Overview
Windows Remote Management (WinRM), the Microsoft implementation of the WS-Management Protocol, is commonly run on tcp/5985. It is a standard SOAP-based protocol. This service requires credentials.
WinRM is Microsoft's implementation of the open WS-Management standard for SOAP-based remote management. Microsoft includes several standalone tools (winrm, winrs) and it is also the underlying technology used for PowerShell Remoting. Under the surface, WinRM makes use of WMI queries, but it can also leverage the IPMI driver for hardware management. It's a terribly powerful tool, albeit not widely deployed yet due to its relative infancy.
Port: 5985/TCP (HTTP), 5986/TCP (HTTPS)
Tools: winrm, winrs, PowerShell Remoting
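As an added example (not part of these notes, and not code from any of the tools listed), a PowerShell audit of a host's own WinRM listener and authentication settings via the WSMan: drive; it assumes an elevated local session on the Windows host being reviewed and talks to no remote machine.

```powershell
# Added example: audit this host's WinRM exposure through the WSMan: drive.
# Assumes an elevated PowerShell session on the host itself (the WSMan: drive
# needs admin); nothing here connects to a remote system.
$findings = @()

# 1. Which listeners exist, and on which transport/port (5985 HTTP vs 5986 HTTPS)?
foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
    $props = @{}
    foreach ($p in Get-ChildItem $listener.PSPath) { $props[$p.Name] = $p.Value }
    $concern = ''
    if ($props.Transport -eq 'HTTP') {
        $concern = 'Cleartext transport on 5985; prefer an HTTPS listener on 5986'
    }
    $findings += [pscustomobject]@{
        Check   = "Listener $($listener.Name)"
        Value   = "$($props.Transport) port $($props.Port) address $($props.Address)"
        Concern = $concern
    }
}

# 2. Service-side settings that weaken authentication or encryption.
$weakIfTrue = @{
    'Service\AllowUnencrypted' = 'SOAP traffic allowed without message-level encryption'
    'Service\Auth\Basic'       = 'Basic auth sends base64 credentials; only acceptable over HTTPS'
}
foreach ($path in 'Service\AllowUnencrypted', 'Service\Auth\Basic',
                  'Service\Auth\Kerberos', 'Service\Auth\Negotiate') {
    $value = (Get-Item "WSMan:\localhost\$path").Value
    $concern = ''
    if ($value -eq 'true' -and $weakIfTrue.ContainsKey($path)) { $concern = $weakIfTrue[$path] }
    $findings += [pscustomobject]@{ Check = $path; Value = $value; Concern = $concern }
}

# 3. Client-side TrustedHosts: a wildcard lets this host send credentials to any WinRM server.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$concern = ''
if ($trusted -eq '*') { $concern = 'Wildcard TrustedHosts; scope it to named hosts' }
$findings += [pscustomobject]@{ Check = 'Client\TrustedHosts'; Value = $trusted; Concern = $concern }

# Print the table; rows with a non-empty Concern are the ones to fix.
$findings | Format-Table -AutoSize
```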
Examples
List Services:
winrm enumerate wmicimv2/Win32_Service -r:192.168.112.20
Execute ipconfig:
winrs /r:WIN-DEHIB5FROC2 /u:josh /p:Password1 ipconfig
Open PSRemote Interactive PS Session:
Enter-PSSession -ComputerName 192.168.112.200 -Credential testlab\josh
Exit-PSSession
Commands
To open a PS shell to the target with evil-winrm:
evil-winrm -i 10.10.10.175 -u fsmith -p 'Thestrokes23'
References
HTB Sauna/LDAP Attack/Stealing Kerberos ticket and PTH with evil-winrm
Talks about importing PS modules and stuff https://www.kitploit.com/2019/07/evil-winrm-ultimate-winrm-shell-for.html