Windows Remote Management (WinRM)
WinRM is a protocol that if enabled, allows administrators to remotely connect to a server using a remote shell.
Ports
- 5985 (TCP, HTTP)
- 5986 (TCP, HTTPS)
WinRM is a SOAP-based protocol. See also: WMI, WBEM, DCOM.
WinRM vulnerabilities
You can use evil-winrm (3.9k stars) on Linux to spawn a PowerShell session over WinRM. On a Windows host, you can use Test-WSMan to check whether the WinRM service is listening.
$ evil-winrm -i IP -u username -p password
$ evil-winrm -i IP -u 'username' -p 'password'
$ evil-winrm -i IP -u 'username' -H 'hash'
You can try to brute force credentials:
$ nxc winrm IP -u user.list -p password.list
Inside an evil-winrm session, we can upload files with upload /path/to/file.
From a Windows host, you can use:
PS> Enter-PSSession -ComputerName "COMPUTER_NAME"
PS> Enter-PSSession -ComputerName "COMPUTER_NAME.example.com" -Credential example\username
PS> $password = ConvertTo-SecureString "password" -AsPlainText -Force
PS> $cred = new-object System.Management.Automation.PSCredential ("example\username", $password)
PS> Enter-PSSession -ComputerName "COMPUTER_NAME" -Credential $cred
To avoid the double hop problem (the remote session does not forward your credentials, so you get access denied on a resource you should be able to reach through a second hop), register a session configuration that runs as the target account:
PS> Enter-PSSession [...]
session> Register-PSSessionConfiguration -Name xxx -RunAsCredential example\username
session> Restart-Service WinRM
PS> Enter-PSSession [...] -ConfigurationName xxx
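As an added example (not part of the original notes), the following PowerShell audits the same WinRM surface the commands above touch from the defender's side: which listeners (5985/5986) are up, whether Basic or unencrypted traffic is accepted, and which session configurations run as a stored account (the double-hop workaround leaves such a configuration behind). It assumes an elevated shell on a host with WinRM installed; the function name Get-WinRmAudit is hypothetical.

```powershell
# Added example, not from the original page. Assumes an elevated shell
# (the WSMan: drive needs administrator rights). Get-WinRmAudit is a
# name chosen for this example.

function Get-WinRmAudit {
    $result = [ordered]@{}

    # Test-WSMan throws when WinRM is not listening on the host.
    try   { $null = Test-WSMan -ErrorAction Stop; $result.Reachable = $true }
    catch { $result.Reachable = $false }

    # Listeners: transport (HTTP 5985 / HTTPS 5986) and bound address.
    $result.Listeners = Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem -Path $_.PSPath
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
            Address   = ($props | Where-Object Name -eq 'Address').Value
        }
    }

    # Basic auth carries the password with only transport protection, so it
    # belongs off unless HTTPS is enforced; AllowUnencrypted should be false.
    $result.BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $result.AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value

    # Session configurations with a RunAs account keep a credential on the
    # box (this is what Register-PSSessionConfiguration -RunAsCredential creates).
    $result.RunAsConfigs = Get-PSSessionConfiguration |
        Where-Object { $_.RunAsUser } |
        Select-Object Name, RunAsUser

    [pscustomobject]$result
}

$audit = Get-WinRmAudit
$audit | Format-List

# Flag the settings a reviewer would want changed.
if ($audit.Listeners.Transport -notcontains 'HTTPS') { Write-Warning 'No HTTPS (5986) listener configured' }
if ($audit.BasicAuth -eq 'true')                     { Write-Warning 'Basic authentication is enabled' }
if ($audit.AllowUnencrypted -eq 'true')              { Write-Warning 'Unencrypted WinRM traffic is allowed' }
if ($audit.RunAsConfigs)                             { Write-Warning 'Session configurations with stored RunAs credentials exist' }
```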
To-do
Stuff that I found, but never read/used yet.
- Windows Remote Shell (WinRS), MS-PSRP
- nmap wsman