What is PowerShell remoting from Linux to Windows

2025-04-09 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/02 Report--

This article explains in detail how PowerShell remoting from Linux to Windows works. The editor shares it for reference, in the hope that you will have a good understanding of the topic after reading it.

Prerequisites

1) During post-exploitation, the target can be configured to accept NTLM authentication.

2) The WinRM service on the target is restarted.

3) A PowerShell Docker image that supports NTLM is used on the Linux side, so that you can open a PowerShell remote session from Linux to Windows.

Background information

I happened to find it useful to use PowerShell remoting as the primary method for maintaining system remote code execution in my tests. It is a built-in Windows function. Unfortunately, because of the authentication mechanism supported by the Linux branch of PowerShell Core, it is not easy to connect remotely from my Kali Linux to my destination.

PowerShell remoting normally requires Kerberos authentication, which means that both the client computer and the target computer must be joined to the same domain. If we do not have a domain-joined machine to perform remoting from, this can cause problems for testers. Fortunately, we can add ourselves as a "TrustedHost" in the target configuration, which allows NTLM authentication instead of Kerberos, so there is no need to connect from a system on the domain.

The only problem now is that PowerShell Core for Linux (PowerShell 6.1.0 at the time of this writing) does not support NTLM authentication. Fortunately, Redditors found a way to use PowerShell for NTLM authentication on CentOS, so I integrated their findings into a simple PowerShell Docker image, quickbreach/powershell-ntlm.

How to use PowerShell remoting from Linux to Windows

This section provides step-by-step instructions for establishing a remote PowerShell session from a Linux client to a Windows target. It assumes you already have administrative access to the target PC (RDP, payload, etc.).

1. Enable PowerShell remoting on the target

Enable-PSRemoting -Force

2. Get the current TrustedHosts list on the target system for reference

Get-Item WSMan:\localhost\Client\TrustedHosts

3. Add yourself as a TrustedHost on the target. This is necessary to use NTLM authentication during the Enter-PSSession setup phase, which is the only authentication mechanism that can be used to connect from Linux to Windows over PowerShell remoting. To do this, run one of the following commands.

Use the wildcard value to allow all computers to use NTLM when authenticating to this host (the wildcard is the asterisk; note that this trusts every peer, not just your own address):

Set-Item WSMan:\localhost\Client\TrustedHosts -Force -Value *

Or add only your own IP to the NTLM authentication allow list:

Set-Item WSMan:\localhost\Client\TrustedHosts -Force -Concatenate -Value 192.168.10.100

4. Set the WinRM service to start automatically and restart it

Set-Service WinRM -StartupType Automatic

Restart-Service -Force WinRM

5. Start an instance of the PowerShell-NTLM Docker image. The following example command also bind-mounts your PowerShell scripts at the /mnt path inside the container

docker run -it -v /pathTo/PowerShellModules:/mnt quickbreach/powershell-ntlm

6. Now the moment we have been waiting for: enter the remote PowerShell session using the following commands. Note that you must specify the -Authentication type:

# Grab the creds we will be logging in with

$creds = Get-Credential

# Launch the session

# Important: you MUST state the authentication type as Negotiate

Enter-PSSession -ComputerName (Target-IP) -Authentication Negotiate -Credential $creds

# i.e.

Enter-PSSession -ComputerName 10.20.30.190 -Authentication Negotiate -Credential $creds

You can use Invoke-Command in a similar way:

Invoke-Command -ComputerName 10.20.30.190 -Authentication Negotiate -Credential $creds -ScriptBlock {Get-HotFix}

Remove traces

If TrustedHosts already contained entries before you added your own, substitute your IP and run the following commands (the -Concatenate step above appended your address with a leading comma, which is what the .replace call strips):

$newvalue = ((Get-ChildItem WSMan:\localhost\Client\TrustedHosts).Value).Replace(",192.168.10.100", "")

Set-Item WSMan:\localhost\Client\TrustedHosts -Force -Value $newvalue

Or, if your address is the only TrustedHosts entry, you can delete all TrustedHosts:

Clear-Item WSMan:\ localhost\ Client\ TrustedHosts

Restart the WinRM service to complete the changes (note that this will disconnect you from Enter-PSSession)

Restart-Service WinRM
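The single .Replace call above only works when your address was appended last with a leading comma; it leaves a stray separator or an unchanged list otherwise. The following is an added example (not from the original article or the powershell-ntlm project) that an administrator can run elevated on the Windows host to audit the TrustedHosts list for a wildcard and to remove one named entry wherever it sits in the list. The IP address is a constructed sample.

```powershell
# Added example: audit and clean the WinRM TrustedHosts list.
# Assumes it runs in an elevated PowerShell on the Windows host.

function Get-TrustedHostEntries {
    # WSMan stores TrustedHosts as one comma-separated string
    $raw = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-TrustedHostsRisk {
    # Reports whether any peer (wildcard '*') may use NTLM against this host
    $entries = Get-TrustedHostEntries
    [pscustomobject]@{
        Entries       = $entries
        AllowsAnyHost = ($entries -contains '*')
        HasWildcards  = @($entries | Where-Object { $_ -like '*[*]*' }).Count -gt 0
    }
}

function Remove-TrustedHostEntry {
    param([Parameter(Mandatory)][string]$Entry)
    # Drop the entry regardless of its position (first, middle, last or only one);
    # an empty -Value clears the list, the same result as Clear-Item
    $remaining = Get-TrustedHostEntries | Where-Object { $_ -ne $Entry }
    Set-Item WSMan:\localhost\Client\TrustedHosts -Force -Value ($remaining -join ',')
    # Restart so the new list takes effect (this drops active sessions)
    Restart-Service WinRM
}

# Usage with a constructed sample address
Test-TrustedHostsRisk | Format-List
Remove-TrustedHostEntry -Entry '192.168.10.100'
```

Run Test-TrustedHostsRisk on its own first; an AllowsAnyHost value of True means the wildcard from step 3 is still in place and should be replaced with specific addresses.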

That covers PowerShell remoting from Linux to Windows. I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, please share it so that more people can see it.
