Windows Remote Management (WinRM) is a simple, command-line-oriented remote management protocol built into Windows. WinRM uses the Simple Object Access Protocol (SOAP) to establish connections to remote hosts and their applications.
Default ports: 5985 (HTTP), 5986 (HTTPS)
Banner grabbing
nc -nv $IP 5985
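What the banner grab above is actually talking to, shown as an added example (not part of the original page): the WS-Management Identify request that WinRM answers before authentication, plus a parser for the response and for the authentication schemes a 401 advertises in WWW-Authenticate. The sample response is constructed; it mirrors the shape WinRM returns unauthenticated, where the OS version reads 0.0.0 until the client authenticates.

```python
"""WS-Management Identify exchange: the SOAP handshake behind WinRM banner grabbing."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSMID_NS = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"

# The Identify request a client POSTs to /wsman (port 5985 or 5986).
IDENTIFY_REQUEST = (
    f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}">'
    "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
)

# Headers sent with that POST; WSMANIDENTIFY makes WinRM answer before
# authentication, which is what lets a scanner fingerprint the service.
IDENTIFY_HEADERS = {
    "Content-Type": "application/soap+xml;charset=UTF-8",
    "WSMANIDENTIFY": "unauthenticated",
}

# Constructed sample in the shape of an unauthenticated WinRM IdentifyResponse.
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}">
  <s:Header/>
  <s:Body>
    <wsmid:IdentifyResponse>
      <wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>
      <wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>
      <wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion>
    </wsmid:IdentifyResponse>
  </s:Body>
</s:Envelope>"""


def parse_identify(body: str) -> dict:
    """Return the IdentifyResponse fields as a dict; raise if the body is not one."""
    root = ET.fromstring(body)
    resp = root.find(f"{{{SOAP_NS}}}Body/{{{WSMID_NS}}}IdentifyResponse")
    if resp is None:
        raise ValueError("not a WS-Management IdentifyResponse")
    return {child.tag.split("}", 1)[1]: (child.text or "").strip() for child in resp}


def parse_auth_methods(www_authenticate: list) -> list:
    """Authentication schemes from a 401's WWW-Authenticate headers, sorted and deduplicated."""
    return sorted({h.split(None, 1)[0] for h in www_authenticate if h.strip()})


if __name__ == "__main__":
    print(parse_identify(SAMPLE_RESPONSE))
    print(parse_auth_methods(["Negotiate", 'Basic realm="WSMAN"', "Kerberos"]))
```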
Nmap
Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.
# Default NSE
sudo nmap -sCV -p5985,5986 $IP
NetExec
NetExec (AKA nxc) is a network service exploitation tool that helps automate assessing the security of large networks.
# Get Windows version
nxc winrm $IP
# Password spraying (--no-bruteforce pairs each user with the password on the same line of the two files instead of trying every combination)
nxc winrm $IP -u /wordlists/users.txt -p /wordlists/passwords.txt --no-bruteforce
# Execute command with AUTHENTICATION
nxc winrm $IP -u administrator -p password123 -x "whoami"
Evil-WinRM
Evil-WinRM is the ultimate WinRM shell for hacking/pentesting.
evil-winrm -i $IP -u Administrator -p password123 # Login with a password
evil-winrm -S -c pub.key -k decrypted_priv.key -i $IP # Login with certificates over SSL
Metasploit Framework
Metasploit Framework is an open source platform that supports vulnerability research, exploit development, and the creation of custom security tools.
auxiliary/scanner/winrm/winrm_auth_methods # Checks the authentication methods
auxiliary/scanner/winrm/winrm_cmd # Execute command
auxiliary/scanner/winrm/winrm_login # Brute-forcing login
# Execute payload (requires AUTHENTICATION)
# If it fails to execute [BUG], make sure to `set FORCE_VBS true`
exploit/windows/winrm/winrm_script_exec