winrm不指定端口远程即可执行命令

原创

Windows技术交流

修改于 2024-06-28 15:34:27

1.5K0

修改于 2024-06-28 15:34:27

文章被收录于专栏：Windows技术交流

远程攻击的手法应该比较多，有的不需要指定远程端口，只要remote desktop services是监听的，就能一直攻击

我知道这种就是（无需指定端口），例如

wmic /node:"IP" /USER:"用户名" /password:"密码" process call create "cmd.exe"

如果返回了下面的，就代表用户名密码不对

错误:

描述 = 拒绝访问。

如果返回了如下信息，说明用户名密码已经试对了

执行(Win32_Process)->Create()

方法执行成功。

外参数:

instance of __PARAMETERS

{

ProcessId = xxxx;

ReturnValue = 0;

};

基于上面的原因，光改默认远程端口号，也不能躲避这种攻击，因此，要加强安全设置：①修改远程端口②在安全组放行新的远程端口并限定客户端IP。

对服务端机器（被远程的机器），除过termservice服务正常运行、远程端口正常监听外，还要额外以管理员身份执行一句powershell命令：

winrm quickconfig -q 2>&1> $null;winrm quickconfig -q -force 2>&1> $null;netstat -ano|findstr :5985;

确保5985是监听的才行。

以下代码兼容server2008r2/2012r2/2016/2019/2022

对客户端机器，如果5985端口不在会报错

powershell命令：

reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM" /f 2>&1 >$null
#stop-service mpssvc 2>&1 > $null
winrm quickconfig -q 2>&1 > $null
winrm quickconfig -q -force 2>&1 > $null
restart-service winrm 2>&1 > $null
#Set-Item WSMan:localhost\client\trustedhosts -value * -force 2>&1 > $null
winrm set winrm/config/client '@{TrustedHosts="*"}' 2>&1 > $null
netstat -ato|findstr :5985
Set-Item WSMan:localhost\client\trustedhosts -value * -Force

如果上面这段代码配置winrm报错-2147024894 0x80070002就是得装补丁，参考我整理的文档https://cloud.tencent.com/developer/article/2043723

先打全补丁，参考我这篇文档里微软的更新脚本来更新：https://cloud.tencent.com/developer/article/2345790

然后检查注册表，删掉HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM

Registry Path：HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM

powershell：reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM" /f 2>&1 >$null

cmd：reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM" /f 2>&1 >nul

如果上面都操作了，还是无法通过winrm访问，在服务端和客户端参考https://developer.hashicorp.com/packer/docs/communicators/winrm#examples 启用winrm

net user Administrator "密码"
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"

# Remove HTTP listener
#Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# Create a self-signed certificate to let ssl work
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

# Configure WinRM to allow unencrypted communication, and provide the
# self-signed cert to the WinRM listener.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"

# Make sure appropriate firewall port openings exist
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985"

# Restart WinRM, and set it so that it auto-launches on startup.
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm

#执行完这段Powershell后要重启机器
#执行完这段Powershell后要重启机器
#执行完这段Powershell后要重启机器

客户端上以管理员身份打开powershell执行Set-Item WSMan:localhost\client\trustedhosts -value * -force 2>&1 > $null

然后以管理员身份打开cmd，执行下面命令看看是否报错，看看对端磁盘根目录有没有产生一个empt.txt的空文件

wmic /node:"对端IP或主机名" /USER:"域\administrator" /password:"密码" process call create "fsutil file createnew C:\empty.txt 0"

例如

wmic /node:"IP" /USER:"administrator" /password:"密码" process call create "fsutil file createnew C:\empty.txt 0"

下面这句是重启对端机器

wmic /node:"IP" /USER:"administrator" /password:"密码" process call create "shutdown -r -t 0"

原创声明：本文系作者授权腾讯云开发者社区发表，未经许可，不得转载。

如有侵权，请联系 cloudcommunity@tencent.com 删除。

windows server