PowerShell Remoting (PS Remote)


Last updated 2 years ago

Overview

PowerShell Remoting uses the WS-Management protocol (WinRM, HTTP on TCP 5985 by default, HTTPS on 5986) to run PowerShell commands on one or more remote computers. The target must have the WinRM service running with a listener configured, and by default the caller has to be a local administrator on the target or a member of its Remote Management Users group.

Authentication

WinRM picks the authentication method from whether the client is domain-joined and from how the destination is written (the two rules below follow Microsoft's "Authentication for Remote Connections" documentation):

Kerberos is the default method of authentication when the client is in a domain and the remote destination string is not one of the following: localhost, 127.0.0.1, or [::1].

Negotiate is the default method when the client is not in a domain, but the remote destination string is one of the following: localhost, 127.0.0.1, or [::1].

Kerberos needs a service principal name derived from the destination, so a target addressed by IP address, or a workgroup machine, cannot use it. WinRM then falls back to NTLM through Negotiate and refuses the connection unless the target is in the client's TrustedHosts list or the transport is HTTPS. Pass -Authentication Kerberos or -Authentication Negotiate to Enter-PSSession, New-PSSession or Invoke-Command to force a method.

Specifying credentials

Credentials through PowerShell

# Build a PSCredential without a prompt; the password ends up in memory as a SecureString
$passwd = ConvertTo-SecureString "Password123" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("lab\logagent", $passwd)

Get-Credential

Pops up a prompt to enter user credentials

$creds = Get-Credential

Trusted hosts

TrustedHosts is a client-side WinRM setting, empty by default, that lists the remote computers the client is willing to send credentials to even though it cannot verify the server's identity. That is the situation whenever Kerberos is unavailable (a workgroup target, or a domain target addressed by IP address) and the transport is plain HTTP. A host on the list is not authenticated in any way; the entry only tells the client that handing NTLM (or Basic/CredSSP) credentials to that address is acceptable, so anything that can answer on that address can collect them.

The setting lives on the machine you run the commands from, not on the target, and changing it needs an elevated prompt. A domain-joined client talking to a domain-joined target by name uses Kerberos and needs no TrustedHosts entry.

Lazy: Allow all

Set-Item WSMan:\localhost\Client\TrustedHosts * -Force

Specify a host (this overwrites the list; add -Concatenate to append to it)

Set-Item WSMan:\localhost\Client\TrustedHosts -Value ServerDC -Force
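The following is an added example, not code from the original page: it shows the check-append-verify pattern for TrustedHosts on an elevated client, then authenticates to a target by IP address, where Kerberos cannot apply and Negotiate (NTLM) with explicit credentials is required. The address 10.10.10.5 and the account are placeholders.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell on the
# client machine. Target address and account are placeholders.
$target = '10.10.10.5'

# Show what the client currently trusts; empty on a fresh Windows install.
Get-Item WSMan:\localhost\Client\TrustedHosts

# Append instead of overwrite: without -Concatenate, Set-Item replaces the whole list.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $target -Concatenate -Force

# Confirm the entry landed (the value is a comma-separated string).
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' | ForEach-Object { $_.Trim() }

# An IP address cannot map to a Kerberos SPN, so authentication falls back to NTLM
# through Negotiate and explicit credentials are needed. Test-WSMan exercises the
# authentication without opening a session.
$passwd = ConvertTo-SecureString 'Password123' -AsPlainText -Force
$creds  = [pscredential]::new("$target\administrator", $passwd)
Test-WSMan -ComputerName $target -Credential $creds -Authentication Negotiate

# Same credentials now work for a real session.
Enter-PSSession -ComputerName $target -Credential $creds -Authentication Negotiate

# Clean-up when done: drop every TrustedHosts entry again.
# Clear-Item WSMan:\localhost\Client\TrustedHosts -Force
```

Prefer -Concatenate over the wildcard: a client with TrustedHosts set to * will hand NTLM credentials to any address it is pointed at, which matters if that client is a jump host others also use.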

Enumerating for WinRM administrator access

Get all AD computers (runs as the current domain user from a domain-joined host; no extra modules needed)

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
# sAMAccountType 805306369 = machine (computer) accounts
$objSearcher.Filter = "(sAMAccountType=805306369)"
$Computers = $objSearcher.FindAll() | %{$_.properties.dnshostname}

Check for access

Run a trivial command against every computer. Hosts where the current user is allowed in (local administrators or members of Remote Management Users by default) return their hostname; the rest fail silently. Being accepted by WinRM does not by itself prove local administrator rights.

Invoke-Command -ScriptBlock {hostname} -ComputerName $Computers -ErrorAction SilentlyContinue
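A fuller version of that sweep, added here and not part of the original page: it fans out in parallel, keeps the failures instead of discarding them, and reports for every host whether access worked, which account we landed as and whether that account is actually a local administrator (WinRM also admits Remote Management Users, who are not). It assumes the $Computers list and the $creds object built earlier on this page.

```powershell
# Added example, not from the original page. Builds on $Computers and $creds from the
# earlier snippets; omit -Credential to use the current logon (Kerberos) instead.
function Find-WinRMAccess {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential,
        [int]$ThrottleLimit = 32
    )

    $splat = @{
        ComputerName  = $ComputerName
        ThrottleLimit = $ThrottleLimit   # parallel fan-out instead of one host at a time
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'failed'         # keep the failures instead of throwing them away
    }
    if ($Credential) { $splat.Credential = $Credential }

    # Runs on each target: who did we land as, and is that account a local admin?
    $results = Invoke-Command @splat -ScriptBlock {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        [pscustomobject]@{
            User    = $id.Name
            IsAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                          [Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    }

    foreach ($c in $ComputerName) {
        # Invoke-Command stamps every returned object with PSComputerName.
        $r   = $results | Where-Object { $_.PSComputerName -eq $c } | Select-Object -First 1
        $err = $failed  | Where-Object { $_.TargetObject -eq $c }   | Select-Object -First 1
        [pscustomobject]@{
            ComputerName = $c
            Access       = [bool]$r
            RunningAs    = $r.User
            IsLocalAdmin = $r.IsAdmin
            Error        = if ($err) { $err.Exception.Message.Split("`n")[0] } else { $null }
        }
    }
}

Find-WinRMAccess -ComputerName $Computers -Credential $creds |
    Sort-Object Access -Descending | Format-Table -AutoSize
```

The Error column separates "access denied" (the account exists but is not allowed in) from "cannot connect" (no listener, firewall, or Kerberos/SPN trouble), which is the distinction you want before deciding whether to try other credentials against a host.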

Command examples

Connecting to remote host

One-to-one remoting

If you want your remote session to be interactive, then one-to-one remoting is what you want. This type of remoting is provided via the Enter-PSSession cmdlet.

$creds = Get-Credential
Enter-PSSession -ComputerName dc01 -Credential $creds

One-to-many remoting

Sometimes you may need to perform a task interactively on a remote computer, but remoting is much more powerful when performing a task on multiple remote computers at the same time. Use the Invoke-Command cmdlet to run a command against one or more remote computers at the same time; every object that comes back carries a PSComputerName property telling you which host produced it.

Invoke-Command -ComputerName dc01, sql02, web01 {Get-Service -Name W32time} -Credential $creds

PowerShell Sessions

Similar to CIM sessions, a PowerShell session to a remote computer can be used to run multiple commands against the remote computer without the overhead of a new session for each individual command. Variables and state set in the session also survive between calls.

$session = New-PSSession -ComputerName dc01, sql02, web01 -Credential $creds

Now we can use the $session variable to run commands in the persistent sessions.

Invoke-Command -Session $session {(Get-Service -Name W32time).Start()}
Invoke-Command -Session $session {Get-Service -Name W32time}

When you finish, remove the sessions

Get-PSSession | Remove-PSSession

Executing script on remote host/s

-FilePath reads the script on the local machine and sends its content to each remote host, so the script does not need to exist on the targets.

Invoke-Command -ComputerName Server01, Server02 -FilePath c:\Scripts\DiskCollect.ps1

File transfer

Copy-Item can move files through an existing PSSession (PowerShell 5.0 or later on both ends), so no SMB share or extra port is needed beyond the WinRM channel already in use.

Downloading a file over PS Remote from the remote machine

$sess = New-PSSession IT-APPSRV01
Copy-Item -FromSession $sess C:\{file} -Destination C:\Windows\Temp\{file}

Uploading a file over PS Remote to the remote machine

$sess = New-PSSession IT-APPSRV01
Copy-Item -ToSession $sess C:\Windows\Temp\{file} -Destination C:\{file}
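An added example, not from the original page: an upload helper that hashes the file locally, pushes it through the session, and hashes it again on the remote side so a truncated or tampered copy is caught before you run it. The host name IT-APPSRV01 is taken from the snippets above; the file paths and $creds are assumptions.

```powershell
# Added example (not from the original page). Host, paths and $creds are placeholders.
function Copy-ToSessionVerified {
    param(
        [Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Destination
    )

    $localHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # The copy rides the WinRM channel of the session; nothing else is opened.
    Copy-Item -ToSession $Session -Path $Path -Destination $Destination -Force

    # Hash on the remote side. $using: ships the local variable into the remote script block.
    $remoteHash = Invoke-Command -Session $Session -ScriptBlock {
        (Get-FileHash -Path $using:Destination -Algorithm SHA256).Hash
    }

    if ($localHash -ne $remoteHash) {
        throw "Hash mismatch for $Destination on $($Session.ComputerName): local $localHash, remote $remoteHash"
    }

    [pscustomobject]@{
        Computer    = $Session.ComputerName
        Destination = $Destination
        SHA256      = $remoteHash
    }
}

$sess = New-PSSession -ComputerName IT-APPSRV01 -Credential $creds
Copy-ToSessionVerified -Session $sess -Path .\tool.exe -Destination C:\Windows\Temp\tool.exe

# Run it, then remove the artifact and the session when finished.
Invoke-Command -Session $sess -ScriptBlock { & C:\Windows\Temp\tool.exe }
Invoke-Command -Session $sess -ScriptBlock { Remove-Item C:\Windows\Temp\tool.exe -Force }
Remove-PSSession $sess
```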

Using WinRM on Kali PowerShell

Installing PowerShell on Kali

sudo apt install powershell

Start PowerShell and install PSWSMan. Install-WSMan replaces the WSMan client libraries shipped with pwsh, so it has to run with root privileges.

pwsh
Install-Module PSWSMan -Force
Install-WSMan

Common problems

Problem: Error message about an unspecified GSS failure

Enter-PSSession : Connecting to remote server xxx.xxx.xxx.xxx failed with the following error message : acquiring creds with username only failed Unspecified GSS failure. Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.

Solution: the GSSAPI stack has no NTLM mechanism; install it.

sudo apt install gss-ntlmssp

Problem: Error message about access denied when connecting with NTLM

Enter-PSSession : MI_RESULT_ACCESS_DENIED

Solution: Make sure to use -Authentication Negotiate, even though this isn't necessary when remoting from a Windows client.
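Putting the Kali pieces together, as an added example that is not part of the original page: the connection commands from pwsh on Linux once PSWSMan and gss-ntlmssp are installed. The target address, account and password are placeholders.

```powershell
# Added example (not from the original page). Run inside pwsh on Kali after
# Install-WSMan and gss-ntlmssp. Address, user and password are placeholders.
$target = '10.10.10.5'
$passwd = ConvertTo-SecureString 'Password123' -AsPlainText -Force
$creds  = [pscredential]::new('lab\logagent', $passwd)

# NTLM through Negotiate over HTTP on 5985. Leaving out -Authentication Negotiate on the
# Linux client is what produces MI_RESULT_ACCESS_DENIED.
$s = New-PSSession -ComputerName $target -Credential $creds -Authentication Negotiate
Invoke-Command -Session $s -ScriptBlock { hostname; whoami }

# Target that only exposes the HTTPS listener (5986) with a self-signed certificate:
# skip the CA and CN checks explicitly rather than failing on the certificate.
$opt = New-PSSessionOption -SkipCACheck -SkipCNCheck
$s2  = New-PSSession -ComputerName $target -Credential $creds -Authentication Negotiate `
                     -UseSSL -SessionOption $opt
Invoke-Command -Session $s2 -ScriptBlock { whoami }

Get-PSSession | Remove-PSSession
```

The -SkipCACheck/-SkipCNCheck options mean the client does not verify who it is talking to; that is acceptable for a lab target you already identified by other means, but it is the same trust gap TrustedHosts creates on Windows.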

References

Authentication for Remote Connections - Win32 apps (docs.microsoft.com)
PowerShell remoting - PowerShell (docs.microsoft.com)
Linux to Windows powershell remoting (Kali 2019.4)