/ Lateral Movement, Uncategorized / By

PowerShell Remoting Setup Between Two Windows Machines

This guide walks you through setting up PowerShell Remoting between two Windows machines (attacker and target) in a non-domain (workgroup) environment. It covers user creation, enabling remoting, setting TrustedHosts, and allowing unencrypted traffic — ideal for labs.

On the Target Machine

1. Create a New Local User

net user attackerUser Str0ngP@ssword! /add

2. Add the User to the Remote Management Users Group

net localgroup "Remote Management Users" attackerUser /add

3. Enable PowerShell Remoting

Enable-PSRemoting -Force

4. Allow Unencrypted Traffic (Lab Use Only)

Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $true

5. Allow Basic Authentication (Optional, for lab environments)

Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true

6. Enable the WinRM Firewall Rule

Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP"

7. Ensure a Listener Is Active

winrm enumerate winrm/config/listener

If no listener is configured:

winrm quickconfig

On the Attacker Machine

1. Enable PowerShell Remoting

Enable-PSRemoting -Force

2. Configure TrustedHosts to Accept Connections (from any IP for lab)

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force

3. Allow Unencrypted Connections (Lab Only)

Set-Item WSMan:\localhost\Client\AllowUnencrypted -Value $true

Pro Tip: Verify TrustedHosts Was Set

Get-Item WSMan:\localhost\Client\TrustedHosts

Create a Credential Object

$cred = Get-Credential

Enter attackerUser and Str0ngP@ssword!

Remote Into the Target

Standard Command:

Enter-PSSession -ComputerName 10.4.31.39 -Credential $cred

If It Fails, Try with Explicit Authentication:

Enter-PSSession -ComputerName 10.4.31.39 -Credential $cred -Authentication Negotiate

Or Run a Remote Command:

Invoke-Command -ComputerName 10.4.31.39 -Credential $cred -ScriptBlock { whoami }

Root Cause of Issues in Non-Domain Setups

If you’re getting blocked, it’s likely due to one or more of the following:

  • You’re using Basic or NTLM authentication over HTTP.
  • Kerberos can’t be used since the machines aren’t domain-joined.
  • PowerShell remoting requires TrustedHosts to be set or HTTPS to be used.
  • You’re trying to use encrypted traffic without HTTPS configured.

Related Posts

Scroll to Top