Windows Servers Can Expose PowerShell on the Web
- Published: Oct 21, 2024
www.cisa.gov/n...
x.com/M_haggis...
x.com/M_haggis...
www.splunk.com...
gist.github.co...
Just casually drops "by the way I used to work there" like it's a casual Tuesday. Took me a little off guard, I'll be honest.
Feels to me like it's an integrated part of PowerShell that Microsoft forgot about, so any time they bring out a new server they just take PowerShell as it is and make the changes to the code they want to make, which leads to this feature not being touched since Server 2016, and that's probably why the string is hard coded. It probably wasn't meant to carry over for this long.
It's not as if Microsoft forgot, it's just that they did not anticipate that this unknown vector of attack could be exploited.
new attack vectors lets gooo
na id win
"new"
PenTesters licking their lips while cupping their hands in regards to the new toy they can play with:
New video released, new video watched. Best way to start the Monday morning thanks for the content
Learned so much from you which had inspired me to learn more on cybersecurity. Thanks
I have a Bash CGI script that acts as a more competent web shell. I can actually stream events using the Server-sent events/EventSource mechanism.
I built it for my server control panel, but it would also be a good web shell, as it has no dependencies other than a CGI-capable web server and Bash.
Oh, no! If you are an administrator you can do anything! So, anyway...
*cough* Linux.
This is not a vuln but a clever attack vector where you can hide in plain sight. Your web shell now looks legit, unlike other types of web shells.
Hahhahaaahha Microsoft says it's normal
@iamwitchergeraltofrivia9670 Like an SSH server on Linux? If I'm root on Linux, I can run sshd and I've set up a remote shell with full access to the system, and if I change some settings I don't even need to use a password to log in. Also, I don't need to set up a web server, which could be a hint that the system is compromised.
Sorry, but Linux is way more insecure than Windows, because you need administrator/root access on Windows, so this isn't a vulnerability at all.
On Linux, the SSH server is enabled by default (or was, I'm not quite sure, but RHEL 9 definitely has it enabled by default!) and by default the integrated firewall was also disabled. I'm pretty sure that most Linux distros never enabled the firewall by default, like Windows does since it has a firewall integrated. Nowadays they enabled the firewall, but also open the SSH server by default, so you've exposed a root shell to the internet, without any interaction whatsoever from the user..🎉
A somewhat pointless feature, admins will administer Windows servers from .... another Windows server, using Invoke, or Enable-PSSession, or WMI or WinRM, no need for this odd feature. And for WinRM you can restrict which machines can connect. I'd never install this, or use it. Imagine having IIS on every Windows box - a significant increase in the attack surface.
This is interesting, but if a threat actor had access to a local admin account, is PowerShell not just one of many things they could access remotely?
It's like Enter-PSSession. But for web?
I just verified with Microsoft and PowerShell is not even a virus, apparently it is a perfectly normal feature inside Windows.
People are so paranoid these days...
It's like SSH, but you have to be administrator on the Windows machine, and you have to install two separate packages, which aren't installed by default, like on Linux!!!!
It's normal Windows domain login behavior, host is always hostname, not IP. You could do just .\username, which automatically prefixes the computer's hostname, or you could do localhost\
How is this "vulnerability" different from exposing an RDP port? It's basically the same logic. Anyway, you should not do this.
Hey John, do you remember the Apex Legends Hacker Destroyer2009 aka timoxa?
It seems he discovered yet another 0-day related to anticheat recently. Could you cover this topic, please?
Is it really any worse than having SSH enabled on a server that has exposure to the internet?
I’m kind of lost, doesn’t every VPS machine have its SSH port open to the internet though?
No, it's not half as bad as SSH!
1. The SSH server is enabled on nearly any Linux distribution out there.
2. If the distribution has its firewall enabled (not all have/had them enabled or installed), then sshd is open by default.
3. On Windows, you have to explicitly enable two packages/features with administrator access.
4. You have to use credentials on Windows, you can't access the server without a password or any other sort of authentication.
5. On Linux, I have to change one setting and I don't even need a password or any other authentication, besides the username.
If you get these points and compare them side by side, then Linux is obviously way more insecure, since you already need administrator access to the machine. As an attacker, this is nearly never the case when they start, so all of the points aren't valid at all!
If it is, then most, if not all, Linux distributions are definitely insecure by themselves and can't be more secure than Windows, which has a built-in firewall, which is activated and configured by default and is way more restrictive than the default firewall on Linux, if it's configured at all...
A post on Reddit:
"PowerShell Web Access: What could possibly go wrong?"
12y ago. xD, thx Microsoft.
Is this really a recent topic? I knew that this is a potential hazard when I was working with it as a student for a company with no motivation & know-how to try and confirm my suspicions. But surely security researchers would have caught up on this much earlier, no? A bit strange that only now it seems to have gained attention. Another channel, for which the US discovered that not only their agencies knew about it and used it - and thus are now making it public. Because the gain does not outweigh the cost. The whole Azure Webshell for example reeked of potential abuse.
I actually feel like this, or at least the original article/tweets is clickbait. It’s a server. You had the local admin account, reconfigured the policy, and the policy works as expected.
As long as it is visible in the event log as a remote login, I fail to see how this is a backdoor any more than other methods.
Does it use a different, unmonitored port? Even then, the attacker already has local admin privileges, there is nothing stopping them from setting up a RAT in any way they want. Reverse connection would be so much harder to detect as well.
They instead (translating to Linux) enabled root-login and configured either webshell or SSH to allow it from any source. They already had complete control over the host (in the demo they already had privileges on the hypervisor… ). So they just wrote a policy and used it as it was written. The host was not protected by a domain firewall given they can reach it with inbound connection.
Like seriously. This is like calling SSH or RDP a backdoor, because they exist. Someone could use them for remote connections!
Time to back in 🎃
Free undetectable web shell 😂😂 thank you Microsoft
How fast will MS fix the website to say Windows 2022 🤪
dense
Hi
wow. this is great
I have a question sonosuite s.l is your company
This is COOL!😃👍
what a nothingburger video
You need new thumbnail ideas.
Idol
E
I think Microsoft needs to overhaul the Windows Server platform, because this showing as a feature of Windows Server 2016 is simply laziness.