Powershell tricks: Powershell Remoting
0x01 Introduction
PowerShell Remoting is built on the Windows WinRM service. It supports one-to-one or one-to-many remote control, and uses HTTP or HTTPS "listeners" that speak the WS-MAN protocol to receive remotely delivered commands.
Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol, which provides a secure way for local and remote computers to communicate using web services. Because it is built on the WS-MAN protocol, the client environment can be diverse: for example, the open-source openwsman implementation.
[Figure omitted. Image source: v3 Secrets of PowerShell Remoting]
0x02 Remote Management
Before Windows Server 2008, PowerShell Remoting was disabled by default and had to be enabled by an administrator running the Enable-PSRemoting command.
On Windows Server 2012, PowerShell Remoting is enabled by default.
On Windows, PowerShell uses WinRM for remote management by default. The default listening ports differ between WinRM versions, as follows:
WinRM 1.1: HTTP port 80 and HTTPS port 443
WinRM 2.x: HTTP port 5985 and HTTPS port 5986
Refer here to determine the WinRM version.
Run the Enable-PSRemoting command to enable remote connections. Kerberos authentication is used by default, so this method is only suitable for two computers in the same domain or a trusted domain (the computer name may carry a DNS suffix). It does not support cross-domain, out-of-domain or IP-address targets.
To run the following code against a host in another domain or by IP address, the client side must first add all remote hosts (or a single host) to its trusted-host list:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
Delete all remote trusted hosts:
Clear-Item WSMan:\localhost\Client\TrustedHosts
To delete a single remote host, run the following commands:
$newvalue = ((Get-ChildItem WSMan:\localhost\Client\TrustedHosts).Value).Replace("computer01,","")
Set-Item WSMan:\localhost\Client\TrustedHosts $newvalue
Replace computer01 with the name of the host to remove.
List all remote trusted hosts:
Get-Item WSMan:\localhost\Client\TrustedHosts
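The string-replace one-liner above only works when the entry is followed by a comma, so it silently leaves the last entry in place. As an added example (not code from the original post), the following functions treat TrustedHosts as a list and add or remove one entry at a time. They assume an elevated PowerShell session; the host names in the usage lines are constructed placeholders.

```powershell
# Added example: manage the WinRM TrustedHosts list entry by entry
# instead of editing the comma-separated string by hand.
# Assumes an elevated session; host names below are constructed.

function Get-TrustedHostList {
    $value = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ([string]::IsNullOrWhiteSpace($value)) { return @() }
    return $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Add-TrustedHost {
    param([Parameter(Mandatory)][string]$Name)
    $list = @(Get-TrustedHostList)
    if ($list -contains $Name) { return }
    # -Concatenate appends to the existing value instead of overwriting it
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Name -Concatenate -Force
}

function Remove-TrustedHost {
    param([Parameter(Mandatory)][string]$Name)
    # Rebuild the list without the entry, which also handles the last item
    $list = @(Get-TrustedHostList) | Where-Object { $_ -ne $Name }
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($list -join ',') -Force
}

# Usage (constructed host names):
Add-TrustedHost -Name 'computer01'
Add-TrustedHost -Name '192.168.200.161'
Remove-TrustedHost -Name 'computer01'
Get-TrustedHostList
```

A value of * makes the client authenticate (with NTLM, since Kerberos cannot be used for IP addresses or untrusted domains) to any host name you type, including a mistyped or spoofed one, so keep the list to the specific names or addresses you actually manage.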
If only the user name is supplied during remote execution, you are prompted for the password. Instead, we can create a PSCredential object that holds the user name and password and pass it with the -Credential parameter. The -ScriptBlock parameter is followed by the code to execute.
$UserName = "admin3"
$serverpass = "admin123!@"
$Password = ConvertTo-SecureString $serverpass -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($UserName,$Password)
invoke-command -ComputerName localhost -Credential $cred -ScriptBlock { ipconfig }
Run help * -Parameter ComputerName to list all commands that support remote use by default; $cred can be passed to them for authentication just as in the code above.
A foreach loop then gives you one-to-many execution.
If the output is too complex, use ConvertTo-Csv or ConvertTo-Html to convert the PowerShell objects to CSV or HTML.
To get an interactive one-to-one PowerShell session, run Enter-PSSession as follows:
Enter-PSSession -ComputerName 192.168.200.161 -Credential $cred
0x03 multi-task distribution
When Invoke-Command is used, -ComputerName accepts multiple values. During execution you can use the -AsJob parameter to run the command in the background. To collect the output, use Get-Job to find the job id and then Receive-Job to receive all the results. But what if you only want the results from one remote host? You can do this as follows:
Get-Job -Id 1 | select -ExpandProperty childjobs
Once you have the child job id, use Receive-Job on it to receive that host's results.
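The following script is an added example (not code from the original post) that puts the pieces from this and the previous section together: a stored credential, one Invoke-Command fanned out to several hosts with -AsJob, per-host collection through the child jobs, and conversion of the result to CSV and HTML. The host names and user name are constructed placeholders; the password is read at the prompt rather than stored in the script.

```powershell
# Added example: run one command on several hosts with a stored credential,
# as background jobs, and collect each host's result separately.
# Host names and user name are constructed placeholders.

$UserName = 'admin3'
$Password = Read-Host -Prompt "Password for $UserName" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential($UserName, $Password)

$targets = @('192.168.200.161', '192.168.200.162', 'computer01')

# One Invoke-Command fans out to all hosts; -AsJob returns a parent job
# with one child job per target computer.
$job = Invoke-Command -ComputerName $targets -Credential $cred -AsJob -ScriptBlock {
    Get-Service | Where-Object Status -eq 'Running' |
        Select-Object Name, DisplayName, Status
}

# Bound the wait so one unreachable host does not block the whole run
Wait-Job -Job $job -Timeout 120 | Out-Null

$report = foreach ($child in $job.ChildJobs) {
    if ($child.State -eq 'Completed') {
        # Each remote object carries PSComputerName, so rows stay attributable
        Receive-Job -Job $child -Keep |
            Select-Object PSComputerName, Name, DisplayName, Status
    } else {
        # Failed or still-running children: record why instead of dropping the host
        [pscustomobject]@{
            PSComputerName = $child.Location
            Name           = $null
            DisplayName    = "JOB $($child.State): $($child.JobStateInfo.Reason)"
            Status         = $null
        }
    }
}

$report | ConvertTo-Csv -NoTypeInformation | Set-Content .\running-services.csv
$report | ConvertTo-Html -Title 'Running services' | Set-Content .\running-services.html
Remove-Job -Job $job -Force
```

Receive-Job with -Keep leaves the child job's output in place, so the same host can be inspected again with Get-Job -Id and Receive-Job before the parent job is removed.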
0x04 Domain Information Collection
Basic information collection (logs, processes, services and so on) can be done with the commands listed above, but remote invocation with Invoke-Command requires credentials. Can we collect the trusted domains within the domain, as nltest does?
On Windows there is a System.DirectoryServices.ActiveDirectory namespace related to the Windows domain. It contains a Domain class whose GetAllTrustRelationships() method returns the domain's trust relationships.
In PowerShell, you can run the following command:
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
This returns the current domain's trust relationships. If you need to develop your own scripts, you can also refer to the documentation in the references.
Also, do you remember the local_admin_search module from the earlier Metasploit notes? Veil-PowerView implements the same process in the same way.
Both scripts call the OpenSCManagerA API to connect to the remote host and test whether the call succeeds, which indicates local administrator access on that host.
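As an added example that is not part of the original post, the function below wraps the same call and also queries the forest-level trusts, selecting the properties a reviewer usually needs (source, target, type and direction). It must run on a domain-joined host as a domain user; no other parameters are assumed.

```powershell
# Added example: list the current domain's and forest's trust relationships
# with the properties that matter for review. Runs on a domain-joined host.

Add-Type -AssemblyName System.DirectoryServices

function Get-TrustReport {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    $scopes = @(
        @{ Level = 'Domain'; Trusts = $domain.GetAllTrustRelationships() },
        @{ Level = 'Forest'; Trusts = $forest.GetAllTrustRelationships() }
    )

    $rows = foreach ($scope in $scopes) {
        foreach ($t in $scope.Trusts) {
            # TrustRelationshipInformation exposes these four properties
            [pscustomobject]@{
                Level          = $scope.Level
                SourceName     = $t.SourceName
                TargetName     = $t.TargetName
                TrustType      = $t.TrustType       # e.g. ParentChild, External, Forest
                TrustDirection = $t.TrustDirection  # Inbound, Outbound, Bidirectional
            }
        }
    }
    return $rows
}

Get-TrustReport | Sort-Object Level, TargetName | Format-Table -AutoSize
```

Bidirectional External or Forest trusts to domains you do not administer are the entries worth following up on, since they extend who can authenticate into your domain.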
Local_admin_search.rb
Invoke-CheckLocalAdminAccess
See also the Veil-PowerView author's blog post, linked in the references.
0x05 References
http://www.harmj0y.net/blog/redteaming/trusts-you-might-have-missed/
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory.domain(v=vs.110).aspx
https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Schroeder-The-Veil-Framework-Slides.pdf
V3 Secrets of PowerShell Remoting.pdf
0x06 PowerShell pentest project recommendations
Many blogs and projects turned up while compiling these notes; they are shared here.
PowerShell HID attack toolkit: https://github.com/samratashok/Kautilya
Post exploitation: https://github.com/samratashok/nishang
Remote DLL injection: https://github.com/clymb3r
ASPX PowerShell webshell: https://github.com/samratashok/nishang/tree/master/Antak-WebShell
Veil post exploitation: https://github.com/Veil-Framework/Veil-PowerView
A PowerShell post-exploitation framework: https://github.com/mattifestation/PowerSploit
Local privilege escalation: https://github.com/HarmJ0y/PowerUp