PowerShell for Pentesters, Part 5: Remoting With PowerShell

Introduction

In part five of our series on PowerShell for pentesters, we will discuss a very important subject: the process of remoting with PowerShell. Remoting will allow us to execute PowerShell commands on a remote target machine(s). So let’s learn how to do it!

Of course, we are talking about this only for penetration testing purposes; other techniques or ways might exist to exploit remoting, but we’re choosing the most important for this specific context.

Remoting With PowerShell

Remoting lets us run PowerShell commands or access full PowerShell sessions on remote Windows systems. This is very important to us as pentesters because PowerShell has been natively present in Windows OS-based systems since Windows 7.

Remoting with PowerShell is based on the WS-Management (WSMAN) protocol and is implemented by the WinRM service, so we will need TCP ports 5985 (HTTP) and 5986 (HTTPS).

On a default installation, you might have problems using remoting. This is because WinRM is not yet configured and the firewall rule has not been added. We can solve this by using the following command:

Note: If you are part of a trusted domain, there is no further requirement, but if your computers aren’t on a domain, you need to perform a few more steps in order to get things started. You should have already enabled remoting on the PC to which you want to connect using the command: Enable-PSRemoting -Force

Then you need to configure the TrustedHosts setting on both the PC to which you want to connect and the computer (or computers) you want to connect from. This is so that the computers will trust each other. If you’re on a home network where you want to go ahead and trust any PC to connect remotely, you can type the following cmdlet in PowerShell: Set-Item wsman:\localhost\client\trustedhosts *, then restart the WinRM service: Restart-Service (Read more...)
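The following script is an added example, not code from the original post: it audits the local WinRM settings the steps above touch (service, listeners on 5985/5986, TrustedHosts, firewall rules) and then verifies a session to one remote host end to end. The computer name in $Target is a placeholder you replace with your own lab host; run it from an elevated PowerShell.

```powershell
# Added example, not code from the original post: audit the local WinRM/PS remoting
# settings the article walks through, then verify a session to one remote host.
# $Target is a placeholder computer name; run in an elevated PowerShell.
param([string]$Target = "REMOTE-PC")

function Get-RemotingStatus {
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    # Each listener container holds Transport (HTTP -> 5985, HTTPS -> 5986) and Port
    $listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ChildItem $_.PSPath
        '{0}:{1}' -f ($p | Where-Object Name -eq 'Transport').Value, ($p | Where-Object Name -eq 'Port').Value
    }
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue).Value
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
             Where-Object Enabled -eq 'True' | Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{
        WinRMRunning  = [bool]($svc -and $svc.Status -eq 'Running')
        Listeners     = @($listeners)
        TrustedHosts  = $trusted
        # The "*" shortcut from the article trusts every host: the client will then send
        # its credentials to any machine it is pointed at, so flag it on non-domain setups
        WildcardTrust = ($trusted -eq '*')
        FirewallRules = @($rules)
    }
}

function Test-RemotingTo {
    param([string]$ComputerName, [pscredential]$Credential)
    # 1. Is the HTTP listener port reachable at all?
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port 5985 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { return "Port 5985 closed on $ComputerName" }
    # 2. Does WinRM answer an unauthenticated identify request?
    try { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop }
    catch { return "WS-Man identify failed: $($_.Exception.Message)" }
    # 3. Run a command through a real session and report the identity on the far end
    $who = Invoke-Command -ComputerName $ComputerName -Credential $Credential `
              -ScriptBlock { "$env:COMPUTERNAME as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)" }
    return "Session OK: $who"
}

Get-RemotingStatus | Format-List
Test-RemotingTo -ComputerName $Target -Credential (Get-Credential -Message "Account for $Target")
```

If WildcardTrust comes back True on a workgroup machine, narrow TrustedHosts to the specific hosts you actually connect to and restart WinRM as the post describes.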

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Kondah Hamza. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/zA8CzC1cbPY/