WinRM
WinRM is a Windows protocol that enables remote management and access to Windows systems over HTTP or HTTPS. It is not enabled by default and must be explicitly configured. System administrators use WinRM to facilitate tasks such as:
Remotely accessing and interacting with Windows hosts.
Executing commands remotely on Windows systems.
Managing and configuring Windows systems remotely.
WinRM commonly uses TCP ports 5985 (HTTP) and 5986 (HTTPS).
WSMan (Web Services for Management) is a protocol developed by Microsoft that allows for remote management of systems using web services. It is based on the Simple Object Access Protocol (SOAP) and is designed to standardize the way systems communicate with management tools. WSMan is often used in conjunction with WinRM for managing Windows environments.
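Because WinRM is off by default and its exposure depends entirely on how it was configured, the first defensive step is to audit what a given host actually listens on and how it authenticates. The following PowerShell is an added example written for this page, not code from the original; it assumes an elevated session on the Windows host under review and uses the standard `WSMan:\` provider paths and built-in cmdlets.

```powershell
# Added example (not from the original page): audit a host's WinRM/WSMan exposure.
# Run in an elevated PowerShell session on the Windows host being reviewed.
# Assumes the WinRM service is present; the WSMan:\ paths are the standard provider paths.

# 1. Is the service running at all? (WinRM is not enabled by default.)
Get-Service WinRM | Select-Object Name, Status, StartType

# 2. Enumerate listeners: transport (HTTP = 5985, HTTPS = 5986), bound address and port.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Name      = $_.Name
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Address   = ($props | Where-Object Name -eq 'Address').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
    }
}

# 3. Service-side authentication and encryption settings.
#    Basic auth on an HTTP listener exposes credentials to anyone on the path;
#    AllowUnencrypted = true permits unencrypted SOAP message bodies.
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-Item WSMan:\localhost\Service\AllowUnencrypted | Select-Object Name, Value

# 4. Who may connect: the session configuration ACL decides which principals get a shell.
Get-PSSessionConfiguration | Select-Object Name, Permission

# 5. Firewall rules that open the WinRM ports to the network.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Where-Object Enabled -eq 'True' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Hardening (uncomment to apply): refuse Basic auth and unencrypted traffic.
# Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
# Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
```

The listener table tells you whether the host answers on 5985, 5986 or both; the `Auth` listing shows whether weaker mechanisms such as Basic are accepted, and the session configuration permissions show which groups an authenticated client can actually use to obtain a shell.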
Exploiting WinRM
WinRM controls access through its authentication mechanisms, so assessing WinRM security means testing those credentials and the access they grant. Tools like CrackMapExec can brute-force WinRM logins to identify valid user credentials and then execute commands on target systems with them. Additionally, the Evil-WinRM Ruby script establishes an interactive command shell session on the target system over WinRM, giving remote access and command execution once credentials are known.
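The brute-force activity described above leaves a recognisable trace on the target: a burst of failed network logons from one source address, often against many different usernames. The following PowerShell is an added detection example written for this page, not code from the original. It assumes an elevated session on the host, that failure auditing for Logon/Logoff is enabled so failed WinRM authentication is recorded as Security event 4625 with Logon Type 3, and that the threshold value is a placeholder to tune per environment.

```powershell
# Added example (not from the original page): flag WinRM brute-force / password-spray
# patterns by counting failed network logons (Security event 4625, Logon Type 3) per source IP.
# Assumptions: elevated session; Logon/Logoff failure auditing enabled. Logon Type 3 is shared
# with SMB and RPC, so this is a host-wide network-logon view rather than a WinRM-only one.
$Window    = (Get-Date).AddHours(-1)
$Threshold = 10   # constructed placeholder: failures from one address worth a look; tune per environment

$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Window } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            LogonType = $d['LogonType']
            SourceIP  = $d['IpAddress']
        }
    } |
    Where-Object { $_.LogonType -eq '3' -and $_.SourceIP -and $_.SourceIP -ne '-' }

$failures |
    Group-Object SourceIP |
    Where-Object Count -ge $Threshold |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP      = $_.Name
            Failures      = $_.Count
            # Many distinct users from one address is the password-spray signature;
            # one user with many failures is classic single-account brute force.
            DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize

# Follow-up: a successful 4624 (Logon Type 3) from a flagged address shortly after the burst
# indicates a guessed credential; WinRM session activity is also recorded in the
# Microsoft-Windows-WinRM/Operational log and can be correlated by time and source.
```

Pair this with the audit of listeners and authentication settings: an address that produces a burst of failures against a host whose listener accepts Basic authentication over HTTP is the case to escalate first, and the mitigation is to restrict the WinRM firewall rules to management networks and lock the session configuration ACL down to the administrators who need it.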
Enumeration & Brute-force
Getting a Reverse Shell
w/ Metasploit