PowerShell Remoting Setup Between Two Windows Machines
This guide walks you through setting up PowerShell Remoting between two Windows machines (attacker and target) in a non-domain (workgroup) environment. It covers creating a local user on the target, enabling remoting, setting TrustedHosts on the client, and (for Basic authentication only) allowing unencrypted traffic. Every "lab only" setting below weakens the machine it is applied to; they are meant for a throwaway lab, not for anything reachable from a network you do not control.
On the Target Machine
1. Create a New Local User
net user attackerUser Str0ngP@ssword! /add
2. Add the User to the Remote Management Users Group
net localgroup "Remote Management Users" attackerUser /add
3. Enable PowerShell Remoting
Enable-PSRemoting -Force
4. Allow Unencrypted Traffic (Lab Use Only)
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $true
5. Allow Basic Authentication (Optional, Lab Use Only)
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
Steps 4 and 5 belong together and are only needed if you intend to authenticate with Basic. Basic sends the password base64-encoded, and with AllowUnencrypted the whole session travels in clear text. The default Negotiate (NTLM) authentication over HTTP works without either setting, because NTLM encrypts the WinRM message payload itself. Leave both at $false unless you specifically want to exercise the Basic/clear-text path.
6. Enable the WinRM Firewall Rule
Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP"
Enable-PSRemoting normally enables this rule already, so this step is a safety check. On a workgroup machine whose active network profile is Public, Enable-PSRemoting fails unless you pass -SkipNetworkProfileCheck, and the rule it then creates (WINRM-HTTP-In-TCP-PUBLIC) only admits the local subnet; if the attacker sits on another subnet, adjust that rule's remote address scope.
7. Ensure a Listener Is Active
winrm enumerate winrm/config/listener
If no listener is configured:
winrm quickconfig
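The seven target-side steps above, collected into one script that also reports the state a client will see. This is an added example, not part of the original guide; it assumes an elevated Windows PowerShell 5.1 prompt on Windows 10 / Server 2016 or later (for the LocalAccounts cmdlets), and the user name, password and lab-only settings are placeholders you should change.

```powershell
# Added example (not from the original guide): target-side WinRM setup for a
# workgroup lab, run from an elevated Windows PowerShell 5.1 prompt on the target.
# Assumptions: $user/$password are placeholders; HTTPS listeners are not covered.

$user     = 'attackerUser'
$password = 'Str0ngP@ssword!'

# 1-2. Local user that may use WinRM without being a local administrator.
#      The default Microsoft.PowerShell session configuration admits members
#      of Remote Management Users, so no admin rights are needed for a session.
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    $secure = ConvertTo-SecureString $password -AsPlainText -Force
    New-LocalUser -Name $user -Password $secure -PasswordNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Remote Management Users' -Member $user -ErrorAction SilentlyContinue

# 3. Start WinRM, create the HTTP listener on 5985, enable the firewall rule and
#    register the default session configurations. -SkipNetworkProfileCheck stops
#    the cmdlet from failing when the lab NIC is on the "Public" profile.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# 4-5. Lab only, and only needed for Basic authentication: Basic sends the
#      password base64-encoded and, with AllowUnencrypted, the whole session in
#      clear text. Negotiate (NTLM) over HTTP needs neither setting.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $true
Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $true

# 6. Inbound 5985. Covers both the normal rule and the PUBLIC-profile variant.
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' | Enable-NetFirewallRule

# 7. Make sure an HTTP listener exists; quickconfig creates one if not.
$httpListener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' }
if (-not $httpListener) { winrm quickconfig -q }

# Report the settings a client depends on. Port5985Listening should be True,
# Negotiate should be true, and Basic/Unencrypted should be true only in a lab.
[pscustomobject]@{
    Listeners         = (Get-ChildItem WSMan:\localhost\Listener | ForEach-Object Name) -join ', '
    Port5985Listening = $null -ne (Get-NetTCPConnection -State Listen -LocalPort 5985 -ErrorAction SilentlyContinue)
    Negotiate         = (Get-Item WSMan:\localhost\Service\Auth\Negotiate).Value
    Basic             = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    Unencrypted       = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    RemoteMgmtUsers   = (Get-LocalGroupMember -Group 'Remote Management Users' | ForEach-Object Name) -join ', '
} | Format-List
```

If you only want the NTLM path, delete the two Set-Item lines in step 4-5; everything else stays the same and Enter-PSSession from the client will still work once TrustedHosts is set there.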
On the Attacker Machine
1. Make Sure the WinRM Service Is Running
Enable-PSRemoting -Force
Strictly, a client does not need remoting enabled to connect outwards; it only needs the WinRM service running so that the WSMan: drive (used in the next steps) can be edited. Enable-PSRemoting is the quickest way to get there, but it also opens an inbound HTTP listener on the attacker machine. If you do not want that, starting the WinRM service on its own is enough.
2. Configure TrustedHosts (Any Host, for the Lab)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
This command needs an elevated prompt. TrustedHosts is what lets the client send NTLM credentials to a host it cannot authenticate with Kerberos, so "*" means you will hand your credentials to any machine that answers on 5985. In a lab where you know the target, prefer the target's address (for example "10.4.31.39") over the wildcard.
3. Allow Unencrypted Connections (Lab Only, Basic Authentication Only)
Set-Item WSMan:\localhost\Client\AllowUnencrypted -Value $true
This is the client-side counterpart of step 4 on the target and is only required for Basic authentication; skip it if you use the default Negotiate (NTLM).
Pro Tip: Verify TrustedHosts Was Set
Get-Item WSMan:\localhost\Client\TrustedHosts
Create a Credential Object
$cred = Get-Credential
When prompted, enter attackerUser as the user name and Str0ngP@ssword! as the password. Against a workgroup target the plain local user name is enough; if you are asked to qualify it, use the target's computer name as the domain part, not the attacker's.
Remote Into the Target
Standard Command:
Enter-PSSession -ComputerName 10.4.31.39 -Credential $cred
If It Fails, Try with Explicit Authentication:
Enter-PSSession -ComputerName 10.4.31.39 -Credential $cred -Authentication Negotiate
Negotiate is already the default for a non-domain client, so naming it explicitly only helps when something (a client-side WSMan default, a proxy) has changed the default. If you enabled Basic in step 5 on the target and AllowUnencrypted on both sides, use -Authentication Basic instead to exercise that path.
Or Run a Remote Command:
Invoke-Command -ComputerName 10.4.31.39 -Credential $cred -ScriptBlock { whoami }
Root Cause of Issues in Non-Domain Setups
If you’re getting blocked, it’s likely due to one or more of the following:
- Kerberos is unavailable because neither machine is domain-joined, so Negotiate falls back to NTLM. That works, but only if the client is willing to trust the target: without Kerberos the client refuses to send credentials unless the target is listed in TrustedHosts or the connection uses HTTPS (the error text says exactly that).
- You chose Basic authentication but left AllowUnencrypted at $false on the target’s Service node or the client’s Client node. WinRM refuses Basic over plain HTTP unless both sides allow unencrypted traffic. Negotiate (NTLM) over HTTP does not need that setting, because NTLM encrypts the message body itself.
- You passed -UseSSL (or -Port 5986) but the target only has an HTTP listener on 5985; HTTPS needs its own listener bound to a certificate.
- TCP 5985 is filtered: the WINRM-HTTP-In-TCP rule is disabled, or the lab NIC is on the Public profile and the only rule in effect is the local-subnet-scoped WINRM-HTTP-In-TCP-PUBLIC.
- The account is not a member of Remote Management Users (or Administrators) on the target, so the default session configuration denies it even though the password is correct.
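The client-side procedure (attacker steps 1 to 3, the credential, and the remote command) and the checklist above, combined into one preflight-then-connect script. This is an added example, not part of the original guide; it assumes the target address, account and password from the lab (placeholders to change), an elevated Windows PowerShell 5.1 prompt on the attacker machine with the WinRM service running, and that Basic is only tried as a fallback if you enabled it on the target.

```powershell
# Added example (not from the original guide): client-side preflight and
# connection from the attacker machine. Assumptions: $target/$user/$password
# are the lab placeholders; run elevated with the WinRM service started.

$target   = '10.4.31.39'
$user     = 'attackerUser'
$password = 'Str0ngP@ssword!'
$cred     = [pscredential]::new($user, (ConvertTo-SecureString $password -AsPlainText -Force))

# Trust only the lab target rather than "*": TrustedHosts switches off the
# client-side check that normally stops NTLM credentials going to a host the
# client cannot authenticate, so keep the list as narrow as possible.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -ne '*' -and (($trusted -split ',') -notcontains $target)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $target -Concatenate -Force
}

# Preflight 1: is TCP 5985 reachable? If not, the problem is the listener or
# the firewall rule on the target, not authentication.
$tcp = Test-NetConnection -ComputerName $target -Port 5985 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 5985 is closed on $target. Check the WinRM listener and firewall rule on the target."
}

# Preflight 2: an authenticated Identify request. Test-WSMan fails with a
# specific error when TrustedHosts, the account or the auth method is wrong,
# before any session configuration is involved. Negotiate (NTLM) first; Basic
# only works if Basic + AllowUnencrypted were enabled on both sides.
$auth = 'Negotiate'
try {
    $id = Test-WSMan -ComputerName $target -Credential $cred -Authentication $auth -ErrorAction Stop
} catch {
    Write-Warning "Negotiate (NTLM) failed: $($_.Exception.Message)"
    $auth = 'Basic'
    $id = Test-WSMan -ComputerName $target -Credential $cred -Authentication $auth -ErrorAction Stop
}
"WinRM on $target answered over $auth (stack: $($id.ProductVersion))"

# Real work: one session, several commands, no interactive prompt. The remote
# script block reports who you are and whether the token is administrative,
# which tells you whether the account landed in Remote Management Users only.
$session = New-PSSession -ComputerName $target -Credential $cred -Authentication $auth
try {
    Invoke-Command -Session $session -ScriptBlock {
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = [Security.Principal.WindowsPrincipal]::new($identity)
        [pscustomobject]@{
            WhoAmI  = whoami
            Host    = $env:COMPUTERNAME
            IsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    }
} finally {
    Remove-PSSession $session
}
```

The two preflight checks map onto the root-cause list: a failed TCP test points at the listener or firewall, a Test-WSMan failure on Negotiate with a TrustedHosts message points at step 2, and a Negotiate success followed by an "Access is denied" from New-PSSession points at group membership on the target.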
