Windows Remote Management (WinRM)
WinRM is a protocol that, if enabled, allows administrators to connect to a server remotely and run commands in a remote shell.
Ports
- 5985 (TCP, HTTP)
- 5986 (TCP, HTTPS)
WinRM is a SOAP-based protocol (Microsoft's implementation of WS-Management). See also: WMI, WBEM, DCOM.
WinRM vulnerabilities
You can use evil-winrm (3.9k stars on GitHub) on Linux to spawn a PowerShell session over WinRM. On a Windows host, Test-WSMan checks whether the WinRM service is listening on a target.
$ evil-winrm -i IP -u username -p password
$ evil-winrm -i IP -u 'username' -p 'password'
$ evil-winrm -i IP -u 'username' -H 'hash'
You can try to brute force credentials:
$ nxc winrm IP -u user.list -p password.list
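As an added defensive example (not from the original page and not part of evil-winrm or nxc), the following Python flags the trace that such credential guessing leaves on the target host: a burst of failed network logons (Security event 4625, logon type 3, which is what WinRM authentication produces) from one source address, followed by a successful logon (4624) from the same address. The event records are constructed for illustration; the field names follow the Security log's own (EventID, TargetUserName, IpAddress, LogonType), while the threshold and the time window are assumptions to tune for your environment.

```python
"""Flag WinRM brute-force / password-spray activity in Windows Security events.

Added example, not code from the original page. The records below are
constructed; no real log was used.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one dict per record as a SIEM might deliver them.
# 4625 = failed logon, 4624 = successful logon.
# LogonType 3 = network logon, which is what WinRM authentication produces.
SAMPLE_EVENTS = [
    # alice mistypes her password once, then logs in: benign
    {"time": "2024-01-10T09:55:00", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.7", "LogonType": 3},
    {"time": "2024-01-10T09:55:10", "EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.7", "LogonType": 3},
    # 10.0.0.99 tries six accounts in ten seconds, then one succeeds
    {"time": "2024-01-10T10:00:01", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "10.0.0.99", "LogonType": 3},
    {"time": "2024-01-10T10:00:03", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.99", "LogonType": 3},
    {"time": "2024-01-10T10:00:05", "EventID": 4625, "TargetUserName": "carol", "IpAddress": "10.0.0.99", "LogonType": 3},
    {"time": "2024-01-10T10:00:07", "EventID": 4625, "TargetUserName": "dave", "IpAddress": "10.0.0.99", "LogonType": 3},
    {"time": "2024-01-10T10:00:09", "EventID": 4625, "TargetUserName": "erin", "IpAddress": "10.0.0.99", "LogonType": 3},
    {"time": "2024-01-10T10:00:11", "EventID": 4625, "TargetUserName": "frank", "IpAddress": "10.0.0.99", "LogonType": 3},
    {"time": "2024-01-10T10:00:30", "EventID": 4624, "TargetUserName": "frank", "IpAddress": "10.0.0.99", "LogonType": 3},
    # a console (LogonType 2) failure is not WinRM traffic and is ignored
    {"time": "2024-01-10T10:01:00", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "-", "LogonType": 2},
]


def detect_winrm_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: stats} for every source IP that produced `threshold` or more
    failed network logons inside `window`. Stats hold the total failures seen,
    the set of user names tried, whether a network logon from that IP later
    succeeded (and as whom), and a rough pattern label.
    threshold/window are assumed values, not Windows defaults."""
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 sorts lexically
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    stats = {}

    for ev in events:
        if ev.get("LogonType") != 3:
            continue  # only network logons are relevant to WinRM
        ip = ev["IpAddress"]
        ts = datetime.fromisoformat(ev["time"])
        s = stats.setdefault(ip, {"failures": 0, "users": set(), "flagged": False, "success_after": None})

        if ev["EventID"] == 4625:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            s["failures"] += 1
            s["users"].add(ev["TargetUserName"])
            if len(q) >= threshold:
                s["flagged"] = True
        elif ev["EventID"] == 4624 and s["flagged"] and s["success_after"] is None:
            # a success from an address already flagged is the high-severity case
            s["success_after"] = (ts.isoformat(), ev["TargetUserName"])

    findings = {}
    for ip, s in stats.items():
        if s["flagged"]:
            # many distinct accounts with few tries each reads as a spray
            s["pattern"] = "password spray" if len(s["users"]) >= 3 else "single-account brute force"
            findings[ip] = s
    return findings


if __name__ == "__main__":
    for ip, s in detect_winrm_bruteforce(SAMPLE_EVENTS).items():
        print(ip, s["pattern"], s["failures"], "failures,", "success:", s["success_after"])
```

Feeding real data means pulling 4624/4625 from the Security log (or the Microsoft-Windows-WinRM/Operational channel) and mapping them onto the same four fields; the sliding window keeps memory bounded to the failures still inside the window per source address.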
See also: RogueWinRM (0.5k stars on GitHub, no longer maintained since 2020).
To-do
Stuff I found but have not read or used yet.
- Windows Remote Shell (WinRS), MS-PSRP
- nmap wsman