It is not recommended to add local accounts to Domain Controllers; local accounts belong on workstations only. Use your Windows machines, not the server. The steps should be similar to this practical.

  1. By default, on Windows Server 2019 WinRM comes enabled.
  2. We can verify this through Server Manager as well as the CLI. Let's verify: SERVER MANAGER: [screenshot] POWERSHELL: [screenshot]
  • The default port for WinRM (HTTP) is 5985.
# command
netstat -ano | findstr "5985"
  • The WinRM service starts automatically on Windows Server 2008 and later. On earlier versions of Windows (client or server), you need to start the service manually.

WinRM hardening:


  • By default, no WinRM listener is configured. Even if the WinRM service is running, WS-Management protocol messages that request data can’t be received or sent.
  • Internet Connection Firewall (ICF) blocks access to ports.

COMMANDS:

winrm enumerate winrm/config/listener
winrm get winrm/config
winrm quickconfig    # short form: winrm qc


WinRM misconfigurations for exploitation:

COMMANDS:

  1. Allow unencrypted HTTP traffic:

winrm set winrm/config/service '@{AllowUnencrypted="true"}'

  2. Enable Basic authentication on the server:

winrm set winrm/config/service/auth '@{Basic="true"}'

  3. Add the local user sysadmin to the WinRM group.
  4. First, create that group if it has not been created automatically:

net localgroup "WinRMRemoteWMIUsers__" /add /comment:"Users authorized for remote WMI and WinRM."

then add the user:

net localgroup "WinRMRemoteWMIUsers__" "TheUserName" /add

  5. Now we need to make sure the group has the proper permissions and ACLs for remote connections; follow these steps:

winrm configSDDL default

  6. To confirm the group is added, type this command in PowerShell:

(Get-PSSessionConfiguration -Name "Microsoft.PowerShell").Permission

IF THE GROUP ALREADY EXISTS, AS IT DID IN MY CASE, then follow this step:

net localgroup "Remote Management Users" "sysadmin" /add
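The following PowerShell script is an added example, not part of the original write-up, that turns the checks from the verification section, the hardening section and the misconfiguration steps above (service state, port 5985, configured listeners, AllowUnencrypted, Basic authentication, membership of the two WinRM groups and the Microsoft.PowerShell endpoint permissions) into one read-only audit a defender can run on the lab host. It assumes an elevated PowerShell 5.1 session on the Windows machine itself; the allow-list variable $AllowedRemoteUsers is an assumption, seeded with the write-up's sysadmin account, and the corrective commands it prints are the write-up's own winrm set commands with the value flipped back to false.

```powershell
# Added audit script (not part of the original write-up). Run in an elevated
# PowerShell 5.1 session on the lab machine: the WSMan: drive, Get-LocalGroupMember
# and Get-PSSessionConfiguration all need administrator rights.
# Assumption: $AllowedRemoteUsers lists the accounts that are supposed to have
# WinRM access; any other member of the WinRM groups is flagged as WEAK.
$AllowedRemoteUsers = @('sysadmin')   # "sysadmin" is the lab account from the write-up

function New-Finding {
    param([string]$Check, [string]$Value, [string]$Expected, [string]$Fix, [switch]$Info)
    # -eq on strings is case-insensitive, so 'False' and 'false' both match.
    $status = if ($Info) { 'INFO' } elseif ($Value -eq $Expected) { 'OK' } else { 'WEAK' }
    [pscustomobject]@{ Check = $Check; Value = $Value; Expected = $Expected; Status = $status; Fix = $Fix }
}

$findings = @()

# 1. Service state and the default HTTP port 5985 (an HTTPS listener would use 5986).
$svc = Get-Service -Name WinRM
$findings += New-Finding 'WinRM service' $svc.Status '' 'Stop and disable the service if remote management is not needed' -Info
$listening = Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction SilentlyContinue
$findings += New-Finding 'TCP 5985 listening' ([bool]$listening) '' 'Same check as: netstat -ano | findstr "5985"' -Info

# 2. Configured listeners, equivalent to: winrm enumerate winrm/config/listener
foreach ($l in (Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)) {
    $findings += New-Finding "Listener $($l.Transport)" "$($l.Address):$($l.Port)" '' `
        'HTTP is acceptable only with AllowUnencrypted=false; prefer HTTPS with a trusted certificate' -Info
}

# 3. The two service settings the write-up flips to "true"; hardened value is "false".
$unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
$findings += New-Finding 'Service\AllowUnencrypted' $unenc 'false' 'winrm set winrm/config/service ''@{AllowUnencrypted="false"}'''
$basic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
$findings += New-Finding 'Service\Auth\Basic' $basic 'false' 'winrm set winrm/config/service/auth ''@{Basic="false"}'''

# 4. Membership of the groups the write-up populates; anyone outside the allow list is WEAK.
foreach ($group in 'Remote Management Users', 'WinRMRemoteWMIUsers__') {
    try { $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop) } catch { $members = @() }
    if ($members.Count -eq 0) {
        $findings += New-Finding "Group '$group'" 'absent or empty' '' '' -Info
        continue
    }
    foreach ($m in $members) {
        $name = ($m.Name -split '\\')[-1]          # strip the MACHINE\ or DOMAIN\ prefix
        $state = if ($AllowedRemoteUsers -contains $name) { 'allowed' } else { 'unexpected' }
        $findings += New-Finding "Member $($m.Name) of '$group'" $state 'allowed' "net localgroup `"$group`" `"$name`" /delete"
    }
}

# 5. Effective permissions on the default endpoint, as in the write-up's confirmation step.
try {
    $perm = (Get-PSSessionConfiguration -Name 'Microsoft.PowerShell' -ErrorAction Stop).Permission
    $findings += New-Finding 'Microsoft.PowerShell endpoint permissions' $perm '' 'Review/reset with: winrm configSDDL default' -Info
} catch {
    $findings += New-Finding 'Microsoft.PowerShell endpoint permissions' 'not readable (run elevated)' '' '' -Info
}

$findings | Format-Table -AutoSize -Wrap
$weak = @($findings | Where-Object Status -eq 'WEAK').Count
Write-Host "$weak weak setting(s) found"
```

Rows marked WEAK correspond one-to-one to the misconfiguration steps above, so after step 1 and step 2 the script should report at least two. The pair AllowUnencrypted=true plus Basic=true is the one to treat as urgent: with Negotiate authentication over HTTP the WS-Management payload is still protected at message level, but Basic over an unencrypted HTTP listener sends the credentials themselves in cleartext.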