Wednesday, August 12, 2015

Running commands through WinRM

I followed both and to get WinRM up and working and running remote commands.

WinRM appears to be a SOAP-based shell that lets users/admins connect in and run commands, scripts, or whatever. It's basically a remote administration/management tool. All the tests I performed were on a Windows 7 box.

Something to note is that the HTTP port it runs on is 5985; HTTPS is on 5986. Neither of these ports is in nmap's default port scan list (top 1000), so unless you are looking for it, you could miss it.

In nmap it shows up as:
Nmap scan report for
Host is up (0.056s latency).
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

So there are no super obvious signs that it's WinRM listening on the port. I think the only thing you could really go off of is the actual port number and knowing that it's a Windows system.
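Since the banner alone doesn't say "WinRM", the practical check is to flag any open 5985/5986 with the Microsoft HTTPAPI banner when triaging scan results. The following is an added example (not from the original post) in Ruby that parses nmap's normal output and lists likely WinRM listeners; the report text inside it is constructed sample input modelled on the output above, and the hosts in it are made up.

```ruby
# Added example (not from the original post): scan nmap "normal" output for
# listeners on the WinRM ports (5985 http, 5986 https) so they are not missed.
# The report below is constructed sample input modelled on the post's output.

SAMPLE_NMAP_OUTPUT = <<~'NMAP'
  Nmap scan report for 10.0.0.5
  Host is up (0.056s latency).
  PORT     STATE SERVICE VERSION
  5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

  Nmap scan report for 10.0.0.9
  Host is up (0.012s latency).
  PORT     STATE SERVICE VERSION
  22/tcp   open  ssh     OpenSSH 6.7p1
  5985/tcp closed http

  Nmap scan report for 10.0.0.12
  Host is up (0.020s latency).
  PORT     STATE SERVICE  VERSION
  5986/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
NMAP

WINRM_PORTS = { 5985 => 'http', 5986 => 'https' }.freeze

# Parse the report into { host => [ {port:, state:, service:, version:}, ... ] }.
def parse_nmap(text)
  hosts = {}
  current = nil
  text.each_line do |line|
    if (m = line.match(/^Nmap scan report for (\S+)/))
      current = m[1]
      hosts[current] = []
    elsif current && (m = line.match(%r{^(\d+)/tcp\s+(\S+)\s+(\S+)\s*(.*)$}))
      hosts[current] << { port: m[1].to_i, state: m[2],
                          service: m[3], version: m[4].strip }
    end
  end
  hosts
end

# Return [{host:, port:, scheme:, confidence:}] for open WinRM ports.
# Confidence is :high when the banner is Microsoft HTTPAPI (what the post saw),
# :medium when only the port number matches.
def winrm_candidates(text)
  parse_nmap(text).flat_map do |host, ports|
    ports.select { |p| WINRM_PORTS.key?(p[:port]) && p[:state] == 'open' }.map do |p|
      {
        host: host,
        port: p[:port],
        scheme: WINRM_PORTS[p[:port]],
        confidence: p[:version].include?('Microsoft HTTPAPI') ? :high : :medium
      }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  winrm_candidates(SAMPLE_NMAP_OUTPUT).each do |c|
    puts "#{c[:host]}:#{c[:port]} (#{c[:scheme]}) likely WinRM [#{c[:confidence]}]"
  end
end
```

Run it against a saved `nmap -sV -p 5985,5986 -oN report.txt ...` report by swapping `SAMPLE_NMAP_OUTPUT` for `File.read('report.txt')`; the closed port on the second host is deliberately ignored, and the https listener is picked up from its `ssl/http` line.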

Luckily someone created a Ruby library that interacts with WinRM and allows you to connect to it and run commands.

When I first tried the GitHub example, it was giving me auth issues, so I had to run the following to get it to shut up and accept my creds:

winrm set winrm/config/client/auth @{Basic="true"}
winrm set winrm/config/service/auth @{Basic="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}

Once I ran those on the server, the library stopped giving me auth errors. I was able to run ipconfig on the remote system and it spat back the results.
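The three `winrm set` lines turn on Basic auth and unencrypted transport on the 5985 (http) listener, which is what a plaintext Basic client needs; the 5986 (https) listener does not need AllowUnencrypted. The following is an added example (not from the original post, and not the library's own sample) in Ruby that builds the connection options for either endpoint and runs ipconfig. It assumes the `winrm` gem's 2.x API (`WinRM::Connection`, `#shell`, `#run`, and the `basic_auth_only` option); the gem is only loaded when a connection is actually attempted, so the option-building part runs without it installed. Host, user and password are taken from the command line.

```ruby
# Added example (not from the original post): connecting with the `winrm` gem
# and running ipconfig. Assumes the gem's 2.x API (WinRM::Connection, #shell,
# #run, basic_auth_only); the gem is required lazily so the option-building
# logic below can be exercised without it installed.
require 'uri'

# Build the gem's connection options from an endpoint URL. Basic auth over
# plain http (what the post's three `winrm set` lines switch on server-side)
# uses the :plaintext transport and must be opted into explicitly; an https
# endpoint uses :ssl and does not need AllowUnencrypted on the server.
def winrm_options(endpoint, user, password, allow_plaintext: false)
  uri = URI.parse(endpoint)
  case uri.scheme
  when 'https'
    { endpoint: endpoint, user: user, password: password, transport: :ssl }
  when 'http'
    raise ArgumentError, 'plaintext WinRM needs allow_plaintext: true' unless allow_plaintext
    { endpoint: endpoint, user: user, password: password,
      transport: :plaintext, basic_auth_only: true }
  else
    raise ArgumentError, "unsupported scheme #{uri.scheme.inspect}"
  end
end

# Default WinRM endpoint URL for a host, using the ports from the post.
def winrm_endpoint(host, https: false)
  https ? "https://#{host}:5986/wsman" : "http://#{host}:5985/wsman"
end

# Run a cmd.exe command on the remote host; returns [stdout, stderr, exitcode].
def run_remote(opts, command)
  require 'winrm' # assumed gem; loaded lazily
  conn = WinRM::Connection.new(opts)
  conn.shell(:cmd) do |shell|
    out = shell.run(command)
    return [out.stdout, out.stderr, out.exitcode]
  end
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.length != 3
    warn 'usage: ruby winrm_ipconfig.rb HOST USER PASSWORD'
  else
    host, user, pass = ARGV
    opts = winrm_options(winrm_endpoint(host), user, pass, allow_plaintext: true)
    stdout, stderr, code = run_remote(opts, 'ipconfig')
    puts stdout
    warn stderr unless stderr.empty?
    exit code
  end
end
```

Switching `winrm_endpoint(host, https: true)` and dropping `allow_plaintext: true` targets the 5986 listener instead, which is the combination that works without the AllowUnencrypted change on the server.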

so yay...
