:::danger

    • 端口: 5985/TCP (WinRM HTTP) 5986/TCP (WinRM HTTPS)
    • 权限: Remote Administrator

    :::

    WinRM 是一种基于 Web 的协议,用于向远程 Windows 主机发送 PowerShell 命令,默认情况下,大多数 Windows Server 安装启用 WinRM。地址类似这样:http://192.168.1.105:5985/wsman, https://192.168.1.105:5986/wsman

    1. # Server和client启动winrm服务
    2. Enable-PSRemoting force
    3. winrm quickconfig -transport:https
    4. // winrm支持NTLM认证和Kerberos认证,工作组环境使用NTLM认证时需要在client端将Server加入trustedhosts
    5. Set-Item wsman:\localhost\client\trustedhosts * 
    6. Restart-Service WinRM
    8. # 测试连接
    9. test-wsman -computername "WIN-S0V7KMTVLD2"
    10. test-wsman -computername "192.168.1.105"
    1. winrs.exe -u:Administrator -p:Mypass123 -r:target cmd

    使用 PowerSHELL 连接目标:

    1. $username = 'Administrator';
    2. $password = 'Mypass123';
    3. $securePassword = ConvertTo-SecureString $password -AsPlainText -Force; 
    4. $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

    创建 PSCredential 后使用 Enter-PSSession 创建交互式会话:

    1. Enter-PSSession -Computername TARGET -Credential $credential
    Powershell还包括Invoke-Command cmdlet,它通过WinRM远程运行ScriptBlocks。凭据还必须通过 PSCredential 对象传递: 
    1. Invoke-Command -Computername TARGET -Credential $credential -ScriptBlock {whoami}