5985 - WinRM
Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol: SOAP messages carried over HTTP(S). It exposes WMI/CIM data for remote management and is the transport for PowerShell Remoting, so you can think of it as an HTTP-based API for WMI plus a remote shell.
If WinRM is enabled and you hold valid credentials, remotely administering the machine from PowerShell is trivial: you can drop straight into an interactive remote PowerShell session on the host (much like SSH). The account must be a local administrator or a member of the Remote Management Users group to be granted a session.
The easiest way to detect WinRM is to check whether its port is open. Since WinRM 2.0 the service listens on one of two ports:
5985/tcp (HTTP)
5986/tcp (HTTPS)
(Older WinRM 1.1 installs listened on 80/tcp and 443/tcp instead.) If one of these ports is open, a WinRM listener is configured and you can try entering a remote session. An open port does not mean you are authorised: you still need a password or hash for an account allowed to use WinRM, and the HTTPS listener usually carries a self-signed certificate, so clients have to be told to skip certificate validation.
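The port check above, as an added example (not from the original page): a small POSIX sh script that scans for both listeners with nmap, then parses nmap's grepable (-oG) output to list every host with an open WinRM port and whether it needs plain HTTP or TLS. The sample output embedded below is constructed, not a real scan, and the winrm_probe helper (an unauthenticated GET to /wsman) is this example's own idea of a quick liveness check.

```sh
#!/bin/sh
# Added example, not part of the original page.
# Scan:  nmap -p 5985,5986 -oG winrm.gnmap 10.0.0.0/24
# Then:  winrm_targets < winrm.gnmap   ->  "ip port scheme" per open listener

# Constructed sample of nmap -oG output (fields are tab separated).
tab=$(printf '\t')
NMAP_GREPABLE_SAMPLE="# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 (dc01.corp.local)${tab}Status: Up
Host: 10.0.0.5 (dc01.corp.local)${tab}Ports: 5985/open/tcp//wsman///, 5986/closed/tcp//wsmans///${tab}Ignored State: filtered (998)
Host: 10.0.0.9 ()${tab}Ports: 5985/closed/tcp//wsman///, 5986/open/tcp//wsmans///
Host: 10.0.0.12 ()${tab}Ports: 5985/filtered/tcp//wsman///, 5986/filtered/tcp//wsmans///
# Nmap done (constructed sample)"

# winrm_targets: read -oG output on stdin, print "ip port scheme" for each
# open 5985 (http) or 5986 (https). Filtered/closed ports are ignored.
winrm_targets() {
  awk '
    /^Host:/ && /Ports:/ {
      ip = $2
      split($0, half, "Ports: ")
      n = split(half[2], ports, ", ")
      for (i = 1; i <= n; i++) {
        split(ports[i], f, "/")        # port/state/proto/owner/service/...
        if (f[2] == "open" && (f[1] == "5985" || f[1] == "5986"))
          print ip, f[1], (f[1] == "5986" ? "https" : "http")
      }
    }'
}

# winrm_probe host [port]: is anything answering HTTP there? curl prints 000
# when the connection fails, any real status code means a listener replied.
# (-k because the 5986 certificate is usually self-signed.)
winrm_probe() {
  port=${2:-5985}; scheme=http
  [ "$port" = 5986 ] && scheme=https
  code=$(curl -s -k -m 5 -o /dev/null -w '%{http_code}' "$scheme://$1:$port/wsman")
  [ "$code" != "000" ] && echo "$1:$port answered HTTP $code"
}

# Stand-alone run: parse the constructed sample.
printf '%s\n' "$NMAP_GREPABLE_SAMPLE" | winrm_targets
```

Feed the real `winrm.gnmap` to `winrm_targets` instead of the sample; a host that shows up with 5986 needs the TLS flag of whatever client you use next (for example `-S` in evil-winrm).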
Brute Force
Be careful: failed WinRM logons count against the account lockout policy, so brute-forcing can lock users out. Prefer spraying a few passwords across many accounts and stay below the lockout threshold.
Metasploit
The winrm_login module (auxiliary/scanner/winrm/winrm_login) is a standard Metasploit login scanner for brute-forcing WinRM passwords.
Using evil-winrm
Read the documentation on its GitHub: https://github.com/Hackplayers/evil-winrm
To use evil-winrm against an IPv6 address, add an entry to /etc/hosts mapping a hostname to the IPv6 address and connect to that hostname instead of the literal address.
CrackMapExec
Here's an example of using the CrackMapExec winrm method as the local Administrator with a clear-text password:
Here's an example using an NTLM hash instead of a password (pass-the-hash):
Docker evil-winrm
Pass the hash with evil-winrm
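For the evil-winrm sections above (plain use, the Docker image, IPv6 targets and pass-the-hash), here is one added example that is not from the original page or the evil-winrm project: a POSIX sh wrapper that builds the evil-winrm command line for a target, switching between -p (password) and -H (NT hash), adding -P 5986 -S for the HTTPS listener, and, for an IPv6 target, printing the /etc/hosts line needed and connecting through that hostname. The alias name winrm-target, the sample addresses and the sample hash (the NT hash of an empty password) are the example's own; the Docker image name in the comment is taken from the project's README and is an assumption here.

```sh
#!/bin/sh
# Added example, not part of the original page or of evil-winrm.
# Usage: ./winrm-connect.sh <target> <port> <user> <secret> <pass|hash> [<alias>]
# No arguments: dry-run demo on two constructed targets.
EVIL_WINRM=${EVIL_WINRM:-evil-winrm}   # or "docker run --rm -ti oscarakaelvis/evil-winrm" (image name per README; assumption)
DRY_RUN=${DRY_RUN:-0}                  # 1 = print the command instead of running it

# An IPv6 literal always contains a colon; IPv4 and hostnames never do.
is_ipv6() { case "$1" in *:*) return 0 ;; *) return 1 ;; esac; }

# hosts_entry <ipv6> <name>: the /etc/hosts line that makes <name> resolve to the target.
hosts_entry() { printf '%s %s\n' "$1" "$2"; }

# winrm_connect <target> <port> <user> <secret> <pass|hash> [<alias>]
# <alias> is the hostname used for an IPv6 target (default winrm-target, an assumed name).
winrm_connect() {
  target=$1 port=$2 user=$3 secret=$4 kind=$5 alias=${6:-winrm-target}
  host=$target
  if is_ipv6 "$target"; then
    echo "# IPv6 target: add to /etc/hosts first -> $(hosts_entry "$target" "$alias")" >&2
    host=$alias
  fi
  set -- -i "$host" -P "$port"
  [ "$port" = 5986 ] && set -- "$@" -S      # 5986 is the TLS listener
  set -- "$@" -u "$user"
  case "$kind" in
    pass) set -- "$@" -p "$secret" ;;
    hash) set -- "$@" -H "$secret" ;;       # NT hash only, no LM half
    *) echo "unknown secret kind: $kind (use pass or hash)" >&2; return 2 ;;
  esac
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s %s\n' "$EVIL_WINRM" "$*"
  else
    $EVIL_WINRM "$@"   # unquoted on purpose so a multi-word EVIL_WINRM (docker ...) splits
  fi
}

if [ $# -ge 5 ]; then
  winrm_connect "$@"
else
  # Dry-run demo with constructed targets: IPv4 with a password, IPv6 over TLS with a hash.
  DRY_RUN=1
  winrm_connect 10.0.0.5 5985 Administrator 'P@ssw0rd!' pass
  winrm_connect fe80::5 5986 Administrator 31d6cfe0d16ae931b73c59d7e0c089c0 hash dc01
fi
```

Run it with `EVIL_WINRM="docker run --rm -ti oscarakaelvis/evil-winrm"` to use the container instead of a local install; with the container, remember the /etc/hosts entry for an IPv6 target has to exist inside the container, not only on the host.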
Winrs (Windows)
Login from Windows: winrs (Windows Remote Shell) runs a single command on the remote host over WinRM. The target is given with the -r: switch, and alternate credentials with -u: and -p:.
PowerShell
From a PowerShell prompt, Enter-PSSession opens an interactive session on the remote host and Invoke-Command runs a script block there; Test-WSMan checks whether the listener answers at all. If the target is addressed by IP or is not domain-joined, the client refuses to connect until the target is added to the WSMan TrustedHosts list.
Shodan
port:5985 Microsoft-HTTPAPI