WinRM / PSRemoting

Windows Remote Management / PowerShell Remoting

Enable WinRM

Locally with PowerShell (allow about a minute for the change to apply; TrustedHosts is a client-side setting, and "*" means this client will send NTLM/Basic credentials to any host it is pointed at, so scope it to specific IPs where you can):

PS > Enable-PSRemoting -Force
PS > Set-Item wsman:\localhost\client\trustedhosts * -Force

Remotely with CrackMapExec (the -enc payload is the UTF-16LE base64 of "Enable-PSRemoting -Force;Set-Item wsman:\localhost\client\trustedhosts *"):

$ cme smb 10.10.13.37 -u snovvcrash -p 'Passw0rd!' -x 'powershell -enc RQBuAGEAYgBsAGUALQBQAFMAUgBlAG0AbwB0AGkAbgBnACAALQBGAG8AcgBjAGUAOwBTAGUAdAAtAEkAdABlAG0AIAB3AHMAbQBhAG4AOgBcAGwAbwBjAGEAbABoAG8AcwB0AFwAYwBsAGkAZQBuAHQAXAB0AHIAdQBzAHQAZQBkAGgAbwBzAHQAcwAgACoACgA=' --no-output

From Windows

PS > winrm get winrm/config
PS > winrm set winrm/config/client '@{TrustedHosts="*"}'
PS > $cred = Get-Credential   # enter the account as DOMAIN\user (or HOST\user for a local account)
PS > $sess = New-PSSession -ComputerName 192.168.11.1 -Credential $cred
PS > Copy-Item .\file.txt -Destination "C:\users\administrator\music\" -ToSession $sess   # run from the local host, not inside the session
PS > Enter-PSSession -Session $sess
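The following is an added end-to-end example, not code from the original page: it enables PSRemoting on the local host, scopes TrustedHosts to a single target instead of "*", builds a domain-qualified credential (the same point the Evil-WinRM note below makes about local vs. domain accounts sharing a name), checks the WinRM endpoint with Test-WSMan before opening a session, runs a command, copies a file and tears the session down. The target IP, the MEGACORP domain, the password and the file paths are placeholders.

```powershell
# Added example (not from the original page). Placeholders: target IP, MEGACORP
# domain, password and paths.
$target = '192.168.11.1'

# 1. Enable WinRM locally (idempotent) and confirm a listener is registered.
Enable-PSRemoting -Force
winrm enumerate winrm/config/listener

# 2. Trust only the host we intend to reach. TrustedHosts is consulted for
#    non-Kerberos auth (NTLM/Basic, e.g. when connecting by IP); '*' would let
#    this client hand its credentials to any responding host.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $target -Force
Get-Item WSMan:\localhost\Client\TrustedHosts

# 3. Build the credential with the domain prefix so the target resolves the
#    domain account rather than a same-named local account.
$secpw = ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force
$cred  = New-Object System.Management.Automation.PSCredential('MEGACORP\Administrator', $secpw)

# 4. Check that WinRM answers and accepts the credential before opening a
#    session (-Credential on Test-WSMan requires an explicit auth method).
Test-WSMan -ComputerName $target -Credential $cred -Authentication Negotiate

# 5. Open the session, run a command, push a file, verify it landed.
$sess = New-PSSession -ComputerName $target -Credential $cred
Invoke-Command -Session $sess -ScriptBlock { whoami; hostname }
Copy-Item .\file.txt -Destination 'C:\Users\Administrator\Music\' -ToSession $sess
Invoke-Command -Session $sess -ScriptBlock { Get-ChildItem 'C:\Users\Administrator\Music\file.txt' }

# 6. Drop into it interactively if needed, then clean up.
# Enter-PSSession -Session $sess
Remove-PSSession $sess
```

Copy-Item -ToSession (PowerShell 5.0+) must be run on the local side; once you Enter-PSSession, every subsequent line executes on the remote host, so do the file transfer before entering or after exiting the interactive session.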

From Linux

Evil-WinRM

Basic syntax:

Always use the full, domain-qualified username when authenticating as a domain user. If two accounts share the same name, say a local WORKGROUP\Administrator and a domain MEGACORP\Administrator, and you pass just "Administrator" to -u, the target resolves it to the local account and authentication as the domain admin fails; pass MEGACORP\Administrator instead.

Execute a .NET binary:

Spawn an interactive bind shell with powercat.ps1 and Invoke-PSInject.ps1:

Install Python version:

pwsh
