Metasploit mailing list archives

getwinrm (Get windows remote management/shell) meterpreter script


From: Joshua Smith <lazydj98 () gmail com>
Date: Fri, 13 Aug 2010 16:08:07 -0400

Ok,
This is my first major meterpreter script, and my Ruby is weak, so be
gentle.  I'm sorry the message is so long, but it's not easy to explain.
Script is here:  http://pastebin.com/1BMnYRbf

getwinrm.rb will upload (if nec) and install (if nec) and configure WinRM.
Why is this useful?  Cuz WinRM has a remote shell feature.  If you're not
familiar with WinRM, it's a long story, you can read the comments in the
script if you're interested, but the gist is that the script will install
the WinRM service (and configure it and the fw etc) on a victim, you can
then connect to the victim from a Windows client (attacker) which also has
winrm installed, using WinRS (after some client config).  The script
configures WinRM to use http on port 80 (you can change it to SSL, but I'm
way too dumb and lazy to work that shiz out).

Honestly, since you need creds, and you obviously already have a meterpreter
shell, this is only useful in one particular instance.  When you want a
persistent shell of some kind and can't use the persistence script due to
application whitelisting such as Bit9.  I basically wrote this solely to
bypass Bit9's lockdown mode (when you don't want to totally disable it,
which is trivial if you are System, I'll send that script too once I gussy
it up a bit).  Bit9 in lockdown mode won't allow anything to run, even a
vbs script (when properly configured), that isn't whitelisted or signed by
Microsoft or another approved source.  WinRM is signed by Microsoft so the
install doesn't raise an alert (UAC aside of course) in this case.

I tested on Windows XP SP3 with Bit9 running in lockdown mode (parity.exe
ver 5.1) and configured to automatically approve MS signed code.  There is
notional support for Vista/7/2008, just use the config only option (-co)
since WinRM is installed by default on those platforms.  I'll try to test
them soon.  But I know the uninstall options won't work for those platforms
(which you probably don't want to do anyway since WinRM was already there).
You may want to timestomp (-t) though.

Keep in mind, you are connecting TO the victim (it's not a reverse
connection), so NATs and such will cause issues.  I tried to do some hole
punching by having Meterpreter send out a packet to the client, sourced from
port 80, but there's no way for Meterpreter to dictate the source port (or
there wasn't when I worked on this a while back, let me know if that has
changed).  In the meantime, you'd have to be local on the network, or farm
multiple hosts out of the network through a single meterpreter session (like
on a server; servers often have a hard time with Bit9 for various reasons,
so you can probably get typical persistence there).

I hope it doesn't suck.  Feedback is appreciated.

-- 
- Josh
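A defender-side check that follows from the configuration described above (an unencrypted WinRM listener on port 80), written here as an added example and not part of Josh's script: it parses the block layout of `winrm enumerate winrm/config/listener` output (the sample below is constructed; the hostname and thumbprint are placeholders) and flags enabled listeners that use plain HTTP or sit on port 80, which is where an unexpected remote-shell listener would show up in an audit.

```python
# Constructed sample mimicking the layout of `winrm enumerate winrm/config/listener`
# output (assumption: the exact layout may vary slightly between WinRM versions).
SAMPLE_LISTENER_OUTPUT = """\
Listener
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.0.0.5, 127.0.0.1

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = host.example.test
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = PLACEHOLDER_THUMBPRINT
    ListeningOn = 10.0.0.5
"""

def parse_listeners(text):
    """Split the tool output into one dict per 'Listener' block."""
    listeners = []
    current = None
    for line in text.splitlines():
        if line.strip() == "Listener":
            current = {}
            listeners.append(current)
        elif current is not None and line.startswith("    "):
            # Keys without a value (e.g. a bare 'Hostname') become empty strings.
            key, _, value = line.strip().partition(" = ")
            current[key] = value
    return listeners

def audit_listeners(listeners):
    """Return (listener, reason) pairs for enabled listeners worth an analyst's attention."""
    findings = []
    for l in listeners:
        if l.get("Enabled", "").lower() != "true":
            continue  # disabled listeners cannot accept WinRS sessions
        if l.get("Transport", "").upper() == "HTTP":
            findings.append((l, "unencrypted HTTP transport"))
        if l.get("Port") == "80":
            findings.append((l, "WinRM on port 80 alongside ordinary web traffic"))
    return findings
```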