PowerShell Remoting

Using the WS-Management protocol, Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers. You can establish persistent connections, start interactive sessions, and run scripts on remote computers.

With a foothold on the internal network, PowerShell ships a cmdlet, Test-WSMan, that checks whether PS Remoting (the WinRM service) is listening on a remote host before you try to authenticate to it.

The WinRM listener defaults to TCP 5985 (HTTP) and 5986 (HTTPS). Administrators can move it to a non-default port so that an attacker scanning only well-known ports does not see it; this only hides the service from casual scanning, since a full port scan or a WS-Management probe against the new port still finds it.
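The availability check described above, as an added example that is not part of the original post: it probes each host on the two default WinRM ports plus any alternate port you suspect, using Test-WSMan, which sends an unauthenticated WS-Management Identify request and succeeds whenever a listener answers. The host names and the port 5990 are assumptions for illustration.

```powershell
# Added example (not from the original post): probe hosts for a reachable
# WinRM listener. Host names and the alternate port 5990 are assumptions.
function Test-PSRemoting {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Ports to try: WinRM defaults (5985 HTTP, 5986 HTTPS) plus any
        # non-default port the administrator may have moved the listener to.
        [int[]]$Port = @(5985, 5986),
        # Ports on which to speak HTTPS; 5986 is the only default one.
        [int[]]$SslPort = @(5986)
    )
    foreach ($computer in $ComputerName) {
        foreach ($p in $Port) {
            $useSsl = $SslPort -contains $p
            try {
                # Test-WSMan needs no credentials: the Identify request is
                # answered before authentication. Note that over HTTPS it
                # fails on an untrusted (self-signed) certificate even when
                # the listener is up, so treat an SSL failure with care.
                $id = Test-WSMan -ComputerName $computer -Port $p -UseSSL:$useSsl -ErrorAction Stop
                [pscustomobject]@{
                    ComputerName   = $computer
                    Port           = $p
                    UseSSL         = $useSsl
                    Reachable      = $true
                    ProductVersion = $id.ProductVersion   # e.g. "OS: 0.0.0 SP: 0.0 Stack: 3.0"
                }
            } catch {
                [pscustomobject]@{
                    ComputerName   = $computer
                    Port           = $p
                    UseSSL         = $useSsl
                    Reachable      = $false
                    ProductVersion = $null
                }
            }
        }
    }
}

# Assumed hosts; 5990 stands in for a listener moved off the default port.
Test-PSRemoting -ComputerName 'ws01', 'ws02' -Port 5985, 5986, 5990 |
    Format-Table -AutoSize
```

A host that answers on 5990 but not on 5985 is exactly the "hidden" listener the paragraph above describes; the port change bought nothing once the probe includes the new port.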

From outside the network, or from any host that can reach the listener, evil-winrm is an excellent tool for taking advantage of this protocol: it is a WinRM client written for pentesters that authenticates with a password, an NTLM hash or a client certificate, can target a non-default port or an HTTPS listener, and gives an interactive PowerShell-style shell.

With internal access we can connect to a different workstation. There are several ways to authenticate; I used the approach of starting PowerShell as a different user with the runas command, after which that user can simply open a PSSession on the remote workstation, as seen below.
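The connection step above, as an added example that is not part of the original post: it shows the runas approach the post describes alongside the alternative of passing an explicit credential from the current shell, then runs a command through a persistent session and tears it down. The domain CORP, the user alice and the host ws02 are assumptions.

```powershell
# Added example (not from the original post). CORP\alice and ws02 are assumed.

# Option A, as in the post: spawn a new PowerShell under the target account and
# connect from that window; the session carries that process's identity.
#   runas /user:CORP\alice powershell.exe
#   (use /netonly when your own machine is not joined to CORP; the token is then
#    only used for network authentication)
# then, in the new window:
#   Enter-PSSession -ComputerName ws02

# Option B: stay in the current process and hand New-PSSession a credential.
$cred = Get-Credential -UserName 'CORP\alice' -Message 'Account used for remoting'

# Fail fast and clearly if there is no listener to talk to.
if (-not (Test-WSMan -ComputerName 'ws02' -ErrorAction SilentlyContinue)) {
    throw 'No WinRM listener reachable on ws02 (service disabled or port 5985/5986 filtered)'
}

# Persistent session: reused across several commands, keeps remote state.
$session = New-PSSession -ComputerName 'ws02' -Credential $cred

# Run a scriptblock remotely; $using: copies a local variable into remote scope.
$pattern = 'svc_*'
$result = Invoke-Command -Session $session -ScriptBlock {
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        # Confirms which identity the remote side actually sees.
        User     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Services = (Get-Service -Name $using:pattern -ErrorAction SilentlyContinue).Name
    }
}
$result | Format-List

# Drop into the same session interactively when manual poking is needed:
#   Enter-PSSession -Session $session
#   Exit-PSSession

# Always close what you opened: an abandoned session keeps a logon and a
# wsmprovhost.exe process alive on the target, which defenders notice.
Remove-PSSession -Session $session
```

If ws02 is not domain-joined, the client must either use HTTPS or list the host in its TrustedHosts (WSMan:\localhost\Client\TrustedHosts); otherwise New-PSSession refuses to send credentials to it.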
