WinRM [5985, 5986]

Windows Remote Management (WinRM) is a simple Windows-integrated remote management protocol based on the command line.

  • Overview

    • WinRM is a Windows-integrated remote management protocol based on the command line.

    • Uses Simple Object Access Protocol (SOAP) for remote connections.

    • Must be explicitly enabled and configured on Windows 10 and later.

  • Communication & Ports

    • Uses TCP ports 5985 (HTTP) and 5986 (HTTPS) for communication.

    • Previously used ports 80 (HTTP) and 443 (HTTPS), but port 80 was blocked for security reasons.

  • Windows Remote Shell (WinRS)

    • Works alongside WinRM for administration.

    • Enables execution of arbitrary commands on a remote system.

    • Included by default in Windows 7 and later.

  • WinRM Use Cases

    • Supports remote command execution on another server.

    • Required for PowerShell remote sessions and event log merging.

  • Default Configuration

    • Enabled by default from Windows Server 2012 onwards.

    • Older Windows versions require manual configuration and firewall exceptions.

Footprinting the Service

Nmap WinRM

nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n

Evil-WinRM

If we want to find out whether one or more remote servers can be reached via WinRM, we can easily do this with the help of PowerShell. The Test-WsMan cmdlet is responsible for this; the name of the host in question is passed to it. In Linux-based environments, we can use the tool called evil-winrm, another penetration testing tool designed to interact with WinRM.

z3tssu@htb[/htb]$ evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Cry0l1t3\Documents>
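As an added example (not part of the original page), the Test-WsMan check described above wrapped in a small function that probes a list of hosts on both WinRM ports and reports which listeners answer. The function name and the host names in the usage line are assumptions chosen for illustration.

```powershell
# Added example: inventory reachable WinRM listeners with Test-WsMan.
# Test-WsMan sends only the unauthenticated WS-Management Identify request,
# so no credentials are transmitted by this check.
function Test-WinRMListener {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )

    # Probe the HTTP listener (5985) first, then the HTTPS listener (5986).
    $probes = @(
        @{ Port = 5985; UseSSL = $false },
        @{ Port = 5986; UseSSL = $true  }
    )

    foreach ($target in $ComputerName) {
        foreach ($probe in $probes) {
            try {
                $id = Test-WsMan -ComputerName $target -Port $probe.Port -UseSSL:$probe.UseSSL -ErrorAction Stop
                [pscustomobject]@{
                    ComputerName    = $target
                    Port            = $probe.Port
                    Reachable       = $true
                    ProductVendor   = $id.ProductVendor
                    # Unauthenticated Identify responses typically hide the OS build
                    # (reported as "OS: 0.0.0"), but still reveal the WinRM stack version.
                    ProductVersion  = $id.ProductVersion
                    ProtocolVersion = $id.ProtocolVersion
                }
            }
            catch {
                # Connection refused, timeout, or TLS failure: record the listener as not reachable.
                [pscustomobject]@{
                    ComputerName    = $target
                    Port            = $probe.Port
                    Reachable       = $false
                    ProductVendor   = $null
                    ProductVersion  = $null
                    ProtocolVersion = $null
                }
            }
        }
    }
}

# Usage (host names are constructed placeholders):
Test-WinRMListener -ComputerName 'srv01.example.internal', 'srv02.example.internal' | Format-Table -AutoSize
```

A self-signed certificate on 5986 makes the HTTPS probe fail unless a session option that skips certificate checks is passed, so the 5985 result is usually the more reliable indicator of a running service.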
