
What is it?
“Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate.
The WS-Management protocol specification provides a common way for systems to access and exchange management information across an IT infrastructure. WinRM and Intelligent Platform Management Interface (IPMI), along with the Event Collector are components of the Windows Hardware Management features.”
https://docs.microsoft.com/en-us/windows/win32/winrm/portal
You may have come across this service whilst scanning Windows systems before.
The ports you will see are 5985 (HTTP) and 5986 (HTTPS).

The service is disabled by default and, even when it is not (Windows 2008 and above), the listener is not enabled, so no traffic can pass. This makes the service quite hard to find in the wild, but it is there.
Because remote execution is needed for certain systems, users will opt to enable this feature. They might, however, be unaware that the default configuration allows a brute force attack to take place. The other problem is that vendors may lean towards open rules to ensure their supported system functions. It can be used for “good” but does need to be restricted.
As you can see from the Shodan search, there are several systems on the internet that have the WinRM service running. These are reachable anyway and are in the “Workgroup” domain. This makes brute forcing easier, as domain-joined hosts come with certain trust restrictions.

There are several scripts available to connect to this service; however, the most common method is to use the Metasploit modules.
If you did want to use Ruby, this is very helpful: https://github.com/WinRb/WinRM
gem install -r winrm
Metasploit comes pre-installed on Kali or Parrot so to start, simply run: msfconsole

First, let’s scan a system to check if the service is open. We can use the winrm_auth_methods scanner to see if our target has the service running.
use auxiliary/scanner/winrm/winrm_auth_methods
You will need to fill in the required parameters, but will first need to know a little about the machine. If the port shows 5986, for instance, you may need to use SSL. It is hard to tell the configuration of the service remotely, so it may be a case of trial and error.

Once we are happy our target is vulnerable, we can brute force.
use auxiliary/scanner/winrm/winrm_login
Again, we will need to pass the required parameters.

It’s important you get the domain correct, as there is a trust requirement for this service (by default). This can be obtained by scanning additional ports. If the machine is in a Workgroup, you should have no issues.

As you can see above, we have the credentials.
Now we can execute remote code on the system. Because this is the administrator, there are quite a lot of damaging things we can do. It will also be trusted, as it will come from the system itself. You may also use malicious code, as it will be running on the attacker’s system, not the target’s, meaning you can bypass the AV in certain situations.
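Every password the winrm_login module tries leaves a failed network logon on the target, which is what a defender should be looking for. The PowerShell below is an added example, not code from this post or from the WinRM_Brute_Scanner project: it groups failed logons by source address and flags a burst. It covers NTLM (Negotiate) failures, which are recorded on the target itself; Kerberos failures land on the domain controller and are outside this example. The sample events are constructed, and the threshold and window are assumptions to tune.

```powershell
# Added example, not code from the post or the WinRM_Brute_Scanner project.
# Failed WinRM logons that negotiate down to NTLM are logged on the target as
# Security Event ID 4625, Logon Type 3 (network). Brute forcing leaves a burst of
# them from one source address across several accounts. Thresholds are assumptions.
function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # TimeCreated, IpAddress, TargetUserName
        [int] $Threshold     = 10,                  # failures from one source before alerting
        [int] $WindowSeconds = 60                   # sliding window the failures must fall within
    )
    foreach ($group in ($Events | Group-Object -Property IpAddress)) {
        $sorted = @($group.Group | Sort-Object -Property TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowEnd = $sorted[$i].TimeCreated.AddSeconds($WindowSeconds)
            $inWindow  = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.TimeCreated -le $windowEnd })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $inWindow.Count
                    Accounts  = ($inWindow.TargetUserName | Sort-Object -Unique) -join ','
                    FirstSeen = $inWindow[0].TimeCreated
                    LastSeen  = $inWindow[-1].TimeCreated
                }
                break   # one alert per source address is enough
            }
        }
    }
}

# CONSTRUCTED sample: 12 failures in 30 s from one address cycling through an
# account list (the winrm_login pattern), plus one benign mistyped password later.
$base   = Get-Date '2023-01-10T09:00:00'
$users  = 'administrator', 'admin', 'backup', 'svc_sql'
$events = foreach ($i in 0..11) {
    [pscustomobject]@{ TimeCreated = $base.AddSeconds($i * 2.5); IpAddress = '203.0.113.10'; TargetUserName = $users[$i % 4] }
}
$events += [pscustomobject]@{ TimeCreated = $base.AddMinutes(5); IpAddress = '192.168.1.50'; TargetUserName = 'jsmith' }
Find-FailedLogonBursts -Events $events | Format-List

# Live input on the target host instead of the sample:
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     [pscustomobject]@{ TimeCreated = $_.TimeCreated
#         LogonType      = ($d | Where-Object Name -eq 'LogonType').'#text'
#         IpAddress      = ($d | Where-Object Name -eq 'IpAddress').'#text'
#         TargetUserName = ($d | Where-Object Name -eq 'TargetUserName').'#text' }
# } | Where-Object LogonType -eq 3
```

With the constructed data, the only alert is for 203.0.113.10 (12 failures across four accounts inside the 60-second window); the single failure from 192.168.1.50 never reaches the threshold.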

As you can see, a few lines of code could help you gain credentials to a system. You don’t have to be running Linux or Metasploit, though, to be able to brute force your way in. Because there are PowerShell functions built into your Windows system, you can simply run the following commands:
Command Line:
Winrs is a command which can be used to execute remote commands. The example below shows me passing the credentials and running “whoami”.

PowerShell:
We can also use several PowerShell commands to scan or execute remote code using the WinRM/WsMan (Client) service.
Test-Wsman:

Test-NetConnection:

Invoke-Command:

This can be a tedious method, though. That is why I have written a script that allows you to scan and brute force the WinRM service from your Windows system.

To find out more: https://github.com/ctrlaltdel-blog/WinRM_Brute_Scanner
As you can see, this simple service can be abused and used against you. Therefore, it is advised not to use the service’s defaults. If you do have this enabled, I would recommend reading the following and enabling some restrictions.
I found a useful post that explains another method of obtaining credentials. It was written back in 2015 but is still applicable today: https://devblogs.microsoft.com/powershell/compromising-yourself-with-winrms-allowunencrypted-true/
WinRM can also be used as a post-exploitation action.
Normally you would implement a persistent shell using netcat, but this could be spotted by the user and does require work.
WinRM may give you the persistent shell you require with little effort. Below are the commands that can be run to enable the service on the target’s machine.
By default, the service will start automatically, so even if they reboot, it will remain.
The following does need to be run as admin:
winrm quickconfig
winrm set winrm/config/Client @{AllowUnencrypted="true"}
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*"
The benefit of this is that it’s a built-in Windows feature, so no anti-virus should interfere.
If you are to defend against these attacks, you would force encryption and limit trusted hosts to only a handful. Simply replace “*” with “server1, server2”.
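Turning that advice into something repeatable, and also covering the AllowUnencrypted problem from the 2015 post linked earlier, the PowerShell below is an added example, not code from this post or from the WinRM_Brute_Scanner project. It audits the settings through the WSMan: drive and replaces the permissive values with restricted ones; it assumes an elevated prompt on a host where the WinRM service is running (the WSMan: drive only exists then), and the host names are placeholders.

```powershell
# Added example, not code from the post. Audits the WinRM settings the post calls
# out (AllowUnencrypted, TrustedHosts, Basic auth) through the WSMan: drive and,
# on request, replaces the permissive values with restricted ones. Requires an
# elevated prompt with the WinRM service running. The host names are placeholders.
function Get-WinRmExposure {
    # Snapshot of the current values, read from the WSMan: provider.
    [pscustomobject]@{
        ClientAllowUnencrypted  = (Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value
        ServiceAllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        ServiceBasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        TrustedHosts            = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    }
}

function Test-WinRmExposure {
    # Emits one line per weak setting; no output means nothing was flagged.
    $cfg = Get-WinRmExposure
    if ($cfg.ClientAllowUnencrypted  -eq 'true') { 'Client AllowUnencrypted=true: outbound sessions may send credentials in the clear' }
    if ($cfg.ServiceAllowUnencrypted -eq 'true') { 'Service AllowUnencrypted=true: inbound unencrypted sessions are accepted' }
    if ($cfg.ServiceBasicAuth        -eq 'true') { 'Service Basic auth enabled: the password itself is transmitted' }
    if ($cfg.TrustedHosts            -eq '*')    { 'TrustedHosts=*: the client will authenticate to any host without Kerberos' }
}

function Set-WinRmHardened {
    # Defensive counterpart of the three persistence commands above; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]] $TrustedHosts = @('server1', 'server2')   # placeholder: your management hosts
    )
    # Force encryption for both the client and the service side.
    Set-Item WSMan:\localhost\Client\AllowUnencrypted  -Value $false
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false
    # Replace the '*' wildcard with an explicit, comma-separated allow list.
    # -Force skips the interactive confirmation the provider asks for on TrustedHosts.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($TrustedHosts -join ',') -Force
}

Test-WinRmExposure          # report weak settings before changing anything
Set-WinRmHardened -WhatIf   # drop -WhatIf to apply the restricted values
```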