Simple WinRM shell (via Kerberos)

Sh11td0wn · September 7, 2019, 9:52pm

Hi there,

I’m here (again) to proudly (x2) introduce a WinRM shell that i developed for simple needs.
The main difference from my past winrm_shell is that this on relays on a valid Kerberos ticket.
(Very useful with Golden Tickets)

ATTENTION

Make sure you have your kerberos ticket properly configured,
either setting the KRB5CCNAME variable or copying and renaming it to ‘/tmp/krb5cc_0’

Example:

export KRB5CCNAME=‘/foo/bar/ticket.ccache’
or
cp -v /foo/bar/ticket.ccache /tmp/krb5cc_0

Also, make sure you can resolve all domain involved names.

Usage: ./winrm_kerb_shell.rb [options]

Example:
./winrm_kerb_shell.rb -s fooserver.contoso.com -r CONTOSO.COM

PS contoso.com\bob@fooserver Documents>

It requires ruby and ‘winrm’ ruby module (gem install winrm)

I really appreciate any comments and suggestions.

Regards,

OscarAkaElvis · September 30, 2019, 9:54pm

Nice! probably we’ll add something similar to Evil-WinRM (kerberos auth). Thanks for the inspiration.

Topic		Replies	Views
Simple WinRM shell Tools	1	914	September 30, 2019
Evil-WinRM shell Tools shell , hacking , windows , winrm , evil-winrm	43	21463	December 31, 2022
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01) Academy	18	3781	September 24, 2024
OSCP ban Evil-winrm please help me Exploits	2	1186	January 6, 2022
Password Attacks Module: Network Services (winrm) Help Academy	2	316	May 28, 2024

Simple WinRM shell (via Kerberos)

ATTENTION

Related topics