🦦
Otter's Notes
  • Introduction
  • Articles
    • Dumping data from the Microsoft Recall folder
    • Gaining persistence on Windows with Time Providers
    • Reverse engineering LSASS to decrypt DPAPI keys
    • Intro to Hypervisor Implants
    • In-depth Windows Telemetry
  • Notes
    • Active Directory
      • Active Directory Structure
      • Active Directory Terminology
      • Active Directory Objects
      • Active Directory Groups
      • Active Directory Functionality
      • Active Directory Protocols
      • Active Directory Rights and Privileges
      • Security in Active Directory
      • Users and Machine Accounts
      • NTLM
      • LDAP
      • Making a Target User List
      • Enumerating & Retrieving Password Policies
      • Enumerating Security Controls
      • Examining Group Policy
      • GPOs
      • LAPS
      • LLMNR & NBT-NS Poisoning
      • LOLBIN Enumeration
    • AAD
      • Useful Links
      • Overview of Azure & M365
      • Enumerate Users and Domains
      • Post-exploitation Reconnaissance
      • OAuth 2.0 Abuse
      • Abusing Device Code Authentication
      • Abusing Cloud Administrator Role
      • Abusing User Administrator Role
      • AAD Federated Backdoor
      • Service Principal Abuse
      • Compromising Azure Blobs and Storage Accounts
      • Malicious Device Join
      • Disabling Auditing (Unified Audit Logs)
      • Spoofing Azure Sign-In Logs
      • Registering Fake Agents for Log Spoofing
      • Pass the PRT
      • Pass the Cookie
      • Abusing Managed Identities
      • Virtual Machine Abuse
      • Attacking Key Vaults
    • Forest Trust Abuse
      • Parent-Child Trust Abuse
      • One-Way Inbound Trust Abuse
      • Foreign Group Membership
      • Foreign ACL Principals
      • SID History
      • SID Filter Bypass
      • Intra-Forest Attacks
        • Configuration Naming Context Replication
        • ADCS NC Replication Attack
        • GPO On-Site Attack
        • GoldenGMSA Attack
        • DNS Trust Attack
      • Cross-Forest Attacks
        • Trust Account Attack
        • Abusing SQL Linked Servers
        • Abusing PAM Trusts
    • Kerberos
      • Overview of Kerberos Authentication
      • Silver Tickets
      • Golden Tickets
      • Diamond Tickets
      • Kerberoasting
      • AS-REPRoasting
      • Resource-Based Constrained Delegation
      • Constrained Delegation
      • Unconstrained Delegation
      • S4U2Self & S4U2Proxy
      • Golden Certificates
    • DACL Abuse
      • DACL Overview
      • DACLs Enumeration
      • AddMembers
      • GPO Attacks
      • Granting Rights and Ownership
      • Logon Scripts
      • NoPAC
      • Password Abuse
      • SPN Jacking
      • Shadow Credentials
      • Targeted Kerberoasting
    • ADCS
      • Introduction to ADCS
      • ESC1
      • ESC2
      • ESC3
      • ESC4
      • ESC5
      • ESC6
      • ESC7
      • ESC8
      • ESC9
      • ESC10
      • ESC11
      • Certificate Mapping
    • PowerShell
      • PowerShell Basics
      • PowerShell Remoting
      • Alternate PowerShell Hosts
      • PowerShell Pipeline Runners
      • PowerShell Code Signing
      • Scriptblock Logging
      • PowerShell CLM
      • AMSI
      • PowerShell Reflection
      • WMI - Windows Management Instrumentation
      • Interfacing with AD
      • PowerShell Snippets
        • Bypass application whitelisting and CLM with runscripthelper and WMI
        • Create fake PowerShell logs
        • Enumerate AD ACLs
        • Enumerate WMI events
        • Enumerate Domain Trusts
        • Enumerate change metadata
        • Enumerate non-signed service binaries
        • Enumerate with GPOs
        • Find signed alternate PowerShell hosts
        • Get AMSI module
        • Group processes by user with WMI
        • Hide processes from Get-Process
        • Malware re-purposing with PowerShell reflection
        • Monitor PowerShell hosts with WMI
        • PowerShell reflection offensive use-case
        • Query PowerShell alternative hosts with WMI
        • Retrieve file certificate
        • Search LDAP for misconfigurations
        • Sign custom code with PowerShell
        • WMI service creation
        • Weak folder permission enumeration
    • AWS
      • AWS Organizations
      • AWS Principals
    • Binary Exploitation
      • Environment setup for Browser Exploitation
      • Browser Overview and Components
    • Kernel Development
      • Windows
        • Configuring a VM for driver development
Powered by GitBook
On this page
  1. Notes
  2. PowerShell

