRM for remote management by default. The default listening ports differ between WinRM versions, as follows:

WinRM 1.1: HTTP port 80 and HTTPS port 443

WinRM 2.x: HTTP port 5985 and HTTPS port 5986

You can refer to here to determine the winrm version.
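The following is an added example (not code from the original post) that ties the steps of this section together: it checks whether the local WinRM service is running and which stack version it reports, lists the configured listeners with their transport and port, enables remoting only if nothing is listening, and probes a remote host. The remote name srv01.corp.example is a placeholder. Run it from an elevated PowerShell session.

```powershell
# Added example: inspect and enable WinRM on the local host, then probe a remote one.
# 'srv01.corp.example' is a placeholder host name.

# 1. Service state and the version string of the local WinRM stack.
#    Test-WSMan with no -ComputerName queries the local listener; ProductVersion
#    contains "Stack: 2.0" for WinRM 2.x and "Stack: 3.0" for later releases.
Get-Service WinRM | Select-Object Name, Status
(Test-WSMan -ErrorAction SilentlyContinue).ProductVersion

# 2. Configured listeners: transport (HTTP/HTTPS), bound address and port.
#    This is where the 5985/5986 defaults of WinRM 2.x show up.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Address   = ($props | Where-Object Name -eq 'Address').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
        Enabled   = ($props | Where-Object Name -eq 'Enabled').Value
    }
}

# 3. Enable remoting only if the service is not already answering.
#    Enable-PSRemoting creates the HTTP listener, sets the WinRM service to
#    start automatically and adds the matching firewall exception.
if (-not (Test-WSMan -ErrorAction SilentlyContinue)) {
    Enable-PSRemoting -Force
}

# 4. Probe a remote host. Test-WSMan needs no credentials when the listener
#    answers, so a failure here means "port closed or service down" rather
#    than "authentication failed".
Test-WSMan -ComputerName 'srv01.corp.example' -ErrorAction SilentlyContinue
```

Step 2 is worth running before opening a host to remote management: an HTTP-only listener on 5985 carries Kerberos or NTLM-protected message bodies but no TLS, so for hosts reached across domains or by IP address (where Kerberos is not available, see below) an HTTPS listener on 5986 is the setting to check for.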

Run the Enable-PSRemoting command to enable remote connections. Kerberos authentication is used by default. This only works between two computers in the same domain or in a trusted domain, and the target must be addressed by its domain name (a name with a DNS suffix is fine). It does not work across untrusted domains, for computers outside a domain, or when the target is specified by IP address.

To connect across domains or to a target given by IP address, you must first add either all remote hosts or a specific one to the client's trusted-hosts list by running the following on the client:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force

To delete all trusted hosts:

Clear-Item WSMan:\localhost\Client\TrustedHosts

To delete a single remote host, run the following command:

# Read the current list, drop the named entry, and write the list back.
# Splitting on commas works whether the host is first, last, or the only entry.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$newvalue = ($current -split ',' | Where-Object { $_ -ne 'computer01' }) -join ','
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $newvalue -Force

Replace computer01 with the name of the host you want to remove.

To list all trusted hosts:

Get-Item WSMan:\localhost\Client\TrustedHosts
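The commands above either trust every host (the * wildcard) or edit the list by hand. The following is an added example, not code from the original post, that wraps the same WSMan:\localhost\Client\TrustedHosts item in three small functions so that entries are added and removed one at a time. The host names srv01.corp.example and 192.168.200.161 are placeholders. A wildcard entry matters from a security standpoint because TrustedHosts bypasses the mutual authentication Kerberos provides: with * the client will complete an NTLM exchange with whatever answers at a name or address, so keeping the list to the hosts actually needed limits where credentials are sent.

```powershell
# Added example: manage the WinRM client TrustedHosts list one entry at a time
# instead of trusting every host with "*". Placeholder host names are used.
# Run from an elevated PowerShell prompt on the client machine.

function Get-TrustedHostList {
    # Returns the current entries as an array of strings (empty array if none).
    $value = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ([string]::IsNullOrWhiteSpace($value)) { return @() }
    return $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Add-TrustedHost {
    param([Parameter(Mandatory)][string]$HostName)
    $list = @(Get-TrustedHostList)
    if ($list -contains $HostName) { return $list }   # already present, nothing to do
    $list += $HostName
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($list -join ',') -Force
    return $list
}

function Remove-TrustedHost {
    param([Parameter(Mandatory)][string]$HostName)
    $list = @(Get-TrustedHostList) | Where-Object { $_ -ne $HostName }
    # An empty string clears the list, which is what Clear-Item does as well.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($list -join ',') -Force
    return $list
}

# Usage: add only the hosts that must be reached by IP address or across domains.
Add-TrustedHost -HostName 'srv01.corp.example'
Add-TrustedHost -HostName '192.168.200.161'
Get-TrustedHostList

# Remove a single entry without disturbing the others.
Remove-TrustedHost -HostName 'srv01.corp.example'
```

Reviewing the output of Get-TrustedHostList on administrative workstations is a cheap periodic check; an unexpected * or an unfamiliar address in that list is a configuration finding worth following up.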

If you pass only a user name to -Credential during remote execution, PowerShell prompts for the password. To run without a prompt, create a PSCredential object that holds the user name and password and pass it with the -Credential parameter. The -ScriptBlock parameter takes the code to be executed remotely.

$UserName = "admin3"
$serverpass = "admin123!@"
# Build a SecureString from the plain-text password and wrap both in a PSCredential.
$Password = ConvertTo-SecureString $serverpass -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($UserName, $Password)
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock { ipconfig }

Run help * -Parameter ComputerName to list all cmdlets that accept a ComputerName parameter and can therefore be used against a remote host directly. The $cred object can be passed to them for authentication in the same way as in the code above.

Wrapping the call in a loop over a list of computers gives one-to-many execution.

If the output is too complex to read, use ConvertTo-Csv or ConvertTo-Html to convert the PowerShell objects to CSV or HTML.
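The one-to-many loop with a PSCredential and CSV/HTML conversion, as an added example that is not part of the original post. The host names, the account CORP\admin3 and the output file names are placeholders; the password is requested with Get-Credential instead of being written into the script as in the snippet above.

```powershell
# Added example: run one script block on several hosts with a PSCredential and
# save the merged result as CSV and HTML. Host names and paths are placeholders.

$targets = @('srv01.corp.example', 'srv02.corp.example', '192.168.200.161')

# Prompt for the password rather than storing it in the script file.
$cred = Get-Credential -UserName 'CORP\admin3' -Message 'Account used for remoting'

$results = foreach ($computer in $targets) {
    try {
        # Invoke-Command stamps every returned object with PSComputerName,
        # so rows from different hosts stay distinguishable after merging.
        Invoke-Command -ComputerName $computer -Credential $cred -ErrorAction Stop -ScriptBlock {
            Get-Service | Where-Object { $_.Status -eq 'Running' } |
                Select-Object Name, DisplayName, Status
        }
    }
    catch {
        # Keep going when one host is unreachable; record the failure as a row
        # so the report shows which hosts were not collected.
        [pscustomobject]@{
            PSComputerName = $computer
            Name           = 'ERROR'
            DisplayName    = $_.Exception.Message
            Status         = $null
        }
    }
}

$rows = $results | Select-Object PSComputerName, Name, DisplayName, Status

# CSV for further processing, HTML for reading.
$rows | ConvertTo-Csv -NoTypeInformation | Set-Content .\running-services.csv
$rows | ConvertTo-Html -Title 'Running services' | Set-Content .\running-services.html
```

The loop runs hosts sequentially, which keeps the error handling simple. Invoke-Command also accepts the whole $targets array on -ComputerName and then fans out in parallel (32 connections at a time by default, adjustable with -ThrottleLimit); in that form a failing host produces a non-terminating error rather than a row, so collect $Error or use -ErrorVariable if you need the same per-host record.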

To get an interactive one-to-one PowerShell session, run Enter-PSSession as follows:

Enter-PSSession -ComputerName 192.168.200.161 -Credential $cred

0x03 multi-task distribution

When Invoke-Command is used, -ComputerName can take multiple computers. Add the -AsJob parameter to run the work in the background. To collect the output, use Get-Job to find the job ID and then Receive-Job to receive all results. But what if you only want the results from one remote host? You can do this as follows:

Get-Job -Id 1 | select -ExpandProperty childjobs

Once you have the child job ID, use Receive-Job to receive that host's output.
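The job workflow from this section end to end, as an added example (not from the original post): fan out with -AsJob, map the child jobs to the hosts they ran on, read back one host's output through its child job, and surface failed hosts instead of losing them. Host names are placeholders, and $cred is a PSCredential created as earlier in the post.

```powershell
# Added example: background remoting with -AsJob and per-host results via child jobs.
# Host names are placeholders; $cred is a PSCredential built as shown earlier.

$targets = @('srv01.corp.example', 'srv02.corp.example')

$job = Invoke-Command -ComputerName $targets -Credential $cred -AsJob -JobName 'Inventory' -ScriptBlock {
    Get-Process | Sort-Object WorkingSet64 -Descending |
        Select-Object -First 5 Name, Id, WorkingSet64
}

# The parent job has one child job per target computer; wait for all of them.
Wait-Job -Job $job | Out-Null

# Map each child job to the host it ran on and its final state.
$job | Select-Object -ExpandProperty ChildJobs |
    Select-Object Id, Location, State

# Read back only one host's output by selecting its child job.
# -Keep leaves the results in the job so they can be read again later.
$child = $job.ChildJobs | Where-Object { $_.Location -eq 'srv02.corp.example' }
Receive-Job -Job $child -Keep

# Failed child jobs keep their error records; list them rather than dropping hosts silently.
$job.ChildJobs | Where-Object { $_.State -eq 'Failed' } |
    ForEach-Object { "$($_.Location): $($_.JobStateInfo.Reason.Message)" }

# Remove the job once everything has been collected.
Remove-Job -Job $job
```

The Location property of a child job is the computer name, so it is the natural key for the per-host lookup; Get-Job -Id 1 | select -ExpandProperty childjobs from the post shows the same list, and Receive-Job -Id with a child job's ID is equivalent to passing the object as above.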

0x04 Domain Information Collection

Basic information (logs, processes, services, and so on) can be collected with the commands listed above, but remote Invoke-Command calls require credentials. Is there a way other than nltest to collect the trust relationships of the domain?

Windows provides the System.DirectoryServices.ActiveDirectory namespace, which deals with Windows domains. It contains a Domain class whose GetAllTrustRelationships() method returns the domain's trust relationships.

In PowerShell, you can run the following command:

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

This returns the trust relationships of the current domain. If you want to write your own scripts, the documents in the references below are a good starting point.
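An added example, not code from the original post, that builds on the one-liner above: it enumerates the trusts of both the current domain and the current forest through System.DirectoryServices.ActiveDirectory (the Forest class is not mentioned in the post; forest trusts are not returned by the Domain object) and turns them into objects that can be filtered and exported for a trust audit. It must run on a domain-joined machine under a domain account; the output file name is a placeholder.

```powershell
# Added example: summarise domain and forest trust relationships for review.
# Requires a domain-joined host and a logged-on domain account. The CSV path is a placeholder.

function Get-TrustSummary {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Domain-level trusts: external, parent/child, shortcut (CrossLink), ...
    $domainTrusts = foreach ($t in $domain.GetAllTrustRelationships()) {
        [pscustomobject]@{
            Scope     = 'Domain'
            Source    = $t.SourceName
            Target    = $t.TargetName
            Direction = $t.TrustDirection   # Inbound, Outbound or Bidirectional
            Type      = $t.TrustType        # External, ParentChild, Forest, ...
        }
    }

    # Forest-level trusts live on the Forest object, not on the Domain object.
    $forestTrusts = foreach ($t in $forest.GetAllTrustRelationships()) {
        [pscustomobject]@{
            Scope     = 'Forest'
            Source    = $t.SourceName
            Target    = $t.TargetName
            Direction = $t.TrustDirection
            Type      = $t.TrustType
        }
    }

    return @($domainTrusts) + @($forestTrusts)
}

$trusts = Get-TrustSummary
$trusts | Format-Table -AutoSize

# Inbound and bidirectional trusts are the ones that allow accounts from the
# other side to authenticate here, so they deserve a separate look.
$trusts | Where-Object { $_.Direction -ne 'Outbound' } |
    Select-Object Source, Target, Direction, Type

$trusts | Export-Csv -Path .\domain-trusts.csv -NoTypeInformation
```

Comparing the exported list against the trusts that are documented and expected is the point of the exercise: a trust nobody can account for, or a bidirectional trust where only outbound was intended, is exactly the kind of configuration the blog post in the references warns about.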

In addition, do you still remember the local_admin_search module from the earlier Metasploit notes? Veil-PowerView implements the same check in the same way.

Both scripts call the OpenSCManagerA API to connect to the remote host's Service Control Manager and test whether the call succeeds:

Local_admin_search.rb

Invoke-CheckLocalAdminAccess

The Veil-PowerView author's blog post on the subject is the first entry in the references.

0x05 References

http://www.harmj0y.net/blog/redteaming/trusts-you-might-have-missed/

http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory.domain(v=vs.110).aspx

https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Schroeder-The-Veil-Framework-Slides.pdf


V3 Secrets of PowerShell Remoting.pdf

0x06 PowerShell pentest projects worth studying

Many blogs and projects turned up while putting these notes together. They are shared here.

PowerShell HID attack toolkit: https://github.com/samratashok/Kautilya

Post-exploitation: https://github.com/samratashok/nishang

Remote DLL injection: https://github.com/clymb3r

ASPX PowerShell webshell: https://github.com/samratashok/nishang/tree/master/Antak-WebShell

Veil post-exploitation: https://github.com/Veil-Framework/Veil-PowerView

A PowerShell post-exploitation framework: https://github.com/mattifestation/PowerSploit

Local privilege escalation: https://github.com/HarmJ0y/PowerUp
