# RDP (3389)
- Remote Desktop Protocol (RDP) uses TCP/UDP port 3389
- allows display and control commands to be transmitted via the GUI encrypted over IP networks
- works at application layer
- supports SSL/TLS since Windows Vista
- activated using the `Service Manager` and comes with the default setting to allow connections to the service only from hosts with [Network level authentication](https://en.wikipedia.org/wiki/Network_Level_Authentication) (NLA)
## Footprinting RDP
```bash
sudo nmap -sC -sV -p3389 <ip_addr> --script rdp*
# --packet-trace shows the RDP cookie (mstshash=nmap) Nmap uses to interact with the RDP server;
# that cookie can be identified by threat hunters and various security services such as EDR
sudo nmap -sC -sV -p3389 <ip_addr> --packet-trace --disable-arp-ping -n
# rdp-sec-check: unauthenticated check of an RDP server's security settings based on the handshake
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl <ip_addr>
```
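An added example (not part of these notes) that looks at the Nmap cookie from the detection side: a small Python parser for the TPKT/X.224 Connection Request that opens every RDP session, extracting the `mstshash` cookie and the requested security protocols (so a `mstshash=nmap` hit or a client that does not offer CredSSP against an NLA-only server can be flagged). The sample PDU is constructed here; the cookie value is the one Nmap uses as described above.

```python
import struct

COOKIE_PREFIX = b"Cookie: mstshash="
# requestedProtocols bits from RDP_NEG_REQ (MS-RDPBCGR); 0 means legacy "standard RDP security"
PROTOCOL_BITS = {0x1: "TLS", 0x2: "CredSSP (NLA)", 0x4: "RDSTLS", 0x8: "CredSSP-EX"}

# Constructed sample: the first PDU a scanner sending the mstshash=nmap cookie emits
SAMPLE_CR = (
    b"\x03\x00\x00\x2a"                  # TPKT: version 3, reserved, length 42
    b"\x25\xe0\x00\x00\x00\x00\x00"      # X.224 CR: LI=37, type 0xE0, dst-ref, src-ref, class 0
    b"Cookie: mstshash=nmap\r\n"         # routing cookie / username hint
    b"\x01\x00\x08\x00\x03\x00\x00\x00"  # RDP_NEG_REQ: type 1, flags 0, len 8, TLS|CredSSP
)

def parse_x224_connection_request(pdu: bytes) -> dict:
    """Return the cookie and requestedProtocols from a TPKT-framed X.224 Connection Request."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("TPKT length does not match captured bytes")
    li, pdu_type = pdu[4], pdu[5]
    if pdu_type != 0xE0:
        raise ValueError("not an X.224 Connection Request (type 0xE0)")
    payload = pdu[11:5 + li]  # LI counts bytes after the LI octet; fixed CR header is 6 of them
    cookie = None
    if payload.startswith(COOKIE_PREFIX):
        end = payload.find(b"\r\n")
        if end == -1:
            raise ValueError("cookie not CR/LF terminated")
        cookie = payload[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        payload = payload[end + 2:]
    protocols = None
    if len(payload) >= 8 and payload[0] == 0x01:  # TYPE_RDP_NEG_REQ
        _, _, length, protocols = struct.unpack("<BBHI", payload[:8])
        if length != 8:
            raise ValueError("malformed RDP_NEG_REQ")
    return {"cookie": cookie, "requested_protocols": protocols}

def classify_connection_request(pdu: bytes) -> dict:
    """Enrich the parsed fields with the two things a threat hunter checks first."""
    info = parse_x224_connection_request(pdu)
    bits = info["requested_protocols"] or 0
    info["protocols"] = [n for b, n in PROTOCOL_BITS.items() if bits & b] or ["standard RDP security"]
    # Nmap's rdp scripts identify themselves via this cookie; a known-scanner hit is a cheap alert
    info["scanner_fingerprint"] = info["cookie"] == "nmap"
    # a server enforcing NLA rejects clients that do not offer CredSSP, so this predicts the outcome
    info["offers_nla"] = bool(bits & 0x2)
    return info
```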
## Interact with RDP
- `xfreerdp`, `rdesktop`, or `remmina` can be used to authenticate and connect to RDP servers
```bash
xfreerdp3 /u:<user_name> /p:"<password>" /v:<ip_addr> /dynamic-resolution
remmina #opens GUI app
```
# WinRM (5985,5986)
- Windows remote mgmt (WinRM) is a simple Windows integrated remote mgmt protocol that uses SOAP to establish connections to remote hosts and their applications
- WinRM must be explicitly enabled and configured starting with Windows 10
- TCP port 5985 uses HTTP
- TCP port 5986 uses HTTPS
- Windows remote shell (WinRS), included on Windows 7 by default, lets us execute arbitrary commands on the remote system
## Footprinting WinRM
```bash
sudo nmap -sV -sC <ip_addr> -p5985,5986 --disable-arp-ping -n
#can also use the Test-WSMan cmdlet within PowerShell to determine whether one or more remote servers can be reached via WinRM
#once we have creds, try evil-winrm for an interactive shell
evil-winrm -i <ip_addr> -u <user_name> -p <password>
```
# WMI (135)
- Windows mgmt instrumentation (WMI) is Microsoft's implementation and also an extension of the Common Information Model (CIM), which is a core functionality of the standardized Web-Based Enterprise Management (WBEM) for the Windows platform
- initialization of WMI comms takes place over TCP port 135, then comms move to a random port
## Footprinting WMI
```bash
wmiexec.py <user_name>:"<password>"@<ip_addr> "hostname" #Impacket tool that runs a command over WMI; here it returns the hostname
```