Windows Remote Management Protocols
Windows servers can be managed locally or remotely using several built-in services and protocols. Remote management is enabled by default on Windows Server 2016 and newer. It provides administrators the ability to control, monitor, and configure systems through secure and sometimes GUI-based interfaces. This section covers the main protocols and methods used for remote management of Windows systems.
📡 RDP (Remote Desktop Protocol)
RDP is a Microsoft-developed protocol for GUI-based remote access to Windows systems. It typically uses TCP port 3389 (and optionally UDP 3389) and allows the user to control a system as if they were sitting in front of it.
🔐 Security
Supports TLS/SSL encryption.
Uses Network Level Authentication (NLA) by default on recent systems.
May use self-signed certificates, which are vulnerable to MITM attacks.
⚙️ Default Configuration
Installed and enabled on Windows Servers.
NLA required by default.
🔎 Footprinting
sudo nmap -sV -sC <IP CIBLE> -p3389 --script "rdp*"
Useful scripts:
rdp-enum-encryption: lists supported encryption layers.
rdp-ntlm-info: retrieves hostname, domain, and version.
🛠️ Security Checks
To manually inspect RDP handshakes:
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git
cd rdp-sec-check
./rdp-sec-check.pl <IP CIBLE>
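The handshake that rdp-sec-check inspects is the very first RDP exchange: the client sends an X.224 Connection Request carrying a requestedProtocols bitmask (Standard RDP Security, TLS, or CredSSP/NLA), and the server answers with a Connection Confirm carrying either RDP_NEG_RSP (the selectedProtocol) or RDP_NEG_FAILURE (a failureCode such as HYBRID_REQUIRED_BY_SERVER). The Python script below is an added example, not code from this page or from rdp-sec-check: it builds that request, decodes the confirm, and reports whether a host still accepts legacy Standard RDP Security or TLS without NLA, which is exactly what the hardening advice at the end of the page aims to rule out. The probe() function, the constructed HARDENED and PERMISSIVE sample hosts, and the failure codes chosen for them are assumptions made for the example; the field layouts and code values follow MS-RDPBCGR.

```python
"""RDP security-protocol negotiation check (X.224 Connection Request / Confirm).

Added example for this page, not code from rdp-sec-check. Only the first
packet exchange of MS-RDPBCGR is spoken; no credentials are ever sent.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x0      # "Standard RDP Security": legacy encryption, no TLS
PROTOCOL_SSL = 0x1      # TLS without NLA
PROTOCOL_HYBRID = 0x2   # CredSSP, i.e. Network Level Authentication
PROTOCOL_NAMES = {PROTOCOL_RDP: "Standard RDP Security",
                  PROTOCOL_SSL: "TLS (no NLA)",
                  PROTOCOL_HYBRID: "CredSSP/NLA"}

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (19 bytes)."""
    neg_req = struct.pack("<BBHI", NEG_REQ, 0, 8, requested_protocols)
    # CR-TPDU fixed part: code 0xE0, DST-REF, SRC-REF, class 0 (big-endian)
    body = struct.pack("!BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(body)]) + body          # length indicator first
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def build_connection_confirm(neg_type: int, value: int) -> bytes:
    """Server-side mirror; used here only to construct sample answers offline."""
    neg = struct.pack("<BBHI", neg_type, 0, 8, value)
    body = struct.pack("!BHHB", 0xD0, 0, 0, 0) + neg
    x224 = bytes([len(body)]) + body
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode a Connection Confirm into {'ok': True, 'protocol': n} or {'ok': False, 'failure': n}."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if data[4] == 6:
        # No RDP_NEG_RSP at all: the server only knows Standard RDP Security
        return {"ok": True, "protocol": PROTOCOL_RDP}
    if len(data) < 19:
        raise ValueError("truncated negotiation structure")
    neg_type, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad negotiation structure length")
    if neg_type == NEG_RSP:
        return {"ok": True, "protocol": value}
    if neg_type == NEG_FAILURE:
        return {"ok": False, "failure": value}
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")


def assess(results: dict) -> list:
    """Map {requestedProtocols: parsed confirm} to hardening findings (empty = NLA enforced)."""
    findings = []
    legacy = results.get(PROTOCOL_RDP)
    if legacy and legacy["ok"]:
        findings.append("Standard RDP Security accepted: legacy encryption, no TLS")
    tls_only = results.get(PROTOCOL_SSL)
    if tls_only and tls_only["ok"]:
        findings.append("TLS without NLA accepted: NLA is not enforced")
    nla = results.get(PROTOCOL_HYBRID)
    if not (nla and nla["ok"]):
        findings.append("CredSSP/NLA not offered")
    return findings


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Ask for each protocol separately so the server reveals what it accepts or demands."""
    results = {}
    for proto in (PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(proto))
            results[proto] = parse_connection_confirm(s.recv(64))
    return results


def report(results: dict) -> str:
    lines = []
    for proto, r in results.items():
        if r["ok"]:
            lines.append(f"requested {PROTOCOL_NAMES[proto]}: accepted, selected "
                         f"{PROTOCOL_NAMES.get(r['protocol'], r['protocol'])}")
        else:
            lines.append(f"requested {PROTOCOL_NAMES[proto]}: refused, "
                         f"{FAILURE_NAMES.get(r['failure'], r['failure'])}")
    findings = ["finding: " + f for f in assess(results)]
    return "\n".join(lines + (findings or ["no findings: NLA enforced"]))


# Constructed samples (assumed answers, not captured traffic): a hardened host that
# refuses anything but CredSSP, and a permissive host that accepts every protocol.
HARDENED = {
    PROTOCOL_RDP: parse_connection_confirm(build_connection_confirm(NEG_FAILURE, 5)),
    PROTOCOL_SSL: parse_connection_confirm(build_connection_confirm(NEG_FAILURE, 5)),
    PROTOCOL_HYBRID: parse_connection_confirm(build_connection_confirm(NEG_RSP, PROTOCOL_HYBRID)),
}
PERMISSIVE = {
    PROTOCOL_RDP: parse_connection_confirm(build_connection_confirm(NEG_RSP, PROTOCOL_RDP)),
    PROTOCOL_SSL: parse_connection_confirm(build_connection_confirm(NEG_RSP, PROTOCOL_SSL)),
    PROTOCOL_HYBRID: parse_connection_confirm(build_connection_confirm(NEG_RSP, PROTOCOL_HYBRID)),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # hostname of a server you administer
        print(report(probe(sys.argv[1])))
    else:
        print("constructed hardened host:\n" + report(HARDENED))
        print("\nconstructed permissive host:\n" + report(PERMISSIVE))
```

Run without arguments to see the two constructed samples evaluated offline, or with a hostname to query a server you are responsible for. An empty findings list means the server refuses both Standard RDP Security and TLS-only connections and demands CredSSP, which is the NLA-required state the recommendations below call for; a "TLS without NLA accepted" finding is the one to chase first, since it means the pre-authentication attack surface of the full RDP stack is still exposed.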
🖥️ Connecting to RDP (Linux Example)
xfreerdp /u:<utilisateur> /p:<motdepasse> /v:<IP CIBLE>
🛑 Beware of self-signed certificate mismatches, which can trigger warnings or cause the connection to be refused.
🧩 WinRM (Windows Remote Management)
WinRM is a command-line based protocol for remote management, built on SOAP and accessible over TCP ports 5985 (HTTP) and 5986 (HTTPS).
🧾 Features
Supports remote PowerShell commands.
Powers WinRS and Invoke-Command.
🔎 Footprinting
nmap -sV -sC <IP CIBLE> -p5985,5986
🛠️ Connect via Evil-WinRM (Linux)
evil-winrm -i <IP CIBLE> -u <utilisateur> -p <motdepasse>
🧠 WMI (Windows Management Instrumentation)
WMI provides read/write access to a wide range of system components. It is Microsoft's implementation of the Web-Based Enterprise Management (WBEM) standard.
🛠️ Access via Impacket
/usr/share/doc/python3-impacket/examples/wmiexec.py <utilisateur>:<motdepasse>@<IP CIBLE> "hostname"
📡 Ports
TCP 135 to initialize.
Follow-up communication occurs over dynamic ports.
🛡️ Recommendations
Disable RDP if it is not needed, or restrict it with ACLs.
Use valid certificates and strong authentication (NLA, MFA).
Monitor access to WinRM and WMI, and restrict it to authorised administrators only.
📚 Useful resources