
Windows Remote Management Protocol

Windows mostly uses WinRM or RDP for remote management.

Linux uses SSH.

  • Enabled by default starting with Windows 2016 Server
  • A service implementing:
    • the WS-Management protocol,
    • hardware diagnostics and control through baseboard management controllers, and
    • a COM API and script objects that enable us to write applications that communicate remotely through the WS-Management protocol.

  • The main components used for remote management of Windows and Windows servers are the following:

  • Remote Desktop Protocol (RDP)
  • Windows Remote Management (WinRM)
  • Windows Management Instrumentation (WMI)

RDP:

  • Remote access to a computer running Windows.
  • Graphical (GUI) session over PORT 3389
  • To reach the server from outside its network, the host you are connecting to must have a public IP address,
  • or PORT FORWARDING must be set up on the NAT router to point to the server.
  • Encrypted with SSL/TLS
  • ISSUE: the client cannot distinguish a genuine certificate from a forged one and shows a certificate warning to the user.
  • Authentication with Network Level Authentication (NLA)

Commands:

  • nmap -sV -sC 10.129.201.248 -p3389 --script rdp*
    • determines whether NLA is enabled, the product version and the hostname
  • RDP Security Check (rdp-sec-check):
    • sudo cpan
    • cpan[1]> install Encoding::BER
    • git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
  • Create an RDP session using xfreerdp, rdesktop, or Remmina
    • xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248
  • xfreerdp drive redirection:
    • xfreerdp /v:172.16.5.35 /u:'mlefay' /p:'P****' /drive:linux,/home/kali/ctf/rdp /dynamic-resolution
    • This shares your local Kali directory with the RDP session you established, as a network drive
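What the nmap rdp* scripts and rdp-sec-check actually do to "determine if NLA is enabled" is send an X.224 Connection Request carrying an RDP_NEG_REQ and read the server's RDP_NEG_RSP or RDP_NEG_FAILURE. The following is an added example, not code from the page or from either tool: it builds that request, decodes the answer, and reports whether the server refuses a TLS-only request with HYBRID_REQUIRED_BY_SERVER (NLA enforced). The sample packets in the demo are constructed by hand; the optional host argument to the probe function is an assumption for your own lab host.

```python
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x00000000        # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization result

PROTOCOL_NAMES = {
    PROTOCOL_RDP: "Standard RDP Security",
    PROTOCOL_SSL: "TLS",
    PROTOCOL_HYBRID: "CredSSP (NLA)",
    PROTOCOL_RDSTLS: "RDSTLS",
    PROTOCOL_HYBRID_EX: "CredSSP with early user auth",
}

# failureCode values carried in RDP_NEG_FAILURE
FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
HYBRID_REQUIRED_BY_SERVER = 5

NEG_OFFSET = 11  # TPKT header (4) + X.224 LI byte (1) + CR/CC header fields (6)


def build_negotiation_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type 0x01, flags, length 8, requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: LI, code 0xE0, DST-REF, SRC-REF, class option, then the negotiation request
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_negotiation_response(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm into {kind, value, name}."""
    if len(data) < NEG_OFFSET or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match packet size")
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) == NEG_OFFSET:
        # No rdpNegData at all: the server predates protocol negotiation (standard RDP security only)
        return {"kind": "legacy", "value": PROTOCOL_RDP, "name": PROTOCOL_NAMES[PROTOCOL_RDP]}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[NEG_OFFSET:NEG_OFFSET + 8])
    if neg_len != 8:
        raise ValueError("unexpected negotiation structure length")
    if neg_type == 0x02:  # RDP_NEG_RSP: selectedProtocol
        return {"kind": "response", "value": value, "name": PROTOCOL_NAMES.get(value, hex(value))}
    if neg_type == 0x03:  # RDP_NEG_FAILURE: failureCode
        return {"kind": "failure", "value": value, "name": FAILURE_NAMES.get(value, hex(value))}
    raise ValueError(f"unknown negotiation type {neg_type:#x}")


def nla_enforced(reply_to_tls_only_request: dict) -> bool:
    """True when a request that offered only TLS was refused with HYBRID_REQUIRED_BY_SERVER."""
    r = reply_to_tls_only_request
    return r["kind"] == "failure" and r["value"] == HYBRID_REQUIRED_BY_SERVER


def probe_rdp_security(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Offer each protocol on its own and record the server's answer (needs network access)."""
    results = {}
    for proto in (PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiation_request(proto))
            results[PROTOCOL_NAMES[proto]] = parse_negotiation_response(sock.recv(1024))
    results["nla_enforced"] = nla_enforced(results["TLS"])
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # assumed lab host passed on the command line
        for name, answer in probe_rdp_security(sys.argv[1]).items():
            print(f"{name}: {answer}")
    else:
        # Constructed sample: a server refusing a TLS-only request because NLA is mandatory
        sample = parse_negotiation_response(bytes.fromhex("030000130ed000001234000300080005000000"))
        print(sample, "NLA enforced:", nla_enforced(sample))
```

The reason for offering each protocol separately rather than all at once is that a server answering a combined request simply picks its preferred protocol; only the refusal of a TLS-only request with failure code 5 proves that NLA is mandatory, which is the setting a hardening check wants to confirm.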

WinRM:

  • Windows Remote Management protocol based on the command line.
  • WinRM uses the Simple Object Access Protocol (SOAP) to establish connections to remote hosts and their applications.
  • Must be enabled and configured starting with Windows 10; enabled by default since Windows Server 2012
  • BY DEFAULT evil-winrm uses the non-SSL version
    • to use the SSL version with a .pem key and .crt certificate, use the -S flag
  • WinRM relies on TCP ports 5985 and 5986 for communication,
    • PORT 5986 uses HTTPS
  • WinRS (Windows Remote Shell) was used in Windows 7

Commands:

  • nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
  • To find out whether a remote server can be reached via WinRM:
    • On Windows -> use the PowerShell Test-WSMan cmdlet and pass the hostname in question.
    • On Linux -> use the tool evil-winrm
      • evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
      • evil-winrm -i 10.10.11.152 -u legacyy -c cert.crt -k private2.pem -p '' -S
        • when using certificates and SSL
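Test-WSMan works by POSTing a WS-Management Identify request to /wsman with the WSMANIDENTIFY: unauthenticated header, which the service answers without credentials. The following added example (not from the page, evil-winrm or Microsoft) reproduces that check from Linux in plain Python over the ports listed above, so you can confirm a listener is really WinRM before reaching for any authenticated tool. The sample IdentifyResponse is constructed for the offline demo; the host passed to wsman_identify is an assumption for your own lab.

```python
import socket
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSMID_NS = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"
WINRM_PORTS = {"http": 5985, "https": 5986}  # WinRM listener ports

# Constructed sample of what a Windows WinRM service returns to Identify (not captured from a real host)
SAMPLE_IDENTIFY_RESPONSE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}"><s:Header/><s:Body>'
    "<wsmid:IdentifyResponse>"
    "<wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>"
    "<wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>"
    "<wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion>"
    "</wsmid:IdentifyResponse></s:Body></s:Envelope>"
).encode("utf-8")


def build_identify_request() -> bytes:
    """SOAP envelope for the WS-Management Identify operation."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}">'
        "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
    ).encode("utf-8")


def parse_identify_response(body: bytes) -> dict:
    """Extract ProtocolVersion / ProductVendor / ProductVersion from an IdentifyResponse."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"response is not XML: {exc}") from exc
    ns = {"wsmid": WSMID_NS}
    node = root.find(".//wsmid:IdentifyResponse", ns)
    if node is None:
        raise ValueError("no IdentifyResponse element: endpoint is not WS-Management")
    info = {}
    for field in ("ProtocolVersion", "ProductVendor", "ProductVersion"):
        el = node.find(f"wsmid:{field}", ns)
        if el is not None and el.text:
            info[field] = el.text.strip()
    return info


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP reachability check for a listener port (network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wsman_identify(host: str, use_tls: bool = False, timeout: float = 5.0) -> dict:
    """Python equivalent of Test-WSMan: POST Identify to /wsman and decode the answer (network)."""
    scheme = "https" if use_tls else "http"
    url = f"{scheme}://{host}:{WINRM_PORTS[scheme]}/wsman"
    req = urllib.request.Request(
        url,
        data=build_identify_request(),
        method="POST",
        headers={
            "Content-Type": "application/soap+xml;charset=UTF-8",
            "WSMANIDENTIFY": "unauthenticated",  # lets the service answer Identify without credentials
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_identify_response(resp.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # assumed lab host passed on the command line
        target = sys.argv[1]
        for scheme, port in WINRM_PORTS.items():
            print(f"{scheme} {port}: {'open' if port_open(target, port) else 'closed'}")
        print(wsman_identify(target))
    else:
        print(parse_identify_response(SAMPLE_IDENTIFY_RESPONSE))
```

A plain HTTP server on 5985 (an unrelated web app, for example) parses fine as XML or HTML but carries no IdentifyResponse element, so parse_identify_response raises ValueError instead of reporting a false positive; that is the distinction a port scan alone cannot make.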

WMI:

  • Windows Management Instrumentation
  • Connects on PORT 135; after the connection is successfully established, the communication is moved to a random port
  • WMI allows read and write access to almost all settings on Windows systems.
  • A critical interface in the Windows environment for the administration and remote maintenance of Windows computers
  • WMI is typically accessed via PowerShell, VBScript, or the Windows Management Instrumentation Console (WMIC).
  • WMI is not a single program but consists of several programs and various databases, also known as repositories.

Commands:

  • /usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"

Change user in PowerShell (equivalent of su user)

$username = 'plaintext'
$password = 'admin123'
# Wrap the plaintext password in a SecureString so it can go into a credential object
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
# Open a session as that user (local machine, since no -ComputerName is given) and enter it
New-PSSession -Credential $cred | Enter-PSSession