Just casually dropping "by the way I used to work there" like it's a casual Tuesday took me a little off guard, I'll be honest.
Feels to me like it's an integrated part of PowerShell that Microsoft forgot about, so any time they bring out a new server they just take PowerShell as it is and make the changes to the code they want to make, which leads to this feature not being touched since Server 2016, and that's probably why the string is hard coded; it probably wasn't meant to carry over for this long.
It's not as if Microsoft forgot, it's just that they did not anticipate that this unknown vector of attack could be exploited.
I'm glad you're amused by it. I was amused watching Windows admins log in to GUI sessions via RDP for the first time a million years ago and being blown away there was no way to reboot a server. Well, I guess now there is a way... Webshells? Support PKI or pubkeys? Last time I tried to reboot a Wintendo box all I could see was "Log-out..." so I had to walk over instead and tap the power button.
new attack vectors lets gooo
na id win
"new"
PenTesters licking their lips while cupping their hands in regards to the new toy they can play with:
I have a Bash CGI script that acts as a more competent web shell. I can actually stream events using the Server-sent events/EventSource mechanism.
I built it for my server control panel, but it would also be a good web shell, as it has no dependencies other than a CGI-capable web server and Bash.
Learned so much from you, which has inspired me to learn more on cybersecurity. Thanks
New video released, new video watched. Best way to start the Monday morning, thanks for the content
Much safer to use than the telnet server Windows NTs used to have!
What's the fuss? PSWA has to be enabled by an admin on purpose, like sshd.
You just helped me in ways you will never know unless I become famous thank you
This is interesting, but if a threat actor had access to a local admin account, is Powershell not just one of many things they could access remotely?
Oh, no! If you are an administrator you can do anything! So, anyway...
*cough* Linux.
This is not a vuln but a clever attack vector where you can hide in plain sight. Your web shell now looks legit, unlike other types of web shells.
Hahhahaaahha Microsoft says it's normal
@iamwitchergeraltofrivia9670 Like SSH server on Linux? If I'm root on Linux, I can run sshd and I've set up a remote shell with full access to the system, and if I change some settings I don't even need to use a password to log in; also I don't need to set up a web server, which could be a hint that the system is compromised.
Sorry, but Linux is way more insecure than Windows, because you need administrator/root access on Windows, so this isn't a vulnerability at all.
On Linux, SSH server is enabled by default (or was, I'm not quite sure, but RHEL 9 definitely has it enabled by default!) and by default the integrated firewall was also disabled. I'm pretty sure that most Linux distros never enabled the firewall by default, like Windows has done since it has had a firewall integrated. Nowadays they enable the firewall, but also open the SSH server by default, so you've exposed a root shell to the internet, without any interaction whatsoever from the user..🎉
How is this "vulnerability" different from exposing the RDP port? It's basically the same logic. Anyway, you should not do this.
It's normal Windows domain login behavior; the host is always the hostname, not the IP. You could do just .\username, which automatically prefixes the computer's hostname, or you could do localhost\
It's like Enter-PSSession. But for web?
I just verified with Microsoft and Powershell is not even a virus, apparently it is a perfectly normal feature inside Windows.
People are so paranoid these days...
It's like SSH, but you have to be administrator on the Windows machine and you have to install two separate packages, which aren't installed by default, like on Linux!!!!
Am I right in thinking this feature is not enabled by default? Therefore someone would need to install and set up this role and allow access through a security device (firewall, proxy etc.)... in which case one would assume this is no other flaw than anything else? If you have installed, set up, and exposed this, just like a web server, PBX etc. etc., your bed bud... anyways, MS Azure is mostly remote PowerShell? --- cheers :)
I'm not sure what the problem with this video is. If you're using HTTPS with a proper certificate, there's no need to worry about MITM, right? And if someone who knows the server admin details leaves the company, of course, you'd update the server account credentials. Did the PowerShell web server do anything wrong here?
So if I understand well, you first need local access with admin rights to set up PSWA, and then to log in you need a valid account... At this stage you already own the network before you can use that feature, no? Here you don't exploit anything.
Hey John, do you remember the Apex Legends Hacker Destroyer2009 aka timoxa?
It seems he discovered yet another 0-day related to anticheat recently. Could you cover this topic, please?
The NSA’s not gonna be happy you found it.
BTW, Love your work!
A post on Reddit:
"PowerShell Web Access: What could possibly go wrong?"
12y ago. xD, thx Microsoft.
How would I get credentials a bug bounty setup?
love the learning
A somewhat pointless feature, admins will administer Windows servers from .... another Windows server, using Invoke, or Enable-PSSession, or WMI or WinRM, no need for this odd feature. And for WinRM you can restrict which machines can connect. I'd never install this, or use it. Imagine having IIS on every Windows box - a significant increase in the attack surface.
Is this really a recent topic? I knew that this was a potential hazard when I was working with it as a student for a company with no motivation & know-how to try and confirm my suspicions. But surely security researchers would have caught up on this much earlier, no? A bit strange that only now it seems to have gained attention. Another channel, for which the US discovered that not only their agencies knew about it and used it, and thus are now making it public, because the gain does not outweigh the cost. The whole Azure Webshell for example reeked of potential abuse.
I just block PS on my firewall and unblock it when I need it (like Chris Titus' program) xD
John, did I see you in a video on another channel dressed in a military uniform? It was a short video?
Time to back in 🎃
Is it really any worse than having SSH enabled on a server that has exposure to the internet?
I’m kind of lost, doesn’t every vps machine have its ssh port open to the internet tho?
No, it's not half as bad as SSH!
1. The SSH server is enabled on nearly any Linux distribution out there.
2. If the distribution has its firewall enabled (not all have/had them enabled or installed), then sshd is open by default.
3. On Windows, you have to explicitly enable two packages/features with administrator access.
4. You have to use credentials on Windows; you can't access the server without a password or any other sort of authentication.
5. On Linux, I have to change one setting and I don't even need a password or any other authentication, besides the username.
If you take these points and compare them side by side, then Linux is obviously way more insecure, since you already need administrator access to the machine. As an attacker, this is nearly never the case where they start, so all of the points aren't valid at all!
If it is, then most, if not all, Linux distributions are definitely insecure by themselves and can't be more secure than Windows, which has a built-in firewall, which is activated and configured by default and is way more restrictive than the default firewall on Linux, if it's configured at all...
@PsychEngel Nice bullshit dump. 1: Almost all Linux distros require installing SSH. 2: Yes... because you need it open to use SSH. 3 and 4: ? Since when can you access a Linux server without authentication? 5: Again, what? All system software requires root privileges to modify
Leave it to an incompetent Windows admin to talk about how "insecure" Linux is.
@mgord9518 Also, even if it were true, for both Windows and Linux you still have to open the port in your router.
smiles informative
How fast will MS fix the website to say Windows 2022 🤪
dense
i casually like steaks
wow. this is great
60hz screen
I actually feel like this, or at least the original article/tweets is clickbait. It’s a server. You had the local admin account, reconfigured the policy, and the policy works as expected.
As long as it is visible in the event log as a remote login, I fail to see how this is a backdoor any more than other methods.
Does it use a different, unmonitored port? Even then, the attacker already has local admin privileges, there is nothing stopping them from setting up a RAT in any way they want. Reverse connection would be so much harder to detect as well.
They instead (translating to Linux) enabled root login and configured either a webshell or SSH to allow it from any source. They already had complete control over the host (in the demo they already had privileges on the hypervisor… ). So they just wrote a policy and used it as it was written. The host was not protected by a domain firewall, given they can reach it with an inbound connection.
Like seriously. This is like calling SSH or RDP a backdoor because they exist. Someone could use them for remote connections!
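The comment above rests on PSWA being inventoried and its logons being visible; the following PowerShell is a defender-side check for exactly that, added here as an example and not taken from the thread or from Microsoft. It assumes a Windows Server host with the ServerManager, PowerShellWebAccess and WebAdministration modules available, the default web application name `pswa`, a constructed one-day lookback window, and that gateway sign-ins are recorded as network (type 3) logons in event 4624; that last point is an assumption to confirm in your own environment.

```powershell
# Added example (not from the thread): inventory PowerShell Web Access on a server
# and pull the Security-log logons a defender would correlate with gateway sessions.
# Assumes: Windows Server, ServerManager / PowerShellWebAccess / WebAdministration
# modules present, default app name 'pswa' (Install-PswaWebApplication default).

# 1. Is the feature installed at all? If not, there is no gateway to audit.
$feature = Get-WindowsFeature -Name WindowsPowerShellWebAccess
if (-not $feature.Installed) {
    Write-Output "PSWA feature is not installed on $env:COMPUTERNAME"
    return
}
Write-Output "PSWA feature installed on $env:COMPUTERNAME"

# 2. Who may sign in, and to which destination computers / session configurations?
#    An unexpected rule here is the thing to look at first.
Get-PswaAuthorizationRule |
    Format-Table RuleName, User, Destination, ConfigurationName -AutoSize

# 3. Where is the gateway published in IIS? Default path contains 'pswa'.
Import-Module WebAdministration
Get-WebApplication |
    Where-Object { $_.Path -like '*pswa*' } |
    Format-Table Path, PhysicalPath, ApplicationPool -AutoSize

# 4. Network logons (type 3) in the last day (constructed window). ASSUMPTION:
#    PSWA sign-ins, authenticated through IIS and a remoting session, are expected
#    to appear as type 3 rather than interactive (2) or RDP (10); verify locally.
#    For event 4624, Properties[5] = TargetUserName, [8] = LogonType, [18] = IpAddress.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 3 } |
    Select-Object TimeCreated,
        @{ n = 'User';   e = { $_.Properties[5].Value } },
        @{ n = 'Source'; e = { $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

Run it in an elevated session on the suspected host; the feature check and the authorization-rule listing are the quick answer to "is this box a gateway, and for whom", and the logon query is what you would feed into the same review the comment describes for any other remote-access path.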
This is COOL!😃👍
Hi
what a nothingburger video
👏
I think Microsoft needs to overhaul the Windows Server platform, because this showing as a feature of Windows Server 2016 is simply laziness.
You need new thumbnail ideas.
share
Idol
Free undetectable web shell 😂😂 thank you Microsoft
E