Winrm Using Certificate[PFX]

Notes to connect to a system through Winrm using a certificate [pfx]

From Windows

First, import the certificate and then use Powershell script to get a session over winrm.

param (
    [string]$ComputerName = $(throw "-ComputerName is required."),
    [string]$CertificateSubject = $(throw "-CertificateSubject is required.")
 )

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    [System.Security.Cryptography.X509Certificates.StoreName]::My,
    [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

foreach($cert in $store.Certificates) {
    if ($cert.Subject -eq $CertificateSubject) {
        $sessionCert = $cert
        break
    }
}

if (!$sessionCert) {
    throw "An X509 certificate matching subject `"$CertificateSubject`" could not be found."
}

$opt = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$session = New-PSSession -ComputerName $ComputerName -UseSSL -CertificateThumbprint $sessionCert.Thumbprint -SessionOption $opt
Enter-PSSession $session

For this we need a valid certificate, ComputerName and CertificateSubject. We can simply use IP as ComputerName and for CertificateSubject, we dump data from the certificate using certutil. Command => certutil -dump .\0xEr3bus.pfxLooking at the output we see Issuer: CN=Erebus, This is the CertificateSubjectNow run the command ==> .\session.ps1 -ComputerName 10.10.xx.xx -CertificateSubject "CN=Erebus"

For Linux

Reference => Link

openssl pkcs12 -in 0xEr3bus.pfx -nocerts -out private.pem
openssl pkcs12 -in 0xEr3bus.pfx -clcerts -nokeys -out cert.crt
openssl rsa -in private.pem -out private2.pem
evil-winrm -i 10.xx.xx.xx -u <UserName> -k $PWD/private2.pem -c $PWD/cert.crt -p ''

PreviousWeaponizing Windows Pt-1 NextWriteOwner

Last updated 3 years ago