WinRM
Last updated
Apart from RPC, it is also possible to use WinRM (Windows Remote Management) to communicate with and execute operations on other machines. WinRM is the Microsoft implementation of the WS-Management (Web Services-Management) specification, which defines a protocol for managing computers by using SOAP over HTTP.
WinRM uses some extensions to WS-Management, defined by the DMTF (the WS-Management CIM Binding and WS-CIM Mapping specifications), for accessing CIM objects on remote machines. These CIM objects are like an updated version of WMI objects. You can access CIM objects on local and remote machines with the CIM cmdlets, such as Get-CimInstance. Additionally, you can also use Invoke-CimMethod to perform actions on remote computers by using WinRM.
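The following is an added example (not code from the original page) of reading and acting on CIM objects of a remote host over WinRM with the CIM cmdlets. The hostname, the account and the command that is started are assumptions; the contrast with the older WMI cmdlets, which go over DCOM/RPC instead, is the point.

```powershell
# Added example: CIM over WS-Management (WinRM) from a PowerShell client.
$target = 'srv01.corp.local'            # assumed hostname
$cred   = Get-Credential 'corp\admin'   # assumed account, prompts for the password

# A CimSession over WS-Management goes to TCP 5985 (HTTP) by default.
# The legacy WMI cmdlets (Get-WmiObject) use DCOM/RPC instead; -Protocol Dcom would force that path here.
$session = New-CimSession -ComputerName $target -Credential $cred -Protocol Wsman

# Read CIM objects: OS details and a specific process
Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem |
    Select-Object CSName, Caption, LastBootUpTime

Get-CimInstance -CimSession $session -ClassName Win32_Process -Filter "Name='lsass.exe'" |
    Select-Object ProcessId, Name, CommandLine

# Invoke a CIM method: Win32_Process.Create starts a process on the remote machine.
# ReturnValue 0 means success; the command line itself is only an illustration.
$result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create `
    -Arguments @{ CommandLine = 'cmd.exe /c whoami > C:\Windows\Temp\who.txt' }
"Create returned $($result.ReturnValue), PID $($result.ProcessId)"

Remove-CimSession $session
```

Everything above travels inside the WinRM channel, so it works through firewalls that only allow 5985/5986, which is exactly why it is attractive both to administrators and for lateral movement.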
By default, the WinRM service listens on port 5985 for HTTP connections and port 5986 for HTTPS connections. HTTP is used by default, since WinRM messages are encrypted at the message level with the Kerberos or NTLM session key negotiated during authentication. This only holds for those authentication methods: with Basic authentication over HTTP the credentials and the messages travel in clear, which is why WinRM rejects unencrypted traffic unless AllowUnencrypted is explicitly enabled. WinRM can also be configured to listen on 80 and 443 for HTTP and HTTPS connections respectively (this was the default in older Windows versions).
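An added example (not part of the original page) that enumerates the WinRM listeners and the encryption-related settings on a target through the WSMan: drive, and shows the hardened values. The hostname and the certificate thumbprint variable are assumptions.

```powershell
# Added example: audit WinRM listeners and encryption settings (run elevated on the target).
Get-Service WinRM | Select-Object Status, StartType

# Listeners: each child of WSMan:\localhost\Listener is a container with Transport/Port/Address items
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport = ($props | Where-Object Name -eq 'Transport').Value   # HTTP or HTTPS
        Port      = ($props | Where-Object Name -eq 'Port').Value        # 5985 / 5986 (or 80 / 443)
        Address   = ($props | Where-Object Name -eq 'Address').Value     # '*' = all interfaces
        Hostname  = ($props | Where-Object Name -eq 'Hostname').Value
    }
}

# Service-side settings that decide whether cleartext is possible
Get-Item WSMan:\localhost\Service\AllowUnencrypted      # expected: false
Get-ChildItem WSMan:\localhost\Service\Auth             # Basic: false; Kerberos/Negotiate: true

# Client-side equivalents: a client with AllowUnencrypted=true and Basic enabled
# will send credentials in clear to an HTTP listener
Get-Item WSMan:\localhost\Client\AllowUnencrypted
Get-ChildItem WSMan:\localhost\Client\Auth

# Hardened values: keep message-level encryption mandatory and disable Basic
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# Optional HTTPS listener; $thumb (assumed) is the thumbprint of a server certificate
# whose subject matches the hostname. Uncomment once the certificate is in place.
# $thumb = '0123456789ABCDEF0123456789ABCDEF01234567'
# New-WSManInstance winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
#     -ValueSet @{ Hostname = $env:COMPUTERNAME; CertificateThumbprint = $thumb }

# From a client: is the HTTPS listener reachable at all?
Test-NetConnection srv01.corp.local -Port 5986   # assumed hostname
```

The same information can be read with `winrm get winrm/config` and `winrm enumerate winrm/config/listener`; the WSMan: drive is just the PowerShell view of it.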
A great utility for managing systems is PowerShell remoting, which allows the client to establish a PowerShell session on remote computers and perform all kinds of tasks with . PowerShell remoting is enabled by default on Windows Server versions (since Windows Server 2012), but not on client versions like Windows 10 .
Originally, PowerShell remoting was built on top of the WinRM protocol. However, since it was also expected to be used on Linux machines, it also supports SSH as a transport protocol.
In order to use PowerShell remoting, you can use several cmdlets, such as Enter-PSSession, Invoke-Command and New-PSSession. Also, from Linux you can install PowerShell or use a tool like evil-winrm.
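The following is an added example (not from the original page) of the remoting cmdlets over WinRM: checking that the service answers, running a one-off command on several hosts, keeping a persistent session, copying a file through it and the double-hop caveat. Hostnames, the account and the copied script name are assumptions.

```powershell
# Added example: PowerShell remoting over WinRM from a Windows client.
$targets = 'srv01.corp.local', 'srv02.corp.local'   # assumed hostnames
$cred    = Get-Credential 'corp\admin'               # assumed account

# Is WinRM answering? The identify request needs no credentials.
foreach ($t in $targets) {
    Test-WSMan -ComputerName $t -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Host'; e = { $t } }, ProductVersion
}

# One-off command fanned out to several hosts (runs in parallel, results come back deserialized)
Invoke-Command -ComputerName $targets -Credential $cred -ScriptBlock {
    [pscustomobject]@{
        Host   = $env:COMPUTERNAME
        User   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Admins = (Get-LocalGroupMember Administrators | Select-Object -ExpandProperty Name) -join ';'
    }
}

# A persistent session: variables and loaded modules survive between calls
$s = New-PSSession -ComputerName $targets[0] -Credential $cred
Invoke-Command -Session $s -ScriptBlock { $dirs = Get-ChildItem C:\Users -Directory }
Invoke-Command -Session $s -ScriptBlock { $dirs.Name }

# Copy a file through the session (PowerShell 5+): no SMB/admin share needed, only WinRM
Copy-Item -Path .\tool.ps1 -Destination C:\Windows\Temp\ -ToSession $s   # tool.ps1 is an assumed local file

# Interactive shell on the same session
# Enter-PSSession -Session $s

# Double hop: inside the session your credentials are not forwarded, so reaching a third
# machine from there (a share, another WinRM host) fails unless CredSSP or Kerberos
# delegation is configured. Run such commands from the client instead.
Remove-PSSession $s
```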
Apart from being useful for , you could also use (only available over WinRM) as a .
However, be careful in a pentest since .
Trusted Hosts
Apart from remoting being enabled on the target, PowerShell also requires that the TrustedHosts setting is correctly configured on the client.
By default, PowerShell remoting allows you to connect to all machines in the domain by using Kerberos, which authenticates the server as well as the client. However, when Kerberos cannot be used (you address the target by IP, it belongs to a workgroup or to a domain without a trust relationship), authentication falls back to NTLM, which gives the client no way to verify the server's identity. In that case, you need to add that host or IP to the TrustedHosts value (or use '*' for any machine). Note that TrustedHosts is configured on the client, not on the server: it is the list of servers the client is willing to send its credentials to without being able to verify them, so it protects the client (which is the opposite of what you may expect at first from a security perspective). With an HTTPS listener the server certificate provides that verification and TrustedHosts is not needed.
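An added example (not from the original page) that shows the TrustedHosts behaviour from the client side: reading the value, the Kerberos case that needs nothing, the NTLM case that fails until the host is appended, the wildcard shortcut, and the HTTPS alternative. The hostname, IP address and account are assumptions.

```powershell
# Added example: TrustedHosts on the WinRM client.
$cred = Get-Credential 'srv01\Administrator'   # assumed local account on the target

# Current value (empty by default)
Get-Item WSMan:\localhost\Client\TrustedHosts

# Domain host by name: Kerberos does mutual authentication, TrustedHosts is not consulted
Invoke-Command -ComputerName srv01.corp.local -ScriptBlock { hostname }

# Same host by IP: no SPN, so NTLM is used and the client refuses unless the IP is trusted
# (error mentions "the WinRM client cannot process the request ... TrustedHosts")
try {
    Invoke-Command -ComputerName 10.0.0.15 -Credential $cred -ScriptBlock { hostname } -ErrorAction Stop
} catch {
    "Expected failure before trusting the host: $($_.Exception.Message)"
}

# Append the IP (-Concatenate keeps existing entries; -Force skips the confirmation prompt)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.0.0.15' -Concatenate -Force
Invoke-Command -ComputerName 10.0.0.15 -Credential $cred -ScriptBlock { hostname }

# The wildcard is the lazy option: the client will hand its credentials to any host that answers,
# so an attacker on the path can collect NTLM authentication from this client
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force

# Alternative that leaves TrustedHosts alone: HTTPS (5986), where the certificate authenticates the server
Invoke-Command -ComputerName 10.0.0.15 -UseSSL -Credential $cred -ScriptBlock { hostname }

# Clean up
Clear-Item WSMan:\localhost\Client\TrustedHosts -Force
```

During a pentest, remember that touching TrustedHosts modifies the client configuration; using `-UseSSL`, or addressing the target by a name that Kerberos can resolve to an SPN, avoids leaving that change behind.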