Windows Remote Management (WinRM)

WinRM is a protocol that, if enabled, lets administrators open a remote shell on a server.

🐊️ Ports

  • 5985 (TCP, HTTP)
  • 5986 (TCP, HTTPS)

WinRM is a SOAP-based protocol. See also: WMI, WBEM, DCOM.

WinRM vulnerabilities ☠️

You can use evil-winrm (3.9k ⭐) on Linux to spawn a PowerShell shell over WinRM. On a Windows host, Test-WSMan checks whether a target has WinRM listening.

$ evil-winrm -i IP -u username -p password
$ evil-winrm -i IP -u 'username' -p 'password'
$ evil-winrm -i IP -u 'username' -H 'hash'

You can try to brute force credentials:

$ nxc winrm IP -u user.list -p password.list
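From the defender's side, the brute-force and spray patterns the command above produces are easy to spot in the target's authentication records. The following is an added example (not from the page or from any of the tools it mentions): a small detector run over constructed, normalised failed-logon records for the WinRM listener. The record layout (timestamp, source IP, target user, outcome), the thresholds and the sample lines are all assumptions, not any product's native log format.

```python
"""Flag WinRM credential brute-forcing, password spraying and a success that follows
a run of failures. Added example; the log below is constructed, and the field
layout and thresholds are assumptions rather than any vendor's format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)            # sliding window for counting failures
FAIL_THRESHOLD = 5                        # failures from one source -> brute force
SPRAY_USERS = 4                           # distinct users failing from one source -> spray
SUCCESS_AFTER_FAIL = timedelta(hours=1)   # success after failures for same src/user

# Constructed sample: one record per authentication attempt that reached the
# WinRM listener, as a SIEM might normalise them: timestamp src_ip user outcome.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 alice FAIL
2024-03-01T10:00:02Z 10.0.0.5 alice FAIL
2024-03-01T10:00:03Z 10.0.0.5 alice FAIL
2024-03-01T10:00:04Z 10.0.0.5 alice FAIL
2024-03-01T10:00:05Z 10.0.0.5 alice FAIL
2024-03-01T10:00:06Z 10.0.0.5 alice FAIL
2024-03-01T10:00:10Z 10.0.0.9 bob FAIL
2024-03-01T10:00:11Z 10.0.0.9 carol FAIL
2024-03-01T10:00:12Z 10.0.0.9 dave FAIL
2024-03-01T10:00:13Z 10.0.0.9 erin FAIL
2024-03-01T10:00:14Z 10.0.0.9 frank FAIL
2024-03-01T10:00:20Z 10.0.0.7 admin SUCCESS
2024-03-01T10:30:00Z 10.0.0.5 alice SUCCESS
"""


def parse_records(text):
    """Parse 'timestamp src_ip user outcome' lines into dicts sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "user": user,
            "ok": outcome == "SUCCESS",
        })
    return sorted(records, key=lambda r: r["ts"])


def detect(records):
    """Return (kind, src_ip, detail) alerts; brute_force and password_spray fire once per source."""
    alerts = []
    fails = defaultdict(deque)   # src -> deque of (ts, user) failures inside WINDOW
    last_fail = {}               # (src, user) -> timestamp of most recent failure
    fired = set()                # (kind, src) pairs already alerted
    for r in records:
        key = (r["src"], r["user"])
        if r["ok"]:
            # A success shortly after failures for the same source/user is the
            # signal that a guessing run may have worked.
            if key in last_fail and r["ts"] - last_fail[key] <= SUCCESS_AFTER_FAIL:
                alerts.append(("success_after_failures", r["src"], r["user"]))
            continue
        last_fail[key] = r["ts"]
        q = fails[r["src"]]
        q.append((r["ts"], r["user"]))
        while q and r["ts"] - q[0][0] > WINDOW:      # drop failures older than the window
            q.popleft()
        if len(q) >= FAIL_THRESHOLD and ("brute_force", r["src"]) not in fired:
            fired.add(("brute_force", r["src"]))
            alerts.append(("brute_force", r["src"], f"{len(q)} failures in {WINDOW.seconds}s"))
        users = {u for _, u in q}
        if len(users) >= SPRAY_USERS and ("password_spray", r["src"]) not in fired:
            fired.add(("password_spray", r["src"]))
            alerts.append(("password_spray", r["src"], f"{len(users)} distinct users"))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_records(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, src, detail in run_sample():
        print(f"{kind:24} {src:12} {detail}")
```

The per-source window catches a single-user dictionary run (10.0.0.5) and a spray across many users (10.0.0.9) with the same bookkeeping; the success-after-failures rule is the one worth paging on, since it turns "someone is guessing" into "someone probably got in".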

See also: RogueWinRM (0.5k ⭐, 2020 🪦).

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • Windows Remote Shell (WinRS), MS-PSRP
  • nmap wsman