Exploiting WinRM: A Guide for Pentesters
Table of Contents
- What is WinRM?
- How WinRM Works
- Default Configuration and Port Info
- Enumerating WinRM
- Exploiting WinRM
- Tools and Commands
- Post-Exploitation Tips
- Defenses and Detection
1. What is WinRM?
Windows Remote Management (WinRM) is Microsoft’s implementation of the WS-Management protocol — a SOAP-based protocol used for remote management. It’s commonly used to run PowerShell commands or scripts remotely, making it a prime target for lateral movement.
Think of it like SSH for Windows, using port 5985 (HTTP) or 5986 (HTTPS).
2. How WinRM Works
WinRM allows authenticated users to:
- Execute PowerShell remotely
- Manage services, files, users
- Automate administrative tasks
It runs as a Windows service (winrm) and interacts with WMI and PowerShell Remoting behind the scenes.
3. Default Configuration and Port Info
| Protocol | Port | Description |
|---|---|---|
| HTTP | 5985 | Default unencrypted channel |
| HTTPS | 5986 | Encrypted channel (requires cert) |
To check if WinRM is enabled on a target:
`winrm enumerate winrm/config/listener`
To enable:
`winrm quickconfig`
4. Enumerating WinRM
From a Linux attacker machine:
- Use `nmap` to scan for WinRM ports: `nmap -p 5985,5986 --open <target>`
- Check for basic auth via `curl` or an `nmap` script: `nmap --script http-winrm-enum -p 5985 <target>`
- Use CrackMapExec to test credentials: `crackmapexec winrm <target> -u user -p pass`
- Enumerate local admins with CME: `crackmapexec winrm <target> -u user -p pass --local-auth`
5. Exploiting WinRM
If you have valid credentials and WinRM is enabled, you can get a full PowerShell session remotely.
Evil-WinRM (go-to tool): `evil-winrm -i <target> -u <user> -p <pass>`
Options:
- `-s` to upload scripts
- `-c` to upload files
- `-r` to upload and execute a reverse shell
Use Cases:
- Enumerate users and groups
- Dump memory (if local admin)
- Upload scripts for persistence or recon
- Stealthy lateral movement with PowerView/PowerUp
6. Tools and Commands
| Tool | Purpose |
|---|---|
| Evil-WinRM | Fully interactive WinRM shell |
| CrackMapExec | Check if WinRM is enabled, test creds |
| Nmap | Port scanning and WinRM enumeration |
| WinRMSharp | Lightweight alternative client |
| PowerShell | Native interaction via Invoke-Command |
7. Post-Exploitation Tips
- Drop recon tools (like SharpHound) via evil-winrm
- Enumerate privileges: `whoami /priv`
- Look for lateral movement paths (shared drives, open SMB shares, etc.)
- Combine with token impersonation or PowerShell Remoting
8. Defenses and Detection
- Disable WinRM if not needed
- Restrict access to 5985/5986 via firewall
- Use group policy to control who can connect via WinRM
- Monitor logs: the Microsoft-Windows-WinRM/Operational channel, and the Security log for Event ID 4624 (logon events)
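An added detection example, not part of the original guide: it pairs each WinRM shell creation (Microsoft-Windows-WinRM/Operational Event ID 91, "Creating WSMan shell on server") with the network logon (Security Event ID 4624, logon type 3) for the same user just before it, recovers the source IP from the 4624 record, and flags sessions from hosts outside an assumed jump-host allow-list or authenticated with NTLM rather than Kerberos. The event records and the allow-list are constructed sample data with an assumed normalised field layout.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are an assumed
# normalised subset of what a SIEM would extract from the two channels.
SECURITY_4624 = [  # Security log, Event ID 4624
    {"time": "2024-05-01T10:00:01", "logon_type": 3, "user": "svc_backup",
     "src_ip": "10.0.0.5", "auth": "Kerberos"},
    {"time": "2024-05-01T10:05:00", "logon_type": 3, "user": "j.doe",
     "src_ip": "10.0.0.77", "auth": "NTLM"},
    {"time": "2024-05-01T10:06:00", "logon_type": 2, "user": "j.doe",
     "src_ip": "-", "auth": "Negotiate"},
]
WINRM_OPERATIONAL = [  # Microsoft-Windows-WinRM/Operational channel
    {"time": "2024-05-01T10:00:02", "event_id": 91, "user": "svc_backup"},
    {"time": "2024-05-01T10:05:01", "event_id": 91, "user": "j.doe"},
    {"time": "2024-05-01T10:06:01", "event_id": 91, "user": "j.doe"},
]
JUMP_HOSTS = {"10.0.0.5"}  # assumed allow-list of approved WinRM sources


def ts(s):
    return datetime.fromisoformat(s)


def correlate(security, winrm, window=timedelta(seconds=10)):
    """Pair each WinRM shell creation (event 91) with the most recent
    network logon (4624, logon type 3) for the same user inside `window`.
    Return one finding per shell: source IP (or "unknown" when no network
    logon explains the shell), whether the source is an approved jump host,
    and whether NTLM was used (Kerberos is expected inside a domain)."""
    network_logons = [e for e in security if e["logon_type"] == 3]
    findings = []
    for shell in winrm:
        if shell["event_id"] != 91:
            continue
        t = ts(shell["time"])
        match = None
        for logon in network_logons:
            lt = ts(logon["time"])
            if logon["user"] == shell["user"] and lt <= t <= lt + window:
                match = logon  # later logons overwrite earlier ones
        findings.append({
            "user": shell["user"],
            "src_ip": match["src_ip"] if match else "unknown",
            "approved_source": bool(match) and match["src_ip"] in JUMP_HOSTS,
            "ntlm": bool(match) and match["auth"] == "NTLM",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SECURITY_4624, WINRM_OPERATIONAL):
        print("ALERT" if not f["approved_source"] or f["ntlm"] else "ok", f)
```

The third shell has no network logon within the window (only an interactive type-2 logon), so it surfaces as "unknown" source and is worth an alert on its own.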
