WinRM (tcp/5985,5986)
Windows Remote Management (WinRM) allows administrators to execute commands remotely and even get an interactive shell on the remote system.
The default ports for this service are the following:
| Port | Description |
|---|---|
| tcp/5985 | WS-Management Protocol over HTTP |
| tcp/5986 | WS-Management Protocol over HTTPS |
By default, all users of the groups `BUILTIN\Administrators` and `BUILTIN\Remote Management Users` are allowed to connect to a remote system via WinRM. Check for additional permissions:

```powershell
Get-PSSessionConfiguration -Name Microsoft.PowerShell
```
PowerShell
Prior to launching a `PSSession`, our attacker system must be set up to trust the targeted host (or any host). This command requires administrative rights:

```powershell
Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
```
Info
Remove the `TrustedHosts` entries:

```powershell
Clear-Item WSMan:\localhost\Client\TrustedHosts
```
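As an added audit example (not part of the original page), the following function checks, from the defender's side, the three settings covered above: which principals each session configuration admits beyond the defaults, which listeners are bound (flagging an HTTP-only setup), and whether the client `TrustedHosts` list was left at `*`. It must run in an elevated PowerShell on the host being audited; the function name and the baseline list of default principals are assumptions.

```powershell
# Added audit helper, not code from the original page. Requires an elevated
# shell: Get-PSSessionConfiguration and the WSMan: drive need admin rights.
function Get-WinRMExposure {
    # 1. Who may connect through each session configuration (endpoint)?
    #    Permission is a string such as
    #    "NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, ..."
    #    Assumed baseline: the principals granted on a default Microsoft.PowerShell endpoint.
    $baseline = @('NT AUTHORITY\INTERACTIVE', 'BUILTIN\Administrators', 'BUILTIN\Remote Management Users')
    $endpoints = Get-PSSessionConfiguration | ForEach-Object {
        $allowed = @()
        if ($_.Permission) {
            $allowed = @(($_.Permission -split ',\s*') |
                Where-Object { $_ -match 'AccessAllowed' } |
                ForEach-Object { $_ -replace '\s+AccessAllowed$', '' })
        }
        [pscustomobject]@{
            Endpoint = $_.Name
            Allowed  = $allowed
            # Principals beyond the default ones deserve a second look
            Extra    = @($allowed | Where-Object { $_ -notin $baseline })
        }
    }

    # 2. Which listeners are bound, and is any of them plain HTTP (tcp/5985)?
    #    Each listener item exposes its settings as "Key=Value" strings in .Keys
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = @{}
        foreach ($k in $_.Keys) { $name, $val = $k -split '=', 2; $props[$name] = $val }
        [pscustomobject]@{ Transport = $props['Transport']; Address = $props['Address'] }
    })

    # 3. Is the client trust list wildcarded (the "Set-Item ... -Value *" from above)?
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

    [pscustomobject]@{
        Endpoints       = $endpoints
        Listeners       = $listeners
        HttpOnly        = ($listeners.Transport -contains 'HTTP') -and ($listeners.Transport -notcontains 'HTTPS')
        TrustedHosts    = $trusted
        TrustsAnyHost   = ($trusted -eq '*')
        # Members of the second default group that may connect over WinRM
        RemoteMgmtUsers = @(Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue).Name
    }
}

Get-WinRMExposure | Format-List
```

Any non-empty `Extra` entry, an `HttpOnly` listener, or `TrustsAnyHost` set to true is a finding worth tracing back to whoever changed it.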
Remote Shell

```powershell
Enter-PSSession -ComputerName <HOST> -Credential [DOMAIN\]<USERNAME>
```
Remote Command Execution

```powershell
Invoke-Command -ComputerName <HOST> -Credential [DOMAIN\]<USERNAME> -ScriptBlock { <COMMAND> }
Invoke-Command -ComputerName <HOST> -Credential [DOMAIN\]<USERNAME> -FilePath <\path\to\powershell\script.ps1>
```
Copy Files

```powershell
Copy-Item [-FromSession <PSSession>] [-ToSession <PSSession>] -Path <source> -Destination <destination>
```

The `PSSession` object can be created on the fly with `(New-PSSession ...)` or retrieved from the list of existing sessions with `(Get-PSSession ...)` (see Session Management).
Session Management
Instead of creating a disposable new session with every command, it is also possible to first create a persistent `PSSession` and then use it to perform any of the actions described above:

```powershell
New-PSSession -ComputerName <HOST> -Credential [DOMAIN\]<USERNAME>
```
List the available `PSSession` objects:

```powershell
Get-PSSession [-Name <NAME>]
```
In order to use an existing `PSSession`, replace both the `-ComputerName` and `-Credential` parameters with `-Session <PSSession>`, e.g.:

```powershell
Enter-PSSession -Session (Get-PSSession -Name <NAME>)
```
Tip
It is possible to pass a `PSCredential` object to the `-Credential` option if you need to reuse credentials multiple times:

```powershell
$creds = Get-Credential -Credential [DOMAIN\]<USERNAME>
```