Windows Remote Management Protocols

RDP - 3389

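# Nmap scan for RDP: version detection (-sV), the default script set (-sC) and
# every NSE script whose name starts with "rdp". The script glob is quoted so
# the shell cannot expand it against files in the working directory before
# nmap ever sees the pattern.
nmap -sV -sC ip -p3389 --script 'rdp*'

# Same scan with --packet-trace, which logs every packet sent and received so
# the exchange can be inspected manually. -n skips reverse-DNS lookups and
# --disable-arp-ping skips ARP host discovery.
nmap -sV -sC ip -p3389 --packet-trace --disable-arp-ping -n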

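# RDP security check: fetch rdp-sec-check and run it against the target to
# report which RDP security protocols the service offers.
# Each step is checked on its own. With the original `clone && cd`, a failed
# clone (for example because the directory already exists) skipped the cd and
# the next line then ran ./rdp-sec-check.pl from whatever the current
# directory happened to be.
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git || exit 1
cd rdp-sec-check || exit 1

./rdp-sec-check.pl ip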

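# Initiate an RDP session with xfreerdp. The password is single-quoted: only
# single quotes reliably stop an interactive bash from applying history
# expansion to the "!", and they also pass any other metacharacter in the
# value literally. Any credential given on the command line is visible in
# `ps` output and shell history; xfreerdp prompts for the password when /p is
# omitted.
xfreerdp /u:eren /p:'P455w0rd!' /v:ip

# Same with rdesktop. `-p -` would read the password from stdin instead of
# exposing it as an argument.
rdesktop -u admin -p password123 ip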

# RDP password spraying: one candidate password tried against every account
# listed in the username file. Both tools below do the same job. Every
# attempt is a network logon that the target records as a failed logon, which
# is what lockout policies and spraying detections key on.

# Crowbar - <https://github.com/galkan/crowbar>
crowbar_opts=(-b rdp -s 192.168.220.142/32 -U users.txt -c 'password123')
crowbar "${crowbar_opts[@]}"

# Hydra
hydra_opts=(-L usernames.txt -p 'password123')
hydra "${hydra_opts[@]}" ip rdp

WinRM - 5985, 5986

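# Nmap WinRM: version detection and default scripts on both WinRM ports
# (5985 HTTP, 5986 HTTPS). -n skips reverse-DNS lookups and
# --disable-arp-ping skips ARP host discovery.
nmap -sV -sC ip -p5985,5986 --disable-arp-ping -n

# evil-WinRM: open a remote PowerShell session over WinRM. The password is
# single-quoted, consistent with the other entries on this page, so that "!"
# and any other shell metacharacter in the value are passed literally and
# interactive history expansion cannot rewrite it. As with any credential on
# argv, it is visible in `ps` output and shell history.
evil-winrm -i ip -u eren -p 'P455w0rD!'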

WMI - 135

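# wmiexec.py (Impacket): run a command on the target over WMI (TCP 135) and
# print its output; here it simply runs `hostname`. The user:password@host
# string is single-quoted so the "!" and any other shell metacharacter in the
# password reach wmiexec.py literally (single quotes also suppress interactive
# history expansion, which double quotes do not). Leaving the password out of
# the string makes wmiexec.py prompt for it rather than exposing it on argv.
wmiexec.py 'eren:P455w0rD!@ip' "hostname"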
