
Installing Native WinRM Client

Linux Host Connecting to Windows Host

Users may be able to get WSMan remoting to work using the PSWSMan module. This module isn't supported or maintained by Microsoft.

-- https://learn.microsoft.com/en-us/powershell/scripting/security/remoting/wsman-remoting-in-powershell?view=powershell-7.4

PSWSMan

Be warned! The only way I could get a session from Kali to domain hosts in my lab was using Kerberos authentication. On top of that, it takes an absurdly long time for any commands to complete over the session (also documented here).

For native Linux -> Windows support, it is better to look at Windows Remoting over SSH.

... I've stopped working on that in favour of this unreleased repository due to various issues like memory leaks.

-- https://github.com/jborean93/PSWSMan/issues/10#issuecomment-1913362424

Building PSWSMan

.NET Dependencies

Install DotNet Core 8.0 SDK: https://dotnet.microsoft.com/en-us/download/dotnet/8.0

At the time of this writing, the latest Kali version (2024.2) is based on Debian 12, so we'll use the Debian 12 .deb package for the Microsoft package repository.

wget https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
sudo apt update && sudo apt install -y dotnet-sdk-8.0

Build and Install the Module

git clone https://github.com/jborean93/PSWSMan
cd PSWSMan
# Module is output in ./output/PSWSMan directory
sudo pwsh -c "Install-Module -Force ModuleFast -Scope AllUsers"
sudo pwsh -f ./build.ps1 -Task Build
sudo pwsh -c "Install-Module PSWSMan -Scope AllUsers"
sudo pwsh
PS> Import-Module PSWSMan
PS> Install-WSMan
PS> exit

Create a New WinRM Session

See here about setting up your Kerberos configuration file: Kerberos Authentication

echo '10.80.80.2        dc01.ad.lab ad.lab' | sudo tee -a /etc/hosts
sudo cp /etc/krb5.conf /etc/krb5.conf.bak

PowerShell does not respect the KRB5_CONFIG environment variable for custom config paths.

[libdefaults]
    default_realm = AD.LAB
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    AD.LAB = {
        kdc = dc01.ad.lab
        admin_server = dc01.ad.lab
        default_domain = ad.lab
    }

[domain_realm]
    ad.lab = AD.LAB
    .ad.lab = AD.LAB

Updated /etc/krb5.conf for my environment

pwsh

Start PowerShell

kinit winrm.user

You will be prompted to enter the user's password

klist

You should see the user's TGT cached

$session = New-PSSession -ComputerName 192.168.10.22 -Port 5985 -Authentication "Kerberos"

Unencrypted transport (tcp/5985, plain HTTP)

$options = New-PSSessionOption -SkipCACheck
$session = New-PSSession -ComputerName 'dc01.ad.lab' -SessionOption $options -Authentication 'Kerberos' -UseSSL -Port 5986

Encrypted session (tcp/5986)

$session | Enter-PSSession

Open an interactive WSMan session
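The session steps above (check the TGT, prefer the tcp/5986 listener, build the session, time a first command) combined into one reusable pwsh function, as an added example that is not code from this page or from the PSWSMan project. The function name, the lab host dc01.ad.lab, the realm AD.LAB and the assumption that PSWSMan is already installed and imported are all assumptions for this lab.

```powershell
# Added example (not from the page or the PSWSMan project). Assumes pwsh on Linux with
# PSWSMan installed, a TGT obtained with kinit, and the lab names used on this page.
function New-KerberosWinRMSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # use the FQDN: Kerberos needs the HTTP/<fqdn> SPN
        [string] $Realm = 'AD.LAB',
        [switch] $AllowPlainHttp,                        # opt in to tcp/5985 when no HTTPS listener exists
        [switch] $SkipCertChecks                         # lab only: self-signed WinRM listener certificate
    )

    # 1. Refuse to continue without a cached TGT for the expected realm (mirrors the klist step).
    $tickets = & klist 2>&1 | Out-String
    $tgtPattern = [regex]::Escape("krbtgt/$Realm@$Realm")
    if ($LASTEXITCODE -ne 0 -or $tickets -notmatch $tgtPattern) {
        throw "No cached Kerberos TGT for $Realm. Run: kinit <user>@$Realm"
    }

    # 2. Probe the HTTPS listener first; fall back to plain HTTP only when explicitly allowed.
    $port = 5986
    $useSsl = $true
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($ComputerName, $port)
    } catch {
        if (-not $AllowPlainHttp) { throw "tcp/5986 closed on $ComputerName; pass -AllowPlainHttp to use 5985" }
        Write-Warning "Falling back to WinRM over HTTP (tcp/5985): transport is not TLS-protected"
        $port = 5985
        $useSsl = $false
    } finally {
        $tcp.Dispose()
    }

    # 3. Build the session; -SkipCACheck/-SkipCNCheck only when the caller asked for them.
    $opt = if ($SkipCertChecks) { New-PSSessionOption -SkipCACheck -SkipCNCheck } else { New-PSSessionOption }
    $params = @{ ComputerName = $ComputerName; Port = $port; Authentication = 'Kerberos'; SessionOption = $opt }
    if ($useSsl) { $params['UseSSL'] = $true }
    $session = New-PSSession @params

    # 4. Time one trivial remote call, since commands over PSWSMan sessions can be very slow.
    $elapsed = Measure-Command { Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME } }
    Write-Verbose ("First round trip to {0}: {1:N0} ms" -f $ComputerName, $elapsed.TotalMilliseconds)
    return $session
}

# Usage: $s = New-KerberosWinRMSession -ComputerName 'dc01.ad.lab' -SkipCertChecks -Verbose
#        Invoke-Command -Session $s -ScriptBlock { whoami }; Remove-PSSession $s
```

Because the function checks klist and the 5986 listener before calling New-PSSession, a missing ticket or a closed HTTPS port fails fast with a clear message instead of a slow, opaque WSMan error.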