WinRM (5985-5986)

Windows Remote Management.

Protocol Information

Allows systems to access or exchange management information through HTTP(S). Created to facilitate operations for system administrators. Thus it was used to remotely access and interact with windows hosts on a local network, execute commands on those hosts, and remotely configure and administer windows systems. WinRM implements access control and communication security through various forms of authentication.

Port

5985 TCP

WinRM HTTP

5986 TCP

WinRm HTTPS

Interact

Tools

Details

evil-winrm

evil-winrm.rb -u <USER>[@<DOMAIN>] -p <PASS> -i <IP>

winrmexec

python3 evil_winrmexec.py -ssl -port 5986 <DOMAIN>/<USER>:'<PASS>'@<IP/HOST> [-k]

$password = ConvertTo-SecureString "<PASS>" -AsPlainText -Force
$cred = new-object System.Management.Automation.PSCredential ("<DOMAIN>\<USER>", $password)
Enter-PSSession -ComputerName <PC_NAME> -Credential $cred

Last updated 1 month ago

Was this helpful?