PowerShell + WinRM = Get-WinRMPassword

Hi All!

So I was working out what I will be putting in the paper based upon my PowerShell Shenanigans presentation from CrikeyCon, and started to ponder a few things around WinRM. In particular:

  1. How many machines have WinRM exposed to the public Internet?
  2. Out of these, are they exposing HTTP or HTTPS endpoints?
  3. Could this be an interesting remote dictionary/brute force attack?
  4. Could this be written in PowerShell for humour sake?
  5. Could we use this to breach a network and go from there?
  6. Has anyone else thought of this?

Let’s take a look at the answers to these questions.

Well the first two are pretty easy to answer. Turning to our good friend, Shaodan, we can put in some queries to get some rough estimates:

WinRM HTTP Hosts (TCP 5985)     185316

WinRM HTTPS Hosts (TCP 5986)    83840

Now we can’t easily assume that there is 269156 individual hosts out there, because we might have some duplicates (hosts listening on both HTTP and HTTPS) as well as some hosts with other services out there. There could also be older Windows Server systems listening on TCP 80 and 443. Either way, almost 300K is a pretty nice number to work with.

Now surely people really are not enabling HTTP? Well, I found this on some of my “out of the box” test systems. Interesting.

I think this would be an interesting attack method…

Could we make an attack tool and could it be made in PowerShell? It turns out, Microsoft has given us a significant amount code to perform this attack. As usual, let’s see if there is anything in PowerShell which looks like the basis for a brute force or dictionary based attack tool…test-wsman looks good!

Get-Help Test-WSMan: http://pastebin.com/uxKeEPHr

And we know how to read files and build PSCredential objects dynamically. So what would the CMDLet look like then?

CMDLet, Get-WinRMPassword: http://pastebin.com/RdygF0J6

And how would it work?

Examples: http://pastebin.com/pUhVazW3

So has anyone else done this? Yes, and some very smart people pointed out this as a possibility several years ago. TheLightCosine and Mubix (disclosure: I am a massive fan of Mubix’ work) talked about this very thing back in November 2012, and even wrote a MetaSploit module doing just this.  And there were some very interesting discussions on Reddit about a year ago,  and even a post on NetSPI.Com.

So some bright people pointed it out, and no one really seemed to pay much attention, this is a real shame.

So where to from here? Well, it is really hard to tell to be honest. WinRM has be around for a number of years (almost 10) and yet it isn’t something that has gained a huge amount of attention in the IT community, from an automation or security point-of-view. Brian Krebs wrote late last year on Windows RDP enabled servers to which access was for sale on underground forums. Attackers had gained access to these systems via poorly selected passwords and RDP connections exposed to the internet, whilst it certainly is easy to brute force passwords via RDP, WinRM makes it even easier, yet there doesn’t seem to be much of an appetite.

It could be that we simply do not know about it. It could be the case that a lot of these systems with WinRM exposed could have been taken over my malicious users and we simply don’t know about it. I really hope to see more people looking at why they are exposing WinRM to the internet, and if they have indeed been attacked via it. Perhaps now that we are shinning some light on it, we might really see what is hiding in the dark.