# Winrm Using Certificate\[PFX] ### From Windows First, import the certificate and then use Powershell script to get a session over `winrm`. ```powershell param ( [string]$ComputerName = $(throw "-ComputerName is required."), [string]$CertificateSubject = $(throw "-CertificateSubject is required.") ) $store = New-Object System.Security.Cryptography.X509Certificates.X509Store( [System.Security.Cryptography.X509Certificates.StoreName]::My, [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser) $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly) foreach($cert in $store.Certificates) { if ($cert.Subject -eq $CertificateSubject) { $sessionCert = $cert break } } if (!$sessionCert) { throw "An X509 certificate matching subject `"$CertificateSubject`" could not be found." } $opt = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck $session = New-PSSession -ComputerName $ComputerName -UseSSL -CertificateThumbprint $sessionCert.Thumbprint -SessionOption $opt Enter-PSSession $session ``` For this we need a valid certificate, `ComputerName` and `CertificateSubject`. We can simply use `IP` as `ComputerName` and for `CertificateSubject`, we dump data from the certificate using `certutil`.\ Command => `certutil -dump .\0xEr3bus.pfx`\ Looking at the output we see `Issuer: CN=Erebus`, This is the `CertificateSubject`\ Now run the command ==> \ `.\`session.`ps1 -ComputerName 10.10.xx.xx -CertificateSubject "CN=Erebus"` ### For Linux Reference => [Link](https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file#r_extratsslcert__keypwd) ```ruby openssl pkcs12 -in 0xEr3bus.pfx -nocerts -out private.pem openssl pkcs12 -in 0xEr3bus.pfx -clcerts -nokeys -out cert.crt openssl rsa -in private.pem -out private2.pem evil-winrm -i 10.xx.xx.xx -u -k $PWD/private2.pem -c $PWD/cert.crt -p '' ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.shashwatshah.me/windows/active-directory/winrm-using-certificate-pfx.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.