# **Basic Information**

According to [HTB Academy](https://academy.hackthebox.com/module/112/section/1242):

> The Windows Remote Management (`WinRM`) is a simple Windows integrated remote management protocol based on the command line. WinRM uses the Simple Object Access Protocol (`SOAP`) to establish connections to remote hosts and their applications. Therefore, WinRM must be explicitly enabled and configured starting with Windows 10. WinRM relies on `TCP` ports `5985` and `5986` for communication, with the last port `5986 using HTTPS`, as ports 80 and 443 were previously used for this task. However, since port 80 was mainly blocked for security reasons, the newer ports 5985 and 5986 are used today.
>
> Another component that fits WinRM for administration is Windows Remote Shell (`WinRS`), which lets us execute arbitrary commands on the remote system. The program is even included on Windows 7 by default. Thus, with WinRM, it is possible to execute a remote command on another server.

# **Enumeration**

## **Scanning**

```bash
# default scan
nmap -sV -sC -p5985,5986 --disable-arp-ping -n <target_ip>
```

## **Initiate a WinRM Session**

```bash
# connect to target with a password
evil-winrm -i <target_ip> -u <username> -p <password>

# connect to target with a hash
evil-winrm -i <target_ip> -u <username> -H $(cat admin_hash.txt)
```

# **References**

# **Practical Application**

| Platform          | Name       | Notes |
| ----------------- | ---------- | ----- |
| Hack the Box Labs | [[Cicada]] |       |
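The Basic Information quote describes WinRM as SOAP over TCP 5985/5986, and the Scanning section fingerprints those ports with nmap. The following added example (not from this note or from HTB Academy) shows what sits underneath both: WS-Management defines an unauthenticated Identify operation, and a WinRM listener answers it with an IdentifyResponse naming the vendor and stack version. The code builds the Identify envelope, parses a response, and tells the 5985 (HTTP) listener apart from the 5986 (HTTPS) one so an inventory can flag hosts that expose WinRM without TLS. The SOAP response and fault embedded below are constructed samples; the host 192.0.2.10 is a documentation address.

```python
"""WinRM listener fingerprinting via the WS-Management Identify operation.

Added example; not code from the original note or from HTB Academy. A WinRM
endpoint answers an Identify request that carries the HTTP header
"WSMANIDENTIFY: unauthenticated" with an IdentifyResponse. The sample
response and fault below are constructed; real values vary per host.
"""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSMID_NS = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"

# WinRM listens on 5985 (HTTP) and 5986 (HTTPS); both serve the /wsman path.
WINRM_PORTS = {5985: "http", 5986: "https"}


def winrm_endpoint(host: str, port: int) -> str:
    """Build the listener URL; a non-WinRM port raises instead of being probed."""
    try:
        scheme = WINRM_PORTS[port]
    except KeyError:
        raise ValueError(f"{port} is not a standard WinRM port") from None
    return f"{scheme}://{host}:{port}/wsman"


def is_encrypted_transport(port: int) -> bool:
    """Only the 5986 listener wraps SOAP in TLS. On 5985 the SOAP body is
    protected only by message-level encryption negotiated by Kerberos/NTLM,
    which Basic authentication does not provide."""
    return WINRM_PORTS.get(port) == "https"


def identify_request() -> str:
    """SOAP envelope for the WS-Management Identify operation (no credentials)."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}">'
        "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
    )


@dataclass
class WinRMIdentity:
    vendor: str
    product_version: str
    protocol_version: str


def parse_identify_response(xml_text: str) -> Optional[WinRMIdentity]:
    """Extract vendor/version from an IdentifyResponse.

    Returns None for malformed XML, SOAP faults, or non-WS-Man bodies, so a
    caller can distinguish "WinRM answered" from "something else on the port".
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    resp = root.find(f".//{{{WSMID_NS}}}IdentifyResponse")
    if resp is None:
        return None

    def text(tag: str) -> str:
        node = resp.find(f"{{{WSMID_NS}}}{tag}")
        return (node.text or "").strip() if node is not None else ""

    return WinRMIdentity(
        vendor=text("ProductVendor"),
        product_version=text("ProductVersion"),
        protocol_version=text("ProtocolVersion"),
    )


# Constructed sample in the shape a Windows host returns (values illustrative).
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}">
  <s:Header/>
  <s:Body>
    <wsmid:IdentifyResponse>
      <wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>
      <wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>
      <wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion>
    </wsmid:IdentifyResponse>
  </s:Body>
</s:Envelope>"""

# Constructed SOAP fault, the kind of body seen when the request is refused.
SAMPLE_FAULT = f"""<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>
  <s:Code><s:Value>s:Sender</s:Value></s:Code>
</s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    for port in (5985, 5986):
        print(winrm_endpoint("192.0.2.10", port), "tls:", is_encrypted_transport(port))
    print(parse_identify_response(SAMPLE_RESPONSE))
    print(parse_identify_response(SAMPLE_FAULT))
```

To use it against a live listener, POST `identify_request()` to `winrm_endpoint(host, port)` with `Content-Type: application/soap+xml;charset=UTF-8` and the `WSMANIDENTIFY: unauthenticated` header, then feed the body to `parse_identify_response`; a `None` result on an open 5985/5986 port means the service is not WinRM or the Identify operation is blocked, which is itself worth recording in the inventory.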