TLDRBins / Winrm



Psexec

# Domain auth
impacket-psexec '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>'

# Local auth
impacket-psexec '<USER>:<PASSWORD>@<TARGET>'

# Domain auth
impacket-psexec '<DOMAIN>/<USER>@<TARGET>' -hashes :<HASH>

# Local auth
impacket-psexec '<USER>@<TARGET>' -hashes :<HASH>

Evil-Winrm

evil-winrm -i <TARGET> -u '<USER>' -p '<PASSWORD>'

Sample Output:
$ evil-winrm -i 127.0.0.1 -u dr.zaiuss -p 'qwe123QWE!@#'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Dr.Zaiuss\Documents>

evil-winrm -i <TARGET> -u '<USER>' -H <HASH>

# Step 1: Edit '/etc/krb5.conf' (All in uppercase)
[libdefaults]
    default_realm = <DOMAIN>

[realms]
    <DOMAIN> = {
        kdc = <DC>:88
        admin_server = <DC>
        default_domain = <DOMAIN>
    }

[domain_realm]
    .domain.internal = <DOMAIN>
    domain.internal = <DOMAIN>

Sample Output:
[libdefaults]
    default_realm = WINDCORP.HTB

[realms]
    WINDCORP.HTB = {
        kdc = HOPE.WINDCORP.HTB:88
        admin_server = HOPE.WINDCORP.HTB
        default_domain = WINDCORP.HTB
    }

[domain_realm]
    .domain.internal = WINDCORP.HTB
    domain.internal = WINDCORP.HTB

# Step 2: Export .ccache
export KRB5CCNAME=<CCACHE>

Sample Output:
$ export KRB5CCNAME=winrm_user.ccache

# Step 3: Connect
sudo ntpdate -s <DC> && evil-winrm -i <TARGET> -r <DOMAIN>

Sample Output:
$ evil-winrm -i dc.absolute.htb -r absolute.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_user\Documents>

evil-winrm -i <TARGET> -S -k auth.key -c auth.crt

Disable Winrm

Disable-PSRemoting -Force
Stop-Service WinRM -PassThru
Set-Service WinRM -StartupType Disabled -PassThru
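
Disable-PSRemoting on its own does not stop the WinRM service or close its firewall rules; the other two commands in this section handle the service. The check below is an added example, not from the original page, that reports what is still exposed after running them. The function name Get-WinRMExposure is hypothetical, and it assumes the default ports 5985/5986 and the built-in firewall rule names beginning with WINRM-HTTP-In-TCP.

```powershell
# Added example: audit whether WinRM is really off on this host.
# Run from an elevated PowerShell session on the machine being hardened.

function Get-WinRMExposure {
    $svc = Get-Service -Name WinRM

    # Anything still listening on the default WinRM ports
    # (5985 = HTTP, 5986 = HTTPS, the port used with evil-winrm -S).
    $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 5985, 5986 } |
        Select-Object -ExpandProperty LocalPort -Unique)

    # Built-in inbound WinRM firewall rules that are still enabled.
    # Assumption: the default rule names; custom rules are not covered.
    $fwRules = @(Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Enabled -eq 'True' -and
            $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow'
        })

    [pscustomobject]@{
        ServiceStatus     = $svc.Status
        StartType         = $svc.StartType
        ListeningPorts    = $listening
        EnabledAllowRules = $fwRules.Name
        # True only when the service is stopped, cannot auto-start,
        # and nothing is bound to the default ports.
        FullyDisabled     = ($svc.Status -eq 'Stopped' -and
                             $svc.StartType -eq 'Disabled' -and
                             $listening.Count -eq 0)
    }
}

Get-WinRMExposure | Format-List
```

A non-empty EnabledAllowRules with FullyDisabled = True means the host is currently closed but the firewall would admit WinRM again if the service were re-enabled.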