PowerShell Remoting

PowerShell remoting is a protocol that allows to run PowerShell commands remote systems; it was first introduced in PowerShellV2 and it's based on the Simple Object Access Protocol. It is considered a firewall-friendly protocol as it only uses one port

  • 5985 for HTTP

  • 5986 for HTTPS

and provides temporary persistence.

Traffic sent with the protocol is encrypted by default with AES256 and authentication is handled by Kerberos - this means that the credentials are not passed to the remote system at all, only to the DC and KDC, eliminating the chances of an attacker harvesting them from the remote system.

To set the protocol up we need to do the following

  1. Start the WinRM service

Start-Service -Name WinRM

  1. Set the WinRM service startup type to Automatic

Set-Service -Name WinRM -StartupType Automatic

  1. Create a WinRM listener (HTTP or HTTPS)

# ensure that WinRM is enabled and create a listener for HTTP
winrm quickconfig -force
# ensure that WinRM is enabled
winrm quickconfig -force

# create an HTTPS listener (requires a certificate)
# replace "YOUR_CERT_THUMBPRINT" with the thumbprint of your certificate
# replace "YOUR_DOMAIN_OR_IP" with your domain name or IP address

$certThumbprint = "YOUR_CERT_THUMBPRINT"
$urlPrefix = "https://+:5986/wsman/"
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="YOUR_DOMAIN_OR_IP"; CertificateThumbprint=$certThumbprint}

  1. Allow WinRM requests through local firewall

# allow inbound HTTP WinRM traffic on port 5985
New-NetFirewallRule -Name "Allow WinRM HTTP" -DisplayName "Allow WinRM HTTP" -Enabled True -Profile Any -Action Allow -Direction Inbound -Protocol TCP -LocalPort 5985
# allow inbound HTTPS WinRM traffic on port 5986
New-NetFirewallRule -Name "Allow WinRM HTTPS" -DisplayName "Allow WinRM HTTPS" -Enabled True -Profile Any -Action Allow -Direction Inbound -Protocol TCP -LocalPort 5986

WinRM listeners can be HTTP or HTTPS; WinRM traffic is encrypted by default in both cases but HTTPS listeners need server authentication for non-domain systems.

By default, the ACL for each PowerShell remote endpoint grant access to NT AUTHORITY\INTERACTIVE, Administrators and Remote Management Users. The ACLs can be seen with

Get-PSSessionConfiguration | Select-Object -ExludeProperty Permission

PS remoting is limited to systems that are domain-joined and use Kerberos authentication.

This limitation is in place to guarantee mutual authentication.

To know if PS remoting is enabled on a remote computer we can use the Test-WSMan command

Test-WSMan -ComputerName 10.10.10.10

If remoting is enabled, we can create a new PS session with the right credentials

$session = New-PSSession -ComputerName 10.10.10.10 -Credential administrator
Enter-PSSession -Session $session

CIM sessions got introduced with PowerShellV3, the main use for these sessions is creating reusable sessions to reduce authentication overhead.

$session = New-CimSession -ComputerName localhost
Get-CimInstance -CimSession $session -CassName Win32_Process

It's possible to execute scripts, functions or scriptblocks remotely with a saved session

Invoke-Command -Session $sessions[3] -FilePath script.ps1
function hello {Write-Host "hi"}
Invoke-Command -Session $sessions[3] -ScriptBlock ${ function:hello }
Invoke-Command -Session $sessions[3] -ScriptBlock ${ Write-Host "hi" }
PreviousPowerShell BasicsNextAlternate PowerShell Hosts

Last updated 8 months ago