WinRM_Brute_Scanner Guide

WinRM_Brute_Scanner.ps1 allows you to scan and brute force the WinRM service remotely.

I wrote this script to be able to scan for this service on a Windows system. Because this uses PowerShell commands, no AV should interfere, and no additional modules are required. Once obtained, remote commands can be sent.


WinRM Ports:

  • Port: 5985 (http)
  • Port: 5986 (https)

To find out more about the service:

Importing Module

First you must download and import the module:

Import-Module [Script location]


To scan the device, we can use the function: winrm_scanner

Once run, you will need to select 1 of 2 options.

  • Option 1: Single IP
  • Option 2: Multiple IPs (IP List)

To generate an IP List, you could use this online tool:

Option 1: Single IP

Simply enter the IP or Hostname.

Option 2: IP List

Simply enter the text file location. IPs need to be on separate lines.

Brute Force

To brute force the service, you can use the winrm_brute function.

You will need to supply the following:

  • IP or Hostname
  • Username
  • Wordlist Location

For this to be successful, you will need to meet the following requirements:

  • Be a trusted machine (Get-Item WSMan:\localhost\Client\TrustedHosts)
  • Be on the same domain (depending on restrictions)
  • Be able to reach the remote device (Firewall)
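From the defender's side, the wordlist run that winrm_brute performs leaves a trail of failed network logons on the target; the following is an added PowerShell example (not part of WinRM_Brute_Scanner.ps1) that groups Security log Event ID 4625 entries with Logon Type 3 by source address and flags any source that exceeds a threshold inside a short window. The function names, the threshold, the window and the sample events are my own assumptions; 4625/Type 3 is how NTLM-authenticated WinRM failures are recorded in the Security log.

```powershell
# Added example, not the project's own code: detect WinRM password guessing
# from the target's Security log (Event ID 4625, Logon Type 3 = network logon).
function Find-WinRMBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with TimeCreated, SourceIp, TargetUser, LogonType
        [int] $Threshold = 10,                       # failures per source before alerting (assumed tuning value)
        [int] $WindowMinutes = 5                     # sliding window size (assumed tuning value)
    )
    $Events |
        Where-Object { $_.LogonType -eq 3 } |
        Group-Object SourceIp |
        ForEach-Object {
            $src    = $_.Name
            $sorted = @($_.Group | Sort-Object TimeCreated)
            # Sliding window: from each failure, count the failures that follow within $WindowMinutes.
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $start = $sorted[$i].TimeCreated
                $end   = $start.AddMinutes($WindowMinutes)
                $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
                if ($inWindow.Count -ge $Threshold) {
                    [pscustomobject]@{
                        SourceIp    = $src
                        Failures    = $inWindow.Count
                        Users       = ($inWindow.TargetUser | Sort-Object -Unique) -join ','
                        WindowStart = $start
                    }
                    break   # one alert per source is enough
                }
            }
        }
}

# Pull live 4625 events from the local Security log and project the fields the
# function needs (needs an elevated session; field names follow the 4625 EventData schema).
function Get-FailedLogonEvents {
    param([int] $Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; SourceIp = $d.IpAddress; TargetUser = $d.TargetUserName; LogonType = [int]$d.LogonType }
        }
}

# Constructed offline sample: 12 failures from 192.0.2.10 in two minutes (should alert), 2 from 192.0.2.20 (should not).
$now = Get-Date
$sample = @()
1..12 | ForEach-Object { $sample += [pscustomobject]@{ TimeCreated = $now.AddSeconds(10 * $_); SourceIp = '192.0.2.10'; TargetUser = "user$($_ % 3)"; LogonType = 3 } }
1..2  | ForEach-Object { $sample += [pscustomobject]@{ TimeCreated = $now.AddSeconds(30 * $_); SourceIp = '192.0.2.20'; TargetUser = 'admin';       LogonType = 3 } }
Find-WinRMBruteForce -Events $sample | Format-Table
# Live use on a host exposing 5985/5986: Find-WinRMBruteForce -Events (Get-FailedLogonEvents -Hours 1)
```

Kerberos-authenticated failures against a domain-joined target are recorded on the domain controller (pre-authentication failures) rather than as 4625 on the target, so run the same grouping against DC logs when the WinRM host is in a domain.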
