WinRM_Brute_Scanner.ps1 allows you to scan and brute force the WinRM service remotely.
I wrote this script to be able to scan for this service on a Windows system. Because this uses PowerShell commands, no AV should interfere, and no additional modules are required. Once obtained, remote commands can be sent.
- Port: 5985 (http)
- Port: 5986 (https)
To find out more about the service: https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management
First you must download and import the module:
Import-Module [Script location]
To scan the device, we can use the function: winrm_scanner
Once ran, you will need to select 1 of 2 options.
- Option 1: Single IP
- Option 2: Multiple IPs (IP List)
To generate an IP List, you could use this online tool: http://magic-cookie.co.uk/iplist.html
Option 1: Single IP
Simply enter the IP or Hostname
Option 2: IP List
Simply enter the text file location. IPs need to be on separate lines.
To brute force the service, you can use the winrm_brute function.
You will need to supply the following:
- IP or Hostname
- Wordlist Location
For this to be successful, you will need to meet the following requirements:
- Be a trusted machine (Get-Item WSMan:\localhost\Client\TrustedHosts)
- Be on the same domain (depending on restrictions)
- Be able to reach the remote device (Firewall)