Added auxiliary/scanner/winrm docs #11437
Conversation
documentation/modules/auxiliary/scanner/winrm/winrm_auth_methods.md
Outdated
Show resolved
Hide resolved
…ds.md Co-Authored-By: Yashvendra <yashkashyap00720@gmail.com>
Release NotesDocumentation has been added for the winrm_cmd and winrm_auth_methods auxiliary scanner modules. |
|
Thanks @Yashvendra |
| @@ -0,0 +1,23 @@ | |||
| ## Description | |||
| This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service. If it is a WinRM service, it also gathers the Authentication Methods supported. | |||
|
|
|||
There was a problem hiding this comment.
is this on by default, did you have to set anything to enable it to be vulnerable?
| 3. Do: ```run``` | ||
|
|
||
| ## Scenarios | ||
|
|
| @@ -0,0 +1,34 @@ | |||
| ## Description | |||
| This module runs arbitrary Windows commands using the WinRM Service. It needs login credentials to do so. | |||
There was a problem hiding this comment.
needs valid login credentials to do so.
I'd also ask what auth/group level they need to be. Local admin, domain admin, guest account?
| 6. Do: ```run``` | ||
|
|
||
| ## Scenarios | ||
|
|
|
|
||
| msf auxiliary(scanner/winrm/winrm_cmd) > | ||
| ``` | ||
|
|
There was a problem hiding this comment.
Another good scenario would be showing how to turn this into an exploit. Can you run powershell from it to grab a meterpreter, or other such maneuver?
There was a problem hiding this comment.
How would I grab meterpreter and turn it into an exploit? Can you describe it a bit more.
There was a problem hiding this comment.
I believe @h00die is referring to creating a session using this module, as this module only executes a command, and does not return a session.
One scenario would be using the web_delivery module to generate a staging command, then send that command using the WinRM module.
There was a problem hiding this comment.
Yup, exactly. I'm not sure it's possible, just seemed like it should be
There was a problem hiding this comment.
Yup, exactly. I'm not sure it's possible, just seemed like it should be
It should be. That's what the exploit/windows/winrm/winrm_script_exec.rb module is for.
I'm not sure why there's two modules.
There was a problem hiding this comment.
Yup, exactly. I'm not sure it's possible, just seemed like it should be
Will do it.
There was a problem hiding this comment.
I tried running running powershell script of web_delivery as a CMD of winrm_cmd but this error threw up.
Looks like the code has syntax errors.
And ignore the test in auxiliary/scanner/winrm/test , it is same as auxiliary/scanner/winrm/winrm_cmd
There was a problem hiding this comment.
If there is a direct exploitation route through a module, you could just reference it directly. ie https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/x11/open_x11.md#direct-exploitation
It looks like maybe there is an encoding issue, or some other deeper issue going on. Throw the exploitation reference to the msf module and call it a day. While it would be cool to show this other method, it may be more than its worth since there's a module already
There was a problem hiding this comment.
Yeah. I even tried running commands like start to connect to the listener server, but didn't work. Will go with the reference I guess.
Added
auxiliary/scanner/winrm/winrm_cmdandauxiliary/scanner/winrm/winrm_auth_methodsmodules docs.