# Pentesting WinRM

## Overview

* Windows Remote Management (WinRM), Microsoft's implementation of WS-Management
* Ports: TCP 5985 (HTTP), TCP 5986 (HTTPS)
* Uses WS-Management, a SOAP-based XML protocol carried over HTTP/HTTPS
* Transport used by PowerShell Remoting

## Scanning

```bash
nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
```

## Evil-WinRM

```bash
evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
```

## PowerShell Test

```powershell
Test-WsMan <hostname>
```

## WMI (TCP 135)

* Windows Management Instrumentation (WMI), accessed remotely over DCOM/RPC
* Uses TCP 135 (RPC endpoint mapper) for the initial connection, then a dynamically assigned high port for the DCOM session
* Allows reading and writing Windows settings, triggering actions and remote code execution
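The two facts above (WinRM on 5985/5986, WMI starting on TCP 135 and continuing on a dynamic high port) are what a defender keys on. The following Python is an added example, not part of the original notes: it parses constructed flow-log lines, ignores traffic from an assumed management jump host, and raises an alert for WinRM connections and for the 135-then-ephemeral-port pattern that indicates a remote WMI/DCOM session. The log format, the `MANAGEMENT_HOSTS` allow-list and the 30-second correlation window are assumptions for the example; the Windows dynamic port range (49152 and above) is the default on modern Windows.

```python
import re
from datetime import datetime, timedelta

# Ports from the notes: WinRM over HTTP/HTTPS, and the RPC endpoint mapper used by WMI/DCOM.
WINRM_PORTS = {5985, 5986}
RPC_EPM_PORT = 135
# Default Windows dynamic (ephemeral) port range starts here.
DYNAMIC_PORT_START = 49152

# Assumed allow-list of hosts permitted to do remote management (constructed for the example).
MANAGEMENT_HOSTS = {"10.10.0.5"}

# Constructed flow-log lines (not real captures): "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.10.0.5:51022 -> 10.129.201.248:5985 TCP
2024-05-01T10:02:17 10.10.0.99:49311 -> 10.129.201.248:5986 TCP
2024-05-01T10:03:40 10.10.0.99:49320 -> 10.129.201.248:135 TCP
2024-05-01T10:03:41 10.10.0.99:49321 -> 10.129.201.248:49667 TCP
2024-05-01T10:05:00 10.10.0.7:40000 -> 10.129.201.248:443 TCP
2024-05-01T10:30:00 10.10.0.8:50000 -> 10.129.201.248:135 TCP
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_flows(text):
    """Parse the assumed flow-log format into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"],
        })
    return flows


def find_remote_management(flows, window=timedelta(seconds=30)):
    """Return (kind, src, dst) alerts for management traffic from non-allow-listed hosts.

    A WinRM port hit alerts on its own. A hit on TCP 135 is only remembered; it becomes an
    alert when the same src/dst pair opens a dynamic high port within `window`, which is the
    endpoint-mapper-then-DCOM pattern a remote WMI session produces. A lone 135 connection
    is not alerted because ordinary RPC traffic also uses the endpoint mapper.
    """
    alerts = []
    last_epm = {}  # (src, dst) -> timestamp of the most recent endpoint-mapper connection
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["proto"] != "TCP" or f["src"] in MANAGEMENT_HOSTS:
            continue
        pair = (f["src"], f["dst"])
        if f["dport"] in WINRM_PORTS:
            alerts.append(("winrm", f["src"], f["dst"]))
        elif f["dport"] == RPC_EPM_PORT:
            last_epm[pair] = f["ts"]
        elif (f["dport"] >= DYNAMIC_PORT_START and pair in last_epm
              and f["ts"] - last_epm[pair] <= window):
            alerts.append(("wmi-dcom-session", f["src"], f["dst"]))
            del last_epm[pair]  # one session per endpoint-mapper lookup
    return alerts


if __name__ == "__main__":
    for kind, src, dst in find_remote_management(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind}: {src} -> {dst}")
```

On the constructed sample, the jump host's WinRM session is suppressed by the allow-list, 10.10.0.99 produces a `winrm` alert and a correlated `wmi-dcom-session` alert, and the lone TCP 135 connection from 10.10.0.8 produces nothing. In production the allow-list would come from inventory, and the 5986 case still deserves a look even when encrypted, because the listener being reachable at all is the finding.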

### WMIexec.py (Impacket)

```bash
/usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"
```
