Pentest - PowerShell Remoting Cheatsheet

最新推荐文章于 2022-02-15 09:17:56 发布

Nixawk

最新推荐文章于 2022-02-15 09:17:56 发布

阅读量1k

点赞数

分类专栏： Pentesting

Pentesting 专栏收录该内容

160 篇文章 1 订阅

订阅专栏

Introduction to PowerShell Remoting

PowerShell Remoting is essentially a native Windows remote command execution feature that’s build on top of the Windows Remote Management (WinRM) protocol. Based on my super Google results, WinRM is supported by Windows Vista with Service Pack 1 or later, Windows 7, Windows Server 2008, and Windows Server 2012.

Enable PowerShell Remoting

PS C:\> Enable-PSRemoting

WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable this machine for remote management through WinRM
 service.
 This includes:
    1. Starting or restarting (if already started) the WinRM service
    2. Setting the WinRM service type to auto start
    3. Creating a listener to accept requests on any IP address
    4. Enabling firewall exception for WS-Management traffic (for http only).

Do you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
PS C:\>

PS C:\> Enable-PSSessionConfiguration

WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable this machine for remote management through WinRM
 service.
 This includes:
    1. Starting or restarting (if already started) the WinRM service
    2. Setting the WinRM service type to auto start
    3. Creating a listener to accept requests on any IP address
    4. Enabling firewall exception for WS-Management traffic (for http only).

Do you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.

Make sure the WinRM service is setup to start automatically.

# Set start mode to automatic
Set-Service WinRM -StartMode Automatic

# Verify start mode and state - it should be running
Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}

Set all remote hosts to trusted. Note: You may want to unset this later.

# Trust all hosts
Set-Item WSMan:localhost\client\trustedhosts -value *

# Verify trusted hosts configuration
Get-Item WSMan:\localhost\Client\TrustedHosts

Disable PowerShell Remoting

Disable-PSRemoting
Disable-PSSessionConfiguration

Execute Remote Commands with PowerShell Remoting

Now we can play around a little. There’s a great blog from a while back that provides a nice overview of PowerShell Remoting at http://blogs.technet.com/b/heyscriptingguy/archive/2009/10/29/hey-scripting-guy-october-29-2009.aspx. It’s definitely on my recommended reading list, but I’ll expand on the examples a little.

The “Invoke-Command” command can be used to run commands on remote systems. It can run as the current user or using alternative credentials from a non domain system. Examples below.

[remoting]: PS C:\> Invoke-Command -ComputerName remoting -ScriptBlock {Hostname}
REMOTING

[remoting]: PS C:\> Invoke-Command –ComputerName MyServer1 -Credential demo\serveradmin -ScriptBlock {Hostname}

If the ActiveDirectory PowerShell module is installed it’s possible to execute commands on many systems very quickly using the pipeline. Below is a basic example.

Get-ADComputer -Filter *  -properties name | select @{Name="computername";Expression={$_."name"}} | Invoke-Command -ScriptBlock {hostname}

Sometimes it’s nice to run scripts stored locally on your system against remote systems. Below are a few basic examples.

Invoke-Command -ComputerName MyServer1 -FilePath C:\pentest\Invoke-Mimikatz.ps1
Invoke-Command -ComputerName MyServer1 -FilePath C:\pentest\Invoke-Mimikatz.ps1 -Credential demo\serveradmin

Also, if your dynamically generating commands or functions being passed to remote systems you can use invoke-expression through invoke-command as shown below.

$MyCommand = "hostname"
$MyFunction = "function evil {write-host `"Getting evil...`";iex -command $MyCommand};evil"
invoke-command -ComputerName MyServer1 -Credential demo\serveradmin -ScriptBlock {Invoke-Expression -Command  "$args"} -ArgumentList $MyFunction

Establish an Interactive PowerShell Console on a Remote System

An interactive PowerShell console can be obtained on a remote system using the “Enter-PsSession” command. It feels a little like SSH. Similar to “Invoke-Command”, “Enter-PsSession” can be run as the current user or using alternative credentials from a non domain system. Examples below.

PS C:\> Enter-PSSession -ComputerName Remoting
[remoting]: PS C:\Users\Administrator\Documents> PS C:\>

PS C:\> Enter-PsSession –ComputerName server1.domain.com –Credentials domain\serveradmin

If you want out of the PowerShell session the “Exit-PsSession” command can be used.

