πŸ–‹οΈ
Dev & Ops
Network
ProgrammingAdminNetwork
Network
ProgrammingAdminNetwork
  • Network Book
  • Π‘Π΅Ρ‚ΠΈ для самых ΠΌΠ°Π»Π΅Π½ΡŒΠΊΠΈΡ…
  • OSI
    • ΠŸΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Ρ‹ Π½Π°Π΄ сСтями
      • NAT
      • BGP
      • ΠšΡ€ΠΈΠΏΡ‚ΠΎΠ³Ρ€Π°Ρ„ΠΈΡ‡Π΅ΡΠΊΠΈΠ΅ ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Ρ‹
        • SSL
        • TLS
          • Π Π°ΡΡˆΠΈΡ€Π΅Π½ΠΈΡ
            • TLS-ALPN
        • SSH
        • IPSec
      • ОбмСн сообщСниями (IM) Π² Ρ€Π΅ΠΆΠΈΠΌΠ΅ Ρ€Π΅Π°Π»ΡŒΠ½ΠΎΠ³ΠΎ Π²Ρ€Π΅ΠΌΠ΅Π½ΠΈ ΠΈ ΠΈΠ½Ρ„ΠΎΡ€ΠΌΠ°Ρ†ΠΈΠΈ ΠΎ присутствии (Presence)
        • SIMPLE (Основан Π½Π° SIP)
        • XMPP/Jabber
        • Matrix
      • VoIP
        • Intro
        • ΠŸΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ» SIP
        • ΠŸΠ΅Π½Ρ‚Π΅ΡΡ‚
      • WebRTC
      • VPN
    • L7: Application Layer
      • WEB
        • (Π½Π΅ поддСрТиваСтся) SPDY
        • HTTP
          • WebSockets
          • h2c (HTTP/2 Cleartext)
          • ΠšΠΎΠ΄Ρ‹ ΠΎΡ‚Π²Π΅Ρ‚ΠΎΠ²
          • Π—Π°Π³ΠΎΠ»ΠΎΠ²ΠΊΠΈ
          • URI
        • HTTP/2
        • HTTP/3 (HTTP-over-QUIC)
      • ΠŸΠΎΡ‡Ρ‚ΠΎΠ²Ρ‹Π΅ ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Ρ‹
        • IMAP
        • POP
      • Windows
        • HTTP / Windows
        • LDAP
        • RPC
        • SMB
        • Windows Name Resolution
          • КакиС Π΅ΡΡ‚ΡŒ
          • mDNS
          • LLMNR
          • NBNS
        • WinRM
        • WPAD
      • DHCP
      • NTP
      • DNS
      • FTP
      • SMTP
      • SSH
      • Telnet
    • L6: Presentation Layer
      • SSL/TLS
    • L5: Session Layer
      • SSDP
    • L4: Transport Layer
      • SMPP
      • QUIC
      • UDP
      • TCP
    • L3: Network Layer
      • IP (IPv4, IPv6)
      • ICMP
    • L2: Link Layer
      • ЛогичСскоС Ρ€Π°Π·Π΄Π΅Π»Π΅Π½ΠΈΠ΅ ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»ΠΎΠ² Π½Π° этом ΡƒΡ€ΠΎΠ²Π½Π΅
      • 802.3 (Ethernet/ARP)
      • 802.1Q (VLANs)
      • 802.11 (Wi-Fi)
        • План
        • Атаки
        • Π˜Π½ΡΡ‚Ρ€ΡƒΠΌΠ΅Π½Ρ‚Ρ‹
        • Π‘Ρ‚Π°Ρ‚ΡŒΠΈ
      • NFC
      • Bluetooth
  • Security
    • MiTM
    • Network Pentest Course (youtube)
    • Tools
      • HTTP Proxy
        • mitmproxy
        • broxy
        • netty
        • proxenet
        • ZAP
        • PolarProxy
      • Wireshark
      • Bettercap
      • Impacket
      • Responder
  • Devices
    • Common Network Device Manufacturer
    • Physical Servers
Powered by GitBook
On this page
  1. OSI
  2. L7: Application Layer
  3. Windows

WinRM

Apart from RPC, there is also possible to use WinRM (Windows Remote Management) to communicate and execute operations in other machines. WinRM is the Microsoft implementation of the WS-Management (Web Services-Management) specification that defines a protocol for managing computers by using SOAP over HTTP.

WinRM uses some extensions that are defined in WSMAN and WSMV for accessing CIM objects in remote machines. These CIM objects are like an update to WMI objects. You can access to CIM objects in local and remote machines with the CIM Cmdlets such as Get-CimInstance. Additionally, you can use also use winrs to perform actions in remote computers by using WinRM.

By default, WinRM service listen on port 5985 for HTTP connections and port 5986 for HTTPS connections. By default, HTTP is used, since the WinRM messages are encrypted in a top layer. However, WinRM can be configured to use the regular HTTP ports 80 and 443 for HTTP and HTTPS connections respectively.

Powershell Remoting

One great utility to manage systems is Powershell remoting, that allows the client to establish a Powershell session on remote computers and perform all kind of tasks with Powershell. By default, Powershell remoting is enabled by default in Windows server versions (not client like Windows 10) since Windows Server 2012 R2.

PS C:\> $pw = ConvertTo-SecureString -AsPlainText -Force -String "Admin1234!"
PS C:\> $cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist "contoso\Administrator",$pw
PS C:\> 
PS C:\> $session = New-PSSession -ComputerName dc01 -Credential $cred
PS C:\> Invoke-Command -Session $session -ScriptBlock {hostname}
dc01
PS C:\> Enter-PSSession -Session $session
[dc01]: PS C:\Users\Administrator\Documents>

Originally, Powershell remoting was built on top of WinRM protocol. However, it was expected to be used in Linux machines so it also supports SSH as transport protocol.

In order to use Powershell remoting, you can use several PSSession CmdLets to use to execute commands on remote machines. Also, from Linux you can install Powershell or using a tool like evil-winrm.

Apart from being useful for lateral movement, you could also use JEA endpoints (only available over WinRM) as a persistence mechanism.

However, be careful in a pentest since Powershell has many logging features.

Trusted Hosts

Apart from being enabled to use it, Powershell required also that the TrustedHost variable is correctly set in the client.

By default, Powershell remoting allows you to connect to all machines in the domain, by using Kerberos. However, in case you want to connect a machine of a different domain, you need to add that IP to the TrustedHost value (or use '*' for any machine). In that case, you have to configure TrustedHost in the client, not in the server (as you may think since from a security perspective would be the logical idea).

PS C:\> Set-Item wsman:localhost\client\TrustedHosts -Value * -Force
PreviousNBNSNextWPAD

Last updated 3 years ago