
WINRM

(Windows Remote Management)

Miguel Ángel Orozco Tortosa - Seguridad y Alta Disponibilidad (Security and High Availability)


What is WinRM?

● WS-Management Protocol: a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and Windows operating systems to interoperate
● From PowerShell you open a session to another Windows host over WinRM and run most of the available cmdlets there as if they were local
● The ports used are TCP 5985 for HTTP and TCP 5986 for HTTPS
● The intended audience for Windows Remote Management is IT Pros, who write scripts to automate
the management of servers, and ISV (Independent Software Vendor) developers, who want to obtain
data for management applications.
Initial Authentication

● Regardless of the transport protocol used (HTTP or HTTPS), WinRM always encrypts all PowerShell
remoting communication after initial authentication.
● When a client connects to a domain server using its computer name, the default authentication protocol
is Kerberos. Kerberos guarantees both the user identity and server identity.
● When a client connects to a domain server using its IP address, or connects to a workgroup server, Kerberos authentication isn't possible. In that case PowerShell Remoting falls back to the NTLM authentication protocol, which proves the user's identity but not the server's; the client therefore refuses the connection unless HTTPS is used or the target is listed in the client's TrustedHosts (which turns off that server identity check for the listed hosts).
● You can configure target servers to use SSL for PowerShell Remoting by assigning an SSL certificate to the target server and creating an HTTPS listener on port 5986; the certificate then authenticates the server to the client.
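The transport and authentication choices above, as an added example that is not part of the original slides. The server name srv01.corp.example, the IP 10.0.0.25 and the self-signed certificate are assumptions for a lab; in production the certificate comes from a CA the clients trust.

```powershell
# Added example (not from the original slides). Host names, IP and the
# self-signed certificate are lab assumptions.

# ===== On the TARGET server, elevated PowerShell =====

# Default HTTP listener on TCP 5985. Even over HTTP the payload is encrypted
# by WinRM message-level encryption negotiated after Kerberos/NTLM auth.
Enable-PSRemoting -Force

# Add an HTTPS listener on TCP 5986. The certificate subject must match the
# name clients will use, otherwise the client's server-identity check fails.
$cert = New-SelfSignedCertificate -DnsName 'srv01.corp.example' `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -CertificateThumbPrint $cert.Thumbprint -Force
New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound `
                    -Protocol TCP -LocalPort 5986 -Action Allow

# Review what is actually exposed: listeners and enabled auth methods
# (Kerberos and Negotiate on by default; Basic and CredSSP should stay off).
Get-ChildItem WSMan:\localhost\Listener
Get-ChildItem WSMan:\localhost\Service\Auth

# ===== On the CLIENT =====

# Domain host addressed by name: Kerberos, mutual authentication, no setup.
Enter-PSSession -ComputerName srv01.corp.example

# Host addressed by IP (or a workgroup host): Kerberos is impossible, WinRM
# falls back to NTLM and refuses unless the address is in TrustedHosts.
# TrustedHosts disables server-identity verification for those entries,
# so keep the list narrow and never use '*'.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.0.0.25' -Concatenate -Force
Enter-PSSession -ComputerName 10.0.0.25 -Credential (Get-Credential)

# Better option for the non-Kerberos case: HTTPS. The certificate proves the
# server's identity, so no TrustedHosts entry is needed.
Enter-PSSession -ComputerName srv01.corp.example -UseSSL -Credential (Get-Credential)
```

The point to take from the three client calls: only the first and the last give you server authentication. The TrustedHosts path trades that check away, which is why it belongs in a lab and not in a fleet-wide baseline.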
Security Issues (attacker assumptions from Black Hat USA 2014)

The "Investigating PowerShell Attacks" paper does not describe flaws in WinRM itself; it assumes an attacker who already has the following capabilities, and then examines how remoting is abused and what evidence it leaves:
● The attacker has obtained administrator-equivalent rights on the target system, most typically the credentials of a privileged domain account.
● The attacker can reach the target laterally over common Windows ports and protocols (e.g. SMB, NetBIOS and/or WinRM).
● The attacker can bypass the default "Restricted" execution policy under which PowerShell runs scripts (the execution policy is a safety setting, not a security boundary, and can be overridden per process).
● The attacker can remotely enable PowerShell remoting and the WinRM service on a host by means of other native Windows tooling, such as a scheduled task ("at", or "schtasks" on current Windows), the Service Control Manager ("sc") or Windows Management Instrumentation (WMI).
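The last two assumptions are what an investigator hunts for on a suspected target. As an added example that is not from the slides or from the Black Hat paper, the following triage script pulls the traces those techniques leave in the standard Windows event logs. The event IDs are Microsoft's documented ones; the seven-day window, the search patterns and the Properties indexes (Windows 10 / Server 2016 or later event schema) are assumptions, and 4624/4688/4104 only exist when logon auditing, process-creation auditing and script block logging are enabled.

```powershell
# Added example (not from the slides or the Black Hat paper). Run on the
# suspected target in an elevated PowerShell. Window and indexes are assumptions.

$Since = (Get-Date).AddDays(-7)
$Quiet = @{ ErrorAction = 'SilentlyContinue' }   # Get-WinEvent errors when a filter matches nothing

# 1. Remote enablement via "sc \\target start winrm" or a scheduled task running
#    Enable-PSRemoting ends with the service starting: System log 7036 from the
#    Service Control Manager naming Windows Remote Management.
Get-WinEvent @Quiet -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7036; StartTime=$Since} |
    Where-Object { $_.Message -like '*Windows Remote Management*' } |
    Select-Object TimeCreated, Message

# 2. Who opened remoting shells here. WinRM/Operational 91 = WSMan shell created
#    for a client request, 169 = user authenticated; the 169 message names the
#    auth protocol, so NTLM where Kerberos is expected stands out.
Get-WinEvent @Quiet -FilterHashtable @{LogName='Microsoft-Windows-WinRM/Operational'; Id=91,169; StartTime=$Since} |
    Select-Object TimeCreated, Id, Message

# 3. Network logons behind those sessions: Security 4624 with LogonType 3.
#    Field order: TargetUserName[5], TargetDomainName[6], LogonType[8],
#    AuthenticationPackageName[10], IpAddress[18].
Get-WinEvent @Quiet -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} |
    Where-Object { $_.Properties[8].Value -eq 3 } |
    Select-Object TimeCreated,
        @{n='User';     e={ "$($_.Properties[6].Value)\$($_.Properties[5].Value)" }},
        @{n='AuthPkg';  e={ $_.Properties[10].Value }},
        @{n='SourceIP'; e={ $_.Properties[18].Value }} |
    Group-Object -Property User, AuthPkg, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 4. Remote process creation through WMI (Win32_Process.Create) appears as
#    Security 4688 whose parent is WmiPrvSE.exe. Field order: NewProcessName[5],
#    CommandLine[8] (needs command-line auditing), ParentProcessName[13].
Get-WinEvent @Quiet -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$Since} |
    Where-Object { $_.Properties[13].Value -like '*\WmiPrvSE.exe' } |
    Select-Object TimeCreated,
        @{n='NewProcess';  e={ $_.Properties[5].Value }},
        @{n='CommandLine'; e={ $_.Properties[8].Value }}

# 5. Once a session exists, script block logging (PowerShell/Operational 4104)
#    records what ran. Look for the enablement and policy-bypass commands.
Get-WinEvent @Quiet -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$Since} |
    Where-Object { $_.Message -match 'Enable-PSRemoting|Set-ExecutionPolicy|-ExecutionPolicy Bypass|TrustedHosts|winrm\s+quickconfig' } |
    Select-Object TimeCreated, Message
```

Step 3 is the one worth automating: grouping by user, auth package and source IP turns a flood of 4624s into a short list, and an NTLM entry from an address that should be using Kerberos is exactly the IP-address connection described in the previous section.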
How does WINRM work?
● When you submit a remote command, it is transmitted across the network to the PowerShell engine on the remote computer and runs in a PowerShell session there. The results are serialised and sent back to the local computer, where they appear in your local PowerShell session (as deserialised copies, not live objects).
● The commands needed to connect to a remote computer are:

- winrm quickconfig (short form: winrm qc) on the target → starts the WinRM service, creates the HTTP listener and opens the firewall port; Enable-PSRemoting does the same from PowerShell and also registers the remoting endpoint

- New-PSSession -ComputerName <ComputerName> (persistent session) or Enter-PSSession -ComputerName <ComputerName> (interactive session)

- Invoke-Command -ComputerName Server01, Server02 -ScriptBlock {Get-UICulture} → runs a command on one or more targets without an interactive session

● Many other cmdlets carry their own ComputerName parameter. Only the remoting cmdlets above use WinRM; most of the others (for example Get-Service, Get-Process and Get-EventLog in Windows PowerShell) talk RPC/DCOM directly, so they work even when WinRM is not enabled on the other computer. To list them:

- Get-Command -ParameterName ComputerName
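The procedure above end to end, as an added example that is not the slide author's code. Server01, Server02 and the file path are assumptions.

```powershell
# Added example (not from the original slides). Server names and paths are assumptions.

# ----- Target (elevated PowerShell) -----
# Start WinRM, create the HTTP listener, open the firewall and register the
# remoting endpoint. "winrm quickconfig" does the first three; Enable-PSRemoting
# does all four. Add -SkipNetworkProfileCheck if the network profile is Public.
Enable-PSRemoting -Force

# ----- Client -----
# Confirm the target answers WS-Management before sending credentials.
Test-WSMan -ComputerName Server01

# One-off command fanned out to several hosts; PowerShell runs them
# concurrently (default ThrottleLimit 32) and tags each result with PSComputerName.
Invoke-Command -ComputerName Server01, Server02 -ScriptBlock { Get-UICulture }

# Persistent session: variables and loaded modules survive between calls because
# every Invoke-Command against $s reuses the same remote runspace.
$s = New-PSSession -ComputerName Server01
Invoke-Command -Session $s -ScriptBlock { $svc = Get-Service -Name WinRM }
Invoke-Command -Session $s -ScriptBlock { $svc.Status }          # $svc still exists
Copy-Item -Path .\report.ps1 -Destination 'C:\Temp\' -ToSession $s  # file copy over the session (PowerShell 5.0+)
Invoke-Command -Session $s -FilePath .\report.ps1                   # run a local script remotely
Remove-PSSession -Session $s

# Interactive prompt on the remote host; Exit-PSSession returns to the local one.
Enter-PSSession -ComputerName Server01

# Cmdlets with their own ComputerName parameter:
Get-Command -ParameterName ComputerName

# Only the remoting cmdlets go through WinRM. Get-Service, Get-Process and
# Get-EventLog (Windows PowerShell 5.1; the parameter was removed in PowerShell 7)
# use RPC/DCOM directly and work even if WinRM is disabled on the target, as
# long as RPC is reachable and the account is privileged there.
Get-Service -Name WinRM -ComputerName Server01
```

The Copy-Item and -FilePath lines matter for the comparison with SSH later on: file transfer and script push are available over a plain WinRM session since PowerShell 5.0, they are just not a feature of the WS-Management protocol itself.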


WINRM VS SSH

WinRM (PowerShell Remoting over WS-Management):
● Only for Windows OS (Linux clients such as pywinrm can talk to it, but there is no WinRM service for Linux)
● Windows-only PS Remoting
● Can use vanilla Windows VMs, nothing to install
● Enabled in AWS Windows images by default
● Not many client languages supported (Python, PowerShell, native EXE)
● No built-in file transfer in the protocol, but it is configurable through scripts, and since PowerShell 5.0 Copy-Item -ToSession/-FromSession copies files over a PSSession
● Data encryption (message-level after authentication, or TLS on the HTTPS listener)

SSH:
● Available for Linux and Windows OS
● Multiplatform PS Remoting (PowerShell 7 over SSH)
● Installation required (OpenSSH server on Windows, PowerShell on the Linux side)
● Built-in file transfer (scp/sftp)
● Data encryption
● No domain or trusted-host lists required; server identity comes from the SSH host key
● Authentication required (password or key)
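The right-hand column in practice, as an added example that is not part of the original slides: the same session workflow over SSH with PowerShell 7, which is what makes remoting multiplatform. Host names, user names, the key path and the destination directory are assumptions.

```powershell
# Added example (not from the original slides). Hosts, users and paths are assumptions.

# ----- Target: PowerShell 7 plus an SSH server -----
# Register PowerShell as an SSH subsystem in sshd_config, then restart sshd.
# Default install paths, adjust to the host:
#   Windows: Subsystem powershell C:/progra~1/PowerShell/7/pwsh.exe -sshs -NoLogo
#   Linux:   Subsystem powershell /usr/bin/pwsh -sshs -NoLogo
# Password or public-key auth is whatever sshd allows; no domain membership needed.

# ----- Client: PowerShell 7 on Windows, Linux or macOS -----
# -HostName selects the SSH transport (-ComputerName would select WinRM).
# Server identity is the SSH host key, checked against known_hosts on first use.
$s = New-PSSession -HostName linux01.example -UserName deploy -KeyFilePath ~/.ssh/id_ed25519
Invoke-Command -Session $s -ScriptBlock { $PSVersionTable.OS; whoami }

# File transfer over the same session, no scp needed from PowerShell's side.
Copy-Item -Path ./config.json -Destination /etc/app/ -ToSession $s
Remove-PSSession -Session $s

# Interactive prompt on a Windows box over SSH instead of WinRM.
Enter-PSSession -HostName win01.example -UserName admin

# Mixed fan-out: WinRM to domain hosts, SSH to everything else, one cmdlet.
Invoke-Command -ComputerName Server01 -ScriptBlock { hostname }
Invoke-Command -HostName linux01.example -UserName deploy -ScriptBlock { hostname }
```

Objects still come back serialised exactly as over WinRM; the transport changes, the PowerShell remoting protocol on top of it does not. What you give up is Kerberos single sign-on and the Windows security log entries tied to it, so SSH sessions need the sshd log watched with the same care as the WinRM/Operational log.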
Bibliography

● Microsoft Learn, "Security Considerations for PowerShell Remoting": https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.3
● Ryan Kazanciyan, Matt Hastings, "Investigating PowerShell Attacks", Black Hat USA 2014
● Microsoft Scripting Blog, "Table of Basic PowerShell Commands": https://devblogs.microsoft.com/scripting/table-of-basic-powershell-commands/
● DZone, "Cloud Automation: WinRM vs SSH": https://dzone.com/articles/cloud-automation-winrm-vs-ssh
