Winrm

Source CTF and HTB Academy

• Usually on port 5985, 5986

The Windows Remote Management (WinRM) is a simple Windows integrated remote management protocol based on the command line. WinRM uses the Simple Object Access Protocol (SOAP) to establish connections to remote hosts and their applications. Therefore, WinRM must be explicitly enabled and configured starting with Windows 10.

Enumeration

Nmap

• nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n

Evil-winrm

• sudo gem install evil-winrm install

• evil-winrm -i <target-IP> -u <username> -p <password> Usage

• evil-winrm -i 10.129.201.248 -u user -p password Example

Crackmapexec

• crackmapexec winrm 10.129.42.197 -u user.list -p password.list

Resources

• CrackMapExec
• Winrm Pentest - Raj Chandel
• Abusing Windows Remote Management (WinRM) with Metasploit - Rapid7
• Winrm - Lisandre
• 5985,5986 - Pentesting WinRM - Hacktricks