Warning

By default, UAC's remote token filtering restricts WinRM calls to domain admins and the built-in local "Administrator" account (RID 500). Other local Windows admins receive a filtered (non-elevated) token and cannot use this service without the policy change described below!

Tip

Admin-ish privileges (including privileges associated with the Backup Operators group) are stripped from local accounts by default when using WinRM. To enable this access, the LocalAccountTokenFilterPolicy registry value on the target must be set to 1 (this itself requires local admin rights on the target):

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

Windows Remote Management (WinRM) is Microsoft's implementation of WS-Management; PowerShell remoting runs over it, so in practice it is PowerShell-over-HTTP. It requires access to TCP 5985 (HTTP; no TLS, the payload relies only on the message-level encryption that Kerberos/NTLM authentication provides) or TCP 5986 (HTTPS).
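The two settings above (LocalAccountTokenFilterPolicy and the listener ports) are what a defender wants to audit on a host. The following is an added example, not part of the original notes; it is run locally with administrative rights, reads the policy value from the registry key shown above and enumerates the WinRM listeners from the WSMan: drive (which needs the WinRM service to be running). The risk wording in the Findings list is the example's own.

```powershell
# Added example: audit a host's WinRM exposure (assumes local admin rights).
function Get-WinRmExposure {
    [CmdletBinding()]
    param()

    # 1 means UAC remote token filtering is disabled for local admins.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $tokenFilterValue = if ($null -ne $policy) { [int]$policy.LocalAccountTokenFilterPolicy } else { 0 }

    $service = Get-Service -Name WinRM -ErrorAction SilentlyContinue

    # Enumerate listeners (Transport/Port/Address) from the WSMan: provider.
    $listeners = @()
    if ($service -and $service.Status -eq 'Running') {
        foreach ($listener in Get-ChildItem -Path WSMan:\localhost\Listener) {
            $props = Get-ChildItem -Path $listener.PSPath
            $listeners += [pscustomobject]@{
                Transport = ($props | Where-Object Name -eq 'Transport').Value
                Port      = [int]($props | Where-Object Name -eq 'Port').Value
                Address   = ($props | Where-Object Name -eq 'Address').Value
            }
        }
    }

    # Non-admins who can still open remote shells are in this local group.
    $remoteMgmtUsers = @(Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    $findings = @()
    if ($tokenFilterValue -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: every local administrator gets a full token over WinRM.'
    }
    if ($listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Address -eq '*' }) {
        $findings += 'HTTP listener (TCP 5985) bound to all addresses; prefer HTTPS/5986 or restrict the bind address.'
    }
    if ($remoteMgmtUsers.Count -gt 0) {
        $findings += "Remote Management Users has members: $($remoteMgmtUsers -join ', ')"
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        WinRmServiceStatus            = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }
        LocalAccountTokenFilterPolicy = $tokenFilterValue
        Listeners                     = $listeners
        RemoteManagementUsers         = $remoteMgmtUsers
        Findings                      = $findings
    }
}

Get-WinRmExposure | Format-List
```

Run it from an elevated PowerShell prompt; an empty Findings list with no HTTP listener on `*` and the policy value at 0 is the default posture the Warning above describes.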

WinRS

winrs.exe is an older application used to interact with WinRM.

winrs.exe -u:$TARGET_USER `
          -p:$TARGET_PASSWORD `
          -r:$TARGET_HOST $COMMAND

This interface has been largely deprecated in favor of using PowerShell, and may not even be present on recent versions of Windows.

PowerShell

Use WinRM with PowerShell

Many large companies will enable PowerShell remoting on all machines in order to ease IT support burdens (by default, remoting is only enabled on domain controllers).

# Create a PSCredential object for authentication.
#
$SECURE_PASSWORD = ConvertTo-SecureString "$TARGET_PASSWORD" `
                                          -AsPlainText -Force;
$CREDENTIAL_OBJECT = New-Object `
                   System.Management.Automation.PSCredential `
                   $TARGET_USER, $SECURE_PASSWORD;

# Enter an interactive PowerShell session on the $TARGET_HOST.
#
Enter-PSSession -ComputerName $TARGET_HOST `
                -Credential $CREDENTIAL_OBJECT

# Alternately, we can pass commands directly as "script
# blocks". Note that the script block does not have access to
# any variables in the host script or session, as it's sent
# to $TARGET_HOST for execution (this can be worked around
# using the -ArgumentList parameter, or the $using: scope
# modifier, if necessary).
#
Invoke-Command -ComputerName $TARGET_HOST `
               -Credential $CREDENTIAL_OBJECT `
               -ScriptBlock {
                    $POWERSHELL_SCRIPT
                }

Evil-WinRM

evil-winrm -i $TARGET_HOST \
           -u $TARGET_USER \
           -H $TARGET_USER_NTLM_HASH

This requires that you already have the target user’s NTLM hash, obviously.

Note that Evil-WinRM does have a built-in download command for transferring files, but it is slow.
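Whether a remote shell is opened with Enter-PSSession/Invoke-Command as in the PowerShell section above or with a tool such as Evil-WinRM, the server side records the creation of a WSMan shell in the Microsoft-Windows-WinRM/Operational log (event ID 91, "Creating WSMan shell on server with ResourceUri ..."). The following is an added example, not part of the original notes, that pulls those events for a time window and summarises them per account so a defender can spot unexpected remoting activity; it assumes the operational log is enabled (the default) and that the caller can read event logs on the host (local admin or Event Log Readers). The "noisy account" threshold is the example's own choice.

```powershell
# Added example: summarise inbound WinRM shell creations (event ID 91).
function Get-InboundWinRmShell {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME,
        # Accounts opening more than this many shells in the window are flagged.
        [int]$NoisyThreshold = 20
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 91
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The event is logged under the SID of the authenticated remote user.
        $account = $null
        if ($null -ne $e.UserId) {
            $account = $(try { $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                         catch { $e.UserId.Value })
        }
        # Pull the ResourceUri out of the message text (PowerShell remoting uses
        # http://schemas.microsoft.com/powershell/Microsoft.PowerShell).
        $uri = if ($e.Message -match 'ResourceUri:\s*(\S+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = $account
            ResourceUri = $uri
        }
    }

    $perAccount = $rows | Group-Object Account | ForEach-Object {
        [pscustomobject]@{
            Account    = $_.Name
            ShellCount = $_.Count
            FirstSeen  = ($_.Group | Measure-Object TimeCreated -Minimum).Minimum
            LastSeen   = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
            Noisy      = $_.Count -gt $NoisyThreshold
        }
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        WindowHours  = $Hours
        Shells       = $rows
        PerAccount   = $perAccount
    }
}

$report = Get-InboundWinRmShell -Hours 24
$report.PerAccount | Sort-Object ShellCount -Descending | Format-Table -AutoSize
```

Accounts that should never be remoting into the host (service accounts, local administrators when LocalAccountTokenFilterPolicy has been set to 1) stand out in the per-account table; pairing the timestamps with Security log 4624 logon events (logon type 3) gives the source address.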