Remote password attacks
Last updated
WinRM
Windows Remote Management (WinRM) is the Microsoft implementation of the Web Services Management protocol (WS-Management). It is a network protocol based on XML web services that uses the Simple Object Access Protocol (SOAP) for the remote management of Windows systems. It handles the communication between Web-Based Enterprise Management (WBEM) and the Windows Management Instrumentation (WMI), which in turn can call the Distributed Component Object Model (DCOM).
However, for security reasons, WinRM must be enabled and configured manually on Windows 10. Whether we can use it therefore depends heavily on the security configuration of the domain or local network. In most cases, certificates or only specific authentication mechanisms are used to harden it. WinRM uses TCP port 5985 (HTTP) and TCP port 5986 (HTTPS). Note that a listener on 5985 is not automatically plaintext: with Kerberos or NTLM (Negotiate) authentication the SOAP payload is encrypted at the message level, and only Basic authentication combined with the AllowUnencrypted setting sends credentials and commands in the clear.
A handy tool that we can use for our password attacks is CrackMapExec, which can also be used against other protocols such as SMB, LDAP, MSSQL, and others. We recommend reading the documentation for this tool to become familiar with it.
Another handy tool that we can use to communicate with the WinRM service is Evil-WinRM, which gives us an interactive remote shell over WinRM once we have valid credentials.
Install: sudo gem install evil-winrm
SSH
The SSH server runs on TCP port 22 by default, to which we can connect using an SSH client. This service relies on three different cryptographic operations/methods: symmetric encryption, asymmetric encryption, and hashing.
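To make those three operations concrete before they are described one by one, here is a toy walkthrough of an SSH-style session. This is an added example and not code from the original page or from OpenSSH: a Diffie-Hellman exchange lets client and server agree on a symmetric session key over an untrusted channel, an RSA challenge lets the server confirm that the client holds the private key, and an HMAC under the session key lets each side detect a modified packet. The parameters are assumptions chosen so the block runs with the Python standard library only (a 127-bit Mersenne prime for the DH group, two small Mersenne primes for RSA, unpadded textbook RSA); they are far too small for real use and real SSH uses padded RSA, Ed25519 or ECDSA signatures and 2048-bit or elliptic-curve key exchange, so treat this as an illustration of the flow, not a reference implementation.

```python
import hashlib
import hmac
import secrets

# --- 1. Symmetric key agreement (toy Diffie-Hellman) -----------------------
# Toy parameters (assumption for this example): p = 2**127 - 1 (a Mersenne
# prime), g = 2. Real SSH uses 2048-bit+ MODP groups or curve25519; this size
# is chosen only so the example runs instantly with the standard library.
DH_P = 2**127 - 1
DH_G = 2


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(DH_P - 2) + 1
    return x, pow(DH_G, x, DH_P)


def dh_session_key(my_private, their_public):
    """Both sides compute g^(xy) mod p and hash it into a 256-bit session key."""
    shared = pow(their_public, my_private, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


# --- 2. Asymmetric authentication (toy textbook RSA) -----------------------
# Fixed small Mersenne primes so the example needs no prime search. Unpadded
# textbook RSA is NOT what OpenSSH does; the point is only the flow: sign with
# the private key, verify with the public key.
RSA_P = 2**61 - 1
RSA_Q = 2**89 - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # modular inverse, Python 3.8+


def _challenge_digest(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % RSA_N


def sign_challenge(challenge: bytes, d: int = RSA_D) -> int:
    """Client: prove possession of the private key by signing the server's challenge."""
    return pow(_challenge_digest(challenge), d, RSA_N)


def verify_challenge(challenge: bytes, signature: int, e: int = RSA_E) -> bool:
    """Server: check the signature using only the public key (e, n)."""
    return pow(signature, e, RSA_N) == _challenge_digest(challenge)


# --- 3. Hashing for message integrity (HMAC-SHA256 under the session key) --
def packet_mac(key: bytes, packet: bytes) -> bytes:
    return hmac.new(key, packet, hashlib.sha256).digest()


def packet_mac_ok(key: bytes, packet: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(packet_mac(key, packet), tag)


def simulate_session() -> dict:
    """Walk through key exchange, public-key auth and integrity; return outcomes."""
    # Key exchange: each side publishes g^x. An eavesdropper sees c_pub and
    # s_pub but, without c_priv or s_priv, cannot compute the session key.
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    client_key = dh_session_key(c_priv, s_pub)
    server_key = dh_session_key(s_priv, c_pub)

    # Public-key auth: server sends a fresh random challenge, client signs it.
    challenge = secrets.token_bytes(32)
    signature = sign_challenge(challenge)
    # An attacker who only has the public key can at best guess a signature.
    guessed_signature = secrets.randbelow(RSA_N)

    # Integrity: a MAC over each packet lets the peer detect modification.
    packet = b"exec whoami"  # constructed sample payload
    tag = packet_mac(client_key, packet)
    tampered = b"exec whoami; id"  # constructed modified payload

    return {
        "keys_match": client_key == server_key,
        "auth_ok": verify_challenge(challenge, signature),
        "forgery_rejected": not verify_challenge(challenge, guessed_signature),
        "mac_ok": packet_mac_ok(server_key, packet, tag),
        "tamper_detected": not packet_mac_ok(server_key, tampered, tag),
    }


if __name__ == "__main__":
    for step, result in simulate_session().items():
        print(f"{step:18} {result}")
```

Running the block prints five True lines. The design point for a password-attack context is step 2: an attacker who captures the public key or the challenge gains nothing, whereas a stolen private key without a passphrase replaces the password entirely.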
Symmetric Encryption
Symmetric encryption uses the same key for encryption and decryption. However, anyone who has access to the key can also read the transmitted data, so client and server need a secure way to agree on the key. SSH uses a key exchange method (Diffie-Hellman, in several variants) for this purpose: both sides derive the secret key from values they exchange, and a third party who observes the exchange cannot compute the key from the public values alone. Once the key is established, many different symmetric ciphers can be used, such as AES, ChaCha20, or the legacy Blowfish and 3DES.
Asymmetric Encryption
Asymmetric encryption uses two SSH keys: a private key and a public key. The private key must remain secret, because only it can decrypt messages encrypted with the public key and only it can produce signatures that the public key verifies. If an attacker obtains the private key, which is often not protected by a passphrase, he will be able to log in to the system without any password. During authentication, the server holds the user's public key and sends the client a challenge; if the client can sign that challenge, it possesses the private key, and the SSH session can begin.
Hashing
Hashing converts the transmitted data into a fixed-length value that is unique in practice. A hash is a one-way mathematical function: it cannot be reversed to recover the input. SSH uses hashing, in the form of a keyed MAC over each packet, to confirm the integrity and authenticity of messages.
We can use a tool such as Hydra to brute force SSH. This is covered in depth in a separate module.
RDP
Microsoft's Remote Desktop Protocol (RDP) is a network protocol that allows remote access to Windows systems via TCP port 3389 by default.
Linux offers different clients to communicate with the desired server using the RDP protocol. These include xfreerdp and several others. For our purposes, we will work with xfreerdp.
We can also use Hydra to perform RDP brute forcing.
SMB
Older versions of Hydra may not support SMBv3; in that case, use Metasploit's smb_login scanner (auxiliary/scanner/smb/smb_login) instead.
CrackMapExec can list shares, and smbclient can interact with them.