Metasploit mailing list archives
getwinrm (Get windows remote management/shell) meterpreter script
From: Joshua Smith <lazydj98 () gmail com>
Date: Fri, 13 Aug 2010 16:08:07 -0400
OK, this is my first major meterpreter script, and my Ruby is weak, so be gentle. I'm sorry the message is so long, but it's not easy to explain. Script is here: http://pastebin.com/1BMnYRbf

getwinrm.rb will upload (if nec), install (if nec) and configure WinRM. Why is this useful? Cuz WinRM has a remote shell feature. If you're not familiar with WinRM, it's a long story; you can read the comments in the script if you're interested, but the gist is that the script will install the WinRM service (and configure it and the fw etc.) on a victim. You can then connect to the victim from a Windows client (attacker) which also has WinRM installed, using WinRS (after some client config). The script configures WinRM to use http on port 80 (you can change it to SSL, but I'm way too dumb and lazy to work that shiz out).

Honestly, since you need creds, and you obviously already have a meterpreter shell, this is only useful in one particular instance: when you want a persistent shell of some kind and can't use the persistence script due to application whitelisting such as Bit9. I basically wrote this solely to bypass Bit9's lockdown mode (when you don't want to totally disable it, which is trivial if you are System; I'll send that script too once I gussy it up a bit). Bit9 in lockdown mode won't allow anything to run, even a vbs script (when properly configured), that isn't whitelisted or signed by Microsoft or another approved source. WinRM is signed by Microsoft, so the install doesn't raise an alert (UAC aside, of course) in this case.

I tested on Windows XP SP3 with Bit9 running in lockdown mode (parity.exe ver 5.1) and configured to automatically approve MS-signed code. There is notional support for Vista/7/2008; just use the config-only option (-co) since WinRM is installed by default on those platforms. I'll try to test them soon. But I know the uninstall options won't work for those platforms (which you probably don't want to do anyway, since WinRM was already there). You may want to timestomp (-t) though.

Keep in mind, you are connecting TO the victim (it's not a reverse connection), so NATs and such will cause issues. I tried to do some hole punching by having Meterpreter send out a packet to the client, sourced from port 80, but there's no way for Meterpreter to dictate the source port (or there wasn't when I worked on this a while back; let me know if that has changed). In the meantime, you'd have to be local on the network, or farm multiple hosts out of the network through a single meterpreter session (like on a server; servers often have a hard time with Bit9 for various reasons, so you can probably get typical persistence there).

I hope it doesn't suck. Feedback is appreciated.

--
- Josh
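A defender-side audit of the configuration the post describes (the WinRM service left running with an unencrypted HTTP listener on TCP 80 instead of the WinRM 2.0 default of 5985), added here as an example; it is not part of the post or of getwinrm.rb. It assumes PowerShell 3 or later with the WSMan: provider, run from an elevated session on the host being checked. The function name and the "Suspect" heuristic are this example's own choices.

```powershell
# Added defensive audit example; not part of the original post or of getwinrm.rb.
# Assumes PowerShell 3+ with the WSMan: provider, run from an elevated session.
# The function name and the Suspect heuristic are this example's own choices.

function Get-WinRmExposureAudit {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Service state. WinRM running on a host with no management role is worth a look.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($svc) {
        $findings.Add([pscustomobject]@{
            Check   = 'Service'
            Detail  = "WinRM status=$($svc.Status)"
            Suspect = ($svc.Status -eq 'Running')
        })
    } else {
        $findings.Add([pscustomobject]@{ Check = 'Service'; Detail = 'WinRM service not present'; Suspect = $false })
    }

    # 2. Listeners. Each listener under WSMan:\localhost\Listener exposes Transport, Port and Address.
    #    WinRM 1.1 (XP/2003) defaulted HTTP to TCP 80; WinRM 2.0 and later use 5985. An HTTP (non-TLS)
    #    listener on any port other than 5985, port 80 included, matches the setup described in the post.
    if (Test-Path WSMan:\localhost\Listener) {
        foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
            $props     = Get-ChildItem $listener.PSPath
            $transport = ($props | Where-Object { $_.Name -eq 'Transport' }).Value
            $port      = [int](($props | Where-Object { $_.Name -eq 'Port' }).Value)
            $address   = ($props | Where-Object { $_.Name -eq 'Address' }).Value
            $findings.Add([pscustomobject]@{
                Check   = 'Listener'
                Detail  = "$($listener.Name) transport=$transport port=$port address=$address"
                Suspect = ($transport -eq 'HTTP' -and $port -ne 5985)
            })
        }
    }

    # 3. Service settings. AllowUnencrypted=true lets authentication and shell traffic go over plain HTTP.
    if (Test-Path WSMan:\localhost\Service\AllowUnencrypted) {
        $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        $findings.Add([pscustomobject]@{
            Check   = 'Service\AllowUnencrypted'
            Detail  = "AllowUnencrypted=$unenc"
            Suspect = ($unenc -eq 'true')
        })
    }

    return $findings
}

# Usage: print the table and exit non-zero if anything was flagged, so it can run from a scheduled job.
$audit = Get-WinRmExposureAudit
$audit | Format-Table Check, Suspect, Detail -AutoSize
if ($audit | Where-Object { $_.Suspect }) { exit 1 }
```

On XP-era hosts without PowerShell 3, the same listener data is available from `winrm enumerate winrm/config/listener` in a cmd prompt; the heuristic (an HTTP listener on a non-default port, or AllowUnencrypted set) is the part worth carrying over to whatever inventory tooling is in use.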
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework