WinRM appears to be a soap based shell allowing users/admins to connect in and run commands or scripts or whatever. It's basically a remote administration/management tool. All the tests i performed was on a windows 7 box.
Something to note is that the http port it runs on is 5985, https is on 5986. Neither of these ports are in nmap's default port scan list (top 1000) so unless you are looking for it, you could miss it.
In nmap it shows up as:
Nmap scan report for 192.168.1.118 Host is up (0.056s latency). PORT STATE SERVICE VERSION 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
So no super obvious signs that its WinRM listening on the port. I think the only thing you could really go off of is the actual port number and know that its a windows system.
Luckily someone created a ruby library that interacts with WinRM and allows you to connect to it and run commands.
When i first the github example, it was giving me auth issues so i had to run the following to get it to shut up and accept my creds:
winrm set winrm/config/client/auth @{Basic="true"} winrm set winrm/config/service/auth @{Basic="true"} winrm set winrm/config/service @{AllowUnencrypted="true"}
Once I ran that on the server, the library stopped giving me auth errors. I was able to run ipconfig on the remote system and it spat back the results.
so yay...
No comments:
Post a Comment