{"id":17770,"date":"2015-10-27T11:57:56","date_gmt":"2015-10-27T19:57:56","guid":{"rendered":"http:\/\/devblogs.microsoft.com\/powershell\/?p=17770"},"modified":"2019-06-06T12:27:25","modified_gmt":"2019-06-06T20:27:25","slug":"compromising-yourself-with-winrms-allowunencrypted-true","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/compromising-yourself-with-winrms-allowunencrypted-true\/","title":{"rendered":"Compromising Yourself with WinRM\u2019s \u201cAllowUnencrypted = True\u201d"},"content":{"rendered":"<p>One thing that\u2019s a mixed blessing in the world of automation is how often people freely share snippets of code that you can copy and paste to make things work.<\/p>\n<p>Sometimes, this is a snippet of code \/ functionality that would have been hard or impossible to write yourself, and saves the day. Sometimes, this is a snippet that changes some configuration settings to finally make something work.<\/p>\n<p>For both types of code, you should really understand what\u2019s happening before you run it. Configuration snippets are particularly important in this regard, as they permanently change the posture of the system.<\/p>\n<p>One disappointing example is the number of posts out there that show you how to enable CredSSP without ever discussing the dangers. 
They don\u2019t tend to warn you that the CredSSP authentication mechanism essentially <a href=\"http:\/\/www.powershellmagazine.com\/2014\/03\/06\/accidental-sabotage-beware-of-credssp\/\">donates your username and password to the remote system<\/a> \u2013 the reason we disable it by default.<\/p>\n<p>So let\u2019s talk about another example, where folks demonstrate how to easily connect to WinRM over SOAP directly.<\/p>\n<blockquote>\n<p><font size=\"2\" face=\"Courier New\">winrm set winrm\/config\/client\/auth @{Basic=&quot;true&quot;}        <br \/>winrm set winrm\/config\/service\/auth @{Basic=&quot;true&quot;}         <br \/>winrm set winrm\/config\/service @{AllowUnencrypted=&quot;true&quot;}<\/font><\/p>\n<\/blockquote>\n<p>Hmm. That\u2019s configuring a lot of non-default settings. And without any sort of security guidance. But whatever.<\/p>\n<p>I can use pretty much any HTTP-aware tool to make calls now. Take an example of using a client that requires these settings, enumerating the \u2018WinRM\u2019 service from a remote computer. Here\u2019s a network capture of that event:<\/p>\n<p><img decoding=\"async\" title=\"image\" style=\"border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; float: none; margin-left: auto; display: block; border-top-width: 0px; margin-right: auto\" border=\"0\" alt=\"image\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/MSDNBlogsFS\/prod.evol.blogs.msdn.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/63\/74\/metablogapi\/2146.image_327327AF.png\" original-url=\"http:\/\/blogs.msdn.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-63-74-metablogapi\/2146.image_5F00_327327AF.png\" width=\"604\" height=\"484\" \/> <\/p>\n<p>The tool is using \u2018Authorization: Basic\u2019, as you can see from the top. The rest of the red is the content of the WinRM SOAP request.<\/p>\n<p>The first thing you\u2019ll notice is that this is a lot of unencrypted content. 
In fact, all of it. This command and response were sent over plain HTTP. If I were retrieving sensitive information from that remote computer, it is now public knowledge. This message also could have been tampered with in transit \u2013 either going there, or coming back. If an attacker intercepted this communication, they could have rewritten my innocent service request to instead add themselves to the local administrators group of that remote machine, and nothing on either end would have noticed the change.<\/p>\n<p>There\u2019s one particularly sensitive bit of information you may have noticed. The Authorization header:<\/p>\n<blockquote>\n<p><font size=\"2\" face=\"Courier New\">Authorization: Basic RnJpc2t5TWNSaXNreTpTb21lIVN1cDNyU3RyMG5nUGFzc3coKXJk<\/font><\/p>\n<\/blockquote>\n<p>If we <a href=\"https:\/\/en.wikipedia.org\/wiki\/Basic_access_authentication\">research<\/a> what that complicated string of text is, we\u2019ll see that it\u2019s just a Base64 encoding of the username and password, separated by a colon:<\/p>\n<blockquote>\n<p><font size=\"2\" face=\"Courier New\">PS [C:\\temp]        <br \/><\/font><font size=\"2\" face=\"Courier New\">&gt;&gt; [System.Text.Encoding]::Ascii.GetString([Convert]::FromBase64String(&quot;RnJpc2t5TWNSaXNreTpTb21lIVN1cDNyU3RyMG5nUGFzc3coKXJk&quot;))<\/font><\/p>\n<p><font color=\"#ff0000\" size=\"2\" face=\"Courier New\">FriskyMcRisky:Some!Sup3rStr0ngPassw()rd<\/font><\/p>\n<\/blockquote>\n<p>Hope you didn\u2019t need those credentials, because you just donated them!<\/p>\n<p>Basic Authentication isn\u2019t always the devil, as the credentials can be protected by a secure, authenticated transport (an HTTPS listener with a valid certificate). And plain HTTP isn\u2019t always the devil, as WinRM encrypts and signs the message payload itself when it authenticates with Kerberos or Negotiate, which is exactly what the default AllowUnencrypted=false enforces. But combine them (Basic over HTTP, with that encryption requirement switched off), and you\u2019re in for a bad day.<\/p>\n<p>So please \u2013 if you are using code from others, make sure you understand what it does. 
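The three settings from that snippet, audited and put back to their secure defaults from the shell an administrator would actually use, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the target host with the WinRM service running (the WSMan: drive is not available otherwise); the function names Test-WinRMCleartextExposure and Restore-WinRMSecureDefaults are my own.

```powershell
# Added example (not from the original post): audit the three settings the
# snippet above changes, and put them back to their secure defaults.
# Assumption: elevated PowerShell on the target host, WinRM service running,
# so the WSMan: provider drive is mounted.

# Setting -> the value the snippet leaves behind. The out-of-box value of
# each is 'false'.
$riskySettings = [ordered]@{
    'Client\Auth\Basic'        = 'true'   # winrm set winrm/config/client/auth @{Basic="true"}
    'Service\Auth\Basic'       = 'true'   # winrm set winrm/config/service/auth @{Basic="true"}
    'Service\AllowUnencrypted' = 'true'   # winrm set winrm/config/service @{AllowUnencrypted="true"}
}

function Test-WinRMCleartextExposure {
    <#
    Returns one object per setting with its current value and whether it
    matches the risky value from the snippet. Service\AllowUnencrypted=true
    together with Service\Auth\Basic=true is the combination that puts the
    Basic credentials, and every request and response, on the wire in clear.
    #>
    foreach ($entry in $riskySettings.GetEnumerator()) {
        $item = Get-Item -Path ("WSMan:\localhost\" + $entry.Key)
        [pscustomobject]@{
            Setting = $entry.Key
            Value   = $item.Value
            Risky   = ($item.Value -eq $entry.Value)
        }
    }
}

function Restore-WinRMSecureDefaults {
    # Flips each of the three settings back to 'false'. Clients that depended
    # on Basic-over-plain-HTTP will stop working; that is the point. If a
    # client genuinely needs Basic, give it an HTTPS listener instead of
    # re-enabling AllowUnencrypted.
    foreach ($entry in $riskySettings.GetEnumerator()) {
        Set-Item -Path ("WSMan:\localhost\" + $entry.Key) -Value 'false'
    }
}

$report = Test-WinRMCleartextExposure
$report | Format-Table -AutoSize
if ($report.Risky -contains $true) {
    Write-Warning 'WinRM accepts Basic auth and/or unencrypted traffic here; run Restore-WinRMSecureDefaults.'
}
```

The audit deliberately flags Service\Auth\Basic on its own as well: Basic over an HTTPS listener is a supportable configuration, but it is still a non-default one that you want to know about, since the moment someone later sets AllowUnencrypted back to true the credentials are on the wire again.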
Understanding code is much easier than writing it, so you\u2019re still benefiting.<\/p>\n<p>And blog \/ sample authors? Don\u2019t think you\u2019re getting away so easy \ud83d\ude42 If you\u2019re providing code samples that might have an unintended side effect (i.e.: complete system and credential compromise), please make those risks drastically clear. Saying \u201cfor testing purposes only\u201d doesn\u2019t count.<\/p>\n<p>&#160;<\/p>\n<p>Lee Holmes [MSFT]    <br \/>Principal Software Engineer<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One thing that\u2019s a mixed blessing in the world of automation is how often people freely share snippets of code that you can copy and paste to make things work. Sometimes, this is a snippet of code \/ functionality that would have been hard or impossible to write yourself, and saves the day. Sometimes, this [&hellip;]<\/p>\n","protected":false},"author":600,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-17770","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell"],"acf":[],"blog_post_summary":"<p>One thing that\u2019s a mixed blessing in the world of automation is how often people freely share snippets of code that you can copy and paste to make things work. Sometimes, this is a snippet of code \/ functionality that would have been hard or impossible to write yourself, and saves the day. 
Sometimes, this [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/17770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/600"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=17770"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/17770\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=17770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=17770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=17770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}