Port 5985, 5986 - WinRM - Windows Remote Management

How is WinRM different from Remote Desktop (RDP)? WinRM is a protocol for remote management, while Remote Desktop (RDP) is a protocol for remote desktop access. WinRM allows for remote execution of management commands, while RDP provides a graphical interface for remote desktop access.

WinRM is part of the operating system. However, to obtain data from remote computers, you must configure a WinRM listener.

WinRM is a network protocol based on XML web services that uses the Simple Object Access Protocol (SOAP) for remote management of Windows systems. It handles the communication between Web-Based Enterprise Management (WBEM) and Windows Management Instrumentation (WMI), which in turn can call the Distributed Component Object Model (DCOM). WinRM uses SOAP to establish connections to remote hosts and their applications. For security reasons, however, WinRM must be activated and configured manually in Windows 10. WinRM uses TCP ports 5985 (HTTP) and 5986 (HTTPS).

Another component that complements WinRM for administration is Windows Remote Shell (WinRS), which lets us execute arbitrary commands on the remote system. The program is included on Windows 7 by default.

Footprinting WinRM

As we already know, WinRM uses TCP ports 5985 (HTTP) and 5986 (HTTPS) by default, which we can scan using Nmap:

nmap -sV -sC $ip -p5985,5986 --disable-arp-ping -n

We'll connect to the WinRM service on the target and try to get a session. Because PowerShell isn't installed on Linux by default, we'll use a tool called Evil-WinRM which is made for this kind of scenario.

evil-winrm -i $ip -u <username> -p <password>

On Windows, we can use the Test-WSMan cmdlet, which checks whether a WinRM listener is reachable by sending an unauthenticated WS-Management Identify request.
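The SOAP exchange behind that check, as an added example that is not part of the original notes: it builds the WS-Management Identify envelope that Test-WSMan sends to a listener on 5985 or 5986 and parses the IdentifyResponse a Windows host returns. The reply is a constructed sample, not a captured one; sending the request over the network is left out so the block runs offline.

```python
"""WS-Management Identify: the unauthenticated probe that Test-WSMan (and nmap's
WinRM fingerprinting) send. Builds the SOAP request and parses the reply."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSMID_NS = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"
NS = {"s": SOAP_NS, "wsmid": WSMID_NS}


def build_identify_request() -> bytes:
    """SOAP envelope with an empty wsmid:Identify body. POSTed to /wsman on
    5985 or 5986 with the HTTP header 'WSMANIDENTIFY: unauthenticated', the
    listener answers without credentials; that is the check Test-WSMan does."""
    ET.register_namespace("s", SOAP_NS)
    ET.register_namespace("wsmid", WSMID_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, f"{{{WSMID_NS}}}Identify")
    return ET.tostring(env, encoding="utf-8")


def parse_identify_response(xml_bytes: bytes) -> dict:
    """Pull the fingerprint fields out of an IdentifyResponse. Raises ValueError
    when the document is something else (e.g. an HTTP error page)."""
    root = ET.fromstring(xml_bytes)
    resp = root.find("s:Body/wsmid:IdentifyResponse", NS)
    if resp is None:
        raise ValueError("not a WS-Management IdentifyResponse")
    fields = {}
    for name in ("ProtocolVersion", "ProductVendor", "ProductVersion"):
        node = resp.find(f"wsmid:{name}", NS)
        fields[name] = node.text.strip() if node is not None and node.text else None
    # Each SecurityProfileName is an authentication scheme the listener offers.
    fields["SecurityProfiles"] = [p.text for p in resp.findall(
        "wsmid:SecurityProfiles/wsmid:SecurityProfileName", NS)]
    return fields


# Constructed sample reply modelled on a Windows listener's answer; the masked
# version string is typical for unauthenticated Identify, not a captured value.
SAMPLE_RESPONSE = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd">
<s:Header/><s:Body><wsmid:IdentifyResponse>
<wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>
<wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>
<wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion>
<wsmid:SecurityProfiles><wsmid:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos</wsmid:SecurityProfileName></wsmid:SecurityProfiles>
</wsmid:IdentifyResponse></s:Body></s:Envelope>"""
```

The ProductVersion field is what distinguishes a real WinRM listener from another HTTP service on the same port, and the SecurityProfiles list shows which authentication schemes the listener is configured to accept.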

Last update: 2023-07-13
Created: July 1, 2023 08:34:56