Rapid7 Vulnerability & Exploit Database

SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.

Back to Search

SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.



This module exploit BITS behavior which tries to connect to the local Windows Remote Management server (WinRM) every times it starts. The module launches a fake WinRM server which listen on port 5985 and triggers BITS. When BITS starts, it tries to authenticate to the Rogue WinRM server, which allows to steal a SYSTEM token. This token is then used to launch a new process as SYSTEM user. In the case of this exploit, notepad.exe is launched as SYSTEM. Then, it write shellcode in its previous memory space and trigger its execution. As this exploit uses reflective dll injection, it does not write any file on the disk. See /documentation/modules/exploit/windows/local/bits_ntlm_token_impersonation.md for complementary words of information. Vulnerable operating systems are Windows 10 and Windows servers where WinRM is not running. Lab experiments has shown that Windows 7 does not exhibit the vulnerable behavior. WARNING: - As this exploit runs a service on the target (Fake WinRM on port 5985), a firewall popup may appear on target screen. Thus, this exploit may not be completely silent. - This exploit has been successfully tested on : Windows 10 (10.0 Build 19041) 32 bits Windows 10 Pro, Version 1903 (10.0 Build 18362) 64 bits - This exploit failed because of no BITS authentication attempt on: Windows 7 (6.1 Build 7601, Service Pack 1) 32 bits - Windows servers are not vulnerable because a genuine WinRM service is already running, except if the user has disabled it (Or if this exploit succeed to terminate it). - SE_IMPERSONATE_NAME or SE_ASSIGNPRIMARYTOKEN_NAME privs are required. - BITS must not be running. - This exploit automatically perform above quoted checks. run "check" command to run checklist.


  • Cassandre
  • Andrea Pierini (decoder)
  • Antonio Cocomazzi (splinter_code)
  • Roberto (0xea31)




x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/bits_ntlm_token_impersonation
msf exploit(bits_ntlm_token_impersonation) > show targets
msf exploit(bits_ntlm_token_impersonation) > set TARGET < target-id >
msf exploit(bits_ntlm_token_impersonation) > show options
    ...show and set options...
msf exploit(bits_ntlm_token_impersonation) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security