Exit-PsSession

Create Background Sessions

There is another cool feature of PowerShell Remoting that allows users to create background sessions using the “New-PsSession” command. Background sessions can come in handy if you want to execute multiple commands against many systems. Similar to the other commands, the “New-PsSession” command can run as the current user or using alternative credentials from a non domain system. Examples below.

New-PSSession -ComputerName server1.domain.com
New-PSSession –ComputerName server1.domain.com –Credentials domain\serveradmin

If the ActiveDirectory PowerShell module is installed it’s possible to create background sessions for many systems at a time (However, this can be done in many ways). Below is a command example showing how to create background sessions for all of the domain systems. The example shows how to do this from a non domain system using alternative domain credentials.

New-PSDrive -PSProvider ActiveDirectory -Name RemoteADS -Root "" -Server a.b.c.d -credential domain\user
cd RemoteADS:
Get-ADComputer -Filter * -Properties name  | select @{Name="ComputerName";Expression={$_."name"}} | New-PSSession

List Background Sessions

Once a few sessions have been established the “Get-PsSession” command can be used to view them.

Get-PSSession

Interacte with Background Sessions

The first time I used this feature I felt like I was working with Metasploit sessions, but these sessions are a little more stable. Below is an example showing how to interact with an active session using the session id.

Enter-PsSession –id 3

To exit the session use the “Exit-PsSession” command. This will send the session into the background again.

Exit-PsSession

Execute Commands through Background Sessions

If your goal is to execute a command on all active sessions the “Invoke-Command” and “Get-PsSession” commands can be used together. Below is an example.

Invoke-Command -Session (Get-PSSession) -ScriptBlock {Hostname}

Remove Background Sessions

Finally, to remove all of your active sessions the “Disconnect-PsSession” command can be used as shown below.

Get-PSSession | Disconnect-PSSession

WinRM HELP

PS C:\Windows\system32> Get-Help WinRM

Name                              Category  Synopsis
----                              --------  --------
Disable-PSRemoting                Cmdlet    Prevents the computer from receiving remote Windows PowerShell commands.
Set-WSManQuickConfig              Cmdlet    Configures the local computer for remote management.
Test-WSMan                        Cmdlet    Tests whether the WinRM service is running on a local or remote computer.
Connect-WSMan                     Cmdlet    Connects to the WinRM service on a remote computer.
Disconnect-WSMan                  Cmdlet    Disconnects the client from the WinRM service on a remote computer.
Get-WSManInstance                 Cmdlet    Displays management information for a resource instance specified by a R...
Set-WSManInstance                 Cmdlet    Modifies the management information that is related to a resource.
Remove-WSManInstance              Cmdlet    Deletes a management resource instance.
New-WSManInstance                 Cmdlet    Creates a new instance of a management resource.
Unregister-PSSessionConfiguration Cmdlet    Deletes registered session configurations from the computer.
Set-PSSessionConfiguration        Cmdlet    Changes the properties of a registered session configuration.
Enable-PSSessionConfiguration     Cmdlet    Enables the session configurations on the local computer.
Disable-PSSessionConfiguration    Cmdlet    Denies access to the session configurations on the local computer.
Enable-PSRemoting                 Cmdlet    Configures the computer to receive remote commands.
New-PSSession                     Cmdlet    Creates a persistent connection to a local or remote computer.
Start-Job                         Cmdlet    Starts a Windows PowerShell background job.
Get-WmiObject                     Cmdlet    Gets instances of Windows Management Instrumentation (WMI) classes or in...
Get-Service                       Cmdlet    Gets the services on a local or remote computer.
Set-Service                       Cmdlet    Starts, stops, and suspends a service, and changes its properties.
about_parameters                  HelpFile  Describes how to work with cmdlet parameters in Windows PowerShell.
about_preference_variables        HelpFile  Variables that customize the behavior of Windows PowerShell
about_remote_FAQ                  HelpFile  Contains questions and answers about running remote commands
about_remote_requirements         HelpFile  Describes the system requirements and configuration requirements for
about_remote_troubleshooting      HelpFile  Describes how to troubleshoot remote operations in Windows PowerShell.
about_Windows_PowerShell_2.0      HelpFile  Describes the new features that are included in Windows PowerShell 2.0.
about_WMI_Cmdlets                 HelpFile  Provides background information about Windows Management Instrumentation
about_WS-Management_Cmdlets       HelpFile  Provides an overview of Web Services for Management (WS-Management) as