WinRM (tcp/5985,5986)

Windows Remote Management (WinRM) allows administrators to execute commands remotely and even get an interactive shell on the remote system.


The default ports for this service are the following:

Port Description
tcp/5985 WS-Management Protocol over HTTP
tcp/5986 WS-Management Protocol over HTTPS

By default, all users of the groups BUILTIN\Administrators and BUILTIN\Remote Management Users are allowed to connect to a remote system via WinRM. Check for additional permissions:

Get-PSSessionConfiguration -Name Microsoft.PowerShell

PowerShell

Prior to launching a PSSession, our attacker system must be setup to trust the targeted host (or any host), this command requires administrative rights:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
Remote Shell
Enter-PSSession -ComputerName <HOST> -Credential [DOMAIN\]<USERNAME>
Remote Command Execution
Invoke-Command -ComputerName <HOST> -Credential [DOMAIN\]<USERNAME> -ScriptBlock { <COMMAND> }
Invoke-Command -ComputerName <HOST> -Credential [DOMAIN\]<USERNAME> -FilePath <\path\to\powershell\script.ps1>
Copy Files
Copy-Item [-FromSession <PSSession>] [-ToSession <PSSession>] -Path <source> -Destination <destination>

The PSSession object can be created on the fly with (New-PSSession ...) or retrieve from the list of sessions with (Get-PSSession ...) (see Session Management).

Session Management

Instead of creating a disposable new session with every command, it is also possible to first create a permanent PSSession and then use it to perform any of the action described above:

New-PSSession -ComputerName <HOST> -Credential [DOMAIN\]<USERNAME>

List PSSession available:

Get-PSSession [-Name <NAME>]

In order to use an existing PSSession, replace both -ComputerName and -Credential parameters with -Session <PSSession>, e.g.:

Enter-PSSession -Session (Get-PSSession -Name <NAME>)

References