PowerShell

Description

This exploiter uses brute-force to propagate to a victim through PowerShell Remoting using Windows Remote Management (WinRM).

See Microsoft’s documentation for more on PowerShell Remoting Protocol external link and Windows Remote Management external link .

Credentials used

The PowerShell exploiter can be run from both Linux and Windows attackers. On Windows attackers, the exploiter has the ability to use the cached username and/or password from the current user. On both Linux and Windows attackers, the exploiter uses all combinations of the user-configured usernames and passwords , as well as and LM or NT hashes that have been collected. Different combinations of credentials are attempted in the following order:

  1. Cached username and password (Windows attacker only) - The exploiter will use the stored credentials of the current user to attempt to log into the victim machine.

  2. Brute force usernames with blank passwords - Windows allows you to configure a user with a blank/empty password. The exploiter will attempt to log into the victim machine using each username set in the configuration with a blank password.

    In order for the attacker to connect with a blank password, the victim must have enabled basic authentication, http and no encryption.

  3. Brute force usernames with cached password (Windows attacker only) - The exploiter will attempt to log into the victim machine using each username set in the configuration and the current user’s cached password.

  4. Brute force usernames and passwords - The exploiter will attempt to use all combinations of usernames and passwords that were set in the configuration.

  5. Brute force usernames and LM hashes - The exploiter will attempt to use all combinations of usernames that were set in the configuration and LM hashes that were collected from any other victims.

  6. Brute force usernames and NT hashes - The exploiter will attempt to use all combinations of usernames that were set in the configuration and NT hashes that were collected from any other victims.

Securing PowerShell Remoting

Information about how to remediate security concerns related to PowerShell Remoting can be found here external link .