Exploring Windows from the Outside - SMB, WinRM, and Other Backdoors

Behind every Windows machine on a network, there are services that speak. Some speak loudly, like RDP, which displays full desktops. Others are more discreet, like SMB, which is limited to file sharing. But all of them, without exception, can become open doors if not properly configured. Today, you’ll approach a machine that will teach you just that—how to listen to those voices, how to discover what others have left exposed.

These machines have several services running. Let’s see what they are and why they matter.

  • Port 139 (NetBIOS): An old technology that still survives in some networks. Its purpose is to help identify and locate devices and shared services, like folders or printers. Think of it as Windows’ internal address book.
  • Port 445 (SMB): This is where the magic—and sometimes disaster—happens. SMB (Server Message Block) allows sharing files, folders, and printers over the network. If configured without authentication or restrictions, it can reveal much more than it should.
  • Port 5985 (WinRM): Windows Remote Management is a service that allows remote administration of machines via PowerShell commands. It’s powerful, elegant… and if someone has privileged access, it can become a direct highway into the system.
  • Port 3389 (RDP): Remote Desktop Protocol provides graphical access to the machine. When enabled, you can control Windows as if you were sitting in front of it. It’s useful, but also risky if combined with leaked credentials.

SMB

In this lesson, the first thing you need to do is enumerate SMB. Because SMB remembers. If there are unprotected shared folders, you can see them from the outside, without needing to be a system user. You can use tools like smbclient, smbmap, enum4linux, or even nmap to explore those resources.

For example, using smbclient:

smbclient -L //TARGET_IP

This command shows you which shared resources are available. If any don’t require authentication, you can mount them directly:

smbclient \\\\TARGET_IP\\share

Inside, you might find files like alice_creds.txt and backup.zip. The first file gives you something direct—a username and password. But the second, the .zip, holds something deeper: a hash. That hash belongs to the Administrator account and gives you access to WinRM—and this is where a key tool comes in, evil-winrm.

evil-winrm

Evil-WinRM is a utility designed to connect you remotely to a Windows machine via port 5985. But not as a simple user. It opens an interactive, practical remote PowerShell session from which you can move around the entire system.

The power of Evil-WinRM is that you can connect even if you don’t have the real password, as long as you have the user’s NTLM hash. And that’s exactly what you can find in this exercise.

The basic usage is:

evil-winrm -i <IP> -u Administrator -H <NTLM_HASH>

From that moment, you’re inside, with full permissions and the ability to search, read, and execute. But remember, getting there isn’t by chance. It’s the result of a series of poor decisions: sharing files without control, storing credentials in plain text, not properly encrypting .zip files, allowing authentication with hashes, and exposing remote services.
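As an added example that is not part of the lesson, here is a PowerShell audit a defender can run on the Windows host itself to look for the five weaknesses just listed (open shares, plaintext secrets in them, anonymous enumeration, exposed remote management, and a network-usable Administrator). The cmdlets and registry values are standard Windows ones; the file-name patterns used to spot credential files are an assumption for illustration.

```powershell
# Added example, not from the lesson: audit a Windows host for the weaknesses the
# lesson exploits. Run in an elevated PowerShell. File-name patterns are assumptions.
function Invoke-ExposureAudit {
    $findings = @()

    # 1. Non-admin shares granting access to broad groups (sharing files without control)
    foreach ($share in Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' }) {
        $open = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccountName -match 'Everyone|ANONYMOUS LOGON|Authenticated Users|BUILTIN\\Users'
        }
        if ($open) {
            $findings += "Share '$($share.Name)' ($($share.Path)) allows: $($open.AccountName -join ', ')"
            # 2. Credential-looking files or archives left inside such a share (plaintext secrets)
            Get-ChildItem -Path $share.Path -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match 'cred|pass|\.zip$' } |
                ForEach-Object { $findings += "  Sensitive-looking file in open share: $($_.FullName)" }
        }
    }

    # 3. Null-session enumeration of shares and accounts (what smbclient -L / enum4linux rely on)
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.RestrictAnonymous -lt 1 -or $lsa.EveryoneIncludesAnonymous -eq 1) {
        $findings += 'LSA allows anonymous share/user enumeration (RestrictAnonymous < 1 or EveryoneIncludesAnonymous = 1)'
    }

    # 4. Exposed remote management: WinRM on 5985, RDP, and a network-usable Administrator
    if (Get-NetTCPConnection -State Listen -LocalPort 5985 -ErrorAction SilentlyContinue) {
        $findings += 'WinRM HTTP listener on 5985 is open; scope it with firewall rules or move to HTTPS (5986)'
    }
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($ts.fDenyTSConnections -eq 0) { $findings += 'RDP is enabled (fDenyTSConnections = 0)' }
    $admin = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
    if ($admin -and $admin.Enabled) {
        $findings += 'Built-in Administrator is enabled: its NTLM hash alone authenticates over WinRM (pass-the-hash); disable it or use LAPS-managed accounts'
    }
    return $findings
}

$result = Invoke-ExposureAudit
if ($result.Count -eq 0) { 'No findings' } else { $result }
```

Each finding maps to one of the poor decisions above, so an empty result means none of the conditions this lesson relies on is present on that host.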

You’re seeing them from the outside, with the perspective of a learner. But many of these mistakes exist in real systems, with real data.