Edit

WimRM (PowerShell Remoting)

#powershell #winrs

  • Ports: 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

  • Group Required: Remote Management Users

  • PsExec on steroids

  • If Admin creds are used, we get a elevated shell on the remote machine (No UAC issues), because the remoting process runs a a High Integrity Process.

  • PSRemoting uses WinRM which is MS's implementation of WS-Management

  • Enabled by default since Server 2012

  • Need to manually enable in Windows Desktop (Requires Adminitrative Privs)

  • Some disadvantages:

    • Supports systemwide transcript and deep script logging

One-to-One

  • Interactive login to one machine

  • Runs in a new process (wsmprovhost)

  • State-full (persistent variables and state) using New-PSSession

  • Commands:

    • Enter-PSSession : Enter interactive prompt on the target machine

    • New-PSSession : Returns sessions to create persistent environment.

# Create interactive session using the current credentials
Enter-PSSession -ComputerName mymachine.domain.local

# Create session
$sess = New-PSSession -ComputerName mymachine.domain.local
$sess # holds the credentails and ohter information

# Enter-PSSession can be used to connnec to this session
Enter-PSSession -Session $sess

# Use Credentails to connect to the remote machine
# Creat PScredentails object that holds username and password
$username = 'Administrator';
$password = 'Mypass123';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force; 
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
# Connect to the machine
Enter-PSSession -Computername TARGET -Credential $credential

One-to-Many

  • Also knows as fan-out remoting.

  • Non Interactive

  • Executes commands parallely.

  • Commands:

    • Invoke-Command : Executes command on one more machine parallely.

  • Run commands/scripts on:

    • one more more computers

    • disconnected session

    • as a background job

  • Required administrative access on the target machine.

# Execute Command
Invoke-Command -ComputerName mycomputer.mydomain.local -ScriptBlock {whoami}

# Execute a fiile
Invoke-Command -ComputerName mycomputer.mydomain.local -FilePath .\Temp.ps1

# Can also run local functions on the target machine
Invoke-Command -ComputerName mycomputer.mydomain.local -ScriptBlock ${function:mylocalfunction}

# Can also use already created session from New-PSSession
Invoke-Command -FilePath C:\script.ps1 -Session $session

# Specify Multiple Servers
Invoke-Command  -Scriptblock {whoami} -Computername (Get-Content servers.txt)

  • We can also get host process information for the running PS Remoting session

Get-PSHostProcessInfo

winrs

  • Evades powershell based logging

  • Uses WinRM ports - 5985 and 5986

winrs.exe -u:<username> -p:<password> -r:<server> cmd

Last updated