
Windows has a feature named Windows remote management, otherwise known as WinRM. It uses the WS-Management protocol to allow administrators to run scripts remotely. For the ethical hacking lab we will enable this feature on the Windows 2019 server.

I show you how to use Evil-WinRM in a realistic lab environment in Become An Ethical Hacker. Check the price on Amazon.

Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.


This Evil-WinRM tutorial for Kali Linux will show you how to install and use the tool for pentesting. This tool is great for getting your first shell open on a target, and it is used in the online ethical hacking course Become An Ethical Hacker. It can be used for lateral movement and pivoting as well.

What Is WinRM?

If you have no idea, it’s ok.

According to Microsoft, WinRM or Windows Remote Management is:

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port.

If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port.

To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP).

Create A Group Policy Object

The first step to enable the WinRM service on a Windows 2019 server is to go into Active Directory and create a new Group Policy Object. Right-click on the GPO and click on “Create a GPO in this domain, and Link it here…”.

Name the GPO “Enable WinRM Service”.

Configure WinRM GPO

The Enable WinRM Service Group Policy Object will enable the WinRM service and automatically handle basic authentication from clients across the network. The authentication will be handled by Active Directory, meaning that if a user is not an authenticated user, the connection to the service over port 5985 will be dropped.

Authentication is also a setting that can be changed, however, by editing the GPO that we created. Right now it is set to “allow authenticated users.”

The next step is to set the service to Auto Start so that it runs after every reboot and is persistent. This avoids having to restart the service every time we need to use it.

Right-click on the new GPO we created and click on “Edit”. Now follow this path: Enable WinRM Service GPO > Computer Configuration > Preferences > Control Panel Settings > Services, and create a new service.

Enable WinRM Service Group Policy Setting

To edit the GPO next go to Computer Configuration > Windows Components > Windows Remote Management (WinRM) > WinRM Service and double click on “Allow remote server management through WinRM”.

To set the service up as a deliberately vulnerable lab target, add a * in the IPv4 filter field so the WinRM listener accepts connections on any IPv4 address.

Evil-Winrm Tutorial: How To Use Evil-Winrm

Evil-Winrm Tutorial: Install Evil-Winrm

The -s flag means “scripts folder”, while the -e flag means “executables folder”. Both are local paths on Kali Linux; for example, mine is /home/kali, the kali user’s home directory.

# https://github.com/Hackplayers/evil-winrm

# install dependencies
sudo gem install winrm winrm-fs stringio

# clone the evil-winrm repository
git clone https://github.com/Hackplayers/evil-winrm.git

# switch to the evil-winrm directory
cd evil-winrm

# connect to the target using low-level user credentials
# -s: local scripts folder, -e: local executables folder
./evil-winrm.rb -i 10.0.0.33 -u 'bobjones' -p 'Password1' -s '/home/kali/' -e '/usr/share/windows-binaries/'

The script and executable folder locations are not mutable once a connection has been made. If, for example, you add a new script and want to call it within your existing connection, it will not be found. In that case you must restart the tool so that it refreshes the contents of the folders.

Evil-Winrm Tutorial: How To Use Evil-Winrm

To use Evil-WinRM you need credentials. By default domain administrators can open a connection, but low-level users cannot. There is an easy way to grant a low-level user access to create a new Evil-WinRM connection.

For example, from the online ethical hacking course Become An Ethical Hacker, there is a user bobjones. Attempting to use his credentials fails with an authorization error.


Add the user bobjones to the Remote Management Users group in Active Directory and attempt to connect using Evil-WinRM again.

See what happens now that I have added the user bobjones to the Remote Management Users group: the account can open a session on the target box.
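To confirm that the GPO settings from the earlier section (auto-start service, IPv4 filter, port 5985 listener) and the Remote Management Users membership above actually landed on the Windows 2019 server, here is an added PowerShell check to run on the server itself. It is not part of the original post; the $LabUser value is an assumed lab account name, and the ActiveDirectory module is assumed to be available on the domain controller.

```powershell
# Added lab verification script (not from the original tutorial). Run on the
# Windows Server 2019 target after "gpupdate /force" to confirm the WinRM state.
$LabUser   = 'bobjones'   # assumed lab account; change to the user you added
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

# 1. Service should be running and set to start automatically (GPO > Preferences > Services)
$svc = Get-Service -Name WinRM
"WinRM service: Status=$($svc.Status) StartType=$($svc.StartType)"

# 2. Values written by "Allow remote server management through WinRM"
if (Test-Path $PolicyKey) {
    $pol = Get-ItemProperty -Path $PolicyKey
    "Policy AllowAutoConfig=$($pol.AllowAutoConfig) IPv4Filter='$($pol.IPv4Filter)' IPv6Filter='$($pol.IPv6Filter)'"
    if ($pol.IPv4Filter -eq '*') {
        "NOTE: IPv4Filter is '*', so the listener binds to every IPv4 address (lab setting only)"
    }
} else {
    "Policy key not present: the GPO has not applied yet (run gpupdate /force)"
}

# 3. Active HTTP listener on the default port 5985
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Transport, Address, Port, Enabled

# 4. Enabled inbound firewall rules that open port 5985
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5985 } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action, Profile

# 5. Group membership that lets a non-admin user open a WinRM session
Import-Module ActiveDirectory
$members = Get-ADGroupMember -Identity 'Remote Management Users' |
    Select-Object -ExpandProperty SamAccountName
if ($members -contains $LabUser) {
    "$LabUser is in Remote Management Users: Evil-WinRM can open a session"
} else {
    "$LabUser is NOT in Remote Management Users: the connection will fail with an authorization error"
}
```

Step 5 also doubles as a quick audit of who can log on over WinRM without being an administrator, which is worth reviewing on any host outside the lab.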
